Hello,

You are right, I think !(sslCookie =~ "; [S|s]ecure;?[^a-zA-Z0-9_-]+") will fix the issue.

Will update the NVT.

Thank you!
Antu Sanadi



On Monday 16 June 2014 04:21 PM, Chris wrote:
Hi,

I have already reported this at the bugtracker:

http://wald.intevation.org/tracker/index.php?func=detail&aid=6533&group_id=29&atid=220

but after my last mail to openvas-discuss I want to report this in here:

Hi,

from my understanding the regex used in secpod_ssl_cookie_secure_flag_info_disc_vuln.nasl 
to detect cookies with a missing "Secure" cookie flag is far from complete. 
When using the setcookie() function of PHP in a test environment like this:

setcookie("secure_cookie", "test", time()+3600, "/", "127.0.0.1", 1, 0);

the following cookie is set by the application:

Set-Cookie: secure_cookie=test; expires=Fri, 16-May-2014 11:34:04 GMT; 
Max-Age=3600; path=/; domain=127.0.0.1; secure

The regex "[S|s]ecure;?[^a-zA-Z0-9_-]+" used by the NVT is only checking for 
the following syntax:

Secure;
secure;

but misses the:

; secure

syntax above, which leads to false positives. Additionally, if the application is
setting more than one cookie like this:

setcookie("secure_cookie", "test", time()+3600, "/", "127.0.0.1", 1, 0);
setcookie("httponly_cookie", "test", time()+3600, "/", "127.0.0.1", 0, 1);
setcookie("secure_httponly_cookie", "test", time()+3600, "/", "127.0.0.1", 1, 1);

resulting in this response:

Set-Cookie: secure_cookie=test; expires=Fri, 16-May-2014 11:34:04 GMT; 
Max-Age=3600; path=/; domain=127.0.0.1; secure
Set-Cookie: httponly_cookie=test; expires=Fri, 16-May-2014 11:34:04 GMT; 
Max-Age=3600; path=/; domain=127.0.0.1; httponly
Set-Cookie: secure_httponly_cookie=test; expires=Fri, 16-May-2014 11:34:04 GMT; 
Max-Age=3600; path=/; domain=127.0.0.1; secure; httponly

Even if the regex above were correct, this causes a false negative, as the script
is catching all three "Set-Cookie" headers as one single line.
_______________________________________________
Openvas-plugins mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins


--
Saner Personal
A free vulnerability mitigation
software. Build strong defense.
http://www.secpod.com/saner-personal.html

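The two failure modes described in the thread, reproduced in an added Python example that is not part of the NVT or of either mail: the quoted regex is applied to a constructed Set-Cookie value (the assumption being that the NASL script hands it a line without its CRLF), and a per-header, attribute-wise check is shown beside it. The response text and function names are constructed for this example.

```python
import re

# Constructed HTTP response reproducing the three PHP setcookie() calls from the mail.
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: secure_cookie=test; expires=Fri, 16-May-2014 11:34:04 GMT; "
    "Max-Age=3600; path=/; domain=127.0.0.1; secure\r\n"
    "Set-Cookie: httponly_cookie=test; expires=Fri, 16-May-2014 11:34:04 GMT; "
    "Max-Age=3600; path=/; domain=127.0.0.1; httponly\r\n"
    "Set-Cookie: secure_httponly_cookie=test; expires=Fri, 16-May-2014 11:34:04 GMT; "
    "Max-Age=3600; path=/; domain=127.0.0.1; secure; httponly\r\n"
    "\r\n"
)

# The pattern quoted from the NVT: "secure" must be followed by at least one
# character outside [a-zA-Z0-9_-], so a "secure" at the end of a line never matches.
NVT_PATTERN = re.compile(r"[S|s]ecure;?[^a-zA-Z0-9_-]+")


def nvt_style_missing_secure(text):
    """Assumed shape of the original check: one regex over the text, negated."""
    return not NVT_PATTERN.search(text)


def set_cookie_headers(response):
    """Return each Set-Cookie header value as its own string (CRLF stripped)."""
    head = response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[1].strip()
            for line in head.split("\r\n")
            if line.lower().startswith("set-cookie:")]


def has_secure_attribute(cookie):
    """Attribute-wise check: split on ';', compare names case-insensitively.

    Handles "Secure;", "; secure", and a trailing "secure" alike, and cannot be
    fooled by the cookie *name* containing the word "secure".
    """
    attrs = [part.strip().lower() for part in cookie.split(";")[1:]]
    return "secure" in attrs


def cookies_missing_secure(response):
    """Names of cookies in the response that were set without the Secure attribute."""
    return [c.split("=", 1)[0].strip()
            for c in set_cookie_headers(response)
            if not has_secure_attribute(c)]
```

Running the regex on the first header alone reports it as missing Secure (false positive), while running it on all three headers joined into one string reports nothing (false negative on httponly_cookie); the per-header check flags exactly httponly_cookie.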
