Ben, Please read inline,
On Mon, Jul 7, 2014 at 7:15 PM, Ben Kirk <davidbenk...@gmail.com> wrote:
> hi all,
> I may be misreading my scan output results, but I get the following and when
> I check all of these specific IDs they are for redirects like 302 or a 404.
> Should this even be reported for HTTP responses that are not really content
> for the user (like a normal 200 with HTML content)?
>
> Is this something that can be filtered out? Asking because I need to report
> these in our monthly deployments to production to our security team and I
> don't want to raise any unnecessary flags. I'm using the latest build in git
> as of today.
>
> However, if these are truly issues I should fix, I'm open to that.
>
> Thanks for any discussion on this.
>
> [Mon Jul 7 22:06:42 2014 - vulnerability] The whole target web application
> has no protection (Pragma and Cache-Control headers) against sensitive
> content caching. This vulnerability was found in the requests with ids 16,
> 36, 42 to 43 and 50.

Well, you raise an interesting point. I agree that it doesn't make sense for these to be checked against 30x. I would be more than happy to receive a pull request which adds a check around here [0] for the 30x codes. Actually, believe it or not, that "if" in [0] was intended to match that situation, but it wasn't a complete solution since some 30x do have response bodies.

RE: 404 codes, I believe that cache_control.py can't simply say "we don't care about them". Some 404 pages do have some private information (at least the email address of the user?).

Does this make sense? Do you have the time to send me that small PR?
[0] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/grep/cache_control.py#L58

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

_______________________________________________
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
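The filter the thread converges on (skip 30x responses that have no body, keep grading 30x responses that do carry a body, and never skip 404s because error pages can echo private data) is small enough to show end to end. The following is an added example written for this page; it is not w3af's cache_control.py and does not reproduce its internals. The Response dataclass, the sample responses and the request ids attached to them, and the exact header directives treated as "protection" are all constructed assumptions.

```python
# Added example, not w3af's cache_control.py: a minimal "should this response be
# graded for missing cache-control protection?" decision modelled on the thread.
# Assumptions (constructed, not from the page): the Response dataclass, the sample
# responses and their ids, and the exact header directives treated as protection.
from dataclasses import dataclass, field


@dataclass
class Response:
    code: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def has_cache_protection(headers):
    """True if the response forbids storing: Cache-Control: no-store, or the
    legacy Pragma: no-cache that the thread's finding also names."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    directives = {d.strip() for d in h.get("cache-control", "").split(",")}
    if "no-store" in directives:
        return True
    return "no-cache" in h.get("pragma", "")


def should_grep(resp):
    """Skip 3xx responses that carry no body (nothing for a cache to keep),
    keep grading 3xx responses that do have a body, and never skip 404s,
    since error pages can echo private data such as a user's e-mail address."""
    if 300 <= resp.code < 400 and not resp.body.strip():
        return False
    return True


def missing_cache_protection(responses):
    """Return the ids of responses that would be reported, in insertion order."""
    return [rid for rid, r in responses.items()
            if should_grep(r) and not has_cache_protection(r.headers)]


# Constructed sample, reusing the request ids from the scan output in the thread.
SAMPLE = {
    16: Response(302, {"Location": "/login"}, ""),                        # bare redirect: skipped
    36: Response(404, {"Content-Type": "text/html"},
                 "<p>No profile for bob@example.com</p>"),                 # 404 with PII: reported
    42: Response(200, {"Cache-Control": "private, no-store",
                       "Pragma": "no-cache"}, "<p>balance</p>"),           # protected: not reported
    43: Response(200, {"Cache-Control": "max-age=0"}, "<p>balance</p>"),   # unprotected: reported
    50: Response(301, {}, "<a href='/new'>Moved</a>"),                    # 3xx with body: reported
}


def report(responses=SAMPLE):
    return missing_cache_protection(responses)


if __name__ == "__main__":
    print("would be reported:", report())  # [36, 43, 50]
```

One design choice worth keeping when porting this into a real grep plugin: `Cache-Control: no-cache` on its own is deliberately not accepted as protection, because under RFC 7234 it only forces revalidation before reuse and still lets a cache store the response; `no-store` is the directive that prevents storage. Pragma is accepted only because the finding text in the thread names it alongside Cache-Control.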