Hi all,
OpenVAS-9 is detecting that our NetScaler Gateway VIPs do not have the 
"httpOnly" as well as the "Secure" cookie attribute set on their base 
URLs:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The cookies:

Set-Cookie: NSC_AAAC=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
Set-Cookie: NSC_EPAC=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
Set-Cookie: NSC_USER=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
Set-Cookie: NSC_TEMP=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
Set-Cookie: NSC_PERS=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
Set-Cookie: NSC_BASEURL=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
Set-Cookie: CsrfToken=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
Set-Cookie: CtxsAuthId=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
Set-Cookie: ASP.NET_SessionId=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
Set-Cookie: NSC_TMAA=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT
Set-Cookie: NSC_TMAS=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
Set-Cookie: NSC_TEMP=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT
Set-Cookie: NSC_PERS=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT

are missing the "httpOnly" attribute.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The cookies:

Set-Cookie: NSC_TMAA=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT
Set-Cookie: NSC_TEMP=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT
Set-Cookie: NSC_PERS=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT

are missing the "secure" attribute.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

According to Citrix Support that is not an issue (see below):

"Please note this is by design. For security reasons, NetScaler will 
invalidate all the cookies when they access the base URL. Cookies will only 
be set once the user is authenticated."

Is it possible to fine tune detection?

Thanks, Helmut
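One way to fine tune this kind of check, added here as an example and not part of the original post or of OpenVAS: parse each Set-Cookie header and skip cookies whose Expires date is already in the past (or whose Max-Age is zero or negative), since those are deletion cookies like the 1999-dated ones above, and only report live cookies that lack Secure or HttpOnly. The sample headers are constructed after the scanner output in the post; the live cookie values are placeholders.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the scanner output in the post; the last two
# lines are invented "post-authentication" cookies to show the live case.
SAMPLE_HEADERS = [
    "Set-Cookie: NSC_AAAC=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure",
    "Set-Cookie: NSC_TMAA=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT",
    "Set-Cookie: NSC_TEMP=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT",
    "Set-Cookie: NSC_AAAC=live-placeholder;Path=/;Secure;HttpOnly",
    "Set-Cookie: NSC_USER=live-placeholder;Path=/",
]

def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.strip().split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None  # flag attrs -> None
    return {"name": name.strip(), "value": value, "attrs": attrs}

def is_deletion_cookie(cookie: Dict[str, object], now: datetime) -> bool:
    """True when the server is invalidating the cookie rather than setting a live one."""
    attrs = cookie["attrs"]
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.lstrip("-").isdigit() and int(max_age) <= 0:
        return True
    expires = attrs.get("expires")
    if expires is None:
        return False
    try:  # drop the weekday; the NetScaler format is "Wednesday, 09-Nov-1999 23:12:40 GMT"
        stamp = datetime.strptime(expires.split(",", 1)[-1].strip(), "%d-%b-%Y %H:%M:%S GMT")
    except ValueError:
        return False  # unparseable date: treat as live so it is still reviewed
    return stamp.replace(tzinfo=timezone.utc) <= now

def audit(headers: List[str], now: Optional[datetime] = None) -> List[Tuple[str, List[str]]]:
    """Report (cookie name, missing flags) only for cookies that are actually set."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if is_deletion_cookie(cookie, now):
            continue  # invalidation at the base URL, as Citrix Support describes
        missing = [flag for flag in ("secure", "httponly") if flag not in cookie["attrs"]]
        if missing:
            findings.append((str(cookie["name"]), missing))
    return findings
```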
_______________________________________________
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
