Anyone out there who has experienced this as well and can provide guidance?
Thanks,
Helmut
"Openvas-discuss" <openvas-discuss-boun...@wald.intevation.org> wrote on
04.06.2018 13:09:37:
> From: Helmut Koers <hko...@de.hellmann.net>
> To: openvas-discuss <openvas-discuss@wald.intevation.org>
> Date: 04.06.18 13:09
> Subject: [Openvas-discuss] Cookie attributes missing
> Sent by: "Openvas-discuss" <openvas-discuss-boun...@wald.intevation.org>
>
> Hi all,
> OpenVAS-9 is detecting that our NetScaler Gateway VIPs do not have the
> "httpOnly" as well as the "Secure" cookie attributes set on their base
> URLs:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> The cookies:
>
> Set-Cookie: NSC_AAAC=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
> Set-Cookie: NSC_EPAC=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
> Set-Cookie: NSC_USER=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
> Set-Cookie: NSC_TEMP=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
> Set-Cookie: NSC_PERS=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
> Set-Cookie: NSC_BASEURL=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
> Set-Cookie: CsrfToken=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
> Set-Cookie: CtxsAuthId=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
> Set-Cookie: ASP.NET_SessionId=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
> Set-Cookie: NSC_TMAA=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT
> Set-Cookie: NSC_TMAS=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
> Set-Cookie: NSC_TEMP=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT
> Set-Cookie: NSC_PERS=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT
>
> are missing the "httpOnly" attribute.
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> The cookies:
>
> Set-Cookie: NSC_TMAA=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT
> Set-Cookie: NSC_TEMP=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT
> Set-Cookie: NSC_PERS=***replaced***;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT
>
> are missing the "secure" attribute.
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> According to Citrix Support that is not an issue (see below):
>
> "Please note this is by design. For security reasons, NetScaler will
> invalidate all the cookies when they access base URL. Cookies will
> only set once the user is authenticated."
>
> Is it possible to fine tune detection?
>
> Thanks, Helmut
> _______________________________________________
> Openvas-discuss mailing list
> Openvas-discuss@wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
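
A triage sketch for the report quoted above, added here as an example; it is not part of the original thread and not OpenVAS code. It parses `Set-Cookie` lines in the reported shape, lists missing `Secure`/`HttpOnly` attributes, and separates cookies whose expiry is already in the past (an instruction to the browser to drop the cookie, per RFC 6265) from cookies that are actually being set. The function names and sample headers are constructed, and the "deletion" verdict is a triage heuristic assumed here.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: two lines in the shape of the quoted report plus
# two hypothetical live cookies. Values are placeholders, not real data.
SAMPLE = [
    "Set-Cookie: NSC_AAAC=xxx;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure",
    "Set-Cookie: NSC_TMAA=xxx;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT",
    "Set-Cookie: SESSION_DEMO=abc123;Path=/;Secure",
    "Set-Cookie: PREF_DEMO=dark;Path=/;expires=Friday, 01-Jan-2100 00:00:00 GMT;Secure;HttpOnly",
]
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def parse_expires(text):
    """Parse 'DD-Mon-YYYY HH:MM:SS' (GMT) out of an Expires value, else None."""
    m = re.search(r"(\d{1,2})-([A-Za-z]{3})-(\d{4}) (\d\d):(\d\d):(\d\d)", text)
    if not m or m.group(2).title() not in MONTHS:
        return None
    d, mon, y, hh, mm, ss = m.groups()
    try:
        return datetime(int(y), MONTHS[mon.title()], int(d),
                        int(hh), int(mm), int(ss), tzinfo=timezone.utc)
    except ValueError:  # e.g. 31-Feb
        return None

def triage(header_line, now=None):
    """Return name, missing attributes and a verdict for one Set-Cookie line."""
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header_line.partition(":")[2].split(";")]
    name = parts[0].partition("=")[0]
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in parts[1:])}
    missing = [a for a in ("secure", "httponly") if a not in attrs]
    # Max-Age takes precedence over Expires when both are present (RFC 6265).
    max_age = attrs.get("max-age", "")
    if re.fullmatch(r"-?\d+", max_age):
        expired = int(max_age) <= 0
    else:
        when = parse_expires(attrs.get("expires", ""))
        expired = when is not None and when <= now
    if not missing:
        verdict = "ok"
    elif expired:
        verdict = "deletion"  # cookie is being cleared, not set
    else:
        verdict = "review"    # live cookie without the attribute(s)
    return {"name": name, "missing": missing, "verdict": verdict}

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line))
```

Findings with the "deletion" verdict still merit a check of what the same cookies look like after authentication, since that is when the appliance sets them with real values.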