Initial requests / cookie jar #64

Closed
dma opened this issue May 19, 2013 · 1 comment

dma commented May 19, 2013

Something is causing Vega not to run response processing modules on a very early GET request (the first?). Any cookies sent by the server are stored in the request engine. As a result of this, WackoPicko does not generate an alert for insecure (!HttpOnly) cookies when it should.

To reproduce:

Scan WackoPicko. Note that in the first GET sent by Vega for /, Vega sends a PHPSESSID cookie, which it somehow already has.

dma added a commit to dma/Vega that referenced this issue Aug 20, 2013

dma commented Aug 20, 2013

Fixed by e6514d9. We may want to have a policy where response processing modules run on every response Vega gets. I'm in favor of this, but we'll have to refactor, as the ContentAnalyzer instance is not created until after the probes run.

dma closed this as completed Aug 20, 2013
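The failure mode reported in this issue, as an added example that is not part of the thread and is not Vega's code: a toy scan loop in which the cookie jar keeps cookies from every response while the HttpOnly check only sees responses from a given index onward. The server behaviour (the session cookie is issued only when the request carries none), the cookie value and all function names are assumptions made for the illustration.

```javascript
// Added illustration; not Vega code. All names here are hypothetical.
// Constructed toy server: it issues PHPSESSID only when the request has none.
function server(requestCookies) {
  const headers = [];
  if (!("PHPSESSID" in requestCookies)) {
    headers.push("PHPSESSID=abc123; path=/"); // constructed value, no HttpOnly
  }
  return { setCookie: headers };
}

// Parse one Set-Cookie value into a name, value and lowercase attribute set.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    attrs: new Set(attrs.map((a) => a.split("=")[0].toLowerCase())),
  };
}

// Response check: report every cookie set without the HttpOnly attribute.
function missingHttpOnly(response) {
  return response.setCookie
    .map(parseSetCookie)
    .filter((c) => !c.attrs.has("httponly"))
    .map((c) => c.name);
}

// Toy scan loop: the jar stores cookies from every response, while the
// analyzer only sees responses from index `analyzeFrom` onward.
function scan(requestCount, analyzeFrom) {
  const jar = {};
  const alerts = [];
  for (let i = 0; i < requestCount; i++) {
    const response = server(jar);
    for (const c of response.setCookie.map(parseSetCookie)) jar[c.name] = c.value;
    if (i >= analyzeFrom) alerts.push(...missingHttpOnly(response));
  }
  return alerts;
}

console.log(scan(5, 1)); // first response skipped by the analyzer
console.log(scan(5, 0)); // every response analyzed
```

Because the jar replays the cookie on every later request, the only response carrying the Set-Cookie header is the first one, so a check that skips it never gets a second chance.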