Skip to content
GitLab
Closed
Issue created by Administrator@rootContributor

HttpOnly found in Response but Vulnerability still triggered

Created by: nrathaus

The response contains the HttpOnly tag but the vulnerability still is marked as relevant

Response:

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Expires: -1
Vary: Accept-Encoding
Set-Cookie: ASP.NET_SessionId=t; path=/; secure; HttpOnly
Set-Cookie: ASP.NET_SessionId=t; path=/; secure; HttpOnly
Set-Cookie: _culture=en-US; expires=Thu, 26-Nov-2015 13:56:21 GMT; path=/; secure; HttpOnly
Set-Cookie: __RequestVerificationToken_L=M; path=/; secure; HttpOnly
X-UA-Compatible: IE=edge
x-content-type-options: no sniff
X-Frame-Options: DENY
X-XSS-Protection: 0
Date: Thu, 26 Nov 2015 13:36:21 GMT
Content-Length: 4769

<script src="http://javascript.browser.arachni/taint_tracer.js"></script> <!-- Injected by Arachni::Browser::Javascript -->
<script src="http://javascript.browser.arachni/dom_monitor.js"></script> <!-- Injected by Arachni::Browser::Javascript -->