
After running a Nessus scan, one of its plugins checks for cookie injection called "Web Server Generic Cookie Injection" (https://www.tenable.com/plugins/nessus/44135)

The scan shows that this issue exists on a site. It shows that when injecting JavaScript in the request, it is only displayed in the response. However, the JavaScript is never executed in the response.

So could this finding be considered a false positive? If not, why does Nessus consider it an issue?

  • From the plugin's text: "Please note that : - Nessus did not check if the session fixation attack is feasible. "
    – schroeder
    Commented Feb 24 at 13:59
  • @schroeder so can I consider it a false positive? Or even though it is not executed, is it a MUST fix?
    – anonymous
    Commented Feb 24 at 14:10
  • The Nessus script is pretty simple: vulners.com/nessus/COOKIE_MANIPULATION.NASL. Whether its detection actually applies to your case is up to you. DAST and SAST are mostly for careless mistakes, not for design mistakes. For example, a simple echo service that answers in plain/text what it is given would trigger this issue. We don't know what the tested endpoint does; just look at it and see if it is vulnerable. Nessus is like a TODO list, not a bullet-proof tool for ruling out vulnerabilities.
    Commented Feb 24 at 14:49
  • I might wait on someone else to weigh in on the risks there.
    – schroeder
    Commented Feb 24 at 14:50
  • @MargaretBloom thank you for the explanation. Aside from my question, you differentiated between careless mistakes and design mistakes; if such scans only detect the careless ones, how do we detect design mistakes?
    – anonymous
    Commented Feb 24 at 16:02
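The comments above boil down to one triage question: a cookie value that comes back in the response is only a rendering problem if it lands in an HTML context without output encoding. The script below is an added illustration of that distinction, not code from the question, from the commenters, or from the Nessus plugin. It models three toy endpoints (a vulnerable HTML echo, the plain-text echo the comment mentions, and an HTML echo with escaping), runs a constructed probe value through each, and classifies how the probe came back. The cookie name `session`, the probe string, and all function names are assumptions made for the example; the classification looks only at content type and body, not at other headers.

```python
import html

# Constructed probe value in the style a scanner might place in a cookie:
# harmless, unique, and containing HTML metacharacters so that escaping
# (or its absence) is visible in the response.
PROBE = '<probe-cookie-reflect-0001>'


def parse_cookie_header(header):
    """Minimal Cookie: header parser (name=value pairs separated by ';')."""
    cookies = {}
    for part in header.split(';'):
        if '=' in part:
            name, _, value = part.strip().partition('=')
            cookies[name.strip()] = value.strip()
    return cookies


# --- three hypothetical endpoints; each returns (content_type, body) ---

def vulnerable_echo(cookies):
    """Reflects the raw cookie value into HTML: the browser parses any markup."""
    body = '<p>Your session: ' + cookies.get('session', '') + '</p>'
    return 'text/html; charset=utf-8', body


def plain_text_echo(cookies):
    """Same reflection, served as text/plain: markup is displayed, not rendered.
    This is the echo-service case from the comments: the scanner still flags it."""
    return 'text/plain; charset=utf-8', 'session=' + cookies.get('session', '')


def hardened_echo(cookies):
    """HTML echo with output encoding: the value is shown but never parsed as markup."""
    safe = html.escape(cookies.get('session', ''), quote=True)
    return 'text/html; charset=utf-8', '<p>Your session: ' + safe + '</p>'


def triage(content_type, body, probe):
    """Classify how the probe came back.

    'reflected-unescaped-html' : raw probe inside an HTML response, needs a fix
    'reflected-non-html'       : raw probe in a non-HTML body (e.g. text/plain)
    'reflected-escaped'        : probe present only in HTML-encoded form
    'not-reflected'            : probe absent from the body
    """
    mime = content_type.split(';')[0].strip().lower()
    if probe in body:
        return 'reflected-unescaped-html' if mime == 'text/html' else 'reflected-non-html'
    if html.escape(probe, quote=True) in body:
        return 'reflected-escaped'
    return 'not-reflected'


def run_probe(handler, probe=PROBE):
    """Send the probe to a handler in the 'session' cookie and triage the reply."""
    cookies = parse_cookie_header('session=' + probe + '; theme=dark')
    content_type, body = handler(cookies)
    return triage(content_type, body, probe)


if __name__ == '__main__':
    for handler in (vulnerable_echo, plain_text_echo, hardened_echo):
        print(f'{handler.__name__:18s} -> {run_probe(handler)}')
```

Only the first endpoint is a reflected-XSS sink; the second is the "displayed but never executed" case described in the question, which still deserves a look (a later change of content type, or another consumer of the same value, would turn it into the first case), and the third shows the fix the scanner cannot verify on its own: escaping the value at the point where it is written into HTML.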
