Santandersecurityresearch/DrHeader

Bug when scanning target that does not set cookie in response


  • drHEADer version: 1.0.0
  • Python version: 3.7.6
  • Operating System: macOS 10.13.6

Description

Current rule for Set-Cookie header is:

Set-Cookie:
    Required: Optional
    Enforce: False
    Value:
    Must-Contain:
    - HttpOnly
    - Secure

It is an optional header (not required). However, when scanning a target that does not respond with a Set-Cookie header, DrHeader returns the following error:

----
rule     | Set-Cookie
severity | high
message  | Header not included in response
----

This is not expected behaviour, as the policy states that Set-Cookie is not a required header. Hence, when there is no Set-Cookie in the response, no error should be returned.

What I Did

drheader scan single <target>
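The expected semantics of the rule above, as an added illustration that is not drHEADer's own code: an `Optional` header that is absent produces no finding, a header with `Required: True` that is absent does, and `Must-Contain` is only checked against headers that are actually present. The policy dict mirrors the YAML quoted in the issue; the function names, the finding layout and the severities/messages for the `Must-Contain` case are assumptions, and the sample responses are constructed inline.

```python
"""Minimal evaluator for a drHEADer-style header policy.

Added example, not drHEADer's own implementation. It demonstrates the
behaviour the issue expects: absence of an Optional header is compliant.
"""

from typing import Dict, List

# Policy constructed from the Set-Cookie rule quoted in the issue.
# Note: in YAML, `Required: Optional` is the string "Optional", while
# `Required: True` is a boolean; the evaluator distinguishes the two.
POLICY = {
    "Set-Cookie": {
        "Required": "Optional",
        "Enforce": False,
        "Value": None,
        "Must-Contain": ["HttpOnly", "Secure"],
    },
}


def _directives(header: str, value: str) -> List[str]:
    """Split a header value into lower-cased directive/attribute names.

    Values are ';'-separated; anything after '=' is dropped so that
    'Max-Age=3600' becomes 'max-age'. For Set-Cookie the first part is the
    cookie name=value pair, not an attribute, so it is skipped.
    """
    tokens = [p.strip().split("=", 1)[0].lower()
              for p in value.split(";") if p.strip()]
    if header.lower() == "set-cookie":
        tokens = tokens[1:]
    return tokens


def evaluate(policy: Dict[str, dict], headers: Dict[str, List[str]]) -> List[dict]:
    """Return findings for a response.

    `headers` maps a header name (case-insensitive) to a list of values,
    because Set-Cookie legitimately appears once per cookie in a response.
    Finding layout (rule/severity/message) follows the issue's output table;
    the 'missing' field and the Must-Contain message are assumed here.
    """
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}

    for name, rule in policy.items():
        values = lowered.get(name.lower())

        if values is None:
            # Absence is only a finding when the header is required.
            # An Optional header that is not sent is compliant, which is the
            # behaviour the issue says version 1.0.0 gets wrong.
            if rule.get("Required") is True:
                findings.append({
                    "rule": name,
                    "severity": "high",
                    "message": "Header not included in response",
                })
            continue

        # Must-Contain is evaluated only against headers that are present,
        # and against every occurrence of the header.
        must = rule.get("Must-Contain") or []
        for value in values:
            present = _directives(name, value)
            missing = [m for m in must if m.lower() not in present]
            if missing:
                findings.append({
                    "rule": name,
                    "severity": "high",
                    "message": "Must-Contain value(s) missing: " + ", ".join(missing),
                    "missing": missing,
                    "value": value,
                })
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    no_cookie = {"Content-Type": ["text/html"]}
    good_cookie = {"Set-Cookie": ["session=abc; Path=/; HttpOnly; Secure"]}
    bad_cookie = {"Set-Cookie": ["session=abc; Path=/", "csrf=xyz; Secure"]}

    for label, response in [("no cookie", no_cookie),
                            ("good cookie", good_cookie),
                            ("bad cookie", bad_cookie)]:
        print(label, "->", evaluate(POLICY, response) or "no findings")
```

With this evaluator the first response, which sets no cookie at all, yields no findings, which is the outcome the issue argues the `Required: Optional` rule should produce; only cookies that are present but lack `HttpOnly` or `Secure` are reported.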