Showing posts from April, 2012

Http-Only is not secure [testing]

It's been a while since I posted. I've been bogged down with code reviews and training, but even when you deliver training you learn something new. This is particularly true when training developers keen to learn secure development: the conversations during the course tend to be more about building than breaking.

HTTP - one side of a many-sided coin

So on with today's rant. Many penetration testers still feel that testing an application amounts to testing the HTTP requests and responses between the browser and client: crawl the application, flag interesting parameters and fuzz them using a scanner like OWASP ZAP proxy or whatever. We hope the scanner renders the page as a browser sees it. If it doesn't, how do we know the application's reaction is being detected? Many scanners parse HTML pretty well, but when it comes to JavaScript/jQuery/client-side code execution that's where they fall over. One of the hardest things to do when automating scanning is