In this month's update of the Netsparker Desktop web vulnerability scanner we have included a new technical check for the Set-Cookie HTTP header, along with several product improvements and bug fixes.
Multiple Cookies in HTTP Header
During a scan, the Netsparker web application security scanner checks whether a single Set-Cookie HTTP header field contains multiple cookies. If it does, it alerts you, as shown in the screenshot below.
It alerts you because a Set-Cookie header field should carry only one cookie, as stated in Section 3 (Overview) of RFC 6265:
Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field.
Folding multiple cookies into the same header field can cause a number of technical problems, such as browsers accepting only the first cookie, and the last thing you want in your web application is a problem with HTTP cookies and HTTP sessions. None of this has led to a security issue so far, but one should make an effort to stick to the standard.
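The check described above, as an added example that is not Netsparker's own code: it splits one Set-Cookie field value into the cookies it carries (handling the comma inside an Expires date) and flags any response header field that folds more than one cookie. The sample response headers are constructed here for illustration.

```python
from typing import List, Tuple

def split_folded_set_cookie(value: str) -> List[str]:
    """Return the individual cookies carried by one Set-Cookie header field value.

    Folded fields are comma-joined, but an Expires date also contains a comma
    ("Wed, 09 Jun 2021 ..."), so only commas after the first one inside an Expires
    attribute count as cookie boundaries. Heuristic assumption: cookie values
    themselves contain no commas (RFC 6265 cookie-value excludes them).
    """
    cookies: List[str] = []
    current: List[str] = []          # ';'-separated parts of the cookie being built
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("expires=") and "," in part:
            head, _, rest = part.partition(",")
            segments = rest.split(",")
            segments[0] = head + "," + segments[0]   # re-attach the date's own comma
        else:
            segments = part.split(",")
        current.append(segments[0].strip())
        for seg in segments[1:]:                     # each further comma starts a new cookie
            cookies.append("; ".join(p for p in current if p))
            current = [seg.strip()]
    cookies.append("; ".join(p for p in current if p))
    return [c for c in cookies if c]

def find_folded_set_cookie(raw_headers: str) -> List[Tuple[str, List[str]]]:
    """Scan a raw HTTP response head; report each Set-Cookie field carrying >1 cookie."""
    findings: List[Tuple[str, List[str]]] = []
    for line in raw_headers.splitlines()[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            cookies = split_folded_set_cookie(value.strip())
            if len(cookies) > 1:
                findings.append((value.strip(), cookies))
    return findings

# Constructed sample response (not from the original post): the second
# Set-Cookie field folds two cookies into one header field.
SAMPLE_RESPONSE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sid=abc123; Path=/; HttpOnly; Secure
Set-Cookie: lang=en; Path=/, theme=dark; Expires=Wed, 09 Jun 2021 10:18:14 GMT
"""

if __name__ == "__main__":
    for raw, cookies in find_folded_set_cookie(SAMPLE_RESPONSE_HEADERS):
        print(f"Folded Set-Cookie header ({len(cookies)} cookies): {raw}")
```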
Web Security Checks Improvements and Bug Fixes
With this update we also shipped an improved Content Security Policy security check and improved the coverage of the Boolean SQL Injection engine. There are several other improvements; please refer to the changelog of Netsparker Desktop 220.127.116.1182 for a complete list of improvements and fixes in this version of the Netsparker Desktop web application security scanner.