Insecure cache-control header

Hi, I am getting an insecure cache-control header issue reported for the following response: HTTP/1.1 200 OK Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cach...

Id #5815 | Release: None | Updated: Aug 19, 2013 at 9:35 PM by chrisweber | Created: Aug 18, 2013 at 9:48 AM by webberonline

Javascript check for eval(), strings only

Functions that evaluate strings as JavaScript are only a risk when they are actually evaluating and executing strings. However, setTimeout and setInterval can also take function objects and exec...

Id #5814 | Release: None | Updated: Aug 1, 2013 at 8:40 PM by chrisweber | Created: Aug 1, 2013 at 8:10 PM by rprice

Javascript check for eval() does not ignore comments

Comments containing eval() should be ignored. // item A: restricted from using eval() function // eval("window." + i.toString().toUpperCase() + " = " + n++); //tt_op = (document.defaultView &...

Id #5813 | Release: None | Updated: Dec 13, 2010 at 4:39 PM by chrisweber | Created: Dec 13, 2010 at 4:39 PM by chrisweber

Random thoughts from Adrien

Dump the contents of all JSON arrays, or just flag that a ton of data is being pushed down but not displayed List all hidden or disabled fields Collect all cookies Flag cookies that might be used ...

Id #5810 | Release: None | Updated: Nov 9, 2010 at 9:20 PM by chrisweber | Created: Nov 9, 2010 at 9:20 PM by chrisweber

Add a tree-view display to the results tab

The Results should be available in both a list view (currently working) and a tree-view.  A toggle button/switch should be available to switch between the two. Tree-view results should organize th...

Id #5808 | Release: None | Updated: Nov 9, 2010 at 7:12 PM by chrisweber | Created: Nov 9, 2010 at 7:04 PM by

NEW CHECK - X-Download-Options

The check would see if the Content-Disposition header exists in the response and verify that the 'X-Download-Options: noopen' header is present.

Id #4268 | Release: Watcher v1.5.8 | Updated: Apr 3 at 7:21 PM by ericlaw1979 | Created: Apr 13, 2010 at 6:02 PM by chrisweber

NEW CHECK - Silverlight ExternalCallersFromCrossDomain

After unzipping a .XAP file, review the .XAML manifest file's 'deployment' section for an attribute and value: ExternalCallersFromCrossDomain="ScriptableOnly" When the attribute is set to Script...

Id #3855 | Release: None | Updated: Jan 18, 2010 at 6:40 AM by chrisweber | Created: Jan 18, 2010 at 6:40 AM by chrisweber

Integrate utility class for decompressing Silverlight .XAP files

XAPs follow the ZIP file format? Include a Utility class for decompressing XAP. Reference for unzipping XAP: http://www.sharpgis.net/post/2009/04/21/REALLY-small-unzip-utility-for-Silverlight.a...

Id #3853 | Release: None | Updated: Jan 18, 2010 at 6:21 AM by chrisweber | Created: Jan 18, 2010 at 6:16 AM by chrisweber

Map checks to CWE

Research the CWE IDs that Watcher has checks for, and provide that mapping ID in the 'standards compliance' column for each check.

Id #3852 | Release: None | Updated: Jan 17, 2010 at 8:21 PM by chrisweber | Created: Jan 17, 2010 at 8:21 PM by chrisweber

Access to the path 'C:\Program Files\Fiddler2\Scripts\watcher_exceptions.txt' is denied.

The watcher_exceptions.txt file cannot be created on Vista or Windows 7 systems if Watcher was installed to the 'Program Files' directory. This directory requires administrative permissions to wri...

Id #3839 | Release: Watcher v1.5.8 | Updated: Feb 17 at 1:03 PM by elamid | Created: Jan 15, 2010 at 9:23 PM by chrisweber
