Hi there, I have quickly scanned the Whonix website with the Vega tool, which is included in Kali Linux, just as a quick test. The results showed many of them in the high vulnerability category and some in medium. See this:
1- http://i.imgur.com/ktnHuwo.jpg
2- http://i.imgur.com/ohMqOxR.jpg
3- http://i.imgur.com/MinfUPy.jpg
4- http://i.imgur.com/h0IPbJ7.png
5- http://i.imgur.com/tMww0EU.jpg
And this is the Nikto general scan result:
This is just a sample of the results and I didn't complete the scan to the end, so if you are interested in the results I can show them all, plus I can use other tools if you want.
It's a good thing to look for security vulnerabilities and disclose them, but I have two comments.
It would be proper to ask for permission first.
You should report the results privately over encrypted email to Patrick so it's taken care of first. I'm a fan of public disclosure, but it doesn't really apply here unless it concerns upstream software.
Most of them are false positives or not really serious. Which aren't? The ones where I am not sure what the report is about. More details soon.
1- http://i.imgur.com/ktnHuwo.jpg
We don't have a content security policy:
https://phabricator.whonix.org/T70
It would be nice to have one, but it’s non-trivial to create and there are so many tasks… Help welcome.
2- http://i.imgur.com/ohMqOxR.jpg
It's just a maybe and the answer is, no.
3- http://i.imgur.com/MinfUPy.jpg
whonix.org is SSL-only anyhow. As far as I know, there is no benefit from secure cookies then. Last time I checked, other checkers don't criticize this if it's SSL-only. Tampering with the cookies would likely mean tampering with the webapp and could cause more trouble for no benefit.
4- http://i.imgur.com/h0IPbJ7.png
What's the reported issue?
5- http://i.imgur.com/tMww0EU.jpg
Doesn't show any issue.
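Two of the findings above (a missing Content-Security-Policy header and cookies set without the Secure attribute) are things a site operator can verify locally from a single HTTP response rather than from a scanner screenshot. The script below is an added example written for this thread, not code from the Whonix project or from Vega or Nikto. It runs over constructed sample headers (the CSP value and cookie names are made up for illustration; the thread states whonix.org has no CSP) and reports which of those headers and cookie attributes are absent. The Secure attribute instructs the browser to send a cookie only over HTTPS; HttpOnly keeps it out of reach of page scripts; SameSite limits cross-site sending. The checker flags all three so the operator can decide, as Patrick does above for the SSL-only case, whether each finding matters.

```python
"""Review security-relevant headers in one HTTP response.

Added example for the thread above; not Whonix, Vega or Nikto code.
Input is a list of raw header lines as a scanner would capture them.
"""
from typing import Dict, List

# Constructed sample: the "weak" response has no CSP and a session cookie
# without Secure/HttpOnly/SameSite. Values are illustrative only.
SAMPLE_HEADERS_WEAK = [
    "HTTP/1.1 200 OK",
    "Server: nginx",
    "Content-Type: text/html; charset=UTF-8",
    "Set-Cookie: session=abc123; Path=/",
    "Set-Cookie: lang=en; Path=/; Secure; HttpOnly",
]

# Constructed sample: the same response with a CSP and fully attributed cookie.
SAMPLE_HEADERS_HARDENED = [
    "HTTP/1.1 200 OK",
    "Server: nginx",
    "Content-Type: text/html; charset=UTF-8",
    "Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_headers(lines: List[str]) -> Dict[str, List[str]]:
    """Group header values by lower-cased name.

    Repeated names (typically Set-Cookie) are kept as separate entries
    rather than joined, because each cookie is checked on its own.
    """
    parsed: Dict[str, List[str]] = {}
    for line in lines[1:]:  # first line is the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        parsed.setdefault(name.strip().lower(), []).append(value.strip())
    return parsed


def cookie_attributes(set_cookie_value: str):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    # Attributes such as "Path=/" or bare flags such as "Secure"; compare by name only.
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return cookie_name, attrs


def review(lines: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    headers = parse_headers(lines)
    findings: List[str] = []
    if "content-security-policy" not in headers:
        findings.append("missing Content-Security-Policy header")
    for raw in headers.get("set-cookie", []):
        cookie_name, attrs = cookie_attributes(raw)
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks HttpOnly attribute")
        if "samesite" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks SameSite attribute")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_HEADERS_WEAK), ("hardened", SAMPLE_HEADERS_HARDENED)):
        print(label + ":", review(sample) or ["no findings"])
```

The weak sample yields five findings (the missing CSP plus four cookie attributes); the hardened sample yields none. Feeding the function the header lines of a real response captured with a site operator's permission shows, in plain text, the same facts the scanner screenshots encode.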
hulahoop, yeah, sorry for that, I did it quickly, but when I saw the results I didn't find them serious and I was thinking of just giving a sample and then seeing whether that's good or not. And I didn't fully scan the website.
Patrick, as hulahoop said, I will send all the information related to the scans through email. If you have any alternative way of communicating rather than email, I don't mind that either.
Sorry again if I missed that point, thanks for pointing that out.