Whonix website vulnerability scan results through vega

Website
1

hi there , i have scanned whonix website fastly with vega tool which included in kali linux for just a quick test. the results showed many of them into the high vulnerability and some in the medium. c this:-

1- http://i.imgur.com/ktnHuwo.jpg

2- http://i.imgur.com/ohMqOxR.jpg

3- http://i.imgur.com/MinfUPy.jpg

4- http://i.imgur.com/h0IPbJ7.png

5- http://i.imgur.com/tMww0EU.jpg

and this is nikto general search result:-

this is just a sample for the results and i didnt complete the search to the end , so if u r interesting in the results i can show it all plus i can use another tools if u want.

2

Its a good thing to look for security vulnerabilities and disclose them, but I have a two comments.

It would be proper to ask for permission first.

You should report the results privately over encrypted email to Patrick so its taken care of first. I’m a fan of public disclosure but it doesn’t really apply here unless it concerns upstream software.

3

Most of them are false positives or not really serious. Which aren’t? The ones I am not sure what the report is. More details soon.

4
1- http://i.imgur.com/ktnHuwo.jpg
We don't have a content security policy: https://phabricator.whonix.org/T70

It would be nice to have one, but it’s non-trivial to create and there are so many tasks… Help welcome.

2- http://i.imgur.com/ohMqOxR.jpg
It's just a maybe and the answer is, no.
3- http://i.imgur.com/MinfUPy.jpg
whonix.org is ssl-only anyhow. As far I know, there is no benefit from secure cookies then. Last time I checked, other checks don't criticize this, if it's ssl-only. Tampering with the cookies would likely mean tampering with the webapp and could be causing more trouble for no benefit.
4- http://i.imgur.com/h0IPbJ7.png
What's the reported issue?
5- http://i.imgur.com/tMww0EU.jpg
Doesn't show any issue.
5

hulahoop , yeah sorry for that i did it fastly, but i saw the results i didnt find them serious and i was thinking in just giving a sample and then c if thats good or not. and i didnt fully searched the website.

patrick , as hulahoop said i will send all the information related to scans through the email. if u have any alternative way for communications rather than the emails i dont mind also.

sorry again if i missed that point , thnx for pointing that.