Release 10.2

July 23, 2024

What's New?

New QIDs in the Release

The following new QIDs are introduced in the release:

Vuln ID | Category | Title | Description
150885 | Information Gathered | Children Privacy Policy Act COPPA Found | COPPA gives parents control over what information websites can collect from their kids. WAS identifies privacy pages and analyzes whether COPPA policies are implemented and disclosed.
150858 | Information Gathered | Default Web Directory Paths Found | Common file paths such as /var/www/, /var/lib/www, /usr/local/apache2, /Inetpub/wwwroot, /usr/share, etc. are default web directory paths. Using such paths or directory structures and leaking them in a web application discloses information about the directory layout and the framework in use.

Updated QIDs

The following QIDs are updated in this release:

Vuln ID | Category | Title | Changes
150796 | Information Gathered | Presence of Privacy Policy Information | With the regex improvement, detection happens during the crawl phase for better accuracy.
150798 | Vulnerability | HTTP Method Tampering | Added support for the PUT method: WAS checks whether PUT is absent from the Allow header but still accessible, and reports a vulnerability if an HTTP 200 response is received.
150151 | Vulnerability | Basic Auth over HTTP | Full response headers are now reported for this QID, so you can review the complete headers when debugging this detection.
150298 | Vulnerability | Server Side Request Forgery Found | A new payload is added for detection to avoid false negatives in rare cases; the false positive filtering logic was preventing reporting of a rare SSRF vulnerability.
150146 | Vulnerability | Passive Mixed Content Vulnerability | Updated false positive logic for data URIs such as data:image/base64.
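
The two passive checks described above (default web directory paths in QID 150858, and passive mixed content with data: URIs excluded in QID 150146) can be illustrated with a small response analyzer. This is an added example, not Qualys WAS code; the directory patterns come from the 150858 description, and the sample page URL and HTML body are constructed.

```python
"""Passive checks over a single HTTPS response: default web directory leaks
and passive mixed content. Example code with constructed sample input."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Default web roots named in the QID 150858 description. A leak of one of
# these in a response body reveals the directory layout and often the framework.
DEFAULT_WEB_DIRS = [
    "/var/www/", "/var/lib/www", "/usr/local/apache2", "/Inetpub/wwwroot", "/usr/share",
]
DIR_RE = re.compile("|".join(re.escape(p) for p in DEFAULT_WEB_DIRS), re.IGNORECASE)

# Tags and attributes that load passive content (images, media, stylesheets).
# A plain-http reference inside an https page is passive mixed content.
PASSIVE_ATTRS = {"img": "src", "video": "src", "audio": "src", "source": "src", "link": "href"}


class _PassiveRefs(HTMLParser):
    """Collect the URL attribute of every passive-content tag."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = PASSIVE_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        # Only stylesheet <link> tags fetch a resource the browser renders.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        if a.get(attr):
            self.refs.append(a[attr])


def find_default_dir_leaks(body: str) -> list[str]:
    """Return each default web directory path string found in the body."""
    return sorted({m.group(0) for m in DIR_RE.finditer(body)})


def find_passive_mixed_content(page_url: str, body: str) -> list[str]:
    """Return http:// passive resource references embedded in an https page.

    data: URIs are inline content, not a network fetch, so they are skipped;
    reporting them is the false positive that QID 150146's update removes.
    """
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over TLS
    parser = _PassiveRefs()
    parser.feed(body)
    hits = []
    for ref in parser.refs:
        scheme = urlparse(ref.strip()).scheme.lower()
        if scheme == "data":
            continue
        if scheme == "http":
            hits.append(ref)
    return hits


# Constructed sample response: one inline data: image (must not be reported),
# two plain-http passive resources, one https resource, and a PHP warning that
# leaks the web root.
SAMPLE_URL = "https://app.example.test/account"
SAMPLE_BODY = """<html><body>
<img src="data:image/png;base64,iVBORw0KGgo=">
<img src="http://cdn.example.test/logo.png">
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<img src="https://cdn.example.test/ok.png">
<pre>Warning: include(): failed to open stream in /var/www/html/inc/db.php</pre>
</body></html>"""

if __name__ == "__main__":
    print("default dir leaks:", find_default_dir_leaks(SAMPLE_BODY))
    print("passive mixed content:", find_passive_mixed_content(SAMPLE_URL, SAMPLE_BODY))
```

The mixed-content check deliberately ignores protocol-relative (`//host/path`) and `https://` references as well as `data:` URIs, so only references that would actually be fetched over plain HTTP are reported.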

Enhancement in Crawling JavaScript Function

With this release, Web Application Scanning crawls links whose anchor (<a>) tag calls a JavaScript function, even when no onclick event is present. This lets the crawler reach more links and identify any vulnerabilities present in the web application.
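
To show what crawling such anchors involves, here is an added link extractor (example code, not the Qualys WAS crawler) that pulls navigation targets out of ordinary hrefs, `javascript:` hrefs and onclick handlers. The literal-matching regex, the page URL and the sample HTML are constructed assumptions.

```python
"""Extract crawlable URLs from <a> tags, including anchors whose navigation
lives in a javascript: href or an onclick handler. Constructed sample input."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Quoted string literals inside a JS snippet that look like a path or URL.
# Assumption: links passed to JS functions appear as such literals.
_LITERAL_RE = re.compile(r"""['"]((?:https?://|/)[^'"]*)['"]""")


class _Anchors(HTMLParser):
    """Collect the attribute dict of every <a> tag."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append(dict(attrs))


def extract_links(page_url: str, body: str) -> list[str]:
    """Return absolute URLs reachable from the page's anchors, in document order."""
    parser = _Anchors()
    parser.feed(body)
    found = []
    for a in parser.anchors:
        href = (a.get("href") or "").strip()
        onclick = a.get("onclick") or ""
        candidates = []
        if href.lower().startswith("javascript:"):
            # href="javascript:fn('/path')" carries its target inside the call
            candidates += _LITERAL_RE.findall(href)
        elif href and not href.startswith("#"):
            candidates.append(href)
        # onclick="location.href='/path'" is the other common navigation idiom
        candidates += _LITERAL_RE.findall(onclick)
        for c in candidates:
            url = urljoin(page_url, c)
            if url not in found:
                found.append(url)
    return found


# Constructed sample page covering each anchor style.
SAMPLE_PAGE = "https://app.example.test/home"
SAMPLE_HTML = """
<a href="/reports">Reports</a>
<a href="javascript:openPage('/admin/settings')">Settings</a>
<a href="#" onclick="location.href='/export?format=csv'; return false;">Export</a>
<a href="javascript:void(0)">No-op</a>
<a href="https://other.example.test/help">Help</a>
"""

if __name__ == "__main__":
    for url in extract_links(SAMPLE_PAGE, SAMPLE_HTML):
        print(url)
```

A real crawler would still execute the page's scripts to catch targets built at runtime; static literal extraction is the cheap first pass that recovers the anchors a plain href-only crawler misses.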

Enhanced Standard Authentication to detect more vulnerabilities 

Earlier, Web Application Scanning did not check some login forms. With the advanced standard authentication, Web Application Scanning identifies login forms by their Submit button. This enhancement allows the discovery of more vulnerabilities.

Issues Addressed

The following reported and notable customer issues have been fixed in this release.

Category/Component | Issue
False Positives | We have fixed false positives for headers related to Information Gathered QIDs 150135, 150202, 150204, 150206, and 150210. WAS incorrectly reported false positives for security header QIDs on some applications, such as last-redirected URLs, especially 301 redirects with meta refresh tags.