Release 10.2
July 23, 2024
What's New?
New QIDs in the Release
The following new QIDs are introduced in the release:
Vuln ID | Category | Title | Description |
---|---|---|---|
150885 | Information Gathered | Children Privacy Policy Act COPPA Found | COPPA gives parents control over what information websites can collect from their kids. WAS identifies privacy pages and analyzes if COPPA policies are implemented and disclosed. |
150858 | Information Gathered | Default Web Directory Paths Found | Common file paths such as /var/www/, /var/lib/www, /usr/local/apache2, /Inetpub/wwwroot and /usr/share are default web directory paths. Using such default paths or directory structures and leaking them in a web application discloses information about the directory layout and the framework in use. |
Updated QIDs
The following QIDs are updated in this release:
Vuln ID | Category | Title | Changes |
---|---|---|---|
150796 | Information Gathered | Presence of Privacy Policy Information | With the Regex improvement, detection happens during crawl phase for better accuracy. |
150798 | Vulnerability | HTTP Method Tampering | Added support for the PUT method: WAS checks whether PUT is absent from the Allow header yet still accessible, and reports a vulnerability if an HTTP 200 response is received. |
150151 | Vulnerability | Basic Auth over HTTP | Full response headers are now reported for this QID, so you can review the complete headers when debugging and verifying this detection. |
150298 | Vulnerability | Server Side Request Forgery Found | A new detection payload is added to avoid false negatives in rare cases where the false positive filtering logic prevented a genuine SSRF vulnerability from being reported. |
150146 | Vulnerability | Passive Mixed Content Vulnerability | Updated false positive logic for data URIs such as data:image/base64. |
Enhancement in Crawling JavaScript Function
With this release, Web Application Scanning crawls links whose anchor (<a>) tag contains a JavaScript function, especially when no on-click event is present. This crawls more links and so identifies more of the vulnerabilities present in the web application.
Enhanced Standard Authentication to detect more vulnerabilities
Earlier, Web Application Scanning did not check some login forms. With the enhanced standard authentication, Web Application Scanning now identifies login forms by their Submit button, which allows it to discover more vulnerabilities.
Issues Addressed
The following reported and notable customer issues have been fixed in this release.
Category/Component | Issue |
---|---|
False Positives | We have fixed false positives for headers related to Information Gathered QIDs 150135, 150202, 150204, 150206, and 150210. WAS incorrectly reported these security header QIDs for some applications on the last-redirected URL, especially after 301 redirects with meta refresh tags. |