Release 10.4

November 13, 2024

What's New?

New QIDs

The following new QIDs are introduced in this release:

Vuln ID: 150846
Category: Practice
Title: Potential Business Logic abuse due to failure to perform actions
Description: XMLHttpRequest (XHR) lets a page send data to and receive data from the server without reloading. When such requests fail and the application carries on regardless, the inconsistent state that results can be abused for business logic misuse.

Qualys now detects failing XHR requests to give you visibility into this potential business logic misuse.

Vuln ID: 150847
Category: Practice
Title: Potential Business Logic abuse due to Site Coverage
Description: Sometimes authentication requests fail even when the correct credentials are supplied. This indicates that the authentication mechanism is not behaving as expected and may be open to business logic misuse.

Qualys now detects failed authentication requests, prompting quick action to prevent potential business logic misuse.
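
As an added illustration of what "failing XHR request" detection observes (this is not Qualys code and says nothing about how the scanner itself works), the snippet below patches open() and send() on whatever XMLHttpRequest constructor it is given, records every request that ends in a network error, timeout, abort or HTTP 4xx/5xx, and can be removed again. It is exercised here against a constructed stand-in XHR class with made-up endpoints (/api/cart, /api/ping, /api/flaky) so that it runs offline; in a browser you would pass window.XMLHttpRequest instead.

```javascript
// Added example, not part of the Qualys release or product code.
// Patches open()/send() on the given XHR constructor so every request that ends in a
// network error, timeout, abort or HTTP >= 400 is pushed to `sink`. Returns an undo function.
function installXhrFailureObserver(XhrCtor, sink) {
  const proto = XhrCtor.prototype;
  const origOpen = proto.open;
  const origSend = proto.send;

  proto.open = function (method, url, ...rest) {
    // Remember what is being requested; `this` is the XHR instance.
    this.__obs = { method: String(method).toUpperCase(), url: String(url), status: 0, failed: false, reason: null };
    return origOpen.call(this, method, url, ...rest);
  };

  proto.send = function (...args) {
    const rec = this.__obs || { method: '?', url: '?', status: 0, failed: false, reason: null };
    const finish = (reason) => {
      rec.status = this.status;
      if (reason) { rec.failed = true; rec.reason = reason; }
      sink.push(rec);
    };
    // `load` fires for any HTTP response, including 4xx/5xx; `error` only for transport failures.
    this.addEventListener('load', () => finish(this.status >= 400 ? `http-${this.status}` : null));
    this.addEventListener('error', () => finish('network-error'));
    this.addEventListener('timeout', () => finish('timeout'));
    this.addEventListener('abort', () => finish('aborted'));
    return origSend.apply(this, args);
  };

  return function uninstall() { proto.open = origOpen; proto.send = origSend; };
}

// Constructed stand-in for XMLHttpRequest so the example runs outside a browser.
// Endpoints and responses are made up: /api/cart answers 500, /api/ping 200,
// /api/flaky drops the connection, anything else is 404.
class FakeXhr {
  constructor() { this.status = 0; this.listeners = {}; }
  open(method, url) { this.url = url; }
  addEventListener(name, fn) { (this.listeners[name] = this.listeners[name] || []).push(fn); }
  emit(name) { for (const fn of this.listeners[name] || []) fn(); }
  send() {
    if (this.url === '/api/flaky') { this.emit('error'); return; }
    this.status = { '/api/cart': 500, '/api/ping': 200 }[this.url] || 404;
    this.emit('load');
  }
}

// Drive four requests through the instrumented class and report the ones that failed.
function failedXhrSummary() {
  const sink = [];
  const uninstall = installXhrFailureObserver(FakeXhr, sink);
  for (const url of ['/api/ping', '/api/cart', '/api/flaky', '/api/missing']) {
    const xhr = new FakeXhr();
    xhr.open('post', url);
    xhr.send();
  }
  uninstall();
  return sink.filter(r => r.failed).map(r => `${r.method} ${r.url} -> ${r.reason}`);
}

console.log(failedXhrSummary());
```

The interesting findings are the failures the page swallows: if the UI proceeds to a "order placed" screen after POST /api/cart returned 500, the server-side state and the client-side state have diverged, which is the kind of condition the QID is meant to surface. A real run would also capture fetch() calls, which this hook does not see.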

Updated QIDs

The following QIDs are updated in this release:

Vuln ID: 150051
Category: Vulnerability
Title: Open Redirect
Description: QID 150051 now also detects open redirects by using the Qualys domain (qualys.com) as the redirect target in the base URL and sending crafted request variants designed to bypass redirect filters.

Vuln ID: 150806
Category: Information Gathering
Title: Local Storage or Session Storage Found
Description: QID 150806 now reports up to 5 MB of local and session storage data written by client-side JavaScript.
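
To show why a redirect check needs crafted variants rather than a single external URL, here is an added example (not Qualys code, and not a description of the scanner's own payload set). app.example is a hypothetical scanned host; qualys.com is the external destination the QID uses. A typical string-matching filter is compared with resolving the value through the WHATWG URL parser, which is what a browser does with a Location header or a location.href assignment.

```javascript
// Added example, not Qualys code. `app.example` stands in for the scanned host; qualys.com is
// the external destination the QID uses as its redirect target.
const APP_HOST = 'app.example';

// A typical home-grown redirect filter: "relative path, or it mentions our own host".
function naiveFilterAllows(appHost, value) {
  return value.startsWith('/') || value.includes(appHost);
}

// Host the browser would actually navigate to, resolving `value` the way a Location header
// or location.href assignment would against the application's own origin.
function resolvedHost(appHost, value) {
  try {
    return new URL(value, `https://${appHost}/`).host;
  } catch (e) {
    return null; // unparseable: treat as not safe
  }
}

// Proper check: the resolved host must be exactly the application host.
function isExternalRedirect(appHost, value) {
  const host = resolvedHost(appHost, value);
  return host === null || host !== appHost;
}

// Constructed candidate values for a `?next=` style parameter.
const CANDIDATES = [
  '/account',                        // genuine internal path
  'https://qualys.com',              // blunt external URL, caught by either check
  '//qualys.com',                    // scheme-relative: starts with "/" but leaves the site
  '/\\qualys.com',                   // browsers treat "\" as "/" in https URLs
  'https://app.example@qualys.com',  // app host lands in userinfo, not the host
  'https://qualys.com/app.example',  // app host lands in the path
  'https://app.example.qualys.com',  // app host is a subdomain of the attacker's domain
];

// Values that slip past the naive filter but still redirect off-site.
function bypassingPayloads(appHost, candidates) {
  return candidates.filter(v => naiveFilterAllows(appHost, v) && isExternalRedirect(appHost, v));
}

console.log(bypassingPayloads(APP_HOST, CANDIDATES));
```

Five of the seven candidates pass the naive filter and still land on qualys.com or a qualys.com subdomain; only the bare external URL and the genuine internal path are classified correctly by it. The parser-based check is the one to use on the application side, with an exact host comparison rather than a substring or prefix test.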

Issues Addressed

Category/Component: Standard Authentication
Description: Standard authentication failed for web applications when launching PCI scans because login form fields were categorized incorrectly. We fixed this issue by implementing email/password based standard authentication.

Category/Component: False Positives
Description: We fixed the false positive findings reported for the static-check QIDs 150159, 150161, 150103, 150122 and 150123 by adding a check that identifies cookies belonging to out-of-scope domains. These QIDs no longer report out-of-scope domain cookies.

Category/Component: False Positives
Description: We fixed the false positive findings reported for the session storage QID 150806 by improving the detection logic so that PNG and PDF files are no longer reported.

Category/Component: False Positives
Description: We fixed the false positive findings reported for the passive mixed content QID 150146 by adding a check of the mixed content's source, so that content is no longer flagged when the web application redirects from HTTP to HTTPS.
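
The out-of-scope cookie filter in the second item above is a good candidate for a small worked example. The following is added here and is not Qualys code; it shows one reasonable way to decide whether an observed Set-Cookie header belongs to the scan target, using the domain-matching rule of RFC 6265 section 5.1.3 (a cookie with no Domain attribute is host-only on the responding host). The target host app.example.com and the observed responses are constructed.

```javascript
// Added example, not Qualys code. Decides whether a Set-Cookie header observed during a
// crawl belongs to the scan target, so that static checks on cookie attributes are only
// run against in-scope cookies.

// Minimal Set-Cookie parser: name plus lower-cased attribute map (Domain, Path, Secure, ...).
function parseSetCookie(header) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = { name: eq < 0 ? parts[0] : parts[0].slice(0, eq), attrs: {} };
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : p.slice(i + 1).trim();
  }
  return cookie;
}

// RFC 6265 s5.1.3 domain-match: host equals the domain, or host ends with "." + domain
// and host is not an IP address. A leading dot on the domain is ignored.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, '');
  if (host === domain) return true;
  if (/^\d+(\.\d+){3}$/.test(host)) return false;
  return host.endsWith('.' + domain);
}

// A cookie is in scope if the target host domain-matches the cookie's effective domain.
function cookieInScope(targetHost, responseHost, setCookieHeader) {
  const c = parseSetCookie(setCookieHeader);
  const effectiveDomain = c.attrs.domain ? String(c.attrs.domain) : responseHost; // host-only
  return domainMatches(targetHost, effectiveDomain);
}

// Constructed observations: which host answered, and the Set-Cookie header it sent.
const OBSERVED = [
  { responseHost: 'app.example.com',       setCookie: 'session=abc; Path=/; HttpOnly' },
  { responseHost: 'app.example.com',       setCookie: 'pref=1; Domain=.example.com; Secure' },
  { responseHost: 'cdn.thirdparty.example', setCookie: 'cdn=x; Domain=thirdparty.example' },
  { responseHost: 'auth.example.com',      setCookie: 'sso=y; Domain=auth.example.com' },
  { responseHost: 'analytics.example.net', setCookie: '_ga=z' },
];

// Names of the cookies that should be fed to the static checks for this target.
function inScopeCookieNames(targetHost, observed) {
  return observed
    .filter(o => cookieInScope(targetHost, o.responseHost, o.setCookie))
    .map(o => parseSetCookie(o.setCookie).name);
}

console.log(inScopeCookieNames('app.example.com', OBSERVED));
```

Only session and pref survive: the CDN, analytics and sibling auth.example.com cookies are dropped before any attribute check runs, which is exactly the class of finding the fix removes. A production filter should additionally reject Domain values that are public suffixes (for example Domain=com), which browsers refuse but this example does not model.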