Release 10.5
December 31, 2024
What's New?
New QIDs
The following new QIDs are introduced in this release:
Vuln ID | Category | Title | Description |
---|---|---|---|
150837 | Information Gathered | Missing Brute Force Protection Mechanism |
Account lockout mechanisms are necessary to protect a user account from unauthorized access. Using this mechanism, you can configure unsuccessful authentication attempts before the user account is locked. With this QID, Qualys supports the detection of the missing account lockout mechanism for Brute Force. |
150938 | Information Gathered | Possible DOM XSS |
Exploiting a DOM XSS vulnerability allows attackers to execute malicious scripts in your browsers. This can lead to draft theft, session hijack, website defacement, and malware distribution. With this QID, Qualys reports highly possible DOM XSS vulnerabilities. This prompts you to protect your web resources from exploitable DOM XSS vulnerabilities. |
150288 | Information Gathered | Incorrect Sub Resource Integrity (SRI) Cryptographic Hash |
Subresource Integrity (SRI) enables a browser to deliver web resources without unexpected manipulation using a cryptographic hash provided by users. The absence or broken SRI hash allows attackers to manipulate JavaScript or inject malicious files to the requested resource. This QID detects the absent or broken SRI hashes to protect you from such attacks. |
Updated QIDs
The following QIDs are updated in this release:
Vuln ID | Category | Title | Description |
---|---|---|---|
150320 | Practice | Null Byte Injection | Null Byte Injection technique bypasses sanity check filters by adding URL-encoded null byte characters to user-supplied data. This allows attackers to alter web application logic and get unauthorized access. This QID detects null byte injection into user-supplied data to protect users from unauthorized manipulation of the requested web resource. |
150116 | Information Gathered | Server Authentication Found | The old and new web browsers behaved differently while crawling. The old browsers requested server authentication multiple times, whereas the new browsers requested it only once. We fixed this issue by implementing a solution to remove duplicate QID and text entries using a new request header. |
Issues Addressed
The following important and notable issues are fixed in this release:
Component/Category | Description |
---|---|
Reporting | While scanning some web applications, multiple findings were reported for the same vulnerabilities, which were detected with different URLs. We fixed this issue by updating the differentiators for the URLs. |
False Positives | We fixed the false positives generated by out-of-scope domain links for QID 150806. Now, we only report the in-scope domain links for QID 150806. |
False Positives | We fixed false positives for QID 150206, where it reported that the Content Security Policy (CSP) is not implemented for redirected links even when the user had correctly implemented it. |
False Positives | We fixed false positives for HTTP Strict Transport Security (HSTS) QID 150135, where browsers were receiving headers without HSTS when the catching was enabled for it. Now the false positives will not be reported as the response is received directly from the browser's cache. |
False Positives | We fixed false positives for QID 150124, where the vulnerable URLs with connection errors were reported for the framing test. Now, we skip URLs with connection errors for the framing test. |
False Positives | We fixed false positives for QID 150069, where multiple cookies were sent to the login page, causing login failure. To prevent false positives for QID 150069, we now delete the existing cookies after logout. |
False Positives | We fixed false positives for QIDs 150145 and 150146, where these QIDs were reported for incorrect links. We now report these QIDs only for the original links and not the redirected links. |
False Positives | We fixed false positives for QIDs 150123 and 150159, which were reported for incorrect cookie URLs. We have now updated the logic to manage the cookie URL to resolve this issue. |
False Positives | We fixed false positives for QIDs 150162 and 151015 where the scanner reported AEM-1.12.4 as a vulnerable version for CVE-2015-9251. |
False Positives | We fixed false positives for QID 150568, where out-of-scope links were called during the web application scans by implementing checks to remove out-of-scope links from the scan. |
Standard Authentication | We fixed an issue where the peer domain generated an authentication-related error with error code 401. while crawling. We now send the peer domain URL in the authentication header. |
Scan | We fixed an issue where the non-retest and non-progressive scans reported incorrect detection status for some vulnerabilities by adding checks to avoid scanning stored links for these scans. |
Crawling | We fixed an issue where the NextGen browsers generated timeout errors while downloading the files. |