Release 10.6
March 27, 2025
What's New?
New QIDs
Vuln ID | Category | Title | Description |
---|---|---|---|
150866 | Practice | Insufficient Session or Token Validation | Web forms that are reachable without authentication still need a method to validate the tokens and session IDs they receive; otherwise submissions can be accepted from an unintended context. With this QID, we support the detection of form submissions that are accepted with invalid tokens or session IDs. |
150955 | Information Gathering | Username found in URL | Exposing a username in a URL parameter indicates poor credential handling by the web application, since URLs are recorded in browser history, proxy and server logs, and Referer headers. With this QID, we support the detection of usernames in URL parameters to ensure that web applications handle user credentials securely. |
150228 | Information Gathering | Subdomains Found During Crawling | This QID reports the subdomains found during crawling. |
150789 | Information Gathering | MIME Type Mismatch | A response whose declared Content-Type does not match its actual content may be MIME-sniffed by the browser, which can lead to cross-site scripting or exposure of authentication credentials. With this QID, we support the detection of URLs whose responses carry an incorrect MIME type. |
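The three information-gathering QIDs above are passive checks over crawled responses. The following Python script is an added example, not Qualys code, that implements comparable checks over a handful of constructed responses: a username in a query parameter (QID 150955), subdomains discovered from links (QID 150228), and a declared Content-Type that disagrees with what the response bytes actually are (QID 150789). The parameter-name list, the magic-byte table, the "last two labels" notion of a registrable domain and the sample responses are all assumptions made for illustration; a real scanner uses the full browser sniffing algorithm and a public-suffix list.

```python
"""Passive checks modelled on three WAS information-gathering QIDs.

Constructed example, not Qualys code: the heuristics, parameter names and
sample responses below are assumptions for illustration.
"""
import re
from urllib.parse import parse_qs, urljoin, urlparse

# Query-parameter names treated as carrying a username (assumed list).
USERNAME_PARAMS = {"user", "username", "userid", "uid", "login", "account", "email"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
LINK_RE = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)""", re.I)

# Leading bytes -> media type (small assumed table, not the full sniffing spec).
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"PK\x03\x04", "application/zip"),
]


def username_in_url(url):
    """QID 150955 analogue: (param, value) pairs that look like a username or e-mail."""
    hits = []
    for name, values in parse_qs(urlparse(url).query, keep_blank_values=True).items():
        for value in values:
            if value and (name.lower() in USERNAME_PARAMS or EMAIL_RE.fullmatch(value)):
                hits.append((name, value))
    return hits


def sniff_mime(body):
    """Guess the real media type from the leading bytes (simplified browser-style sniff)."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    head = body[:512].lstrip().lower()
    if head.startswith(b"<!doctype html") or b"<html" in head or b"<script" in head:
        return "text/html"
    if head[:1] in (b"{", b"["):
        return "application/json"
    return None


def mime_mismatch(headers, body):
    """QID 150789 analogue: declared Content-Type vs. what the bytes actually are.

    The nosniff flag is reported with the finding because X-Content-Type-Options:
    nosniff stops the browser from reinterpreting the body as HTML/script.
    """
    h = {k.lower(): v for k, v in headers.items()}
    declared = h.get("content-type", "").split(";")[0].strip().lower()
    sniffed = sniff_mime(body)
    if not sniffed or sniffed == declared:
        return None
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    return {"declared": declared or "(missing)", "sniffed": sniffed, "nosniff": nosniff}


def subdomains_from_links(base_url, html):
    """QID 150228 analogue: hosts under the target's domain referenced by links."""
    base_host = urlparse(base_url).hostname or ""
    # Assumption: the registrable domain is the last two labels (wrong for e.g. co.uk).
    registrable = ".".join(base_host.split(".")[-2:])
    found = set()
    for href in LINK_RE.findall(html):
        host = urlparse(urljoin(base_url, href)).hostname
        if host and host != base_host and host.endswith("." + registrable):
            found.add(host)
    return found


# Constructed sample responses: (url, response headers, body bytes).
SAMPLES = [
    ("https://app.example.com/profile?username=alice&tab=1",
     {"Content-Type": "text/html"},
     b"<!DOCTYPE html><html><a href='https://api.example.com/v1'>api</a>"
     b"<img src='//static.example.com/logo.png'></html>"),
    ("https://app.example.com/download/report",
     {"Content-Type": "text/plain"},
     b"<html><script>alert(1)</script></html>"),
    ("https://app.example.com/api/data?email=bob%40example.com",
     {"Content-Type": "application/json; charset=utf-8"},
     b'{"ok": true}'),
    ("https://app.example.com/files/a.pdf",
     {"Content-Type": "application/octet-stream", "X-Content-Type-Options": "nosniff"},
     b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
]


def scan(samples):
    """Run all three checks over the crawled responses and return findings in order."""
    findings = []
    for url, headers, body in samples:
        for param, value in username_in_url(url):
            findings.append({"qid": 150955, "url": url, "detail": f"{param}={value}"})
        subs = subdomains_from_links(url, body.decode("utf-8", "replace"))
        if subs:
            findings.append({"qid": 150228, "url": url, "detail": ", ".join(sorted(subs))})
        mm = mime_mismatch(headers, body)
        if mm:
            findings.append({"qid": 150789, "url": url, "detail": mm})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f["qid"], f["url"], f["detail"])
```

Two points the samples make that the table entries do not: the third sample shows that a username can appear under a parameter name that is not on any list (an e-mail address), so value-based matching is needed as well; and the fourth shows a mismatch on a response that already sends nosniff, which a triager would rate lower than the second sample, where a browser can treat a text/plain body as HTML.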
Updated QIDs
Vuln ID | Category | Title | Description |
---|---|---|---|
150021 | Information Gathering | Scan Diagnostics | QID 150021 provides various details of the scan's performance and behavior. We have updated this QID to report all the unique HTTP Basic server authentication configurations found on links. Login Brute Force Server Authentication tests now report all the links with these unique configurations, to make clear which links triggered a Login Brute Force launch. |
Issues Addressed
The following notable and important issues are fixed in this release:
Category/Component | Description |
---|---|
False Positives | Web application forms found on HTTPS that do not require authenticated access are susceptible to sniffing attacks and may expose the user's or the web application's sensitive information. QID 150144 detects these forms. With this release, we have fixed the false positives for QID 150144. |
Scan | We fixed an issue where cookie and header manipulation tests were taking too long during web application scans. We have now enabled an express mode feature, which significantly reduces the time needed for cookie and header manipulation tests. |
False Positives | Out-of-scope forms were reported for QID 150144 because the parent link of these forms was not being considered during web application scanning. We no longer report forms for QID 150144 if their parent link is out of scan scope. |
Authentication | We fixed an issue where user authentication to the web application failed due to the presence of unsupported attributes in the login request cookies. To resolve this issue, we have added support for processing cookies with unsupported attributes in login requests. |
Authentication | We fixed an issue where the authentication status was not updated for some of the vulnerability QIDs. Now, we have added support to check the overall authentication status and use it to update the authentication status of QIDs. |
False Negatives | We fixed an issue where QID 150146, which detects passive mixed content vulnerabilities, was not reported by internal scanners. The fix dynamically extracts the scan directory path for internal scanners. |
Refer to the Web Application Detections—February 2025, to see the latest QIDs released for WAS.