New WAS QIDs 150145 & 150146 for Mixed Content Detection

Document created by Sheela Sarva on Jan 15, 2016. Last modified by Robert Dell'Immagine on Jan 18, 2016. Version 3.

Qualys Web Application Scanning (WAS) has added two new detections (vulnerabilities) for active (150145) and passive (150146) mixed content vulnerabilities.

 

Description:

Web applications with mixed content deliver the web page itself to the browser over a secure channel (HTTPS), but deliver additional content such as scripts, images, CSS, etc. over a non-secure channel (HTTP). These non-secure channels can be exploited to forge requests, steal cookies or leak DOM data. WAS detects both types of mixed-content vulnerability, active and passive. The WAS engine now identifies and reports such mixed content links in the web application being scanned.

 

Diagnosis:

Qualys WAS reports QID 150145 if an active mixed content vulnerability is discovered while loading the web page. Content is classified as active mixed content with reference to Mozilla Firefox browser behavior. QID 150145 is severity 2.

 

An active mixed-content vulnerability is reported if any of the following content is discovered being delivered over a non-secure channel when the web page is loaded: <script>, <link>, <iframe>, XMLHttpRequest requests, <object>, applet.

 

Qualys WAS reports QID 150146 if a passive mixed content vulnerability is discovered while loading the web page. Content is classified as passive mixed content with reference to Mozilla Firefox browser behavior. QID 150146 is severity 1.

 

A passive mixed-content vulnerability is reported if any of the following content is discovered being delivered over a non-secure channel when the web page is loaded: images, audio, video.
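As an added illustration (this is not Qualys WAS code), the following Node.js snippet applies the active/passive split described above to the sub-resources of an HTTPS page. It statically scans the HTML for the tags listed in the two paragraphs, resolves each reference against the page URL the way a browser would, and reports only those that end up on http:. All function and constant names, and the sample page, are this example's own constructions; XMLHttpRequest calls happen at run time and are out of reach of a static scan like this one.

```javascript
// Added example, not Qualys WAS code: a minimal static mixed-content scanner
// that uses the active/passive classification from the text above.

// Tag -> attributes that point at a fetched sub-resource (assumed mapping).
const SUBRESOURCE_ATTRS = {
  script: ['src'],
  link: ['href'],
  iframe: ['src'],
  object: ['data'],
  applet: ['codebase', 'archive'],
  img: ['src'],
  audio: ['src'],
  video: ['src', 'poster'],
};

// Active content can run code or alter the DOM; passive content cannot.
// XMLHttpRequest calls occur at run time and need browser instrumentation,
// so this static scan cannot see them.
const ACTIVE_TAGS = new Set(['script', 'link', 'iframe', 'object', 'applet']);
const QID = { active: 150145, passive: 150146 };

// Resolve the reference as a browser would: relative and protocol-relative
// URLs inherit the page's scheme, so only absolute http: references remain.
function resolvesToHttp(ref, pageUrl) {
  try {
    return new URL(ref, pageUrl).protocol === 'http:';
  } catch {
    return false; // unparsable reference: nothing would be fetched
  }
}

function findMixedContent(html, pageUrl) {
  const findings = [];
  // Mixed content only exists on pages that were themselves delivered over HTTPS.
  if (new URL(pageUrl).protocol !== 'https:') return findings;

  const tagRe = /<(script|link|iframe|object|applet|img|audio|video)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    for (const attr of SUBRESOURCE_ATTRS[tag]) {
      const valueMatch = new RegExp(`\\b${attr}\\s*=\\s*["']([^"']*)["']`, 'i').exec(m[2]);
      if (valueMatch && resolvesToHttp(valueMatch[1], pageUrl)) {
        const category = ACTIVE_TAGS.has(tag) ? 'active' : 'passive';
        findings.push({
          tag,
          attr,
          url: new URL(valueMatch[1], pageUrl).href,
          category,
          qid: QID[category],
        });
      }
    }
  }
  return findings;
}

// Constructed sample page for a stand-alone run.
const SAMPLE_PAGE_URL = 'https://shop.example/checkout';
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="https://cdn.example/app.js"></script>
<script src="//cdn.example/legacy.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<img src="/static/hero.png">
<iframe src="http://widgets.example/chat"></iframe>
<video src="https://media.example/intro.mp4" poster="http://media.example/intro.jpg"></video>
</body></html>`;

for (const f of findMixedContent(SAMPLE_HTML, SAMPLE_PAGE_URL)) {
  console.log(`QID ${f.qid} (${f.category}): <${f.tag} ${f.attr}="${f.url}">`);
}
```

On the constructed sample the scanner reports two active findings (the stylesheet and the iframe) and two passive ones (the logo image and the video poster); the protocol-relative script and the root-relative image resolve to https: and are correctly left alone. A real scanner, like the WAS engine, must also observe what the page fetches at run time, which is the only way to catch XMLHttpRequest-based mixed content.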

 

Possible Consequences:

The non-secure channel (HTTP) is not encrypted and is therefore vulnerable to sniffing attacks. These non-secure channels can be exploited for a range of attacks, such as forging requests, stealing cookies or leaking DOM data.

 

Mitigation:

The direct fix for mixed content vulnerabilities is simply to load all sub-resources of the web page over HTTPS.

 

In addition to loading sub-resources over HTTPS, mixed content vulnerabilities can be mitigated using the following two options:

  1. HTTP Strict Transport Security (HSTS)
  2. Content Security Policy (CSP)
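As an added example (not Qualys or browser-vendor code), the Node.js helpers below implement the three mitigations just listed: the primary fix of rewriting absolute http:// sub-resource references to https://, plus the HSTS and CSP response headers that make the browser enforce HTTPS. The helper names, the option names and the sample markup are this example's own assumptions; the header names and the CSP directives `upgrade-insecure-requests` and `block-all-mixed-content` are standard.

```javascript
// Added example, not Qualys code: server-side helpers for the mitigations above.

// Attribute values that start with an absolute http:// reference.
const INSECURE_REF_RE = /\b(src|href|data|poster)\s*=\s*(["'])http:\/\//gi;

// Primary fix: serve the sub-resources themselves over HTTPS. This rewrite
// assumes every referenced host actually answers on HTTPS; verify that before
// deploying, or the browser will simply fail to load the resource.
function upgradeSubresourceUrls(html) {
  return html.replace(INSECURE_REF_RE, (_, attr, quote) => `${attr}=${quote}https://`);
}

// Count of remaining absolute http:// references, for a quick check.
function countInsecureReferences(html) {
  return (html.match(INSECURE_REF_RE) || []).length;
}

// Defence in depth via response headers:
//  - HSTS makes the browser reach this origin (and, optionally, its subdomains)
//    only over HTTPS for max-age seconds. It does not cover third-party hosts.
//  - CSP upgrade-insecure-requests rewrites http: sub-resource fetches to https:
//    inside the browser; block-all-mixed-content refuses them instead.
function mixedContentHeaders({ hstsMaxAge = 31536000, includeSubDomains = true, mode = 'upgrade' } = {}) {
  const hsts = [`max-age=${hstsMaxAge}`, includeSubDomains ? 'includeSubDomains' : null]
    .filter(Boolean)
    .join('; ');
  const csp = mode === 'block' ? 'block-all-mixed-content' : 'upgrade-insecure-requests';
  return {
    'Strict-Transport-Security': hsts,
    'Content-Security-Policy': csp,
  };
}

// Constructed sample markup for a stand-alone run.
const SAMPLE_MARKUP =
  '<link rel="stylesheet" href="http://cdn.example/site.css">\n' +
  '<img src="http://images.example/logo.png">\n' +
  '<script src="https://cdn.example/app.js"></script>\n' +
  "<video src='http://media.example/intro.mp4'></video>";

const FIXED_MARKUP = upgradeSubresourceUrls(SAMPLE_MARKUP);
console.log(`insecure references before: ${countInsecureReferences(SAMPLE_MARKUP)}, after: ${countInsecureReferences(FIXED_MARKUP)}`);
console.log(mixedContentHeaders());
console.log(mixedContentHeaders({ mode: 'block', includeSubDomains: false }));
```

The headers would be set on every HTTPS response of the application; the rewrite belongs in the templating or build step that produces the page. Note that HSTS only governs the origin that sends it, so a third-party CDN referenced over http:// is fixed by the rewrite or by the CSP directive, not by HSTS on the main site.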

 

Additional References:
