The Qualys WAS team continually evaluates the current web application security landscape and the product's capabilities. We also review feedback from customers who use WAS on a regular basis. As a result, some small changes are being made to three WAS detections (QIDs) to better reflect the nature of these issues. This post describes the changes so that all WAS customers can be informed about what is changing and why.
The following changes are being made.
- QID 150053 (Login Form Not Submitted over HTTPS)
The severity of this detection has increased from 3 to 4. The reasoning behind this change is that transmitting login credentials in plaintext (unencrypted) is very dangerous. Anyone who is sniffing network traffic – over public Wi-Fi for example – can easily steal the credentials. The level of risk deserves a rating higher than "medium" as represented by a 3. Bumping the default severity to 4 ("high risk") will bring this detection into better alignment with the accepted industry view on the issue.
- QID 150150 (Form Containing Password Field Served over HTTP)
The severity of this detection has been lowered from 4 to 3. The reasoning here is that, unlike QID 150053, sensitive data is not being transmitted in plaintext. With this detection, the WAS scan identified an HTML form that contained a potentially sensitive input field (where type="password") and the form was served over a non-HTTPS connection. The form therefore originated from an unverified source that is not necessarily trustworthy. This level of risk deserves a "medium" rating instead of "high".
- QID 150025 (Exception at Scan Launch)
The title of this informational QID has changed. This QID is triggered rarely, but in the cases where it occurred, the previous title of "Web Application Scan Configuration Error" was confusing. The new title of "Exception at Scan Launch" better reflects what occurred. One scenario in which this QID may occur is when a multi-scan is set to cancel after a certain amount of time. If the multi-scan has 100 targets ("child scans") and only 85 of them finish within the allotted time, the remaining 15 child scans, although submitted, are not actually launched because the time limit expired. QID 150025 will be reported for each of the 15 scans. The new title is more accurate because there is no configuration error, only an exception when the WAS engine was preparing to launch the scan.