
Why is Qualys attempting brute-force payloads when "minimal" brute-force list is set in Option Profile?

Question asked by Jamie Crow on May 30, 2019
Latest reply on Jun 6, 2019 by Ed Arnold

I have the system list set to "Minimal" in my profile, which is described as trying "Empty passwords + UID" as the only brute-force attempt the scan will try. However, I recently ran across a scan that came back with QID 150049 - Login Brute Force Vulnerability.


The payload in question (below) looks like it successfully used "guest" for the UID and password. This is obviously different than what is defined in the "Minimal" brute-force list associated with my profile.

Payload: user=guest&pass=g****&login=front&utcdelta=0&button_id=&WasNoName_S_5_=1

Upon researching the QID, I see that it is stated that the scan will try to use "...a pre-defined/system list internal to the scanner" in addition to what is defined in the Option Profile.

Question: If I remove this QID from my option profile, will the scan still attempt the "Minimal" list defined via the Option Profile? Given that this particular profile is used for scanning production systems, there is no appetite for potentially causing issues associated with brute-force testing--at least beyond that of testing an empty password.