Vulnerability issue in HATS App.

2 replies; latest post 2012-10-10T01:06:48Z by RonCraig

razak_khan
2012-09-28T16:41:28Z
I ran AppScan and found the following vulnerability.

WASC Threat Classification
Application Privacy Tests

Possible Causes
The web server or application server are configured in an insecure way. Sensitive information might have been cached by your browser

Reasoning: The test response is very similar to the original response. This indicates that the resource was successfully accessed using HTTP instead of HTTPS.
What does this mean by "The web server or application server are configured in an insecure way"? Could anyone please suggest any workaround for such vulnerabilities?
Thanks,
Razak
    george.baker

    Re: Vulnerability issue in HATS App.

    2012-10-02T18:45:13Z
    I believe that AppScan found a JSP that contains a password and there is no tag to disable the caching of the password by the browser, e.g. autocomplete="off". I had a client who complained of the same item, so I did some research and found that the autocomplete tag is an HTML5 supported tag. As best I know, HATS does not support HTML5. According to the items I've found on the internet, this tag is not supported in HTML4 by all browsers.

    I've not confirmed any of this with IBM, but would like IBM to comment.
    RonCraig

    Re: Vulnerability issue in HATS App.

    2012-10-10T01:06:48Z
    > I believe that AppScan found a JSP that contains a password and there is no tag to disable the caching of the password by the browser, e.g. autocomplete="off". I had a client who complained of the same item, so I did some research and found that the autocomplete tag is an HTML5 supported tag. As best I know, HATS does not support HTML5. According to the items I've found on the internet, this tag is not supported in HTML4 by all browsers.
    >
    > I've not confirmed any of this with IBM, but would like IBM to comment.
    The vulnerability explanation says the same data is accessible by both http and https. It could simply be that the app server is not configured to require https. That's the most likely cause of the original poster's issue.
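    An added example (not from this thread, and not IBM or HATS code) of how the "require https" fix RonCraig describes looks on a Java EE container such as the WebSphere server that hosts HATS applications: a web.xml security-constraint with a CONFIDENTIAL transport-guarantee makes the container refuse or redirect plain-HTTP requests for the covered URL pattern. The script embeds a constructed descriptor that protects only /admin/* beside the corrected catch-all version and reports which one still leaves resources reachable over HTTP; the descriptor contents and the /admin/* pattern are assumptions made for the example.

```python
"""Check a Java EE web.xml for URL patterns that are not forced onto HTTPS.

Added example, not from the thread. A Servlet container redirects or rejects
plain-HTTP requests only for URL patterns covered by a <security-constraint>
whose <transport-guarantee> is CONFIDENTIAL; everything else is served over
HTTP as well, which is what the AppScan finding describes.
"""
import xml.etree.ElementTree as ET

# Constructed sample (assumption for the example): only /admin/* is protected.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample: the corrected descriptor covers every URL in the app.
FIXED_WEB_XML = WEAK_WEB_XML.replace("/admin/*", "/*")


def https_only_patterns(web_xml: str) -> set:
    """Return the url-patterns whose constraint demands CONFIDENTIAL transport."""
    root = ET.fromstring(web_xml)
    # Keep the namespace prefix so tag lookups match the namespaced descriptor.
    ns = root.tag.split("}")[0] + "}" if root.tag.startswith("{") else ""
    patterns = set()
    for sc in root.iter(f"{ns}security-constraint"):
        tg = sc.findtext(f"{ns}user-data-constraint/{ns}transport-guarantee", default="NONE")
        if tg.strip().upper() != "CONFIDENTIAL":
            continue  # INTEGRAL or NONE does not force HTTPS
        for wrc in sc.iter(f"{ns}web-resource-collection"):
            patterns.update(p.text.strip() for p in wrc.iter(f"{ns}url-pattern") if p.text)
    return patterns


def allows_plain_http(web_xml: str) -> bool:
    """True when some URL stays reachable over HTTP: only "/*" counts as full coverage."""
    return "/*" not in https_only_patterns(web_xml)


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(f"{name}: plain HTTP allowed = {allows_plain_http(xml)}")
```

    A pattern narrower than /* leaves the HATS JSPs outside it on plain HTTP, so the check deliberately treats anything but the catch-all as a finding.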