I ran AppScan and found the following vulnerability.
WASC Threat Classification
Application Privacy Tests
The web server or application server are configured in an insecure way. Sensitive information might have been cached by your browser.
Reasoning: The test response is very similar to the original response. This indicates that the resource was successfully accessed using HTTP instead of HTTPS.
What does "The web server or application server are configured in an insecure way" mean? Could anyone please suggest a workaround for such vulnerabilities?
george.baker
Re: Vulnerability issue in HATS App. 2012-10-02T18:45:13Z
This is the accepted answer.
I believe that AppScan found a JSP that contains a password and there is no tag to disable the caching of the password by the browser, e.g. autocomplete="off". I had a client who complained of the same item, so I did some research and found that the autocomplete tag is an HTML5 supported tag. As best I know, HATS does not support HTML5. According to the items I've found on the internet, this tag is not supported in HTML4 by all browsers.
I've not confirmed any of this with IBM, but would like IBM to comment.
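As an added example, not code from this thread, from IBM or from the HATS product, the following servlet filter addresses the two points raised above from the defender's side: the scan's reasoning that the page was reachable over plain HTTP, and the concern that a browser may keep a copy of a page containing a password. HATS applications are deployed as Java EE web applications, so a filter registered in web.xml is the usual place for such headers. The class name `NoCacheFilter` and the URL pattern in the comment are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter name; map it in web.xml to the JSPs that render sensitive data.
public class NoCacheFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The scan reasoned that the resource was served over HTTP as well as HTTPS.
        // Refuse to serve it in the clear: send the client to the HTTPS equivalent
        // of the same URL instead of rendering the page.
        if (!request.isSecure()) {
            String target = request.getRequestURL().toString().replaceFirst("^http:", "https:");
            response.sendRedirect(target);
            return;
        }

        // Headers must be set before the JSP starts writing the body, so set them first.
        // HTTP/1.1: do not store this response anywhere (browser cache, proxy, disk).
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        // HTTP/1.0 caches and older proxies honour Pragma rather than Cache-Control.
        response.setHeader("Pragma", "no-cache");
        // An Expires date in the past marks the response as already stale.
        response.setDateHeader("Expires", 0);

        chain.doFilter(request, response);
    }

    public void destroy() { }
}

/*
  Registration in WEB-INF/web.xml (the URL pattern is an assumption; narrow it
  to the pages that actually carry credentials or host data):

    <filter>
        <filter-name>NoCacheFilter</filter-name>
        <filter-class>NoCacheFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>NoCacheFilter</filter-name>
        <url-pattern>*.jsp</url-pattern>
    </filter-mapping>
*/
```

The headers cover the "might have been cached by your browser" part of the finding regardless of HTML version, which matters because the filter runs on the server and does not depend on browser support for HTML5 attributes. The `autocomplete="off"` attribute discussed in the answer is a per-field markup change and would still have to be added to the password input in the JSP itself; a filter cannot inject it. After deploying, re-run the scan and also check the raw response with a browser's network tool to confirm that `Cache-Control: no-store` is present on the flagged page and that the plain-HTTP request now returns a redirect rather than the page content.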
RonCraig
Re: Vulnerability issue in HATS App. 2012-10-10T01:06:48Z
This is the accepted answer.
- george.baker