• 1 reply
  • Latest Post - ‏2013-02-26T16:35:06Z by NicChop
403 Posts

Pinned topic Encryption Not Enforced

2013-02-26T15:32:42Z
AppScan reported this error: Encryption Not Enforced
manipulated from: https to: http
manipulated from: 443 to: 80
Header manipulated from: to:

Reasoning: The test response is very similar to the original response. This indicates that the resource was successfully accessed using HTTP instead of HTTPS.
Test Requests and Responses:
GET /Site/Page.asp?RID=1 HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: --begin_mark_tag--http--end_mark_tag--s://
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30;.NET4.0C; .NET4.0E)

But we have removed HTTP and port 80 at the F5 level, and users can't browse the site using http://. I don't see any response in the report related to http:// either.

We are using "AppScan Standard, Rules: 1524"

Is it an AppScan bug?
  • NicChop
    5 Posts

    Re: Encryption Not Enforced


    To really dig into this we'd need to look at the test traffic. Best thing to do would be to log a PMR with us.

    This technote tells you what we'd need:

    And here's where to log a PMR:
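
One way to triage this kind of finding by hand, as an added example that is not part of the original posts and is not AppScan's own logic: classify the outcome of re-requesting the page over http:// against the HTTPS baseline. The function name, result labels, the 0.9 similarity threshold and the sample responses are all assumptions constructed for illustration.

```python
import difflib

REDIRECTS = (301, 302, 303, 307, 308)

def classify_plaintext_probe(baseline, probe, threshold=0.9):
    """Triage an http:// re-request of a page normally served over https://.

    baseline / probe: dicts with "status", "headers" and "body".
    probe is None when nothing accepted the connection on port 80.
    threshold is an assumed similarity cut-off, not a value used by AppScan.
    """
    if probe is None:
        return "not-reachable"            # listener removed, as the poster describes
    if not 200 <= baseline["status"] < 300:
        # Two matching error pages look "very similar" but prove nothing.
        return "inconclusive-baseline"
    if probe["status"] in REDIRECTS:
        location = probe["headers"].get("Location", "")
        if location.lower().startswith("https://"):
            return "redirect-to-https"
        return "redirect-elsewhere"
    if probe["status"] >= 400:
        return "rejected"
    ratio = difflib.SequenceMatcher(None, baseline["body"], probe["body"]).ratio()
    return "served-over-http" if ratio >= threshold else "different-content"

# Constructed sample responses (not taken from the scan report in this thread).
PAGE = "<html><body><h1>Record 1</h1><p>Account details</p></body></html>"
BASELINE = {"status": 200, "headers": {}, "body": PAGE}
SAMPLES = {
    "listener removed": None,
    "redirect": {"status": 301, "body": "",
                 "headers": {"Location": "https://app.example.test/Site/Page.asp?RID=1"}},
    "same page in clear": {"status": 200, "headers": {}, "body": PAGE},
    "blocked": {"status": 403, "headers": {}, "body": "Forbidden"},
}

if __name__ == "__main__":
    for name, probe in SAMPLES.items():
        print(name, "->", classify_plaintext_probe(BASELINE, probe))
```

Only the "served-over-http" outcome matches the reasoning quoted in the report; the other outcomes are the cases to check before treating the finding as confirmed.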