1 reply Latest Post - ‏2013-02-26T16:35:06Z by NicChop
SystemAdmin

Pinned topic Encryption Not Enforced

‏2013-02-26T15:32:42Z |
AppScan reported this error: Encryption Not Enforced
Difference:
manipulated from: https to: http
manipulated from: 443 to: 80
Header manipulated from: q2web.mercerhrs.com to: q2web.mercerhrs.com:80

Reasoning: The test response is very similar to the original response. This indicates that the resource was successfully accessed using HTTP instead of HTTPS.
Test Requests and Responses:
GET /Site/Page.asp?RID=1 HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: --begin_mark_tag--http--end_mark_tag--s://product.site.com/folder/test.asp
Host: --begin_mark_tag--product.site.com:80--end_mark_tag--
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30;.NET4.0C; .NET4.0E)
But we have removed http and port 80 at the F5 level, and users can't browse the site using http://. I don't see any response related to http:// in the report either.

We are using "AppScan Standard 8.6.0.1, Rules: 1524"

Is it an AppScan bug?
Updated on 2013-02-26T16:35:06Z at 2013-02-26T16:35:06Z by NicChop
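An added example, not part of the original posts and not AppScan's own logic: one way to triage an "Encryption Not Enforced" finding is to classify what the plain-HTTP request actually returned before comparing bodies. The function name, the 0.9 similarity cutoff and the sample responses are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: illustrative cutoff for "very similar"; not AppScan's real value.
SIMILARITY_THRESHOLD = 0.9

def classify_http_probe(https_body, probe):
    """Triage the reply to an HTTPS page re-requested over plain HTTP.

    probe is None when the port-80 connection was refused or timed out,
    otherwise a dict with 'status', 'headers' (lower-case keys) and 'body'.
    """
    if probe is None:
        return "enforced: no plain-HTTP listener"
    status = probe["status"]
    if 300 <= status < 400:
        location = probe["headers"].get("location", "")
        if urlsplit(location).scheme == "https":
            return "enforced: redirected to HTTPS"
        return "review: redirect does not target HTTPS"
    if status >= 400:
        return "enforced: request rejected"
    ratio = SequenceMatcher(None, https_body, probe["body"]).ratio()
    if ratio >= SIMILARITY_THRESHOLD:
        return "not enforced: same content served over HTTP"
    return "review: different content served over HTTP"

# Constructed sample data (not taken from the report above).
HTTPS_BODY = "<html><body><h1>Page 1</h1><p>Account summary</p></body></html>"
SAMPLES = {
    "refused": None,
    "redirect": {"status": 301, "body": "",
                 "headers": {"location": "https://product.site.com/Site/Page.asp?RID=1"}},
    "same page": {"status": 200, "headers": {}, "body": HTTPS_BODY},
    "other page": {"status": 200, "headers": {},
                   "body": "<html><body>Service unavailable</body></html>"},
}

def triage_samples():
    return {name: classify_http_probe(HTTPS_BODY, p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name}: {verdict}")
```

Only the "same page" case matches the reasoning quoted in the report; a refused connection or a redirect to https:// on port 80 is consistent with HTTP having been disabled at the load balancer.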
  • NicChop

    Re: Encryption Not Enforced

    ‏2013-02-26T16:35:06Z  in response to SystemAdmin
    Hello,

    To really dig into this we'd need to look at the test traffic. Best thing to do would be to log a PMR with us.

    This technote tells you what we'd need:

    http://www-01.ibm.com/support/docview.wss?uid=swg21295428

    And here's where to log a PMR:

    http://www-01.ibm.com/support/docview.wss?uid=swg21189715