-
-
Notifications
You must be signed in to change notification settings - Fork 750
HelpAddonsPscanrulesBetaPscanbeta
The following beta quality passive scan rules are included in this add-on:
This check identifies responses where the HTTP Content-Type header declares a charset different from the charset defined by the body of the HTML or XML. When there's a charset mismatch between the HTTP header and content body Web browsers can be forced into an undesirable content-sniffing mode to determine the content's correct character set.
The scanner handles various conditions depending on the Threshold set for the scanner, as follows:
-
All Thresholds:
- Header Versus Meta Content-Type Charset - The declaration in the HTTP Content-Type header doesn't match what is declared in a META Content-Type tag.
- Header Versus Meta Charset - The declaration in the HTTP Content-Type header doesn't match what is declared in a META Charset tag.
-
Low Threshold:
- Meta Content-Type Charset Missing - The response doesn't contain a META Content-Type declaration, which may overlook older clients.
- Meta Charset Versus Meta Content-Type Charset - The response contains both a META Content-Type declaration and a META Charset declaration, and they don't match.
Further reference: http://www.w3.org/TR/html401/charset.html#h-5.2.2 http://www.w3.org/TR/html5/document-metadata.html#charset
Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com.
The CSRFCountermeasures plugin identifies "potential" vulnerabilities with the lack of known CSRF countermeasures in pages with forms.
At HIGH alert threshold only scans messages which are in scope.
Post 2.5.0 you can specify a comma separated list of identifiers in the rules.csrf.ignorelist parameter via the Options 'Rule configuration' panel. Any FORMs with a name or ID that matches one of these identifiers will be ignored when scanning for missing Anti-CSRF tokens. Only use this feature to ignore FORMs that you know are safe, for example search forms.
This passive scanner checks the content of web responses for known Debug Error message fragments. Access to such details may provide a malicious individual with means by which to further abuse the web site. They may also leak data not specifically meant for end user consumption. Note: Javascript responses are only assessed at LOW thresehold.
Attempts to identify the existence of sensitive details within the visited URIs themselves (this may include parameters, document names, directory names, etc.).
Identifies the existence of sensitive details within the the Referrer header field of HTTP requests (this may include parameters, document names, directory names, etc.).
Analyzes web content to identify comments which contain potentially sensitive details. Which may lead to further attack or exposure of unintended data.
HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network.
The response at the following URL contains a ViewState value that has no cryptographic protections.
Searches response content for HTML forms which fail to specify an action element. Version 3 of the Java Servlet spec calls for aggregation of query string and post data elements which may result in unintended handling of user controlled data. This may impact other frameworks and technologies as well.
Attempts to identify VIEWSTATE parameters and analyze said parameters for various best practices or protective measures such as:
- Those based on ASP.NET 1.0 and 1.1.
- VIEWSTATE Lacking signature.
- Split VIEWSTATE.
- VIEWSTATE containing email or IP patterns.