OWASP_2025_A04 on ZAP

Authentication Credentials Captured

Mon, 01 Jan 0001 00:00:00 +0000

An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted. The attacker eavesdrops on the network until an authentication has completed.

Generic Padding Oracle

Mon, 01 Jan 0001 00:00:00 +0000

By manipulating the padding on an encrypted string, an attacker is able to generate an error message that indicates a likely ‘padding oracle’ vulnerability. Such a vulnerability can affect any application or framework that uses encryption improperly, such as some versions of ASP.net, Java Server Faces, and Mono. An attacker may exploit this issue to decrypt data and recover encryption keys, potentially viewing and modifying confidential data. This rule should detect the MS10-070 padding oracle vulnerability in ASP.net if CustomErrors are enabled for that.

Heartbleed OpenSSL Vulnerability

Mon, 01 Jan 0001 00:00:00 +0000

The TLS implementation in OpenSSL 1.0.1 before 1.0.1g does not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.

Heartbleed OpenSSL Vulnerability (Indicative)

Mon, 01 Jan 0001 00:00:00 +0000

The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.

HTTP Only Site

Mon, 01 Jan 0001 00:00:00 +0000

The site is only served under HTTP and not HTTPS.

HTTP to HTTPS Insecure Transition in Form Post

Mon, 01 Jan 0001 00:00:00 +0000

This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed.

HTTPS Configuration

Mon, 01 Jan 0001 00:00:00 +0000

Performs HTTPS configuration analysis including certificate details and supported cipher suites.

HTTPS Content Available via HTTP

Mon, 01 Jan 0001 00:00:00 +0000

Content which was initially accessed via HTTPS (i.e.: using SSL/TLS encryption) is also accessible via HTTP (without encryption).

HTTPS Security Configuration Issues

Mon, 01 Jan 0001 00:00:00 +0000

The HTTPS configuration has one or more security issues identified by the TLS risk assessment.

HTTPS to HTTP Insecure Transition in Form Post

Mon, 01 Jan 0001 00:00:00 +0000

This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they’re submitting data to a secure page when in fact they are not.

Weak Authentication Method

Mon, 01 Jan 0001 00:00:00 +0000

HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network.