Details
Alert Id 10041
Alert Type Passive
Status release
Risk
CWE
WASC
Technologies Targeted All
Tags OWASP_2017_A06
OWASP_2021_A02
WSTG-V42-CRYP-03

Summary

This passive check looks for pages served over plain HTTP that contain forms whose action is an HTTPS URL. Although the form data itself would be submitted over TLS, the page that delivers the form is not protected: an attacker positioned on the network (MITM) can modify the HTML in transit, rewriting the form's action to an attacker-controlled URL or injecting a spoofed form, so the user's credentials or other submitted data never reach the intended HTTPS endpoint. Encrypting only the submission therefore gives no real protection when the page hosting the form is unencrypted.
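The following is an added illustration of the check described above, written here in Python rather than taken from the project's Java rule. It resolves every form action against the page URL so that relative, scheme-relative ("//host/path") and mixed-case ("HTTPS://") actions are judged by their effective scheme, and it only examines pages that were themselves fetched over HTTP. The page URL and HTML are constructed sample input, not real sites; the function name https_forms_on_http_page is an assumption of this example and not an identifier from the project.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> element in a document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        if tag != "form":
            return
        attr_map = {name: (value or "") for name, value in attrs}
        # A form with no action attribute submits to the page's own URL,
        # which on an HTTP page is still HTTP, so an empty action is kept
        # and resolved like any other.
        self.actions.append(attr_map.get("action", ""))


def https_forms_on_http_page(page_url, html):
    """Return the resolved action URLs of forms that post to HTTPS from an HTTP page.

    Only pages delivered over plain HTTP are examined; each form action is
    resolved against the page URL so the effective scheme is compared, not
    the raw attribute text.
    """
    if urlsplit(page_url).scheme != "http":
        return []  # page itself is delivered over TLS: the check does not apply

    collector = _FormActionCollector()
    collector.feed(html)

    flagged = []
    for action in collector.actions:
        resolved = urljoin(page_url, action.strip())
        if urlsplit(resolved).scheme == "https":
            flagged.append(resolved)
    return flagged


# Constructed sample input (hypothetical hosts): a login page delivered over HTTP.
SAMPLE_PAGE_URL = "http://shop.example/login"
SAMPLE_HTML = """
<html><body>
  <!-- flagged: submits to HTTPS from an HTTP page -->
  <form method="post" action="https://pay.example/submit">
    <input name="card"><input type="submit">
  </form>
  <!-- not flagged: relative action stays on the page's HTTP origin -->
  <form method="post" action="/search"><input name="q"></form>
  <!-- not flagged: no action means the page's own (HTTP) URL -->
  <form method="post"><input name="coupon"></form>
  <!-- not flagged: scheme-relative action inherits http from the page -->
  <form method="post" action="//pay.example/submit"><input name="x"></form>
  <!-- flagged: the scheme comparison is case-insensitive -->
  <form method="post" action="HTTPS://auth.example/login"><input name="user"></form>
</body></html>
"""


if __name__ == "__main__":
    for url in https_forms_on_http_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("HTTPS form hosted on HTTP page:", url)
    # The remediation from the Solution section: the same markup delivered
    # over HTTPS produces no findings.
    print(https_forms_on_http_page("https://shop.example/login", SAMPLE_HTML))
```

Running the block prints the two offending actions and then an empty list for the HTTPS-served copy of the same page, which is the condition the Solution section asks for.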

Solution

Serve the landing page that hosts the form over HTTPS, not just the form's submission endpoint, so the form markup cannot be altered in transit, and redirect the page's HTTP URL to its HTTPS equivalent. Note that a redirect alone still leaves the first plaintext request open to interception; HTTP Strict Transport Security (HSTS) removes that window for returning browsers.

Other Info

References

Code

org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java