Details
Alert ID: 10041
Alert Type: Passive
Status: release
Risk: Medium
CWE: 319
WASC: 15
Technologies Targeted: All
Tags: CWE-319, OWASP_2017_A06, OWASP_2021_A02, WSTG-V42-CRYP-03
More Info: Scan Rule Help

Summary

This check looks for pages served over plain HTTP that host forms whose action points to an HTTPS URL. The problem is that the insecure HTTP page can easily be hijacked through a man-in-the-middle (MITM) attack, so the secure HTTPS form it hosts can be replaced or spoofed before the user ever submits it.

Solution

Use HTTPS for landing pages that host secure forms.
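As an added illustration of the condition this rule detects (example code written for this page, not ZAP's InsecureFormLoadScanRule), the following Python function flags HTTPS form actions found in a response that was fetched over plain HTTP and builds an Other Info string in the same shape as the one shown below; the request URL and HTML body are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _FormCollector(HTMLParser):
    """Records each <form> start tag's action attribute and its raw source text."""

    def __init__(self):
        super().__init__()
        self.forms = []  # (action value or None, raw "<form ...>" text)

    def handle_starttag(self, tag, attrs):
        if tag == "form":  # HTMLParser lowercases tag and attribute names
            self.forms.append((dict(attrs).get("action"), self.get_starttag_text()))

def find_insecure_form_loads(request_url, response_body):
    """Return one finding per HTTPS form hosted in a response fetched over plain HTTP.

    A response fetched over HTTPS is the secure configuration and yields nothing;
    forms with relative or http:// actions are not this rule's pattern and are skipped.
    """
    if urlsplit(request_url).scheme.lower() != "http":
        return []
    collector = _FormCollector()
    collector.feed(response_body)
    findings = []
    for action, context in collector.forms:
        if action and urlsplit(action.strip()).scheme.lower() == "https":
            findings.append({
                "action": action,
                "context": context,
                "other_info": (
                    "The response to the following request over HTTP included an "
                    f"HTTPS form tag action attribute value: {request_url} "
                    f"The context was: {context}"
                ),
            })
    return findings

# Constructed sample response, not captured traffic: one HTTPS form and one relative form.
INSECURE_LANDING_PAGE = (
    '<html><body><form name="someform" action="https://example.com/processform">'
    '<input name="user"><input name="pass" type="password"></form>'
    '<form action="/search"><input name="q"></form></body></html>'
)

if __name__ == "__main__":
    for finding in find_insecure_form_loads("http://example.com", INSECURE_LANDING_PAGE):
        print(finding["other_info"])
```

Serving the same page at https://example.com makes the function return an empty list, which is the fix the Solution describes.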

Other Info

The response to the following request over HTTP included an HTTPS form tag action attribute value: http://example.com
The context was: <form name="someform" action="https://example.com/processform">

References

Code

org/zaproxy/zap/extension/pscanrules/InsecureFormLoadScanRule.java