Details
Alert ID 10042
Alert Type Passive
Status release
Risk Medium
CWE 319
WASC 15
Technologies Targeted All
Tags CWE-319
OWASP_2017_A06
OWASP_2021_A02
POLICY_DEV_STD
POLICY_PENTEST
POLICY_QA_STD
WSTG-V42-CRYP-03
More Info Scan Rule Help

Summary

This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they’re submitting data to a secure page when in fact they are not.

Solution

Ensure sensitive data is only sent over secured HTTPS channels.

Other Info

The response to the following request over HTTPS included an HTTP form tag action attribute value: https://example.com The context was: <form name="someform" action="http://example.com/processform">

References

Code

org/zaproxy/zap/extension/pscanrules/InsecureFormPostScanRule.java