Mixed Content: Insecure HTTP URLs Missed During Scanning

minddabizz

29 May, 2018 01:49 PM

In a nutshell, your scanner works flawlessly on basic test sites such as:

https://googlesamples.github.io/web-fundamentals/fundamentals/secur...
https://googlesamples.github.io/web-fundamentals/fundamentals/secur...

but when I had a dev intentionally add an http link on an iframe that contains JavaScript referencing the non-secure link, the scanner did not detect it. Upon further investigation, I examined using Firefox web dev tools (network), and can see the domains that are involved until the spider reaches the URL that contains the insecure http link, so I was thinking that since these domains are not within the scope, that could be causing the scanner to not pick up the vulnerable JavaScript page. I have attached some screenshots to give you a better understanding. Additionally, I created a custom profile and enabled:

    dom_depth_limit: 3
    directory_depth_limit: 3
    checks:
      - mixed_resource
    no_fingerprinting: true

and kept the rest as the defaults. Thank you in advance.
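As an added illustration of the gap described above (example code, not Arachni's mixed_resource check): a minimal mixed-content detector that flags http:// references both in resource attributes and in string literals inside inline script bodies. It assumes each document, including the iframe's own page, is fetched and fed to it separately; the sample HTML and hostnames are constructed.

```python
# Added example (not Arachni's own check): flag http:// references in an
# HTTPS page, both in resource attributes and inside inline script bodies.
import re
from html.parser import HTMLParser

RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src",
                  "link": "href", "source": "src", "object": "data"}
HTTP_LITERAL = re.compile(r"""["'](http://[^"']+)["']""")

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name == attr and value and value.lower().startswith("http://"):
                self.findings.append((tag, value))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # A URL assembled in JavaScript only exists as a string literal;
        # a check that inspects tag attributes alone never sees it.
        if self._in_script:
            for url in HTTP_LITERAL.findall(data):
                self.findings.append(("script-literal", url))

def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: one plain attribute and one URL built in JS (the
# iframe's own document would have to be fetched and scanned separately).
SAMPLE = """<html><body>
<img src="http://cdn.example.test/logo.png">
<iframe src="https://widget.example.test/frame.html"></iframe>
<script>
  var s = document.createElement('script');
  s.src = 'http://cdn.example.test/tracker.js';
  document.body.appendChild(s);
</script></body></html>"""
```

Running find_mixed_content on each fetched document, including the iframe target regardless of scope, surfaces the JS-built http:// URL that an attribute-only pass misses.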

Posted by minddabizz on 29 May, 2018 07:30 PM

Could it be the captcha that is causing issues:
