Mixed Resource Detection

medium Web App Scanning Plugin ID 98091

Language:

Synopsis

Mixed Resource Detection

Description

Scanner discovered that the affected site is utilising both HTTP and HTTPS. While the HTML code is served over HTTPS, the server is also serving resources over an unencrypted channel, which can lead to the compromise of data, while providing a false sense of security to the user.

Solution

All pages and/or resources on the affected site should be secured equally, utilising the latest and most secure encryption protocols. These include SSL version 3.0 and TLS version 1.2.
While TLS 1.2 is the latest and the most preferred protocol, not all browsers will support this encryption method. Therefore, the more common SSL is included. Older protocols such as SSL version 2, and weak ciphers (< 128 bit) should also be disabled.

See Also

http://googleonlinesecurity.blogspot.com/2011/06/trying-to-end-mixed-scripting.html

https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content

Plugin Details

Severity: Medium

ID: 98091

Type: remote

Family: Web Applications

Published: 3/31/2017

Updated: 11/26/2021

Scan Template: basic, config_audit, full, overview, pci, quick, scan, ssl_tls

Risk Information

VPR

Risk Factor: Low

Score: 3.3

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS Score Source: Tenable

Reference Information

CWE: 319

OWASP: 2010-A9, 2013-A6, 2017-A3, 2021-A2

WASC: Insufficient Transport Layer Protection

CAPEC: 102, 117, 383, 477, 65

DISA STIG: APSC-DV-000170

HIPAA: 164.312(a), 164.312(e)

ISO: 27001-A.10.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.5

NIST: sp800_53-SC-13

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-9.1.1

PCI-DSS: 3.2-6.5.4