ZAP – Secure Pages Include Mixed Content

Details
Alert ID	10040
Alert Type	Passive
Status	release
Risk	Low
CWE	311
WASC	4
Technologies Targeted	All
Tags	CWE-311 OWASP_2017_A06 OWASP_2021_A05 WSTG-V42-CRYP-03
More Info	Scan Rule Help

Summary

The page includes mixed content, that is content accessed via HTTP instead of HTTPS.

Solution

A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS. The page must not contain any content that is transmitted over unencrypted HTTP. This includes content from third party sites.

Other Info

tag=img src=http://example.com/file

References

https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html

Code

org/zaproxy/zap/extension/pscanrules/MixedContentScanRule.java