
🐛 fix qualys webapp scan request body #10422

Merged (2 commits), Jun 20, 2024

Conversation

manuel-sommer (Contributor) commented:

see #10239


dryrunsecurity bot commented Jun 18, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status                  Findings
Server-Side Request Forgery Analyzer    0 findings
Configured Codepaths Analyzer           0 findings
IDOR Analyzer                           0 findings
Sensitive Files Analyzer                0 findings
SQL Injection Analyzer                  0 findings
Authn/Authz Analyzer                    0 findings
Secrets Analyzer                        0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request focus on enhancing the functionality of the Qualys WebApp Parser in the Dojo application, improving the test coverage for the parser, and adding a new Qualys Web Application Scan report. From an application security perspective, the changes are not directly related to security vulnerabilities but rather aim to improve the quality and completeness of the information provided by the Qualys scanner.

The key highlights are:

  1. The changes to the get_request method in the Qualys WebApp Parser now include the request body in the generated request string, providing more detailed information about the requests made during the scan.
  2. The addition of a new test case test_discussion_10239 in the TestQualysWebAppParser class verifies the parser's ability to handle and report on potential security vulnerabilities, such as code injection or input validation issues.
  3. The new Qualys Web Application Scan report identifies potential Denial of Service (DoS) vulnerabilities and the absence of security-related headers, which can expose the web application to content injection attacks like cross-site scripting (XSS).

Overall, these changes demonstrate a focus on improving the security assessment and reporting capabilities of the Dojo application, which is a positive step towards enhancing the application's security posture.

Files Changed:

  1. dojo/tools/qualys_webapp/parser.py: The changes to the get_request method in the Qualys WebApp Parser now include the request body in the generated request string, providing more detailed information about the requests made during the scan.
  2. unittests/tools/test_qualys_webapp_parser.py: The addition of the test_discussion_10239 test case in the TestQualysWebAppParser class verifies the parser's ability to handle and report on potential security vulnerabilities, such as code injection or input validation issues.
  3. unittests/scans/qualys_webapp/discussion_10239.xml: The new Qualys Web Application Scan report identifies potential Denial of Service (DoS) vulnerabilities and the absence of security-related headers, which can expose the web application to content injection attacks like cross-site scripting (XSS).

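To make the change the bot summary describes concrete (rendering a Qualys WAS request with its body, not only method, URL and headers), here is an added illustration written for this page. It is not DefectDojo's own get_request, and the element names METHOD, URL, HEADERS/HEADER/key/value and BODY, as well as the sample XML, are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a Qualys WAS payload (assumed structure, not a real report).
SAMPLE_XML = """<PAYLOAD>
  <REQUEST>
    <METHOD>POST</METHOD>
    <URL>https://example.test/login</URL>
    <HEADERS>
      <HEADER><key>Content-Type</key><value>application/x-www-form-urlencoded</value></HEADER>
    </HEADERS>
    <BODY>user=alice&amp;pass=***</BODY>
  </REQUEST>
</PAYLOAD>"""


def get_request(request):
    """Hypothetical renderer: METHOD: URL, one header per line, then the body if present."""
    if request is None:
        return ""
    lines = [f"{request.findtext('METHOD', '')}: {request.findtext('URL', '')}"]
    headers = request.find("HEADERS")
    if headers is not None:
        for head in headers.iter("HEADER"):
            lines.append(f"{head.findtext('key', '')}: {head.findtext('value', '')}")
    # The request body is the part that was previously dropped; a blank line
    # separates it from the headers, and an absent or empty BODY adds nothing.
    body = request.findtext("BODY")
    if body:
        lines.append("")
        lines.append(body)
    return "\n".join(lines) + "\n"


def render_request_xml(xml_text):
    """Parse XML whose root is <REQUEST> or contains one, and render it."""
    root = ET.fromstring(xml_text)
    request = root if root.tag == "REQUEST" else root.find("REQUEST")
    return get_request(request)


if __name__ == "__main__":
    print(render_request_xml(SAMPLE_XML))
```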

@mtesauro (Contributor) left a review comment:

Approved

@manuel-sommer manuel-sommer requested a review from cneill June 18, 2024 21:50
@cneill (Contributor) left a review comment:

Thanks!

@mtesauro mtesauro merged commit 852860f into DefectDojo:bugfix Jun 20, 2024
125 checks passed
@manuel-sommer manuel-sommer deleted the dicussion_10329 branch June 20, 2024 18:32