
Missing HTTP Strict Transport Security Header

    Details

    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      Production Complete - Closed
    • Issue Importance:
      Must Have

      Description

      Vulnerability Description:
      The HTTP Strict Transport Security (HSTS) policy header tells a browser for how long it must connect to the web server only over HTTPS. Without this header being sent in all HTTPS responses, the web server may be vulnerable to several attacks.

      Impact
      An attacker may be able to set up a fake web server and cause the application to make requests to an imitation server over HTTP.

      Verification and Attack Information
      Praetorian identified the lack of "Strict-Transport-Security" headers during an application walkthrough.

      Recommendation
      Add the HTTP Strict-Transport-Security header to all HTTPS responses. The syntax is as follows:
      Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]
      The max-age parameter gives, in seconds, how long browsers must require HTTPS for the host; it should be set quite high, e.g. to several months. The includeSubDomains flag declares that the policy also applies to subdomains of the host that sent the response.

      References
      https://www.owasp.org/index.php/HTTP_Strict_Transport_Security


          Activity

          vijayendra Vijayendra Shinde (Inactive) created issue -
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Field Original Value New Value
          Rank Ranked higher
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status New Request [ 10029 ] Pending for Approval [ 10002 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status Pending for Approval [ 10002 ] Approved for Development [ 10003 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status Approved for Development [ 10003 ] In Development [ 10007 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Assignee Niteen Surwase [ niteen.surwase ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Component/s BenAdmin [ 10100 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Labels Low Priority Security
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status In Development [ 10007 ] Mockup Approval [ 10010 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status Mockup Approval [ 10010 ] Mockup Approved [ 10012 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status Mockup Approved [ 10012 ] In Development [ 10007 ]
          niteen.surwase Niteen Surwase (Inactive) added a comment -

          Steps to Configure Server for HTTP Strict Transport Security Header

          1. Open IIS Manager and select the project (site).

          2. Open "HTTP Response Headers" and click the "Add" button in the Actions pane.

          3. Add the following Name and Value:
          Name: Strict-Transport-Security
          Value: max-age=31536000; includeSubDomains

          Note: This will edit the Web.Config file of the web project.

          niteen.surwase Niteen Surwase (Inactive) added a comment - - edited

          Path To Test:

          1. Open Login Page --> Inspect Element --> Network Tab --> Reload Page (Ctrl + F5)

          2. Check the Response Headers of all files --> the Strict-Transport-Security attribute is added.

          3. It has 2 parameters: max-age=31536000 and includeSubDomains.

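          The manual "Path To Test" check above can be automated for a whole set of captured responses. The following is an added example (not code from the ticket or the project): it parses a Strict-Transport-Security value using RFC 6797 directive syntax and reports the same things the reviewer looks for, plus the failure modes a reviewer should know about (header over plain HTTP is ignored by browsers, max-age=0 removes the policy, duplicate headers, malformed directives). MIN_MAX_AGE is an assumed threshold chosen for this check; the sample headers in the test are constructed.

```python
"""Automated form of the 'Path To Test' check above: parse and judge a
Strict-Transport-Security header value using RFC 6797 directive syntax."""
import re
from typing import Dict, List, Optional, Tuple

MIN_MAX_AGE = 15552000  # assumed minimum (~6 months); the ticket deploys one year
# name [= value], value optionally quoted; directive names are case-insensitive
_DIRECTIVE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("?)([^";\s]*)\2)?\s*$')


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split one header value into lower-cased directives (value None if absent)."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE.match(part)
        if not m:
            raise ValueError(f"malformed directive: {part.strip()!r}")
        name = m.group(1).lower()
        if name in directives:  # RFC 6797: a directive must not appear twice
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = m.group(3)
    return directives


def check_hsts(headers: List[Tuple[str, str]], scheme: str = "https") -> List[str]:
    """Return review findings for one response; [] means the header is acceptable."""
    if scheme != "https":
        # Browsers ignore HSTS received over plain HTTP, so only HTTPS responses count.
        return ["HSTS is only honoured over HTTPS; inspect the HTTPS response instead"]
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        return ["missing Strict-Transport-Security header"]
    findings = []
    if len(hsts) > 1:
        findings.append("multiple HSTS headers; browsers use only the first")
    try:
        d = parse_hsts(hsts[0])
    except ValueError as e:
        return [f"unparseable HSTS header: {e}"]
    age = d.get("max-age")
    if age is None or not age.isdigit():
        findings.append("max-age missing or not a number (policy is ignored)")
    elif int(age) == 0:
        findings.append("max-age=0 tells browsers to drop the policy")
    elif int(age) < MIN_MAX_AGE:
        findings.append(f"max-age {age}s is below the {MIN_MAX_AGE}s minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent; subdomains stay unprotected")
    return findings
```

Feed it the (name, value) header pairs of each HTTPS response captured in the Network tab; an empty list for every response is the pass condition the comment above describes.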
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Assignee Niteen Surwase [ niteen.surwase ] Amit Gude [ amitg ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status In Development [ 10007 ] Local Testing [ 10200 ]
          amitg Amit Gude (Inactive) added a comment -

          Assigning to Zeeshan

          amitg Amit Gude (Inactive) made changes -
          Assignee Amit Gude [ amitg ] Zeeshan Chishty [ zeeshan.chishty ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          Verified that the Strict-Transport-Security header is implemented as
          max-age=31536000; includeSubDomains

          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Status Local Testing [ 10200 ] Pending for Stage Approval [ 10300 ]
          samir Samir made changes -
          Issue Importance Must Have [ 11800 ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Assignee Zeeshan Chishty [ zeeshan.chishty ] Niteen Surwase [ niteen.surwase ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Module: Parent values: BenAdmin(10100) -> Parent values: BenAdmin(10100), Level 1 values: Security(10112)
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Item State: Parent values: Development(10200), Level 1 values: In Analysis(10204) -> Parent values: LB QA(10201), Level 1 values: Ready for Stage(10213)
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Pending for Stage Approval [ 10300 ] Approved for Stage [ 10030 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Item State: Parent values: LB QA(10201), Level 1 values: Ready for Stage(10213) -> Parent values: Stage QA(10202), Level 1 values: Stage Deployed(11602)
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Assignee Niteen Surwase [ niteen.surwase ] Zeeshan Chishty [ zeeshan.chishty ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          Verified on stage that the Strict-Transport-Security header is implemented as
          max-age=31536000; includeSubDomains

          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Assignee Zeeshan Chishty [ zeeshan.chishty ] Vijayendra Shinde [ ID10506 ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Status Approved for Stage [ 10030 ] Stage Testing [ 10201 ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Item State: Parent values: Stage QA(10202), Level 1 values: Stage Deployed(11602) -> Parent values: Stage QA(10202), Level 1 values: Ready for Production(10217)
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Status Stage Testing [ 10201 ] Pending for Production Approval [ 10301 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Assignee Vijayendra Shinde [ ID10506 ] Zeeshan Chishty [ zeeshan.chishty ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Item State: Parent values: Stage QA(10202), Level 1 values: Ready for Production(10217) -> Parent values: Production QA(10203), Level 1 values: Production Deployed(10221)
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Pending for Production Approval [ 10301 ] Approved for production [ 10034 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Developer Niteen Surwase [ niteen.surwase ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          The Strict-Transport-Security: max-age=31536000; includeSubDomains header is added on the Production server; confirmed the same.

          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Assignee Zeeshan Chishty [ zeeshan.chishty ] Deepali Tidke [ deepalit ]
          deepalit Deepali Tidke (Inactive) added a comment -

          As discussed with Niteen, no functional testing is involved here; can close this ticket.

          deepalit Deepali Tidke (Inactive) made changes -
          Item State: Parent values: Production QA(10203), Level 1 values: Production Deployed(10221) -> Parent values: Production Complete(10222), Level 1 values: Closed(10223)
          deepalit Deepali Tidke (Inactive) made changes -
          Status Approved for production [ 10034 ] Production Testing [ 10202 ]
          deepalit Deepali Tidke (Inactive) made changes -
          Resolution Fixed [ 1 ]
          Status Production Testing [ 10202 ] Production Complete [ 10028 ]
          deepalit Deepali Tidke (Inactive) made changes -
          Status Production Complete [ 10028 ] Closed [ 6 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Link This issue relates to DEV-13718 [ DEV-13718 ]
          Transition (by) | Time In Source Status | Execution Times
          Vijayendra Shinde (Inactive): New Request -> Pending for Approval | 22s | 1
          Vijayendra Shinde (Inactive): Pending for Approval -> Approved for Development | 2s | 1
          Vijayendra Shinde (Inactive): Approved for Development -> In Development | 2s | 1
          Vijayendra Shinde (Inactive): In Development -> Mockup Approval | 4d 21h 30m | 1
          Vijayendra Shinde (Inactive): Mockup Approval -> Mockup Approved | 3s | 1
          Vijayendra Shinde (Inactive): Mockup Approved -> In Development | 2s | 1
          Niteen Surwase (Inactive): In Development -> In LB Testing | 46m 6s | 1
          Zeeshan Chishty (Inactive): In LB Testing -> Pending for Stage Approval | 10d 5h 30m | 1
          Niteen Surwase (Inactive): Pending for Stage Approval -> Approved for Stage | 47d 18h 11m | 1
          Zeeshan Chishty (Inactive): Approved for Stage -> Stage Testing | 4h 55m | 1
          Zeeshan Chishty (Inactive): Stage Testing -> Pending for Production Approval | 2m 6s | 1
          Niteen Surwase (Inactive): Pending for Production Approval -> Approved for production | 5d 35m | 1
          Deepali Tidke (Inactive): Approved for production -> In Production Testing | 8d 21h 43m | 1
          Deepali Tidke (Inactive): In Production Testing -> Production Complete | 4s | 1
          Deepali Tidke (Inactive): Production Complete -> Closed | 1s | 1

            People

            Assignee:
            deepalit Deepali Tidke (Inactive)
            Reporter:
            vijayendra Vijayendra Shinde (Inactive)
            Developer:
            Niteen Surwase (Inactive)
            Votes:
            0
            Watchers:
            5
