Project SimpleProject Type: software

Project Simple

Uploaded image for project: 'Project Simple'
  1. Project Simple
  2. ST-127

CONTENT SECURITY POLICY NOT SPECIFIED

    Details

    • Type: Change Request
    • Status: Closed
    • Priority: Medium
    • Resolution: Done
    • Component/s: BenAdmin
    • Labels:
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      Production Complete - Closed
    • Issue Importance:
      Must Have
    • Sprint:
      ST Sprint 2

      Description

      Vulnerability Description
      The server does not include a Content-Security-Policy header in HTTP(S) responses.

      Impact
      Content Security Policy is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. To use CSP, the developer writes a set of rules to govern which servers an app can open connections to, limit the types of content it can download from those servers, and restrict the use of dangerous features like inline scripts and the eval function.

      Verification and Attack Information
      Praetorian identified this issue through a manual application walkthrough by reviewing HTTP headers. While doing so, Praetorian noted that Content-Security-Policy header was not included in server response headers.

      Recommendation
      Best practices for web applications suggest that servers should specify a Content Security Policy (CSP) to whitelist the actions that their users' browsers are allowed to take.

      References
      https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
      http://www.html5rocks.com/en/tutorials/security/content-security-policy/

        Attachments

          Activity

          Ascending order - Click to sort in descending order
          vijayendra Vijayendra Shinde (Inactive) created issue -
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Field Original Value New Value
          Rank Ranked higher
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Sprint ST Sprint 2 [ 4 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Rank Ranked lower
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Assignee Niteen Surwase [ niteen.surwase ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status New Request [ 10029 ] Pending for Approval [ 10002 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status Pending for Approval [ 10002 ] Approved for Development [ 10003 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status Approved for Development [ 10003 ] In Development [ 10007 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Assignee Niteen Surwase [ niteen.surwase ] Amit Gude [ amitg ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status In Development [ 10007 ] Local Testing [ 10200 ]
          amitg Amit Gude (Inactive) made changes -
          Assignee Amit Gude [ amitg ] Zeeshan Chishty [ zeeshan.chishty ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Status Local Testing [ 10200 ] Reopen in Local [ 10018 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Reopen in Local [ 10018 ] In Development [ 10007 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status In Development [ 10007 ] Local Testing [ 10200 ]
          samir Samir made changes -
          Issue Importance Must Have [ 11800 ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Assignee Zeeshan Chishty [ zeeshan.chishty ] Niteen Surwase [ niteen.surwase ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Labels Security
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Assignee Niteen Surwase [ niteen.surwase ] Zeeshan Chishty [ zeeshan.chishty ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Status Local Testing [ 10200 ] Pending for Stage Approval [ 10300 ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Assignee Zeeshan Chishty [ zeeshan.chishty ] Niteen Surwase [ niteen.surwase ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Item State Parent values: Development(10200)Level 1 values: In Analysis(10204) Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213)
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Pending for Stage Approval [ 10300 ] Approved for Stage [ 10030 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Item State Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602)
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Assignee Niteen Surwase [ niteen.surwase ] Zeeshan Chishty [ zeeshan.chishty ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Assignee Zeeshan Chishty [ zeeshan.chishty ] Vijayendra Shinde [ ID10506 ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Status Approved for Stage [ 10030 ] Stage Testing [ 10201 ]
          rakeshr Rakesh Roy (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217)
          rakeshr Rakesh Roy (Inactive) made changes -
          Assignee Vijayendra Shinde [ ID10506 ] Zeeshan Chishty [ zeeshan.chishty ]
          Developer Niteen Surwase [ niteen.surwase ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Assignee Zeeshan Chishty [ zeeshan.chishty ] Rakesh Roy [ rakeshr ]
          rakeshr Rakesh Roy (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) Parent values: Stage QA(10202)Level 1 values: In Testing(10214)
          rakeshr Rakesh Roy (Inactive) made changes -
          Assignee Rakesh Roy [ rakeshr ] Deepali Tidke [ deepalit ]
          deepalit Deepali Tidke (Inactive) made changes -
          Assignee Deepali Tidke [ deepalit ] Kunal Kedari [ kunal.kedari ]
          kunal.kedari Kunal Kedari (Inactive) made changes -
          Assignee Kunal Kedari [ kunal.kedari ] Niteen Surwase [ niteen.surwase ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: In Testing(10214) Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213)
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Stage Testing [ 10201 ] Reopen in Stage [ 10023 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Reopen in Stage [ 10023 ] In Development [ 10007 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status In Development [ 10007 ] Local Testing [ 10200 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Local Testing [ 10200 ] Pending for Stage Approval [ 10300 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Pending for Stage Approval [ 10300 ] Approved for Stage [ 10030 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Assignee Niteen Surwase [ niteen.surwase ] Rakesh Roy [ rakeshr ]
          rakeshr Rakesh Roy (Inactive) made changes -
          Stage Due Date 22/Jun/16 [ 2016-06-22 ]
          rakeshr Rakesh Roy (Inactive) made changes -
          Assignee Rakesh Roy [ rakeshr ] Kunal Kedari [ kunal.kedari ]
          kunal.kedari Kunal Kedari (Inactive) made changes -
          Assignee Kunal Kedari [ kunal.kedari ] Niteen Surwase [ niteen.surwase ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Item State Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) Parent values: LB QA(10201)Level 1 values: On Hold(10211)
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Item State Parent values: LB QA(10201)Level 1 values: On Hold(10211) Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213)
          shyam.sharma shyam sharma (Inactive) made changes -
          Item State Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602)
          gokul.sonawane Gokul Sonawane (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) Parent values: Stage QA(10202)
          gokul.sonawane Gokul Sonawane (Inactive) made changes -
          Item State Parent values: Stage QA(10202) Parent values: LB QA(10201)
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Item State Parent values: LB QA(10201) Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602)
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Assignee Niteen Surwase [ niteen.surwase ] Rakesh Roy [ rakeshr ]
          rakeshr Rakesh Roy (Inactive) made changes -
          Assignee Rakesh Roy [ rakeshr ] Prasad Pise [ prasadp ]
          rakeshr Rakesh Roy (Inactive) made changes -
          Status Approved for Stage [ 10030 ] Stage Testing [ 10201 ]
          rakeshr Rakesh Roy (Inactive) made changes -
          Component/s BenAdmin [ 10100 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) Parent values: Production Complete(10222)Level 1 values: Closed(10223)
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Stage Testing [ 10201 ] Pending for Production Approval [ 10301 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Pending for Production Approval [ 10301 ] Approved for production [ 10034 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Approved for production [ 10034 ] Production Testing [ 10202 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Resolution Fixed [ 1 ]
          Status Production Testing [ 10202 ] Production Complete [ 10028 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Production Complete [ 10028 ] Closed [ 6 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Link This issue relates to DEV-13718 [ DEV-13718 ]

            People

            Assignee:
            prasadp Prasad Pise (Inactive)
            Reporter:
            vijayendra Vijayendra Shinde (Inactive)
            Developer:
            Niteen Surwase (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Pre-Prod Due Date: