Details

    • Type: Change Request
    • Status: Closed
    • Priority: Medium
    • Resolution: Done
    • Component/s: BenAdmin
    • Labels:
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      Production Complete - Closed
    • Issue Importance:
      Must Have
    • Sprint:
      ST Sprint 2

      Description

      Vulnerability Description
      Sending the new 'X-Content-Type-Options' response header with the value 'nosniff' will prevent certain browsers from MIME-sniffing a response away from the declared content-type. The missing header causes these browsers to try to determine the content-type and encoding of the response, even when these properties are defined correctly.

      Impact
      This can make the web application vulnerable to Cross-Site Scripting (XSS) attacks. E.g. the Internet Explorer and Safari treat responses with the content-type 'text/plain' as HTML, if they contain HTML tags.

      Verification and Attack Information
      Praetorian discovered this vulnerability through manual testing. Specifically, Praetorian found the "X-Content-Type-Options" header was missing from server responses of the affected system.

      Recommendation
      Set the following HTTP header especially in all responses which contain user input:
      X-Content-Type-Options: nosniff

      References
      https://www.owasp.org/index.php/List_of_useful_HTTP_headers
      http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx

        Attachments

          Activity

          Hide
          niteen.surwase Niteen Surwase (Inactive) added a comment -

          HTTP Response Header
          Name : X-Content-Type-Options
          Value : nosniff

          For Testing :
          1. Open Login Page --> Inspect Element --> Network Tab --> Reload Page (Ctrl + F5)
          2. Check Response Headers of all files --> X-Content-Type-Options attribute is Added.

          Help URL:
          https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers
          https://scotthelme.co.uk/hardening-your-http-response-headers/
          http://webtonio.com/iis-image-not-loading/

          Show
          niteen.surwase Niteen Surwase (Inactive) added a comment - HTTP Response Header Name : X-Content-Type-Options Value : nosniff For Testing : 1. Open Login Page --> Inspect Element --> Network Tab --> Reload Page (Ctrl + F5) 2. Check Response Headers of all files --> X-Content-Type-Options attribute is Added. Help URL: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers https://scotthelme.co.uk/hardening-your-http-response-headers/ http://webtonio.com/iis-image-not-loading/
          Hide
          amitg Amit Gude (Inactive) added a comment -

          Assigning to Zeeshan

          Show
          amitg Amit Gude (Inactive) added a comment - Assigning to Zeeshan
          Hide
          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          Verified as X-Content Type Options Response header was implemented to 'nosniff'

          Show
          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment - Verified as X-Content Type Options Response header was implemented to 'nosniff'
          Hide
          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          Verified on stage as X-Content Type Options Response header was implemented to 'nosniff'

          Show
          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment - Verified on stage as X-Content Type Options Response header was implemented to 'nosniff'
          Hide
          gokul.sonawane Gokul Sonawane (Inactive) added a comment -

          Deployed on stage

          Show
          gokul.sonawane Gokul Sonawane (Inactive) added a comment - Deployed on stage
          Hide
          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          x-content-type-options
          nosniff header is added on Production server confirmed the same

          Show
          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment - x-content-type-options nosniff header is added on Production server confirmed the same
          Hide
          deepalit Deepali Tidke (Inactive) added a comment -

          as discussed with Niteen no functional testing is involved here , can close this ticket.

          Show
          deepalit Deepali Tidke (Inactive) added a comment - as discussed with Niteen no functional testing is involved here , can close this ticket.

            People

            Assignee:
            deepalit Deepali Tidke (Inactive)
            Reporter:
            vijayendra Vijayendra Shinde (Inactive)
            Developer:
            Niteen Surwase (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: