Vulnerability Description
Sending the new 'X-Content-Type-Options' response header with the value 'nosniff' will prevent certain browsers from MIME-sniffing a response away from the declared content-type. The missing header causes these browsers to try to determine the content-type and encoding of the response, even when these properties are defined correctly.
Impact
This can make the web application vulnerable to Cross-Site Scripting (XSS) attacks. For example, Internet Explorer and Safari treat responses with the content-type 'text/plain' as HTML if the body contains HTML tags.
Verification and Attack Information
Praetorian discovered this vulnerability through manual testing. Specifically, Praetorian found the "X-Content-Type-Options" header was missing from server responses of the affected system.
Recommendation
Set the following HTTP header on all responses, especially those that contain user input:
X-Content-Type-Options: nosniff
References
https://www.owasp.org/index.php/List_of_useful_HTTP_headers
http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
Field | Original Value | New Value |
---|---|---|
Assignee | Niteen Surwase [ niteen.surwase ] |
Status | New Request [ 10029 ] | Pending for Approval [ 10002 ] |
Status | Pending for Approval [ 10002 ] | Approved for Development [ 10003 ] |
Status | Approved for Development [ 10003 ] | In Development [ 10007 ] |
Sprint | ST Sprint 2 [ 4 ] |
Rank | Ranked higher |
Assignee | Niteen Surwase [ niteen.surwase ] | Amit Gude [ amitg ] |
Status | In Development [ 10007 ] | Local Testing [ 10200 ] |
Assignee | Amit Gude [ amitg ] | Zeeshan Chishty [ zeeshan.chishty ] |
Status | Local Testing [ 10200 ] | Pending for Stage Approval [ 10300 ] |
Issue Importance | Must Have [ 11800 ] |
Assignee | Zeeshan Chishty [ zeeshan.chishty ] | Niteen Surwase [ niteen.surwase ] |
Labels | Security |
Item State | Parent values: Development(10200); Level 1 values: In Analysis(10204) | Parent values: LB QA(10201); Level 1 values: Ready for Stage(10213) |
Component/s | BenAdmin [ 10100 ] |
Status | Pending for Stage Approval [ 10300 ] | Approved for Stage [ 10030 ] |
Item State | Parent values: LB QA(10201); Level 1 values: Ready for Stage(10213) | Parent values: Stage QA(10202); Level 1 values: Stage Deployed(11602) |
Assignee | Niteen Surwase [ niteen.surwase ] | Zeeshan Chishty [ zeeshan.chishty ] |
Assignee | Zeeshan Chishty [ zeeshan.chishty ] | Vijayendra Shinde [ ID10506 ] |
Status | Approved for Stage [ 10030 ] | Stage Testing [ 10201 ] |
Item State | Parent values: Stage QA(10202); Level 1 values: Stage Deployed(11602) | Parent values: Stage QA(10202); Level 1 values: Ready for Production(10217) |
Status | Stage Testing [ 10201 ] | Pending for Production Approval [ 10301 ] |
Assignee | Vijayendra Shinde [ ID10506 ] | Zeeshan Chishty [ zeeshan.chishty ] |
Status | Pending for Production Approval [ 10301 ] | Approved for production [ 10034 ] |
Item State | Parent values: Stage QA(10202); Level 1 values: Ready for Production(10217) | Parent values: Production QA(10203); Level 1 values: Production Deployed(10221) |
Developer | Niteen Surwase [ niteen.surwase ] |
Assignee | Zeeshan Chishty [ zeeshan.chishty ] | Deepali Tidke [ deepalit ] |
Item State | Parent values: Production QA(10203); Level 1 values: Production Deployed(10221) | Parent values: Production Complete(10222); Level 1 values: Closed(10223) |
Status | Approved for production [ 10034 ] | Production Testing [ 10202 ] |
Resolution | Fixed [ 1 ] | |
Status | Production Testing [ 10202 ] | Production Complete [ 10028 ] |
Status | Production Complete [ 10028 ] | Closed [ 6 ] |
Transition | Time In Source Status | Execution Times |
---|---|---|
| 19s | 1 |
| 1s | 1 |
| 1s | 1 |
| 3d 3h 50m | 1 |
| 4d 4m | 1 |
| 47d 18h 8m | 1 |
| 4h 53m | 1 |
| 28s | 1 |
| 5d 42m | 1 |
| 8d 21h 41m | 1 |
| 4s | 1 |
| 2s | 1 |
HTTP Response Header
Name : X-Content-Type-Options
Value : nosniff
For Testing:
1. Open Login Page --> Inspect Element --> Network Tab --> Reload Page (Ctrl + F5)
2. Check the Response Headers of all files --> the X-Content-Type-Options header is present with the value nosniff.
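The manual test above (inspect the headers of every response) as an automated check, added here as an example and not part of the ticket; the sample responses are constructed and the function names are my own. It also flags the case the Impact section describes: a non-HTML content-type with HTML-looking body text and no effective nosniff header.

```python
import re

HTML_TYPES = ("text/html", "application/xhtml+xml")
LOOKS_LIKE_HTML = re.compile(r"<[a-zA-Z!/]")

def parse_response(raw: str) -> tuple[str, dict[str, str], str]:
    """Split a raw HTTP response into (status line, headers, body). Header
    names are lowercased: field names are case-insensitive, so a check for
    'X-Content-Type-Options' alone would miss a proxy's lowercase spelling."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def audit_response(raw: str) -> dict[str, object]:
    """verdict: 'ok' (value is 'nosniff'), 'missing', or 'invalid' (another
    value, which browsers ignore). sniff_risk: header not effective, declared
    type is not HTML, and the body carries tags (the text/plain case above)."""
    _, headers, body = parse_response(raw)
    value = headers.get("x-content-type-options")
    if value is None:
        verdict = "missing"
    elif value.lower() == "nosniff":
        verdict = "ok"
    else:
        verdict = "invalid"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    sniff_risk = (verdict != "ok" and ctype not in HTML_TYPES
                  and LOOKS_LIKE_HTML.search(body) is not None)
    return {"verdict": verdict, "content_type": ctype, "sniff_risk": sniff_risk}

# Constructed sample responses (not captured from any real system).
SAMPLES = {
    "login.html": ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                   "X-Content-Type-Options: nosniff\r\n\r\n<html><body>Login</body></html>"),
    "notes.txt": ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                  "<b>user supplied note</b>"),
    "app.js": ("HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n"
               "x-content-type-options: NoSniff\r\n\r\nconsole.log(1)"),
    "style.css": ("HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n"
                  "X-Content-Type-Options: no-sniff\r\n\r\nbody{}"),
}

def audit_all(samples=SAMPLES) -> dict[str, dict[str, object]]:
    """Audit every captured response; the test step passes only when all are 'ok'."""
    return {name: audit_response(raw) for name, raw in samples.items()}
```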
Help URL:
https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers
https://scotthelme.co.uk/hardening-your-http-response-headers/
http://webtonio.com/iis-image-not-loading/