Medium Vulnerability Description
Sending the new 'X-Content-Type-Options' response header with the value 'nosniff' will prevent certain browsers from MIME-sniffing a response away from the declared content-type. The missing header causes these browsers to try to determine the content-type and encoding of the response, even when these properties are defined correctly.
Impact
This can make the web application vulnerable to Cross-Site Scripting (XSS) attacks. E.g. the Internet Explorer and Safari treat responses with the content-type 'text/plain' as HTML, if they contain HTML tags.
Verification and Attack Information
Praetorian discovered this vulnerability through manual testing. Specifically, Praetorian found the "X-Content-Type-Options" header was missing from server responses of the affected system.
Recommendation
Set the following HTTP header especially in all responses which contain user input:
X-Content-Type-Options: nosniff
References
https://www.owasp.org/index.php/List_of_useful_HTTP_headers
http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
| Field | Original Value | New Value |
|---|---|---|
| Assignee | Niteen Surwase [ niteen.surwase ] |
| Status | New Request [ 10029 ] | Pending for Approval [ 10002 ] |
| Status | Pending for Approval [ 10002 ] | Approved for Development [ 10003 ] |
| Status | Approved for Development [ 10003 ] | In Development [ 10007 ] |
| Sprint | ST Sprint 2 [ 4 ] |
| Rank | Ranked higher |
| Assignee | Niteen Surwase [ niteen.surwase ] | Amit Gude [ amitg ] |
| Status | In Development [ 10007 ] | Local Testing [ 10200 ] |
| Assignee | Amit Gude [ amitg ] | Zeeshan Chishty [ zeeshan.chishty ] |
Zeeshan Chishty (Inactive)
made changes -
| Status | Local Testing [ 10200 ] | Pending for Stage Approval [ 10300 ] |
| Issue Importance | Must Have [ 11800 ] |
Zeeshan Chishty (Inactive)
made changes -
| Assignee | Zeeshan Chishty [ zeeshan.chishty ] | Niteen Surwase [ niteen.surwase ] |
Zeeshan Chishty (Inactive)
made changes -
| Labels | Security |
| Item State | Parent values: Development(10200)Level 1 values: In Analysis(10204) | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) |
| Component/s | BenAdmin [ 10100 ] |
| Status | Pending for Stage Approval [ 10300 ] | Approved for Stage [ 10030 ] |
| Item State | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) | Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) |
| Assignee | Niteen Surwase [ niteen.surwase ] | Zeeshan Chishty [ zeeshan.chishty ] |
Zeeshan Chishty (Inactive)
made changes -
| Assignee | Zeeshan Chishty [ zeeshan.chishty ] | Vijayendra Shinde [ ID10506 ] |
| Status | Approved for Stage [ 10030 ] | Stage Testing [ 10201 ] |
| Item State | Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) | Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) |
| Status | Stage Testing [ 10201 ] | Pending for Production Approval [ 10301 ] |
| Assignee | Vijayendra Shinde [ ID10506 ] | Zeeshan Chishty [ zeeshan.chishty ] |
| Status | Pending for Production Approval [ 10301 ] | Approved for production [ 10034 ] |
| Item State | Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) | Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) |
| Developer | Niteen Surwase [ niteen.surwase ] |
Zeeshan Chishty (Inactive)
made changes -
| Assignee | Zeeshan Chishty [ zeeshan.chishty ] | Deepali Tidke [ deepalit ] |
| Item State | Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) | Parent values: Production Complete(10222)Level 1 values: Closed(10223) |
| Status | Approved for production [ 10034 ] | Production Testing [ 10202 ] |
| Resolution | Fixed [ 1 ] | |
| Status | Production Testing [ 10202 ] | Production Complete [ 10028 ] |
| Status | Production Complete [ 10028 ] | Closed [ 6 ] |