Uploaded image for project: 'Project Simple'
  1. Project Simple
  2. ST-129

MISSING CROSS-SITE SCRIPTING PROTECTION HEADERS

    XMLWordPrintable

    Details

    • Type: Change Request
    • Status: Closed
    • Priority: Medium
    • Resolution: Done
    • Component/s: None
    • Labels:
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      Production Complete - Closed
    • Issue Importance:
      Must Have
    • Sprint:
      ST Sprint 2

      Description

      Vulnerability Description
      Cross-site scripting (XSS) filters included in modern browsers check if the URL contains harmful XSS payloads and determine if they can be reflected in the response page. If such a condition is identified, the injected code is modified in such a way to protect against an XSS attack. The application does not set appropriate headers to ensure use of these protections.

      Impact
      Without the appropriate header set by the application, browsers use default-configured behavior – which may not include additional XSS protections. If a user disables a browser’s built-in XSS filter protection, and the application does not set the appropriate header, a single line of defense against XSS attacks has been removed. Reducing the layers of protection can aid an attacker in executing an attack that may permit a wide variety of actions, such as stealing the victim's session token or login credentials.

      Verification and Attack Information
      Praetorian identified this issue by reviewing HTTP headers during regular use of the application. The X-XSS-Protection header is not included in server response headers.

      Recommendation
      As a means to provide a defense in-depth strategy against XSS attacks, the following header should be sent with each response to re-enable browser protections for the particular page in case it was disabled by the user:

      X-XSS-Protection: 1; mode=block

      This configuration enables XSS browser filters and instructs the user agent to block the response in the event that script has been inserted from user input, instead of sanitizing.
      The downside of these filters is that the browser is not capable of distinguishing between code fragments that were reflected by a vulnerable web application in an XSS attack and those that are already present on the page.
      In addition, it must be strongly emphasized that correctly setting this header should not be viewed as the only or main means for preventing XSS attacks. The filters that these headers enable should be seen as part of a defense in depth strategy to protect against XSS attacks, and correctly enabling them is considered best practice.

      References
      http://www.owasp.org/index.php/Cross-site_Scripting_(XSS) http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet https://www.owasp.org/index.php/List_of_useful_HTTP_headers

        Attachments

          Activity

            People

            Assignee:
            deepalit Deepali Tidke (Inactive)
            Reporter:
            vijayendra Vijayendra Shinde (Inactive)
            Developer:
            Niteen Surwase (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: