-
Type: Change Request
-
Status: Closed
-
Priority: Medium
-
Resolution: Done
-
Component/s: None
-
Labels:
-
Module:BenAdmin - Security
-
Reported by:Support
-
Item State:Production Complete - Closed
-
Issue Importance:Must Have
-
Sprint:ST Sprint 2
Vulnerability Description
Cross-site scripting (XSS) filters included in modern browsers check if the URL contains harmful XSS payloads and determine if they can be reflected in the response page. If such a condition is identified, the injected code is modified in such a way to protect against an XSS attack. The application does not set appropriate headers to ensure use of these protections.
Impact
Without the appropriate header set by the application, browsers use default-configured behavior – which may not include additional XSS protections. If a user disables a browser’s built-in XSS filter protection, and the application does not set the appropriate header, a single line of defense against XSS attacks has been removed. Reducing the layers of protection can aid an attacker in executing an attack that may permit a wide variety of actions, such as stealing the victim's session token or login credentials.
Verification and Attack Information
Praetorian identified this issue by reviewing HTTP headers during regular use of the application. The X-XSS-Protection header is not included in server response headers.
Recommendation
As a means to provide a defense in-depth strategy against XSS attacks, the following header should be sent with each response to re-enable browser protections for the particular page in case it was disabled by the user:
X-XSS-Protection: 1; mode=block
This configuration enables XSS browser filters and instructs the user agent to block the response in the event that script has been inserted from user input, instead of sanitizing.
The downside of these filters is that the browser is not capable of distinguishing between code fragments that were reflected by a vulnerable web application in an XSS attack and those that are already present on the page.
In addition, it must be strongly emphasized that correctly setting this header should not be viewed as the only or main means for preventing XSS attacks. The filters that these headers enable should be seen as part of a defense in depth strategy to protect against XSS attacks, and correctly enabling them is considered best practice.
References
http://www.owasp.org/index.php/Cross-site_Scripting_(XSS) http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet https://www.owasp.org/index.php/List_of_useful_HTTP_headers