-
Type:
Change Request
-
Status: Closed
-
Priority:
Medium
-
Resolution: Done
-
Component/s: None
-
Labels:
-
Module:BenAdmin - Security
-
Reported by:Support
-
Item State:Production Complete - Closed
-
Issue Importance:Must Have
-
Sprint:ST Sprint 2
Vulnerability Description
Cross-site scripting (XSS) filters included in modern browsers check if the URL contains harmful XSS payloads and determine if they can be reflected in the response page. If such a condition is identified, the injected code is modified in such a way to protect against an XSS attack. The application does not set appropriate headers to ensure use of these protections.
Impact
Without the appropriate header set by the application, browsers use default-configured behavior – which may not include additional XSS protections. If a user disables a browser’s built-in XSS filter protection, and the application does not set the appropriate header, a single line of defense against XSS attacks has been removed. Reducing the layers of protection can aid an attacker in executing an attack that may permit a wide variety of actions, such as stealing the victim's session token or login credentials.
Verification and Attack Information
Praetorian identified this issue by reviewing HTTP headers during regular use of the application. The X-XSS-Protection header is not included in server response headers.
Recommendation
As a means to provide a defense in-depth strategy against XSS attacks, the following header should be sent with each response to re-enable browser protections for the particular page in case it was disabled by the user:
X-XSS-Protection: 1; mode=block
This configuration enables XSS browser filters and instructs the user agent to block the response in the event that script has been inserted from user input, instead of sanitizing.
The downside of these filters is that the browser is not capable of distinguishing between code fragments that were reflected by a vulnerable web application in an XSS attack and those that are already present on the page.
In addition, it must be strongly emphasized that correctly setting this header should not be viewed as the only or main means for preventing XSS attacks. The filters that these headers enable should be seen as part of a defense in depth strategy to protect against XSS attacks, and correctly enabling them is considered best practice.
References
http://www.owasp.org/index.php/Cross-site_Scripting_(XSS) http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet https://www.owasp.org/index.php/List_of_useful_HTTP_headers
| Field | Original Value | New Value |
|---|---|---|
| Status | New Request [ 10029 ] | Pending for Approval [ 10002 ] |
| Status | Pending for Approval [ 10002 ] | Approved for Development [ 10003 ] |
| Assignee | Niteen Surwase [ niteen.surwase ] |
| Sprint | ST Sprint 2 [ 4 ] |
| Rank | Ranked higher |
| Assignee | Niteen Surwase [ niteen.surwase ] | Amit Gude [ amitg ] |
| Status | Approved for Development [ 10003 ] | In Development [ 10007 ] |
| Status | In Development [ 10007 ] | Local Testing [ 10200 ] |
Assigning to Zeeshan
| Assignee | Amit Gude [ amitg ] | Zeeshan Chishty [ zeeshan.chishty ] |
Verified as X-XSS protection header is set to 1;mode=block
Zeeshan Chishty (Inactive)
added a comment - Verified as X-XSS protection header is set to 1;mode=block Zeeshan Chishty (Inactive)
made changes -
| Status | Local Testing [ 10200 ] | Pending for Stage Approval [ 10300 ] |
| Issue Importance | Must Have [ 11800 ] |
Zeeshan Chishty (Inactive)
made changes -
| Assignee | Zeeshan Chishty [ zeeshan.chishty ] | Niteen Surwase [ niteen.surwase ] |
Zeeshan Chishty (Inactive)
made changes -
| Labels | Security |
| Module | Parent values: BenAdmin(10100) | Parent values: BenAdmin(10100)Level 1 values: Security(10112) |
| Item State | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) |
| Status | Pending for Stage Approval [ 10300 ] | Approved for Stage [ 10030 ] |
| Item State | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) | Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) |
| Assignee | Niteen Surwase [ niteen.surwase ] | Zeeshan Chishty [ zeeshan.chishty ] |
Verified on stage as X-XSS protection header is set to 1;mode=block
Zeeshan Chishty (Inactive)
added a comment - Verified on stage as X-XSS protection header is set to 1;mode=block Zeeshan Chishty (Inactive)
made changes -
| Assignee | Zeeshan Chishty [ zeeshan.chishty ] | Vijayendra Shinde [ ID10506 ] |
| Status | Approved for Stage [ 10030 ] | Stage Testing [ 10201 ] |
| Item State | Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) | Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) |
| Status | Stage Testing [ 10201 ] | Pending for Production Approval [ 10301 ] |
| Assignee | Vijayendra Shinde [ ID10506 ] | Zeeshan Chishty [ zeeshan.chishty ] |
| Developer | Niteen Surwase [ niteen.surwase ] |
| Status | Pending for Production Approval [ 10301 ] | Approved for production [ 10034 ] |
| Item State | Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) | Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) |
x-xss-protection
1; mode=block header is implemented on Production Server confirmed the same
Zeeshan Chishty (Inactive)
added a comment - x-xss-protection
1; mode=block header is implemented on Production Server confirmed the same Zeeshan Chishty (Inactive)
made changes -
| Assignee | Zeeshan Chishty [ zeeshan.chishty ] | Deepali Tidke [ deepalit ] |
as discussed with Niteen no functional testing is involved here , can close this ticket.
| Item State | Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) | Parent values: Production Complete(10222)Level 1 values: Closed(10223) |
| Status | Approved for production [ 10034 ] | Production Testing [ 10202 ] |
| Resolution | Fixed [ 1 ] | |
| Status | Production Testing [ 10202 ] | Production Complete [ 10028 ] |
| Status | Production Complete [ 10028 ] | Closed [ 6 ] |
| Transition | Time In Source Status | Execution Times |
|---|
|
6s | 1 |
|
1s | 1 |
|
3d 3h 43m | 1 |
|
6s | 1 |
Zeeshan Chishty (Inactive)
made transition
-
|
4d 9m | 1 |
|
47d 18h 6m | 1 |
|
4h 56m | 1 |
|
24s | 1 |
|
5d 41m | 1 |
|
8d 21h 42m | 1 |
|
3s | 1 |
|
1s | 1 |
HTTP Response Header
Name : X-XSS-Protection
Value : 1; mode=block
For Testing :
1. Open Login Page --> Inspect Element --> Network Tab --> Reload Page (Ctrl + F5)
2. Check Response Headers of all files --> X-XSS-Protection attribute is Added.
Help URL:
https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers
https://scotthelme.co.uk/hardening-your-http-response-headers/