Project SimpleProject Type: software

Project Simple

Uploaded image for project: 'Project Simple'
  1. Project Simple
  2. ST-129

MISSING CROSS-SITE SCRIPTING PROTECTION HEADERS

    Details

    • Type: Change Request
    • Status: Closed
    • Priority: Medium
    • Resolution: Done
    • Component/s: None
    • Labels:
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      Production Complete - Closed
    • Issue Importance:
      Must Have
    • Sprint:
      ST Sprint 2

      Description

      Vulnerability Description
      Cross-site scripting (XSS) filters included in modern browsers check if the URL contains harmful XSS payloads and determine if they can be reflected in the response page. If such a condition is identified, the injected code is modified in such a way to protect against an XSS attack. The application does not set appropriate headers to ensure use of these protections.

      Impact
      Without the appropriate header set by the application, browsers use default-configured behavior – which may not include additional XSS protections. If a user disables a browser’s built-in XSS filter protection, and the application does not set the appropriate header, a single line of defense against XSS attacks has been removed. Reducing the layers of protection can aid an attacker in executing an attack that may permit a wide variety of actions, such as stealing the victim's session token or login credentials.

      Verification and Attack Information
      Praetorian identified this issue by reviewing HTTP headers during regular use of the application. The X-XSS-Protection header is not included in server response headers.

      Recommendation
      As a means to provide a defense in-depth strategy against XSS attacks, the following header should be sent with each response to re-enable browser protections for the particular page in case it was disabled by the user:

      X-XSS-Protection: 1; mode=block

      This configuration enables XSS browser filters and instructs the user agent to block the response in the event that script has been inserted from user input, instead of sanitizing.
      The downside of these filters is that the browser is not capable of distinguishing between code fragments that were reflected by a vulnerable web application in an XSS attack and those that are already present on the page.
      In addition, it must be strongly emphasized that correctly setting this header should not be viewed as the only or main means for preventing XSS attacks. The filters that these headers enable should be seen as part of a defense in depth strategy to protect against XSS attacks, and correctly enabling them is considered best practice.

      References
      http://www.owasp.org/index.php/Cross-site_Scripting_(XSS) http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet https://www.owasp.org/index.php/List_of_useful_HTTP_headers

        Attachments

          Activity

          Transition Time In Source Status Execution Times
          Vijayendra Shinde (Inactive) made transition -
          New Request Pending for Approval
          		6s 1
          Vijayendra Shinde (Inactive) made transition -
          Pending for Approval Approved for Development
          		1s 1
          Niteen Surwase (Inactive) made transition -
          Approved for Development In Development
          		3d 3h 43m 1
          Niteen Surwase (Inactive) made transition -
          In Development In LB Testing
          		6s 1
          Zeeshan Chishty (Inactive) made transition -
          In LB Testing Pending for Stage Approval
          		4d 9m 1
          Niteen Surwase (Inactive) made transition -
          Pending for Stage Approval Approved for Stage
          		47d 18h 6m 1
          Vijayendra Shinde (Inactive) made transition -
          Approved for Stage Stage Testing
          		4h 56m 1
          Vijayendra Shinde (Inactive) made transition -
          Stage Testing Pending for Production Approval
          		24s 1
          Niteen Surwase (Inactive) made transition -
          Pending for Production Approval Approved for production
          		5d 41m 1
          Deepali Tidke (Inactive) made transition -
          Approved for production In Production Testing
          		8d 21h 42m 1
          Deepali Tidke (Inactive) made transition -
          In Production Testing Production Complete
          		3s 1
          Deepali Tidke (Inactive) made transition -
          Production Complete Closed
          		1s 1

            People

            Assignee:
            deepalit Deepali Tidke (Inactive)
            Reporter:
            vijayendra Vijayendra Shinde (Inactive)
            Developer:
            Niteen Surwase (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: