Task #12560
Task #12556: Pentest - 2nd Assessment [2021]
Pentest_IBAM - Missing "Content-Security-Policy" Header [LOW]
| Status: | Work Completed-End life cycle | Start date: | November 08, 2021 |
|---|---|---|---|
| Priority: | Normal | Due date: | November 11, 2021 |
| Assignee: | Nurul Athira Abdul Rahim | % Done: | 100% |
| Category: | Penetration Test Issue | Spent time: | - |
| Target version: | - | | |
Description
The "Content-Security-Policy" header tells the browser which origins a page may load scripts, styles and other resources from, and whether inline script may run. It therefore limits what an attacker can do with a cross-site injection such as Cross-Site Scripting; it is a defence in depth, not a substitute for fixing the injection itself. The header value must be set carefully so that it does not break the site: for example, if the policy blocks inline JavaScript, the site's pages must not rely on inline JavaScript (or must allow it explicitly with a nonce or hash).
Solution provided by LGMS:
Configure the application server to send the "Content-Security-Policy" header.
It is recommended that the policy include a 'default-src' or 'script-src' directive that prevents inline scripts from running and blocks the use of eval().
The Content-Security-Policy should include a 'default-src' directive, which serves as a fallback for resource types that have no policy directive of their own.
Kindly refer to the references for more examples on common use cases.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Affected URL:
https://10.10.55.34:9444/bsn-admin-uat/*
Please test using the web server URL:
http://10.10.95.121:8080/bsn-admin-uat/
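The check a practitioner would want for this finding, as an added example that is not part of the ticket or of LGMS's report: a small Python script that parses a Content-Security-Policy value, flags the points the recommendation lists (no 'default-src' fallback, inline script or eval() allowed), and evaluates the header of more than one origin, because the retest on this ticket failed when the header had been applied on the web server while the pentest requested the application server URL directly. The sample response headers are constructed (the two URLs are the ones quoted in the ticket); the `fetch_headers` helper is an assumption about how you would pull live headers and is not exercised by the sample run.

```python
"""Check a Content-Security-Policy header against this finding's recommendation.

Added example (not code from the ticket or from LGMS). The sample response
headers below are constructed; replace them with what fetch_headers() returns
from the web server URL and the application server URL to repeat the retest.
"""
import ssl
import urllib.request
from typing import Dict, List

# Nonce and hash source expressions: when one is present, browsers ignore
# 'unsafe-inline' in the same directive, so it is not a finding then.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive name: [source expressions]}.

    Directives are ';'-separated and names are case-insensitive. A directive
    that appears twice keeps its first occurrence, as browsers do, so a later
    duplicate cannot loosen the policy.
    """
    policy: Dict[str, List[str]] = {}
    for raw in value.split(";"):
        parts = raw.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def check_policy(value: str) -> List[str]:
    """Return findings for one CSP value; an empty list means it meets the ask."""
    findings: List[str] = []
    policy = parse_csp(value)
    if "default-src" not in policy:
        findings.append("no 'default-src' fallback directive")
    # script-src falls back to default-src when it is absent.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("nothing restricts script sources")
        return findings
    sources = [s.lower() for s in script]
    if "'unsafe-inline'" in sources and not any(s.startswith(NONCE_OR_HASH) for s in sources):
        findings.append("inline script allowed ('unsafe-inline' without a nonce or hash)")
    if "'unsafe-eval'" in sources:
        findings.append("eval() allowed ('unsafe-eval')")
    if "*" in sources:
        findings.append("scripts allowed from any origin ('*')")
    return findings


def check_origins(responses: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Evaluate the CSP header of each origin's response headers.

    Header names are matched case-insensitively. An origin that sends no
    header gets the single finding 'header missing', which is this ticket's
    condition on the application server.
    """
    result: Dict[str, List[str]] = {}
    for origin, headers in responses.items():
        lowered = {name.lower(): val for name, val in headers.items()}
        csp = lowered.get("content-security-policy")
        result[origin] = ["header missing"] if csp is None else check_policy(csp)
    return result


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch live response headers (assumed helper, not used by the sample run).

    The pentest target is an internal host with a self-signed certificate, so
    certificate verification is disabled here; only do that against a host
    you control.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample: the web server sends a strict policy, the application
# server (the origin the pentest actually requested) sends none.
SAMPLE_RESPONSES = {
    "web server (http://10.10.95.121:8080/bsn-admin-uat/)": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    },
    "app server (https://10.10.55.34:9444/bsn-admin-uat/)": {
        "Content-Type": "text/html",
    },
}

if __name__ == "__main__":
    for origin, findings in check_origins(SAMPLE_RESPONSES).items():
        print(origin, "->", findings or ["OK"])
    # A policy that is present but satisfies nothing the finding asks for:
    print("weak policy ->", check_policy("default-src * 'unsafe-inline' 'unsafe-eval'"))
```

Run it against both URLs quoted in the ticket (the web server one and the application server one) rather than only the URL the fix was verified on; a header added on a reverse proxy or web tier is invisible to anyone who can reach the application port directly, which is exactly why the retest came back "not solved".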
Related issues
History
#1 Updated by Ngoh Chee Ping almost 3 years ago
- Due date set to November 11, 2021
- Assignee changed from Najmi Pasarudin to SARAH NUR SABRINA BINTI SHUHAIRY
#3 Updated by SARAH NUR SABRINA BINTI SHUHAIRY almost 3 years ago
- % Done changed from 0 to 100
#4 Updated by Najmi Pasarudin almost 3 years ago
- Assignee changed from SARAH NUR SABRINA BINTI SHUHAIRY to Najmi Pasarudin
- % Done changed from 100 to 0
#5 Updated by Najmi Pasarudin almost 3 years ago
- Status changed from New - Begin Life Cycle to Development / Work In Progress
#6 Updated by Najmi Pasarudin almost 3 years ago
- File sc4.png added
- Status changed from Development / Work In Progress to Internal Testing
- Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
- % Done changed from 0 to 100
The staging and production web servers have already applied the header.
The pentest was done on the app server instead of the web server.
Please refer to sc4.png.
#7 Updated by Najmi Pasarudin almost 3 years ago
- Description updated (diff)
#8 Updated by Nurul Athira Abdul Rahim almost 3 years ago
- Status changed from Internal Testing to System Integration Test
#9 Updated by Nurul Athira Abdul Rahim over 2 years ago
- Status changed from System Integration Test to Development / Work In Progress
- Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin
Kindly review the fixes, as the new pentest (March 9, 2022) result status stated "not solved".
#10 Updated by Najmi Pasarudin over 2 years ago
- Status changed from Development / Work In Progress to Pending Review
- Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
The LGMS team tested the application URL instead of the web URL.
The fixes have already been applied to the staging and production web servers.
#11 Updated by Nurul Athira Abdul Rahim about 2 years ago
- Status changed from Pending Review to Work Completed-End life cycle