Task #12561

Task #12556: Pentest - 2nd Assessment [2021]

Pentest_IBAM - Missing "X-Content-Type-Options" Header [LOW]

Added by Nurul Athira Abdul Rahim almost 3 years ago. Updated about 2 years ago.

Status: Work Completed-End life cycle
Start date: November 08, 2021
Priority: Normal
Due date:
Assignee: Nurul Athira Abdul Rahim
% Done: 100%
Category: Penetration Test Issue
Spent time: -
Target version: -

Description

The "X-Content-Type-Options" header (with the "nosniff" value) prevents IE and Chrome from ignoring the Content-Type of a response. This may prevent untrusted content (e.g. user-uploaded content) from being executed in the user's browser (for example, after a file has been given a misleading name).

Solution provided by LGMS:
Configure the application server to send the "X-Content-Type-Options" header with the value "nosniff" on all outgoing responses.

For Apache, see:
http://httpd.apache.org/docs/2.2/mod/mod_headers.html

For IIS, see:
https://technet.microsoft.com/pl-pl/library/cc753133%28v=ws.10%29.aspx

For nginx, see:
http://nginx.org/en/docs/http/ngx_http_headers_module.html

Affected URL:

https://10.10.55.34:9444/bsn-admin-uat/*
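An added verification script (example code written for this ticket, not part of the LGMS report or the BSN application) that checks raw HTTP responses for the header the way a browser evaluates it: header name matched case-insensitively, first value compared case-insensitively against "nosniff". The sample responses are constructed; the 404 sample illustrates the common gap where error pages lack the header because nginx `add_header` was used without `always` (Apache needs `Header always set` for the same reason).

```python
"""Offline check for the X-Content-Type-Options: nosniff response header."""
from typing import Dict, List, Tuple


def parse_response(raw: bytes) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 response into (status_code, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        if not line or ":" not in line:
            continue  # tolerate blank or malformed header lines
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return status, headers


def check_nosniff(raw: bytes) -> dict:
    """Report whether the response carries 'X-Content-Type-Options: nosniff'.

    Mirrors the browser rule: the first value of the first matching header
    is compared ASCII case-insensitively against the literal token 'nosniff'.
    """
    status, headers = parse_response(raw)
    values = [v for n, v in headers if n.lower() == "x-content-type-options"]
    first = values[0].split(",", 1)[0].strip().lower() if values else None
    ok = first == "nosniff"
    if not values:
        reason = "header missing"
    elif not ok:
        reason = f"unexpected value {values[0]!r}"
    else:
        reason = "ok"
    return {"status": status, "values": values, "ok": ok, "reason": reason}


# Constructed samples (not captured from the affected host): a fixed page,
# an error page that lost the header, and a misconfigured value.
SAMPLES = {
    "fixed_200": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nx-content-type-options: NOSNIFF\r\n\r\n<html>",
    "error_404": b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\nnot found",
    "wrong_value": b"HTTP/1.1 200 OK\r\nX-Content-Type-Options: sniff\r\n\r\n",
}


def audit(samples: Dict[str, bytes]) -> Dict[str, dict]:
    """Run the check over every sample; any entry with 'ok': False is a finding."""
    return {name: check_nosniff(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLES).items():
        print(f"{name}: HTTP {result['status']} -> {result['reason']}")
```

To re-verify a fix, feed the script the raw responses for every URL in scope, including error and redirect responses, since a header present only on the 200 landing page will still be reported as unresolved.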


Related issues

Related to BSN Corporate Digital Banking - Task #12560: Pentest_IBAM - Missing "Content-Security-Policy" Header [... Work Completed-End life cycle November 08, 2021 November 11, 2021

History

#1 Updated by Najmi Pasarudin almost 3 years ago

  • Status changed from New - Begin Life Cycle to Internal Testing
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
  • % Done changed from 0 to 100

Please refer to sc4.png at Task 12560.

#2 Updated by Nurul Athira Abdul Rahim almost 3 years ago

  • Status changed from Internal Testing to System Integration Test

#3 Updated by Nurul Athira Abdul Rahim over 2 years ago

  • Status changed from System Integration Test to Development / Work In Progress
  • Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin

Kindly review the fixes, as the new pentest (March 9, 20202) result status stated "not solved".

#4 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from Development / Work In Progress to Pending Review
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim

The LGMS team tested the application URL instead of the web URL.
Fixes have already been applied to the staging and production web servers.

#5 Updated by Nurul Athira Abdul Rahim about 2 years ago

  • Status changed from Pending Review to Work Completed-End life cycle
