Task #12584

Task #12556: Pentest - 2nd Assessment [2021]

Pentest_CDB - Missing "Content-Security-Policy" Header [LOW]

Added by Nurul Athira Abdul Rahim almost 3 years ago. Updated 7 months ago.

Status: Closed - End of life cycle
Start date: November 09, 2021
Priority: Normal
Due date:
Assignee: Nurul Athira Abdul Rahim
% Done: 100%
Category: Penetration Test Issue
Spent time: -
Target version: -

Description

The "Content-Security-Policy" (CSP) header is designed to modify the way browsers render pages, and thus to protect from various cross-site injections, including Cross-Site Scripting. It is important to set the header value correctly, in a way that will not prevent proper operation of the web site. For example, if the header is set to prevent execution of inline JavaScript, the web site must not use inline JavaScript in its pages.

Solution provided by LGMS :

Configure the application server to send the "Content-Security-Policy" header.

It is recommended for the policy to include a 'default-src' or 'script-src' directive to prevent inline scripts from running, as well as blocking the use of eval().

The Content-Security-Policy should include a 'default-src' policy directive, which would serve as a fallback for other resource types when they don't have policies of their own.

Affected URL:

https://10.10.55.34:9444/bsn-cdb-uat/*

Please test using web server URL:
http://10.10.95.121:8080/bsn-cdb-uat/commonLogin
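A small checker, added here as an illustration and not part of the ticket or the LGMS report, that applies the three remediation points above (header present, a 'default-src' fallback, and script sources that permit neither inline scripts nor eval()) to a response header set. The header dictionaries are constructed samples: a response without the header, a response carrying a policy that meets the recommendation, and a response whose policy is present but weak.

```python
# Constructed sample header sets (hypothetical, not captured from the ticket's servers).
NO_CSP_HEADERS = {
    "Content-Type": "text/html;charset=UTF-8",
    "Set-Cookie": "JSESSIONID=placeholder; Path=/; HttpOnly",
}
GOOD_CSP_HEADERS = {
    "Content-Type": "text/html;charset=UTF-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}
WEAK_CSP_HEADERS = {
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
}


def parse_csp(value):
    """Turn "default-src a b; script-src c" into {"default-src": ["a", "b"], ...}.
    Empty directives (e.g. from a trailing ';') are ignored."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def check_csp(headers):
    """Return a list of findings; an empty list means the response satisfies the
    recommendation in this ticket. Header-name lookup is case-insensitive."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "content-security-policy"), None)
    if value is None:
        return ["missing Content-Security-Policy header"]
    findings = []
    policy = parse_csp(value)
    if "default-src" not in policy:
        findings.append("no default-src fallback directive")
    # script-src falls back to default-src when it is not set explicitly
    script_sources = policy.get("script-src", policy.get("default-src", []))
    if not script_sources:
        findings.append("no script-src or default-src directive")
    if "'unsafe-inline'" in script_sources:
        findings.append("inline scripts allowed ('unsafe-inline')")
    if "'unsafe-eval'" in script_sources:
        findings.append("eval() allowed ('unsafe-eval')")
    return findings


if __name__ == "__main__":
    for name, hdrs in [("no-csp", NO_CSP_HEADERS), ("good", GOOD_CSP_HEADERS), ("weak", WEAK_CSP_HEADERS)]:
        print(name, check_csp(hdrs) or "OK")
```

Running the same check against both the application-server URL and the web-server URL above would have shown directly which tier actually emits the header, which is the point of dispute in the history below.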

sc4.png (72.3 KB) Najmi Pasarudin, December 10, 2021 15:44


Related issues

Related to BSN Corporate Digital Banking - Task #12588: Pentest_CDB - Missing HTTP "Strict-Transport-Security" He... Closed - End of life cycle November 10, 2021
Related to BSN Corporate Digital Banking - Task #12587: Pentest_CDB - Missing "X-Frame-Options" Header [LOW] Closed - End of life cycle November 10, 2021
Related to BSN Corporate Digital Banking - Task #12586: Pentest_CDB - Missing "X-Content-Type-Options" Header [LOW] Closed - End of life cycle November 10, 2021

History

#1 Updated by Najmi Pasarudin almost 3 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress

#2 Updated by Najmi Pasarudin almost 3 years ago

  • File sc4.png added
  • Status changed from Development / Work In Progress to Internal Testing
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
  • % Done changed from 0 to 100

The staging and production web servers have already applied the header.
The pentest was done on the app server instead of the web server.
Please refer to sc4.png.

#3 Updated by Najmi Pasarudin almost 3 years ago

  • Description updated (diff)

#4 Updated by Nurul Athira Abdul Rahim almost 3 years ago

  • Status changed from Internal Testing to System Integration Test

#5 Updated by Nurul Athira Abdul Rahim over 2 years ago

  • Status changed from System Integration Test to Development / Work In Progress
  • Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin

Kindly review the fixes, as the new pentest (March 9, 20202) result status stated "not solved".

#6 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from Development / Work In Progress to System Integration Test
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim

The LGMS team tested the application URL instead of the web URL.
The fixes were already applied to the staging and production web servers.

#7 Updated by Nurul Athira Abdul Rahim 7 months ago

  • Status changed from System Integration Test to Closed - End of life cycle

Closed for this; refer to the new 2023/2024 pentest report.
