Task #12584
Task #12556: Pentest - 2nd Assessment [2021]
Pentest_CDB - Missing "Content-Security-Policy" Header [LOW]
Status: | Closed - End of life cycle | Start date: | November 09, 2021
---|---|---|---
Priority: | Normal | Due date: |
Assignee: | Nurul Athira Abdul Rahim | % Done: | 100%
Category: | Penetration Test Issue | Spent time: | -
Target version: | - | |
Description
The "Content-Security-Policy" (CSP) header tells the browser which sources of scripts, styles, frames and other resources a page may load, and so protects against various cross-site injections, including Cross-Site Scripting (XSS). The header value must be set carefully so that it does not break normal operation of the web site: for example, if the policy blocks inline JavaScript, the site must not rely on inline JavaScript in its pages (or must allow specific inline scripts with a nonce or hash).
Solution provided by LGMS:
Configure the application server to send the "Content-Security-Policy" header on its responses.
The policy should include a 'script-src' directive (or rely on 'default-src' as the fallback) that omits 'unsafe-inline' and 'unsafe-eval'; this prevents inline scripts from running and blocks the use of eval().
The policy should also include a 'default-src' directive, which serves as the fallback for resource types that have no directive of their own.
Affected URL:
https://10.10.55.34:9444/bsn-cdb-uat/*
Please test using the web server URL:
http://10.10.95.121:8080/bsn-cdb-uat/commonLogin
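The history of this ticket turns on which tier was tested: the header was added on the web server while the retest hit the application server directly. The check below is an added example, not code from the project or from LGMS's report. It parses a CSP header value the way a browser does (directive names case-insensitive, a repeated directive ignored) and flags exactly the conditions the solution text lists: header absent or report-only, no 'default-src' fallback, and a script-governing directive that still permits 'unsafe-inline', 'unsafe-eval' or any origin. The sample responses are constructed, not captured from the BSN hosts; they are keyed by the ticket's affected URL prefix and its web server test URL so the two tiers are audited separately.

```python
"""Audit a response's Content-Security-Policy against this ticket's recommendations.

Added example for this ticket; not code from the project or from LGMS.
The sample responses below are constructed, not captured from the BSN hosts.
"""
from urllib.parse import urlsplit

# A nonce or hash source in the same directive makes CSP2+ browsers ignore 'unsafe-inline'.
INLINE_ALLOWLIST_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value):
    """Parse a header value into {directive: [source, ...]}.

    Directive names are case-insensitive. A repeated directive is ignored and the
    first occurrence wins, which is how browsers apply CSP, so a second
    'script-src' appended by a proxy does not tighten the first one.
    """
    policy = {}
    for token in value.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def audit_csp(headers):
    """Return a list of findings; an empty list means the policy meets the ticket's advice.

    `headers` maps response header name -> value; lookup is case-insensitive
    because servers and proxies differ in header casing.
    """
    lookup = {k.lower(): v for k, v in headers.items()}
    value = lookup.get("content-security-policy")
    if value is None:
        if "content-security-policy-report-only" in lookup:
            return ["only Content-Security-Policy-Report-Only is set; report-only mode blocks nothing"]
        return ["Content-Security-Policy header missing"]

    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: resource types without their own directive are unrestricted")

    # script-src governs script execution; without it, default-src is the fallback.
    if "script-src" in policy:
        name, sources = "script-src", policy["script-src"]
    elif "default-src" in policy:
        name, sources = "default-src", policy["default-src"]
    else:
        findings.append("neither script-src nor default-src: inline scripts and eval() are allowed")
        return findings

    lowered = [s.lower() for s in sources]
    allowlisted = any(s.startswith(INLINE_ALLOWLIST_PREFIXES) for s in lowered)
    if "'unsafe-inline'" in lowered and not allowlisted:
        findings.append(f"{name} allows 'unsafe-inline': inline scripts can run")
    if "'unsafe-eval'" in lowered:
        findings.append(f"{name} allows 'unsafe-eval': eval() is not blocked")
    if "*" in lowered:
        findings.append(f"{name} allows scripts from any origin (*)")
    return findings


def audit_tiers(responses):
    """Audit one response per URL, so a header set on the web tier is not
    mistaken for one set on the app tier. Returns {"host:port": findings}."""
    result = {}
    for url, headers in responses.items():
        parts = urlsplit(url)
        result[f"{parts.hostname}:{parts.port}"] = audit_csp(headers)
    return result


# Constructed sample responses: the app server prefix from the ticket's affected
# URL without the header, and the web server test URL with the recommended policy.
SAMPLE_RESPONSES = {
    "https://10.10.55.34:9444/bsn-cdb-uat/": {
        "Content-Type": "text/html;charset=UTF-8",
    },
    "http://10.10.95.121:8080/bsn-cdb-uat/commonLogin": {
        "Content-Type": "text/html;charset=UTF-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'",
    },
}

if __name__ == "__main__":
    for host, findings in audit_tiers(SAMPLE_RESPONSES).items():
        print(host, "OK" if not findings else findings)
```

To run this against a live host, pass the headers of the response from any HTTP client (for the standard library, `urllib.request.urlopen(url).headers.items()`) in place of a sample. Two caveats a retest should cover: the header has to be present on every HTML response of the application, not only the login page, and it has to be seen on whichever tier the report names as affected. If the application server on 10.10.55.34:9444 is reachable without going through the web server, a policy configured only on the web server does not close the finding there; either the application server sends the header itself or direct access to it is removed.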
Related issues
History
#1 Updated by Najmi Pasarudin almost 3 years ago
- Status changed from New - Begin Life Cycle to Development / Work In Progress
#2 Updated by Najmi Pasarudin almost 3 years ago
- File sc4.png added
- Status changed from Development / Work In Progress to Internal Testing
- Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
- % Done changed from 0 to 100
The staging and production web servers have already applied the header.
The pentest was done on the app server instead of the web server.
Please refer to sc4.png.
#3 Updated by Najmi Pasarudin almost 3 years ago
- Description updated (diff)
#4 Updated by Nurul Athira Abdul Rahim almost 3 years ago
- Status changed from Internal Testing to System Integration Test
#5 Updated by Nurul Athira Abdul Rahim over 2 years ago
- Status changed from System Integration Test to Development / Work In Progress
- Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin
Kindly review the fixes, as the new pentest (March 9, 2022) result status stated "not solved".
#6 Updated by Najmi Pasarudin over 2 years ago
- Status changed from Development / Work In Progress to System Integration Test
- Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
The LGMS team tested the application URL instead of the web URL.
The fixes have already been applied to the staging and production web servers.
#7 Updated by Nurul Athira Abdul Rahim 7 months ago
- Status changed from System Integration Test to Closed - End of life cycle
Closed for this; refer to the new 2023/2024 pentest report.