Task #12586

Task #12556: Pentest - 2nd Assessment [2021]

Pentest_CDB - Missing "X-Content-Type-Options" Header [LOW]

Added by Nurul Athira Abdul Rahim almost 3 years ago. Updated 7 months ago.

Status: Closed - End of life cycle
Start date: November 10, 2021
Priority: Normal
Due date:
Assignee: Nurul Athira Abdul Rahim
% Done: 100%
Category: Penetration Test Issue
Spent time: -
Target version: -

Description

The "X-Content-Type-Options" header (with the "nosniff" value) prevents IE and Chrome from ignoring the Content-Type of a response. This may stop untrusted content (e.g. user-uploaded content) from being executed in the user's browser (after a malicious file naming, for example).

Solution provided by LGMS:

Configure the application server to send the "X-Content-Type-Options" header with the value "nosniff" on all outgoing responses.

For Apache, see:
http://httpd.apache.org/docs/2.2/mod/mod_headers.html

For IIS, see:
https://technet.microsoft.com/pl-pl/library/cc753133%28v=ws.10%29.aspx

For nginx, see:
http://nginx.org/en/docs/http/ngx_http_headers_module.html

Affected URL:

https://10.10.55.34:9444/bsn-cdb-uat/*
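To verify the remediation from the response side (an added example; not code from the project, this ticket, or LGMS), the following Python parses a raw HTTP response and evaluates the header the way browsers do, including the case where it is present on a 200 page but missing on an error page. The two responses embedded are constructed samples, not captures from the affected host.

```python
# Added example for this ticket, not code from the project or from LGMS.
from typing import Dict, List, Tuple


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Split a raw HTTP/1.1 response into (status code, header map).

    Header names are lower-cased so lookups are case-insensitive, and a
    repeated header keeps every value instead of overwriting the first.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, List[str]] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def nosniff_enabled(headers: Dict[str, List[str]]) -> bool:
    """Evaluate the header the way browsers do (Fetch standard): join the
    values, split on commas, and only the FIRST value counts; it must be an
    ASCII case-insensitive match for 'nosniff'. 'NoSniff' passes; 'sniff'
    and 'foo, nosniff' do not, so a checker that just greps for the word
    would report a false pass."""
    values = headers.get("x-content-type-options")
    if not values:
        return False
    first = ",".join(values).split(",")[0].strip()
    return first.lower() == "nosniff"


def check(raw: str) -> Tuple[int, bool]:
    """Return (status code, header present and effective) for one response."""
    status, headers = parse_response(raw)
    return status, nosniff_enabled(headers)


# Constructed samples, not captures from the tested host. The 404 page lacks
# the header: the symptom of Apache 'Header set' / nginx 'add_header' without
# 'always', which skip error responses, so test an error URL as well.
SAMPLE_OK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "X-Content-Type-Options: NoSniff\r\n\r\n<html></html>")
SAMPLE_404 = ("HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
              "<html>not found</html>")

if __name__ == "__main__":
    for raw in (SAMPLE_OK, SAMPLE_404):
        status, ok = check(raw)
        print(f"{status}: {'PASS' if ok else 'FAIL - header missing'}")
```

Running it against a response captured from each affected URL pattern (and from an error page on the same host) tells you whether the fix is effective in the browser rather than merely present in the config.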


Related issues

Related to BSN Corporate Digital Banking - Task #12584: Pentest_CDB - Missing "Content-Security-Policy" Header [LOW] Closed - End of life cycle November 09, 2021

History

#1 Updated by Najmi Pasarudin almost 3 years ago

  • Status changed from New - Begin Life Cycle to Internal Testing
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim
  • % Done changed from 0 to 100

Please refer to sc4.png at Task 12584.

#2 Updated by Nurul Athira Abdul Rahim almost 3 years ago

  • Status changed from Internal Testing to System Integration Test

#3 Updated by Nurul Athira Abdul Rahim over 2 years ago

  • Status changed from System Integration Test to Development / Work In Progress
  • Assignee changed from Nurul Athira Abdul Rahim to Najmi Pasarudin

Kindly review the fixes, as the new pentest (March,9,20202) result status stated "not solved".

#4 Updated by Najmi Pasarudin over 2 years ago

  • Status changed from Development / Work In Progress to System Integration Test
  • Assignee changed from Najmi Pasarudin to Nurul Athira Abdul Rahim

LGMS team tested on the application URL instead of the web URL.
Fixes were already applied to the staging and production web server.

#5 Updated by Nurul Athira Abdul Rahim 7 months ago

  • Status changed from System Integration Test to Closed - End of life cycle

Closed for this; refer to the new 2023/2024 pentest report.
