Commander
795 views

CSP and X-Frames-Options headers in App. WI Flags as not sufficient protection

Good morning,

Just ran a scan that has an XSS vulnerability. When doing my review of the findings I find that the response headers have both CSP and X-Frame-Options set up and they appear to be at sufficient levels.

X-Frame-Options: SAMEORIGIN

Content-Security-Policy: default-scr 'self' ; base-uri 'self' ; form-action 'self' ; frame-ancestors 'self';

There is also an X-XSS-Protection header, but that is, I assume, there for reflected XSS. Is there a reason why this is being flagged as insufficient protection? @HansEnders

7 Replies
Cadet 2nd Class

@KSKrug I'm replying to report that we have the same issue. These are our most recent settings that have failed - I've tried many others.

X-Frame-Options: DENY

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'

I did notice in your post that the CSP says default-scr (scr instead of src) but it might just be a typo in this forum.

Hoping we can get some guidance on what WI is looking for here.

thanks

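Added example, not code from the thread or from WebInspect: a small Python checker for the two headers both posters quoted, which parses the CSP, flags directive names a browser would silently ignore (such as the default-scr typo), and reports whether X-Frame-Options or frame-ancestors actually stops cross-origin framing. The sample headers are constructed from the values in the posts above; the scanner's own logic is not known, so this only checks what a browser would honour.

```python
# Added example (not from the thread or WebInspect): check the two anti-framing headers.
KNOWN_CSP_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src", "font-src",
    "object-src", "media-src", "frame-src", "child-src", "worker-src", "base-uri",
    "form-action", "frame-ancestors", "sandbox", "report-uri", "report-to",
}

def parse_csp(value):
    """Split a CSP header value into {directive-name: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def check_framing_protection(headers):
    """Return (protected, findings): protected is True when X-Frame-Options or
    frame-ancestors stops cross-origin framing; findings lists review points."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings, protected = [], False
    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        protected = True
    elif xfo:
        findings.append(f"unrecognised X-Frame-Options value: {xfo}")
    csp = hdrs.get("content-security-policy")
    if csp is None:
        findings.append("no Content-Security-Policy header")
        return protected, findings
    policy = parse_csp(csp)
    for name in policy:
        if name not in KNOWN_CSP_DIRECTIVES:
            # Browsers ignore unknown directives, so 'default-scr' leaves no default-src fallback.
            findings.append(f"unknown CSP directive (typo?): {name}")
    fa = policy.get("frame-ancestors")
    if fa is None:
        findings.append("CSP has no frame-ancestors directive")
    elif "*" in fa:
        findings.append("frame-ancestors allows any origin")
    else:
        protected = True
    if "'unsafe-inline'" in policy.get("script-src", []):
        findings.append("script-src allows 'unsafe-inline'; CSP will not block injected scripts")
    return protected, findings

# Constructed samples using the header values quoted in the posts above.
ORIGINAL_POST = {"X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy":
                 "default-scr 'self' ; base-uri 'self' ; form-action 'self' ; frame-ancestors 'self';"}
REPLY_POST = {"X-Frame-Options": "DENY", "Content-Security-Policy":
              "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'"}
```

Both sample policies come out as protected against framing, which is why a scanner still flagging them points at the detection method rather than the headers; the checker does surface the typo and the 'unsafe-inline' weakening as things to fix anyway.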
Commander

I read this over the weekend and thought, "That could be the cause." But it was a typo on my behalf, unfortunately. Or fortunately given I would have hated to have that error pointed out to me. 🙂

Micro Focus Expert

Glad you caught your typo! 🙂 

It happens... A customer opened a ticket for this very same thing and they did have a typo in their header. This was pointed out to them and at first they denied it, but when it was highlighted in the screenshot they had provided, their tune changed a bit.

Micro Focus Expert

@KSKrug and @tessa, if the appropriate measures are in place as recommended and you see that the response headers have both CSP and X-Frame-Options set up and they appear to be at sufficient levels, then this could be a false positive.

In a nutshell, there is an enhancement request submitted to our SSR and Framework teams to address this situation. Here is a little more information on what may be happening.

"Our script-server is a sandbox that we attempt to execute and run as much as we can in. We must sandbox it because we know what we are doing will break the browser state. The way XFS detection is working it depends on getting a result from script. A result from the script server is never guaranteed, so if no result comes back from the script server it is determined that it is vulnerable. This is going to result in a lot of false positives for XFS detection."

If you would like additional analysis please contact support for additional review.

Cadet 2nd Class

@ebell thanks so much for this feedback. I will send this to our security group to let them know.

It will take some red tape due to the organization I work for, but I will try to get my report to the right person so they can submit a ticket. Thanks again.

Cadet 3rd Class

Hi,

I have a similar situation. I'm trying to add the JavaScript below, and WI does not detect this issue with it in place. But I'm not sure that's the right thing to do.

<style id="antiClickjack">body{display:none !important;}</style>
<script type="text/javascript">
  // Legacy frame-busting: the page stays hidden until we know it is not framed.
  if (self === top) {
    // Not inside a frame: remove the hiding style so the page renders normally.
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
  } else {
    // Inside a frame: break out by navigating the top window to this page.
    top.location = self.location;
  }
</script>
