dlambro (Established Member)

Missing Response Headers


The OWASP Top Ten 2013 policy has a check named Missing HTTP Strict-Transport-Security Header (ID=11365) that is enabled. However when I scan a site that does not include the HSTS header, this finding is not reported. Also when I created a custom check to report another type of missing response header using Keyword Search with a signature of  "[HEADERS]xxx NOT", this is not reported either. Maybe I'm not setting up the custom check correctly, but the similar Missing HSTS header is not showing up either.


Accepted Solutions
Micro Focus Expert

Re: Missing Response Headers


I am afraid the Keyword search is used to flag when something is present, not when something is missing. Just having "[HEADERS]xxx NOT" is incomplete. Expanding your signature, this example would flag all instances of "xxx" found in Headers except when the word "rhinoceros" was somewhere in the HTTP Response.

Ex:  [HEADERS]xxx NOT [ALL]rhinoceros

You might be better off swapping the two, and using as a base something that will exist in 100% of HTTP Responses. For example, if scanning our demo site, "zero.webappsecurity.com" ("zero" should show in Referer header)...

Ex:  [HEADERS]zero NOT [HEADERS]Strict\-Transport\-Security


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
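The matching rule described in this answer (a signature fires when its first term is present, unless the NOT term is also present in its own scope), as an added Python illustration that is not WebInspect's own Keyword Search engine: the [HEADERS]/[ALL] scope tags, the regex-style term matching (which is why the answer escapes the hyphens) and the sample responses are all assumptions constructed for the example.

```python
import re
from typing import NamedTuple, Optional


class Response(NamedTuple):
    headers: str   # raw response header block
    body: str      # response body


class Term(NamedTuple):
    scope: str     # "HEADERS" or "ALL" (assumed scope tags, as used in the answer)
    pattern: str   # term is treated as a regex, hence "Strict\-Transport\-Security"


# Assumed grammar: "[SCOPE]term" optionally followed by " NOT [SCOPE]term".
SIG_RE = re.compile(r"^\[(HEADERS|ALL)\](\S+)(?:\s+NOT\s+\[(HEADERS|ALL)\](\S+))?$")


def parse_signature(sig: str):
    """Split a signature into its required term and optional NOT term.
    A dangling 'NOT' with no term after it (e.g. "[HEADERS]xxx NOT") is rejected."""
    m = SIG_RE.match(sig.strip())
    if not m:
        raise ValueError(f"incomplete or unsupported signature: {sig!r}")
    must = Term(m.group(1), m.group(2))
    unless: Optional[Term] = Term(m.group(3), m.group(4)) if m.group(3) else None
    return must, unless


def matches(term: Term, resp: Response) -> bool:
    # [HEADERS] searches only the header block; [ALL] searches the whole response.
    text = resp.headers if term.scope == "HEADERS" else resp.headers + "\r\n\r\n" + resp.body
    return re.search(term.pattern, text, re.IGNORECASE) is not None


def signature_fires(sig: str, resp: Response) -> bool:
    # Presence-based: the first term must be found; the NOT term then suppresses the hit.
    must, unless = parse_signature(sig)
    return matches(must, resp) and (unless is None or not matches(unless, resp))


# Constructed sample responses (not captured from any real site). The "zero" base term
# is satisfied by a header value, as the answer suggests for the demo site.
BASE = "HTTP/1.1 200 OK\r\nContent-Location: http://zero.webappsecurity.com/\r\nX-Debug: xxx\r\n"
WITH_HSTS = Response(BASE + "Strict-Transport-Security: max-age=31536000", "<html>ok</html>")
WITHOUT_HSTS = Response(BASE + "Content-Type: text/html", "<html>ok</html>")
WITH_RHINO = Response(BASE + "Content-Type: text/html", "<html>rhinoceros</html>")

if __name__ == "__main__":
    for sig in (r"[HEADERS]zero NOT [HEADERS]Strict\-Transport\-Security", "[HEADERS]xxx NOT [ALL]rhinoceros"):
        for name, resp in (("with HSTS", WITH_HSTS), ("without HSTS", WITHOUT_HSTS), ("rhino body", WITH_RHINO)):
            print(f"{sig!r} on {name}: {signature_fires(sig, resp)}")
```

The swapped signature flags only the response that lacks the Strict-Transport-Security header, which is the "missing header" finding the question asks for.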
3 Replies
dlambro (Established Member)

Re: Missing Response Headers


Thanks Hans! I've been dealing with so many issues in our environment I'm pretty much brain dead right now. You did not mention anything about the existing Missing HSTS check. Since you used that for the custom check example, should I use that instead of the existing Missing HSTS?

Micro Focus Expert

Re: Missing Response Headers


I do not know, but I will forward the concern to our Research team.  Perhaps that particular check needs a review.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify