Absent Member.

WebInspect marks the same response as a vulnerability during the first scan, but does not mark as a vulnerability during the second scan

Vulnerability: Web Server Misconfiguration: Insecure Content-Type

WebInspect reports a vulnerability "Web Server Misconfiguration: Insecure Content-Type" in the first scan. But this vulnerability is not reported in the second scan.

Response for the first scan:

---------------

HTTP/1.1 404 Not Found
Date: Thu, 28 Jan 2016 03:05:35 GMT
Server: Microsoft-IIS/8.0
Set-Cookie: SMSESSION=XXXX; path=/; domain=.hp.com
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Keep-Alive: timeout=4, max=5000
Connection: Keep-Alive
Content-Type: text/plain

-------------------

Response for the second scan:

-------------------

HTTP/1.1 404 Not Found
Date: Tue, 01 Mar 2016 07:38:20 GMT
Server: Microsoft-IIS/8.0
Set-Cookie: SMSESSION=XXXX; path=/; domain=.hp.com; secure; HTTPOnly
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Set-Cookie: userid=XXXX; expires=Tue, 01-Mar-2016 09:26:29 GMT; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Keep-Alive: timeout=4, max=5000
Connection: Keep-Alive
Content-Type: text/plain

Micro Focus Expert

Can you provide the CheckID that goes with "Web Server Misconfiguration: Insecure Content-Type", as well as state your version of WebInspect and if it is fully up-to-date with SmartUpdates?  I have the Fall 2015 release of WebInspect 10.50 (10.50.327 public release) and cannot locate this check by name, just two others that have "content-type" in their names, #11308 "Missing Content-Type Header" and #11307 "Reliance on X-Content-Type-Options".

I suspect this HTTP Response flagged this way because while they both included the Content-Type header of Text/Plain, the second instance included additional headers that helped secure that.  Perhaps it was the Strict-Transport-Security header.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
Absent Member.

Thanks for your response.

I am using WebInspect Enterprise and the Version is 10.40.260.10.

I am not sure of the meaning of CheckID. I guess it is the Vulnerability ID. It is 11309.

Summary: Web Server Misconfiguration: Insecure Content-Type

Vulnerability ID: 11309

Admiral

So it looks like the reason you don't see the vulnerability being flagged in the second case is, as expected, because the mitigation for this particular vulnerability is as follows:

Configure the web server to always send the X-Content-Type-Options: nosniff specification in the response headers. In addition, ensure that the following safety precautions are also put in place:

  1. Verify that the web server configuration will send the accurate MIME type information in the Content-Type header of each HTTP response
  2. Configure the server to send a default Content-Type of text/plain or application/octet-stream to tackle failure scenarios
  3. Ensure that an appropriate character set is specified in the Content-Type header
  4. Configure the server to send Content-Disposition: attachment; filename=name; for content without an explicit content type specification.
Absent Member.

Thanks for your answer.

But I still have two questions about this:

1. In the second response, the following 2 items are still not fixed. Why does WIE not mark this as a vulnerability?

  • Ensure that appropriate Character Set is specified in the Content-Type header
  • Configure the server to send Content-Disposition: attachment; filename=name; for content without an explicit content type specification.

2. And there are also other responses similar to this one that are marked as a vulnerability during my second scan. You can check the following response. I am confused about how WIE identifies vulnerabilities.

-------------------

HTTP/1.1 200 OK
Date: Tue, 01 Mar 2016 07:39:58 GMT
Server: Microsoft-IIS/8.0
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
X-Content-Type-Options: nosniff
Content-Type: application/octet-stream
Last-Modified: Fri, 31 Jul 2015 16:22:56 GMT
Accept-Ranges: bytes
X-Powered-By: ASP.NET
Cache-Control: max-age=0
Expires: Tue, 01 Mar 2016 07:39:59 GMT
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=4, max=4998
Connection: Keep-Alive
Content-Length: 47

<truncated>application/octet-stream</truncated>
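The following is an added example, not code from the thread and not WebInspect's own check logic. It is a small Python checker that applies the mitigation list from the "Admiral" reply (nosniff plus points 1 to 4) to the three responses posted in this thread, with the header sets copied from the posts and abbreviated. Names such as content_type_findings are mine, and reading point 4 as "application/octet-stream needs Content-Disposition: attachment" is an assumption; it lets you see which of the listed precautions each response actually satisfies, which is a separate question from which ones the scanner's check 11309 enforces.

```python
"""Check HTTP responses against the Insecure Content-Type mitigation list.

Added example for the forum thread; it is NOT WebInspect's check logic.
It reports, per response, which of the listed precautions are missing.
"""
from typing import Dict, List, Tuple

# Media types where a missing charset lets the browser guess the encoding.
# Assumption: text/* plus a few text-like application/* types.
CHARSET_TYPES = ("text/", "application/xml", "application/xhtml+xml",
                 "application/javascript")


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP response into (status line, headers).

    Header names are lower-cased; values are kept as a list because a
    header such as Set-Cookie legitimately repeats (see the second response).
    Only the first ':' separates name from value, so dates and cookie
    expiry values containing ':' are kept intact.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    status = lines[0].strip()
    headers: Dict[str, List[str]] = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def content_type_findings(raw: str) -> List[str]:
    """Return the mitigation points the response fails, in a fixed order."""
    _, h = parse_response(raw)
    findings: List[str] = []

    # Core requirement: X-Content-Type-Options: nosniff on every response.
    xcto = [v.strip().lower() for v in h.get("x-content-type-options", [])]
    if "nosniff" not in xcto:
        findings.append("missing X-Content-Type-Options: nosniff")

    # Points 1/2: a Content-Type must be present at all.
    ctype = h.get("content-type")
    if not ctype:
        findings.append("missing Content-Type header")
        return findings

    media, _, params = ctype[0].partition(";")
    media = media.strip().lower()

    # Point 3: text-like types should carry an explicit charset.
    if media.startswith(CHARSET_TYPES) and "charset=" not in params.lower():
        findings.append(f"{media} without charset")

    # Point 4 (assumed reading): a generic binary type should be forced to
    # download rather than left for the browser to interpret.
    if media == "application/octet-stream":
        disp = " ".join(h.get("content-disposition", [])).lower()
        if "attachment" not in disp:
            findings.append("application/octet-stream without "
                            "Content-Disposition: attachment")
    return findings


# Header sets copied (abbreviated) from the three responses in the thread.
FIRST_SCAN = """HTTP/1.1 404 Not Found
Date: Thu, 28 Jan 2016 03:05:35 GMT
Server: Microsoft-IIS/8.0
Set-Cookie: SMSESSION=XXXX; path=/; domain=.hp.com
X-Frame-Options: SAMEORIGIN
Content-Length: 0
Content-Type: text/plain
"""

SECOND_SCAN = """HTTP/1.1 404 Not Found
Date: Tue, 01 Mar 2016 07:38:20 GMT
Server: Microsoft-IIS/8.0
Set-Cookie: SMSESSION=XXXX; path=/; domain=.hp.com; secure; HTTPOnly
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
X-Content-Type-Options: nosniff
Set-Cookie: userid=XXXX; expires=Tue, 01-Mar-2016 09:26:29 GMT; path=/
Content-Length: 0
Content-Type: text/plain
"""

OCTET_STREAM = """HTTP/1.1 200 OK
Date: Tue, 01 Mar 2016 07:39:58 GMT
Server: Microsoft-IIS/8.0
X-Content-Type-Options: nosniff
Content-Type: application/octet-stream
Content-Length: 47
"""

# Constructed "fixed" variant: all listed precautions satisfied.
HARDENED = """HTTP/1.1 404 Not Found
Server: Microsoft-IIS/8.0
X-Content-Type-Options: nosniff
Content-Type: text/plain; charset=utf-8
Content-Length: 0
"""

if __name__ == "__main__":
    for label, raw in (("first scan", FIRST_SCAN), ("second scan", SECOND_SCAN),
                       ("octet-stream", OCTET_STREAM), ("hardened", HARDENED)):
        print(f"{label}: {content_type_findings(raw) or ['ok']}")
```

Run as a script it prints one line per response. The first response fails the core nosniff requirement and point 3; the second fails only point 3 (charset), which matches the observation that the scanner stopped flagging it once nosniff appeared; the application/octet-stream response has nosniff but no Content-Disposition: attachment, so under this reading of point 4 it still has something to fix.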
