HTTP Security Header Not Detected


The following is an excerpt from the Qualys scan report:

Vulnerability: HTTP Security Header Not Detected
QID: 11827
Reported on Port : 80/tcp
THREAT:
This QID reports the absence of the following HTTP headers:

X-Frame-Options
X-XSS-Protection
X-Content-Type-Options

IMPACT:
Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.

SOLUTION:
Depending on their server software, customers are advised to set proper HTTP response headers in their site configuration files.

RESULTS:

 X-Frame-Options HTTP Headers missing on port 80
 GET / HTTP/1.1
 Host: linuxminion.com:80
 Connection: Keep-Alive
 X-XSS-Protection HTTP Header missing on port 80
 X-Content-Type-Options HTTP Header missing on port 80

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Additionally, the scan report provides the following useful information on how Qualys detects this vulnerability and which HTTP headers it expects to see before it considers the threat mitigated.

QID Detection Logic:

This unauthenticated QID looks for the presence of the following HTTP response headers:

X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the top-level page.

Valid directives for X-Frame-Options are:
DENY - The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN - The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM RESOURCE-URL - The page can only be displayed in a frame on the specified origin.


X-XSS-Protection: This HTTP header enables the browser's built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSS-Protection: 0 disables this functionality.

Valid directives for X-XSS-Protection are:
0 - Disables XSS filtering.
1 - Enables XSS filtering (usually the default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
1; mode=block - Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.
1; report=<reporting-uri> - Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report.


X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load styles and scripts that are served with an incorrect MIME type.

Valid directive for X-Content-Type-Options:
nosniff - Blocks a request if the request destination is of type
– "style" and the MIME type is not text/css, or
– "script" and the MIME type is not a JavaScript MIME type

It also enables Cross-Origin Read Blocking for the MIME types
– text/html
– text/plain
– text/json, application/json or any other type with a JSON extension: */*+json
– text/xml, application/xml or any other type with an XML extension: */*+xml (excluding image/svg+xml)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

With all the above information in mind, we will now test the current configuration, fix this vulnerability on Apache and re-test to confirm the remediation.

Initial Test – check which HTTP headers are configured on the site:

Execute either of the below commands (curl or wget) to view the current configuration.
The output clearly shows that the expected HTTP headers are missing, i.e. not configured.

[root@linuxminion]# curl -I http://linuxminion.com:80
 HTTP/1.1 200 OK
 Date: Tue, 06 Aug 2019 23:36:24 GMT
 Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
 Content-Length: 11420
 Content-Type: text/html
 Last-Modified: Wed, 03 Oct 2012 09:11:36 GMT
[root@linuxminion]# wget -q --server-response http://linuxminion.com:80
   HTTP/1.1 200 OK
   Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips 
   Connection: Keep-Alive
   Date: Tue, 06 Aug 2019 23:37:17 GMT
   Content-Length: 11420
   Content-Type: text/html

Remediation Steps on Apache

Depending on the server software (in our case Apache), the relevant directives have to be configured in the site configuration files (i.e., httpd.conf).

Add the following directives to the config file /etc/httpd/conf/httpd.conf and RESTART the service. The Header directive is provided by mod_headers, so that module must be loaded; running apachectl configtest before the restart catches any syntax error in the edited file.

X-Frame-Options:        Header always append X-Frame-Options SAMEORIGIN
X-XSS-Protection:       Header always set X-XSS-Protection "1; mode=block"
X-Content-Type-Options: Header always set X-Content-Type-Options nosniff

NOTE: For NGINX, use the below options in nginx.conf (in the http, server or location context) and reload the service.

X-Frame-Options:        add_header X-Frame-Options SAMEORIGIN;
X-XSS-Protection:       add_header X-XSS-Protection "1; mode=block";
X-Content-Type-Options: add_header X-Content-Type-Options nosniff;

Test – Post Remediation

Below is the command output showing the configured HTTP headers.

[root@linuxminion]# curl -I http://linuxminion:80
 HTTP/1.1 200 OK
 Date: Wed, 07 Aug 2019 06:07:55 GMT
 Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
 X-Frame-Options: SAMEORIGIN
 X-XSS-Protection: 1; mode=block
 X-Content-Type-Options: nosniff
 Last-Modified: Tue, 06 Aug 2019 06:37:34 GMT
 Content-Length: 11430
 Content-Type: text/html
[root@linuxminion]# wget -q --server-response http://linuxminion:80
   HTTP/1.1 200 OK
   Date: Wed, 07 Aug 2019 06:10:37 GMT
   Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
   X-Frame-Options: SAMEORIGIN
   X-XSS-Protection: 1; mode=block
   X-Content-Type-Options: nosniff
   Last-Modified: Tue, 06 Aug 2019 06:37:34 GMT
   Content-Length: 11430
   Connection: Keep-Alive
   Content-Type: text/html
NOTE: To fully confirm the remediation, have the scanner re-scan the host and check the new scan report. It should no longer flag these vulnerabilities if the above settings have been configured correctly.
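The script below automates the re-test above using the same logic as the QID detection section earlier in this post: it is an added example, not code from the original post or from Qualys. check_headers() takes a raw HTTP response as printed by curl -I and classifies each of the three headers as missing, invalid or ok, validating the value against the directive lists quoted above (which goes a step beyond the scanner's presence check). The BEFORE and AFTER samples are constructed from the curl output shown above; MISCONFIGURED is a constructed sample carrying a value outside the valid list. fetch_head() is a helper (name chosen here, an assumption) for running the same check against a live host with only the standard library.

```python
"""Offline re-check of the three headers behind Qualys QID 11827.

Added example, not part of the original post or of Qualys's own code.
check_headers() parses a raw HTTP response (status line plus headers, as
printed by `curl -I`) and classifies X-Frame-Options, X-XSS-Protection and
X-Content-Type-Options as missing, invalid or ok. Value validation follows
the directive lists in the scan report. fetch_head() (hypothetical helper
name) runs the same check against a live host; the constructed samples
below do not use it, so the module runs offline.
"""
import http.client
import re
from urllib.parse import urlparse

# Accepted values per the directive lists in the scan report.
# Note: "0" for X-XSS-Protection is syntactically valid but turns the filter off.
EXPECTED = {
    "x-frame-options": re.compile(r"^(DENY|SAMEORIGIN|ALLOW-FROM\s+\S+)$", re.I),
    "x-xss-protection": re.compile(r"^(0|1|1;\s*mode=block|1;\s*report=\S+)$", re.I),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
}

# Constructed samples, modelled on the pre- and post-remediation curl output above.
BEFORE = """HTTP/1.1 200 OK
Date: Tue, 06 Aug 2019 23:36:24 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
Content-Length: 11420
Content-Type: text/html
"""

AFTER = """HTTP/1.1 200 OK
Date: Wed, 07 Aug 2019 06:07:55 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Length: 11430
Content-Type: text/html
"""

# Constructed: header present, but with a value outside the valid directive list.
MISCONFIGURED = AFTER.replace("X-Frame-Options: SAMEORIGIN", "X-Frame-Options: ALLOWALL")


def parse_headers(raw: str) -> dict:
    """Turn 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue  # skip blank lines and the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_headers(raw: str) -> dict:
    """Return {header: 'missing' | 'invalid: <value>' | 'ok'} for the three headers."""
    headers = parse_headers(raw)
    result = {}
    for name, pattern in EXPECTED.items():
        if name not in headers:
            result[name] = "missing"
        elif not pattern.match(headers[name]):
            result[name] = f"invalid: {headers[name]}"
        else:
            result[name] = "ok"
    return result


def flagged(raw: str) -> list:
    """Names of the headers the scanner would report, in the report's order."""
    return [name for name, state in check_headers(raw).items() if state != "ok"]


def fetch_head(url: str, timeout: float = 5.0) -> str:
    """HEAD the URL and return the status line plus headers as raw text (needs network)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("HEAD", u.path or "/", headers={"Host": u.netloc, "Connection": "close"})
        resp = conn.getresponse()
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{k}: {v}" for k, v in resp.getheaders()]
    finally:
        conn.close()
    return "\n".join(lines)


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER), ("misconfigured", MISCONFIGURED)):
        print(label, check_headers(raw))
```

For a live host, pass the output of fetch_head("http://linuxminion.com:80") into check_headers(); an empty list from flagged() corresponds to the scanner no longer reporting QID 11827 for that port.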
