HTTP Security Header Not Detected
The following is the excerpt from Qualys Scan report:
Vulnerability: HTTP Security Header Not Detected
QID: 11827
Reported on Port : 80/tcp
THREAT:
This QID reports the absence of the following HTTP headers:
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
IMPACT:
Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.
SOLUTION:
Depending on their server software, customers are advised to set proper HTTP response headers in their site configuration files.
RESULTS:
X-Frame-Options HTTP Headers missing on port 80 GET / HTTP/1.1 Host: linuxminion.com:80 Connection: Keep-Alive X-XSS-Protection HTTP Header missing on port 80 X-Content-Type-Options HTTP Header missing on port 80
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Additionally, we have the below useful information from scan report on how qualys is detecting this vulnerability based on what HTTP headers it is expecting to mitigate this threat.
QID Detection Logic:
This unauthenticated QID looks for the presence of the following HTTP responses:
X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a “UI redress attack”, allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the the top level page.
Valid directives for X-Frame-Options are:
| DENY | The page cannot be displayed in a frame, regardless of the site attempting to do so. |
| SAMEORIGIN | The page can only be displayed in a frame on the same origin as the page itself. |
| ALLOW-FROM RESOURCE-URL | The page can only be displayed in a frame on the specified origin |
X-XSS-Protection: This HTTP header enables the browser built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSSProtection: 0; disables this functionality.
Valid directives for X-XSS-Protections are:
| 0 | Disables XSS filtering. |
| 1 | Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts). |
| 1; mode=block | Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected. |
| 1; report=<reporting-uri> | Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report. |
X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIMEtype.
Valid directive for X-Content-Type-Options:
| nosniff | Blocks a request if the request destination is of type – “style” and the MIME type is not text/css, or – “script” and the MIME type is not a JavaScript MIME type Enables Cross-Origin Read Blocking for the MIME-types – text/html – text/plain – text/json, application/json or any other type with a JSON extension: */*+json – text/xml, application/xml or any other type with an XML extension: */*+xml (excluding image/svg+xml) |
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
With all the above information in mind, we will now proceed to Test the current config, Fix this vulnerability on Apache and Re-Test to confirm for remediation.
Initial Test – check what HTTP headers configured on the site:
Execute any of the below commands (curl OR wget) to find the current config.
We can clearly see the expected HTTP headers are missing and not configured.
[root@linuxminion]# curl -I http://linuxminion.com:80 HTTP/1.1 200 OK Date: Tue, 06 Aug 2019 23:36:24 GMT Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips Content-Length: 11420 Content-Type: text/html Last-Modified: Wed, 03 Oct 2012 09:11:36 GMT
[root@linuxminion]# wget -q --server-response http://linuxminion.com:80 HTTP/1.1 200 OK Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips Connection: Keep-Alive Date: Tue, 06 Aug 2019 23:37:17 GMT Content-Length: 11420 Content-Type: text/html
Remediation Steps on Apache
Depending on the server software (in our case Apache), the relevant directives has to be configured in site configuration files (i.e, httpd.conf)
Add the following options in config file /etc/httpd/conf/httpd.conf and RESTART the service.
X-Frame-Options: Header always append X-Frame-Options SAMEORIGIN
X-XSS-Protection: Header always set X-XSS-Protection "1; mode=block"
X-Content-Type-Options: Header always set X-Content-Type-Options nosniff
NOTE: For NGINX, use the below options in nginx.conf
X-Frame-Options: add_header X-Frame-Options SAMEORIGIN;
X-XSS-Protection: add_header X-XSS-Protection "1; mode=block";
X-Content-Type-Options: add_header X-Content-Type-Options nosniff;
Test – Post Remediation
Below is the command output showing the configured HTTP headers.
[root@linuxminion]# curl -I http://linuxminion:80 HTTP/1.1 200 OK Date: Wed, 07 Aug 2019 06:07:55 GMT Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Last-Modified: Tue, 06 Aug 2019 06:37:34 GMT Content-Length: 11430 Content-Type: text/html
[root@linuxminion]# wget -q --server-response http://linuxminion:80 HTTP/1.1 200 OK Date: Wed, 07 Aug 2019 06:10:37 GMT Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Last-Modified: Tue, 06 Aug 2019 06:37:34 GMT Content-Length: 11430 Connection: Keep-Alive Content-Type: text/html