Missing header Security Vulnerability

During Qualys Web Application Scanning (WAS) of the User System – Oracle Fusion integration layer, if the scan reports the security vulnerabilities below, follow the steps in the Solution section.

Vulnerability 1:

ID and Name

150202 and Missing header: X-Content-Type-Options

Threat

The X-Content-Type-Options response header is not present. WAS reports a missing X-Content-Type-Options header on every crawled link, for all types of static and dynamic responses. The scanner performs the check on 4xx and 5xx responses too, so a directory link may also be reported under this QID.

Impact

All web browsers employ a content-sniffing algorithm that inspects the contents of HTTP responses and occasionally overrides the MIME type provided by the server. If the X-Content-Type-Options header is not present, browsers can potentially be tricked into treating non-HTML responses as HTML. An attacker can potentially exploit this behaviour to perform a cross-site scripting (XSS) attack. This specific case is known as a Content-Sniffing XSS (CS-XSS) attack.

Vulnerability 2:

ID and Name

150204 and Missing header: X-XSS-Protection

Threat

The X-XSS-Protection response header is not present.

Impact

The X-XSS-Protection response header provides a layer of protection against reflected cross-site scripting (XSS) attacks by instructing browsers to abort rendering a page in which a reflected XSS attack has been detected. This is a best-effort, second-line-of-defense measure that helps prevent an attacker from using evasion techniques to bypass the neutralization mechanisms the browser filters apply by default. When configured appropriately, browser-level XSS filters can provide an additional layer of defense against web application attacks. Note that HTTP 4xx and 5xx responses can also be susceptible to attacks such as XSS. For better security, the X-XSS-Protection header should be set on 4xx and 5xx responses as well.

Solution

  • Stop the OHS

/<Environment_Name>/products/user_projects/domains/<Domain_Name>/bin/stopComponent.sh <OHS_Name>

  • Take a backup of httpd.conf, which is kept at the location below

/<Environment_Name>/products/instances/<OHS_Folder_Name>/config/OHS/<OHS_Name>

  • Modify httpd.conf by adding the following block (plain ASCII quotes; the curly quotes a word processor inserts are not valid in httpd.conf):

<IfModule mod_headers.c>
    # "always" makes these directives apply to 4xx and 5xx responses as well,
    # which the scanner also checks; a plain "Header set" only covers 2xx responses.
    # "set" (rather than "append") replaces any value a backend already sends,
    # so the browser never receives a duplicated "SAMEORIGIN, SAMEORIGIN".
    Header always set X-Frame-Options SAMEORIGIN
    Header always set X-XSS-Protection "1; mode=block"
    # default-src 'self' blocks inline scripts and third-party resources;
    # confirm the application pages still render after applying it.
    Header always set Content-Security-Policy "default-src 'self';"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set X-Content-Type-Options nosniff
</IfModule>

  • Start the OHS

/<Environment_Name>/products/user_projects/domains/<Domain_Name>/bin/startComponent.sh <OHS_Name>

NOTE: Perform the solution steps above on each OHS server.
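To confirm the fix before re-running the scan, here is a small check script added as an example (it is not part of the original post). It compares a response's headers against the values in the httpd.conf block above and also requests a non-existent path, so that 4xx responses are covered the same way the scanner covers them. The base URL is a placeholder to replace with your OHS front-end address.

```python
"""Checks OHS responses for the headers set in the httpd.conf block above,
including 4xx/5xx responses, which the scanner also reports on."""
import urllib.error
import urllib.request

# Expected values, taken from the httpd.conf block on this page.
# Comparison is case-insensitive and ignores a trailing semicolon.
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "sameorigin",
    "strict-transport-security": "max-age=31536000; includesubdomains; preload",
    "content-security-policy": "default-src 'self'",
}


def evaluate_headers(headers):
    """Return findings for one response (an empty list means compliant).

    `headers` maps header name to value, e.g. dict(response.headers.items()).
    A duplicated value such as "SAMEORIGIN, SAMEORIGIN" (what `Header append`
    produces when a backend already sends the header) is reported as an
    unexpected value, since browsers may reject it.
    """
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []
    for name, want in EXPECTED.items():
        got = lowered.get(name)
        if got is None:
            findings.append(f"missing header: {name}")
        elif got.lower().rstrip(";").strip() != want:
            findings.append(f"unexpected value for {name}: {got!r}")
    return findings


def check_url(url, timeout=10):
    """Fetch `url` and evaluate its headers, including on HTTP error responses."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, evaluate_headers(dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        # A 404/500 still carries headers; without `always` they would be absent.
        return err.code, evaluate_headers(dict(err.headers.items()))


if __name__ == "__main__":
    base = "https://ohs.example.invalid"  # placeholder: your OHS front-end URL
    for path in ("/", "/no-such-page-header-check"):  # second path yields a 4xx
        status, findings = check_url(base + path)
        print(status, path, findings or "OK")
```

Chromium-based browsers have removed their XSS auditor and Firefox never shipped one, so X-XSS-Protection mainly satisfies the scanner; the Content-Security-Policy line is the header that actually limits script execution in current browsers.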
