|
| 1 | +--- |
| 2 | + |
| 3 | +layout: col-document |
| 4 | +title: WSTG - Latest |
| 5 | +tags: WSTG |
| 6 | + |
| 7 | +--- |
| 8 | + |
| 9 | +{% include breadcrumb.html %} |
| 10 | +# Test Other HTTP Security Header Misconfigurations |
| 11 | + |
| 12 | +| ID | |
| 13 | +|------------| |
| 14 | +|WSTG-CONF-14| |
| 15 | + |
| 16 | +## Summary |
| 17 | + |
| 18 | +Security headers play a vital role in protecting web applications from a wide range of attacks, including Cross-Site Scripting (XSS), Clickjacking, and data injection attacks. These headers instruct the browser on how to handle security-related aspects of a website’s communication, reducing exposure to known attack vectors. However, misconfigurations can lead to vulnerabilities, weakening the intended security protections or rendering them ineffective. This section outlines common security header misconfigurations, their risks, and how to properly test for them. |
| 19 | + |
| 20 | +## Test Objectives |
| 21 | + |
| 22 | +- Identify improperly configured security headers. |
| 23 | +- Assess the impact of misconfigured security headers. |
| 24 | +- Validate the correct implementation of required security headers. |
| 25 | + |
| 26 | +## Common Security Header Misconfigurations |
| 27 | + |
| 28 | +- **Security Header with an Empty Value:** Headers that are present but lack a value may be ignored by browsers, making them ineffective. |
| 29 | +- **Security Header with an Invalid Value or Name (Typos):** Incorrect header names or misspellings result in headers not being recognized or enforced. |
| 30 | +- **Overpermissive Security Headers:** Headers configured too broadly (e.g., using wildcard characters `*` or overly permissive directives) can leak information or allow access to resources beyond the intended scope. |
| 31 | +- **Duplicate Security Headers:** Multiple occurrences of the same header with conflicting values can lead to unpredictable browser behavior, potentially disabling the security measures entirely. |
| 32 | +- **Legacy or Deprecated Headers:** Inclusion of obsolete headers (e.g., HPKP) or directives (e.g., `ALLOW-FROM` in X-Frame-Options) that are no longer supported by modern browsers may create unnecessary risks. |
| 33 | +- **Invalid Placement of Security Headers:** Some headers are only effective under specific conditions. For example, headers like HSTS must be delivered over HTTPS; if sent over HTTP, they become ineffective. |
| 34 | +- **META Tag Handling Mistakes:** In cases where security policies such as Content-Security-Policy (CSP) are enforced via both HTTP headers and META tags (using `http-equiv`), there is a risk that the META tag value might override or conflict with the secure logic defined in the HTTP header. This can lead to a scenario where an insecure policy inadvertently takes precedence, weakening the overall security posture. |
| 35 | + |
| 36 | +## Risks of Misconfigured Security Headers |
| 37 | + |
| 38 | +- **Reduced Effectiveness:** Misconfigured headers might not provide the intended protection, leaving the application vulnerable to attacks such as XSS, Clickjacking, or CORS-related exploits. |
| 39 | +- **Breakage of Security Measures:** Duplicate headers or conflicting directives can result in browsers ignoring the HTTP security headers entirely, thereby disabling the intended protections. |
| 40 | +- **Introduction of New Attack Vectors:** The use of legacy or deprecated headers may introduce risks rather than mitigate them if modern browsers no longer support the intended security measures. |
| 41 | + |
| 42 | +## How to Test |
| 43 | + |
| 44 | +### Fetch and Review HTTP Security Headers |
| 45 | + |
| 46 | +To inspect the security headers used by an application, employ the following methods: |
| 47 | + |
| 48 | +- **Intercepting Proxies:** Use tools such as **Burp Suite** to analyze server responses. |
| 49 | +- **Command Line Tools:** Execute a curl command to retrieve HTTP response headers: `curl -I https://example.com` |
| 50 | + - Sometimes the web application will redirect to a new page, in order to follow redirect use the following command:`curl -L -I https://example.com` |
| 51 | + - Some Firewalls may block curl's default User-Agent and some TLS/SSL errors will also prevent it from returning the correct information, in thise case you could try to use the following command: |
| 52 | +`curl -I -L -k --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" https://example.com` |
| 53 | +- **Browser Developer Tools:** Open developer tools (F12), navigate to the **Network** tab, select a request, and view the **Headers** section. |
| 54 | + |
| 55 | +### Check for Overly Permissive Security Headers |
| 56 | + |
| 57 | +- **Identify Risky Headers:** Look for headers that could allow excessive access, such as: |
| 58 | +- **Evaluate Directives:** Verify whether strict directives are enforced. For example, an overpermissive setup might appear as: |
| 59 | + |
| 60 | + ```http |
| 61 | + Access-Control-Allow-Origin: * |
| 62 | + Access-Control-Allow-Credentials: true |
| 63 | + X-Permitted-Cross-Domain-Policies: all |
| 64 | + Referrer-Policy: unsafe-url |
| 65 | + ``` |
| 66 | +
|
| 67 | + A safe configuration would look like: |
| 68 | +
|
| 69 | + ```http |
| 70 | + Access-Control-Allow-Origin: {theallowedoriginurl} |
| 71 | + X-Permitted-Cross-Domain-Policies: none |
| 72 | + Referrer-Policy: no-referrer |
| 73 | + ``` |
| 74 | +
|
| 75 | +- **Cross-Reference Documentation:** Use resources such as the [Mozilla Developer Network: Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) to review secure and insecure directives. |
| 76 | +
|
| 77 | +### Check for Duplicate, Deprecated / Obsolete Headers |
| 78 | +
|
| 79 | +- **Duplicate Headers:** Ensure that the same header is not defined multiple times with conflicting values. |
| 80 | +- **Obsolete Headers:** Identify and remove deprecated headers (e.g., HPKP) and outdated directives (e.g., `ALLOW-FROM` in X-Frame-Options). Refer to sources like [Mozilla Developer Network: X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) for current standards. |
| 81 | +
|
| 82 | +### Confirm Proper Placement of Security Headers |
| 83 | +
|
| 84 | +- **Protocol-Specific Requirements:** Validate that headers intended for secure contexts (e.g., HSTS) are delivered only under appropriate conditions (i.e., over HTTPS). |
| 85 | +- **Conditional Delivery:** Some headers may only be effective under specific circumstances. Verify that these conditions are met for the header to function as intended. |
| 86 | +
|
| 87 | +### Evaluate META Tag Handling |
| 88 | +
|
| 89 | +- **Dual Enforcement Checks:** When a security policy like CSP is applied through both an HTTP header and a META tag using `http-equiv`, confirm that the HTTP header (which is generally considered more authoritative) is not inadvertently overridden by the META tag. |
| 90 | +- **Review Browser Behavior:** Test the application in various browsers to see if any differences occur due to the presence of conflicting directives. Where possible, avoid using dual definitions to prevent unintended security lapses. |
| 91 | +
|
| 92 | +## Remediation |
| 93 | +
|
| 94 | +- **Correct Header Configuration:** Ensure that headers are correctly implemented with proper values and no typos. |
| 95 | +- **Enforce Strict Directives:** Configure headers with the most secure settings that still allow for required functionality. For example, avoid using `*` in CORS policies unless absolutely necessary. |
| 96 | +- **Remove Deprecated Headers:** Replace legacy security headers with modern equivalents and remove any that are no longer supported. |
| 97 | +- **Avoid Conflicting Definitions:** Prevent duplicate header definitions and ensure that META tags do not conflict with HTTP headers for security policies. |
| 98 | +
|
| 99 | +## Tools |
| 100 | +
|
| 101 | +- [Mozilla Observatory](https://observatory.mozilla.org/) |
| 102 | +- [ZAP](https://www.zaproxy.org/) |
| 103 | +- [Burp Suite](https://portswigger.net/burp) |
| 104 | +- Browser Developer Tools (Chrome, Firefox, Edge) |
| 105 | +
|
| 106 | +## References |
| 107 | +
|
| 108 | +- [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/) |
| 109 | +- [Mozilla Developer Network: Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) |
| 110 | +- [RFC 6797 - HTTP Strict Transport Security (HSTS)](https://datatracker.ietf.org/doc/html/rfc6797) |
| 111 | +- [Google Web Security Guidelines](https://web.dev/security-headers/) |
| 112 | +- [HPKP is No More](https://scotthelme.co.uk/hpkp-is-no-more/) |
0 commit comments