How is the Web Application Security Risk Vector Assessed?
Assessment of web application implementations regarding security hardening or unnecessary features and privileges.
Table of Contents
- Internal Server Error
- Reverse Tabnabbing
- Directory Listing Exposure
- CORS Violation
- Overly-Permissive CORS Whitelist
- HTTPS to HTTP Redirect
- TLS Errors on Page Resource Fetch (Deprecated)
Internal Server Error
This assessment highlights the presence of HTTP 5xx server error responses (500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable, 504 Gateway Timeout), which may indicate application bugs, failing upstream dependencies or capacity problems. Unhandled errors also frequently return stack traces, framework versions or internal file paths in the response body.
Framework References
Organization | Framework |
---|---|
OWASP | A04:2021 - Insecure Design |
CWE | CWE-550: Server-generated Error Message Containing Sensitive Information |
Grading
We issue a single WARN finding for every website with at least one internal server error.
Mitigation
Website owners should review the errors produced, fix the underlying bugs or dependency failures, and ensure that any remaining error path returns a generic error page rather than a stack trace, query text or internal path (the exposure described by CWE-550).
Reverse Tabnabbing
When a user navigates to a link with a target value of _blank, the link opens in a new tab, and the opener object is passed to the new browsing context. This enables the new browsing context to potentially redirect the (now backgrounded) previous tab in a manner that is not obvious to the user, which can facilitate phishing attacks. The presence of a rel attribute with the value of noopener or noreferrer prevents the opener object from being passed to the new browsing context.
Framework References
Organization | Framework |
---|---|
OWASP | A04:2021 - Insecure Design |
CWE | CWE-1022: Use of Web Link to Untrusted Target with window.opener Access |
Grading
Findings of this type are informational only; they receive a NEUTRAL grade.
Mitigation
Modern browsers now treat a target value of _blank as implying rel noopener, so links on most websites no longer pass the opener object by default. A site can still opt back in to the vulnerable behavior by setting the rel attribute to the value opener; this should be avoided. Setting rel to noopener explicitly (or to noreferrer, which additionally withholds the Referer header) keeps the protection on older browsers.
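The check and the fix described above, as an added example that is not part of the original page: a scanner that flags anchors which open a new browsing context without withholding window.opener, and a rewriter that adds rel noopener to them. It uses a tag-level regex rather than a DOM so it runs under plain Node; the sample markup is constructed for the example and the hostnames in it are placeholders.

```javascript
// Added example, not from the original page: find links that hand
// window.opener to a new tab, and rewrite them. A tag-level regex is used
// instead of a DOM so this runs under plain Node.

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

function relTokens(rel) {
  return (rel || '').toLowerCase().split(/\s+/).filter(Boolean);
}

// An anchor leaks window.opener when it has target="_blank" and its rel
// contains neither noopener nor noreferrer. rel="opener" is reported with
// its own reason because it re-enables the leak even in browsers that
// default to noopener for _blank links.
function findTabnabbingLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if ((attrs.target || '').toLowerCase() !== '_blank') continue;
    const rel = relTokens(attrs.rel);
    if (rel.includes('noopener') || rel.includes('noreferrer')) continue;
    findings.push({
      href: attrs.href || '',
      reason: rel.includes('opener')
        ? 'rel=opener explicitly passes window.opener'
        : 'target=_blank without rel=noopener',
    });
  }
  return findings;
}

// Returns the same HTML with every offending anchor given rel="noopener";
// existing rel tokens are kept, except "opener", which is dropped.
function hardenTabnabbingLinks(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if ((attrs.target || '').toLowerCase() !== '_blank') return tag;
    const rel = relTokens(attrs.rel);
    if (rel.includes('noopener') || rel.includes('noreferrer')) return tag;
    const fixed = rel.filter((t) => t !== 'opener').concat('noopener');
    const withoutRel = attrText.replace(
      /\s+rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i,
      ''
    );
    return `<a${withoutRel} rel="${fixed.join(' ')}">`;
  });
}

// Constructed sample page (hostnames are placeholders): two safe links,
// two unsafe ones and one same-tab link.
const SAMPLE_HTML = `
<a href="https://partner.example/login" target="_blank">Partner portal</a>
<a href="/help" target="_blank" rel="noopener">Help</a>
<a href="https://docs.example/" target='_blank' rel="noreferrer">Docs</a>
<a href="https://legacy.example/" target="_blank" rel="opener">Legacy app</a>
<a href="/about">About</a>
`;

const SAMPLE_FINDINGS = findTabnabbingLinks(SAMPLE_HTML);
const HARDENED_HTML = hardenTabnabbingLinks(SAMPLE_HTML);
```

Running it over the sample reports the partner and legacy links; the hardened output yields no findings when scanned again.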
Directory Listing Exposure
When a directory under the web root has no index document, some web servers automatically generate a listing of its contents. Such listings expose files that were inadvertently or inappropriately placed in the web root (backups, configuration files, source code, uploads), potentially revealing sensitive system information.
Framework References
Organization | Framework |
---|---|
OWASP | A01:2021 - Broken Access Control |
CWE | CWE-548: Exposure of Information Through Directory Listing |
Grading
Findings of this type are informational only; they receive a NEUTRAL grade.
Mitigation
Website owners should configure their web servers not to automatically generate file listings, as they may reveal potentially sensitive information to an attacker.
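As an added example that is not part of the original page, an Apache httpd virtual-host fragment showing the setting that produces listings next to the corrected form; the document root path is an assumption. On nginx the equivalent directive is autoindex, which is off by default and should be left off.

```apache
# Added example, not from the original page. Document root is assumed.

# Weak: the Indexes option lets mod_autoindex generate an "Index of /..."
# page for any directory that has no index file, exposing every file in it.
# <Directory "/var/www/html">
#     Options Indexes FollowSymLinks
# </Directory>

# Corrected: "-Indexes" subtracts the option from anything inherited from a
# parent scope, so a directory without an index file returns 403 Forbidden
# instead of a listing. AllowOverride None also stops a stray .htaccess
# from re-enabling it.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
```

After reloading, request a directory that has no index file and confirm the response is 403 rather than a generated listing.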
CORS Violation
Browsers report an error when a webpage issues a cross-origin request that the responding site has not permitted: the response carries no Access-Control-Allow-Origin header, or its value does not match the requesting page's origin, so the browser blocks the page from reading the response. The presence of such errors suggests that:
- the website content and security policies are incongruent
- the website is unknowingly including certain third-party content
- malicious code is injected into the website (but blocked by policy)
CORS allows site A to give permission to site B to read data from site A using the visitor's browser and credentials. This is different from CSP, which allows a site to prevent itself from loading potentially malicious content from unexpected sources, typically as a defense against Cross-Site Scripting attacks.
Framework References
Organization | Framework |
---|---|
OWASP | A05:2021 - Security Misconfiguration |
CWE | None |
Grading
We count the number of unique CORS violation messages per website and issue a finding grade as follows.
Condition | Grade |
---|---|
One unique CORS violation found | FAIR |
More than one unique CORS violation found | WARN |
Mitigation
Website owners should review their sites for CORS violation messages in the browser console. These usually mean the site is requesting resources that the destination site does not permit it to read, which can indicate a change in the destination site's policy, a resource that was never meant to be included, or injected code making requests the site owner did not intend.
Overly-Permissive CORS Whitelist
The web application uses a cross-domain policy file that includes domains that should not be trusted.
CORS allows site A to give permission to site B to read data from site A using the visitor's browser and credentials. This is different from CSP, which allows a site to prevent itself from loading potentially malicious content from unexpected sources, typically as a defense against Cross-Site Scripting attacks.
Framework References
Organization | Framework |
---|---|
OWASP | A05:2021 - Security Misconfiguration |
CWE | CWE-942: Permissive Cross-domain Policy with Untrusted Domains |
Grading
We look for the HTTP header Access-Control-Allow-Origin with the permissive wildcard value ‘*’ and issue a finding whenever we find this header/value combination on a website.
Condition | Grade |
---|---|
Website contains permissive CORS policy. | WARN |
Mitigation
Website owners should review their sites for overly permissive CORS policy and restrict Access-Control-Allow-Origin to the minimum set of trusted origins, sending Access-Control-Allow-Credentials only where a cross-origin caller genuinely needs the user's session. Note that browsers refuse to pair the wildcard with credentials, so a bare * exposes whatever the server returns to unauthenticated requests (for example data protected only by network location) rather than the user's session. The more dangerous variant is a server that reflects the request's Origin header while also sending Access-Control-Allow-Credentials: true, which does allow a malicious website to read responses, and so act, using the visitor's credentials. There are very few situations where either is justified.
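Both CORS assessments above (the violation a page sees when a read is blocked, and the grade a scanner assigns to the policy a site publishes) as one added example that is not part of the original page. The first function mirrors the browser-side check; the second grades a response to a probe request that carried an arbitrary, untrusted Origin. The probe origin, the sample responses and the grades other than WARN for the wildcard are this example's assumptions.

```javascript
// Added example, not from the original page. Header names are matched
// case-insensitively, as a browser would.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === want);
  return key === undefined ? undefined : String(headers[key]).trim();
}

function allowsCredentials(headers) {
  const v = getHeader(headers, 'Access-Control-Allow-Credentials') || '';
  return v.toLowerCase() === 'true';
}

// Browser view: may a page on pageOrigin read this cross-origin response?
// The blocked cases are exactly what surfaces as a "CORS violation".
function browserAllowsCrossOriginRead(pageOrigin, responseHeaders, withCredentials) {
  const acao = getHeader(responseHeaders, 'Access-Control-Allow-Origin');
  if (acao === undefined) {
    return { allowed: false, error: 'missing Access-Control-Allow-Origin' };
  }
  if (acao === '*') {
    // The wildcard is never honoured for a credentialed request.
    return withCredentials
      ? { allowed: false, error: 'wildcard origin is not valid for a credentialed request' }
      : { allowed: true, error: null };
  }
  if (acao !== pageOrigin) {
    return { allowed: false, error: `Access-Control-Allow-Origin is ${acao}, not ${pageOrigin}` };
  }
  if (withCredentials && !allowsCredentials(responseHeaders)) {
    return { allowed: false, error: 'credentialed request needs Access-Control-Allow-Credentials: true' };
  }
  return { allowed: true, error: null };
}

// Scanner view: grade the policy returned for a request that carried
// "Origin: probeOrigin", an origin the site has no reason to trust.
// Grades other than WARN for "*" are assumptions of this example.
function gradeCorsPolicy(responseHeaders, probeOrigin) {
  const acao = getHeader(responseHeaders, 'Access-Control-Allow-Origin');
  if (acao === undefined) {
    return { grade: 'GOOD', reason: 'no cross-origin reads are permitted' };
  }
  if (acao === '*') {
    return { grade: 'WARN', reason: 'wildcard: any origin may read unauthenticated responses' };
  }
  if (acao === 'null') {
    return { grade: 'WARN', reason: '"null" is the origin of sandboxed iframes and data: URLs, so any site can obtain it' };
  }
  if (acao === probeOrigin) {
    return allowsCredentials(responseHeaders)
      ? { grade: 'BAD', reason: 'arbitrary Origin reflected with credentials: responses are readable using the visitor session' }
      : { grade: 'WARN', reason: 'arbitrary Origin reflected: equivalent to a wildcard' };
  }
  return { grade: 'GOOD', reason: `policy restricted to ${acao}` };
}

// Constructed sample responses (hostnames are placeholders).
const SAMPLE_RESPONSES = {
  publicApi: { 'Access-Control-Allow-Origin': '*' },
  reflecting: {
    'access-control-allow-origin': 'https://evil.example',
    'Access-Control-Allow-Credentials': 'true',
  },
  allowlisted: {
    'Access-Control-Allow-Origin': 'https://app.example',
    'Access-Control-Allow-Credentials': 'true',
  },
  none: { 'Content-Type': 'application/json' },
};
const PROBE_ORIGIN = 'https://evil.example';
```

The reflecting case is the one to watch for: the wildcard alone is graded WARN, but an echoed Origin combined with Access-Control-Allow-Credentials: true is what lets another site read responses with the visitor's session.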
HTTPS to HTTP Redirects
This assessment identifies websites that are loaded securely via HTTPS but redirect the browser to insecure (HTTP) locations.
Framework References
Organization | Framework |
---|---|
OWASP | A01:2021 - Broken Access Control |
CWE | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
Grading
All findings of this type receive a BAD grade.
For example, if we discover that a URL under https[:]//test.com/page/ redirects to http[:]//othersite.com/, we will issue a BAD finding to test.com:443.
Mitigation
A website served over HTTPS should never redirect users to an insecure (HTTP) location: the redirect strips transport encryption, so any cookies, tokens or content the destination page handles are exposed to on-path attackers. Website owners should ensure that no page served over HTTPS redirects to an HTTP URL, and that redirects to third-party sites use HTTPS destinations.
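The check described above, as an added example that is not part of the original page: follow a redirect chain and report every hop that leaves HTTPS for plain HTTP, attributing the finding to host:443 of the page that issued the redirect, as the assessment does. The responses are constructed for the example and the hostnames are placeholders; a real scanner would replace the fetchHead stub with an actual HEAD or GET.

```javascript
// Added example, not from the original page. Responses are constructed;
// fetchHead stands in for a real request.
const SAMPLE_RESPONSES = {
  'https://test.com/page/': { status: 302, location: 'http://othersite.com/' },
  'http://othersite.com/': { status: 301, location: 'https://othersite.com/' },
  'https://othersite.com/': { status: 200 },
  'https://test.com/login': { status: 301, location: '/account/login' },
  'https://test.com/account/login': { status: 200 },
  'https://test.com/docs': { status: 302, location: '//cdn.example/docs/' },
  'https://cdn.example/docs/': { status: 200 },
  'https://test.com/loop': { status: 302, location: 'https://test.com/loop' },
};

function fetchHead(url) {
  return SAMPLE_RESPONSES[url] || { status: 404 };
}

// Follows redirects from startUrl (bounded by maxHops and a visited set)
// and returns one finding per https -> http hop. The finding is attributed
// to host:443 of the redirecting page. Location values may be relative or
// protocol-relative, so they are resolved against the redirecting URL
// exactly as a browser would; http -> https hops are not reported.
function findDowngradeRedirects(startUrl, fetch = fetchHead, maxHops = 10) {
  const findings = [];
  const seen = new Set();
  let current = new URL(startUrl);
  for (let hop = 0; hop < maxHops; hop++) {
    if (seen.has(current.href)) break;
    seen.add(current.href);
    const res = fetch(current.href);
    if (res.status < 300 || res.status >= 400 || !res.location) break;
    const next = new URL(res.location, current);
    if (current.protocol === 'https:' && next.protocol === 'http:') {
      findings.push({
        finding: `${current.hostname}:443`,
        grade: 'BAD',
        from: current.href,
        to: next.href,
        status: res.status,
      });
    }
    current = next;
  }
  return findings;
}
```

The protocol-relative case ("//cdn.example/docs/") is deliberately included: resolved against an HTTPS page it stays on HTTPS, so only a Location that explicitly names http: is a downgrade.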
TLS Errors on Page Resource Fetch
This assessment was deprecated on December 5, 2023. Old findings can still be viewed, but no new findings will be recorded.
A resource on the page failed to load due to a TLS error or uses a weak configuration.
Framework References
Organization | Framework |
---|---|
OWASP | A02:2021 - Cryptographic Failures |
CWE | CWE-319: Cleartext Transmission of Sensitive Information |
Grading
We separate TLS error messages into the following categories:
- Certificate errors (high severity), such as:
  - The site is missing a valid, trusted certificate
- Obsolete connection settings errors (lower severity), such as:
  - Obsolete connection settings: The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-256, and AES_128_GCM
- Other (informational), such as:
  - Network loading failed with error: net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH
  - The certificate chain for this site contains a certificate signed using SHA-1
  - The certificate for this site does not contain a Subject Alternative Name
We assign weights to these messages in the following way:
Condition | Grade |
---|---|
No errors or only informational TLS errors were found | GOOD |
At least one lower-severity TLS error was found. | FAIR |
At least one high-severity TLS error was found. | WARN |
Mitigation
TLS errors erode the trust users have in a website and, in some circumstances, browsers will prevent users from connecting to the website altogether.
We recommend two different types of mitigation depending on the type of error detected:
- Mitigations for certificate errors: these relate to the certificate itself. Website owners should check that the certificate has not expired, was issued by a trusted Certificate Authority and is served with its full intermediate chain, and lists the site's hostname in its Subject Alternative Name extension (modern browsers ignore the Common Name).
- Mitigations for obsolete connection settings errors: these relate to the server's TLS configuration. Website owners should disable obsolete protocol versions (TLS 1.0 and 1.1), non-forward-secret key exchange and non-AEAD cipher suites, and prefer TLS 1.3 where the server supports it.
Changelog
- December 5, 2024: Moved to a more exclusive section.
- March 12, 2024: TLS Errors on Page Resource Fetch assessment deprecated.
- July 21, 2023: Published.