How is the Web Application Security Risk Vector Assessed?
Assessment of web application implementations regarding security hardening or unnecessary features and privileges.
Table of Contents
- Internal Server Error
- Reverse Tabnabbing
- Directory Listing Exposure
- CORS Violation
- Overly-Permissive CORS Whitelist
- HTTPS to HTTP Redirect
- TLS Errors on Page Resource Fetch (Deprecated)
Internal Server Error
This assessment highlights the presence of HTTP Internal Server Errors (500, 502, 503, 504) which may represent bugs or other errors.
Finding Message: Web application generated an internal server error
Framework References
Organization | Framework |
---|---|
OWASP | A04:2021 - Insecure Design |
CWE | CWE-550: Server-generated Error Message Containing Sensitive Information |
Grading & Conditions
Weight: 1 (increased to 10)
Possible Grades:
- WARN, Weight = 10. Condition = We issue a single WARN finding for every website with at least one internal server error.
Mitigation
An internal server error indicates an unhandled exception. Review the error logs on the server listed in the finding to determine the cause. The error itself does not necessarily mean there is a vulnerability, but may expose information that could be of use to an attacker.
Remediation for these findings varies depending on the cause of the exception. In general, you should address any potential bugs that may have caused the error or implement a specific error message to handle it. This message should avoid exposing information that could be of use to an attacker.
Reverse Tabnabbing
When a user navigates to a link with a target value of _blank, the link opens in a new tab, and the opener object is passed to the new browsing context. This enables the new browsing context to potentially redirect the (now backgrounded) previous tab in a manner that is not obvious to the user, which can facilitate phishing attacks. The presence of a rel attribute with the value of noopener or noreferrer prevents the opener object from being passed to the new browsing context.
Finding Message: Link defined with the target "_blank" and with the attribute rel with value opener
Framework References
Organization | Framework |
---|---|
OWASP | A04:2021 - Insecure Design |
CWE | CWE-1022: Use of Web Link to Untrusted Target with window.opener Access |
Grading & Conditions
Weight: Not Applicable
Possible Grades:
- Condition = Reverse Tabnabbing findings are informational only.
Mitigation
Currently, the default behavior of most websites prevents this issue. However, sites can still become vulnerable if they set the rel attribute to the opener value. This should be avoided.
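An added example (not code from the original page) that audits the anchors of an HTML fragment for exactly the condition this finding reports: target="_blank" combined with rel="opener". The sample HTML and hostnames are constructed, and the rel precedence follows browser behaviour (noopener/noreferrer win over opener; a missing rel relies on the modern default).

```javascript
// Added example (not from the original page): audit anchors in an HTML fragment
// for the finding's condition, target="_blank" combined with rel="opener".
// The HTML and hrefs below are constructed sample data.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute text of one tag into a lower-cased {name: value} map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Classify one target="_blank" link by its rel tokens, following browser
// precedence: noopener/noreferrer win over opener, and a missing rel relies
// on the modern default (no window.opener for _blank).
function classifyRel(rel) {
  const tokens = new Set((rel || '').toLowerCase().split(/\s+/).filter(Boolean));
  if (tokens.has('noopener') || tokens.has('noreferrer')) return 'noopener';
  if (tokens.has('opener')) return 'opener';
  return 'default';
}

// Return every target="_blank" anchor with its verdict; only 'opener' is a finding.
function auditLinks(html) {
  const results = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if ((attrs.target || '').toLowerCase() !== '_blank') continue;
    results.push({ href: attrs.href || '', verdict: classifyRel(attrs.rel) });
  }
  return results;
}

function findings(html) {
  return auditLinks(html).filter((r) => r.verdict === 'opener');
}

// Constructed sample page fragment.
const SAMPLE_HTML = `
<a href="https://docs.example/guide" target="_blank" rel="opener">Guide</a>
<a href="https://blog.example/" target="_BLANK" rel="noopener noreferrer">Blog</a>
<a href="https://help.example/" target="_blank">Help</a>
<a href="/same-tab" rel="opener">Same tab</a>
`;

for (const f of findings(SAMPLE_HTML)) {
  console.log(`Reverse Tabnabbing: ${f.href} opens a new tab with rel="opener"`);
}
```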
Directory Listing Exposure
Certain files are often inadvertently or inappropriately included in the web root, potentially exposing sensitive system information.
Finding Message: Web server directory listing exposed to the internet
Framework References
Organization | Framework |
---|---|
OWASP | A01:2021 - Broken Access Control |
CWE | CWE-548: Exposure of Information Through Directory Listing |
Grading & Conditions
Weight: Not Applicable
Possible Grades:
- Condition = Directory listing exposure findings are informational only.
Mitigation
Website owners should configure their web servers not to automatically generate file listings, as they may reveal potentially sensitive information to an attacker.
CORS Violation
Browsers generate an error when a webpage contains content that violates the browser’s Cross-Origin Resource Sharing (CORS) policies. The presence of such errors suggests that:
- the website content and security policies are incongruent
- the website is unknowingly including certain third-party content
- malicious code is injected into the website (but blocked by policy)
CORS allows site A to give permission to site B to read data from site A using the visitor's browser and credentials. This is different from CSP, which allows a site to prevent itself from loading potentially malicious content from unexpected sources, typically as a defense against Cross-Site Scripting attacks.
Finding Message: One or more Cross-Origin Resource Sharing (CORS) violation found
Framework References
Organization | Framework |
---|---|
OWASP | A05:2021 - Security Misconfiguration |
CWE | None |
Grading & Conditions
We count the number of unique CORS violation messages per website and issue a finding grade as follows.
Minimum weight: 0
Maximum weight: 1
Possible Grades:
- Weight = 0
- Weight = between >0 and ≤1. Condition = At least one unique CORS violation was found.
Mitigation
Website owners should review their sites for CORS violation messages. These are usually a sign that the site is attempting to violate the policy of the sites from which it is loading resources and could be a sign of malicious code or a change in policy in the destination websites.
Overly-Permissive CORS Whitelist
The web application uses a cross-domain policy file that includes domains that should not be trusted.
CORS allows site A to give permission to site B to read data from site A using the visitor's browser and credentials. This is different from CSP, which allows a site to prevent itself from loading potentially malicious content from unexpected sources, typically as a defense against Cross-Site Scripting attacks.
Finding Message: The Access-Control-Allow-Origin HTTP header is configured with the wildcard value '*'
Framework References
Organization | Framework |
---|---|
OWASP | A05:2021 - Security Misconfiguration |
CWE | CWE-942: Permissive Cross-domain Policy with Untrusted Domains |
Grading & Conditions
We look for the HTTP header Access-Control-Allow-Origin with the permissive wildcard value ‘*’ and issue a finding whenever we find this header/value combination on a website.
Minimum weight: 0
Maximum weight: 1 (increased to 10)
Possible Grades:
- Weight = 0
- Weight = 10. Condition = The CORS policy is overly permissive.
Mitigation
Website owners should review their sites for overly permissive CORS policy. Having such a permissive CORS policy allows malicious websites to abuse customer credentials and sessions and perform actions on behalf of a user. There are a very limited number of situations where this would be justified. Website owners should ensure that CORS permissions are set to the minimum set of required sites and permissions.
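An added example (not code from the original page) showing the check this finding performs on response headers, beside a least-privilege replacement for the wildcard: echo the request's Origin only on an exact allowlist match. The allowlist and origins are constructed sample values.

```javascript
// Added example (not from the original page): assess a response's CORS headers
// the way the finding does, and build a least-privilege alternative to '*'.
// The allowlist and origins below are constructed sample values.

// Flag Access-Control-Allow-Origin: * as overly permissive. Header names are
// matched case-insensitively, as they arrive from HTTP.
function assessCorsHeaders(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
  const acao = lower['access-control-allow-origin'];
  if (acao === undefined) {
    return { finding: false, reason: 'no CORS header: cross-origin reads are denied by default' };
  }
  if (acao === '*') {
    return { finding: true, reason: "wildcard '*' lets any origin read the response" };
  }
  return { finding: false, reason: `origin-scoped policy: ${acao}` };
}

// Least-privilege replacement: echo the request's Origin only when it matches
// an allowlisted origin exactly (scheme, host and port); otherwise send no
// Access-Control-Allow-Origin at all. Exact Set membership avoids the classic
// prefix/regex mistake, where app.example.com.other.example would also pass.
// Vary: Origin stops a shared cache from replaying one origin's answer to another.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

function corsHeadersFor(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  const headers = { Vary: 'Origin' };
  if (requestOrigin && allowlist.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
  }
  return headers;
}

// Weak setting beside the corrected one.
const weak = { 'Access-Control-Allow-Origin': '*' };
const fixed = corsHeadersFor('https://app.example.com');
console.log('weak :', assessCorsHeaders(weak));
console.log('fixed:', assessCorsHeaders(fixed));
console.log('unlisted origin gets:', corsHeadersFor('https://app.example.com.other.example'));
```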
HTTPS to HTTP Redirects
This assessment identifies websites that are loaded securely via HTTPS but redirect the browser to insecure (HTTP) locations.
Finding Message: Connection security downgrade
Framework References
Organization | Framework |
---|---|
OWASP | A01:2021 - Broken Access Control |
CWE | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
Grading & Conditions
Weight: 1 (increased to 1000)
Possible Grades:
- BAD, Weight = 1000. Condition = All HTTPS to HTTP Redirect findings are graded BAD. The website loaded securely via HTTPS, but it redirects to an insecure (HTTP) location.
For example, if we discover a URL in https[:]//test.com/page/ that is redirecting to http[:]//othersite.com/, then we will issue a BAD finding to test.com:443.
Mitigation
Any secure website should not automatically attempt to redirect users to insecure or unencrypted sites. Website owners should ensure that there are no redirects from secure pages (HTTPS) to insecure pages (HTTP).
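An added example (not code from the original page) that evaluates a captured redirect chain for the downgrade this finding describes and attributes it to the HTTPS service, as in the test.com:443 illustration above. The hop format and the chain are constructed; it also handles relative and protocol-relative Location values, which are not downgrades.

```javascript
// Added example (not from the original page): evaluate a crawler's captured
// redirect chain for a connection security downgrade. Each hop is recorded as
// {url, status, location}; the chain below is constructed sample data that
// reuses the page's own test.com / othersite.com illustration.
function findDowngrades(chain) {
  const findings = [];
  for (const hop of chain) {
    if (!hop.location) continue; // final response, no redirect
    const from = new URL(hop.url);
    const to = new URL(hop.location, hop.url); // resolves relative Location values
    if (from.protocol === 'https:' && to.protocol === 'http:') {
      findings.push({
        host: `${from.hostname}:${from.port || 443}`, // finding is issued to the HTTPS service
        from: from.href,
        to: to.href,
        status: hop.status,
        grade: 'BAD',
      });
    }
  }
  return findings;
}

const SAMPLE_CHAIN = [
  { url: 'http://test.com/', status: 301, location: 'https://test.com/' },           // upgrade: fine
  { url: 'https://test.com/', status: 302, location: '/page/' },                     // same scheme, relative
  { url: 'https://test.com/page/', status: 302, location: 'http://othersite.com/' }, // downgrade
  { url: 'http://othersite.com/', status: 200, location: null },
];

for (const f of findDowngrades(SAMPLE_CHAIN)) {
  console.log(`${f.grade}: ${f.host} redirected ${f.from} -> ${f.to} (HTTP ${f.status})`);
}
```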
TLS Errors on Page Resource Fetch (deprecated)
This assessment was deprecated on December 5, 2023. Old findings can still be viewed, but new findings are not recorded.
A resource on the page failed to load due to a TLS error or uses a weak configuration.
Finding Message: TLS error generated when loading an external resource
Framework References
Organization | Framework |
---|---|
OWASP | A02:2021 - Cryptographic Failures |
CWE | CWE-319: Cleartext Transmission of Sensitive Information |
Grading & Conditions
We separate TLS error messages into the following categories:
- Certificate errors (high severity), such as:
  - The site is missing a valid, trusted certificate
- Obsolete connection settings errors (lower severity), such as:
  - Obsolete connections settings: The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-256, and AES_128_GCM
- Other (informational), such as:
  - Network loading failed with error: net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH
  - The certificate chain for this site contains a certificate signed using SHA-1
  - The certificate for this site does not contain a Subject Alternative Name
We assign weights to these messages in the following way:
- Condition: No errors or only informational TLS errors were found. Finding Grade =
- Condition: At least one low-severity TLS error was found. Finding Grade =
- Condition: At least one high-severity TLS error was found. Finding Grade =
Mitigation
TLS errors erode the trust users have in a website and, in some circumstances, browsers will prevent users from connecting to the website altogether.
We recommend two different types of mitigation depending on the type of error detected:
- Mitigations for Certificate errors: These are errors related to the issuance of the certificate itself. Users should check that the certificate is not expired, was issued by a valid trusted Certificate Authority, and that its common name matches the configured site’s hostname.
- Mitigations for Obsolete connection settings errors: These are errors related to the configuration of the TLS settings of the website. In order to mitigate these errors, website owners should configure their TLS options to ensure that the website does not allow obsolete and insecure cipher suites.
- March 4, 2025: Updated weights per changes implemented December 16, 2024.
- February 11, 2025: Added additional mitigation guidance for Internal Server Error findings.
- January 15, 2025: Linked finding messages.