Web Application Security risk vector findings may include the following remediation tips:
The Access-Control-Allow-Origin HTTP header is configured with the wildcard value '*'
Message: The web application answers cross-origin requests with a CORS policy that trusts origins it should not (here, every origin, via 'Access-Control-Allow-Origin: *'). Browsers never send cookies or HTTP authentication to a response carrying the literal '*', so the immediate exposure is of data that is protected only by network position or by tokens the attacker can supply. A policy that reflects the requesting origin and also sets 'Access-Control-Allow-Credentials: true' is the variant that lets a malicious website read authenticated responses and perform any action on behalf of a logged-in user, so check for origin reflection as well as for the wildcard.
Remediation tips: Review the websites for overly permissive CORS policy. Restrict 'Access-Control-Allow-Origin' to the minimum set of required origins, matched exactly against an allowlist (not by substring or suffix), send 'Vary: Origin' when the value depends on the request, and never combine a reflected origin with credentials unless that origin is trusted. See Overly-Permissive CORS Whitelist for more information.
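The following Python is an added example, not the scanner's own logic or code from the page: it classifies the CORS headers a server returns to a probe from an untrusted origin (distinguishing the wildcard from the more dangerous credentialed reflection), shows the suffix-matching bug that produces reflection, and builds the corrected allowlist response. The allowlist and all header values are constructed for the example.

```python
# Added example (Python), not the scanner's own logic: classify the CORS
# headers a server returns to a probe from an untrusted origin, and build a
# correct allowlist response. Header values below are constructed.
from typing import Dict, Optional

# Assumed allowlist for the example application.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def audit_cors(probe_origin: str, response_headers: Dict[str, str]) -> str:
    """Classify a CORS response to a request sent with `Origin: probe_origin`,
    where probe_origin is one the server should NOT trust."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"  # browser blocks the cross-origin read
    if acao == "*":
        # Browsers never attach cookies or HTTP auth to a '*' response, even
        # when Allow-Credentials is also sent, so only unauthenticated data
        # (e.g. guarded by network position) is exposed.
        return "wildcard"
    if acao == "null":
        return "null-origin"  # sandboxed iframes and file: pages can present Origin: null
    if acao == probe_origin:
        # The server echoed an attacker-chosen origin: with credentials this
        # lets that site read the victim's authenticated responses.
        return "reflected-with-credentials" if creds else "reflected"
    return "fixed-origin"  # some other specific origin: not exploitable from the probe


def naive_is_allowed(origin: str) -> bool:
    """The bug that causes reflection and that a scanner sees only from outside:
    suffix matching accepts 'https://evilexample.com' because the string ends
    with 'example.com'."""
    return origin.endswith("example.com")


def cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Hardened form: exact-match allowlist, no CORS headers for anyone else."""
    if request_origin not in ALLOWED_ORIGINS:
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        # Stops a cache from serving one origin's header to another origin.
        "Vary": "Origin",
    }
```

To use it against a live site, send a request with a bogus Origin header such as https://evil.example and pass the response headers to audit_cors; "reflected-with-credentials" is the result that warrants immediate attention.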
Authentication over HTTP
Message: The web application is requesting credentials via the WWW-Authenticate header over an insecure non-HTTPS connection. With Basic authentication the browser then sends the credentials only base64-encoded, so anyone on the network path can read them.
Remediation tips: All authentication mechanisms should always be served through a secure channel. See Authentication on Insecure Channel for more information.
Connection security downgrade
Message: A downgrade of the connection was detected on the redirect chain.
Remediation tips: Ensure there are no redirects from secure pages (HTTPS) to insecure (HTTP) pages at any point in the redirect chain. See HTTPS to HTTP Redirects for more information.
Cookie set without the SameSite attribute defined
Message: Cookies without the SameSite attribute may be sent on requests initiated from other sites, which enables attacks such as Cross Site Request Forgery (CSRF). Browser defaults differ (Chromium treats a missing attribute as Lax; other browsers do not), so the protection must not be left to the default.
Remediation tips: Session and other tracking cookies should state explicitly how permissive cross-site use may be: SameSite=Lax or SameSite=Strict for first-party session cookies, and SameSite=None (together with Secure) only where a cookie genuinely must be sent cross-site. See Cookie SameSite Attribute for more information.
A cookie was blocked due to SameSite policy violation
Message: At least one of the following issues exists:
- The website is loading resources from a third-party site that has cookies that were blocked due to a SameSite policy.
- The website is attempting to set a cookie with "SameSite=None", but is not setting the secure cookie flag.
These can lead to attacks such as Cross Site Request Forgery (CSRF).
Remediation tips: A cookie that must be sent in a third-party context (for example, when an external resource is loaded) needs both SameSite=None and the Secure attribute; browsers reject SameSite=None without Secure. Cookies that have no cross-site use should instead be set with SameSite=Lax or SameSite=Strict. See Cookie SameSite Blocked for more information.
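As an added example (Python; not the scanner's own logic), the auditor below applies the rules from the two SameSite findings above to raw Set-Cookie headers, and also reports a Secure cookie set over plain HTTP, the condition the "Secure cookie on insecure channel" finding later on this page describes. The header strings used with it are constructed; the build_cookie helper shows the corrected configuration.

```python
# Added example (Python), not the scanner's own logic: audit Set-Cookie headers
# for the SameSite/Secure conditions described on the page. The header values
# passed in are constructed.
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=value; Attr=val; Flag' into (name, {attr: val}), with
    attribute names lower-cased. A bare flag such as 'Secure' maps to ''."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_set_cookie(header: str, scheme: str = "https") -> List[str]:
    """Findings for one Set-Cookie header received over `scheme`."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower() or None
    secure = "secure" in attrs
    findings: List[str] = []
    if samesite is None:
        # Chromium defaults to Lax, other browsers to None: be explicit.
        findings.append("samesite-missing")
    elif samesite == "none" and not secure:
        # Browsers reject SameSite=None without Secure, so the cookie is lost.
        findings.append("samesite-none-without-secure")
    if secure and scheme == "http":
        # Browsers discard a Secure cookie set from a non-secure origin.
        findings.append("secure-cookie-on-insecure-channel")
    if name.startswith("__Host-") and (
        not secure or attrs.get("path") != "/" or "domain" in attrs
    ):
        # The __Host- prefix is only honoured with Secure, Path=/ and no Domain.
        findings.append("host-prefix-violated")
    return findings


def build_cookie(name: str, value: str, cross_site: bool = False) -> str:
    """Corrected configuration: Lax for first-party session cookies; a cookie
    that must travel cross-site gets SameSite=None plus Secure."""
    samesite = "None" if cross_site else "Lax"
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite={samesite}"
```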
A CSRF token with at least 128 bits of entropy is not present in a hidden form field.
Message: No Cross-Site Request Forgery (CSRF) mitigation with adequate configuration was found. This can allow a CSRF attack, in which a malicious site forces an authenticated user's browser to submit a request to the web application to which the user is currently authenticated.
Remediation tips: Generate CSRF tokens from a cryptographically secure random source with at least 128 bits of entropy, tie them to the user's session, embed them in a hidden form field (not in the URL), and verify them server-side with a constant-time comparison on every state-changing request. See Cross-Site Request Forgery (CSRF) Mitigations Present for more information.
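The following is an added example (Python) of a synchronizer-token implementation that satisfies the finding above; it is not the scanner's code or a library the page refers to. The `session` dict is a stand-in for the application's server-side session store, and the hex-alphabet assumption in has_min_entropy is the example's own.

```python
# Added example (Python), not the scanner's code: synchronizer-token CSRF
# protection meeting the 128-bit requirement. `session` is a dict standing in
# for the application's server-side session store (an assumption).
import hmac
import secrets
from html import escape
from typing import Optional

TOKEN_BYTES = 16  # 128 bits from the OS CSPRNG; never use random.random()


def issue_csrf_token(session: dict) -> str:
    """Create the per-session token once and reuse it for every form."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_hex(TOKEN_BYTES)  # 32 hex characters
    return session["csrf"]


def hidden_field(session: dict) -> str:
    """The hidden input every state-changing form must carry."""
    return ('<input type="hidden" name="csrf_token" value="%s">'
            % escape(issue_csrf_token(session)))


def verify_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Fail closed on a missing token; compare in constant time so the
    comparison does not leak how many leading characters matched."""
    expected = session.get("csrf")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def has_min_entropy(token: str, bits: int = 128) -> bool:
    """Rough check of the finding's criterion, assuming a hex token: each hex
    character carries 4 bits. Length cannot prove randomness, only rule out
    tokens that are too short."""
    try:
        int(token, 16)
    except ValueError:
        return False
    return len(token) * 4 >= bits
```

Because the token lives in the session and is compared server-side, a forged cross-site form cannot supply it; keeping the token in a hidden field rather than the URL also keeps it out of logs and Referer headers.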
Exposed content management system (CMS) admin interface
Message: A CMS framework's administration login page is exposed to the Internet.
Remediation tips: Avoid exposing administrative interfaces to the Internet, instead only making them accessible via a virtual private network (VPN), internal network, or behind a firewall. See CMS Administration Portal Exposed for more information.
An insecure CSP configuration was detected.
Message: The Content Security Policy is not effective at meeting the security objectives defined for preventing Cross Site Scripting attacks, such as:
- Preventing loading of unauthorized content resources and scripts.
- Preventing clickjacking and other nested frame attacks.
- Ensuring that web forms and links are behaving as intended.
Remediation tips: To improve your configuration, make sure to:
- Implement directives that set valid and complete source restrictions for loading dynamic content ('script-src', 'object-src', 'default-src').
- Avoid the unsafe keyword sources 'unsafe-inline' and 'unsafe-eval'; use nonces or hashes for inline scripts instead. Keyword sources must be single-quoted, otherwise the browser treats them as host names.
- Avoid typos or otherwise invalid CSP directives and source expressions; the browser ignores what it cannot parse, leaving that resource type unrestricted.
- Avoid wildcards, broad host-based allowlists, and bare URL schemes such as 'http:' or 'https:' in source directives.
- Use specific sources, such as "https://www.example.com". Remove generalizations, such as "http:", "https:", "https://*.com".
See Content Security Policy Configurations for more information.
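The auditor below is an added example (Python) that checks a policy string for the constructs listed in the remediation tips above; it is not the scanner's implementation. KNOWN_DIRECTIVES is a subset of the CSP Level 3 directive names chosen for the example, and the policies it is exercised with are constructed.

```python
# Added example (Python), not the scanner's code: flag the weak CSP constructs
# listed on the page. KNOWN_DIRECTIVES is a subset of CSP Level 3 names, and
# the policy strings used with it are constructed.
from typing import Dict, List

KNOWN_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr",
    "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "base-uri", "form-action", "frame-ancestors",
    "sandbox", "report-uri", "report-to", "upgrade-insecure-requests",
    "require-trusted-types-for", "trusted-types",
}
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
            "strict-dynamic", "report-sample", "wasm-unsafe-eval"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Directive name -> source list. As in browsers, a repeated directive's
    later occurrence is ignored."""
    out: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out


def classify_source(src: str) -> str:
    s = src.lower()
    if len(s) >= 2 and s.startswith("'") and s.endswith("'"):
        inner = s[1:-1]
        if inner in ("unsafe-inline", "unsafe-eval"):
            return "unsafe-keyword"
        if inner in KEYWORDS or inner.startswith(("nonce-", "sha256-", "sha384-", "sha512-")):
            return "keyword"
        return "invalid-keyword"
    if s in KEYWORDS:
        return "unquoted-keyword"  # parsed as a host called e.g. "unsafe-inline"
    if s.endswith(":") and "/" not in s:
        return "bare-scheme"  # http:, https:, data:, blob: allow any host
    if "*" in s:
        return "wildcard"
    return "host"


def audit_csp(policy: str) -> List[str]:
    """Human-readable findings; an empty list means no weakness was seen."""
    directives = parse_csp(policy)
    findings: List[str] = []
    for name in directives:
        if name not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive: {name}")
    # Without default-src, scripts and plugins are unrestricted unless each
    # directive is set explicitly.
    if "default-src" not in directives:
        for name in ("script-src", "object-src"):
            if name not in directives:
                findings.append(f"missing: {name}")
    for name, sources in directives.items():
        for src in sources:
            kind = classify_source(src)
            if kind in ("unsafe-keyword", "unquoted-keyword", "invalid-keyword",
                        "bare-scheme", "wildcard"):
                findings.append(f"{name}: {src} ({kind})")
    return findings
```

A nonce-plus-'strict-dynamic' policy with object-src 'none' and base-uri 'none' passes cleanly; the same policy with an unquoted unsafe-inline or a stray https: source is reported line by line, which is the form of output that is easiest to act on.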
Invalid Subresource Integrity (SRI) digest
Message: The hash of a script fetched from another origin does not match the integrity value declared for it, so the browser refuses to execute the script.
Remediation tips: Find out why the resource changed before accepting it. If the third party legitimately published a new version, pin to that version and update the digest on the website; if the change is unexplained, treat it as a possible compromise of the provider or of the network path. Do not clear the error by removing the integrity attribute; keeping the digests current is what lets you detect malicious changes to third-party code. See Cross-Domain Subresource Integrity Failure for more information.
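To make the mismatch concrete, here is an added example (Python; not the scanner's code) that computes an integrity value for a fetched file and verifies a body against an integrity attribute the way the SRI specification tells browsers to: only the strongest recognised algorithm counts, and an attribute with no recognised digest results in the resource being loaded unchecked. The script body it is run against is a constructed stand-in for a real third-party file.

```python
# Added example (Python), not the scanner's code: compute an integrity value
# for a fetched file and check a body against one the way a browser does.
# The script body used with it is a constructed stand-in.
import base64
import binascii
import hashlib
import re

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}
_TOKEN = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)")


def sri_digest(body: bytes, alg: str = "sha384") -> str:
    """Value for the integrity attribute, e.g. 'sha384-<base64 digest>'."""
    if alg not in STRENGTH:
        raise ValueError("SRI supports only sha256, sha384 and sha512")
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(body: bytes, integrity: str) -> bool:
    """Browser rule (SRI spec): keep only the strongest recognised algorithm
    present in the attribute; the body passes if it matches any digest of
    that algorithm. Weaker digests are ignored even when they are correct."""
    parsed = []
    for token in integrity.split():
        m = _TOKEN.match(token)  # anything after a '?' is an ignored option
        if m:
            parsed.append((m.group(1), m.group(2)))
    if not parsed:
        # No usable digest: the browser loads the resource unchecked, which is
        # why a malformed attribute must be treated as a finding, not a pass.
        return True
    top = max(STRENGTH[alg] for alg, _ in parsed)
    for alg, b64 in parsed:
        if STRENGTH[alg] != top:
            continue
        try:
            expected = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue
        if expected == hashlib.new(alg, body).digest():
            return True
    return False
```

When a provider ships a new version, fetch it, compare it to the previous copy, and only then regenerate the attribute with sri_digest; a one-byte change in the body (even trailing whitespace) produces a mismatch, which is the point.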
A known session token pattern is present in a URL
Message: A token that may be used as a session identifier is being passed in a URL. URLs are written to server and proxy logs, browser history and Referer headers, so such tokens are easily captured by an attacker, exposing the session to unauthorized third parties.
Remediation tips: Ensure that no session identifiers or other sensitive information are passed via URL GET parameters (or path parameters such as ';jsessionid='); carry session identifiers in cookies with the Secure, HttpOnly and SameSite attributes instead. See Session Token in URL for more information.
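Because the leak is most visible in logs, the added example below (Python; not the scanner's code) scans web-server access-log lines for session identifiers in the query string or in the servlet-style ';jsessionid=' path parameter, redacting the value before reporting it. The log lines are constructed, and SESSION_PARAMS is an assumed list of common parameter names, not a list the scanner publishes.

```python
# Added example (Python), not the scanner's code: flag requests whose URL
# carries a session identifier, run over constructed access-log lines. The
# parameter-name list is an assumption for the example.
import re
from typing import Iterable, List, Tuple
from urllib.parse import parse_qsl, urlsplit

SESSION_PARAMS = {
    "phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "session_id",
    "sessid", "sid", "cfid", "cftoken", "auth_token", "access_token",
}
REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/')
PATH_PARAM = re.compile(r";(jsessionid)=([^;/?#]+)", re.I)


def session_params(url: str) -> List[Tuple[str, str]]:
    """(name, value) pairs that look like session identifiers in the query
    string or in the servlet ';jsessionid=...' path parameter."""
    parts = urlsplit(url)
    found = [(n, v) for n, v in parse_qsl(parts.query, keep_blank_values=True)
             if n.lower() in SESSION_PARAMS]
    m = PATH_PARAM.search(parts.path)
    if m:
        found.append((m.group(1), m.group(2)))
    return found


def redact(value: str) -> str:
    """Never copy the full token into a report or ticket."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_access_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """(line number, parameter name, redacted value) for every hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        for name, value in session_params(m.group(1)):
            hits.append((lineno, name, redact(value)))
    return hits


# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '10.0.0.1 - - [06/Dec/2024:10:00:00 +0000] "GET /index.php?PHPSESSID=3f9a2c1d7e HTTP/1.1" 200 512',
    '10.0.0.2 - - [06/Dec/2024:10:00:01 +0000] "GET /app/home;jsessionid=A1B2C3D4E5?tab=1 HTTP/1.1" 200 512',
    '10.0.0.3 - - [06/Dec/2024:10:00:02 +0000] "GET /search?q=shoes&page=2 HTTP/1.1" 200 512',
]
```

Run scan_access_log(SAMPLE_LOG) and the first two lines are reported while the ordinary search request is not; the same matcher applied to the Referer field of a log would show where such tokens are being sent on to third parties.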
Link defined with target="_blank" and rel="opener"
Message: With this configuration the link opens in a new tab and the new page keeps a reference to the opening tab through window.opener. It can then navigate the (now backgrounded) original tab, for example to a look-alike login page, in a way that is not obvious to the user. This facilitates phishing attacks.
Remediation tips: Current browsers already treat target="_blank" links as if rel="noopener" were set, so a link only keeps access to its opener when rel="opener" is specified explicitly (the case flagged here) or when the visitor uses an older browser. Remove rel="opener" unless the new page genuinely needs window.opener, and add rel="noopener" (or rel="noreferrer", which also suppresses the Referer header) so the opener object is not passed to the new browsing context on any browser. See Reverse Tabnabbing for more information.
Missing integrity attribute
Message: The page loads one or more scripts from another origin without an integrity attribute.
Remediation tips: Avoid loading scripts from third-party origins, to prevent exposure to content and JavaScript manipulation by the third party or in case of a network compromise. If third-party script loading is unavoidable, add a subresource integrity attribute (together with crossorigin="anonymous", which cross-origin SRI requires) whenever possible, and pin to a specific version of the resource so the digest stays valid. See Cross-Domain Subresource Integrity Check for more information.
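The added example below (Python, using the standard-library HTML parser; not the scanner's code) detects the two markup conditions from the "rel=opener" and "Missing integrity attribute" findings above in one pass: target="_blank" links that keep the opener, cross-origin scripts with no integrity attribute, and cross-origin scripts whose integrity attribute cannot be checked because the crossorigin attribute is missing. The page URL and HTML it is run against are constructed.

```python
# Added example (Python), not the scanner's code: find target="_blank" links
# that keep window.opener and cross-origin scripts that cannot be integrity-
# checked. The page URL and HTML used with it are constructed.
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlparse


def origin_of(url: str) -> Tuple[str, str, int]:
    u = urlparse(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.scheme, (u.hostname or "").lower(), port)


class PageAuditor(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.origin = origin_of(page_url)
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("a", "area", "form") and a.get("target", "").lower() == "_blank":
            rel = set(a.get("rel", "").lower().split())
            link = a.get("href") or a.get("action") or "?"
            if "opener" in rel:
                # Explicit opt-in: the new page gets window.opener on every browser.
                self.findings.append(f"rel=opener keeps window.opener: {link}")
            elif not rel & {"noopener", "noreferrer"}:
                # Modern browsers imply noopener here; older ones do not.
                self.findings.append(f"no noopener/noreferrer: {link}")
        if tag == "script" and a.get("src"):
            src = urljoin(self.page_url, a["src"])
            if origin_of(src) != self.origin:
                if not a.get("integrity"):
                    self.findings.append(f"cross-origin script without integrity: {src}")
                elif "crossorigin" not in a:
                    # Without CORS mode the response is opaque and the browser
                    # blocks a script whose integrity it cannot verify.
                    self.findings.append(f"integrity without crossorigin: {src}")


def audit_html(page_url: str, html: str) -> List[str]:
    auditor = PageAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed page for the example.
SAMPLE_HTML = """<html><body>
<a href="https://partner.example/x" target="_blank" rel="opener">p</a>
<a href="https://partner.example/y" target="_BLANK">q</a>
<a href="https://partner.example/z" target="_blank" rel="noopener noreferrer">ok</a>
<script src="https://cdn.example/lib.js"></script>
<script src="https://cdn.example/lib2.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.example/lib3.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="/local.js"></script>
</body></html>"""
```

audit_html("https://www.example.com/page", SAMPLE_HTML) reports four items in document order: the rel="opener" link, the link with no rel at all, the CDN script with no integrity attribute, and the one whose integrity attribute is unusable without crossorigin; the same-origin /local.js and the correctly attributed lib3.js are not reported.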
One or more Cross-Origin Resource Sharing (CORS) violation found
Message:
The webpage contains content that violates the browser's Cross-Origin Resource Sharing (CORS) policy. Such errors usually indicate that:
- The website's content and its security policies are inconsistent.
- The website is unknowingly including certain third-party content.
- Malicious code has been injected into the website (but is being blocked by policy).
Remediation tips:
Review the CORS violation messages. They are usually a sign that:
- The site is requesting resources in a way that the serving site's policy does not permit (for example, a credentialed fetch from an origin that site does not allow).
- The destination website has changed its policy, or its content has been modified maliciously.
Detailed information about the existing violations is available in the evidence details section. See CORS Violation for more information.
Password field on a non-secure page
Message: An authentication HTML form is being presented over an insecure non-HTTPS connection.
Remediation tips: All authentication mechanisms should always be served through a secure channel.
Password field on a non-secure page (Certificate Errors)
Message: Password forms requesting credentials on a site loaded with a missing or invalid certificate.
Remediation tips: All authentication mechanisms should always be served through a secure channel.
Password field on a non-secure page (Obsolete Connection Settings)
Message: Password forms requesting credentials on a site loaded with obsolete connection settings.
Remediation tips: All authentication mechanisms should always be served through a secure channel.
Referrer-Policy defined with unsafe-url
Message: The website sets the 'unsafe-url' Referrer-Policy, which sends the full URL of the current page (origin, path and query string) as the Referer of every request it makes, including requests to third parties and requests that downgrade from HTTPS to HTTP. Any sensitive value in the URL, such as an internal path or a token in a query parameter, leaks with it.
Remediation tips: Avoid leaking internal URLs to third parties. Prefer 'strict-origin-when-cross-origin' (the current browser default), which sends only the origin cross-site and nothing on an HTTPS-to-HTTP downgrade, or 'no-referrer' / 'same-origin' where third parties need no referrer at all. See Unsafe Referrer Policy for more information.
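The following added example (Python; not the scanner's code) implements the referrer computation from the Referrer Policy specification for the standard policy values, so the difference between 'unsafe-url' and the safer alternatives can be seen on concrete URLs. The source and destination URLs it is exercised with are constructed.

```python
# Added example (Python), not the scanner's code: compute the Referer a
# browser sends from `source` to `dest` under each Referrer-Policy value,
# following the Referrer Policy specification. URLs used with it are constructed.
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def _origin(url: str) -> str:
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if u.port:
        host += f":{u.port}"
    return f"{u.scheme}://{host}"


def _strip(url: str) -> str:
    """'Strip url for use as a referrer': drop credentials and fragment."""
    u = urlsplit(url)
    return urlunsplit((u.scheme, _origin(url).split("://", 1)[1], u.path, u.query, ""))


def referrer_for(policy: str, source: str, dest: str) -> Optional[str]:
    """The Referer value for a request from `source` to `dest`; None means no
    Referer header is sent at all."""
    same_origin = _origin(source) == _origin(dest)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme == "http"
    origin_only = _origin(source) + "/"  # an origin is serialized with a trailing slash
    full = _strip(source)
    p = policy.strip().lower() or "strict-origin-when-cross-origin"  # the browser default
    if p == "no-referrer":
        return None
    if p == "unsafe-url":
        return full  # path and query leak everywhere, including over plain HTTP
    if p == "origin":
        return origin_only
    if p == "same-origin":
        return full if same_origin else None
    if p == "no-referrer-when-downgrade":
        return None if downgrade else full
    if p == "strict-origin":
        return None if downgrade else origin_only
    if p == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if p == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin_only
    raise ValueError(f"unknown Referrer-Policy value: {policy!r}")
```

With a source such as https://intranet.example.com/reports/q4?customer=acme and a plain-HTTP tracking pixel as the destination, 'unsafe-url' hands the tracker the full internal path and query over an unencrypted connection, while the default policy sends nothing.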
Resource blocked by Content Security Policy (CSP)
Message: The page attempted to load a resource that was blocked by the CSP policy. The presence of such error suggests that:
- The website content and security policies are incongruent.
- The website unknowingly includes third-party content.
- Malicious code is injected into the website but blocked by the CSP.
Remediation tips: Review the website for CSP violation messages. Detailed information about the existing violations is available in the evidence details section; the same messages appear in your browser's developer tools under the Console tab. Resolve each one either by removing the content that should not be there or by adding its source to the policy, and use the 'report-to' or 'report-uri' directive so that violations reach you before users notice them. See Content Security Policy Violations for more information.
Secure cookie on insecure channel
Message: A cookie with the "Secure" attribute is set from a non-HTTPS endpoint. Browsers reject a Secure cookie set over plain HTTP, so the application will not receive it on later requests and any logic that depends on it breaks.
Remediation tips: Serve the site over HTTPS so that the cookie is set from a secure origin, and redirect HTTP requests to HTTPS. If that is not possible, ensure the application does not depend on cookies with the "Secure" attribute set. See Secure Cookie Set on an Insecure Channel for more information.
Secure page included non-secure content
Message: The page attempted to load an HTTP resource from an HTTPS context.
Remediation tips: Serve all content as HTTPS instead of HTTP. Ensure that every resource loaded from an HTTPS website is loaded securely. See Mixed Content for more information.
TLS error generated when loading an external resource
Message: A resource on the page fails to load due to a TLS error, or is served with a weak TLS configuration. These errors erode the trust users have in the website and, in some circumstances, browsers will refuse to load the resource or prevent users from connecting altogether.
Remediation tips:
There are different classes of mitigations, depending on the type of error:
- Certificate errors: Check that the certificate has not expired, that it is issued by a trusted Certificate Authority and served with its complete chain, and that its Subject Alternative Name entries cover the hostname being requested (browsers no longer fall back to the Common Name).
- Obsolete connection settings errors: Configure TLS so that the website offers only TLS 1.2 or later with modern cipher suites (AEAD suites with forward secrecy) and rejects obsolete and insecure ones.
See TLS Errors on Page Resource Fetch for more information.
Use of one or more JavaScript libraries with known vulnerabilities
Message: One or more JavaScript libraries loaded by the page are known to contain a vulnerability.
Remediation tips: Upgrade the affected JavaScript libraries to versions that are not affected by known vulnerabilities or remove that dependency from the web application. Detailed information about the detected JavaScript library versions and their known vulnerabilities is available in the evidence details section. See JavaScript Libraries with Known Vulnerabilities for more information.
Web application generated an internal server error
Message: HTTP Internal Server Errors (500, 502, 503, 504) were found during scanning. This may represent bugs or other errors.
Remediation tips: Review the errors produced and ensure the URL or hostname are available for your visitors. See Internal Server Error for more information.
Web server directory listing exposed to the internet
Message: Files were inadvertently or inappropriately included in the web root. These may reveal potentially sensitive information to an attacker.
Remediation tips: Configure the web server to not automatically generate file listings, as they may reveal potentially sensitive information to an attacker. See Directory Listing Exposure for more information.
- December 6, 2024: Published.