From 1567dae146197b14348e9f73ae6dafe2735dc415 Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 01:02:42 +0100 Subject: [PATCH 01/44] Create 14-test_other_http_security_header_misconfigurations.md --- ..._http_security_header_misconfigurations.md | 124 ++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-test_other_http_security_header_misconfigurations.md diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-test_other_http_security_header_misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-test_other_http_security_header_misconfigurations.md new file mode 100644 index 0000000000..06460640bf --- /dev/null +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-test_other_http_security_header_misconfigurations.md 
@@ -0,0 +1,124 @@ +--- +layout: col-document +title: WSTG - Latest +tags: WSTG +--- + +{% include breadcrumb.html %} +# Test Other HTTP Security Header Misconfigurations + +|ID | +|------------| +|WSTG-CONF-14| + +## Summary + +Security headers play a vital role in protecting web applications from a wide range of attacks, including Cross-Site Scripting (XSS), Clickjacking, and data injection attacks. These headers instruct the browser on how to handle security-related aspects of a website’s communication, reducing exposure to known attack vectors. However, misconfigurations can lead to vulnerabilities, weakening the intended security protections or rendering the existing security protections ineffective. This section outlines common security header misconfigurations, their risks, and how to properly test for them. + +### Common Security Header Misconfigurations: +- **Security Header with an Empty Value**: Headers present but lacking a value may be ignored by browsers, making them ineffective. +- **Security Header with an Invalid Value or Name (Typos)**: Incorrect header names or misspellings result in headers not being recognized or enforced. +- **Overpermissive Security Headers**: Overpermissive headers can leak information or allow access to resources beyond the intended scope. +- **Duplicate Security Headers**: Conflicting definitions of the same header can lead to unpredictable browser behavior and potentially disable security measures. +- **Legacy Security Headers**: The inclusion of obsolete headers, can create unnecessary risks instead of improving security. +- **Invalid Placement of Security Headers**: Certain headers must be delivered over specific conditions or protocols; using these headers when the right conditions are not met renders them ineffective. 
+ +## Risks of Misconfigured Security Headers + +- **Reduced Effectiveness**: If headers are misconfigured, they may not provide the intended protection, allowing exploits such as XSS, Clickjacking, or CORS-related attacks. +- **Breakage of Security Measures**: Duplicate headers may lead to unexpected behavior, with some browsers completley ignoring the HTTP security headers because of this. +- **Legacy and Deprecated Headers**: Using obsolete security headers can introduce new attack vectors instead of securing the application. + +## Test Objectives + +- Identify security headers that are improperly configured. +- Assess the impact of misconfigured security headers. +- Validate correct implementation of required security headers. + +## How to Test + +### Fetch and Review HTTP Security Headers + +To inspect the security headers used by an application, different methods can be applied: + +- Use an intercepting proxy such as **Burp Suite** or **OWASP ZAP** to analyze server responses. +- Run the following curl command to retrieve HTTP response headers: + +```bash + curl -I https://example.com +``` + +- Utilize browser developer tools to check server responses: + - Open developer tools (F12) → Navigate to the **Network** tab → Select a request → View the **Headers** section. + +### Check for Overly Permissive Security Headers + +To evaluate overly permissive security headers, consider the following methods, especially when wildcard characters (*) are used or when certain security headers are configured too broadly: + +1. Identify the headers that could allow excessive access, such as: + +``` + Access-Control-Allow-Origin + Access-Control-Allow-Credentials + X-Permitted-Cross-Domain-Policies + Referrer-Policy +``` + +2. Verify if strict directives are enforced or not, here is an example of overpermissive security headers. 
+ +``` + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + X-Permitted-Cross-Domain-Policies: all + Referrer-Policy: unsafe-url +``` + +And here is an example of its strict directive (secure) equivalents: + +``` + Access-Control-Allow-Origin: {theallowedoriginurl} + X-Permitted-Cross-Domain-Policies: none + Referrer-Policy: no-referrer +``` + +To verify the directives make sure you search the header name on the [Mozilla Developer Network: Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) website as this will give you a proper overview of secure and insecure directives for each header. + +3. Finally, ensure that the strict directives are implemented but keep in mind that sometimes strict directives can break normal functionality so always check that it works with your application. + +### Check for Duplicate, Deprecated / Obsolete Headers + +To detect duplicate or deprecated headers, perform the following: + +- Look for multiple occurrences of the same security header with conflicting values. +- Be aware of obsolete headers such as HPKP or header directives such as, ALLOW-FROM in X-Frame-Options, which is no longer supported by modern browsers. Again, you can verify the deprecation status of headers on Mozilla's website: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options). +- Ensure deprecated headers are removed or replaced with modern equivalents. + +### Confirm Proper Placement of Security Headers + +Similar to the ```Secure``` flag in cookies, some HTTP security headers are only effective under specific conditions. For instance, certain headers must be delivered over HTTPS; sending them over HTTP renders them ineffective. + +To ensure security headers are correctly positioned: + +- Validate that the correct conditions required for the header to work are present. For example; for HSTS make sure TLS/SSL is present. 
+ +## Remediation + +- **Ensure headers are correctly configured**: Avoid empty or invalid values, and double-check for typos. +- **Apply strict directives**: Configure headers to minimize security risks (e.g., avoid using * in CORS policies unless required). +- **Remove deprecated headers**: Remove headers like HPKP that are no longer supported. +- **Beware of conditional exclusive headers**: Ensure that security headers like HSTS are correctly applied only in HTTPS responses. + +## Tools + +- [Mozilla Observatory](https://observatory.mozilla.org/) +- [OWASP ZAP](https://www.zaproxy.org/) +- [Burp Suite](https://portswigger.net/burp) +- Browser Developer Tools (Chrome, Firefox, Edge) + +## References + +- [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/) +- [RFC 6797 - HTTP Strict Transport Security (HSTS)](https://datatracker.ietf.org/doc/html/rfc6797) +- [Mozilla Developer Network: Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) +- [Google Web Security Guidelines](https://web.dev/security-headers/) +- [HPKP is No More](https://scotthelme.co.uk/hpkp-is-no-more/) From 8bf1b66510cbbd1f6552d01459209883d79ab572 Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 01:03:28 +0100 Subject: [PATCH 02/44] Update README.md --- .../README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/README.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/README.md index 049451e7a6..e501008763 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/README.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/README.md 
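Review bot: The HSTS check in the new file added in PATCH 01 ("for HSTS make sure TLS/SSL is present") understates the test: RFC 6797, already in the references, requires user agents to ignore a `Strict-Transport-Security` header received over plain HTTP, so the tester should confirm both that the header is present on the HTTPS response and that the HTTP origin redirects to HTTPS, otherwise the policy is never learned. The duplicate-headers section also gives no example of what a conflicting pair looks like; one line showing the same header name twice with different values would make the check concrete. Copy edits in the same hunk: "completley" should be "completely", "overpermissive" should be "overly permissive", the stray commas in "obsolete headers, can create" and "such as, ALLOW-FROM" should go, "For example; for HSTS" wants a colon or comma rather than a semicolon, and the heading "### Common Security Header Misconfigurations:" ends in a colon, which markdown lint will flag.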
@@ -25,3 +25,5 @@ 4.2.12 [Test for Content Security Policy](12-Test_for_Content_Security_Policy.md) 4.2.13 [Test for Path Confusion](13-Test_for_Path_Confusion.md) + +4.2.14 [Test for Other HTTP Security Header Misconfigurations](14-Test_Other_HTTP_Security_Header_Misconfigurations.md) From 29554cf92e03e92c0cd2785b3e672035ba8f9cdc Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 01:04:07 +0100 Subject: [PATCH 03/44] Rename 14-test_other_http_security_header_misconfigurations.md to 14-Test_Other_Http_Security_Header_Misconfigurations.md --- ...md => 14-Test_Other_Http_Security_Header_Misconfigurations.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/{14-test_other_http_security_header_misconfigurations.md => 14-Test_Other_Http_Security_Header_Misconfigurations.md} (100%) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-test_other_http_security_header_misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_Http_Security_Header_Misconfigurations.md similarity index 100% rename from document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-test_other_http_security_header_misconfigurations.md rename to document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_Http_Security_Header_Misconfigurations.md From 5635429ba3ce030cf9a8d3c8d78ed96593e07925 Mon Sep 17 00:00:00 2001 
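Review bot: The link target added to the README in PATCH 02, `14-Test_Other_HTTP_Security_Header_Misconfigurations.md`, does not match the file created in PATCH 01, `14-test_other_http_security_header_misconfigurations.md`, so on a case-sensitive filesystem the entry is a broken link at this commit; the renames in PATCH 03 and PATCH 04 bring the filename into line, and squashing them into this change would keep every commit consistent. The entry text "Test for Other HTTP Security Header Misconfigurations" also differs from the document title "Test Other HTTP Security Header Misconfigurations"; pick one wording for both.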
From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 01:05:12 +0100 Subject: [PATCH 04/44] Rename 14-Test_Other_Http_Security_Header_Misconfigurations.md to 14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- ...md => 14-Test_Other_HTTP_Security_Header_Misconfigurations.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/{14-Test_Other_Http_Security_Header_Misconfigurations.md => 14-Test_Other_HTTP_Security_Header_Misconfigurations.md} (100%) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_Http_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md similarity index 100% rename from document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_Http_Security_Header_Misconfigurations.md rename to document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md From 18a909a23c999062b9d5790902e5d6790753b0fc Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 01:06:08 +0100 Subject: [PATCH 05/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- ...-Test_Other_HTTP_Security_Header_Misconfigurations.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 06460640bf..6d6a095c35 100644 
--- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -1,12 +1,3 @@ ---- -layout: col-document -title: WSTG - Latest -tags: WSTG ---- - -{% include breadcrumb.html %} -# Test Other HTTP Security Header Misconfigurations - |ID | |------------| |WSTG-CONF-14| From fa6f6b8ca979631ea99408d13284fb0fe0ffbac8 Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 18:53:12 +0100 Subject: [PATCH 06/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md Co-authored-by: Rick M --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 6d6a095c35..b13e1e858f 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -102,7 +102,7 @@ To ensure security headers are correctly positioned: ## Tools - [Mozilla Observatory](https://observatory.mozilla.org/) -- [OWASP ZAP](https://www.zaproxy.org/) +- [ZAP](https://www.zaproxy.org/) - [Burp Suite](https://portswigger.net/burp) - Browser Developer Tools (Chrome, Firefox, Edge) 
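Review bot: The hunk in PATCH 05 removes the `# Test Other HTTP Security Header Misconfigurations` heading together with the Jekyll front matter and breadcrumb include, so the file now opens on the `|ID |` table and has no title heading. If the front matter is meant to go, keep the `#` heading line so the page still has an H1 matching the README entry.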
From 7f76e6641b3fb399eaced3f9b869a00af43e247d Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 18:53:28 +0100 Subject: [PATCH 07/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md Co-authored-by: Rick M --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index b13e1e858f..7374cc6373 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -86,7 +86,7 @@ To detect duplicate or deprecated headers, perform the following: ### Confirm Proper Placement of Security Headers -Similar to the ```Secure``` flag in cookies, some HTTP security headers are only effective under specific conditions. For instance, certain headers must be delivered over HTTPS; sending them over HTTP renders them ineffective. +Similar to the `Secure` flag in cookies, some HTTP security headers are only effective under specific conditions. For instance, certain headers must be delivered over HTTPS; sending them over HTTP renders them ineffective. To ensure security headers are correctly positioned: From b49842e11b662b9ceb0c8d746d6c743e0cc59628 Mon Sep 17 00:00:00 2001 
From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 18:53:40 +0100 Subject: [PATCH 08/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md Co-authored-by: Rick M --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 7374cc6373..caeef0aeb7 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -36,7 +36,7 @@ To inspect the security headers used by an application, different methods can be - Run the following curl command to retrieve HTTP response headers: ```bash - curl -I https://example.com +curl -I https://example.com ``` - Utilize browser developer tools to check server responses: From a6c13ca2765f26d4580fc02b41b8e928591795bd Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 18:54:10 +0100 Subject: [PATCH 09/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md Co-authored-by: Rick M --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
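Review bot: The `curl -I https://example.com` example fixed up in PATCH 08 issues a HEAD request, and servers and application frameworks do not always attach the same headers to HEAD as to GET, so a tester can miss a header that is only set on the real response or be shown one that is not. Suggest a GET that prints only the response headers, for example `curl -sS -D - -o /dev/null https://example.com`, and a sentence noting that headers should be checked on several page types (HTML, redirects, error pages, API responses), since each can be served by a different layer with different headers.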
diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index caeef0aeb7..a56c0913a9 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -32,7 +32,7 @@ Security headers play a vital role in protecting web applications from a wide ra To inspect the security headers used by an application, different methods can be applied: -- Use an intercepting proxy such as **Burp Suite** or **OWASP ZAP** to analyze server responses. +- Use an intercepting proxy such as **Burp Suite** or **ZAP** to analyze server responses. - Run the following curl command to retrieve HTTP response headers: ```bash From a984fa1c071de1c9eac21bc73fd59c02724221a9 Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 18:54:25 +0100 Subject: [PATCH 10/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md Co-authored-by: Rick M --- ...4-Test_Other_HTTP_Security_Header_Misconfigurations.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index a56c0913a9..2026a878f2 100644 
--- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -49,10 +49,10 @@ To evaluate overly permissive security headers, consider the following methods, 1. Identify the headers that could allow excessive access, such as: ``` - Access-Control-Allow-Origin - Access-Control-Allow-Credentials - X-Permitted-Cross-Domain-Policies - Referrer-Policy +Access-Control-Allow-Origin +Access-Control-Allow-Credentials +X-Permitted-Cross-Domain-Policies +Referrer-Policy ``` 2. Verify if strict directives are enforced or not, here is an example of overpermissive security headers. From 8d45182104adaffe92775c82de63c439cfaf7e8c Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 18:54:36 +0100 Subject: [PATCH 11/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md Co-authored-by: Rick M --- ...4-Test_Other_HTTP_Security_Header_Misconfigurations.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 2026a878f2..83e4b18de7 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md 
@@ -58,10 +58,10 @@ Referrer-Policy 2. Verify if strict directives are enforced or not, here is an example of overpermissive security headers. ``` - Access-Control-Allow-Origin: * - Access-Control-Allow-Credentials: true - X-Permitted-Cross-Domain-Policies: all - Referrer-Policy: unsafe-url +Access-Control-Allow-Origin: * +Access-Control-Allow-Credentials: true +X-Permitted-Cross-Domain-Policies: all +Referrer-Policy: unsafe-url ``` And here is an example of its strict directive (secure) equivalents: From eea1f4099fac6f14cc5e60f45bb0071be7e2ba95 Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 18:54:42 +0100 Subject: [PATCH 12/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md Co-authored-by: Rick M --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 83e4b18de7..f76426d765 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -66,7 +66,7 @@ Referrer-Policy: unsafe-url And here is an example of its strict directive (secure) equivalents: -``` +```http Access-Control-Allow-Origin: {theallowedoriginurl} X-Permitted-Cross-Domain-Policies: none Referrer-Policy: no-referrer From ab20e9ebbbe812dc2d52d5afdbad50e973959064 Mon Sep 17 00:00:00 2001 
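Review bot: The overly permissive example re-indented in PATCH 11 pairs `Access-Control-Allow-Origin: *` with `Access-Control-Allow-Credentials: true`, but browsers refuse that combination for credentialed requests (the wildcard is not accepted when credentials are included), so the snippet shows a configuration that fails closed rather than one that is exploitable. The pattern a tester actually needs to recognise is a server that reflects the request `Origin` value into `Access-Control-Allow-Origin` while also sending `Access-Control-Allow-Credentials: true`; suggest showing that pair, with a note that the wildcard alone is a concern for non-credentialed data exposure only.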
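Review bot: The "strict equivalents" block fenced in PATCH 12 drops `Access-Control-Allow-Credentials` from the list without saying what the secure setting is, so the reader sees three corrected headers for four insecure ones; state that the credentials header should be omitted unless the application needs cookies cross-origin, and then only alongside a single explicit origin. The placeholder `{theallowedoriginurl}` is also misleading: `Access-Control-Allow-Origin` takes an origin (scheme, host and optional port, such as `https://app.example.com`), not a URL with a path, and a path-bearing value will not match anything.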
From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 18:54:53 +0100 Subject: [PATCH 13/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md Co-authored-by: Rick M --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index f76426d765..8313a0c564 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -55,7 +55,7 @@ X-Permitted-Cross-Domain-Policies Referrer-Policy ``` -2. Verify if strict directives are enforced or not, here is an example of overpermissive security headers. +2. Verify if strict directives are enforced or not. Here is an example of overpermissive security headers. ``` Access-Control-Allow-Origin: * From ec7e77bf6d211de9c78969548cfee44e682921b7 Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 18:55:21 +0100 Subject: [PATCH 14/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md Co-authored-by: Rick M --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 8313a0c564..4498497823 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -72,7 +72,7 @@ And here is an example of its strict directive (secure) equivalents: Referrer-Policy: no-referrer ``` -To verify the directives make sure you search the header name on the [Mozilla Developer Network: Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) website as this will give you a proper overview of secure and insecure directives for each header. +To verify the directives make sure you search the header name on the [Mozilla Developer Network: Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) website as this will give you a proper overview of secure and insecure directives for each header. 3. Finally, ensure that the strict directives are implemented but keep in mind that sometimes strict directives can break normal functionality so always check that it works with your application. From 65db337b0bc97209dcec388aa9ceffed7c5821dc Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 18:55:45 +0100 Subject: [PATCH 15/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md Co-authored-by: Rick M --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 4498497823..27645eb6fa 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -109,7 +109,7 @@ To ensure security headers are correctly positioned: ## References - [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/) -- [RFC 6797 - HTTP Strict Transport Security (HSTS)](https://datatracker.ietf.org/doc/html/rfc6797) - [Mozilla Developer Network: Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) +- [RFC 6797 - HTTP Strict Transport Security (HSTS)](https://datatracker.ietf.org/doc/html/rfc6797) - [Google Web Security Guidelines](https://web.dev/security-headers/) - [HPKP is No More](https://scotthelme.co.uk/hpkp-is-no-more/) From 51e94a433a2a3e889677e1591a08e60fbebcf8a9 Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 19:06:39 +0100 Subject: [PATCH 16/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md Co-authored-by: Rick M --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 27645eb6fa..36fbdbd9b7 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -81,7 +81,7 @@ To verify the directives make sure you search the header name on the [Mozilla De To detect duplicate or deprecated headers, perform the following: - Look for multiple occurrences of the same security header with conflicting values. -- Be aware of obsolete headers such as HPKP or header directives such as, ALLOW-FROM in X-Frame-Options, which is no longer supported by modern browsers. Again, you can verify the deprecation status of headers on Mozilla's website: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options). +- Be aware of obsolete headers such as HPKP or header directives such as, ALLOW-FROM in X-Frame-Options, which is no longer supported by modern browsers. Again, you can verify the deprecation status of headers on Mozilla's website for example: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options). - Ensure deprecated headers are removed or replaced with modern equivalents. ### Confirm Proper Placement of Security Headers From c009355744d2d633a6d582f55a9e719f69176ef4 Mon Sep 17 00:00:00 2001 
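Review bot: The bullet rewritten in PATCH 16 says deprecated headers should be "replaced with modern equivalents" but names none; `ALLOW-FROM` in `X-Frame-Options` is superseded by the Content-Security-Policy `frame-ancestors` directive, which is the equivalent worth pointing to, while HPKP has no replacement and the remediation is removal. Grammar in the same line: "header directives such as, ALLOW-FROM" should lose the comma, "which is no longer supported" should be "which are no longer supported" since it refers to both items, and "on Mozilla's website for example: [X-Frame-Options]" reads better as "on MDN, for example [X-Frame-Options]".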
From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 19:08:00 +0100 Subject: [PATCH 17/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md Co-authored-by: Rick M --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 36fbdbd9b7..788872af9a 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -67,9 +67,9 @@ Referrer-Policy: unsafe-url And here is an example of its strict directive (secure) equivalents: ```http - Access-Control-Allow-Origin: {theallowedoriginurl} - X-Permitted-Cross-Domain-Policies: none - Referrer-Policy: no-referrer +Access-Control-Allow-Origin: {theallowedoriginurl} +X-Permitted-Cross-Domain-Policies: none +Referrer-Policy: no-referrer ``` To verify the directives make sure you search the header name on the [Mozilla Developer Network: Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) website as this will give you a proper overview of secure and insecure directives for each header. From df63f7674bc25dc884200a6c81593d04d81bc60e Mon Sep 17 00:00:00 2001 
From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 19:08:12 +0100 Subject: [PATCH 18/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md Co-authored-by: Rick M --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 788872af9a..ced74a38bf 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -57,7 +57,7 @@ Referrer-Policy 2. Verify if strict directives are enforced or not. Here is an example of overpermissive security headers. -``` +```http Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true X-Permitted-Cross-Domain-Policies: all From 58a3eeae99bb4ee7b93baeff3fab33ae2df0a5b7 Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 19:10:14 +0100 Subject: [PATCH 19/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index ced74a38bf..aad19c404f 100644 
--- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -48,7 +48,7 @@ To evaluate overly permissive security headers, consider the following methods, 1. Identify the headers that could allow excessive access, such as: -``` +```http Access-Control-Allow-Origin Access-Control-Allow-Credentials X-Permitted-Cross-Domain-Policies From b09726a2c3c44382aa221cd0b2782bdcba387ecd Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 19:11:11 +0100 Subject: [PATCH 20/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index aad19c404f..b7b41dd2b0 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -48,7 +48,7 @@ To evaluate overly permissive security headers, consider the following methods, 1. Identify the headers that could allow excessive access, such as: -```http +```text Access-Control-Allow-Origin Access-Control-Allow-Credentials X-Permitted-Cross-Domain-Policies From 16640c87e84f7bb5e20709319fafcd83aba36f5d Mon Sep 17 00:00:00 2001 
From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 19:11:25 +0100 Subject: [PATCH 21/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index b7b41dd2b0..ced74a38bf 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -48,7 +48,7 @@ To evaluate overly permissive security headers, consider the following methods, 1. Identify the headers that could allow excessive access, such as: -```text +``` Access-Control-Allow-Origin Access-Control-Allow-Credentials X-Permitted-Cross-Domain-Policies From e6d3138ca1155e77d0164179d7c926831003419e Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Wed, 5 Feb 2025 19:56:40 +0100 Subject: [PATCH 22/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md Co-authored-by: Rick M --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index ced74a38bf..a0233f8492 100644 
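Review bot: 19/44, 20/44 and 21/44 change the fence tag on the same list of header names from none to `http`, to `text`, and back to none, so their net effect is nothing; squash them out before merge. If one tag is to be kept, `text` is the right one: the block is a list of bare header names, not an HTTP message, so `http` (correctly applied to the `name: value` blocks in 18/44) does not fit here.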
--- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -1,3 +1,5 @@ +# Test Other HTTP Security Header Misconfigurations + |ID | |------------| |WSTG-CONF-14| From 1c366b401e937d36916c72adb26770d849f21074 Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Sat, 8 Feb 2025 15:01:56 +0100 Subject: [PATCH 23/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md Moved Test Objectives before Common Security Header Misconfigurations --- ...t_Other_HTTP_Security_Header_Misconfigurations.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index a0233f8492..dd1ceed33a 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md 
@@ -8,6 +8,12 @@ Security headers play a vital role in protecting web applications from a wide range of attacks, including Cross-Site Scripting (XSS), Clickjacking, and data injection attacks. These headers instruct the browser on how to handle security-related aspects of a website’s communication, reducing exposure to known attack vectors. However, misconfigurations can lead to vulnerabilities, weakening the intended security protections or rendering the existing security protections ineffective. This section outlines common security header misconfigurations, their risks, and how to properly test for them. +## Test Objectives + +- Identify security headers that are improperly configured. +- Assess the impact of misconfigured security headers. +- Validate correct implementation of required security headers. + ### Common Security Header Misconfigurations: - **Security Header with an Empty Value**: Headers present but lacking a value may be ignored by browsers, making them ineffective. - **Security Header with an Invalid Value or Name (Typos)**: Incorrect header names or misspellings result in headers not being recognized or enforced. @@ -22,12 +28,6 @@ Security headers play a vital role in protecting web applications from a wide ra - **Breakage of Security Measures**: Duplicate headers may lead to unexpected behavior, with some browsers completley ignoring the HTTP security headers because of this. - **Legacy and Deprecated Headers**: Using obsolete security headers can introduce new attack vectors instead of securing the application. -## Test Objectives - -- Identify security headers that are improperly configured. -- Assess the impact of misconfigured security headers. -- Validate correct implementation of required security headers. - ## How to Test ### Fetch and Review HTTP Security Headers From 66812f92b86c03bd3d3f4455c03a2a9ad4292138 Mon Sep 17 00:00:00 2001 
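Review bot: the move gives the page the usual WSTG order, but the context lines show "Common Security Header Misconfigurations:" as an H3 with a trailing colon sitting directly under the H2 "Test Objectives"; drop the colon and promote it to `##` so the section levels are consistent. The context of the second hunk also carries the typo "completley" ("completely") in the "Breakage of Security Measures" bullet, worth fixing while this region is being edited.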
From: Joel Aviad Ossi Date: Mon, 24 Feb 2025 10:27:21 +0100 Subject: [PATCH 24/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- ..._HTTP_Security_Header_Misconfigurations.md | 172 +++++++++++------- 1 file changed, 106 insertions(+), 66 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index dd1ceed33a..f960769226 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md 
@@ -1,105 +1,145 @@ # Test Other HTTP Security Header Misconfigurations -|ID | -|------------| -|WSTG-CONF-14| +| ID | +|-------------| +| WSTG-CONF-14 | ## Summary -Security headers play a vital role in protecting web applications from a wide range of attacks, including Cross-Site Scripting (XSS), Clickjacking, and data injection attacks. These headers instruct the browser on how to handle security-related aspects of a website’s communication, reducing exposure to known attack vectors. However, misconfigurations can lead to vulnerabilities, weakening the intended security protections or rendering the existing security protections ineffective. This section outlines common security header misconfigurations, their risks, and how to properly test for them. +Security headers play a vital role in protecting web applications from a wide range of attacks, including Cross-Site Scripting (XSS), Clickjacking, and data injection attacks. These headers instruct the browser on how to handle security-related aspects of a website’s communication, reducing exposure to known attack vectors. However, misconfigurations can lead to vulnerabilities, weakening the intended security protections or rendering them ineffective. This section outlines common security header misconfigurations, their risks, and how to properly test for them. ## Test Objectives -- Identify security headers that are improperly configured. -- Assess the impact of misconfigured security headers. -- Validate correct implementation of required security headers. +- **Identify improperly configured security headers.** +- **Assess the impact of misconfigured security headers.** +- **Validate the correct implementation of required security headers.** -### Common Security Header Misconfigurations: -- **Security Header with an Empty Value**: Headers present but lacking a value may be ignored by browsers, making them ineffective. 
-- **Security Header with an Invalid Value or Name (Typos)**: Incorrect header names or misspellings result in headers not being recognized or enforced. -- **Overpermissive Security Headers**: Overpermissive headers can leak information or allow access to resources beyond the intended scope. -- **Duplicate Security Headers**: Conflicting definitions of the same header can lead to unpredictable browser behavior and potentially disable security measures. -- **Legacy Security Headers**: The inclusion of obsolete headers, can create unnecessary risks instead of improving security. -- **Invalid Placement of Security Headers**: Certain headers must be delivered over specific conditions or protocols; using these headers when the right conditions are not met renders them ineffective. +## Common Security Header Misconfigurations -## Risks of Misconfigured Security Headers +- **Security Header with an Empty Value:** + Headers that are present but lack a value may be ignored by browsers, making them ineffective. -- **Reduced Effectiveness**: If headers are misconfigured, they may not provide the intended protection, allowing exploits such as XSS, Clickjacking, or CORS-related attacks. -- **Breakage of Security Measures**: Duplicate headers may lead to unexpected behavior, with some browsers completley ignoring the HTTP security headers because of this. -- **Legacy and Deprecated Headers**: Using obsolete security headers can introduce new attack vectors instead of securing the application. +- **Security Header with an Invalid Value or Name (Typos):** + Incorrect header names or misspellings result in headers not being recognized or enforced. -## How to Test +- **Overpermissive Security Headers:** + Headers configured too broadly (e.g., using wildcard characters `*` or overly permissive directives) can leak information or allow access to resources beyond the intended scope. 
-### Fetch and Review HTTP Security Headers +- **Duplicate Security Headers:** + Multiple occurrences of the same header with conflicting values can lead to unpredictable browser behavior, potentially disabling the security measures entirely. -To inspect the security headers used by an application, different methods can be applied: +- **Legacy or Deprecated Headers:** + Inclusion of obsolete headers (e.g., HPKP) or directives (e.g., `ALLOW-FROM` in X-Frame-Options) that are no longer supported by modern browsers may create unnecessary risks. -- Use an intercepting proxy such as **Burp Suite** or **ZAP** to analyze server responses. -- Run the following curl command to retrieve HTTP response headers: - -```bash -curl -I https://example.com -``` +- **Invalid Placement of Security Headers:** + Some headers are only effective under specific conditions. For example, headers like HSTS must be delivered over HTTPS; if sent over HTTP, they become ineffective. -- Utilize browser developer tools to check server responses: - - Open developer tools (F12) → Navigate to the **Network** tab → Select a request → View the **Headers** section. +- **META Tag Handling Mistakes:** + In cases where security policies such as Content-Security-Policy (CSP) are enforced via both HTTP headers and META tags (using `http-equiv`), there is a risk that the META tag value might override or conflict with the secure logic defined in the HTTP header. This can lead to a scenario where an insecure policy inadvertently takes precedence, weakening the overall security posture. 
-### Check for Overly Permissive Security Headers +## Risks of Misconfigured Security Headers -To evaluate overly permissive security headers, consider the following methods, especially when wildcard characters (*) are used or when certain security headers are configured too broadly: +- **Reduced Effectiveness:** + Misconfigured headers might not provide the intended protection, leaving the application vulnerable to attacks such as XSS, Clickjacking, or CORS-related exploits. -1. Identify the headers that could allow excessive access, such as: - -``` -Access-Control-Allow-Origin -Access-Control-Allow-Credentials -X-Permitted-Cross-Domain-Policies -Referrer-Policy -``` +- **Breakage of Security Measures:** + Duplicate headers or conflicting directives can result in browsers ignoring the HTTP security headers entirely, thereby disabling the intended protections. -2. Verify if strict directives are enforced or not. Here is an example of overpermissive security headers. +- **Introduction of New Attack Vectors:** + The use of legacy or deprecated headers may introduce risks rather than mitigate them if modern browsers no longer support the intended security measures. -```http -Access-Control-Allow-Origin: * -Access-Control-Allow-Credentials: true -X-Permitted-Cross-Domain-Policies: all -Referrer-Policy: unsafe-url -``` +## How to Test -And here is an example of its strict directive (secure) equivalents: +### Fetch and Review HTTP Security Headers -```http -Access-Control-Allow-Origin: {theallowedoriginurl} -X-Permitted-Cross-Domain-Policies: none -Referrer-Policy: no-referrer -``` +To inspect the security headers used by an application, employ the following methods: -To verify the directives make sure you search the header name on the [Mozilla Developer Network: Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) website as this will give you a proper overview of secure and insecure directives for each header. 
+- **Intercepting Proxies:** + Use tools such as **Burp Suite** or **curl** to analyze server responses. + +- **Command Line Tools:** + Execute a curl command to retrieve HTTP response headers: + ```bash + curl -I https://example.com + + Sometimes the web application will redirect to a new page, in order to follow redirect use the following command: + curl -L -I https://example.com -3. Finally, ensure that the strict directives are implemented but keep in mind that sometimes strict directives can break normal functionality so always check that it works with your application. + Some Firewalls may block curl's default User-Agent and some TLS/SSL errors will also prevent it from returning the correct information, in thise case you could try to use the following command: + + curl -I -L --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" https://example.com + ``` + +- **Browser Developer Tools:** + Open developer tools (F12), navigate to the **Network** tab, select a request, and view the **Headers** section. + +### Check for Overly Permissive Security Headers + +1. **Identify Risky Headers:** + Look for headers that could allow excessive access, such as: + ``` + Access-Control-Allow-Origin + Access-Control-Allow-Credentials + X-Permitted-Cross-Domain-Policies + Referrer-Policy + ``` + +2. **Evaluate Directives:** + Verify whether strict directives are enforced. For example, an overpermissive setup might appear as: + ```http + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + X-Permitted-Cross-Domain-Policies: all + Referrer-Policy: unsafe-url + ``` + A safe configuration would look like: + ```http + Access-Control-Allow-Origin: {theallowedoriginurl} + X-Permitted-Cross-Domain-Policies: none + Referrer-Policy: no-referrer + ``` + +3. 
**Cross-Reference Documentation:** + Use resources such as the [Mozilla Developer Network: Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) to review secure and insecure directives. ### Check for Duplicate, Deprecated / Obsolete Headers -To detect duplicate or deprecated headers, perform the following: +- **Duplicate Headers:** + Ensure that the same header is not defined multiple times with conflicting values. + +- **Obsolete Headers:** + Identify and remove deprecated headers (e.g., HPKP) and outdated directives (e.g., `ALLOW-FROM` in X-Frame-Options). + Refer to sources like [Mozilla Developer Network: X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) for current standards. -- Look for multiple occurrences of the same security header with conflicting values. -- Be aware of obsolete headers such as HPKP or header directives such as, ALLOW-FROM in X-Frame-Options, which is no longer supported by modern browsers. Again, you can verify the deprecation status of headers on Mozilla's website for example: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options). -- Ensure deprecated headers are removed or replaced with modern equivalents. +### Confirm Proper Placement of Security Headers -### Confirm Proper Placement of Security Headers +- **Protocol-Specific Requirements:** + Validate that headers intended for secure contexts (e.g., HSTS) are delivered only under appropriate conditions (i.e., over HTTPS). -Similar to the `Secure` flag in cookies, some HTTP security headers are only effective under specific conditions. For instance, certain headers must be delivered over HTTPS; sending them over HTTP renders them ineffective. +- **Conditional Delivery:** + Some headers may only be effective under specific circumstances. Verify that these conditions are met for the header to function as intended. 
-To ensure security headers are correctly positioned: +### Evaluate META Tag Handling -- Validate that the correct conditions required for the header to work are present. For example; for HSTS make sure TLS/SSL is present. +- **Dual Enforcement Checks:** + When a security policy like CSP is applied through both an HTTP header and a META tag using `http-equiv`, confirm that the HTTP header (which is generally considered more authoritative) is not inadvertently overridden by the META tag. + +- **Review Browser Behavior:** + Test the application in various browsers to see if any differences occur due to the presence of conflicting directives. Where possible, avoid using dual definitions to prevent unintended security lapses. ## Remediation -- **Ensure headers are correctly configured**: Avoid empty or invalid values, and double-check for typos. -- **Apply strict directives**: Configure headers to minimize security risks (e.g., avoid using * in CORS policies unless required). -- **Remove deprecated headers**: Remove headers like HPKP that are no longer supported. -- **Beware of conditional exclusive headers**: Ensure that security headers like HSTS are correctly applied only in HTTPS responses. +- **Correct Header Configuration:** + Ensure that headers are correctly implemented with proper values and no typos. + +- **Enforce Strict Directives:** + Configure headers with the most secure settings that still allow for required functionality. For example, avoid using `*` in CORS policies unless absolutely necessary. + +- **Remove Deprecated Headers:** + Replace legacy security headers with modern equivalents and remove any that are no longer supported. + +- **Avoid Conflicting Definitions:** + Prevent duplicate header definitions and ensure that META tags do not conflict with HTTP headers for security policies. ## Tools From acb0dd6a396e05a35accceac6b3b798800825416 Mon Sep 17 00:00:00 2001 
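Review bot: the META tag bullets added in this hunk (under "Common Security Header Misconfigurations" and in the new "Evaluate META Tag Handling" section) claim that a CSP delivered by `<meta http-equiv>` "might override" the policy in the HTTP header; that is not how CSP works. When several policies are delivered, each is enforced independently, so a request must satisfy all of them, and a META policy can tighten but never loosen the header policy (some directives, such as `frame-ancestors`, are also ignored when delivered via META). Reword to say that dual definitions make the effective policy hard to reason about, not that the header is overridden. Other points in the same hunk: "Intercepting Proxies: Use tools such as Burp Suite or curl" lists curl, a command-line client, as a proxy while dropping ZAP from the original line; the `bash` block under "Command Line Tools" now contains prose sentences between the curl commands, which render as code; "thise case" should read "this case"; and the padded ID table (`| ID |`, `| WSTG-CONF-14 |`) and the fully bolded Test Objectives bullets are both reverted in 25/44 and 26/44, so they should not enter in this commit.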
From: Joel Aviad Ossi Date: Mon, 24 Feb 2025 10:32:44 +0100 Subject: [PATCH 25/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index f960769226..d0039f2da7 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -2,7 +2,7 @@ | ID | |-------------| -| WSTG-CONF-14 | +|WSTG-CONF-14| ## Summary From be3e8c700a45a2469f070f5c1bad2970f365e429 Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Mon, 24 Feb 2025 10:37:30 +0100 Subject: [PATCH 26/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- ...4-Test_Other_HTTP_Security_Header_Misconfigurations.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index d0039f2da7..588e598404 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md 
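Review bot: after this revert the ID table is mixed: the header row keeps its padding (`| ID |`, `|-------------|`) while the data row is `|WSTG-CONF-14|`. Restore all three rows to the original unpadded form (`|ID |`, `|------------|`, `|WSTG-CONF-14|`) so the table matches the other WSTG pages and the separator width matches the cells.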
+++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -10,9 +10,9 @@ Security headers play a vital role in protecting web applications from a wide ra ## Test Objectives -- **Identify improperly configured security headers.** -- **Assess the impact of misconfigured security headers.** -- **Validate the correct implementation of required security headers.** +- Identify improperly configured security headers. +- Assess the impact of misconfigured security headers. +- Validate the correct implementation of required security headers. ## Common Security Header Misconfigurations @@ -59,7 +59,7 @@ To inspect the security headers used by an application, employ the following met - **Command Line Tools:** Execute a curl command to retrieve HTTP response headers: - ```bash + ```HTTP curl -I https://example.com Sometimes the web application will redirect to a new page, in order to follow redirect use the following command: From f29ea61e36530f08ca562e0c8f23d9cea67ff473 Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Mon, 24 Feb 2025 10:37:47 +0100 Subject: [PATCH 27/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 588e598404..648f895fe8 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md 
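Review bot: the second hunk retags the curl block from `bash` to `HTTP`, which is wrong: its contents are shell commands, not an HTTP message, and fence tags elsewhere in this document are lowercase. 27/44 reverts it, so squash the pair. The first hunk (un-bolding the Test Objectives bullets) is correct.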
+++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -59,7 +59,7 @@ To inspect the security headers used by an application, employ the following met - **Command Line Tools:** Execute a curl command to retrieve HTTP response headers: - ```HTTP + ```bash curl -I https://example.com Sometimes the web application will redirect to a new page, in order to follow redirect use the following command: From b7d412d0ba459834d6d57a72ecaef39578a240a1 Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Mon, 24 Feb 2025 10:38:37 +0100 Subject: [PATCH 28/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 648f895fe8..0c07d48061 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md 
@@ -67,7 +67,7 @@ To inspect the security headers used by an application, employ the following met Some Firewalls may block curl's default User-Agent and some TLS/SSL errors will also prevent it from returning the correct information, in thise case you could try to use the following command: - curl -I -L --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" https://example.com + curl -I -L -k --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" https://example.com ``` - **Browser Developer Tools:** From d012a3450e4cd5ff2afc20e9cfaf05cc41e63492 Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Mon, 24 Feb 2025 10:39:58 +0100 Subject: [PATCH 29/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 0c07d48061..4914309ab9 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md 
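Review bot: adding `-k` to the fallback curl command disables TLS certificate verification, but the sentence above it only says "some TLS/SSL errors will also prevent it from returning the correct information". State explicitly that `-k` skips certificate validation and is a last resort for reading headers from a host with a broken certificate, which is itself a finding to record, so readers do not copy the flag into their default command. "thise case" should also be "this case".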
@@ -60,14 +60,14 @@ To inspect the security headers used by an application, employ the following met - **Command Line Tools:** Execute a curl command to retrieve HTTP response headers: ```bash - curl -I https://example.com + curl **-I** https://example.com Sometimes the web application will redirect to a new page, in order to follow redirect use the following command: - curl -L -I https://example.com + curl **-L** -I https://example.com Some Firewalls may block curl's default User-Agent and some TLS/SSL errors will also prevent it from returning the correct information, in thise case you could try to use the following command: - curl -I -L -k --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" https://example.com + curl -I -L **-k** **--user-agent** "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" https://example.com ``` - **Browser Developer Tools:** From 96846b64fe0f85892d7519d2252d1696c66cd677 Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Mon, 24 Feb 2025 10:40:18 +0100 Subject: [PATCH 30/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 4914309ab9..0c07d48061 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md 
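Review bot: wrapping flags in `**` inside the `bash` fence does not render as bold; in a fenced block the asterisks are shown literally, so the commands become `curl **-I** https://example.com`, which fail when copied. If the flags need emphasis, explain them in prose outside the fence. 30/44 reverts this, so the pair should be squashed.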
+++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -60,14 +60,14 @@ To inspect the security headers used by an application, employ the following met - **Command Line Tools:** Execute a curl command to retrieve HTTP response headers: ```bash - curl **-I** https://example.com + curl -I https://example.com Sometimes the web application will redirect to a new page, in order to follow redirect use the following command: - curl **-L** -I https://example.com + curl -L -I https://example.com Some Firewalls may block curl's default User-Agent and some TLS/SSL errors will also prevent it from returning the correct information, in thise case you could try to use the following command: - curl -I -L **-k** **--user-agent** "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" https://example.com + curl -I -L -k --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" https://example.com ``` - **Browser Developer Tools:** From b8ff726f9bf5e228c3816f746ec9b1526059036a Mon Sep 17 00:00:00 2001 From: Rick M Date: Mon, 24 Feb 2025 05:54:06 -0500 Subject: [PATCH 31/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 0c07d48061..ca620550b7 100644 
--- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -67,8 +67,7 @@ To inspect the security headers used by an application, employ the following met Some Firewalls may block curl's default User-Agent and some TLS/SSL errors will also prevent it from returning the correct information, in thise case you could try to use the following command: - curl -I -L -k --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" https://example.com - ``` +`curl -I -L -k --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" https://example.com` - **Browser Developer Tools:** Open developer tools (F12), navigate to the **Network** tab, select a request, and view the **Headers** section. From 17e07cafe1e98c8cf0c584511c2ec086427ff514 Mon Sep 17 00:00:00 2001 From: Rick M Date: Mon, 24 Feb 2025 05:57:34 -0500 Subject: [PATCH 32/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- ...Other_HTTP_Security_Header_Misconfigurations.md | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index ca620550b7..d11cf5690d 100644 
--- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -54,18 +54,12 @@ Security headers play a vital role in protecting web applications from a wide ra To inspect the security headers used by an application, employ the following methods: -- **Intercepting Proxies:** - Use tools such as **Burp Suite** or **curl** to analyze server responses. +- **Intercepting Proxies:** Use tools such as **Burp Suite** or **curl** to analyze server responses. -- **Command Line Tools:** - Execute a curl command to retrieve HTTP response headers: - ```bash - curl -I https://example.com - - Sometimes the web application will redirect to a new page, in order to follow redirect use the following command: - curl -L -I https://example.com +- **Command Line Tools:** Execute a curl command to retrieve HTTP response headers: ` curl -I https://example.com` +Sometimes the web application will redirect to a new page, in order to follow redirect use the following command:`curl -L -I https://example.com` - Some Firewalls may block curl's default User-Agent and some TLS/SSL errors will also prevent it from returning the correct information, in thise case you could try to use the following command: +Some Firewalls may block curl's default User-Agent and some TLS/SSL errors will also prevent it from returning the correct information, in thise case you could try to use the following command: `curl -I -L -k --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" https://example.com` From cf5d8eb3c3a8970e122d6d0993f6de0c2240782a Mon Sep 17 00:00:00 2001 
From: Rick M Date: Mon, 24 Feb 2025 05:59:29 -0500 Subject: [PATCH 33/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- ...Other_HTTP_Security_Header_Misconfigurations.md | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index d11cf5690d..f522f8f4d8 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md 
@@ -54,17 +54,13 @@ Security headers play a vital role in protecting web applications from a wide ra To inspect the security headers used by an application, employ the following methods: -- **Intercepting Proxies:** Use tools such as **Burp Suite** or **curl** to analyze server responses. - -- **Command Line Tools:** Execute a curl command to retrieve HTTP response headers: ` curl -I https://example.com` -Sometimes the web application will redirect to a new page, in order to follow redirect use the following command:`curl -L -I https://example.com` - -Some Firewalls may block curl's default User-Agent and some TLS/SSL errors will also prevent it from returning the correct information, in thise case you could try to use the following command: +- **Intercepting Proxies:** Use tools such as **Burp Suite** or **curl** to analyze server responses. +- **Command Line Tools:** Execute a curl command to retrieve HTTP response headers: ` curl -I https://example.com` + - Sometimes the web application will redirect to a new page, in order to follow redirect use the following command:`curl -L -I https://example.com` + - Some Firewalls may block curl's default User-Agent and some TLS/SSL errors will also prevent it from returning the correct information, in thise case you could try to use the following command: `curl -I -L -k --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" https://example.com` - -- **Browser Developer Tools:** - Open developer tools (F12), navigate to the **Network** tab, select a request, and view the **Headers** section. +- **Browser Developer Tools:** Open developer tools (F12), navigate to the **Network** tab, select a request, and view the **Headers** section. ### Check for Overly Permissive Security Headers From 0e89b64aca301e4674e84b2ca84d07925e3b490b Mon Sep 17 00:00:00 2001 
From: Rick M Date: Mon, 24 Feb 2025 06:00:43 -0500 Subject: [PATCH 34/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- ..._HTTP_Security_Header_Misconfigurations.md | 27 +++++-------------- 1 file changed, 7 insertions(+), 20 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index f522f8f4d8..7ff4daf4b3 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md 
@@ -16,26 +16,13 @@ Security headers play a vital role in protecting web applications from a wide ra ## Common Security Header Misconfigurations -- **Security Header with an Empty Value:** - Headers that are present but lack a value may be ignored by browsers, making them ineffective. - -- **Security Header with an Invalid Value or Name (Typos):** - Incorrect header names or misspellings result in headers not being recognized or enforced. - -- **Overpermissive Security Headers:** - Headers configured too broadly (e.g., using wildcard characters `*` or overly permissive directives) can leak information or allow access to resources beyond the intended scope. - -- **Duplicate Security Headers:** - Multiple occurrences of the same header with conflicting values can lead to unpredictable browser behavior, potentially disabling the security measures entirely. - -- **Legacy or Deprecated Headers:** - Inclusion of obsolete headers (e.g., HPKP) or directives (e.g., `ALLOW-FROM` in X-Frame-Options) that are no longer supported by modern browsers may create unnecessary risks. - -- **Invalid Placement of Security Headers:** - Some headers are only effective under specific conditions. For example, headers like HSTS must be delivered over HTTPS; if sent over HTTP, they become ineffective. - -- **META Tag Handling Mistakes:** - In cases where security policies such as Content-Security-Policy (CSP) are enforced via both HTTP headers and META tags (using `http-equiv`), there is a risk that the META tag value might override or conflict with the secure logic defined in the HTTP header. This can lead to a scenario where an insecure policy inadvertently takes precedence, weakening the overall security posture. +- **Security Header with an Empty Value:** Headers that are present but lack a value may be ignored by browsers, making them ineffective. 
+- **Security Header with an Invalid Value or Name (Typos):** Incorrect header names or misspellings result in headers not being recognized or enforced. +- **Overpermissive Security Headers:** Headers configured too broadly (e.g., using wildcard characters `*` or overly permissive directives) can leak information or allow access to resources beyond the intended scope. +- **Duplicate Security Headers:** Multiple occurrences of the same header with conflicting values can lead to unpredictable browser behavior, potentially disabling the security measures entirely. +- **Legacy or Deprecated Headers:** Inclusion of obsolete headers (e.g., HPKP) or directives (e.g., `ALLOW-FROM` in X-Frame-Options) that are no longer supported by modern browsers may create unnecessary risks. +- **Invalid Placement of Security Headers:** Some headers are only effective under specific conditions. For example, headers like HSTS must be delivered over HTTPS; if sent over HTTP, they become ineffective. +- **META Tag Handling Mistakes:** In cases where security policies such as Content-Security-Policy (CSP) are enforced via both HTTP headers and META tags (using `http-equiv`), there is a risk that the META tag value might override or conflict with the secure logic defined in the HTTP header. This can lead to a scenario where an insecure policy inadvertently takes precedence, weakening the overall security posture. ## Risks of Misconfigured Security Headers From 9b5197d01ad86233e86a07a33d33eeb17dfbc15c Mon Sep 17 00:00:00 2001 From: Rick M Date: Mon, 24 Feb 2025 06:01:29 -0500 Subject: [PATCH 35/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- ...st_Other_HTTP_Security_Header_Misconfigurations.md | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) 
diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 7ff4daf4b3..e66c8514d0 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md 
@@ -26,14 +26,9 @@ Security headers play a vital role in protecting web applications from a wide ra ## Risks of Misconfigured Security Headers -- **Reduced Effectiveness:** - Misconfigured headers might not provide the intended protection, leaving the application vulnerable to attacks such as XSS, Clickjacking, or CORS-related exploits. - -- **Breakage of Security Measures:** - Duplicate headers or conflicting directives can result in browsers ignoring the HTTP security headers entirely, thereby disabling the intended protections. - -- **Introduction of New Attack Vectors:** - The use of legacy or deprecated headers may introduce risks rather than mitigate them if modern browsers no longer support the intended security measures. +- **Reduced Effectiveness:** Misconfigured headers might not provide the intended protection, leaving the application vulnerable to attacks such as XSS, Clickjacking, or CORS-related exploits. +- **Breakage of Security Measures:** Duplicate headers or conflicting directives can result in browsers ignoring the HTTP security headers entirely, thereby disabling the intended protections. +- **Introduction of New Attack Vectors:** The use of legacy or deprecated headers may introduce risks rather than mitigate them if modern browsers no longer support the intended security measures. ## How to Test From 407b4afa233a8faf92e997bae182d74787b16f02 Mon Sep 17 00:00:00 2001 From: Rick M Date: Mon, 24 Feb 2025 06:03:33 -0500 Subject: [PATCH 36/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index e66c8514d0..46504b32fd 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -1,7 +1,7 @@ # Test Other HTTP Security Header Misconfigurations -| ID | -|-------------| +| ID | +|------------| |WSTG-CONF-14| ## Summary From c5d6ebd4e97e0232cfe826f7af9f7f5a33bce793 Mon Sep 17 00:00:00 2001 From: Rick M Date: Mon, 24 Feb 2025 06:05:53 -0500 Subject: [PATCH 37/44] Apply suggestions from code review --- ..._HTTP_Security_Header_Misconfigurations.md | 36 ++++++------------- 1 file changed, 10 insertions(+), 26 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 46504b32fd..fcd88b4342 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md 
@@ -46,32 +46,16 @@ To inspect the security headers used by an application, employ the following met ### Check for Overly Permissive Security Headers -1. **Identify Risky Headers:** - Look for headers that could allow excessive access, such as: - ``` - Access-Control-Allow-Origin - Access-Control-Allow-Credentials - X-Permitted-Cross-Domain-Policies - Referrer-Policy - ``` - -2. **Evaluate Directives:** - Verify whether strict directives are enforced. For example, an overpermissive setup might appear as: - ```http - Access-Control-Allow-Origin: * - Access-Control-Allow-Credentials: true - X-Permitted-Cross-Domain-Policies: all - Referrer-Policy: unsafe-url - ``` - A safe configuration would look like: - ```http - Access-Control-Allow-Origin: {theallowedoriginurl} - X-Permitted-Cross-Domain-Policies: none - Referrer-Policy: no-referrer - ``` - -3. **Cross-Reference Documentation:** - Use resources such as the [Mozilla Developer Network: Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) to review secure and insecure directives. +1. **Identify Risky Headers:** Look for headers that could allow excessive access, such as: + +2. **Evaluate Directives:** Verify whether strict directives are enforced. For example, an overpermissive setup might appear as: +```http +Access-Control-Allow-Origin: * +Access-Control-Allow-Credentials: true +X-Permitted-Cross-Domain-Policies: all +Referrer-Policy: unsafe-url + +3. **Cross-Reference Documentation:** Use resources such as the [Mozilla Developer Network: Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) to review secure and insecure directives. ### Check for Duplicate, Deprecated / Obsolete Headers From 076e17040d48c783199d414d0c26eb9200a09bfe Mon Sep 17 00:00:00 2001 
From: Rick M Date: Mon, 24 Feb 2025 06:06:36 -0500 Subject: [PATCH 38/44] Update document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index fcd88b4342..91d39b0bc3 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -55,8 +55,6 @@ Access-Control-Allow-Credentials: true X-Permitted-Cross-Domain-Policies: all Referrer-Policy: unsafe-url -3. **Cross-Reference Documentation:** Use resources such as the [Mozilla Developer Network: Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) to review secure and insecure directives. - ### Check for Duplicate, Deprecated / Obsolete Headers - **Duplicate Headers:** From 3316437b215ee36c2d843ae25147fa24d7fbd97e Mon Sep 17 00:00:00 2001 From: Rick M Date: Mon, 24 Feb 2025 06:09:38 -0500 Subject: [PATCH 39/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- ..._HTTP_Security_Header_Misconfigurations.md | 45 ++++++------------- 1 file changed, 14 insertions(+), 31 deletions(-) 
diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 91d39b0bc3..5401bf799f 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md 
@@ -37,62 +37,45 @@ Security headers play a vital role in protecting web applications from a wide ra To inspect the security headers used by an application, employ the following methods: - **Intercepting Proxies:** Use tools such as **Burp Suite** or **curl** to analyze server responses. -- **Command Line Tools:** Execute a curl command to retrieve HTTP response headers: ` curl -I https://example.com` +- **Command Line Tools:** Execute a curl command to retrieve HTTP response headers: `curl -I https://example.com` - Sometimes the web application will redirect to a new page, in order to follow redirect use the following command:`curl -L -I https://example.com` - Some Firewalls may block curl's default User-Agent and some TLS/SSL errors will also prevent it from returning the correct information, in thise case you could try to use the following command: - `curl -I -L -k --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36" https://example.com` - **Browser Developer Tools:** Open developer tools (F12), navigate to the **Network** tab, select a request, and view the **Headers** section. ### Check for Overly Permissive Security Headers -1. **Identify Risky Headers:** Look for headers that could allow excessive access, such as: +- **Identify Risky Headers:** Look for headers that could allow excessive access, such as: +- **Evaluate Directives:** Verify whether strict directives are enforced. For example, an overpermissive setup might appear as: -2. **Evaluate Directives:** Verify whether strict directives are enforced. For example, an overpermissive setup might appear as: ```http Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true X-Permitted-Cross-Domain-Policies: all Referrer-Policy: unsafe-url +``` ### Check for Duplicate, Deprecated / Obsolete Headers -- **Duplicate Headers:** - Ensure that the same header is not defined multiple times with conflicting values. 
- -- **Obsolete Headers:** - Identify and remove deprecated headers (e.g., HPKP) and outdated directives (e.g., `ALLOW-FROM` in X-Frame-Options). - Refer to sources like [Mozilla Developer Network: X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) for current standards. +- **Duplicate Headers:** Ensure that the same header is not defined multiple times with conflicting values. +- **Obsolete Headers:** Identify and remove deprecated headers (e.g., HPKP) and outdated directives (e.g., `ALLOW-FROM` in X-Frame-Options). Refer to sources like [Mozilla Developer Network: X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) for current standards. ### Confirm Proper Placement of Security Headers -- **Protocol-Specific Requirements:** - Validate that headers intended for secure contexts (e.g., HSTS) are delivered only under appropriate conditions (i.e., over HTTPS). - -- **Conditional Delivery:** - Some headers may only be effective under specific circumstances. Verify that these conditions are met for the header to function as intended. +- **Protocol-Specific Requirements:** Validate that headers intended for secure contexts (e.g., HSTS) are delivered only under appropriate conditions (i.e., over HTTPS). +- **Conditional Delivery:** Some headers may only be effective under specific circumstances. Verify that these conditions are met for the header to function as intended. ### Evaluate META Tag Handling -- **Dual Enforcement Checks:** - When a security policy like CSP is applied through both an HTTP header and a META tag using `http-equiv`, confirm that the HTTP header (which is generally considered more authoritative) is not inadvertently overridden by the META tag. - -- **Review Browser Behavior:** - Test the application in various browsers to see if any differences occur due to the presence of conflicting directives. 
Where possible, avoid using dual definitions to prevent unintended security lapses. +- **Dual Enforcement Checks:** When a security policy like CSP is applied through both an HTTP header and a META tag using `http-equiv`, confirm that the HTTP header (which is generally considered more authoritative) is not inadvertently overridden by the META tag. +- **Review Browser Behavior:** Test the application in various browsers to see if any differences occur due to the presence of conflicting directives. Where possible, avoid using dual definitions to prevent unintended security lapses. ## Remediation -- **Correct Header Configuration:** - Ensure that headers are correctly implemented with proper values and no typos. - -- **Enforce Strict Directives:** - Configure headers with the most secure settings that still allow for required functionality. For example, avoid using `*` in CORS policies unless absolutely necessary. - -- **Remove Deprecated Headers:** - Replace legacy security headers with modern equivalents and remove any that are no longer supported. - -- **Avoid Conflicting Definitions:** - Prevent duplicate header definitions and ensure that META tags do not conflict with HTTP headers for security policies. +- **Correct Header Configuration:** Ensure that headers are correctly implemented with proper values and no typos. +- **Enforce Strict Directives:** Configure headers with the most secure settings that still allow for required functionality. For example, avoid using `*` in CORS policies unless absolutely necessary. +- **Remove Deprecated Headers:** Replace legacy security headers with modern equivalents and remove any that are no longer supported. +- **Avoid Conflicting Definitions:** Prevent duplicate header definitions and ensure that META tags do not conflict with HTTP headers for security policies. ## Tools From c18a6bf2fde3f6fbef906a2ce15384c4be7a2783 Mon Sep 17 00:00:00 2001 
From: Rick M Date: Mon, 24 Feb 2025 06:12:58 -0500 Subject: [PATCH 40/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- ...-Test_Other_HTTP_Security_Header_Misconfigurations.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 5401bf799f..737041b85d 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -47,13 +47,20 @@ To inspect the security headers used by an application, employ the following met - **Identify Risky Headers:** Look for headers that could allow excessive access, such as: - **Evaluate Directives:** Verify whether strict directives are enforced. For example, an overpermissive setup might appear as: - ```http Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true X-Permitted-Cross-Domain-Policies: all Referrer-Policy: unsafe-url ``` + +A safe configuration would look like: +```http +Access-Control-Allow-Origin: {theallowedoriginurl} +X-Permitted-Cross-Domain-Policies: none +Referrer-Policy: no-referrer +``` +- **Cross-Reference Documentation:** Use resources such as the [Mozilla Developer Network: Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) to review secure and insecure directives. ### Check for Duplicate, Deprecated / Obsolete Headers From be7e4c31fa7fcba460f631542f413620bc7edc40 Mon Sep 17 00:00:00 2001 
From: Rick M Date: Mon, 24 Feb 2025 06:26:11 -0500 Subject: [PATCH 41/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- ..._HTTP_Security_Header_Misconfigurations.md | 25 +++++++++---------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 737041b85d..41598ad0d0 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md 
@@ -47,19 +47,18 @@ To inspect the security headers used by an application, employ the following met - **Identify Risky Headers:** Look for headers that could allow excessive access, such as: - **Evaluate Directives:** Verify whether strict directives are enforced. For example, an overpermissive setup might appear as: -```http -Access-Control-Allow-Origin: * -Access-Control-Allow-Credentials: true -X-Permitted-Cross-Domain-Policies: all -Referrer-Policy: unsafe-url -``` - -A safe configuration would look like: -```http -Access-Control-Allow-Origin: {theallowedoriginurl} -X-Permitted-Cross-Domain-Policies: none -Referrer-Policy: no-referrer -``` + ```http + Access-Control-Allow-Origin: * + Access-Control-Allow-Credentials: true + X-Permitted-Cross-Domain-Policies: all + Referrer-Policy: unsafe-url + ``` + A safe configuration would look like: + ```http + Access-Control-Allow-Origin: {theallowedoriginurl} + X-Permitted-Cross-Domain-Policies: none + Referrer-Policy: no-referrer + ``` - **Cross-Reference Documentation:** Use resources such as the [Mozilla Developer Network: Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) to review secure and insecure directives. ### Check for Duplicate, Deprecated / Obsolete Headers From 60d4d326bc05065e00843e18251f96e07232c5fc Mon Sep 17 00:00:00 2001 From: Rick M Date: Mon, 24 Feb 2025 06:49:44 -0500 Subject: [PATCH 42/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 41598ad0d0..7ee3712a7c 100644 
--- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md @@ -47,13 +47,16 @@ To inspect the security headers used by an application, employ the following met - **Identify Risky Headers:** Look for headers that could allow excessive access, such as: - **Evaluate Directives:** Verify whether strict directives are enforced. For example, an overpermissive setup might appear as: + ```http Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true X-Permitted-Cross-Domain-Policies: all Referrer-Policy: unsafe-url ``` + A safe configuration would look like: + ```http Access-Control-Allow-Origin: {theallowedoriginurl} X-Permitted-Cross-Domain-Policies: none From 68a6f79faf8859621b68b27d767719e49c7db643 Mon Sep 17 00:00:00 2001 From: Rick M Date: Mon, 24 Feb 2025 06:51:23 -0500 Subject: [PATCH 43/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 1 + 1 file changed, 1 insertion(+) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index 7ee3712a7c..f72d803b57 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md 
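Review bot: the blank lines added here cover the two opening fences and the first closing fence only; the second block's closing fence (after `Referrer-Policy: no-referrer`, just outside this hunk's context) still runs straight into the `Cross-Reference Documentation` bullet, so MD031 will keep failing until that one gets a blank line as well. Since this and the neighbouring commits all carry the identical subject `Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md`, squashing them into a single commit whose message says what changed (for example, nesting the header examples under the `Evaluate Directives` bullet and fixing fence spacing) would make the history reviewable.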
@@ -62,6 +62,7 @@ To inspect the security headers used by an application, employ the following met X-Permitted-Cross-Domain-Policies: none Referrer-Policy: no-referrer ``` + - **Cross-Reference Documentation:** Use resources such as the [Mozilla Developer Network: Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) to review secure and insecure directives. ### Check for Duplicate, Deprecated / Obsolete Headers From 0ba9624fb4c5354333abd280fb995c98b9bab169 Mon Sep 17 00:00:00 2001 From: Joel Aviad Ossi Date: Wed, 26 Mar 2025 19:28:52 +0100 Subject: [PATCH 44/44] Update 14-Test_Other_HTTP_Security_Header_Misconfigurations.md small update, removed 'curl' from the interception proxies context as this is not an interception proxy. --- .../14-Test_Other_HTTP_Security_Header_Misconfigurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md index f72d803b57..caee07b11d 100644 --- a/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md +++ b/document/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/14-Test_Other_HTTP_Security_Header_Misconfigurations.md 
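Review bot: this single blank line after the closing fence finishes the fence-spacing fix the previous commit started and belongs in that commit rather than a third `Update ...` commit; squash them. While this bullet is in view, the link text `Mozilla Developer Network: Security Headers` points at `https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers`, which is MDN's general HTTP header reference rather than a security-specific page, so the link text should say `HTTP Headers` (or the link should target a page that actually covers security headers) to avoid sending readers to the wrong place.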
@@ -36,7 +36,7 @@ Security headers play a vital role in protecting web applications from a wide ra To inspect the security headers used by an application, employ the following methods: -- **Intercepting Proxies:** Use tools such as **Burp Suite** or **curl** to analyze server responses. +- **Intercepting Proxies:** Use tools such as **Burp Suite** to analyze server responses. - **Command Line Tools:** Execute a curl command to retrieve HTTP response headers: `curl -I https://example.com` - Sometimes the web application will redirect to a new page, in order to follow redirect use the following command:`curl -L -I https://example.com` - Some Firewalls may block curl's default User-Agent and some TLS/SSL errors will also prevent it from returning the correct information, in thise case you could try to use the following command:
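Review bot: dropping **curl** from the `Intercepting Proxies` bullet is correct, but the context lines right below it still carry errors that should go into the same commit: `in order to follow redirect use the following command:` is missing a space after the colon and should read `follow redirects`, and `in thise case` is a typo for `in this case`. One caveat on `curl -I https://example.com`: `-I` issues a HEAD request, and servers and CDNs do not always attach the same security headers to HEAD responses as to GET, so the procedure should also have the tester fetch the page with a GET (for example `curl -s -D - -o /dev/null https://example.com`) before recording a header as missing.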