Salas
New Member
October 11, 2017
Question

Fortigate vulnerability

  • October 11, 2017
  • 4 replies
  • 81807 views

I ran a PCI DSS security scan against my FortiGate 600C with 5.2.11 firmware, and it found a vulnerability:

HTTP Security Header Not Detected

RESULT: X-XSS-Protection HTTP Header missing on port 443. GET / HTTP/1.0

THREAT: This QID reports the absence of the following HTTP headers according to CWE-693: Protection Mechanism Failure:

  • X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the top level page.
  • X-XSS-Protection: This HTTP header enables the browser's built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSS-Protection: 0 disables this functionality.
  • X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIME type.
  • Content-Security-Policy: This HTTP header helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS), packet sniffing attacks and data injection attacks.
  • Public-Key-Pins: The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates.
  • Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.

How to fix it?

4 replies

MikePruett
New Member
October 13, 2017

Do you have HTTP and HTTPS enabled on the outside interface of the Gate? What does the scan say when you turn that off?

Salas
SalasAuthor
New Member
October 16, 2017

MikePruett wrote:

Do you have HTTP and HTTPS enabled on the outside interface of the Gate? What does the scan say when you turn that off?

No, only SSL VPN is listening on this port.

zorro
New Member
October 14, 2017

Hi

I cannot tell from your post what was scanned by your scanner. Was it the firewall's management GUI (on HTTP/HTTPS) or some web service behind the firewall?

Z.

emnoc
New Member
October 15, 2017

Yes, curious minds want to know. FWIW none of the web GUI logins for mgmt or SSL VPN have an X-XSS-Protection header when using curl and monitoring the server response. These are on FortiOS 5.2.11 btw.

Please use curl and dump the HTTP headers here.

e.g.

< HTTP/1.1 200 OK
< Date: Sun, 15 Oct 2017 06:56:00 GMT
< Vary: Accept-Encoding
< Last-Modified: Fri, 21 Apr 2017 22:33:57 GMT
< ETag: "af9_4f_58fa88d5"
< Accept-Ranges: bytes
< Content-Length: 79
< Content-Type: text/html; charset=utf-8
< X-Frame-Options: SAMEORIGIN
< X-UA-Compatible: IE=Edge

5.6.x shows

< HTTP/1.1 200 OK
< Date: Sun, 15 Oct 2017 06:59:21 GMT
< Server: xxxxxxxx-xxxxx      <- I like the masked server header ;)
< Vary: Accept-Encoding
< Content-Length: 79
< Content-Type: text/html; charset=utf-8
< X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: frame-ancestors 'self'
< X-UA-Compatible: IE=Edge
<
<html> <script language=javascript> top.location="/login"; </script> </html>

Ken
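To reproduce the scanner's result the way the reply above suggests (curl the login page and look at what comes back), here is an added check script. It is not code from the thread or from Fortinet: it fetches only the response headers of a URL, then reports which of the six headers named in the Qualys finding are absent. The host fw.example.com is a placeholder; the offline sample is the 5.2.11 header set quoted above, re-typed here as constructed input so the check can be run without a FortiGate.

```sh
#!/bin/sh
# Added example, not code from the original thread or from Fortinet.
# Reproduces the "HTTP Security Header Not Detected" finding with curl:
# fetch only the response headers, then list which of the headers the
# scanner names are missing. fw.example.com is a placeholder address.

# Headers named in the scanner text (CWE-693 finding in the original post).
WANTED="X-Frame-Options X-XSS-Protection X-Content-Type-Options Content-Security-Policy Strict-Transport-Security Public-Key-Pins"

# dump_headers URL: print only the response headers of a GET to URL.
# -k accepts the portal's self-signed certificate, -D - writes the headers
# to stdout, -o /dev/null discards the body (the FortiGate login page).
dump_headers() {
    curl -sk -D - -o /dev/null "$1"
}

# check_headers: read a header dump on stdin (plain "Name: value" lines, or
# curl -v style lines with a leading "< ") and print one "MISSING: Name"
# line per absent header. Returns 1 if anything is missing, 0 otherwise.
# Header names are matched case-insensitively, as HTTP requires.
check_headers() {
    dump=$(cat)
    rc=0
    for h in $WANTED; do
        if ! printf '%s\n' "$dump" | grep -qi "^\(< \)\{0,1\}$h:"; then
            echo "MISSING: $h"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the FortiOS 5.2.11 login-page headers quoted in the
# thread, re-typed here (not a live capture) so the check runs offline.
sample_5_2_11() {
    cat <<'EOF'
< HTTP/1.1 200 OK
< Date: Sun, 15 Oct 2017 06:56:00 GMT
< Vary: Accept-Encoding
< Content-Length: 79
< Content-Type: text/html; charset=utf-8
< X-Frame-Options: SAMEORIGIN
< X-UA-Compatible: IE=Edge
EOF
}

# Live use against a real portal (replace the placeholder host):
#   dump_headers https://fw.example.com/ | check_headers
# Offline demonstration against the constructed 5.2.11 sample:
if sample_5_2_11 | check_headers; then
    echo "all headers present"
else
    echo "scanner would flag this response"
fi
```

Run against the 5.2.11 sample the script reports five missing headers (everything except X-Frame-Options), which matches the finding in the original post; the 5.6.x output quoted above would also clear Content-Security-Policy. Note that the list is the scanner's, not a current hardening target: browsers have since dropped support for both X-XSS-Protection and Public-Key-Pins, so their absence today is not a weakness, whereas Strict-Transport-Security, X-Content-Type-Options and a Content-Security-Policy on the portal still matter.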

Salas
SalasAuthor
New Member
October 18, 2017

Qualys accepted my explanation, thanks all for the help. But I hope FortiGate will do something about this issue in the next firmware releases; I also opened a ticket with support.

Salas
SalasAuthor
New Member
October 27, 2017

The answer from FortiGate support:

"Fix is coming in the next 5.4.7 and 5.6.3"

But there will be no fix for 5.2.x firmware, so I'll have to upgrade my firewalls.


JerryPWhite1
Explorer
May 22, 2018

I'm on 5.4.8 and still have same error btw.

darwin_FTNT
Staff
May 24, 2018

What is the forticare / tech support ticket number or the mantis bug number?

JerryPWhite1
Explorer
May 29, 2018

Why do you need the forticare ticket number?