I run pci dss security scan, and my fortigate 600c, with 5.2.11 fimware, and found vulnerability:
HTTP Security Header Not Detected HTTP Security Header Not Detected
RESULT: X-XSS-Protection HTTP Header missing on port 443. GET / HTTP/1.0
THREAT: This QID reports the absence of the following HTTP headers according to CWE-693: Protection Mechanism Failure: X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the the top level page. X-XSS-Protection: This HTTP header enables the browser built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSSProtection: 0; disables this functionality. X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIMEtype. Content-Security-Policy: This HTTP header helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS), packet sniffing attacks and data injection attacks. Public-Key-Pins: The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.
How to fix it ?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Do you have HTTP and HTTPS enabled on the outside interface of the Gate? What does the scan say when you turn that off?
Mike Pruett
MikePruett wrote:Do you have HTTP and HTTPS enabled on the outside interface of the Gate? What does the scan say when you turn that off?
No, only SSL VPN is listening on this port.
Hi
I cannot read from your post what was scanned by your scanner? Was it firewall's management GUI (on HTTP/HTTPS) or some web service that is behind the firewall?
Z.
Yes, curious mines want to know. FWIW none of the webGUI logins for mgmt or sslvpn have a X-XSS-Protection header when using curl and monitoring the server response. These are on a fortiOS 5.2.11 btw
Please use curl and dump the http.header here.
e.g
< HTTP/1.1 200 OK < Date: Sun, 15 Oct 2017 06:56:00 GMT < Vary: Accept-Encoding < Last-Modified: Fri, 21 Apr 2017 22:33:57 GMT < ETag: "af9_4f_58fa88d5" < Accept-Ranges: bytes < Content-Length: 79 < Content-Type: text/html; charset=utf-8 < X-Frame-Options: SAMEORIGIN < X-UA-Compatible: IE=Edge
5.6.x shows
< HTTP/1.1 200 OK < Date: Sun, 15 Oct 2017 06:59:21 GMT < Server: xxxxxxxx-xxxxx <- I like the masked server header ;) < Vary: Accept-Encoding < Content-Length: 79 < Content-Type: text/html; charset=utf-8 < X-Frame-Options: SAMEORIGIN < Content-Security-Policy: frame-ancestors 'self' < X-UA-Compatible: IE=Edge < <html> <script language=javascript> top.location="/login"; </script> </html>
Ken
PCNSE
NSE
StrongSwan
It's fortigate SSL VPN.
The full report about this issue:
QID:11827Severity:2 CVSS Base:4.3 AV:N/AC:M/Au:N/C:N/I:P/A:NCVSS Temporal:3.5 E:U/RL:U/RC:URPCI Compliance Status:FAIL
This QID reports the absence of the following [link=https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers]HTTP headers[/link] according to [link=https://cwe.mitre.org/data/definitions/693.html]CWE-693: Protection Mechanism Failure[/link]: X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the the top level page. X-XSS-Protection: This HTTP header enables the browser built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSS-Protection: 0; disables this functionality. X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIME-type. Content-Security-Policy: This HTTP header helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS), packet sniffing attacks and data injection attacks. Public-Key-Pins: The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.
QID Detection Logic: This unauthenticated QID looks for the presence of the following HTTP responses: Valid directives for X-Frame-Options are: X-Frame-Options: DENY - The page cannot be displayed in a frame, regardless of the site attempting to do so. X-Frame-Options: SAMEORIGIN - The page can only be displayed in a frame on the same origin as the page itself. X-Frame-Options: ALLOW-FROM RESOURCE-URL - The page can only be displayed in a frame on the specified origin.
Content-Security-Policy: frame-ancestors - This directive specifies valid parents that may embed a page using frame, iframe, object, embed, or appletValid directives for X-XSS-Protections are: X-XSS-Protection: 1 - Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts). X-XSS-Protection: 1; mode=block - Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected. X-XSS-Protection: 1; report=URI - Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report. X-XSS-Protection: 0 disables this directive and hence is also treated as not detected.
A valid directive for X-Content-Type-Options: nosniff
A valid directive for Content-Security-Policy: <policy-directive>; <policy-directive>
A valid HPKP directive Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"]
A valid HSTS directive Strict-Transport-Security: max-age=<expire-time>; [; includeSubDomains][; preload]
NOTE: All report-only directives (where applicable) are considered invalid.
Impact:Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.
Solution:CWE-693: Protection Mechanism Failure mentions the following - The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.
Customers are advised to set proper [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options]X-Frame-Options[/link], [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection]X-XSS-Protection[/link], [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP]Content Security Policy[/link], [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options]X-Content-Type-Options[/link], [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning]Public Key Pinning[/link] and [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security]Strict-Transport-Security[/link] HTTP response headers.
Depending on their server software, customers can set directives in their site configuration or Web.config files. Few examples are:
X-Frame-Options: Apache: Header always append X-Frame-Options SAMEORIGIN nginx: add_header X-Frame-Options SAMEORIGIN; HAProxy: rspadd X-Frame-Options:\ SAMEORIGIN IIS: <HTTPPROTOCOL><CUSTOMHEADERS><ADD NAME="X-Frame-Options" VALUE="SAMEORIGIN"></ADD></CUSTOMHEADERS></HTTPPROTOCOL>
X-XSS-Protection: Apache: Header always set X-XSS-Protection "1; mode=block" PHP: header("X-XSS-Protection: 1; mode=block");
X-Content-Type-Options: Apache: Header always set X-Content-Type-Options: nosniff
Content-Security-Policy: (Please note that these values may differ from website to website. The values below are for informational purposes only. The scanner simply looks for the presence of the security header.) Apache: Header set Content-Security-Policy "script-src 'self'; object-src 'self'" IIS: <SYSTEM.WEBSERVER><HTTPPROTOCOL><CUSTOMHEADERS><ADD NAME="Content-Security-Policy" VALUE="default-src 'self';"></ADD></CUSTOMHEADERS></HTTPPROTOCOL></SYSTEM.WEBSERVER> nginx: add_header Content-Security-Policy "default-src 'self'; script-src 'self';
HTTP Public Key Pinning (HPKP): Apache: Header always set Public-Key-Pins "pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains" Lighttpd: setenv.add-response-header = ( "Public-Key-Pins" => "pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains")
HTTP Strict-Transport-Security: Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" Nginx: add_header Strict-Transport-Security max-age=31536000;
Result:X-XSS-Protection HTTP Header missing on port 443.
GET / HTTP/1.0
Host: x.x.x.x
X-Content-Type-Options HTTP Header missing on port 443.
Content-Security-Policy HTTP Header missing on port 443.
Public-Key-Pins HTTP Header missing on port 443.
Strict-Transport-Security HTTP Header missing on port 443.
I would not worried about it.
It's a X- header to begin with, and you have no means to inject or remove headers from a SSLVPN portal-access interface or even the WebGUI as far as that goes
2nd if the site is true SSLVPN tunnel, who cares about the header to begin with since this traffic is NOT HTTP ( those reports reflect HTTP headers btw )
Ken
PCNSE
NSE
StrongSwan
We are not usig VPN portal, we only using ssl-vpn clients, is it possible to turn it off ?
The problem is that scan is reporting that we are not compliant, and I must give them some arguments, to make it false positive finding.
Hi Salas,
I'm thinking of a few options you could try:
- First option:
config vpn ssl web portal
edit "my ssl portal"
set skip-check-for-unsupported-browser disable" -> it's usually to deny access for browsers that can't launch an activeX or Java Applet... Worth a try, but you probably won't earn a lot of security points here. You might need to enable some host-checking though (which would still be good for your clients!).
end
- second option :
migrate your tunnel portal from a public interface to a loopback - you'll need a FW rule with a VIP to forward traffic from Wan to your loopback - then activate IPS on the very rule. Another good protection here :) however adding an HSTS header isn't a NGFW possibility...
- third option (fortinet sales Approved! ) : use a FortiWeb :)
This third one is a little bit for trolling, but if your company is concerned about PCI DSS compliancy, they might consider the option, especially if you run other web services. And it will be the most 'by the book' way of improving your score (Even though I suppose that you're posting this thread precisely to avoid this option)
Let us know what you'll do, even if it's nothing!
BR,
Michael
last option if it's SSLVPN only, disable the web portal.
Under the portal "set web mode disable"
Ken
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1643 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.