I run pci dss security scan, and my fortigate 600c, with 5.2.11 fimware, and found vulnerability:
HTTP Security Header Not Detected HTTP Security Header Not Detected
RESULT: X-XSS-Protection HTTP Header missing on port 443. GET / HTTP/1.0
THREAT: This QID reports the absence of the following HTTP headers according to CWE-693: Protection Mechanism Failure: X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the the top level page. X-XSS-Protection: This HTTP header enables the browser built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSSProtection: 0; disables this functionality. X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIMEtype. Content-Security-Policy: This HTTP header helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS), packet sniffing attacks and data injection attacks. Public-Key-Pins: The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.
How to fix it ?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Correct and those X headers are not mandatory from a vulnerability scan. You can take 10 scanners and come up with 10 different scan results on what the "vulnerability" is. A SSLVPN is just that a VPN not a webserver
Ken Felix
PCNSE
NSE
StrongSwan
hello there,
I also concern this issue.
how to disable web portal mode?
so outside can't our vpn web portal
thanks
BWiebe wrote:Sorry for snapping. I don't see why I responded like that. Must have been a bad day. No excuse though.The folks with _FTNT are from Fortinet.
darwin_FTNT likely wants to check the status internally on the issue.
Jerry Paul White
Network Engineer/Tech Supervisor
" 01001000 01100001 01110110 01100101 00100000 01100001 00100000 01000111 01101111 01101111 01100100 00100000 01000100 01100001 01111001"
I listed as a false positive and provided the documentation for the 3rd party SSL cert. But also make sure to remove TLS 1.0 from the accepted protocols on the VPN.
The commands to do that are:
config vpn ssl settings set tlsv1-1 disable end
That disables TLSv1 from the SSL VPN. Also make sure of the following:
config vpn ssl settings set sslv3 disable set tlsv1-0 disable set tlsv1-1 disable end
If you upgrade:
In 6.2 you can add
Config vpn ssl settings Set x-content-type-options enable end
https://kb.fortinet.com/k....do?externalID=FD48141
a 6.0 reference
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/109372/http-headers
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1633 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.