We need to fix a vulnerability in JBoss EAP 6.4 which is related to HTTP Security Header Not Detected (QID 11827).
This vulnerability is reported on the application server layer, and not on IHS.
All the suggestions online are for JBoss EAP 7.x (undertow subsystem), and not applicable to JBoss EAP 6.4 (web subsystem).
I have tried to add filters under the WEB subsystem, in the standalone.xml, but it has not worked. Probably I am not using the correct format/syntax.
Please advise.
The aforementioned QID (11827) is detected when the following HTTP Headers are missing:
X-Frame-Options
X-XSS-Protection HTTP
X-Content-Type-Options
Strict-Transport-Security
A nice and easy way to set theses headers is by implementing a custom filter. Please note that this is for a specific web application !
If you want to set these http headers globally, then you must implement a custom valve!
Related
We are working in an environment where UI Requests flow to a WildFly Server (where the WAR is deployed) versioned 10.1.0 via an Apache Web Server versioned 2.4
We were running Security tests and when using a VirtualDirContext, it was possible to bypass the security constraints and view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request via Burp.
How we reproduce the vulnerability in Burp:
We capture a random Request via the UI and replicate it in Burp.
We turn the Request into a GET Request, mention the path of a JSP file and add %2520 to it.
This issue is reproducible even if the Requests go directly to the WildFly Server instead of via the Apache Web Server.
Is there a way to prevent this vulnerability? We believe validating each Request for the presence of %2520 in it in the Filter layer may not be a comprehensive fix.
In simple words, when we use a URL that contains the path of a JSP file present in the code, appended with %2520, the content of the JSP was disclosed. Is there a way to prevent this?
I tried editing the default configuration but i couldnt find the X-XSS-Protection i could find only x-frame options.
Undertow subsystem is not available in my standalone.xml .
There are 2 options.
The first one, is to set this header in a custom filter which should be placed in your web application's lib folder. The second option, is to develop a custom valve and set this header there.
I'm using PrettyFaces in my project. We recently started using SSL (Https), however, when calling, for example pretty:main-page in a commandlink the https protocol is modified to http. If I used a normal call without pretty: the protocol is not modified.
The answer of PrettyFaces leader was:
"AFAIK there are basically two ways to work around this issue:
You could configure Glassfish to assume the https scheme for the http listeners. AFAIK there is a scheme property on the http listener in the latest Glassfish version. See this issue for details.
If you are using a load balances / reverse proxy, you could rewrite the Location header before sending it back to the requesting client. That should be easy but depends on you load balances setup. If you are using mod_proxy, you can use the ProxyPassReverse command to achieve this."
github.com/ocpsoft/rewrite/issues/257#issuecomment-355737351
OK!
I have a client who uses ColdFusion 10 and IIS 7.5 on Win 2k3 R2. The ColdFusion admin uses frames. When I log into the CF admin I'm seeing a blank white screen in Chrome and in IE I am seeing a message telling me this:
This content cannot be displayed in a frame
To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.
I see a few of this message (1 for each frame) in the chrome dev console:
Refused to display 'http://localhost/CFIDE/Administrator/navserver.cfm' in a frame because it set 'X-Frame-Options' to 'DENY'.
Looking at the response headers in Chrome, I can see that this is set to DENY.
I can't figure out where this is coming from. All of the sites on this server now are outputting this header. I never explicitly configured anything to output this header. I know CF wouldn't have done so in a patch because it would break its own admin interface.
IIS's root server-wide configuration HTTP Response Headers doesn't have a X-Frame-Options set and neither do any of the configured websites.
If I explicitly add an X-Frame-Options header and set it to sameorigin I see both headers (deny and sameorigin).
Is there perhaps some software the client's security team might have installed that would be injecting this header?
I'm accessing the site on localhost so I can't imagine that it's a network device causing the problem. It must be on the server itself, right?
Any ideas?
This could be set within ColdFusion, assuming it's been locked down. Look in
(instancename)/wwwroot/WEB-INF/web.xml for the rules around clickjack. Might look something like this:
<filter-mapping>
<filter-name>CFClickJackFilterDeny</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Another way to test to see if this is being caused by IIS is to set up a frame sample with straight HTML pages and if it works the block is at the ColdFusion level. If straight HTML does not work then it is happening at IIS or some other server location.
In IIS, HTTP Response Headers can be set server-wide (affecting all sites) and/or site-wide (affecting only the current site).
Reading your question again, I see I may not have helped you. Good luck.
I'm not sure if this was a change in IIS 7 or if someone before me actively removed X-Server from the HTTP response headers but I need to be able to tell which server in the farm served the current page. I don't see X-Server in the custom variables section of IIS but I'm not sure if it was a custom variable in the first place or if it's in the defaults and it's been disabled via web.config. How do I get my headers back?
You can use custom headers (http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders) to add any header you like.