This repository has been archived by the owner on Oct 21, 2022. It is now read-only.

Web Browser XSS Protection Not Enabled #12

Open
sveeke opened this issue Jun 18, 2018 · 1 comment
Labels: bug-infrastructure (Bugs inside SURFnet's infrastructure), risk-low (Security issues with a low impact)

Comments


sveeke commented Jun 18, 2018

The X-XSS-Protection HTTP Header is not set on surf-dev2.edubadges.nl and badgr-dev2.edubadges.nl. This header enables the Cross-Site Scripting (XSS) filter built into most recent web browsers.

@sveeke sveeke self-assigned this Jun 18, 2018
@sveeke sveeke added bug-infrastructure Bugs inside SURFnet's infrastructure risk-low Security issues with a low impact labels Jun 18, 2018

sveeke commented Jun 18, 2018

threatLevel="Low" type="Missing HTTP Header"

The X-XSS-Protection HTTP Header is not set on surf-dev2.edubadges.nl and badgr-dev2.edubadges.nl. This header enables the Cross-Site Scripting (XSS) filter built into most recent web browsers.

Cross-site scripting (XSS) filters in browsers check if the URL contains possible harmful XSS payloads and if they are reflected in the response page. If such a condition is recognized, the injected code is changed in a way that it is not executed anymore to prevent a successful XSS attack.
By setting the X-XSS-Protection header the browser is instructed to not render the page if an XSS attack is detected. It is therefore a client-side defense mechanism.

impact:
Disabling (not using) this option increases the attack surface for XSS attacks.

recommendation:
Add the HTTP header in the response as X-XSS-Protection: 1; mode=block

@sveeke sveeke added this to the Pilot 2018 milestone Jun 18, 2018
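As an added example (not code from the issue or the edubadges project), a small Python audit of the header this issue recommends: it parses the `X-XSS-Protection` value, classifies a response as `missing`, `filter-only` or `block`, and can be pointed at a live host with `fetch_headers()`. The `SAMPLES` header sets are constructed stand-ins for the hosts named in the issue, not captured responses.

```python
from http.client import HTTPSConnection
from typing import Dict, Tuple

RECOMMENDED = "1; mode=block"  # the value the issue's recommendation asks for

def parse_xss_protection(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a header value into its flag ('0' or '1') and the ';'-separated
    directives after it (mode=..., report=...). Names are lower-cased and
    surrounding whitespace is dropped, so '1;  Mode=Block' still parses."""
    parts = [p.strip() for p in value.split(";")]
    directives: Dict[str, str] = {}
    for part in parts[1:]:
        if part:  # skip the empty token left by a trailing ';'
            key, _, val = part.partition("=")
            directives[key.strip().lower()] = val.strip()
    return parts[0], directives

def assess(headers: Dict[str, str]) -> str:
    """Classify a response header set (names matched case-insensitively):
    'missing' (this issue's finding), 'disabled' (0), 'filter-only'
    (1 without mode=block), 'block' (the recommended value) or 'invalid'."""
    lowered = {name.lower(): val for name, val in headers.items()}
    raw = lowered.get("x-xss-protection")
    if raw is None:
        return "missing"
    flag, directives = parse_xss_protection(raw)
    if flag == "0":
        return "disabled"
    if flag != "1":
        return "invalid"
    return "block" if directives.get("mode", "").lower() == "block" else "filter-only"

def fetch_headers(host: str, path: str = "/") -> Dict[str, str]:
    """Live variant: one HEAD request over TLS, returning the response headers."""
    conn = HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path)
    return dict(conn.getresponse().getheaders())

# Constructed header sets standing in for the hosts named in the issue: the
# 'before' set reproduces the finding, the 'after' set carries the recommended fix.
SAMPLES = {
    "surf-dev2.edubadges.nl (before)": {"Server": "nginx", "Content-Type": "text/html"},
    "surf-dev2.edubadges.nl (after)": {"Server": "nginx", "X-XSS-Protection": RECOMMENDED},
}

def audit(samples: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each sample name to its verdict; pass fetch_headers(host) output for a live check."""
    return {name: assess(hdrs) for name, hdrs in samples.items()}
```

The check only confirms the header is present; the browser-side filter it toggles has since been removed from the major browsers, so output encoding and a Content-Security-Policy remain the controls that actually stop reflected XSS.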