Getting Data In

HTTP Security Header Not Detected

Hidebrando
New Member

During the vulnerability scan we identified the following issue, HTTP Security Header Not Detected, on the Splunk universal-forwarder agent, port 8089.

I want to know how to fix this issue found by the Qualys scanner.
Details in the attached file.

0 Karma

Tetonka
Engager

Did you find a solution for this challenge?

0 Karma

felipesewaybric
Contributor

I was having the same problem; after updating our master to 7.2 and the forwarders to the latest version, our scans stopped reporting the problem. Which versions do you have installed?

0 Karma

nickhills
Ultra Champion

The vulnerability is highlighting a potential XSS vector on the universal forwarder's management port.
I am not sure which version of the UF you are running; if later than 6.6 you can add the missing headers as per:
https://answers.splunk.com/answers/412210/configuring-x-xss-protection-security-header.html
replyHeader.X-Frame-Options = SAMEORIGIN

Alternatively, you could choose to disable the MGT port on your UF entirely:
https://answers.splunk.com/answers/233170/can-you-disable-the-management-port-8089-on-client.html

p.s. I edited your question to include a translation and accidentally added the +25 bounty. I have asked for this to be removed.


If my comment helps, please give it a thumbs up!

jkat54
SplunkTrust

@nickhillscpl, can you edit the question again and remove the bounty?

0 Karma

ppablo
Retired

Interestingly, there doesn't seem to be a way to reverse it when editing the question. I'll bring this up to the developers of the site to look into this. I've granted @Hidebrando karma points as buffer if/when there is an accepted answer on this question.

Thanks for pointing it out @nickhillscpl and @jkat54 for the suggestion 🙂

0 Karma

Hidebrando
New Member

THREAT: This QID reports the absence of the following HTTP headers according to CWE-693: Protection Mechanism Failure:

X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the top level page.

X-XSS-Protection: This HTTP header enables the browser built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSS-Protection: 0; disables this functionality.

X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIME-type.

Content-Security-Policy: This HTTP header helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS), packet sniffing attacks and data injection attacks.

Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.

QID Detection Logic: This unauthenticated QID looks for the presence of the following HTTP responses:

Valid directives for X-Frame-Options are:
X-Frame-Options: DENY - The page cannot be displayed in a frame, regardless of the site attempting to do so.
X-Frame-Options: SAMEORIGIN - The page can only be displayed in a frame on the same origin as the page itself.
X-Frame-Options: ALLOW-FROM RESOURCE-URL - The page can only be displayed in a frame on the specified origin.
Content-Security-Policy: frame-ancestors - This directive specifies valid parents that may embed a page using frame, iframe, object, embed, or applet.

Valid directives for X-XSS-Protection are:
X-XSS-Protection: 1 - Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
X-XSS-Protection: 1; mode=block - Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.
X-XSS-Protection: 1; report=URI - Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report.
X-XSS-Protection: 0 disables this directive and hence is also treated as not detected.

A valid directive for X-Content-Type-Options: nosniff
A valid directive for Content-Security-Policy: ;
A valid HSTS directive: Strict-Transport-Security: max-age=; [; includeSubDomains][; preload]
NOTE: All report-only directives (where applicable) are considered invalid.

IMPACT: Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.

SOLUTION: CWE-693: Protection Mechanism Failure mentions the following - The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.

0 Karma
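As an added example (not from the thread, and not Qualys or Splunk code), here is a small Python checker that applies the QID detection rules quoted above to the headers of a response, so you can confirm on your own forwarder whether the replyHeader.* settings actually cleared the finding before the next scan. The two sample responses are constructed, and the parse_response_head helper is an assumption of this example.

```python
import re

def parse_response_head(raw):
    """Turn the head of an HTTP response (e.g. saved `curl -skI` output) into a header dict."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers

def check_security_headers(headers):
    """Apply the QID detection rules quoted above; returns {header: (detected, detail)}."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    out = {}
    # X-Frame-Options: DENY, SAMEORIGIN or ALLOW-FROM <url>; a CSP frame-ancestors directive also satisfies it.
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN") or xfo.startswith("ALLOW-FROM "):
        out["X-Frame-Options"] = (True, xfo)
    else:
        fa = "frame-ancestors" in csp
        out["X-Frame-Options"] = (fa, "via CSP frame-ancestors" if fa else "missing")
    # X-XSS-Protection: "1", "1; mode=block" or "1; report=..."; "0" disables the filter and counts as not detected.
    xxp = h.get("x-xss-protection", "")
    out["X-XSS-Protection"] = (xxp.startswith("1"), xxp or "missing")
    # X-Content-Type-Options: nosniff is the only valid value.
    xcto = h.get("x-content-type-options", "").lower()
    out["X-Content-Type-Options"] = (xcto == "nosniff", xcto or "missing")
    # Content-Security-Policy: any policy counts; Content-Security-Policy-Report-Only is a different header and is ignored.
    out["Content-Security-Policy"] = (bool(csp), csp or "missing")
    # HSTS: max-age=<seconds> is mandatory; includeSubDomains and preload are optional.
    hsts = h.get("strict-transport-security", "")
    out["Strict-Transport-Security"] = (re.match(r"max-age=\d+", hsts, re.I) is not None, hsts or "missing")
    return out

def missing_headers(headers):
    """Names of the headers the scanner would flag, sorted."""
    return sorted(n for n, (ok, _) in check_security_headers(headers).items() if not ok)

# Constructed sample: a bare management-port response with no security headers.
RAW_BEFORE = "HTTP/1.1 200 OK\r\nServer: Splunkd\r\nContent-Type: text/xml; charset=UTF-8\r\n"
# Constructed sample: the same response after replyHeader.* settings add the five headers.
RAW_AFTER = RAW_BEFORE + (
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
)
```

Run missing_headers(parse_response_head(...)) on the saved head of a request to your own forwarder's port 8089; an empty list means every header the QID looks for is present and valid.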