topic Re: vulnerabilities detected on https://appvpn.xxxx.xxx through our Bitsight in General Topics

vulnerabilities detected on https://appvpn.xxxx.xxx through our Bitsight

Alpalo — Tue, 18 Jun 2024 14:04:21 GMT

Hi team,

We use a cybersecurity tool called Bitsight in order to discover vulnerabilities in our organization. This time the tool has found out some in our https://appvpn.xxxx.xxx subdomain which is a web portal to download the GlobalProtect client.

The Bitsight finding in this case are related to the Content-Security-Policy header configuration. I send you some detail about this below. Do you have any experience with this? Could you provide us some information to solve this problem?

Content-Security-Policy (Potencially insecure policy)

Directive: default-src

Issue: No issue

Remediation instructions: No remediation needed

Directive: script-src

Issue: “Unsafe-inline” is insecure

Remediation instructions: Remove the "unsafe-inline" keyword from your content security policy.

Directive: img-src

Issue: Asterisks in the source are insecure

Remediation instructions: Remove any instances of the asterisk character (*) that are by itself from your content security policy.

Directive: style-src

Issue: “Unsafe-inline” is insecure

Remediation instructions: Remove the "unsafe-inline" keyword from your content security policy.

Directive: reporting-objective

Issue: No reporting directive in use

Remediation instructions: Include a reporting directive with a valid location or group.

Directive: form-action-objective

Issue: Application privilege limitation (Form-Actions)

Remediation instructions: Include the form-actions directive in your CSP.

Directive: code-injection-objective

Issue: Limited code injection prevention

Remediation instructions: Do not use any "unsafe" keywords and use explicit hosts for any source-list directives.

Directive: Strict-Transport-Security

Issue: No issue

Remediation instructions: No remediation needed

Directive: X-Content-Type-Options

Issue: No issue

Remediation instructions: No remediation needed

More information about this finding:

Issue: Potentially insecure policy

Details: This Content-Security-Policy (CSP) has issues that possibly makes it insecure.

Remediation Tip: Remove any instances of "unsafe-" directives and "blob, data, filesystem" sources. Ensure your CSP directives are correctly configured. Learn more at W3C CSP. https://www.w3.org/TR/CSP/

Issue: Ineffective headers: Content-Security-Policy

Details: The implementation of these header(s) do not follow security best practices.

Remediation Tip: Ensure your headers are implemented correctly, as outlined in RFC-7231 https://tools.ietf.org/html/rfc7231. Your headers should not permit caching of encrypted content. They should also have specific permissions (as opposed to using wildcards or other generalizations) and be formatted properly.

Regards

Re: vulnerabilities detected on https://appvpn.xxxx.xxx through our Bitsight

kiwi — Thu, 20 Jun 2024 07:52:43 GMT

Hi @Alpalo ,

These are suggested enhancements in the CSP header the directives (unsafe-inline set to self, frame-ancestors not available yet), which is not a vulnerability.

The new HTML standard and the latest browsers now support the Content-Security-Policy config setting which is a stronger and recommended way of protection.

X-FRAME-OPTIONS config setting (already set to DENY) is the old way of protecting Cross-Frame Scripting attacks. Frame-ancestors: none is equivalent to X-Frame-Options: DENY which already exists as a protection.

You may verify the existence of X-Frame-options: DENY via curl :

curl -v https://appvpn.xxx.xxx <<<<<<<<<<<<<<<<<<<<<<<<<<<< VERBOSE: GET with 0-byte payload VERBOSE: received 170-byte response of content type text/html StatusCode : 200 StatusDescription : OK Content : <script LANGUAGE=JavaScript> window.location="/global-protect/login.esp"; </script> <html><head></head><body><p>JavaScript must be enabled to continue!</p></body></html> RawContent : HTTP/1.1 200 OK Connection: keep-alive Pragma: private X-FRAME-OPTIONS: DENY <<<<<<<<<<<<<<<<<<<<<<<<<<<< Strict-Transport-Security: max-age=31536000; X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Content... Forms : {} Headers : {[Connection, keep-alive], [Pragma, private], [X-FRAME-OPTIONS, DENY], [Strict-Transport-Security, max-age=31536000;]...} Images : {} InputFields : {} Links : {} ParsedHtml : System.__ComObject RawContentLength : 170

Based on that, this one is an enhancement for best practice purposes and there's no configuration workaround as it takes actual source code change.

Since it is a Firewall-based website, and there are limited options you can do on the Portal, the vulnerability is not a threat. There has not been a CVE so far that would require this fix.

That said,the enhancement is already planned to be included in future PAN-OS releases, however, there is no ETA.

Kind regards,

-Kim.

Re: vulnerabilities detected on https://appvpn.xxxx.xxx through our Bitsight

anupam_chauhan — Wed, 18 Feb 2026 07:20:12 GMT

Dear Team ,

Do we have any ETA for this enhancement related to CSP header ?