vulnerabilities detected on https://appvpn.xxxx.xxx through our Bitsight

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

vulnerabilities detected on https://appvpn.xxxx.xxx through our Bitsight

L4 Transporter

Hi team,

We use a cybersecurity tool called Bitsight in order to discover vulnerabilities in our organization. This time the tool has found out some in our https://appvpn.xxxx.xxx subdomain which is a web portal to download the GlobalProtect client.

 

Alpalo_0-1718719318523.jpeg

 

 

The Bitsight finding in this case are related to the Content-Security-Policy header configuration. I send you some detail about this below. Do you have any experience with this? Could you provide us some information to solve this problem?

 

 

Content-Security-Policy (Potencially insecure policy)

 

Directive: default-src

Issue: No issue

Remediation instructions: No remediation needed

 

Directive: script-src

Issue: “Unsafe-inline” is insecure

Remediation instructions: Remove the "unsafe-inline" keyword from your content security policy.

 

Directive: img-src

Issue: Asterisks in the source are insecure

Remediation instructions: Remove any instances of the asterisk character (*) that are by itself from your content security policy.

 

Directive: style-src

Issue: “Unsafe-inline” is insecure

Remediation instructions: Remove the "unsafe-inline" keyword from your content security policy.

 

Directive: reporting-objective

Issue: No reporting directive in use

Remediation instructions: Include a reporting directive with a valid location or group.

 

Directive: form-action-objective

Issue: Application privilege limitation (Form-Actions)

Remediation instructions: Include the form-actions directive in your CSP.

 

Directive: code-injection-objective

Issue: Limited code injection prevention

Remediation instructions: Do not use any "unsafe" keywords and use explicit hosts for any source-list directives.

 

Directive: Strict-Transport-Security

Issue: No issue

Remediation instructions: No remediation needed

 

Directive: X-Content-Type-Options

Issue: No issue

Remediation instructions: No remediation needed

 

 

More information about this finding:

 

Issue: Potentially insecure policy

Details: This Content-Security-Policy (CSP) has issues that possibly makes it insecure.

Remediation Tip: Remove any instances of "unsafe-" directives and "blob, data, filesystem" sources. Ensure your CSP directives are correctly configured. Learn more at W3C CSP. https://www.w3.org/TR/CSP/

 

Issue: Ineffective headers: Content-Security-Policy

Details: The implementation of these header(s) do not follow security best practices.

Remediation Tip: Ensure your headers are implemented correctly, as outlined in RFC-7231 https://tools.ietf.org/html/rfc7231. Your headers should not permit caching of encrypted content. They should also have specific permissions (as opposed to using wildcards or other generalizations) and be formatted properly.

 

Regards

1 accepted solution

Accepted Solutions

Community Team Member

Hi @Alpalo ,

 

These are suggested enhancements in the CSP header the directives (unsafe-inline set to self, frame-ancestors not available yet), which is not a vulnerability.

The new HTML standard and the latest browsers now support the Content-Security-Policy config setting which is a stronger and recommended way of protection.

X-FRAME-OPTIONS config setting (already set to DENY) is the old way of protecting Cross-Frame Scripting attacks. Frame-ancestors: none is equivalent to X-Frame-Options: DENY which already exists as a protection.


You may verify the existence of X-Frame-options: DENY via curl :

 

curl -v https://appvpn.xxx.xxx <<<<<<<<<<<<<<<<<<<<<<<<<<<<

VERBOSE: GET with 0-byte payload
VERBOSE: received 170-byte response of content type text/html


StatusCode : 200
StatusDescription : OK
Content : <script LANGUAGE=JavaScript>
window.location="/global-protect/login.esp";
</script>
<html><head></head><body><p>JavaScript must be enabled to continue!</p></body></html>
RawContent : HTTP/1.1 200 OK
Connection: keep-alive
Pragma: private
X-FRAME-OPTIONS: DENY <<<<<<<<<<<<<<<<<<<<<<<<<<<<
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content...
Forms : {}
Headers : {[Connection, keep-alive], [Pragma, private], [X-FRAME-OPTIONS, DENY], [Strict-Transport-Security, max-age=31536000;]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml : System.__ComObject
RawContentLength : 170



Based on that, this one is an enhancement for best practice purposes and there's no configuration workaround as it takes actual source code change.

Since it is a Firewall-based website, and there are limited options you can do on the Portal, the vulnerability is not a threat. There has not been a CVE so far that would require this fix.

 

That said,the enhancement is already planned to be included in future PAN-OS releases, however, there is no ETA.

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

View solution in original post

1 REPLY 1

Community Team Member

Hi @Alpalo ,

 

These are suggested enhancements in the CSP header the directives (unsafe-inline set to self, frame-ancestors not available yet), which is not a vulnerability.

The new HTML standard and the latest browsers now support the Content-Security-Policy config setting which is a stronger and recommended way of protection.

X-FRAME-OPTIONS config setting (already set to DENY) is the old way of protecting Cross-Frame Scripting attacks. Frame-ancestors: none is equivalent to X-Frame-Options: DENY which already exists as a protection.


You may verify the existence of X-Frame-options: DENY via curl :

 

curl -v https://appvpn.xxx.xxx <<<<<<<<<<<<<<<<<<<<<<<<<<<<

VERBOSE: GET with 0-byte payload
VERBOSE: received 170-byte response of content type text/html


StatusCode : 200
StatusDescription : OK
Content : <script LANGUAGE=JavaScript>
window.location="/global-protect/login.esp";
</script>
<html><head></head><body><p>JavaScript must be enabled to continue!</p></body></html>
RawContent : HTTP/1.1 200 OK
Connection: keep-alive
Pragma: private
X-FRAME-OPTIONS: DENY <<<<<<<<<<<<<<<<<<<<<<<<<<<<
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content...
Forms : {}
Headers : {[Connection, keep-alive], [Pragma, private], [X-FRAME-OPTIONS, DENY], [Strict-Transport-Security, max-age=31536000;]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml : System.__ComObject
RawContentLength : 170



Based on that, this one is an enhancement for best practice purposes and there's no configuration workaround as it takes actual source code change.

Since it is a Firewall-based website, and there are limited options you can do on the Portal, the vulnerability is not a threat. There has not been a CVE so far that would require this fix.

 

That said,the enhancement is already planned to be included in future PAN-OS releases, however, there is no ETA.

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
  • 1 accepted solution
  • 671 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!