vulnerabilities detected on https://appvpn.xxxx.xxx through our Bitsight

L4 Transporter

Hi team,

We use a cybersecurity tool called Bitsight in order to discover vulnerabilities in our organization. This time the tool has found some on our https://appvpn.xxxx.xxx subdomain, which is a web portal to download the GlobalProtect client.

The Bitsight findings in this case are related to the Content-Security-Policy header configuration. I am sending you some details about this below. Do you have any experience with this? Could you provide us with some information to solve this problem?

Content-Security-Policy (Potentially insecure policy)

Directive: default-src
Issue: No issue
Remediation instructions: No remediation needed

Directive: script-src
Issue: “Unsafe-inline” is insecure
Remediation instructions: Remove the "unsafe-inline" keyword from your content security policy.

Directive: img-src
Issue: Asterisks in the source are insecure
Remediation instructions: Remove any instances of the asterisk character (*) that are by itself from your content security policy.

Directive: style-src
Issue: “Unsafe-inline” is insecure
Remediation instructions: Remove the "unsafe-inline" keyword from your content security policy.

Directive: reporting-objective
Issue: No reporting directive in use
Remediation instructions: Include a reporting directive with a valid location or group.

Directive: form-action-objective
Issue: Application privilege limitation (Form-Actions)
Remediation instructions: Include the form-actions directive in your CSP.

Directive: code-injection-objective
Issue: Limited code injection prevention
Remediation instructions: Do not use any "unsafe" keywords and use explicit hosts for any source-list directives.

Directive: Strict-Transport-Security
Issue: No issue
Remediation instructions: No remediation needed

Directive: X-Content-Type-Options
Issue: No issue
Remediation instructions: No remediation needed

More information about this finding:

Issue: Potentially insecure policy
Details: This Content-Security-Policy (CSP) has issues that possibly make it insecure.
Remediation Tip: Remove any instances of "unsafe-" directives and "blob, data, filesystem" sources. Ensure your CSP directives are correctly configured. Learn more at W3C CSP. https://www.w3.org/TR/CSP/

Issue: Ineffective headers: Content-Security-Policy
Details: The implementation of these header(s) does not follow security best practices.
Remediation Tip: Ensure your headers are implemented correctly, as outlined in RFC-7231 https://tools.ietf.org/html/rfc7231. Your headers should not permit caching of encrypted content. They should also have specific permissions (as opposed to using wildcards or other generalizations) and be formatted properly.

Regards
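The findings above are all mechanical checks on the CSP value, so they are easy to reproduce locally before and after a change. The following is an added example, not code from the original post, from Bitsight or from PAN-OS: it parses a Content-Security-Policy value the way a browser does (first occurrence of a repeated directive wins, script-src and style-src fall back to default-src) and reports the same classes of issue Bitsight lists: 'unsafe-*' keywords, a bare `*`, `data:`/`blob:`/`filesystem:` sources, and missing form-action, frame-ancestors and reporting directives. The two policies `WEAK_CSP` and `HARDENED_CSP` are constructed for the example; the portal's real header value is not shown in the thread.

```python
"""Lint a Content-Security-Policy value for the issues Bitsight reports.

Added example, not code from the original post, from Bitsight or from PAN-OS.
WEAK_CSP is constructed to match the findings in the thread; HARDENED_CSP is
one way to clear all of them (the nonce must be freshly random per response
and echoed on every inline <script>/<style> tag the page needs).
"""
from typing import Dict, List, Tuple

# Directives whose value is a CSP source list
SOURCE_LIST_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "form-action", "frame-ancestors", "base-uri",
}
UNSAFE_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'")
RISKY_SCHEMES = ("data:", "blob:", "filesystem:")

# Constructed sample policies (not the portal's real header)
WEAK_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
            "style-src 'self' 'unsafe-inline'; img-src *")
HARDENED_CSP = ("default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; "
                "style-src 'self' 'nonce-PLACEHOLDER'; "
                "img-src 'self' https://static.example.com; form-action 'self'; "
                "frame-ancestors 'none'; base-uri 'self'; report-to csp-endpoint")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive name: [source expressions]}.

    Names are case-insensitive. When a directive is repeated, browsers keep
    the first occurrence and ignore the rest, so the parser does the same.
    """
    policy: Dict[str, List[str]] = {}
    for raw_directive in header.split(";"):
        tokens = raw_directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def lint_source_list(directive: str, sources: List[str]) -> List[Tuple[str, str]]:
    """Findings for a single directive's source list."""
    findings: List[Tuple[str, str]] = []
    lowered = [s.lower() for s in sources]
    # CSP Level 2+: a nonce or hash in the list makes 'unsafe-inline' ignored,
    # which is the usual migration path away from inline scripts.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    for keyword in UNSAFE_KEYWORDS:
        if keyword in lowered:
            if keyword == "'unsafe-inline'" and has_nonce_or_hash:
                findings.append((directive, "'unsafe-inline' is listed but ignored: a nonce/hash is present"))
            else:
                findings.append((directive, f"{keyword} is insecure"))
    if "*" in lowered:
        findings.append((directive, "bare wildcard * allows any origin"))
    for scheme in RISKY_SCHEMES:
        if scheme in lowered:
            findings.append((directive, f"{scheme} source permits attacker-supplied content"))
    return findings


def lint_csp(header: str) -> List[Tuple[str, str]]:
    """Return (directive, issue) pairs for a policy, in a stable order."""
    policy = parse_csp(header)
    findings: List[Tuple[str, str]] = []
    for directive in sorted(policy):
        if directive in SOURCE_LIST_DIRECTIVES:
            findings.extend(lint_source_list(directive, policy[directive]))
    # script-src and style-src inherit default-src when absent, so an
    # 'unsafe-inline' in default-src is just as bad for them.
    for directive in ("script-src", "style-src"):
        if directive not in policy and "default-src" in policy:
            for _, issue in lint_source_list("default-src", policy["default-src"]):
                findings.append((directive, f"{issue} (inherited from default-src)"))
    if "form-action" not in policy:
        findings.append(("form-action", "directive absent: forms may submit to any origin"))
    if "frame-ancestors" not in policy:
        findings.append(("frame-ancestors", "directive absent: framing is governed only by X-Frame-Options, if set"))
    if not ({"report-to", "report-uri"} & policy.keys()):
        findings.append(("reporting", "no report-to/report-uri directive: violations are not reported"))
    return findings


if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"== {label} ==")
        for directive, issue in lint_csp(csp) or [("-", "no findings")]:
            print(f"  {directive}: {issue}")
```

Run against `WEAK_CSP` it reports the six items Bitsight raised (two 'unsafe-inline', one wildcard, three missing directives); against `HARDENED_CSP` it reports nothing. The nonce branch is worth noting for a portal whose HTML relies on inline scripts, as the GlobalProtect landing page does: adding a per-response nonce to script-src lets the inline redirect keep working while the 'unsafe-inline' keyword becomes inert and can then be removed.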


Accepted Solutions

Community Team Member

Hi @Alpalo ,

These are suggested enhancements to the CSP header directives (unsafe-inline set to self, frame-ancestors not available yet), which is not a vulnerability.

The new HTML standard and the latest browsers now support the Content-Security-Policy config setting, which is a stronger and recommended form of protection.

X-FRAME-OPTIONS config setting (already set to DENY) is the old way of protecting against Cross-Frame Scripting attacks. Frame-ancestors: none is equivalent to X-Frame-Options: DENY, which already exists as a protection.

You may verify the existence of X-Frame-options: DENY via curl:

 

curl -v https://appvpn.xxx.xxx <<<<<<<<<<<<<<<<<<<<<<<<<<<<

VERBOSE: GET with 0-byte payload
VERBOSE: received 170-byte response of content type text/html


StatusCode : 200
StatusDescription : OK
Content : <script LANGUAGE=JavaScript>
window.location="/global-protect/login.esp";
</script>
<html><head></head><body><p>JavaScript must be enabled to continue!</p></body></html>
RawContent : HTTP/1.1 200 OK
Connection: keep-alive
Pragma: private
X-FRAME-OPTIONS: DENY <<<<<<<<<<<<<<<<<<<<<<<<<<<<
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content...
Forms : {}
Headers : {[Connection, keep-alive], [Pragma, private], [X-FRAME-OPTIONS, DENY], [Strict-Transport-Security, max-age=31536000;]...}
Images : {}
InputFields : {}
Links : {}
ParsedHtml : System.__ComObject
RawContentLength : 170



Based on that, this one is an enhancement for best practice purposes and there's no configuration workaround, as it requires an actual source code change.

Since it is a Firewall-based website, and there are limited things you can do on the Portal, the vulnerability is not a threat. There has not been a CVE so far that would require this fix.

That said, the enhancement is already planned to be included in future PAN-OS releases, however, there is no ETA.

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
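The reply's equivalence claim (frame-ancestors 'none' versus X-Frame-Options: DENY) can be checked mechanically, and the check has one wrinkle worth knowing: when both are present, CSP Level 2 tells the browser to ignore X-Frame-Options entirely. The transcript above is PowerShell's Invoke-WebRequest output (curl is an alias for it in PowerShell); plain curl with `-I` would print the raw header lines instead. What follows is an added example, not code from the reply, from Bitsight or from PAN-OS. `RESPONSE_PORTAL` is constructed from the header names and values visible in the transcript, and `RESPONSE_BOTH` is constructed to show the precedence rule; `fetch_raw_response` is a hypothetical helper for running the same evaluation against a live URL.

```python
"""Work out what framing protection an HTTP response actually provides.

Added example, not code from the reply, from Bitsight or from PAN-OS. The
raw responses are constructed: the first from the headers shown in the
reply's transcript, the second to show CSP frame-ancestors overriding
X-Frame-Options.
"""
from typing import Dict, List, Optional, Tuple
import urllib.request

# Constructed from the headers shown in the reply (body kept short)
RESPONSE_PORTAL = (
    "HTTP/1.1 200 OK\r\n"
    "Connection: keep-alive\r\n"
    "Pragma: private\r\n"
    "X-FRAME-OPTIONS: DENY\r\n"
    "Strict-Transport-Security: max-age=31536000;\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><head></head><body><p>JavaScript must be enabled to continue!</p></body></html>"
)

# Constructed: both mechanisms present and disagreeing
RESPONSE_BOTH = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
)


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to their values (repeats kept in order).

    Header names are case-insensitive, which matters here: the portal sends
    X-FRAME-OPTIONS in upper case and a naive string match would miss it.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestors(headers: Dict[str, List[str]]) -> Optional[List[str]]:
    """Source list of frame-ancestors from an enforced CSP header, if any."""
    for csp in headers.get("content-security-policy", []):
        for raw_directive in csp.split(";"):
            tokens = raw_directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def framing_protection(headers: Dict[str, List[str]]) -> Tuple[str, str]:
    """Return (verdict, mechanism) the way a current browser would decide it.

    CSP Level 2 requires browsers to ignore X-Frame-Options when an enforced
    frame-ancestors directive is present, so CSP is consulted first.
    """
    ancestors = frame_ancestors(headers)
    if ancestors is not None:
        lowered = [a.lower() for a in ancestors]
        if lowered == ["'none'"]:
            return "deny", "csp frame-ancestors"
        if lowered == ["'self'"]:
            return "same-origin", "csp frame-ancestors"
        return "allow-list " + " ".join(ancestors), "csp frame-ancestors"
    values = {v.strip().upper() for v in headers.get("x-frame-options", [])}
    if not values:
        return "none", "no framing protection header"
    if len(values) > 1:
        # Conflicting values (e.g. DENY from the app, SAMEORIGIN from a proxy)
        # are treated as a block by browsers following the HTML spec's check.
        if values & {"DENY", "SAMEORIGIN", "ALLOWALL"}:
            return "deny", "conflicting x-frame-options values"
        return "none", "multiple unrecognised x-frame-options values"
    value = values.pop()
    if value == "DENY":
        return "deny", "x-frame-options"
    if value == "SAMEORIGIN":
        return "same-origin", "x-frame-options"
    # ALLOW-FROM and unknown tokens are ignored by current browsers
    return "none", f"unsupported x-frame-options value {value}"


def fetch_raw_response(url: str) -> str:
    """Hypothetical helper: rebuild status line + headers of a live response."""
    with urllib.request.urlopen(url) as resp:
        status = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
        header_lines = "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
    return status + header_lines + "\r\n"


if __name__ == "__main__":
    for label, raw in (("portal", RESPONSE_PORTAL), ("csp+xfo", RESPONSE_BOTH)):
        print(label, framing_protection(parse_response_headers(raw)))
```

For the portal response the verdict is `deny` via X-Frame-Options, which is the point the reply makes: the framing protection is already there, only delivered by the older header. The second response shows why the two are not interchangeable in the presence of both: the CSP directive wins, so an operator who adds frame-ancestors later must make sure it is at least as strict as the X-Frame-Options value it silently replaces.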
