Diffstat (limited to 'doc/user/application_security/dast/checks'):

- -rw-r--r-- doc/user/application_security/dast/checks/1004.1.md | 41
- -rw-r--r-- doc/user/application_security/dast/checks/16.1.md | 33
- -rw-r--r-- doc/user/application_security/dast/checks/16.2.md | 44
- -rw-r--r-- doc/user/application_security/dast/checks/16.3.md | 35
- -rw-r--r-- doc/user/application_security/dast/checks/16.4.md | 28
- -rw-r--r-- doc/user/application_security/dast/checks/16.5.md | 30
- -rw-r--r-- doc/user/application_security/dast/checks/614.1.md | 40
- -rw-r--r-- doc/user/application_security/dast/checks/693.1.md | 36
- -rw-r--r-- doc/user/application_security/dast/checks/index.md | 20

9 files changed, 307 insertions, 0 deletions
diff --git a/doc/user/application_security/dast/checks/1004.1.md b/doc/user/application_security/dast/checks/1004.1.md new file mode 100644 index 00000000000..cbbcea1d34d --- /dev/null +++ b/doc/user/application_security/dast/checks/1004.1.md @@ -0,0 +1,41 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Sensitive cookie without `HttpOnly` attribute + +## Description + +The {cookie_name} cookie was transmitted in a `Set-Cookie` header without the `HttpOnly` attribute set. +To prevent JavaScript being able to access the cookie value - usually via `document.cookies` - all +cookies that are used for authorization or contain sensitive information should have the `HttpOnly` attribute +set. + +## Remediation + +Most web application frameworks allow configuring how cookies are sent to user-agents. Consult your framework's +documentation for more information on how to enable various security directives when assigning cookies to clients. + +If the application is assigning cookies via writing to the response headers directly, ensure all responses include +the `HttpOnly` attribute. By enabling this protection, the application is able to mitigate the impact of +certain Cross-Site Scripting (XSS) attacks. + +Example: + +```http +Set-Cookie: {cookie_name}=<random secure value>; HttpOnly +``` + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 1004.1 | false | 1004 | Passive | Low | + +## Links + +- [owasp](https://owasp.org/www-community/HttpOnly) +- [cwe](https://cwe.mitre.org/data/definitions/1004.html) +- [Mozilla MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) 
diff --git a/doc/user/application_security/dast/checks/16.1.md b/doc/user/application_security/dast/checks/16.1.md new file mode 100644 index 00000000000..bb030d2f9c4 --- /dev/null +++ b/doc/user/application_security/dast/checks/16.1.md @@ -0,0 +1,33 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Missing Content-Type header + +## Description + +The `Content-Type` header ensures that user agents correctly interpret the data being received. Without this header +being sent, the browser may misinterpret the data, leading to MIME confusion attacks. If an attacker were able +to upload files that are accessible by using a browser, they could upload files that may be interpreted as +HTML and so execute Cross-Site Scripting (XSS) attacks. + +## Remediation + +Ensure all resources return a proper `Content-Type` header that matches their format. As an example, +when returning JavaScript files, the response header should be: `Content-Type: application/javascript` + +For added protection, we recommend that all resources return the `X-Content-Type-Options: nosniff` +header to disable user agents from mis-interpreting resources. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 16.1 | true | 16 | Passive | Low | + +## Links + +- [cwe](https://cwe.mitre.org/data/definitions/16.html) +- [Mozilla Blog on MIME Confusion attacks](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/) diff --git a/doc/user/application_security/dast/checks/16.2.md b/doc/user/application_security/dast/checks/16.2.md new file mode 100644 index 00000000000..95461e8677d --- /dev/null +++ b/doc/user/application_security/dast/checks/16.2.md 
@@ -0,0 +1,44 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Server header exposes version information + +## Description + +The target website returns the `Server` header and version information of this website. By +exposing these values, attackers may attempt to identify if the target software is vulnerable to known +vulnerabilities, or catalog known sites running particular versions to exploit in the future when a +vulnerability is identified in the particular version. + +## Remediation + +We recommend that the version information be removed from the `Server` header. + +Apache: +For Apache based web sites, set the `ServerTokens` to `Prod` in the `httpd.conf` configuration file. + +NGINX: +For NGINX based websites, set the `server_tokens` configuration value to `off` in the `nginx.conf` file. + +IIS: +For IIS based websites version 10 and above you can use the `removeServerHeader` element to the `requestFiltering` +section of the `Web.config` file. + +For all other server types, please consult your product's documentation on how to redact the version information from +the `Server` header. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 16.2 | true | 16 | Passive | Low | + +## Links + +- [cwe](https://cwe.mitre.org/data/definitions/16.html) +- [Apache ServerTokens](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/) +- [NGINX server_tokens](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens) +- [IIS 10 Remove Server Header](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/#attributes) 
diff --git a/doc/user/application_security/dast/checks/16.3.md b/doc/user/application_security/dast/checks/16.3.md new file mode 100644 index 00000000000..e4dcf3ece4b --- /dev/null +++ b/doc/user/application_security/dast/checks/16.3.md @@ -0,0 +1,35 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# X-Powered-By header exposes version information + +## Description + +The target website returns the `X-Powered-By` header and version information of this website. By +exposing these values, attackers may attempt to identify if the target software is vulnerable to known +vulnerabilities, or catalog known sites running particular versions to exploit in the future when a +vulnerability is identified in the particular version. + +## Remediation + +We recommend that the version information be removed from the `X-Powered-By` header. + +PHP: +For PHP based web sites, set the `expose_php` option to `off` in the `php.ini` configuration file. + +For all other server types, please consult your product's documentation on how to redact the version +information from the `X-Powered-By` header. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 16.3 | true | 16 | Passive | Low | + +## Links + +- [cwe](https://cwe.mitre.org/data/definitions/16.html) +- [PHP expose_php](https://www.php.net/manual/en/ini.core.php#ini.expose-php) diff --git a/doc/user/application_security/dast/checks/16.4.md b/doc/user/application_security/dast/checks/16.4.md new file mode 100644 index 00000000000..c0161c910b0 --- /dev/null +++ b/doc/user/application_security/dast/checks/16.4.md 
@@ -0,0 +1,28 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# X-Backend-Server header exposes server information + +## Description + +The target website returns the `X-Backend-Server` header which includes potentially internal/hidden IP addresses +or hostnames. By exposing these values, attackers may attempt to circumvent security proxies and access these +hosts directly. + +## Remediation + +Consult your proxy/load balancer documentation or provider on how to disable revealing the +`X-Backend-Server` header value. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 16.4 | true | 16 | Passive | Info | + +## Links + +- [cwe](https://cwe.mitre.org/data/definitions/16.html) diff --git a/doc/user/application_security/dast/checks/16.5.md b/doc/user/application_security/dast/checks/16.5.md new file mode 100644 index 00000000000..8a6f3cd8b6a --- /dev/null +++ b/doc/user/application_security/dast/checks/16.5.md 
@@ -0,0 +1,30 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# AspNet Header(s) exposes version information + +## Description + +The target website returns AspNet header(s) and version information of this website. By +exposing these values attackers may attempt to identify if the target software is vulnerable to known +vulnerabilities, or catalog known sites running particular versions to exploit in the future when a +vulnerability is identified in the particular version. + +## Remediation + +To remove the `X-AspNet-Version` header set `<httpRuntime enableVersionHeader="false" />` in the `<system.Web>` +section of the `Web.config` file. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 16.5 | true | 16 | Passive | Low | + +## Links + +- [cwe](https://cwe.mitre.org/data/definitions/16.html) +- [IIS Remove Unwanted Headers](https://techcommunity.microsoft.com/t5/iis-support-blog/remove-unwanted-http-response-headers/ba-p/369710) diff --git a/doc/user/application_security/dast/checks/614.1.md b/doc/user/application_security/dast/checks/614.1.md new file mode 100644 index 00000000000..74ac73935f1 --- /dev/null +++ b/doc/user/application_security/dast/checks/614.1.md 
@@ -0,0 +1,40 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Sensitive cookie without `Secure` attribute + +## Description + +The {cookie_name} cookie was transmitted in a `Set-Cookie` response without the `Secure` attribute set. +To prevent sensitive cookie values being accidentally transmitted over clear-text HTTP we +recommended that cookies are declared with the `Secure` attribute. + +## Remediation + +Most web application frameworks allow configuring how cookies are sent to user agents. Consult your framework's +documentation for more information on how to enable various security attributes when assigning cookies to clients. + +If the application is assigning cookies via writing to the response headers directly, ensure all responses include +the `Secure` attribute. By enabling this protection, the application will no longer send sensitive cookies over +HTTP. + +Example: + +```http +Set-Cookie: {cookie_name}=<random secure value>; Secure +``` + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 614.1 | false | 614 | Passive | Low | + +## Links + +- [owasp](https://owasp.org/www-community/controls/SecureCookieAttribute) +- [cwe](https://cwe.mitre.org/data/definitions/614.html) +- [Mozilla MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) diff --git a/doc/user/application_security/dast/checks/693.1.md b/doc/user/application_security/dast/checks/693.1.md new file mode 100644 index 00000000000..07cb368b39a --- /dev/null +++ b/doc/user/application_security/dast/checks/693.1.md 
@@ -0,0 +1,36 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Missing X-Content-Type-Options: nosniff + +## Description + +The `X-Content-Type-Options` header with the value `nosniff` ensures that user agents do not attempt to +guess the format of the data being received. User Agents such as browsers, commonly attempt to guess +what the resource type being requested is, through a process called MIME type sniffing. + +Without this header being sent, the browser may misinterpret the data, leading to MIME confusion attacks. +If an attacker were able to upload files that are accessible by using a browser, they could upload files +that could be interpreted as HTML and execute Cross-Site Scripting (XSS) attacks. + +## Remediation + +We recommend that the header and value of `X-Content-Type-Options: nosniff` be set server wide. +This ensures any resources that are mistakenly missing a `Content-Type` value are not +misinterpreted. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 693.1 | true | 693 | Passive | Low | + +## Links + +- [owasp](https://owasp.org/www-project-secure-headers/#x-content-type-options) +- [cwe](https://cwe.mitre.org/data/definitions/693.html) +- [Mozilla Blog on MIME Confusion attacks](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/) +- [Mozilla MDN on X-Content-Type-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options) diff --git a/doc/user/application_security/dast/checks/index.md b/doc/user/application_security/dast/checks/index.md new file mode 100644 index 00000000000..f1a68387eb1 --- /dev/null +++ b/doc/user/application_security/dast/checks/index.md 
@@ -0,0 +1,20 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# DAST browser-based crawler vulnerability checks **(ULTIMATE)** + +The [DAST browser-based crawler](../browser_based.md) provides a number of vulnerability checks that are used to scan for vulnerabilities in the site under test. + +| ID | Check | Severity | Type | +|:---|:------|:---------|:-----| +| [1004.1](1004.1.md) | Sensitive cookie without `HttpOnly` attribute | Low | Passive | +| [16.1](16.1.md) | Missing Content-Type header | Low | Passive | +| [16.2](16.2.md) | Server header exposes version information | Low | Passive | +| [16.3](16.3.md) | X-Powered-By header exposes version information | Low | Passive | +| [16.4](16.4.md) | X-Backend-Server header exposes server information | Info | Passive | +| [16.5](16.5.md) | AspNet Header(s) exposes version information | Low | Passive | +| [614.1](614.1.md) | Sensitive cookie without `Secure` attribute | Low | Passive | +| [693.1](693.1.md) | Missing X-Content-Type-Options: nosniff | Low | Passive | |
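Review bot: In the 1004.1.md Description, `document.cookies` is not a DOM property; the JavaScript accessor is `document.cookie`, so the sentence should read "usually via `document.cookie`". The Remediation paragraph also says "security directives" where the same sentence in 614.1.md says "security attributes"; "attributes" is the term the page title and the `Set-Cookie` example use, so align on it.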
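Review bot: In the 16.1.md Remediation, "disable user agents from mis-interpreting resources" reads awkwardly and hyphenates a word the rest of the file does not; suggest "to prevent user agents from misinterpreting resources". The preceding sentence also ends without a period after the `Content-Type: application/javascript` example.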
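Review bot: In the 16.2.md Links section, the "[Apache ServerTokens]" entry points to the Mozilla blog post on MIME confusion attacks (the same URL used in 16.1.md), which looks like a copy-paste slip; it should point to Apache's documentation for the `ServerTokens` directive. In the IIS paragraph, `removeServerHeader` is an attribute of the `requestFiltering` element rather than an element of its own, which the linked `#attributes` anchor confirms, so "use the `removeServerHeader` element to the `requestFiltering` section" should read "set the `removeServerHeader` attribute on the `requestFiltering` element". Minor: the file mixes "web sites" (Apache paragraph) and "websites" (NGINX and IIS paragraphs).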
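Review bot: In 16.5.md the heading "AspNet Header(s) exposes version information" pairs a plural subject with a singular verb ("expose"), and the Description speaks of "AspNet header(s)" while the Remediation covers only `X-AspNet-Version`; name the header(s) the check actually matches so readers know what to remove. Also, the Web.config section is `<system.web>` (lowercase), not `<system.Web>`; XML element names are case-sensitive.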
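Review bot: In the 614.1.md Description, "we recommended that cookies are declared" should be "we recommend that cookies be declared". In the Remediation, "the application will no longer send sensitive cookies over HTTP" misstates what the attribute does: `Secure` is an instruction to the user agent, which then stops returning the cookie over clear-text HTTP, while the server still emits the `Set-Cookie` header; suggest "the user agent will no longer send the cookie over clear-text HTTP". The Description also says "transmitted in a `Set-Cookie` response" where 1004.1.md says "in a `Set-Cookie` header"; align on "header".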
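Review bot: In the 693.1.md Description, "User Agents such as browsers, commonly attempt" has a stray comma after "browsers", and "User Agents" is capitalized inconsistently with "user agents" in the previous sentence. The second paragraph repeats the 16.1.md Description almost verbatim; consider cross-linking to 16.1.md, whose Remediation already recommends this header.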
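Review bot: The index.md table labels its third column "Severity" while every check page's Details table calls the same value "Risk"; use one term in both places. The row "AspNet Header(s) exposes version information" carries the same subject-verb disagreement as the 16.5.md heading.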