Security Issue??????


mikel...@gmail.com

Jul 9, 2020, 9:42:13 AM7/9/20
to web2py-users
Hi, these days I'm running a pen-test on my web2py application, and all the tools I used report that some "important" headers are missing.
In particular:
  • X-Frame-Options Header Not Set (15)
  • Cross-Domain JavaScript Source File Inclusion (2)
  • Incomplete or No Cache-control and Pragma HTTP Header Set (26)
  • Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) (50)
  • X-Content-Type-Options Header Missing (48)
And also:
  • Absence of Anti-CSRF Tokens (13)
Where is the mistake?
Is there a security issue???

BR

MS

Dave S

Jul 9, 2020, 5:13:13 PM7/9/20
to web2py-users


On Thursday, July 9, 2020 at 6:42:13 AM UTC-7, mikel...@gmail.com wrote:
Hi, these days I'm running a pen-test on my web2py application, and all the tools I used report that some "important" headers are missing.
In particular:
  • X-Frame-Options Header Not Set (15)

prevents embedding the page in a frame (or iframe), as a preventative for click-jacking.  Geeks-for-geeks says it is obsoleted by CSP.
 
  • [...]
  • Incomplete or No Cache-control and Pragma HTTP Header Set (26)
    prevents caching the page.   I am not sure what the security downside of caching the page is, unless there is privileged information like on a password reset page.
  • Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) (50)
    revealing the type of server can tell the intruder which attacks might work.
  • X-Content-Type-Options Header Missing (48)
    a nosniff setting rejects requests if there is a "style" MIME-type that isn't txt/css or a JavaScript type.  (Geeks-for-geeks doesn't explain this well, in my opinion.)

The real gurus can comment further.  For more on security practices, you might look at OWASP's recommendations.

/dps


Christian Varas

Jul 9, 2020, 5:30:38 PM7/9/20
to web...@googlegroups.com
Hi,

There is not much to worry about; they are just best practices, informational or low issues. Except for CSRF, but web2py already handles this.
• X-Frame-Options Header Not Set (15)
Prevents your site from being used inside an iframe on another site. Depends on the usage of the app.
• Cross-Domain JavaScript Source File Inclusion (2)
This is optional. It is not mandatory to have all the JS in the same app.
• Incomplete or No Cache-control and Pragma HTTP Header Set (26)
This header prevents the client from caching the response.
• Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) (50)
It just discloses "web2py", like every other server header or technology. It is easy to hide if necessary.
• X-Content-Type-Options Header Missing (48)
The HTTP 'X-Content-Type-Options' response header prevents the browser from MIME-sniffing a response away from the declared content-type. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the intended content type.

• Absence of Anti-CSRF Tokens (13)
All forms from web2py have a unique token to prevent this and also double submission.

Anyway... all of these header misconfigurations are classified as best practices, informational or low issues. Only CSRF could be taken as a medium or high issue, but web2py handles this.

You can handle the headers at server (apache/nginx) level or at the application level.

Cheers!


Jose C

Jul 10, 2020, 4:57:04 AM7/10/20
to web2py-users
In addition to the other replies, you can also set the headers easily yourself in web2py (although depending on your own web server settings, some may be overwritten).  For example, in a model (say):

    # response.headers is the dict web2py turns into the HTTP response headers
    response.headers['Strict-Transport-Security'] = 'max-age=63072000; includeSubDomains; preload'
    response.headers['Referrer-Policy'] = 'no-referrer-when-downgrade'
    response.headers['X-Powered-By'] = ''
    response.headers['X-Frame-Options'] = 'DENY'

HTH,
Jose
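Putting Christian's and Jose's replies together as working code. This is an added example, not code from the thread or from web2py itself: it applies the headers the scanner asked for to a web2py-style `response.headers` dict (web2py's `response.headers` is an ordinary dict, so `harden_headers(response.headers)` is what a model file would call), and it audits a headers dict the way the scanner does so you can confirm the findings go away. The header values, the `overrides` parameter, the `audit_headers` rule approximations and the sample headers dict are this example's own choices. Note that it deletes `X-Powered-By` rather than setting it to an empty string, so no empty header line is sent at all, and that it replaces existing keys case-insensitively, since a proxy-injected `x-frame-options: SAMEORIGIN` would otherwise survive beside your `DENY`.

```python
# Added example: harden and audit HTTP response headers on a web2py-style
# response.headers dict.  Not web2py code; values are this example's choices.

# Defaults chosen for this example; tune CSP and HSTS to the deployment.
SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    # Modern replacement for X-Frame-Options; both are sent for old browsers.
    "Content-Security-Policy": "frame-ancestors 'none'",
}

# Headers that only reveal the stack; delete them instead of blanking them.
LEAKY_HEADERS = ("X-Powered-By", "Server")


def _find(headers, name):
    """Return the existing key equal to name case-insensitively, or None."""
    lname = name.lower()
    for key in headers:
        if key.lower() == lname:
            return key
    return None


def _get(headers, name):
    """Case-insensitive lookup returning '' when the header is absent."""
    key = _find(headers, name)
    return headers[key] if key is not None else ""


def harden_headers(headers, overrides=None):
    """Set the security headers on a response.headers dict in place.

    overrides maps header name -> value; a value of None means 'do not set'
    (e.g. drop X-Frame-Options for a page that must be framed by a partner).
    Existing keys are replaced case-insensitively.  Returns the same dict.
    """
    wanted = dict(SECURITY_HEADERS)
    wanted.update(overrides or {})
    for name, value in wanted.items():
        old = _find(headers, name)
        if old is not None:
            del headers[old]
        if value is not None:
            headers[name] = value
    for name in LEAKY_HEADERS:
        old = _find(headers, name)
        if old is not None:
            del headers[old]  # remove entirely; '' would still send a header line
    return headers


def audit_headers(headers):
    """Return the scanner-style findings (from the thread) that still apply.

    The rules are this example's approximation of the scanner's checks.
    """
    findings = []
    if (not _get(headers, "X-Frame-Options")
            and "frame-ancestors" not in _get(headers, "Content-Security-Policy")):
        findings.append("X-Frame-Options Header Not Set")
    if _get(headers, "X-Content-Type-Options").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options Header Missing")
    directives = {d.strip().lower()
                  for d in _get(headers, "Cache-Control").split(",") if d.strip()}
    if not ({"no-store", "no-cache"} & directives):
        findings.append("Incomplete or No Cache-control and Pragma HTTP Header Set")
    if _get(headers, "X-Powered-By"):
        findings.append('Server Leaks Information via "X-Powered-By"')
    return findings


if __name__ == "__main__":
    # Constructed sample: what a bare web2py page response looks like.
    sample = {"Content-Type": "text/html; charset=utf-8", "X-Powered-By": "web2py"}
    print("before:", audit_headers(sample))
    harden_headers(sample)
    print("after: ", audit_headers(sample))
    print(sample)
```

Because the response headers are set in a model, they apply to every dynamic page of the app; the no-store cache policy is appropriate for authenticated HTML but should not be blanket-applied to static assets, which web2py serves from `static/` without running the models anyway. Anything a front proxy adds or overwrites afterwards will still show up in the scanner, so re-run the audit against the headers as seen from outside.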