OWASP 10: Security vulnerabilities with default http server

Glen Newton

Aug 16, 2015, 12:02:04 PM8/16/15
to golang-nuts
Hello,

The Open Web Application Security Project (OWASP)[1] is "focused on improving the security of software." [I have no affiliation]
The OWASP Top 10[2] are what OWASP believes to be the 10 most important security vulnerabilities exposed in web applications/infrastructure.

The OWASP Zed Attack Proxy (ZAP)[3] is an "integrated penetration testing tool for finding vulnerabilities in web applications." It tests to see if a web application exposes any of the OWASP Top 10 vulnerabilities.

I compiled the http file server from the http docs (https://golang.org/pkg/net/http/#example_FileServer) with go version go1.4.2 linux/amd64, and ran ZAP against the URL. It found some issues. The report it generated is attached.

It basically was unhappy with 3 headers not being set: X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options, all web security-oriented headers.

Based on this document[4] and the OWASP guidelines[5], I would suggest that the following headers be set with the following values, as the defaults for the http server implemented in the Go standard library:
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
[An argument could be made to set X-Frame-Options: SAMEORIGIN as default]

I am only aware of the OWASP 10 because my organization's cybersecurity arm just had us fix all OWASP 10 vulnerabilities in all of our Internet-facing web apps (with exceptions, like the app is closed and no longer supported, or the company no longer exists...).

Thanks,
Glen

[1]https://www.owasp.org/index.php/Main_Page
[2]https://www.owasp.org/index.php/Top_10_2013-Top_10
[3]https://github.com/zaproxy/zaproxy
[4]https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers
[5]https://www.owasp.org/index.php/List_of_useful_HTTP_headers


go_http_fileserver_zap_report.html

Mihai B

Aug 16, 2015, 3:04:49 PM8/16/15
to golang-nuts
Not all the http APIs are developed for browsers. Isn't a filter more appropriate?

Giulio Iotti

Aug 16, 2015, 3:22:20 PM8/16/15
to golang-nuts
On Sunday, August 16, 2015 at 7:02:04 PM UTC+3, Glen Newton wrote:
Maybe you should just make a rule to use something like secure[1] with every HTTP server you write.

I am not sure the standard library should set any X- header by default. They are non-standard, although those that you mention became quite important for browsers.

-- 
Giulio Iotti
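As an added example (not code from this thread or from the Go project), here is the approach Mihai and Giulio suggest instead of changing the standard library: a small filter/middleware that adds Glen's three headers around the net/http FileServer example, so browser-facing servers get them while a handler that needs a different policy (for example SAMEORIGIN) can still override. The function names and the served directory are assumptions.

```go
package main

import (
	"log"
	"net/http"
)

// DefaultSecurityHeaders are the three headers ZAP reported as missing,
// with the values Glen proposed from the OWASP useful-headers list.
var DefaultSecurityHeaders = map[string]string{
	"X-Frame-Options":        "DENY",
	"X-XSS-Protection":       "1; mode=block",
	"X-Content-Type-Options": "nosniff",
}

// WithSecurityHeaders (hypothetical name) wraps any http.Handler and writes
// the given headers before the wrapped handler runs. Because the wrapped
// handler runs afterwards, it can still call w.Header().Set to override a
// value for a page that must be framed or for a non-browser API.
func WithSecurityHeaders(headers map[string]string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		for name, value := range headers {
			h.Set(name, value)
		}
		next.ServeHTTP(w, r)
	})
}

// NewFileServer (hypothetical name) is the docs' FileServer example wrapped
// with the default headers. Responses to every path, including 404s for
// missing files, carry them because they are set before the handler writes.
func NewFileServer(dir string) http.Handler {
	return WithSecurityHeaders(DefaultSecurityHeaders, http.FileServer(http.Dir(dir)))
}

func main() {
	// Assumed directory and port; adjust for your deployment.
	log.Fatal(http.ListenAndServe(":8080", NewFileServer("/usr/share/doc")))
}
```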