Web Browser XSS Protection not enabled

Steve Smith

Jun 18, 2017, 12:15:42 PM
to OWASP ZAP User Group
Hi,

I am new to OWASP ZAP and Linux.

I am trying to secure an Ubuntu LAMP website.

I believe I have been quite successful in locking the server down.

So I thought I would try ZAP to see the results, running on Kali.

What I do not understand is why I get alerts for:

ip/sitemaps.xml (the file does not exist on the server)
various folders
ip/xxx/index.php

web browser XSS Protection is not enabled.

When I use chrome to inspect the site I can see

Server:Apache
Vary:Accept-Encoding
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-XSS-Protection:1; mode=block

Do I have to add X-XSS to various folders?


Any recommendation on training material / books would be very helpful.

Regards

Steve



kingthorin+owaspzap

Jun 19, 2017, 8:27:02 AM
to OWASP ZAP User Group
You can see the code for the test here: https://github.com/zaproxy/zap-extensions/blob/master/src/org/zaproxy/zap/extension/pscanrules/HeaderXssProtectionScanner.java

It looks for the header on every HTML response (or text response if threshold is low). Check the response listed in ZAP that corresponds to the Alert in question. Checking via Chrome may be incorrect for more than one reason:
  • May not be the exact same URL/response.
  • The app may have browser dependent responses.
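To make the reply above concrete, here is an added example (not the ZAP scanner's own code, and not anything posted in this thread) that approximates the passive check in Python and runs it over a handful of constructed raw HTTP responses. The rules are assumptions that follow the reply's description: only responses with a body are checked; at the default threshold only `text/html` responses count, at the Low threshold any `text/*` response does; and the header is accepted only when its value begins with `1`. The constructed 404 for `sitemaps.xml` shows why a header that Chrome sees on the index page can still be reported missing elsewhere: the missing file produces a separate `text/html` error response that carries its own headers.

```python
"""Approximation of ZAP's X-XSS-Protection passive check over raw HTTP responses.

Added example; the rules below are assumptions that mirror the reply's description,
not the ZAP scanner's source.
"""
from typing import Dict, Optional, Tuple


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 response into (status, headers, body).

    Header names are lower-cased so lookups are case-insensitive, as HTTP requires.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def xss_protection_alert(raw: bytes, low_threshold: bool = False) -> Optional[str]:
    """Return a reason string when the response would raise the alert, else None."""
    status, headers, body = parse_response(raw)
    if not body:
        return None  # assumption: nothing rendered, nothing to check
    ctype = headers.get("content-type", "").lower()
    is_html = ctype.startswith("text/html")
    is_text = ctype.startswith("text/")
    if not (is_html or (low_threshold and is_text)):
        return None  # non-HTML (or non-text at Low) responses are skipped
    value = headers.get("x-xss-protection")
    if value is None:
        return f"{status}: header missing"
    if not value.startswith("1"):
        return f"{status}: header present but filter disabled ({value})"
    return None


# Constructed sample responses (not captured from any real server).
INDEX_OK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

# Apache-style error page for a file that does not exist: text/html, no XSS header.
SITEMAP_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1></body></html>"
)

CSS_NO_HEADER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/css\r\n"
    b"\r\n"
    b"body { color: black; }"
)

FILTER_DISABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"X-XSS-Protection: 0\r\n"
    b"\r\n"
    b"<html><body>filter off</body></html>"
)

SAMPLES = {
    "/index.php": INDEX_OK,
    "/sitemaps.xml": SITEMAP_404,
    "/style.css": CSS_NO_HEADER,
    "/legacy.php": FILTER_DISABLED,
}


def scan_samples(low_threshold: bool = False) -> Dict[str, Optional[str]]:
    """Run the check over every sample and map each path to its alert reason (or None)."""
    return {path: xss_protection_alert(raw, low_threshold) for path, raw in SAMPLES.items()}


if __name__ == "__main__":
    for threshold, low in (("Medium", False), ("Low", True)):
        print(f"threshold={threshold}")
        for path, reason in scan_samples(low).items():
            print(f"  {path}: {reason or 'no alert'}")
```

The practical point for an Apache setup is that a bare `Header set` in mod_headers applies to successful (2xx) responses only; `Header always set X-XSS-Protection "1; mode=block"` also covers the 404 error pages that ZAP's spider triggers for paths such as `sitemaps.xml`. Either way, the response to inspect is the one ZAP recorded for the alert, not what Chrome shows for a different URL.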