AttackFlow Findings Dictionary


Insecure X-XSS-Protection Configuration

An attacker can leverage XSS to steal user-related information, or to steal end users' credentials by making the application show them fake, rogue interfaces or HTML.

Severity: Low

Fix Cost: Low

Trust Level: High

From Internet Explorer 8 onwards, Microsoft uses the value of the X-XSS-Protection HTTP header to prevent a few categories of XSS attacks dynamically. This client-side prevention is supported in Chrome, Safari and Internet Explorer.

In browsers, X-XSS-Protection works as follows: if malicious input is reflected in the HTML document, either the reflected part is removed or the whole document is not rendered. The browser may show a warning and will not allow certain JavaScript to execute.

The default value of X-XSS-Protection is 1 (when the header does not appear in the HTTP response), which means the "unsafe" parts are removed from the returned document.

The mechanism itself has shortcomings: false positives that can be abused, and possible bypasses.

However, developers sometimes find this behaviour of removing parts of the returned document "pesky", and disable the protection by setting the header to 0, as below:

            
Response.AppendHeader("X-XSS-Protection", "0");

or in Web.config

<httpProtocol>
    <customHeaders>
        <remove name="X-Powered-By" />
        <add name="X-XSS-Protection" value="0" />
    </customHeaders>
</httpProtocol>
                    
              


            
The same in a Java application:

response.addHeader("X-XSS-Protection", "0");

or in Spring Security XML configuration

<http>
    <headers>
        <xss-protection block="false"/>
    </headers>
</http>
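To detect this finding in practice, the check below (an added example, not part of the AttackFlow dictionary or of either framework) parses the X-XSS-Protection header out of a raw HTTP response and maps it to the states described above: absent (browser default 1), 0 (the insecure configuration this finding reports), 1 (reflected part removed) and 1; mode=block (whole document not rendered). The sample responses are constructed for the example.

```python
from typing import Optional

# Constructed sample HTTP responses (header section only); not captured from any real site.
SAMPLE_RESPONSES = {
    "disabled": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-XSS-Protection: 0\r\n\r\n",
    "absent":   "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "filter":   "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1\r\n\r\n",
    "block":    "HTTP/1.1 200 OK\r\nx-xss-protection: 1; mode=block\r\n\r\n",
}


def get_header(raw: str, name: str) -> Optional[str]:
    """Return the value of the first header called `name` (case-insensitive), or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def classify_xss_protection(value: Optional[str]) -> str:
    """Map an X-XSS-Protection value to the states used in this finding.

    absent   -> header missing, browser default (1) applies
    disabled -> explicit "0": the insecure configuration this finding reports
    filter   -> "1": the reflected part is removed
    block    -> "1; mode=block": the whole document is not rendered
    unknown  -> any other value
    """
    if value is None:
        return "absent"
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    if not directives:
        return "unknown"
    if directives[0] == "0":
        return "disabled"
    if directives[0] == "1":
        return "block" if "mode=block" in directives[1:] else "filter"
    return "unknown"


def audit(raw: str) -> dict:
    """Audit one raw response; `finding` is True only for the explicit 0 setting."""
    value = get_header(raw, "X-XSS-Protection")
    state = classify_xss_protection(value)
    return {"value": value, "state": state, "finding": state == "disabled"}
```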
                   
