Details
- Type: Improvement
- Resolution: Fixed
- Priority: Major
- Version: 3.18.1
Description
NXRM was scanned using Trustwave App Scanner (formerly known as Cenzic Hailstorm) software and violations for CWE-693 were detected for the following requests/responses:
HTTP Request:
GET /service/extdirect/poll/rapture_State_get?_dc=1560398708204 HTTP/1.1
Host: nexusrm.example.com:8443
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, */*
Accept-Language: en-us,en;q=0.5, en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Connection: keep-alive, keep-alive
X-Nexus-UI: true
NX-ANTI-CSRF-TOKEN: 0.6153046113914841
X-Requested-With: XMLHttpRequest
Referer: https://nexusrm.example.com:8443/

HTTP Response:
HTTP/1.1 200 OK
Date: Thu, 03 Oct 2019 15:42:51 GMT
Server: Nexus/3.18.1-01 (PRO)
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=utf-8
Content-Length: 11137

HTTP Request:
POST /service/rapture/session HTTP/1.1
Host: nexusrm.example.com:8443
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, */*
Accept-Language: en-us,en;q=0.5, en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Connection: keep-alive, keep-alive
X-Nexus-UI: true
NX-ANTI-CSRF-TOKEN: 0.6153046113914841
X-Requested-With: XMLHttpRequest
Referer: https://nexusrm.example.com:8443/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 57

HTTP Response:
HTTP/1.1 204 No Content
Date: Thu, 03 Oct 2019 15:43:11 GMT
Server: Nexus/3.18.1-01 (PRO)
X-Content-Type-Options: nosniff
Set-Cookie: NXSESSIONID=f41c144e-f014-45dd-baf4-a9dd2d599926; Path=/; HttpOnly; Secure
Diagnosis
Investigation concluded that these violations appear to be false positives for clickjacking. However, to keep the scanner software from flagging them, it is desirable to return X-Frame-Options headers for these specific requests made from the UI.
Relevant to this ask is the following thread:
The scenario where it makes sense to do this is exactly the one the OP mentioned - running a vulnerability scan.
If you do not return a correct X-Frame-Options header the scan will fail. This matters when proving to customers that your endpoint is safe.
It is much easier to provide your customer a passing report than have to argue why a missing header does not matter.
Remediation Tips
Use any one of the following headers. The header tells the browser whether to allow the page to be loaded inside a frame.
- X-Frame-Options: SAMEORIGIN
- X-Frame-Options: DENY
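The check a scanner performs for this finding, written out as an added example (it is not the issue's code, NXRM code, or the Trustwave scanner). It parses a raw HTTP/1.1 response head and reports whether X-Frame-Options is present exactly once with one of the two values listed above, compared case-insensitively because the fix below emits the value in lower case. The two responses embedded in it are constructed from the headers quoted in this issue: the polling response as scanned, and the same response with the headers the Solution section says NXRM now returns.

```python
"""Scanner-style check for the anti-clickjacking header (CWE-693 finding).

Added example; not the issue's code, NXRM code, or the Trustwave scanner.
"""
from typing import Dict, List

# Response to GET /service/extdirect/poll/... as quoted in the issue: no X-Frame-Options.
# Constructed from the quoted headers; the body is omitted because only headers matter here.
POLL_RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 03 Oct 2019 15:42:51 GMT\r\n"
    "Server: Nexus/3.18.1-01 (PRO)\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: application/json;charset=utf-8\r\n"
    "Content-Length: 11137\r\n"
    "\r\n"
)

# Same response with the headers the Solution section says NXRM now returns (constructed).
POLL_RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 03 Oct 2019 15:42:51 GMT\r\n"
    "Server: Nexus/3.18.1-01 (PRO)\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: deny\r\n"
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate, post-check=0, pre-check=0\r\n"
    "Content-Type: application/json;charset=utf-8\r\n"
    "Content-Length: 11137\r\n"
    "\r\n"
)

# The two values the remediation tips name, compared case-insensitively.
ACCEPTED_VALUES = {"deny", "sameorigin"}


def parse_head(raw: str) -> Dict[str, List[str]]:
    """Split a raw response into a name -> [values] map (names lower-cased, repeats kept)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line; ignore rather than crash
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_frame_options(raw: str) -> List[str]:
    """Return findings for the X-Frame-Options header; an empty list means the check passes."""
    values = parse_head(raw).get("x-frame-options", [])
    if not values:
        return ["X-Frame-Options header missing"]
    if len(values) > 1:
        # Repeated or conflicting values are ambiguous to browsers; report rather than guess.
        return [f"X-Frame-Options sent {len(values)} times: {values}"]
    if values[0].lower() not in ACCEPTED_VALUES:
        return [f"X-Frame-Options value {values[0]!r} is not DENY or SAMEORIGIN"]
    return []


if __name__ == "__main__":
    for label, raw in (("before", POLL_RESPONSE_BEFORE), ("after", POLL_RESPONSE_AFTER)):
        print(label, check_frame_options(raw) or "pass")
```

Running the block flags the scanned response and passes the corrected one; a repeated header or a value other than the two recommended ones is reported as a finding instead of being silently accepted.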
Solution
The following changes have been made to avoid the false positives reported by scanners.
For these URLs:
- /service/extdirect/*
- /service/rapture/session
NXRM will now return an additional response header:
X-Frame-Options: deny
And a Cache-Control response header value that used to be:
post-check=0, pre-check=0
and is now:
no-cache, no-store, max-age=0, must-revalidate, post-check=0, pre-check=0
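The header change described in this Solution section, implemented as a WSGI middleware so it can be run and tested here. This is an added example and not NXRM's servlet code (NXRM is a Java application); the `HARDENED_PATHS` glob list, the `FrameOptionsMiddleware`, `demo_app` and `run` names are this example's own. It applies the two rules the issue states only to the two URL patterns above: add `X-Frame-Options: deny`, and replace the old `Cache-Control` value with the new one; responses for any other path are passed through unchanged.

```python
"""Path-scoped response-header hardening modelled on the change in this issue.

Added example, not NXRM code. Path patterns, header values and the before/after
Cache-Control strings are taken from the issue text; everything else is assumed.
"""
import fnmatch
from typing import Dict, List, Tuple

from wsgiref.util import setup_testing_defaults

# URL patterns the issue says now get the extra headers (fnmatch's '*' also spans '/').
HARDENED_PATHS = ("/service/extdirect/*", "/service/rapture/session")
OLD_CACHE_CONTROL = "post-check=0, pre-check=0"
NEW_CACHE_CONTROL = "no-cache, no-store, max-age=0, must-revalidate, post-check=0, pre-check=0"

Header = Tuple[str, str]


def path_is_hardened(path: str) -> bool:
    """True when the request path matches one of the hardened URL patterns."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in HARDENED_PATHS)


def harden_headers(path: str, headers: List[Header]) -> List[Header]:
    """Return the response headers with the issue's additions applied; no-op for other paths."""
    if not path_is_hardened(path):
        return list(headers)
    # Drop any existing copies first so the response never carries the header twice
    # (design choice of this example: a duplicated header is ambiguous to browsers).
    kept = [(n, v) for n, v in headers if n.lower() not in ("x-frame-options", "cache-control")]
    kept.append(("X-Frame-Options", "deny"))
    kept.append(("Cache-Control", NEW_CACHE_CONTROL))
    return kept


class FrameOptionsMiddleware:
    """Wraps a WSGI app and rewrites response headers for the hardened paths."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")

        def wrapped_start_response(status, headers, exc_info=None):
            return start_response(status, harden_headers(path, headers), exc_info)

        return self.app(environ, wrapped_start_response)


def demo_app(environ, start_response):
    """Stand-in for the real endpoints: emits the Cache-Control value the issue says was returned before."""
    start_response("200 OK", [("Content-Type", "application/json;charset=utf-8"),
                              ("Cache-Control", OLD_CACHE_CONTROL)])
    return [b"{}"]


def run(path: str) -> Tuple[str, Dict[str, str]]:
    """Invoke the wrapped demo app for one path and return (status, headers as a dict)."""
    environ: Dict[str, object] = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    b"".join(FrameOptionsMiddleware(demo_app)(environ, start_response))
    return captured["status"], captured["headers"]  # type: ignore[return-value]


if __name__ == "__main__":
    for p in ("/service/extdirect/poll/rapture_State_get", "/service/rapture/session", "/repository/x/"):
        print(p, run(p)[1])
```

The pattern match is done on `PATH_INFO`, so the `?_dc=...` query string in the scanned request does not affect it. Restricting the headers to these paths mirrors the issue's narrow scope; a deployment that wants frame protection for the whole UI would widen `HARDENED_PATHS` rather than add per-endpoint rules.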
Issue Links
- testing discovered: NEXUS-21561 ServletHelper Cache-Control header value duplication (New)