SV: Vulnerability - X-Frame-Options or Content-Security-Policy: frame-ancestors HTTP Headers missing on port 51112

Article ID: 201461

Products

CA Cloud Test Mobile CA Application Test

Issue/Introduction

HTTP Security Header Not Detected:

X-Frame-Options or Content-Security-Policy: frame-ancestors HTTP Headers missing on port 51112.
X-XSS-Protection HTTP Header missing on port 51112.
X-Content-Type-Options HTTP Header missing on port 51112.

Port 51112 (Occupied by Java)

The only application using Java on this machine is DevTest. 

Cause

The IdentityAccessManager (IAM) listener on port 51112 does not add these HTTP response headers by default, so the security scan reports them as missing.

Environment

Release : 10.6 & 10.7

Component : CA Service Virtualization

Resolution

Follow the steps below:
 
1. Go to the <LISA_HOME>/IdentityAccessManager/standalone/configuration folder.
 
2. Take a backup of standalone.xml.
 
3. Open standalone.xml from that folder.
 
4. Search for the <subsystem xmlns="urn:jboss:domain:undertow:4.0"> block (10.6) or the <subsystem xmlns="urn:jboss:domain:undertow:12.0"> block (10.7.x) and locate the <host> tag inside it.
 
5. Inside the <host> tag, immediately after <http-invoker security-realm="ApplicationRealm"/>, add the following lines:
    <filter-ref name="X-Frame-Options"/>
    <filter-ref name="x-xss-protection"/>
    <filter-ref name="strict-transport-security"/>
    <filter-ref name="content-security-policy"/>
    <filter-ref name="x-Content-type-options"/>
  
6. Now add the following <filters> block to the same <subsystem xmlns="urn:jboss:domain:undertow:4.0"> block (10.6) or <subsystem xmlns="urn:jboss:domain:undertow:12.0"> block (10.7.x), as a sibling of <handlers>, immediately after the closing </handlers> tag:
 
    <filters>
       <response-header name="X-Frame-Options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
       <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
       <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
       <response-header name="content-security-policy" header-name="content-security-policy" header-value="default-src ; style-src 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;"/>
       <response-header name="x-Content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
    </filters>
 
    Each response-header filter adds one header to every response served by the host that references it through a filter-ref, so the name attribute of each filter must match the corresponding filter-ref name exactly, including case. The content-security-policy value above is permissive (script-src * 'unsafe-inline' 'unsafe-eval' and frame-src *): it satisfies the scanner's presence check but gives little real XSS protection, so tighten it only after testing the IAM console against the stricter policy. Clickjacking protection here comes from X-Frame-Options: SAMEORIGIN; the CSP equivalent is the frame-ancestors 'self' directive, which can be appended to the same header value if the scanner asks for it specifically. X-XSS-Protection is deprecated and ignored by most current browsers; it is included only because the scan reports it.
 
7. What the section looks like after the changes:
 
        </subsystem>
      <subsystem xmlns="urn:jboss:domain:undertow:4.0"> or   <subsystem xmlns="urn:jboss:domain:undertow:12.0">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" security-realm="iamRealm" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                    <filter-ref name="X-Frame-Options"/>
                    <filter-ref name="x-xss-protection"/>
                    <filter-ref name="strict-transport-security"/>
                    <filter-ref name="content-security-policy"/>
                    <filter-ref name="x-Content-type-options"/>
                </host>
            </server>
            <servlet-container name="default">
                <jsp-config/>
                <websockets/>
            </servlet-container>
            <handlers>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>
            <filters>
                <response-header name="X-Frame-Options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
                <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
                <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
                <response-header name="content-security-policy" header-name="content-security-policy" header-value="default-src ; style-src 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;"/>
                <response-header name="x-Content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
            </filters>
        </subsystem>

8. Save and exit.
9. Restart IAM.
10. Have the security team re-run the scan to confirm that the findings are no longer reported.
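Before asking the security team to re-run the scan, the headers can be confirmed from the DevTest host itself. The script below is an added example for this article, not code from DevTest or IAM. It assumes IAM answers on https://localhost:51112/ (hostname, scheme and path are assumptions; pass others on the command line) and that the certificate may be self-signed, so verification is disabled for the local check. check_headers evaluates a response's headers against the five headers configured above; because the scan finding accepts either X-Frame-Options or a CSP frame-ancestors directive, the clickjacking check treats those two as alternatives, which goes slightly beyond the article's own configuration.

```python
"""Check an HTTP(S) endpoint for the security headers added to standalone.xml.

Added example for this article, not DevTest/IAM code. The default host,
port, scheme and path are assumptions; adjust them to the IAM listener.
"""
import http.client
import ssl
import sys

# Header name -> acceptance check. HTTP header names are case-insensitive,
# so they are compared lower-cased; values get a loose sanity check rather
# than an exact match so a slightly different but sound value still passes.
EXPECTED = {
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-xss-protection": lambda v: v.strip().startswith("1"),
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: bool(v.strip()),
}


def check_headers(headers):
    """Classify response headers as missing, weak or ok.

    headers: iterable of (name, value) pairs in any case, as returned by
    http.client.HTTPResponse.getheaders().
    Returns {"missing": [...], "weak": [...], "ok": [...]} with lower-cased
    header names; "weak" means present but failing the acceptance check.
    """
    present = {}
    for name, value in headers:
        present.setdefault(name.lower(), value)  # keep the first occurrence
    missing, weak, ok = [], [], []
    for name, accept in EXPECTED.items():
        if name not in present:
            missing.append(name)
        elif not accept(present[name]):
            weak.append(name)
        else:
            ok.append(name)
    # The scan finding accepts either X-Frame-Options or a CSP
    # frame-ancestors directive for clickjacking, so do the same here.
    csp = present.get("content-security-policy", "")
    if "x-frame-options" in missing and "frame-ancestors" in csp.lower():
        missing.remove("x-frame-options")
        ok.append("x-frame-options (via CSP frame-ancestors)")
    return {"missing": missing, "weak": weak, "ok": ok}


def fetch_headers(host, port, path="/", use_tls=True, verify=True):
    """Send one GET request and return the response headers as (name, value) pairs."""
    if use_tls:
        ctx = ssl.create_default_context()
        if not verify:  # assumption: IAM may present a self-signed certificate
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()


if __name__ == "__main__":
    # usage: check_headers.py [host] [port] [https|http]  (defaults are assumptions)
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 51112
    use_tls = (sys.argv[3] if len(sys.argv) > 3 else "https") == "https"
    result = check_headers(fetch_headers(host, port, use_tls=use_tls, verify=False))
    for kind in ("missing", "weak", "ok"):
        for name in result[kind]:
            print(f"{kind.upper():8} {name}")
    # Non-zero exit if anything is missing or weak, so the check can gate a restart.
    sys.exit(1 if result["missing"] or result["weak"] else 0)
```

Run it once before the change to see the five headers reported as MISSING, then again after restarting IAM; every header should then be reported as OK. If a header shows as WEAK, the filter is being applied but its header-value in standalone.xml does not match what was intended.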