QUALYS software findings for the Vantage Web Client

Article ID: 212759

Products

Vantage Storage Resource Manager

Issue/Introduction

Our QUALYS software is finding the following deficiencies when scanning the Vantage WebUI. We need the proper configuration in the Vantage WebUI to address this.

The QUALYS software is reporting that the following HTTP headers are missing:  X-Frame-Options, X-XSS-Protection HTTP and X-Content-Type-Options.

Here are some of the diagnostics produced by the QUALYS software:

Please make a request for the starting URI in your web application and check its response headers using a proxy. One or more of the above headers must be missing in the response. 

  • X-Frame-Options response header is used to secure applications against clickjacking vulnerability. A web application is protected against the clickjacking vulnerability if the response page for any link on the site has the above HTTP response header set. In order for the page to be protected, the value for X-Frame-Options should be either DENY or SAMEORIGIN; the value is not case sensitive.
  • X-XSS-Protection HTTP header enables the XSS filter on the browser to prevent cross-site scripting attacks.
  • X-Content-Type-Options HTTP header is used to prevent attacks based on MIME-type mismatch. If this header is set, the content type specified in the Content-Type header is taken into consideration during interpretation of the content.

Environment

Release : 14.0

Component : CA Vantage Storage Resource Manager

Vantage WebUI (Client)

Cause

Various settings in the Vantage Web UI file 'web.xml' need to be activated/enabled/modified to avoid this security exposure.

Resolution

To resolve this problem of missing HTTP headers (as reported by the QUALYS software product) - 'X-Frame-Options', 'X-XSS-Protection HTTP', and 'X-Content-Type-Options' -
we need to enable the HTTP Header Security filter (HttpHeaderSecurityFilter) in Apache Tomcat. Here are the steps to do this:

1. Stop the Vantage WebUI task.

2. Navigate to the 'conf' directory of the tomcat 'runtime' directory and find file 'web.xml', such as:

/WebUI/runtime/apache-tomcat-8.5.51/conf

This location is the Vantage WebUI 'runtime'.

3. Open for edit the file 'web.xml' (you can use ISPF option =3.17 and edit it as ASCII).

4. Navigate to line 493 and uncomment the following section:

<!--
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>
-->

... by removing the '<!--' and '-->' before and after the filter.

5. Navigate to line 590 and uncomment and edit the following section:

<!--
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
-->

... by removing the XML comment markers '<!--' and '-->' before and after the '<filter-mapping>' block, and deleting the line containing '<dispatcher>'.
Your filter mapping should look like this after the change:

0591     <filter-mapping>
0592         <filter-name>httpHeaderSecurity</filter-name>
0593         <url-pattern>/*</url-pattern>
0594     </filter-mapping>
0595

6. Save the file.

7. Start the Vantage WebUI task.

After applying this configuration change, the HTTP response will carry the following headers:

X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

To see the configuration results in the HTTP headers, you can use the 'curl' command, such as:

curl -I http://[URL]:[PORT]/VantageGMI/

The '-I' option sends a HEAD request and prints only the response headers, so no separate '-X HEAD' option is needed (adding it only makes curl print a warning).

You can perform 'curl' from your PC. If you are using Windows 10, it should already be installed:

Open the Windows command prompt (Start -> Run -> cmd)

... then try the 'curl' command from the command prompt. If you are running Linux, then the 'curl' command should already be available. Either way, it is best to have 'curl' available (installed) on your workstation and then perform the 'curl' call to verify the HTTP headers.

Sample output of the 'curl' command:

HTTP/1.1 200
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Accept-Ranges: bytes
ETag: W/"2478-1606940326000"
Last-Modified: Wed, 02 Dec 2020 20:18:46 GMT
Content-Type: text/html
Content-Length: 2478
Date: Mon, 12 Apr 2021 13:53:57 GMT
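As an added example (not part of this article or of the Vantage product), the following POSIX shell function applies the same checks the QUALYS scanner describes to the output of 'curl -I': it reports each of the three headers that is missing and also rejects an X-Frame-Options value other than DENY or SAMEORIGIN (case-insensitive). The two embedded header samples are constructed from the output shown above; the host and port are placeholders.

```shell
#!/bin/sh
# Added verification helper, not from the article or the Vantage product.
# Reads raw HTTP response headers (as printed by 'curl -I') on stdin.

# header_value NAME: prints the first value of the (lowercased) header NAME
# from $hdrs, with trailing whitespace removed; prints nothing if absent.
header_value() {
    printf '%s\n' "$hdrs" | sed -n "s/^$1:[[:space:]]*//p" | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_security_headers: prints one line per problem found; returns 0 when
# all three headers pass the checks, 1 otherwise.
check_security_headers() {
    # Normalise: drop CR from CRLF line endings, lowercase names and values.
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    rc=0
    xfo=$(header_value x-frame-options)
    case "$xfo" in
        deny|sameorigin) ;;                                   # acceptable values
        "") echo "MISSING X-Frame-Options"; rc=1 ;;
        *)  echo "BAD X-Frame-Options value: $xfo"; rc=1 ;;
    esac
    xcto=$(header_value x-content-type-options)
    case "$xcto" in
        nosniff) ;;
        "") echo "MISSING X-Content-Type-Options"; rc=1 ;;
        *)  echo "BAD X-Content-Type-Options value: $xcto"; rc=1 ;;
    esac
    xxp=$(header_value x-xss-protection)
    [ -n "$xxp" ] || { echo "MISSING X-XSS-Protection"; rc=1; }
    return $rc
}

# Constructed sample: headers as returned after the web.xml change above.
SAMPLE_AFTER='HTTP/1.1 200
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html'

# Constructed sample: headers before the change (filter still commented out).
SAMPLE_BEFORE='HTTP/1.1 200
Content-Type: text/html'

# Live usage against a Vantage WebUI (placeholder host and port):
#   curl -sI http://[URL]:[PORT]/VantageGMI/ | check_security_headers
```

Run it against the live server once the filter is enabled; an empty result with exit status 0 means the three headers the scanner looks for are present.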

The Postman user interface can also be used to verify the headers, such as:

https://www.postman.com/

A GET request can be sent to the Vantage WebUI, and the response header section will show the required headers, as demonstrated above.