Security Vulnerabilities
• The no-cache directive means that a browser (or an intermediate cache) may store a
response, but must submit a validation request to the origin server before reusing it.
It does not stop the response from being written to disk.
Cache-Control: no-cache
• The no-store directive means that the response must not be stored in any cache
(browser or intermediary) and must be fetched from the server each time it is
requested. This is the setting for sensitive data, such as personal banking details;
no-cache alone is not enough there.
Cache-Control: no-store
• The must-revalidate response directive indicates that the response can be stored in
caches and reused while fresh. Once it becomes stale, it must be validated with the
origin server before reuse rather than served stale (for example, while the origin is
unreachable).
Cache-Control: max-age=604800, must-revalidate
Cross-Domain JavaScript Source File Inclusion
• The page includes one or more script files from a third-party domain. A script loaded
this way runs with the full privileges of the including page, so a compromise of the
third-party host is equivalent to a cross-site scripting flaw in the application.
• Ensure JavaScript source files are loaded only from trusted sources, and that the
sources can't be controlled by end users of the application (for example, through a
request parameter that is reflected into a script src attribute).
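An added check for this finding, not code from the original page: it lists the third-party script tags in a page that are not pinned with Subresource Integrity (the integrity attribute, which the page itself does not mention but which is the standard way to make a trusted third-party source tamper-evident), and computes the sha384 value used to pin a script whose bytes are known. The HTML sample and host names are constructed for illustration.

```python
# Added example (not from the original page): find cross-origin <script src=...>
# tags without an integrity attribute, and compute SRI values. The sample HTML
# and host names are constructed.
import base64
import hashlib
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed page: one first-party script, one unpinned third-party script, one
# pinned third-party script, and one script from the site's own host.
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="https://cdn.example.net/pinned.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://www.example.com/local.js"></script>
"""


class _ScriptCollector(HTMLParser):
    """Collect (src, integrity) pairs from every <script> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Tuple[str, Optional[str]]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)  # HTMLParser lower-cases attribute names for us
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def unpinned_external_scripts(html: str, own_host: str) -> List[str]:
    """Return src URLs of scripts served from another host and lacking integrity."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings: List[str] = []
    for src, integrity in collector.scripts:
        host = urlparse(src).netloc.lower()
        # Relative URLs and same-host URLs are first-party; they are not this finding.
        if not host or host == own_host.lower():
            continue
        if not integrity:
            findings.append(src)
    return findings


def sri_hash(script_bytes: bytes) -> str:
    """Compute the SRI integrity value (sha384, base64) for a script body."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def sri_matches(script_bytes: bytes, integrity: str) -> bool:
    """True if fetched bytes match the pinned value; a browser with SRI support
    refuses to execute the script when this is false."""
    return sri_hash(script_bytes) == integrity
```

Pinning only helps for scripts whose content is fixed; a third-party URL that serves changing content cannot be pinned and should be self-hosted or dropped.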
X-Content-Type-Options Header Missing
• When the "X-Content-Type-Options" header is missing, the browser may perform MIME type
sniffing when the Content-Type header is not set or its value seems inappropriate for
the bytes received. In other words, when the browser gets the response from the server
it tries to figure out on its own what the type of the content is and how to handle it.
In certain circumstances that can lead to serious security issues (XSS attack).
• For example, if an application allows uploads of .jpg files, an attacker may upload a
file with a .jpg extension that is in fact an HTML file containing a malicious script.
Another user then opens the "image" in their browser. The browser gets the file with
Content-Type: image/jpeg and finds that the body does not look like an image. If MIME
type sniffing is enabled, the browser handles the file as HTML and executes the
malicious script. If MIME type sniffing is disabled by setting the
"X-Content-Type-Options" header, the browser treats the response strictly as an image:
the file fails to render and the script is not executed.
• The header has a single valid value:
X-Content-Type-Options: nosniff
• nosniff only works if the server sends a correct Content-Type in the first place, and
it is defence in depth: the primary fix for the upload scenario is to validate the
uploaded bytes and serve them with the type they really have.
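The upload scenario above in code, as an added example that is not from the original page: the server identifies the uploaded bytes by their signature instead of trusting the .jpg extension, records the real type, and serves the file with that Content-Type plus nosniff; a scanner-style check for the header is included. The signature table, the sample files and the function names are assumptions for illustration.

```python
# Added example (not from the original page): validate an upload by its bytes and
# serve it with an explicit Content-Type plus nosniff, so the browser never falls
# back to guessing. Sample files and helper names are constructed for illustration.
from typing import Dict, Optional, Tuple

# Magic bytes for the image formats this hypothetical application accepts.
SIGNATURES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Constructed samples: a JPEG-looking header, and the attack file from the text,
# an HTML document uploaded under a .jpg name.
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
FAKE_JPG = b"<html><body><script>alert(document.cookie)</script></body></html>"


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify an accepted image format from its leading bytes, or None."""
    for magic, mime in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def accept_upload(filename: str, data: bytes) -> Optional[str]:
    """Decide whether to store an upload. Returns the MIME type to record with the
    file, or None to reject it. The extension in `filename` is deliberately ignored:
    it is attacker-controlled and says nothing about the content."""
    return sniff_image_type(data)


def serve_upload(data: bytes, stored_mime: str) -> Tuple[int, Dict[str, str], bytes]:
    """Build an HTTP response (status, headers, body) for a stored upload with
    MIME sniffing disabled."""
    headers = {
        # Taken from the validated content at upload time, never from the file name.
        "Content-Type": stored_mime,
        # Tell the browser to trust Content-Type as-is and not sniff the body.
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, data


def check_nosniff(headers: Dict[str, str]) -> Optional[str]:
    """Scanner-style check: return a finding if nosniff is missing or wrong.
    Header names and the nosniff token are matched case-insensitively."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "x-content-type-options"), None)
    if value is None:
        return "X-Content-Type-Options header missing"
    if value.strip().lower() != "nosniff":
        return f"X-Content-Type-Options has unexpected value {value!r}"
    return None
```

With this flow the FAKE_JPG upload is rejected before it is ever stored, and even a file that slipped through is served under a type the browser is told not to second-guess.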
Private IP Disclosure
• A private IP address (in 10.0.0.0/8, 172.16.0.0/12, that is 172.16.x.x to 172.31.x.x, or
192.168.0.0/16) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been
found in the HTTP response body. This information might be helpful for further attacks
targeting internal systems.
• Discovering the private addresses used within an organization can help an attacker in
carrying out network-layer attacks aiming to penetrate the organization's internal
infrastructure.
• There is not usually any good reason to disclose the internal IP addresses used within
an organization's infrastructure. If these are being returned in service banners or
debug messages, then the relevant services should be configured to mask the private
addresses. If they are being used to track back-end servers for load balancing
purposes, then the addresses should be rewritten with innocuous identifiers from which
an attacker cannot infer any useful information about the infrastructure.
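A detector and a masking filter for this finding, added here and not part of the original page: it matches the three RFC 1918 ranges and EC2-style ip-a-b-c-d hostnames in a response body, then rewrites each one as an opaque, stable label of the kind the last bullet asks for. The sample body, the label format and the HMAC secret are constructed for illustration.

```python
# Added example (not from the original page): detect private IPv4 addresses and
# EC2-style private hostnames in a response body, and rewrite them as opaque
# labels. The sample body and the masking secret are constructed for illustration.
import hashlib
import hmac
import ipaddress
import re
from typing import List

PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.x.x to 172.31.x.x only
    ipaddress.ip_network("192.168.0.0/16"),
]

# Dotted quads, and EC2-style names such as ip-10-0-56-78 or ip-10-0-56-78.ec2.internal.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
EC2_HOST_RE = re.compile(r"\bip-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})(?:\.[\w.-]+)?\b")

# Assumed per-deployment secret so labels are stable across responses but not
# reversible by an attacker; never reuse a real key here.
MASK_SECRET = b"rotate-me"

# Constructed response body: two private addresses, one private EC2 hostname,
# and three public or non-private addresses that must be left alone.
SAMPLE_BODY = """<!-- served by ip-10-0-56-78.ec2.internal -->
<p>Upstream: 192.168.1.20, mirror 172.20.5.5, cdn 203.0.113.9</p>
<p>Release 172.32.1.1 is not private; 8.8.8.8 is public.</p>
"""


def _is_private(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
        return False
    return any(ip in net for net in PRIVATE_NETS)


def find_private_addresses(body: str) -> List[str]:
    """Return every private IPv4 address or EC2 private hostname in the body."""
    found: List[str] = []
    for m in IPV4_RE.finditer(body):
        if _is_private(m.group(1)) and m.group(1) not in found:
            found.append(m.group(1))
    for m in EC2_HOST_RE.finditer(body):
        dotted = ".".join(m.groups())
        if _is_private(dotted) and m.group(0) not in found:
            found.append(m.group(0))
    return found


def _label(name: str) -> str:
    """Stable opaque identifier for one host, e.g. node-3f9a2c1b."""
    tag = hmac.new(MASK_SECRET, name.encode(), hashlib.sha256).hexdigest()[:8]
    return f"node-{tag}"


def mask_private_addresses(body: str) -> str:
    """Rewrite private addresses and hostnames as labels; leave everything else."""
    body = EC2_HOST_RE.sub(
        lambda m: _label(m.group(0)) if _is_private(".".join(m.groups())) else m.group(0),
        body)
    body = IPV4_RE.sub(
        lambda m: _label(m.group(1)) if _is_private(m.group(1)) else m.group(1),
        body)
    return body
```

Any dotted quad inside the private ranges is reported, so a version string such as 10.0.1.2 produces a false positive; that is the same limitation a pattern-based scanner has, so review hits by hand before filing them.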
Information Disclosure - Sensitive Information in URL
Information Disclosure - Suspicious Comments
Loosely Scoped Cookie
Timestamp Disclosure - Unix