PCI Scan Issues

Hi Team,

We have executed a PCI scan on our application and we are facing the issues below:

1. Path-Based Vulnerability  (CWE-22)

2. Cookie Does Not Contain The "secure" Attribute.
We have enabled the cookies from Lifetime; however, the issue still persists.

3. Path-relative stylesheet import (PRSSI) vulnerability - Need correct steps to add a response header throughout the application/web server to apply X-Frame-Options: deny and X-Content-Type-Options: nosniff

We have enabled the Content Security Policy from Lifetime and it takes <X-Content-Type-Options><nosniff> and <X-Frame-Options><deny> as the response headers itself. However, the issue still persists.


We added a config file from Factory Configuration with <add name="X-Frame-Options" value="SAMEORIGIN" />.


4. Clickjacking - Framable Page  

We have enabled the Content Security Policy from Lifetime; however, the issue still persists.

5. Use of JavaScript Library with Known Vulnerability 

This issue needs an upgraded JS and jQuery version; we did not find any option to use an upgraded version of the same.

Kindly suggest the configuration changes required for the same.

(Generally, the issues are for anonymous pages in the applications)

Thanks in advance.

Neha Agrawal


Hi Neha,


1. Path-Based Vulnerability  (CWE-22)

[Swatantra]: If you are using the on-premise infrastructure, then disable directory browsing in IIS.


2. Cookie Does Not Contain The "secure" Attribute.
[Swatantra]: There are two types of cookies in this subject:

  1. Session cookies: these can be enabled from Lifetime - Factory Configuration.
  2. Application cookies: this needs to be done in the application at the time of calling SetCookie.

Read about secure cookies in detail: How to enable secure session cookies and set application cookies as secure


3. Path-relative stylesheet import (PRSSI) vulnerability - Need correct steps to add a response header throughout the application/web server to apply X-Frame-Options: deny and X-Content-Type-Options: nosniff

We have enabled the Content Security Policy from Lifetime and it takes <X-Content-Type-Options><nosniff> and <X-Frame-Options><deny> as the response headers itself. However, the issue still persists.

We added a config file from Factory Configuration with <add name="X-Frame-Options" value="SAMEORIGIN" />.

[Swatantra]: What you have done is already a good start and should be sufficient. However, I once noticed that the custom CSS classes which we define at the page level result in a path-relative stylesheet import vulnerability. To overcome this you may define your custom classes in the application-specific theme. Though, I doubt if it is a considerable practice.


4. Clickjacking - Framable Page  

We have enabled the Content Security Policy from Lifetime; however, the issue still persists.

[Swatantra]: The Content Security Policy can be used to prevent application pages from clickjacking attacks. Read the Content Security Policy references.


5. Use of JavaScript Library with Known Vulnerability 

This issue needs an upgraded JS and jQuery version; we did not find any option to use an upgraded version of the same.

[Swatantra]: OutSystems uses jQuery version 1.8.3, which has known vulnerabilities; this is often reported in security analysis findings. However, this is a false positive finding. The explanation can be found at Penetration testing.


Regards,

Swatantra Kumar
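As an added example (not part of this thread or of the OutSystems product), the following Python script audits a captured HTTP response for the findings discussed above: the clickjacking headers (X-Frame-Options or a CSP frame-ancestors directive), X-Content-Type-Options: nosniff, and the Secure/HttpOnly attributes on every Set-Cookie. The response text and cookie names are constructed sample data; point parse_headers at a real captured response to re-check a page after a configuration change.

```python
"""Audit a raw HTTP response for the header/cookie findings from a PCI scan."""
from email.parser import Parser

# Constructed sample response resembling a page that would fail the scan:
# the visitor cookie has no Secure/HttpOnly and nosniff is absent.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: osVisitor=abc123; Path=/\r\n"
    "Set-Cookie: ASP.NET_SessionId=xyz; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw):
    """Return (status_line, [(lowercased name, value), ...]) from a raw response."""
    head, _, _ = raw.partition("\r\n\r\n")
    status, _, rest = head.partition("\r\n")
    msg = Parser().parsestr(rest)          # keeps duplicate headers (Set-Cookie)
    return status, [(k.lower(), v) for k, v in msg.items()]


def audit(raw):
    """Return a list of finding strings; an empty list means all checks pass."""
    _, headers = parse_headers(raw)
    get = lambda name: [v for k, v in headers if k == name]
    findings = []
    xfo = get("x-frame-options")
    csp_frames = any("frame-ancestors" in v.lower() for v in get("content-security-policy"))
    if not xfo and not csp_frames:
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")
    elif xfo and xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"clickjacking: unexpected X-Frame-Options value {xfo[0]!r}")
    xcto = get("x-content-type-options")
    if not xcto or xcto[0].strip().lower() != "nosniff":
        findings.append("nosniff: X-Content-Type-Options missing or not 'nosniff'")
    for cookie in get("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly attribute")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print("FAIL:", finding)
```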