0

Filerun security

jorgen 9 months ago updated 9 months ago 2

I did a light scan of my filerun site with this tool: https://pentest-tools.com/ And got these warning, happy to see that there were to critical findings :-) Is this something that can/will be adressed in future updates? (tried to clean up the output and make it readable here)


Missing security header: Content-Security-Policy

Response headers do not include the HTTP Content-Security-Policy security header

The Content-Security-Policy (CSP) header activates a protection mechanism implemented in web browsers which prevents exploitation of Cross-Site Scripting vulnerabilities (XSS). If the target application is vulnerable to XSS, lack of this header makes it easily exploitable by attackers.

Configure the Content-Security-Header to be sent with each HTTP response in order to apply the specific policies needed by the application. Read more about CSP: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy


Missing security header: X-Frame-Options

Response headers do not include the HTTP X-Frame-Options security header

Because the `X-Frame-Options` header is not sent by the server, an attacker could embed this website into an iframe of a third party website. By manipulating the display attributes of the iframe, the attacker could trick the user into performing mouse clicks in the application, thus performing activities without user's consent (ex: delete user, subscribe to newsletter, etc). This is called a Clickjacking attack and it is described in detail here: https://owasp.org/www-community/attacks/Clickjacking 

We recommend you to add the `X-Frame-Options` HTTP header with the values `DENY` or `SAMEORIGIN` to every page that you want to be protected against Clickjacking attacks. More information about this issue: https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html


Missing security header: X-XSS-Protection

Response headers do not include the HTTP X-XSS-Protection security header

The `X-XSS-Protection` HTTP header instructs the browser to stop loading web pages when they detect reflected Cross-Site Scripting (XSS) attacks. Lack of this header exposes application users to XSS attacks in case the web application contains such vulnerability.

We recommend setting the X-XSS-Protection header to `X-XSS-Protection: 1; mode=block`. More information about this issue: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection


Missing security header: X-Content-Type-Options

Response headers do not include the X-Content-Type-Options HTTP security header

The HTTP header `X-Content-Type-Options` is addressed to the Internet Explorer browser and prevents it from reinterpreting the content of a web page (MIME-sniffing) and thus overriding the value of the Content-Type header). Lack of this header could lead to attacks such as Cross-Site Scripting or phishing.

We recommend setting the X-Content-Type-Options header such as `X-Content-Type-Options: nosniff`. More information about this issue: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options.


Missing security header: Referrer-Policy

Response headers do not include the Referrer-Policy HTTP security header as well as the <meta> tag with name 'referrer' is not present in the response.

The Referrer-Policy HTTP header controls how much referrer information the browser will send with each request originated from the current web application. For instance, if a user visits the web page "http://example.com/pricing/" and it clicks on a link from that page going to e.g. "https://www.google.com", the browser will send to Google the full originating URL in the `Referer` header, assuming the Referrer-Policy header is not set. The originating URL could be considered sensitive information and it could be used for user tracking.

The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value `no-referrer` of this header instructs the browser to omit the Referer header entirely. Read more: https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns


Server software and technology found

SOFTWARE / VERSION                           CATEGORY

OpenResty                                                 Web servers

Nginx                                                          Web servers, Reverse proxies

ExtJS                                                         JavaScript frameworks

An attacker could use this information to mount specific attacks against the identified software type and version.

We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc. More information about this issue: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server.html.


Security.txt file is missing

Missing: https://domant.tld/.well-known/security.txt

We have detected that the server is missing the security.txt file. There is no particular risk in not creating a valid Security.txt file for your server. However, this file is important because it offers a designated channel for reporting vulnerabilities and security issues.

We recommend you to implement the security.txt file according to the standard, in order to allow researchers or users report any security issues they find, improving the defensive mechanisms of your server. More information about the security.txt standard: https://securitytxt.org/


A lot of those changes can be/need to be implmented yourself with a reverse proxy manager. I personally use Nginx proxy manager for this.

ok, didn't realize that, thanks. I run the same proxy So i will take a look...  Fire up Google and see what I can learn 🤔🙃