WSTG-CONF-XX - Security Header Misconfiguration #1172

Open
websecnl opened this issue Dec 10, 2024 · 13 comments · May be fixed by #1185
Labels
enhancement A new or improved feature for the WSTG or repo new New content to write

Comments

@websecnl

websecnl commented Dec 10, 2024

Can I submit a pull request for a content update for a new CONF item for "Security Header Misconfiguration"?

  • Security Header with an Empty Value
  • Security Header with an invalid value or name (Typos)
  • Overpermissive Security Headers (Allow-Credentials, *)
  • Duplicate Security Headers
  • Legacy Security Headers (which are no longer supported such as HPKP)

There doesn't seem to be one that covers these scenarios yet. Please do let me know if I am wrong.

Otherwise, what do you guys think?

@websecnl websecnl added the enhancement A new or improved feature for the WSTG or repo label Dec 10, 2024
@kingthorin
Collaborator

I'd be fine with this. Just give me a few days to consider if it belongs amongst an existing section.

@websecnl
Author

> I'd be fine with this. Just give me a few days to consider if it belongs amongst an existing section.

Sure, take your time.

@rbsec
Collaborator

rbsec commented Dec 13, 2024

Another one to add to the list would be headers in places where they're not valid, such as a Strict-Transport-Security header being returned in an HTTP response (rather than over HTTPS).
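The checks in the opening post's list plus rbsec's HSTS-over-HTTP case, as an added example that is not from the WSTG or from anyone in this thread: a small Python audit run over a constructed set of response headers. The known/legacy header lists, the accepted X-Frame-Options and X-Content-Type-Options values, and the 0.8 typo-similarity cutoff are assumptions for illustration.

```python
import difflib
from collections import Counter
# Assumed, illustrative lists, not the WSTG's own; header names are matched case-insensitively.
KNOWN = {"strict-transport-security", "content-security-policy", "x-frame-options",
         "x-content-type-options", "referrer-policy", "permissions-policy",
         "access-control-allow-origin", "access-control-allow-credentials"}
LEGACY = {"public-key-pins", "public-key-pins-report-only", "expect-ct", "x-xss-protection"}
VALID_VALUES = {"x-frame-options": {"deny", "sameorigin"}, "x-content-type-options": {"nosniff"}}

def audit_headers(headers, scheme="https"):
    """Return (issue, detail) findings for raw (name, value) pairs; scheme is that of the request."""
    findings = []
    names = [n.lower() for n, _ in headers]
    for (name, value), lname in zip(headers, names):
        if lname not in KNOWN and lname not in LEGACY:
            # Unrecognised name that is nearly a known one: almost certainly a typo.
            near = difflib.get_close_matches(lname, sorted(KNOWN), n=1, cutoff=0.8)
            if near:
                findings.append(("typo-name", f"{name} (did you mean {near[0]}?)"))
            continue
        if lname in LEGACY:
            findings.append(("legacy", name))
        if not value.strip():
            findings.append(("empty-value", name))
        elif lname in VALID_VALUES and value.strip().lower() not in VALID_VALUES[lname]:
            findings.append(("invalid-value", f"{name}: {value}"))
    for lname, count in Counter(names).items():
        if count > 1:
            findings.append(("duplicate", lname))
    last = {n.lower(): v.strip() for n, v in headers}  # dict keeps the last duplicate's value
    if last.get("access-control-allow-origin") == "*":
        findings.append(("overpermissive", "Access-Control-Allow-Origin: *"))
        if last.get("access-control-allow-credentials", "").lower() == "true":
            findings.append(("overpermissive", "Allow-Credentials: true with wildcard origin"))
    if scheme == "http" and "strict-transport-security" in last:
        findings.append(("wrong-context", "Strict-Transport-Security sent over plain HTTP"))
    return findings

SAMPLE = [  # constructed response headers for demonstration, not captured from any site
    ("Strict-Transport-Security", "max-age=31536000"),
    ("X-Frame-Option", "DENY"),                   # typo in the name
    ("X-Content-Type-Options", ""),               # empty value
    ("Referrer-Policy", "no-referrer"), ("Referrer-Policy", "same-origin"),  # duplicate
    ("Public-Key-Pins", "pin-sha256=PLACEHOLDER; max-age=0"),  # legacy HPKP
    ("Access-Control-Allow-Origin", "*"), ("Access-Control-Allow-Credentials", "true"),
]

if __name__ == "__main__":
    for issue, detail in audit_headers(SAMPLE, scheme="http"):
        print(f"{issue:14} {detail}")
```

Passing `scheme="http"` models a response captured over plain HTTP; a real run would feed the raw header list from the client that made the request.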

@kingthorin
Collaborator

I'm really sorry, I'm not ignoring this but I might not get to sit and look at it until after the holidays.

@websecnl
Author

> I'm really sorry, I'm not ignoring this but I might not get to sit and look at it until after the holidays.

No problem, take your time buddy. I'll also be a bit busy until a few weeks into 2025 anyways.

@kingthorin
Collaborator

Okay I finally found a few mins to look at this. Here's my proposal:

  1. For now it's added as a new WSTG-CONF-14 - Test Other HTTP Security Related Headers (or something like that?)
  2. For 5.x we combine 14, 12, and 07 into a single item.

@ThunderSon @rbsec thoughts/complaints? 😄

@rbsec
Collaborator

rbsec commented Jan 2, 2025

Seems reasonable, and gives us a catch-all for any future header checks we want to add.

@websecnl
Author

websecnl commented Jan 2, 2025

> Okay I finally found a few mins to look at this. Here's my proposal:
>
>   1. For now it's added as a new WSTG-CONF-14 - Test Other HTTP Security Related Headers (or something like that?)
>   2. For 5.x we combine 14, 12, and 07 into a single item.
>
> @ThunderSon @rbsec thoughts/complaints? 😄

I'll review it a bit better when I get back from holidays, but so far it sounds fair. Thank you!

@websecnl
Author

websecnl commented Feb 4, 2025

@kingthorin Could you please confirm if under "WSTG-CONF-14" the following apply:

  • Security Header with an Empty Value
  • Security Header with an invalid value or name (Typos)
  • Overpermissive Security Headers (Allow-Credentials, *)
  • Duplicate Security Headers
  • Legacy Security Headers (which are no longer supported such as HPKP)

If so, wouldn't a better name be "WSTG-CONF-14 - Other HTTP Security Header Misconfigurations"?
@ThunderSon @rbsec What do you guys think?

Any ETA on the release of this item?

@kingthorin
Collaborator

Sure I'd be good with that naming.

> Any ETA on the release of this item?

There isn't an ETA. Once someone does the work, it'll be reviewed, and ultimately merged and hit the live release. There is not yet a schedule for the release of v4.3.

@websecnl
Author

websecnl commented Feb 4, 2025

@kingthorin You okay if I do the work? I'll just make the pull request and then you guys can review it.

@kingthorin
Collaborator

Absolutely 💯

@kingthorin kingthorin added this to the v4.3 Release milestone Feb 4, 2025
@kingthorin kingthorin added the new New content to write label Feb 4, 2025
@rbsec
Collaborator

rbsec commented Feb 4, 2025

Sounds good to me.

@websecnl websecnl linked a pull request Feb 5, 2025 that will close this issue