Lack Of Security Headers

Overview of the Vulnerability

Missing HTTP response security headers remove protections that the browser would otherwise enforce, making it easier for an attacker to retrieve sensitive user data through Cross-Site Scripting (XSS), Machine-in-the-Middle (MitM) interception, clickjacking, and some local network attacks. Several HTTP response headers sent by the server to the client, such as Strict-Transport-Security, Content-Security-Policy, X-Frame-Options and X-Content-Type-Options, can be set to harden the application against these well documented attacks. These headers are defence in depth: they reduce the impact of another weakness (an injection point, a downgraded connection, a framed page) rather than remove it.

An advanced attacker can leverage a missing security header to bypass or weaken the browser-side security controls of an application, execute script within a user's browser, or capture data in transit.

Business Impact

Not having security headers implemented following best practices can lead to reputational damage and indirect financial loss to the business, because an advanced attacker can more easily access data through common attack vectors. The degree of impact depends on the sensitivity of the data stored and transmitted by the application and on the sophistication of the attacker.

Steps to Reproduce

  1. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP

  2. Navigate to the following endpoint using a browser: {{URL}}

  3. Capture the request using the HTTP interception proxy and review the response headers

  4. Observe that the security headers are missing or not set according to best practice

Proof of Concept (PoC)

The screenshot below demonstrates the missing or misconfigured header(s):

{{screenshot}}

Guidance

Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards.

Your submission must include evidence of the vulnerability and not be theoretical in nature.

Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

Recommendation(s)

HTTP security headers should be set following best practice to prevent common attacks. Test the chosen values against the application before deploying them: an overly strict Content-Security-Policy can break legitimate scripts and styles, and Strict-Transport-Security with includeSubDomains should only be sent once every subdomain is served over HTTPS, because browsers cache the policy for the full max-age.
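The following script is an added example, not part of the original report template. It covers both the reproduction steps (reviewing a captured response for missing or weak headers) and the recommendation (a header set that passes the same checks). The raw HTTP response is constructed for illustration, and the thresholds and allowed values encoded in the checks are the author's assumptions about what "best practice" means; adjust them to the target's policy.

```python
"""Audit a captured HTTP response for missing or weak security headers.

Added example (not from the original template). WEAK_RESPONSE is a constructed
sample of what an interception proxy might show; RECOMMENDED_HEADERS and the
value checks below are assumptions about best-practice values.
"""
import re

# Constructed sample response: a session cookie, a short-lived HSTS policy and
# nothing else. Not captured from any real system.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Assumed best-practice header set used by harden_response().
RECOMMENDED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Frame-Options": "DENY",
}

SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def parse_response_headers(raw):
    """Return {lowercased-name: value} for the header block of a raw HTTP/1.x response."""
    head, _, _ = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def _check_hsts(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "missing max-age directive"
    if int(m.group(1)) < 31536000:  # one year, the commonly recommended minimum
        return "max-age shorter than one year"
    if "includesubdomains" not in value.lower():
        return "does not include includeSubDomains"
    return None


def _check_xcto(value):
    return None if value.lower() == "nosniff" else "value is not 'nosniff'"


def _check_xfo(value):
    return None if value.upper() in ("DENY", "SAMEORIGIN") else "value is not DENY or SAMEORIGIN"


def _check_csp(value):
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    if not any(d.startswith("default-src") for d in directives):
        return "no default-src directive"
    for d in directives:
        if d.startswith("script-src") and ("'unsafe-inline'" in d or "'unsafe-eval'" in d):
            return "script-src allows unsafe-inline or unsafe-eval"
    return None


def _check_referrer(value):
    return None if value.lower() in SAFE_REFERRER_POLICIES else "policy may leak full URLs cross-origin"


def audit_security_headers(raw):
    """Return a list of (header, problem) findings for a raw HTTP response; [] means clean."""
    headers = parse_response_headers(raw)
    findings = []
    for name, check in (
        ("strict-transport-security", _check_hsts),
        ("x-content-type-options", _check_xcto),
        ("content-security-policy", _check_csp),
        ("referrer-policy", _check_referrer),
    ):
        if name not in headers:
            findings.append((name, "missing"))
        else:
            problem = check(headers[name])
            if problem:
                findings.append((name, problem))
    # Clickjacking: a CSP frame-ancestors directive supersedes X-Frame-Options,
    # so only require X-Frame-Options when the CSP does not cover framing.
    if "frame-ancestors" not in headers.get("content-security-policy", "").lower():
        if "x-frame-options" not in headers:
            findings.append(("x-frame-options", "missing (and no CSP frame-ancestors)"))
        else:
            problem = _check_xfo(headers["x-frame-options"])
            if problem:
                findings.append(("x-frame-options", problem))
    return findings


def harden_response(raw):
    """Return the response with RECOMMENDED_HEADERS added, replacing any existing values."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    wanted = {k.lower() for k in RECOMMENDED_HEADERS}
    kept = [lines[0]] + [l for l in lines[1:] if l.partition(":")[0].strip().lower() not in wanted]
    kept += [f"{k}: {v}" for k, v in RECOMMENDED_HEADERS.items()]
    return "\r\n".join(kept) + sep + body


if __name__ == "__main__":
    for header, problem in audit_security_headers(WEAK_RESPONSE):
        print(f"{header}: {problem}")
    print("hardened findings:", audit_security_headers(harden_response(WEAK_RESPONSE)))
```

To use it against a real target, paste the raw response copied from the proxy into the audit function; the findings list gives the per-header evidence the report asks for in the PoC section, and the hardened output shows a concrete header set to propose in the recommendation.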

For more information on best practices for security headers, please see the following guides:
