X-XSS-Protection

Lack of X-XSS-Protection Header

Overview of the Vulnerability

A missing X-XSS-Protection HTTP response header can allow an attacker to retrieve sensitive user data through Cross-Site Scripting (XSS) attacks. There are multiple HTTP response headers exchanged between server and client that can be implemented to improve security against well-documented vulnerabilities. For example, the X-XSS-Protection security header is honored by legacy versions of Internet Explorer, Safari, and Chrome to stop the client from rendering a page in which a reflected XSS attack has been detected.

An advanced attacker can leverage a missing X-XSS-Protection header to bypass the application's security controls and execute code within a user's browser.

Business Impact

Not having an X-XSS-Protection header can lead to reputational damage and indirect financial loss to the business due to an advanced attacker's ability to access data through an XSS attack. The degree of impact depends on the sensitivity of the data stored and transmitted by the application, and on the sophistication of the attacker's abilities.

Steps to Reproduce

  1. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP

  2. Navigate to the following endpoint using a browser: {{URL}}

  3. Capture the request using the HTTP interception proxy and review the response

  4. Observe that no X-XSS-Protection header is implemented within the HTTP headers

Proof of Concept (PoC)

The screenshot below demonstrates the missing header:

{{screenshot}}

Recommendation(s)

The X-XSS-Protection header should not be relied on in modern browsers, as its filtering behavior can itself introduce XSS vulnerabilities in websites. It has been superseded by the Content Security Policy (CSP) header. The CSP header, Content-Security-Policy, should be used to prevent XSS attacks.

The Content-Security-Policy header should be configured in a way that reduces the attack surface of the application. CSP is not a catch-all control: a permissive policy provides little protection. Therefore, it is important to ensure that the CSP is no more permissive than the application's needs require, and that its directives are set appropriately.

For older browsers that do not support the CSP header, the X-XSS-Protection header should be set to instruct browsers how to filter and block XSS attacks. For example:

X-XSS-Protection: 1; mode=block

This directive enables XSS filtering and prevents rendering of the web page if an XSS attack is detected.
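The following is an added example, not part of the original template, showing how a tester can check a captured response for the two headers discussed above. It checks the Content-Security-Policy script sources for permissive values and checks X-XSS-Protection for the recommended `1; mode=block` value; the header sets at the bottom are constructed samples.

```python
"""Assess XSS-related response headers: CSP first, X-XSS-Protection as a legacy fallback."""
from typing import Dict, List


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def assess_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response's headers (header names compared case-insensitively)."""
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy header")
    else:
        d = parse_csp(csp)
        # script-src governs script execution; browsers fall back to default-src when it is absent
        script = d.get("script-src", d.get("default-src"))
        if script is None:
            findings.append("CSP sets neither script-src nor default-src")
        else:
            # A nonce or hash source makes CSP Level 2+ browsers ignore 'unsafe-inline'
            nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
            if "'unsafe-inline'" in script and not nonce_or_hash:
                findings.append("CSP script sources allow 'unsafe-inline'")
            for weak in ("*", "data:"):
                if weak in script:
                    findings.append(f"CSP script sources allow {weak}")
    xxp = h.get("x-xss-protection")
    if xxp is None:
        findings.append("missing X-XSS-Protection header (legacy browsers only)")
    elif xxp.replace(" ", "").lower() != "1;mode=block":
        findings.append(f"X-XSS-Protection is {xxp!r}, expected '1; mode=block'")
    return findings


# Constructed sample responses: one with no protective headers, one hardened, one permissive.
WEAK_HEADERS = {"Content-Type": "text/html"}
STRONG_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'",
    "X-XSS-Protection": "1; mode=block",
}
PERMISSIVE_HEADERS = {"Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'", "X-XSS-Protection": "0"}
```

Run `assess_headers` against the headers captured in the interception proxy; an empty list means both checks passed.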

For more information, please see:
