Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WSTG-CONF-XX - Security Header Misconfiguration #1172

Open
websecnl opened this issue Dec 10, 2024 · 8 comments
Open

WSTG-CONF-XX - Security Header Misconfiguration #1172

websecnl opened this issue Dec 10, 2024 · 8 comments
Labels
enhancement A new or improved feature for the WSTG or repo

Comments

@websecnl
Copy link

websecnl commented Dec 10, 2024
edited
Loading

Can i submit a pull request for a content update for a new CONF item for "Security Header Misconfiguration"

  • Security Header with a Empty Value
  • Security Header with an invalid value or name (Typos)
  • Overpermissive Security Headers (Allow-Credentials, *)
  • Duplicate Security Headers
  • Legacy Security Headers (which are no longer supported such as HPKP)

There doesnt seem to be anyone which covers these scenarios yet. Please do let me know if I am wrong.

Otherwise, what do you guys think?
@websecnl websecnl added the enhancement A new or improved feature for the WSTG or repo label Dec 10, 2024
@kingthorin
Copy link
Collaborator

I'd be fine with this. Just give me a few days to consider if it belong amongst an existing section

@websecnl
Copy link
Author

I'd be fine with this. Just give me a few days to consider if it belong amongst an existing section

Sure, take your time.

@rbsec
Copy link
Collaborator

rbsec commented Dec 13, 2024

Another one to add to the list would be headers in places where they're not valid - such as a Strict-Transport-Security header being returned in a HTTP response (rather than over HTTPS).

@kingthorin
Copy link
Collaborator

I'm really sorry, I'm not ignoring this but I might not get to sit and look at it until after the holidays.

@websecnl
Copy link
Author

I'm really sorry, I'm not ignoring this but I might not get to sit and look at it until after the holidays.

No problem, take your time buddy. I'll also be a bit busy until a few weeks into 2025 anyways.

@kingthorin
Copy link
Collaborator

Okay I finally found a few mins to look at this. Here's my proposal:

  1. For now it's added as a new WSTG-CONF-14 - Test Other HTTP Security Related Headers (or something like that?)
  2. For 5.x we combine 14, 12, and 07 into a single item.

@ThunderSon @rbsec thoughts/complaints? 😄

@rbsec
Copy link
Collaborator

rbsec commented Jan 2, 2025

Seems reasonable, and gives us a catch-all for any future header checks we want to add.

@websecnl
Copy link
Author

websecnl commented Jan 2, 2025

Okay I finally found a few mins to look at this. Here's my proposal:

  1. For now it's added as a new WSTG-CONF-14 - Test Other HTTP Security Related Headers (or something like that?)
  2. For 5.x we combine 14, 12, and 07 into a single item.

@ThunderSon @rbsec thoughts/complaints? 😄

I'll review it a bit better when I get back from holidays, but so far it sounds fair. Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement A new or improved feature for the WSTG or repo
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rbsec @kingthorin @websecnl