Endava / cats

CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. CATS automatically generates, runs and reports tests with minimum configuration and no coding effort. Tests are self-healing and do not require maintenance.
Apache License 2.0

Changed X-XSS-Protection to follow OWASP standards due to deprecation. #13

Closed LiamRiddell closed 3 years ago

LiamRiddell commented 3 years ago

Modified CheckSecurityHeadersFuzzer.java to check that the X-XSS-Protection header is disabled, in order to align with the OWASP standards, as most browser vendors have deprecated or removed this feature due to the fact that it can introduce additional security issues. Please view the following references:

OWASP: [screenshot]

Mozilla Developer Network Web Docs: [screenshot]

References:
- OWASP - https://owasp.org/www-project-secure-headers/#x-xss-protection
- MDN - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

en-milie commented 3 years ago

Thank you for raising this pull request. Even though this is marked as deprecated, there are still many frameworks using 1; mode=block, which is not totally wrong per se. I would recommend enhancing this class to allow multiple valid values for the same header. An idea on how to do this:
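
As an added illustration of the reviewer's suggestion (this is not code from the CATS project or from this thread), the following Java class keeps a set of accepted values per header instead of a single expected value, so that both the OWASP-recommended `0` and the still widely deployed `1; mode=block` pass for X-XSS-Protection while anything else is reported. The `x-content-type-options` entry, the `check`/`normalise` method names and the sample responses are constructed for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example: a security-header check that accepts more than one valid
 * value per header. Not the CATS project's code; the accepted values for
 * X-XSS-Protection are the two named in the pull-request discussion.
 */
public class SecurityHeadersCheck {

    /** Header name (lower-case) -> set of accepted values (normalised form). */
    private static final Map<String, Set<String>> EXPECTED = new LinkedHashMap<>();

    static {
        // Both the OWASP-recommended "0" and the legacy "1; mode=block" pass.
        EXPECTED.put("x-xss-protection", new HashSet<>(Arrays.asList("0", "1; mode=block")));
        // Hypothetical second entry, to show the map handles several headers.
        EXPECTED.put("x-content-type-options", new HashSet<>(Arrays.asList("nosniff")));
    }

    /** Collapse case and whitespace so "1;  MODE=BLOCK" matches "1; mode=block". */
    static String normalise(String value) {
        return value.trim().toLowerCase(Locale.ROOT).replaceAll("\\s*;\\s*", "; ");
    }

    /**
     * Returns one finding per checked header that is missing or carries a value
     * outside its accepted set; an empty list means every checked header is fine.
     */
    static List<String> check(Map<String, String> responseHeaders) {
        // HTTP header names are case-insensitive, so index the response by lower-case name.
        Map<String, String> byName = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : responseHeaders.entrySet()) {
            byName.put(e.getKey().toLowerCase(Locale.ROOT), e.getValue());
        }

        List<String> findings = new ArrayList<>();
        for (Map.Entry<String, Set<String>> expected : EXPECTED.entrySet()) {
            String header = expected.getKey();
            String actual = byName.get(header);
            if (actual == null) {
                findings.add("missing header: " + header);
            } else if (!expected.getValue().contains(normalise(actual))) {
                findings.add("unexpected value for " + header + ": '" + actual
                        + "' (accepted: " + expected.getValue() + ")");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample responses, not captured from a real service.
        Map<String, String> legacy = new LinkedHashMap<>();
        legacy.put("X-XSS-Protection", "1; mode=block");
        legacy.put("X-Content-Type-Options", "nosniff");

        Map<String, String> modern = new LinkedHashMap<>();
        modern.put("x-xss-protection", "0");
        modern.put("X-Content-Type-Options", "nosniff");

        Map<String, String> bad = new LinkedHashMap<>();
        // Filter enabled without mode=block: not one of the two accepted values,
        // and X-Content-Type-Options is absent altogether.
        bad.put("X-XSS-Protection", "1");

        System.out.println("legacy: " + check(legacy));
        System.out.println("modern: " + check(modern));
        System.out.println("bad:    " + check(bad));
    }
}
```

Keeping the accepted values in a `Set` rather than a single string is the whole change: adding or retiring a value for a header is a one-line edit to the map, and the finding message lists the accepted set so the person reading the report sees why a value was rejected.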

en-milie commented 3 years ago

This is now implemented in https://github.com/Endava/cats/releases/tag/cats-6.0.5