OWASP.org headers

[drwetter]

It doesn't shed a good light on OWASP.

HTTP/1.1 200 OK
Date: Wed, 17 Mar 2021 07:49:21 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=ddfe0ceb2b46d839ba0b066adf413aaa31615967360; expires=Fri, 16-Apr-21 07:49:20 GMT; path=/; domain=.owasp.org; HttpOnly; SameSite=Lax; Secure
CF-Ray: 63149fc2b9cd4180-HAM
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Age: 24
Cache-Control: max-age=600
Expires: Wed, 17 Mar 2021 07:58:56 GMT
Last-Modified: Wed, 17 Mar 2021 01:27:29 GMT
Strict-Transport-Security: Strict-Transport-Security: max-age=31536000; includeSubDomains
Via: 1.1 varnish
CF-Cache-Status: DYNAMIC
cf-request-id: 08e0c22db7000041806eb46000000001
Content-Security-Policy: Content-Security-Policy: default-src 'self' owaspadmin.azurewebsites.net
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Permissions-Policy: geolocation=(self 'https://example.com'); microphone=(); usb=(); camera=()
Referrer-Policy: same-origin
X-Cache: HIT
X-Cache-Hits: 1
X-Content-Type-Options: nosniff
X-Fastly-Request-ID: 59f6634e88efc1329054be989957f0f080ff583d
X-Frame-Options: SAMEORIGIN
X-GitHub-Request-Id: 58FC:1145:28234C8:2954869:6051B468
x-origin-cache: HIT
x-origin-processing-time: 119.0000 ms
x-powered-by: RankSense/CW
x-proxy-cache: MISS
x-rs-cf-app-version: 1.0.45
x-rs-changes-amount: 1
x-rs-fixes-request-time: 451.0000
X-Served-By: cache-fra19180-FRA
X-Timer: S1615967361.697997,VS0,VE1
x-total-processing-time: 570.0000 ms
Server: cloudflare

• HSTS is not working (double header)
• CSP is not working (double header)
• CSP doesn't make sense also if you remove 1x Content-Security-Policy
• XFO is deprecated (use CSP frame-ancestors instead)
• while you're at it: Expect-CT is deprecated from June on
• Permissions-Policy: geolocation=(self 'https://example.com');: was that a copy & paste thing from MDN??
• Permissions-Policy: in principle it can't hurt. But do we allow content which potentially reads mic+cam?
• ACAO *, why ?

What do we do with owaspadmin.azurewebsites.net ? --> Your Functions 3.0 app is up and running Azure Functions is an event-based serverless compute experience to accelerate your development.

compute experience, really?

owaspadmin.azurewebsites.net doesn't redirect to https

[drwetter]

Kudos to Ben, ho pointed me yesterday to the double headers

[hblankenship]

Thank you for pointing out the errors. Much of the above has been updated.

[hblankenship]

That reminds me, as nobody is a web admin, any help formulating a decent CSP for a static website that allows leaders to include images from various sources, add video from various sources, implement all sorts of import tooling and bring in various twitter/facebook/etc media feeds all while keeping things decently locked down would be helpful too.

[drwetter]

Hi @hblankenship

Content-Security-Policy: default-src 'self' https://api.github.com https://*.githubusercontent.com https://*.google-analytics.com https://owaspadmin.azurewebsites.net https://*.twimg.com https://platform.twitter.com https://www.youtube.com; frame-ancestors 'self'; frame-src https://*.vuejs.org https://*.stripe.com https://*.wufoo.com https://*.sched.com https://*.google.com https://*.twitter.com https://www.youtube.com https://w.soundcloud.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cse.google.com https://*.vuejs.org https://*.stripe.com https://*.wufoo.com https://*.youtube.com https://*.meetup.com https://*.sched.com https://*.google-analytics.com https://unpkg.com https://buttons.github.io https://www.google.com https://*.gstatic.com https://*.twitter.com https://*.twimg.com; style-src 'self' 'unsafe-inline' https://www.google.com fonts.googleapis.com https://platform.twitter.com https://*.twimg.com; font-src 'self' fonts.gstatic.com; manifest-src 'self'https://pay.google.com; img-src 'self' data: www.w3.org https://licensebuttons.net https://img.shields.io https://*.twitter.com https://github.githubassets.com https://*.twimg.com https://platform.twitter.com https://*.githubusercontent.com https://*.vercel.app https://*.cloudfront.net https://*.coreinfrastructure.org https://*.securityknowledgeframework.org https://badges.gitter.im https://travis-ci.org https://api.travis-ci.org https://s3.amazonaws.com https://snyk.io https://coveralls.io https://requires.io https://github.com https://*.googleapis.com https://*.google.com https://*.gstatic.com

Do we have really that much third party content?? 😲 Then I think we might do something wrong in the first place. In general you can't catch every thing coming from third parties by CSP. This is a fundamental security question, E.g. lots of the google / twitter hosts are known for using JSONP endpoints. Don't know whether a user of Google or Twitter can control them. If they do: it affects our site. Also: I don't know whether through github PRs the unsafe-inline might hit us.

Maintainability is another general remark: If we have that many host and I suppose it'll change more or less often (enough) you should ask yourself who's going to maintain that?

If you want to maintain that: add object-src: none;

[drwetter]

What is the point with ACAO?

[ben-stock]

On that note: having google-analytics.com in the list of allowed script sources (notwithstanding the 'unsafe-inline'), you open yourself up to arbitrary execution as well. All script from Google Tag Manager (to which you can upload what you want) are also reachable via google-analytics.com. As an example, see https://www.google-analytics.com/gtm/js?id=GTM-PTPBVMC (you'll note that this includes another script, coming from persistent.kittenpics.org, but that could be just arbitrary other code).

For the ACAO: , this is a bit meaningless, but also not really dangerous. It's an entirely public page and even if you can login, ACAO: defaults securely (i.e., credentials requests are not allowed).

[drwetter]

https://www.google-analytics.com/gtm/js?id=GTM-PTPBVMC : w00t! "\u003Cscript src=\"https:\/\/persistent.kittenpics.org\"\u003E\u003C\/script\u003E\n\u003Ch1\u003EAwesome stuff!\u003C\/h1\u003E

https://*.githubusercontent.com includes e.g. https://raw.githubusercontent.com which is cool for attackers. (kudos to hanno)

You're right wrt ACAO. My humble guess was that there's a misconception here with ACAO: * here like I once in a while encounter like "if you don't use that third parties cannot read PDFs / images / other objects from your web site". Of course it does not a harm by itself but it's half way there when in addition e.g. "Access-Control-Allow-Credentials: true" is being used at some dangerous point some time. So what I suggest is to understand is why ACAO is there. Often it just can be removed which I suppose is the case here.

[ben-stock]

For ACAO: * with ACAC: true, there is no security issue. CORS defaults securely, i.e., you have to have an explicit origin allowed when using ACAC: true (see https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Note_3).

[drwetter]

Ah, thanks.

[martinmarsicano]

Nowadays there are some errors in the CSP of the home page.

• https://*.doubleclick.net , must be added to default-src
• data: , must be style-src

Below CSP header includes them and results in no errors. I supposed @hblankenship is the one that can modify this, I didn't find this on any repo.

Content-Security-Policy: default-src 'self' https://api.github.com https://*.githubusercontent.com https://*.google-analytics.com https://owaspadmin.azurewebsites.net https://*.twimg.com https://platform.twitter.com https://www.youtube.com https://*.doubleclick.net; frame-ancestors 'self'; frame-src https://*.vuejs.org https://*.stripe.com https://*.wufoo.com https://*.sched.com https://*.google.com https://*.twitter.com https://www.youtube.com https://w.soundcloud.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://app.diagrams.net https://cdnjs.cloudflare.com https://cse.google.com https://*.vuejs.org https://*.stripe.com https://*.wufoo.com https://*.youtube.com https://*.meetup.com https://*.sched.com https://*.google-analytics.com https://unpkg.com https://buttons.github.io https://www.google.com https://*.gstatic.com https://*.twitter.com https://*.twimg.com; style-src 'self' 'unsafe-inline' https://*.gstatic.com https://cdnjs.cloudflare.com https://www.google.com https://fonts.googleapis.com https://platform.twitter.com https://*.twimg.com data:; font-src 'self' fonts.gstatic.com; manifest-src 'self' https://pay.google.com; img-src 'self' data: www.w3.org https://licensebuttons.net https://img.shields.io https://*.twitter.com https://github.githubassets.com https://*.twimg.com https://platform.twitter.com https://*.githubusercontent.com https://*.vercel.app https://*.cloudfront.net https://*.coreinfrastructure.org https://*.securityknowledgeframework.org https://badges.gitter.im https://travis-ci.org https://api.travis-ci.org https://s3.amazonaws.com https://snyk.io https://coveralls.io https://requires.io https://github.com https://*.googleapis.com https://*.google.com https://*.gstatic.com

With this fixed I thinks this issue can be closed

[drwetter]

1) `object-src: none; `` or any other source is missing.

2) I believe maintaining the list doesn't work, realistically. At least if there's no central instance within OWASP which knows where all the content comes from and can notify the maintainer of any changes needed.

Allow me a remark: Still scratching my head why we have so many third parties delivering content. That is crazy!

[hblankenship]

I made the additions per Martin. Regarding the so many third parties issue - it is either because the foundation utilizes these third parties in the website (vue.js, for instance) or various projects/chapters were already using them and we didn't want to break their pages.