edubadges / audit

Code audit repo for Edubadges

Missing HTTP Strict-Transport-Security Headers #2

Open sveeke opened 6 years ago

sveeke commented 6 years ago

The web servers for badgr-dev2.edubadges.nl do not respond with an HTTP Strict-Transport-Security header. This means there isn't a Strict Transport Security policy in place.

sveeke commented 6 years ago

threatLevel=Low type=Missing HTTP Header

The HTTP Strict Transport Security policy defines a timeframe during which a browser must connect to the web server via HTTPS. Connections using HTTP are not allowed, which means that the user is protected against security downgrade attacks.

Note that the output in the sample request does not show an HSTS header:

POST /api-auth/token HTTP/1.1
Host: badgr-dev2.edubadges.nl
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Referer: https://surf-dev2.edubadges.nl/auth/login
Content-Length: 58
Origin: https://surf-dev2.edubadges.nl
Connection: close

username=stefanpentest%2Bteacher%40gmail.com&password=test

HTTP/1.1 400 Bad Request
Server: nginx/1.12.2
Date: Thu, 07 Jun 2018 01:18:13 GMT
Content-Type: application/json
Connection: close
Vary: Authorization, Cookie
X-Frame-Options: ALLOW-FROM HTTP://CANVAS.EDUBADGES.NL/, HTTPS://CANVAS.EDUBADGES.NL
Access-Control-Allow-Origin: *
Allow: POST, OPTIONS
Content-Length: 68

{"non_field_errors":["Unable to log in with provided credentials."]}

impact: An attacker could trick the user into using the insecure version of the site, or a man-in-the-middle attacker could redirect traffic from the secure version to the insecure version. An attacker then could eavesdrop on the connection and obtain sensitive data.

recommendation: Make sure to set proper HTTP Strict-Transport-Security headers for all web servers that should send out content over HTTPS only.
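
The checker below is an added example for this issue and is not code from the edubadges/audit repo or the Edubadges project. It parses a raw HTTP/1.1 response, looks up the Strict-Transport-Security header case-insensitively and grades the policy the way a browser would read it (RFC 6797: max-age is mandatory, directive names are case-insensitive, only the first header field counts). The RAW_RESPONSE constant is the nginx response quoted above, reproduced as constructed input so the check runs offline; the one-year threshold (MIN_MAX_AGE) is an assumption of this example, not a requirement stated in the issue. The probe() function does the same against a live host and is included for re-testing once the header is deployed.

```python
"""Check an HTTP response for a usable Strict-Transport-Security (HSTS) policy.

Added example for this issue, not code from the edubadges/audit repo. It parses
a raw HTTP/1.1 response, looks up the HSTS header case-insensitively and grades
the policy it finds. RAW_RESPONSE is the nginx response quoted in the issue,
reproduced here as constructed input for the offline check.
"""
import http.client

# One year in seconds, the minimum the HSTS preload list requires. Flagging
# anything shorter is a policy choice of this example, not a fact from the issue.
MIN_MAX_AGE = 31536000

RAW_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: nginx/1.12.2\r\n"
    "Date: Thu, 07 Jun 2018 01:18:13 GMT\r\n"
    "Content-Type: application/json\r\n"
    "Connection: close\r\n"
    "Vary: Authorization, Cookie\r\n"
    "X-Frame-Options: ALLOW-FROM HTTP://CANVAS.EDUBADGES.NL/, HTTPS://CANVAS.EDUBADGES.NL\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Allow: POST, OPTIONS\r\n"
    "Content-Length: 68\r\n"
    "\r\n"
    '{"non_field_errors":["Unable to log in with provided credentials."]}'
)


def parse_headers(raw):
    """Split a raw HTTP/1.1 response into (status line, {lowercase name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not a "Name: value" field
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def evaluate(hsts_values):
    """Grade the Strict-Transport-Security values of one response.

    RFC 6797: max-age is mandatory, directive names are case-insensitive,
    and a user agent honours only the first header field if several are sent.
    """
    result = {"present": bool(hsts_values), "max_age": None,
              "include_subdomains": False, "preload": False, "findings": []}
    if not hsts_values:
        result["findings"].append("HSTS header missing")
        return result
    if len(hsts_values) > 1:
        result["findings"].append("multiple HSTS headers; browsers use the first only")
    for directive in hsts_values[0].split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        result["findings"].append("max-age directive missing or invalid; browsers ignore the header")
    elif result["max_age"] == 0:
        result["findings"].append("max-age=0 clears the policy instead of setting one")
    elif result["max_age"] < MIN_MAX_AGE:
        result["findings"].append(f"max-age={result['max_age']} is below {MIN_MAX_AGE} seconds")
    if not result["include_subdomains"]:
        result["findings"].append("includeSubDomains not set; subdomains stay downgradeable")
    return result


def check_response(raw):
    """Offline check of a captured response, e.g. the one quoted in this issue."""
    _status, headers = parse_headers(raw)
    return evaluate(headers.get("strict-transport-security", []))


def probe(host, path="/", timeout=10):
    """Live check. HSTS is only honoured on HTTPS responses, so connect over TLS."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    values = resp.headers.get_all("Strict-Transport-Security") or []
    conn.close()
    return evaluate(values)


if __name__ == "__main__":
    for finding in check_response(RAW_RESPONSE)["findings"]:
        print("finding:", finding)
```

Run against the quoted response this reports "HSTS header missing". For the nginx front end shown in the response, the usual fix is `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` in the server block that terminates TLS. Two nginx caveats matter here: without the `always` parameter nginx only adds the header to 2xx/3xx responses, and the sample above is a 400; and an `add_header` inside a nested `location` block replaces all `add_header` directives inherited from the enclosing level, so the header is easily lost in one path. Re-run `probe("<host>")` on every HTTPS host after deploying to confirm.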

sveeke commented 6 years ago

I'll do this one when building the new pilot environment.