cloudfoundry/stratos

Config your server to use the "Content-Security-Policy" header with secure policies

sureshhcl opened this issue · 1 comment

Stratos Version

4.4.0

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behaviour

AppScan DAST scan shouldn't show that the response contains the absolute paths and/or filenames of files on the server

Actual behaviour

AppScan DAST scan response contains the absolute paths and/or filenames of files on the server

Steps to reproduce the behavior

AppScan DAST scans for Stratos URL https://ui.169.53.186.50.nip.io. It is possible to retrieve the absolute path of the web server installation, which might help an attacker to develop further attacks and to gain information about the file system structure of the web application.

Log output covering before error and any error statements


Detailed Description

Download the relevant security patch for your web server or web application.

Context

Possible Implementation

The issue header has nothing to do with the content. There is no path in the linked code. Please be careful when creating issues using automated tools: first read what the tool produces and then apply some context.