Insecure or unset HTTP headers - X-XSS Protection - C-Sharp

Insecure or unset HTTP headers - X-XSS Protection - C-Sharp

Need

Implementation of secure and properly configured HTTP headers

Context

  • Usage of C# 8.0 for modern and efficient software development
  • Usage of Microsoft.AspNetCore for building web applications in .NET Core
  • Usage of Microsoft.AspNetCore.Hosting for hosting ASP.NET Core applications
  • Usage of Microsoft.AspNetCore.Builder for configuring and building ASP.NET Core applications
  • Usage of Microsoft.AspNetCore.Http for handling HTTP requests and responses in ASP.NET Core applications
  • Usage of Microsoft.Extensions.Hosting for hosting and managing .NET Core applications

Description

Non compliant code

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
        app.UseHsts();
    }

    app.UseHttpsRedirection();
    app.UseStaticFiles();

    app.UseRouting();

    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute(
            name: "default",
            pattern: "{controller=Home}/{action=Index}/{id?}");
    });

    app.Use(async (context, next) =>
    {
        context.Response.Headers.Add("X-XSS-Protection", "1");
        await next();
    });
}
        
        

The above code is from a typical ASP.NET Core application's Configure method in the Startup.cs file. This method is used to specify how the application will respond to HTTP requests.

The vulnerability lies in the following line of code:

                context.Response.Headers.Add("X-XSS-Protection", "1");

            


The X-XSS-Protection header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP.

However, the X-XSS-Protection header is now deprecated in modern browsers, and its use can introduce additional security issues. For example, attackers can abuse the XSS auditor functionality in older versions of Chrome to expose sensitive information from the page.

Therefore, the use of the X-XSS-Protection header is not recommended. Instead, a strong Content Security Policy should be used.

Steps

  • Remove the line of code that adds the X-XSS-Protection header to the response headers.
  • Implement a Content Security Policy (CSP) to mitigate XSS attacks.
  • Ensure that user input is properly validated and sanitized before displaying it in the application.
  • Use a modern and secure framework or library that automatically handles XSS protection.
  • Regularly update the application and its dependencies to stay protected against new vulnerabilities.

Compliant code

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
        app.UseHsts();
    }

    app.UseHttpsRedirection();
    app.UseStaticFiles();

    app.UseRouting();

    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute(
            name: "default",
            pattern: "{controller=Home}/{action=Index}/{id?}");
    });
}
        
        

The updated code removes the line that adds the X-XSS-Protection header to the response headers. This header is considered deprecated and its use can lead to stored XSS vulnerabilities.

To further enhance the security of the application against XSS attacks, it is recommended to implement a Content Security Policy (CSP). CSP is a security layer that helps detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.

In addition to implementing CSP, it is crucial to ensure that user input is properly validated and sanitized before it is displayed in the application. This can prevent malicious scripts from being injected into the application.

Using a modern and secure framework or library that automatically handles XSS protection can also help to secure the application. Regularly updating the application and its dependencies can ensure that the application stays protected against new vulnerabilities.

References