OWASP, Penetration Testing

OWASP Secure Headers

OWASP Secure Headers Project involves setting headers from the server is easy and often doesn’t require any code changes. Once set, they can restrict modern browsers from running into easily preventable vulnerabilities. OWASP Secure Headers Project intends to raise awareness and use of these headers. – https://www.owasp.org/index.php/OWASP_Secure_Headers_Project

Response Headers
* HTTP Strict Transport Security (HSTS)
* Public Key Pinning Extension for HTTP (HPKP)
* X-Frame-Options
* X-XSS-Protection
* X-Content-Type-Options
* Content-Security-Policy
* X-Permitted-Cross-Domain-Policies

HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. (Strict-Transport-Security).

Public Key Pinning Extension for HTTP (HPKP)
HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates. Can greatly reduce the risk of man-in-the-middle (MITM) attacks and other false authentication problems for their users without incurring undue risk. (Public-Key-Pins)

X-Frame-Options
X-Frame-Options response header improve the protection of web applications against Clickjacking. It declares a policy communicated from a host to the client browser on whether the browser must not display the transmitted content in frames of other web pages. (X-Frame-Options)

X-XSS-Protection
This header enables the Cross-site scripting (XSS) filter in your browser. (X-XSS-Protection)

X-Content-Type-Options
Setting this header will prevent the browser from interpreting files as something else than declared by the content type in the HTTP headers. (X-Content-Type-Options)

Content-Security-Policy
Content Security Policy (CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections. (Content-Security-Policy)

X-Permitted-Cross-Domain-Policies
A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat permission to handle data across domains. When clients request content hosted on a particular source domain and that content make requests directed towards a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain, allowing the client to continue the transaction. You can declare a meta-policy using the X-Permitted-Cross-Domain-Policies HTTP response header. (X-Permitted-Cross-Domain-Policies)

To test a website or a web application, during Penetration Testing, if it makes use of the secure headers you could use the following python script:

https://github.com/maldevel/PenTestKit/blob/master/secure-headers-checker.py

git clone https://github.com/maldevel/PenTestKit.git
pip install -r requirements.txt
python secure-headers-checker.py -H http://example.com