05 Jun 2018
X-XSS-Protection header disabled
05 Jun 2018
The X-XSS-Protection response header is one of the major features of most of the web browsers to stop cross-site scripting. It stops the pages from loading when they detect reflected cross-site scripting attacks. It is found that the X XSS Protection header is disabled in the application. This application is at risk due to its vulnerability to Cross-site Scripting attacks.The X-XSS-Protection header is designed to enable the cross-site scripting filter built into modern web browsers.
X-XSS-Protection: 0 # Disable XSS filtering
X-XSS-Protection: 1 # Enables filtering. If cross site scripting detected - the browser will sanitise
X-XSS-Protection: 1; mode=block # Under this mode, when cross site scripting detected - the browser wont render the page
X-XSS-Protection: 1; report=<reporting-uri> # Enables filtering, when detected - the browser will sanitise and report the violation
Example
X-XSS-Protection: 1; mode=block
Impact
The major impact for this violation is cross-scripting attacks.
Mitigation / Precaution
The only mitigation is to enable the X-XSS-Protection and set the value to 1.
PHP
header("X-XSS-Protection: 1; mode=block");
Apache (.htaccess)
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>
Nginx
add_header "X-XSS-Protection" "1; mode=block";
Latest Articles
Htaccess Bypass
April 30 2021
Insecure File Upload
April 27 2021
Remote Code Execution (RCE)
April 8 2021
Building Application Security in the Azure DevOps Pipeline
February 10 2021
Popular in Injection
Union Query SQL Injection (SQLi)
July 4 2018
Stacked Queries SQL Injection (SQLi)
July 4 2018
SQL injection(SQLi)
July 4 2018
Inline Queries SQL Injection (SQLi)
July 4 2018
Error based SQL Injection (SQLi)
July 4 2018
Categories
Client Side URL Redirect HSTS Cookies Attributes IBM SQL injection injection Time Based Blind SQL Injection SSL Injection CRLF Content Security Policy CSRF CORS Information Leakage status code SRI metadata X-XSS-Protection owasp Clickjacking XSS Cookies Directory traversal DOM XSS RFI SQL Injection Blind SQL Injection XML Injection blog Web Server TLS WordPress web security SMB Cyber attacks AI Web server Wordpress DATA SECURITY DOMECTF2020 Container security CMS Security Data Security Code Execution Content security policy Htaccess
Latest Articles
