Product
Features Why Beagle Security? How it works? Free Security Testing DevSecOps OWASP Security Testing WordPress Security Testing
Solutions
SaaS Fintech Healthcare Education E-commerce
Pricing Blog
05 Jun 2018

X-XSS-Protection header disabled

05 Jun 2018
OWASP 2013-A5 OWASP 2017-A6 CWE-693 ISO27001-A.14.1.2 WASC-15 WSTG-INPV-01

The X-XSS-Protection response header is one of the major features of most of the web browsers to stop cross-site scripting. It stops the pages from loading when they detect reflected cross-site scripting attacks. It is found that the X XSS Protection header is disabled in the application. This application is at risk due to its vulnerability to Cross-site Scripting attacks.The X-XSS-Protection header is designed to enable the cross-site scripting filter built into modern web browsers.

    X-XSS-Protection: 0                              # Disable XSS filtering
    X-XSS-Protection: 1                              # Enables filtering. If cross site scripting detected - the browser will sanitise
    X-XSS-Protection: 1; mode=block                  # Under this mode, when cross site scripting detected - the browser wont render the page
    X-XSS-Protection: 1; report=<reporting-uri>        # Enables filtering, when detected - the browser will sanitise and report the violation

Example

    X-XSS-Protection: 1; mode=block

Impact

The major impact for this violation is cross-scripting attacks.

Mitigation / Precaution

The only mitigation is to enable the X-XSS-Protection and set the value to 1.

PHP

    header("X-XSS-Protection: 1; mode=block");

Apache (.htaccess)

    <IfModule mod_headers.c>
      Header set X-XSS-Protection "1; mode=block"
    </IfModule>

Nginx

    add_header "X-XSS-Protection" "1; mode=block";

Latest Articles

API Security Testing: Importance, Risks and Best Practices
August 27 2021
POODLE Attack
July 14 2021
VBulletin SQLI
June 16 2021
VBulletin Pre-Auth RCE
June 16 2021
FuelCMS 1.4.1 - Remote Code Execution
June 16 2021

Explore morearrow



Popular in Injection

Union Query SQL Injection (SQLi)
July 4 2018
Stacked Queries SQL Injection (SQLi)
July 4 2018
SQL injection(SQLi)
July 4 2018
Inline Queries SQL Injection (SQLi)
July 4 2018
Error based SQL Injection (SQLi)
July 4 2018

Explore morearrow

Categories

Client Side URL Redirect HSTS Cookies Attributes IBM SQL injection injection Time Based Blind SQL Injection SSL Injection CRLF Content Security Policy CSRF CORS Information Leakage status code SRI metadata X-XSS-Protection owasp Clickjacking XSS Cookies Directory traversal DOM XSS RFI SQL Injection Blind SQL Injection XML Injection blog Web server TLS WordPress web security SMB Cyber attacks AI Wordpress Data Security DOMECTF2020 Container security CMS Security Code Execution Content security policy Htaccess Bypass

Latest Articles

Explore More
POODLE Attack
SSL
POODLE Attack
14 Jul 2021
HTTP Request Smuggling
Bypass
HTTP Request Smuggling
09 Jun 2021
Vulnerable Javascript Library
Vulnerable Javascript Library
08 Jun 2021
Serverless Computing: Security and Challenges
Serverless Computing: Security and Challenges
31 May 2021
Cross Domain JavaScript Source File Inclusion
Cross Domain JavaScript Source File Inclusion
21 May 2021
Htaccess Bypass
Htaccess
Htaccess Bypass
30 Apr 2021
Insecure File Upload
Insecure File Upload
27 Apr 2021
Content Security Policy (CSP): Use Cases and Examples
Content security policy
Content Security Policy (CSP): Use Cases and Examples
20 Apr 2021
Remote Code Execution (RCE)
Code Execution
Remote Code Execution (RCE)
08 Apr 2021
Building Application Security in the Azure DevOps Pipeline
web security
Building Application Security in the Azure DevOps Pipeline
10 Feb 2021
How to Improve Web Application Security?
web security
How to Improve Web Application Security?
29 Jan 2021
How AI is Transforming Cyber Security
AI
How AI is Transforming Cyber Security
20 Jan 2021
Here's What You Need to Know About WhatsApp's New Privacy Policy
Data Security
Here's What You Need to Know About WhatsApp's New Privacy Policy
10 Jan 2021
Session Security
web security
Session Security
29 Dec 2020
Server Side Request Forgery Attack
Injection
Server Side Request Forgery Attack
15 Dec 2020
Man-in-the-Middle (MITM) Attack: Types, Techniques and Prevention
Cyber attacks
Man-in-the-Middle (MITM) Attack: Types, Techniques and Prevention
03 Dec 2020
How to Respond to a Cyber Attack?
Cyber attacks
How to Respond to a Cyber Attack?
23 Nov 2020
Nginx Server Security: Nginx Hardening Guide
Web server
Nginx Server Security: Nginx Hardening Guide
13 Nov 2020
CMS Vulnerabilities: Why are CMS platforms common hacking targets?
CMS Security
CMS Vulnerabilities: Why are CMS platforms common hacking targets?
05 Nov 2020
Docker Container Security: Attacking Docker Vulnerabilities
Container security
Docker Container Security: Attacking Docker Vulnerabilities
29 Oct 2020
10 Common WordPress Errors That Should be Fixed
WordPress
10 Common WordPress Errors That Should be Fixed
19 Oct 2020
Machine Learning for Web Automation
AI
Machine Learning for Web Automation
09 Oct 2020
Explore More