X-XSS-Protection Not Implemented

By
Sooraj V Nair
Published on
19 Jun 2018
1 min read
Vulnerability
X-XSS-Protection

The X-XSS-Protection response header is one of the major feature of Internet Explorer, Chrome and Safari to stop cross-site scripting. It stops the pages from loading, when they detect reflected cross-site scripting attacks. In this webpage X-XSS-Protection header is not found.The X-XSS-Protection header is designed to enable the cross-site scripting filter, which is builtin to modern web browsers.This vulnerablility exposes the application to a Cross site Scripting attacks.

    X-XSS-Protection: 0                              # Disable XSS filtering
    X-XSS-Protection: 1                              # Enables filtering. If cross site scripting detected - the browser will sanitise
    X-XSS-Protection: 1; mode=block                  # Under this mode, when cross site scripting detected - the browser wont render the page
    X-XSS-Protection: 1; report=<reporting-uri>        # Enables filtering, when detected - the browser will sanitise and report the violation

  

Example

    X-XSS-Protection: 1; mode=block

  

Impact

The major impact for this violation is cross-scripting attacks.

Mitigation / Precaution

The only mitigation is to enable the X-XSS-Protection and set the value to 1.

PHP

    header("X-XSS-Protection: 1; mode=block");

  

Apache (.htaccess)

    <IfModule mod_headers.c>
      Header set X-XSS-Protection "1; mode=block"
    </IfModule>

  

Nginx

    add_header "X-XSS-Protection" "1; mode=block";

  
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Sooraj V Nair
Sooraj V Nair
Cyber Security Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
Find surface-level website security issues in under a minute
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.