Hi,

Note that Struts 7 has a built-in CSP header interceptor that also has support 
for cryptographic nonces in JavaScript tags. They may have interceptors for 
these other missing headers as well, but I’m not sure. More information can be 
found in the documentation.

Regards,

Nate

From: Shivam Agrahari <shivamagrahari2...@gmail.com>
Sent: Wednesday, 16 April 2025 13:36
To: Struts Users Mailing List <user@struts.apache.org>
Subject: Re: Request for Assistance with OWASP ZAP Vulnerabilities in 
Struts-Based Java Web Application

Hi,

The application is currently showing the following security vulnerabilities:

Content Security Policy (CSP) Header Not Set (3 instances):
    GET: http://localhost:8080/favicon.ico
    GET: http://localhost:8080/favicon.test
    GET: http://localhost:8080/favicon.test/

Missing Anti-clickjacking Header (2 instances):
    GET: http://localhost:8080/favicon.test
    GET: http://localhost:8080/favicon.test/

Cookie without SameSite Attribute (2 instances):
    GET: http://localhost:8080/favicon.test
    GET: http://localhost:8080/favicon.test/

X-Content-Type-Options Header Missing (2 instances):
    GET: http://localhost:8080/favicon.test
    GET: http://localhost:8080/favicon.test/

I’ve made efforts to address these vulnerabilities and have shared the relevant 
code snippet below for your reference. The code is intended to mitigate CSRF 
and other related issues:

// Posted interceptor made compilable: imports and a class wrapper were added.
// Package names assume Struts 6.x (com.opensymphony.xwork2) on javax.servlet;
// adjust them for the Struts version actually in use.
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts2.ServletActionContext;

public class SecurityHeadersInterceptor extends AbstractInterceptor {

    @Override
    public String intercept(ActionInvocation ai) throws Exception {
        final ActionContext ac = ai.getInvocationContext();
        HttpServletResponse myresponse = ac.getServletResponse();
        HttpSession session = ServletActionContext.getRequest().getSession();
        final String jsessionid = session.getId();
        // Re-emit the session cookie with SameSite. Path is hard-coded to the
        // context path of test.war (/test); it must match the deployed context.
        String cookieValue = "JSESSIONID=" + jsessionid + "; Path=/test; HttpOnly; SameSite=Strict";
        myresponse.setHeader("Set-Cookie", cookieValue);
        myresponse.setHeader("X-Frame-Options", "SAMEORIGIN");
        myresponse.setHeader("X-Content-Type-Options", "nosniff");
        // The original string had "'unsafe-inline' 'unsafe-eval'" directly after a ';'
        // with no directive name; browsers discard such a fragment (and the
        // prefetch-src that followed it), so the bare tokens are removed here and
        // prefetch-src gets its own directive. script-src and style-src are not set
        // and therefore inherit default-src 'self'.
        myresponse.setHeader("Content-Security-Policy",
            "default-src 'self'; img-src 'self'; frame-src 'self'; connect-src 'self'; "
            + "frame-ancestors 'self'; font-src 'self'; base-uri 'self'; form-action 'self'; "
            + "prefetch-src 'none'; manifest-src 'none'; object-src 'self'; media-src 'none'");
        String resultString = ai.invoke();
        System.out.println("before result"); // debug output; runs after the action has executed
        return resultString;
    }
}

Please suggest necessary improvements.

Regards,
Shivam

test.war<https://drive.google.com/open?id=1ChtdOQKVdehi27j0Q-xth0w_9H7qD3wg>
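As an added illustration, not code from this thread or from Struts, the script below parses a Content-Security-Policy value the way a browser does: each `;`-separated fragment is kept only if its first token is a directive name, fetch directives fall back to `default-src`, and the audit reports what the posted policy actually enforces. The policy string is copied from the interceptor above; the directive list and audit rules are the author's own.

```python
# Added example (not from the thread or from Struts): parse a CSP header as a
# browser does, so dropped fragments and default-src fallbacks become visible.

# Directive names from CSP Level 3 (subset); prefetch-src is kept only because
# the header under discussion uses it, although browsers are dropping support.
KNOWN = {
    "default-src", "script-src", "style-src", "img-src", "font-src", "connect-src",
    "frame-src", "media-src", "object-src", "manifest-src", "worker-src",
    "prefetch-src", "base-uri", "form-action", "frame-ancestors", "report-uri",
}
# Fetch directives that fall back to default-src when absent.
FETCH = ["script-src", "style-src", "img-src", "font-src", "connect-src",
         "frame-src", "media-src", "object-src", "manifest-src"]

def parse_csp(header):
    """Return (policy, ignored): directive -> sources, plus fragments a browser drops."""
    policy, ignored = {}, []
    for fragment in header.split(";"):
        tokens = fragment.split()
        if not tokens:                 # empty fragment, e.g. a trailing ';'
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name in KNOWN:
            policy.setdefault(name, sources)   # a repeated directive: first wins
        else:                          # first token is not a directive name, so
            ignored.append(" ".join(tokens))   # the whole fragment is discarded
    return policy, ignored

def effective(policy, directive):
    """Sources enforced for a fetch directive; [] means no restriction at all."""
    return policy.get(directive, policy.get("default-src", []))

def audit(header):
    """Findings worth fixing before the header ships."""
    policy, ignored = parse_csp(header)
    findings = [f"discarded by the browser: {frag}" for frag in ignored]
    findings += [f"{d} not set; inherits default-src {effective(policy, d)}"
                 for d in FETCH if d not in policy]
    findings += [f"script-src allows {bad}" for bad in ("'unsafe-inline'", "'unsafe-eval'")
                 if bad in effective(policy, "script-src")]
    if effective(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors not set; clickjacking protection relies on X-Frame-Options")
    return findings

# Constructed input: the policy string from the interceptor in the mail above.
POSTED = ("default-src 'self'; img-src 'self'; frame-src 'self';  connect-src 'self'; "
          "frame-ancestors 'self'; font-src 'self'; base-uri 'self'; form-action 'self';  "
          "'unsafe-inline' 'unsafe-eval'  prefetch-src 'none'; manifest-src 'none'; "
          "object-src 'self'; media-src 'none'; ")
```

Running `audit(POSTED)` shows the `'unsafe-inline' 'unsafe-eval' prefetch-src 'none'` fragment being discarded, `script-src` and `style-src` inheriting `default-src 'self'`, and `object-src` left at `'self'`.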

On Wed, Apr 16, 2025 at 4:17 PM Lukasz Lenart <lukaszlen...@apache.org> wrote:
On Wed, 16 Apr 2025 at 07:30 Shivam Agrahari <shivamagrahari2...@gmail.com> wrote:
> Could you please advise on how to resolve these issues? For your reference, I 
> have attached the WAR file of the test project along with a few relevant 
> pages.

The best option is to read through OWASP recommendations PDFs and
apply them one by one

Cheers
Łukasz
