pls share with me if any demo available.

On Wed, Apr 16, 2025 at 5:37 PM Nate Kerkhofs <nate.kerkh...@ikan.be> wrote:

> Hi,
>
>
>
> Note that Struts 7 has a built-in CSP header interceptor that also has
> support for cryptographic nonces in JavaScript tags. They may have
> interceptors for these other missing headers as well, but I’m not sure.
> More information can be found in the documentation.
>
>
>
> Regards,
>
>
>
> Nate
>
>
>
> *From:* Shivam Agrahari <shivamagrahari2...@gmail.com>
> *Sent:* Wednesday, 16 April 2025 13:36
> *To:* Struts Users Mailing List <user@struts.apache.org>
> *Subject:* Re: Request for Assistance with OWASP ZAP Vulnerabilities in
> Struts-Based Java Web Application
>
>
>
> Hi,
>
>
>
> The application is currently showing the following security
> vulnerabilities:
>
> Content security Policy (CSP) Header not set (3 instances)-
>
>     GET: http://localhost:8080/favicon.ico
>
>     GET: http://localhost:8080/favicon.test
>
>     GET: http://localhost:8080/favicon.test\
> <http://localhost:8080/favicon.test/>
>
>
>
> Missing Anti-clickjacking Header (2 instances)-
>
>     GET: http://localhost:8080/favicon.test
>
>     GET: http://localhost:8080/favicon.test\
> <http://localhost:8080/favicon.test/>
>
>
>
> Cookie without SameSite Attribute (2 instances)
>
>     GET: http://localhost:8080/favicon.test
>
>     GET: http://localhost:8080/favicon.test\
> <http://localhost:8080/favicon.test/>
>
>
>
> X-Content-Type-Options Header Missing (2 instances)
>
>     GET: http://localhost:8080/favicon.test
>
>     GET: http://localhost:8080/favicon.test\
> <http://localhost:8080/favicon.test/>
>
>
>
> I’ve made efforts to address these vulnerabilities and have shared the
> relevant code snippet below for your reference. The code is intended to
> mitigate CSRF and other related issues:
>
>
>
> @Override
> public String intercept(ActionInvocation ai) throws Exception {
> final ActionContext ac = ai.getInvocationContext();
> HttpServletResponse myresponse = ac.getServletResponse();
> HttpSession session =
> org.apache.struts2.ServletActionContext.getRequest().getSession();
> final String jsessionid = session.getId();
> String cookieValue = "JSESSIONID=" + jsessionid + "; Path=/test;
>  HttpOnly; SameSite=Strict";
> myresponse.setHeader("Set-Cookie", cookieValue);
> myresponse.setHeader("X-Frame-Options", "SAMEORIGIN");
> myresponse.setHeader("X-Content-Type-Options", "nosniff");
> myresponse.setHeader("Content-Security-Policy", "default-src 'self';
> img-src 'self'; frame-src 'self';  connect-src 'self'; frame-ancestors
> 'self'; font-src 'self'; base-uri 'self'; form-action 'self';
>  'unsafe-inline' 'unsafe-eval'  prefetch-src 'none'; manifest-src 'none';
> object-src 'self'; media-src 'none'; ");
> String resultString = ai.invoke();
> System.out.println("before result");
> return resultString;
> }
>
>
>
> Pls suggest necessary improvements.
>
>
>
> Regards,
>
> Shivam
>
>
>
> [image: Image removed by sender.] test.war
> <https://drive.google.com/open?id=1ChtdOQKVdehi27j0Q-xth0w_9H7qD3wg>
>
>
>
> On Wed, Apr 16, 2025 at 4:17 PM Lukasz Lenart <lukaszlen...@apache.org>
> wrote:
>
> śr., 16 kwi 2025 o 07:30 Shivam Agrahari
> <shivamagrahari2...@gmail.com> napisał(a):
> > Could you please advise on how to resolve these issues? For your
> reference, I have attached the WAR file of the test project along with a
> few relevant pages.
>
> The best option is to read through OWASP recommendations PDFs and
> apply them one by one
>
> Cheers
> Łukasz
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
>
>

Reply via email to