Please share with me if any demo is available.

On Wed, Apr 16, 2025 at 5:37 PM Nate Kerkhofs <nate.kerkh...@ikan.be> wrote:
> Hi,
>
> Note that Struts 7 has a built-in CSP header interceptor that also has
> support for cryptographic nonces in JavaScript tags. They may have
> interceptors for these other missing headers as well, but I’m not sure.
> More information can be found in the documentation.
>
> Regards,
>
> Nate
>
> *From:* Shivam Agrahari <shivamagrahari2...@gmail.com>
> *Sent:* Wednesday, 16 April 2025 13:36
> *To:* Struts Users Mailing List <user@struts.apache.org>
> *Subject:* Re: Request for Assistance with OWASP ZAP Vulnerabilities in
> Struts-Based Java Web Application
>
> Hi,
>
> The application is currently showing the following security
> vulnerabilities:
>
> Content Security Policy (CSP) Header Not Set (3 instances)
> GET: http://localhost:8080/favicon.ico
> GET: http://localhost:8080/favicon.test
> GET: http://localhost:8080/favicon.test\
>
> Missing Anti-clickjacking Header (2 instances)
> GET: http://localhost:8080/favicon.test
> GET: http://localhost:8080/favicon.test\
>
> Cookie without SameSite Attribute (2 instances)
> GET: http://localhost:8080/favicon.test
> GET: http://localhost:8080/favicon.test\
>
> X-Content-Type-Options Header Missing (2 instances)
> GET: http://localhost:8080/favicon.test
> GET: http://localhost:8080/favicon.test\
>
> I’ve made efforts to address these vulnerabilities and have shared the
> relevant code snippet below for your reference. The code is intended to
> mitigate CSRF and other related issues:
>
>     import com.opensymphony.xwork2.ActionContext;
>     import com.opensymphony.xwork2.ActionInvocation;
>     import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
>     import javax.servlet.http.HttpServletResponse;
>     import javax.servlet.http.HttpSession;
>     import org.apache.struts2.ServletActionContext;
>     // Imports assume Struts 6.x (javax.servlet); Struts 7 moved these to
>     // org.apache.struts2.* and jakarta.servlet.*. Only the method was posted;
>     // the class wrapper and its name are added here to make it compile.
>     public class SecurityHeadersInterceptor extends AbstractInterceptor {
>         @Override
>         public String intercept(ActionInvocation ai) throws Exception {
>             final ActionContext ac = ai.getInvocationContext();
>             HttpServletResponse myresponse = ac.getServletResponse();
>             HttpSession session = ServletActionContext.getRequest().getSession();
>             final String jsessionid = session.getId();
>             // Re-emit the session cookie with HttpOnly and SameSite=Strict
>             String cookieValue = "JSESSIONID=" + jsessionid + "; Path=/test; HttpOnly; SameSite=Strict";
>             myresponse.setHeader("Set-Cookie", cookieValue);
>             myresponse.setHeader("X-Frame-Options", "SAMEORIGIN");
>             myresponse.setHeader("X-Content-Type-Options", "nosniff");
>             // As posted, 'unsafe-inline' 'unsafe-eval' followed form-action with no directive
>             // name, so browsers silently dropped them (and the prefetch-src directive with
>             // them). They are only valid under script-src, where they weaken the policy.
>             myresponse.setHeader("Content-Security-Policy", "default-src 'self'; "
>                     + "img-src 'self'; frame-src 'self'; connect-src 'self'; "
>                     + "frame-ancestors 'self'; font-src 'self'; base-uri 'self'; form-action 'self'; "
>                     + "script-src 'self' 'unsafe-inline' 'unsafe-eval'; prefetch-src 'none'; "
>                     + "manifest-src 'none'; object-src 'self'; media-src 'none'");
>             String resultString = ai.invoke();
>             System.out.println("before result");
>             return resultString;
>         }
>     }
>
> Pls suggest necessary improvements.
>
> Regards,
>
> Shivam
>
> test.war <https://drive.google.com/open?id=1ChtdOQKVdehi27j0Q-xth0w_9H7qD3wg>
>
> On Wed, Apr 16, 2025 at 4:17 PM Lukasz Lenart <lukaszlen...@apache.org> wrote:
>
> Wed, 16 Apr 2025 at 07:30 Shivam Agrahari <shivamagrahari2...@gmail.com> wrote:
> > Could you please advise on how to resolve these issues? For your
> > reference, I have attached the WAR file of the test project along with a
> > few relevant pages.
>
> The best option is to read through OWASP recommendations PDFs and
> apply them one by one
>
> Cheers
> Łukasz
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
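As an added example (not code from the thread), a small Python checker that parses a Content-Security-Policy value the way a browser does and reports what the policy posted above actually enforces: the chunk beginning with 'unsafe-inline' is discarded whole, so prefetch-src 'none' is lost with it, and script-src falls back to default-src 'self'. The directive sets and the POSTED string are constructed here from the message; the checker also covers the general case of unknown directives and of directives that have no default-src fallback.

```python
"""Parse a Content-Security-Policy value as a browser does: split on ';', take the
first token of each chunk as the directive name, and ignore unrecognised names."""

FETCH_DIRECTIVES = {  # these fall back to default-src when absent
    "script-src", "style-src", "img-src", "font-src", "connect-src", "media-src",
    "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
    "prefetch-src"}  # prefetch-src: CSP3 draft directive
OTHER_DIRECTIVES = {  # no default-src fallback: absent means unrestricted
    "default-src", "base-uri", "form-action", "frame-ancestors", "sandbox",
    "report-uri", "report-to", "upgrade-insecure-requests"}
UNSAFE = {"'unsafe-inline'", "'unsafe-eval'"}

def parse_csp(policy):
    """Return (directives, findings): what a browser enforces, and parse problems."""
    directives, findings = {}, []
    for chunk in filter(None, map(str.strip, policy.split(";"))):
        tokens = chunk.split()
        name = tokens[0].lower()
        if name.startswith("'") or ":" in name or "/" in name:
            # A source expression where a directive name belongs: the whole chunk is dropped
            findings.append(f"dropped chunk {chunk!r}: starts with a source, not a directive")
        elif name not in FETCH_DIRECTIVES | OTHER_DIRECTIVES:
            findings.append(f"unknown directive {name!r} is ignored")
        else:
            directives[name] = tokens[1:]
    return directives, findings

def effective_sources(directives, name):
    """Sources applied to `name` after default-src fallback; [] means unrestricted."""
    if name in directives:
        return directives[name]
    return directives.get("default-src", []) if name in FETCH_DIRECTIVES else []

def audit(policy):
    """Parse findings plus weaknesses in the effective policy, as (directives, findings)."""
    directives, findings = parse_csp(policy)
    weak = UNSAFE & set(effective_sources(directives, "script-src"))
    if weak:
        findings.append(f"script-src allows {sorted(weak)}: injected scripts still run")
    for name in ("frame-ancestors", "base-uri", "form-action"):
        if not effective_sources(directives, name):
            findings.append(f"{name} unset: unrestricted, default-src does not apply")
    return directives, findings

# Constructed input: the policy from the message above, stray tokens included.
POSTED = ("default-src 'self'; img-src 'self'; frame-src 'self'; connect-src 'self'; "
          "frame-ancestors 'self'; font-src 'self'; base-uri 'self'; form-action 'self'; "
          "'unsafe-inline' 'unsafe-eval' prefetch-src 'none'; manifest-src 'none'; "
          "object-src 'self'; media-src 'none'; ")
```

Running `audit(POSTED)` yields exactly one finding, the dropped chunk; moving the two keywords under a real `script-src` directive parses cleanly but then trips the 'unsafe-inline'/'unsafe-eval' finding instead.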