WebScanPro

From Embedded Lab Vienna for IoT & Security

Summary

WebScanPro is a web application designed for the analysis of HTTP security headers. Developed with a user-friendly interface and robust scanning capabilities, WebScanPro helps developers strengthen the security of their web applications. In addition, WebScanPro also scans the TLS/SSL version in use and reports whether it is up to date or should be upgraded.

HTTP Headers

Content-Security-Policy

The HTTP Content-Security-Policy response header allows website administrators to control which resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting (XSS) attacks.

Strict-Transport-Security (HSTS)

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of HTTP. Most websites automatically redirect to HTTPS, but this header should still be used, e.g. to prevent SSL stripping attacks: when users visit a website, they first connect to the HTTP version before being redirected to the HTTPS version. In an SSL stripping attack, an attacker uses this window to act as a man in the middle and prevents users from ever connecting to the HTTPS version of the site.

X-XSS-Protection

When this header is set, the browser stops loading the page if it detects a reflected XSS attack. Instead of relying on it, use a Content Security Policy (CSP) that disables the use of inline JavaScript.

Do not set this header, or explicitly turn it off.

X-Content-Type-Options

Blocks MIME type sniffing and should be set as follows: X-Content-Type-Options: nosniff

X-Frame-Options

The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed>, or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. It should be set to DENY or SAMEORIGIN.

Referrer-Policy

Referrer policy has been supported by browsers since 2014. Today, the default behavior in modern browsers is to send the full referrer information (origin, path, and query string) only to the same site and to send only the origin to other sites. However, since not all users may be using the latest browsers, and websites can (but should not!) have sensitive data in the query string, it is suggested to enforce this behavior by sending this header on all responses.

X-Webkit-CSP & X-Content-Security-Policy

Deprecated. Should only be used to implement CSP for very old browsers (released before 2013).

Permissions-Policy

Permissions-Policy allows you to control which origins can use which browser features, both in the top-level page and in embedded frames. For every feature controlled by Feature Policy, the feature is only enabled in the current document or frame if its origin matches the allowed list of origins. This means that you can configure your site to never allow the camera or microphone to be activated.

This prevents an injection, for example XSS, from enabling the camera, the microphone, or other browser features.

   Permissions-Policy: geolocation=(), camera=(), microphone=()

This example disables geolocation, camera and microphone for all origins.

X-Powered-By

The X-Powered-By header describes the technologies used by the web server. This information exposes the server to attackers: using the information in this header, attackers can find vulnerabilities more easily. The header should therefore be removed.

SSL/TLS Versions

TLS Version 1.3

TLS 1.3 is the latest and most secure version of the TLS protocol. It offers improved security, faster handshake, and enhanced privacy features.

It is strongly recommended to use TLS 1.3 for the highest level of security.

TLS Version 1.2

TLS 1.2 is a widely adopted and secure version of the TLS protocol. It provides strong encryption and security features. While not the latest version, it is still considered secure and is widely supported.

But an update to Version 1.3 is recommended.

TLS Version 1.1

TLS 1.1 is outdated and has known vulnerabilities. It is generally not recommended to use TLS 1.1 due to security concerns.

Upgrading to a newer version, preferably TLS 1.3, is highly recommended.

TLS Version 1.0

TLS 1.0 is outdated and has significant security vulnerabilities.

Upgrading to a newer version, preferably TLS 1.3, is highly recommended.

SSL Version 3

SSLv3 is obsolete and has serious security flaws, including the POODLE vulnerability.

Upgrading to a newer version, preferably TLS 1.3, is highly recommended.

SSL Version 2

SSLv2 is extremely outdated and insecure, with numerous vulnerabilities. Its use is strongly discouraged, and modern systems no longer support it.

Upgrading to a newer version, preferably TLS 1.3, is highly recommended.
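A scanner that reports these verdicts first has to learn which protocol version the server actually negotiated. The example below is added here and is not WebScanPro's code: it parses a TLS ServerHello record to extract the negotiated version and then maps it to the verdicts of this section. It handles the edge case that matters for TLS 1.3, where the ServerHello's legacy_version field still reads 0x0303 (TLS 1.2) and the real version is announced in the supported_versions extension, so reading only the version fields would misreport a TLS 1.3 connection as 1.2. The records it parses are constructed inline by a builder function (not real captures); SSLv2 uses a different record framing and is not parsed, only rated. All function names are assumptions.

```javascript
// Added example (not WebScanPro's code): determine the negotiated TLS version
// from a ServerHello record and rate it as in the SSL/TLS Versions section.

const VERSION_NAMES = {
  0x0300: 'SSLv3',
  0x0301: 'TLS 1.0',
  0x0302: 'TLS 1.1',
  0x0303: 'TLS 1.2',
  0x0304: 'TLS 1.3',
};

// Verdicts as stated on this page.
function rateVersion(name) {
  switch (name) {
    case 'TLS 1.3': return 'up to date';
    case 'TLS 1.2': return 'secure, but an upgrade to TLS 1.3 is recommended';
    case 'TLS 1.1':
    case 'TLS 1.0': return 'outdated, upgrade to TLS 1.3';
    case 'SSLv3':
    case 'SSLv2': return 'obsolete, upgrade to TLS 1.3';
    default: return 'unknown';
  }
}

// Parse one handshake record carrying a ServerHello (RFC 8446, section 4.1.3).
// A TLS 1.3 server puts 0x0303 in legacy_version and the selected version in the
// supported_versions extension (type 0x002b), which takes precedence here.
function negotiatedVersion(record) {
  if (record[0] !== 0x16) throw new Error('not a handshake record');
  const recordLen = record.readUInt16BE(3);
  const hs = record.subarray(5, 5 + recordLen);
  if (hs[0] !== 0x02) throw new Error('not a ServerHello');
  const bodyLen = (hs[1] << 16) | (hs[2] << 8) | hs[3];
  const body = hs.subarray(4, 4 + bodyLen);

  let off = 0;
  const legacyVersion = body.readUInt16BE(off); off += 2;
  off += 32;                                     // random
  const sidLen = body[off]; off += 1 + sidLen;   // legacy_session_id
  off += 2;                                      // cipher_suite
  off += 1;                                      // compression_method

  let selected = legacyVersion;
  if (off < body.length) {                       // extensions are optional before 1.3
    const extLen = body.readUInt16BE(off); off += 2;
    const end = off + extLen;
    while (off + 4 <= end) {
      const type = body.readUInt16BE(off);
      const len = body.readUInt16BE(off + 2);
      if (type === 0x002b && len === 2) selected = body.readUInt16BE(off + 4);
      off += 4 + len;
    }
  }
  return VERSION_NAMES[selected] || `unknown (0x${selected.toString(16)})`;
}

// Build a minimal ServerHello record. Constructed test data, not a real capture.
// selectedVersion is omitted for servers that send no supported_versions extension.
function buildServerHello(legacyVersion, selectedVersion) {
  const parts = [];
  const v = Buffer.alloc(2); v.writeUInt16BE(legacyVersion); parts.push(v);
  parts.push(Buffer.alloc(32, 0xab));        // random (constant for the sample)
  parts.push(Buffer.from([0x00]));           // empty legacy_session_id
  parts.push(Buffer.from([0x13, 0x01]));     // cipher suite (arbitrary sample value)
  parts.push(Buffer.from([0x00]));           // no compression
  if (selectedVersion !== undefined) {
    const ext = Buffer.from([0x00, 0x2b, 0x00, 0x02, 0x00, 0x00]);
    ext.writeUInt16BE(selectedVersion, 4);
    const extLen = Buffer.alloc(2); extLen.writeUInt16BE(ext.length);
    parts.push(extLen, ext);
  }
  const body = Buffer.concat(parts);
  const hsHeader = Buffer.from([0x02, (body.length >> 16) & 0xff, (body.length >> 8) & 0xff, body.length & 0xff]);
  const hs = Buffer.concat([hsHeader, body]);
  const recHeader = Buffer.from([0x16, 0x03, 0x03, 0x00, 0x00]);
  recHeader.writeUInt16BE(hs.length, 3);
  return Buffer.concat([recHeader, hs]);
}

function scanRecord(record) {
  const version = negotiatedVersion(record);
  return { version, verdict: rateVersion(version) };
}

console.log(scanRecord(buildServerHello(0x0303, 0x0304))); // TLS 1.3 via supported_versions
console.log(scanRecord(buildServerHello(0x0303)));         // plain TLS 1.2
console.log(scanRecord(buildServerHello(0x0301)));         // TLS 1.0
```

In practice a scanner would capture the ServerHello from a real connection (or simply read the version a TLS library reports after the handshake); the parser above shows why the supported_versions extension, not the record or legacy version field, is authoritative for TLS 1.3.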

Requirements

Architecture

Frontend:

Backend:


Description

Step 1

Install Node.js

Step 2

Clone the WebScanPro repository

Step 3

Run npm install

Step 4

Run npm start

Step 5

Open localhost:3000 in your browser

Hint: if this port is already in use, you can change

app.listen(3000)

in nest-js-server/main.ts to another port which is not in use.

Step 6

Start scanning your web application and check the results. Have fun!