Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign up[Java]: CWE-523 Insecure HSTS configuration #90
Comments
|
Hi @luchua-bc Thanks for the submission! We have reviewed your report and validated your findings. After internally assessing the findings and the query we have determined this query is not eligible for a reward under the Bug Bounty program for the following reason: The security relevance in most findings for this query is highly application context dependent (e.g. if the application itself does not even configure TLS, it would not care about HSTS per definition). This would be a good query for an org that wanted to check a set of specific application configurations for that specific issue, but it becomes very noisy in the context of a general purpose security alert query. This is one of those cases where even though technically the FP rate is low in the sense that the HSTS configuration is indeed missing from a given web.xml, the threat model requirements and application specific context of the findings yield a result set that requires a lot of manual verification and triage, similar to a query that has a high FP ratio. Even though this issue was assessed as being ineligible, we appreciate you bringing it to our attention, and would still like to offer you $250. Best regards and happy hacking! |
|
Thanks @xcorail for reviewing the issue and the bounty. I agree the PR handles an issue that is too specific. |
CVE ID(s)
List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.
Report
Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.
HSTS (HTTP Strict Transport Security) is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. HSTS is specified in RFC 6797 and is supported by all major browsers and web servers. Missing or incorrect configuration allows unprotected transport of credentials.
HSTS started to be widely accepted and configured in recent years. This query detects insecure HSTS configuration with the Tomcat server. I've tested the query against some GitHub projects, and a test case has been submitted as well. The relevant PR is PR #3534.
Yes, I enjoy working with CodeQL queries and contributing to the project.