Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Java]: CWE-523 Insecure HSTS configuration #90

Closed
luchua-bc opened this issue May 20, 2020 · 2 comments
Closed

[Java]: CWE-523 Insecure HSTS configuration #90

luchua-bc opened this issue May 20, 2020 · 2 comments
Labels

Comments

@luchua-bc
Copy link

@luchua-bc luchua-bc commented May 20, 2020

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

Report

Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.
HSTS (HTTP Strict Transport Security) is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. HSTS is specified in RFC 6797 and is supported by all major browsers and web servers. Missing or incorrect configuration allows unprotected transport of credentials.

HSTS started to be widely accepted and configured in recent years. This query detects insecure HSTS configuration with the Tomcat server. I've tested the query against some GitHub projects, and a test case has been submitted as well. The relevant PR is PR #3534.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing
    Yes, I enjoy working with CodeQL queries and contributing to the project.
@xcorail
Copy link
Contributor

@xcorail xcorail commented Jun 19, 2020

Hi @luchua-bc

Thanks for the submission! We have reviewed your report and validated your findings. After internally assessing the findings and the query we have determined this query is not eligible for a reward under the Bug Bounty program for the following reason:

The security relevance in most findings for this query is highly application context dependent (e.g. if the application itself does not even configure TLS, it would not care about HSTS per definition). This would be a good query for an org that wanted to check a set of specific application configurations for that specific issue, but it becomes very noisy in the context of a general purpose security alert query. This is one of those cases where even though technically the FP rate is low in the sense that the HSTS configuration is indeed missing from a given web.xml, the threat model requirements and application specific context of the findings yield a result set that requires a lot of manual verification and triage, similar to a query that has a high FP ratio.

Even though this issue was assessed as being ineligible, we appreciate you bringing it to our attention, and would still like to offer you $250.

Best regards and happy hacking!

@xcorail xcorail closed this Jun 19, 2020
@luchua-bc
Copy link
Author

@luchua-bc luchua-bc commented Jun 19, 2020

Thanks @xcorail for reviewing the issue and the bounty. I agree the PR handles an issue that is too specific.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.