Python : XSS protection is disabled
Classification
Overview
The X-XSS-Protection header is explicitly disabled, which may increase the risk of cross-site scripting attacks.
X-XSS-Protection is a response header controlling a browser-side filter that is automatically enabled in Internet Explorer 8 and later and in the latest versions of Chrome. When the header value is set to 0 (false), cross-site scripting protection is disabled.
The header can be set in multiple locations (application code, framework settings, web server or proxy configuration) and should be checked both for misconfiguration and for malicious tampering.
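The check described above, written out as an added example (not part of the original page): a stdlib-only Python audit that parses a raw HTTP response header block, classifies the X-XSS-Protection value as disabled, enabled or absent, and separately inspects a Django-style settings mapping, since the SECURE_BROWSER_XSS_FILTER setting listed in the references is a second place where the header is controlled. The sample responses and settings are constructed for the example; the function names are the example's own.

```python
"""Audit HTTP responses and Django-style settings for a disabled X-XSS-Protection header."""
from typing import Dict, List

# Constructed sample responses for the example; not captured from any real host.
SAMPLE_RESPONSES = {
    "disabled": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "x-xss-protection: 0\r\n"          # lower-case name: header names are case-insensitive
        "\r\n"
        "<html></html>"
    ),
    "enabled": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "X-XSS-Protection: 1; mode=block\r\n"
        "\r\n"
    ),
    "absent": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "\r\n"
    ),
}


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Return a mapping of lower-cased header name -> list of values.

    Only the header block (before the blank line) is parsed; the status line is
    skipped. Repeated headers are kept as separate values so the caller can see
    when a later proxy or middleware has added a conflicting copy.
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; ignore
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def xss_protection_state(headers: Dict[str, List[str]]) -> str:
    """Classify the X-XSS-Protection header as 'disabled', 'enabled', 'absent' or 'unknown'.

    The directive is the first ';'-separated token ('0' or '1'). If the header
    occurs more than once and any copy is '0', the response is reported as
    disabled: browsers differ in how they resolve duplicates, so the weakest
    value is treated as the effective one.
    """
    values = headers.get("x-xss-protection", [])
    if not values:
        return "absent"
    directives = [v.split(";", 1)[0].strip() for v in values]
    if any(d == "0" for d in directives):
        return "disabled"
    if all(d == "1" for d in directives):
        return "enabled"
    return "unknown"


def audit_response(raw_response: str) -> Dict[str, object]:
    """Return the state plus a boolean 'finding' that is True when the filter is explicitly disabled."""
    state = xss_protection_state(parse_headers(raw_response))
    return {"state": state, "finding": state == "disabled"}


def django_emits_header(settings: Dict[str, object]) -> bool:
    """Report whether Django's SecurityMiddleware would emit X-XSS-Protection.

    In Django versions that still have the setting, SecurityMiddleware sends
    'X-XSS-Protection: 1; mode=block' only when SECURE_BROWSER_XSS_FILTER is True
    and the middleware is installed; a False value means no header is sent.
    """
    middleware = settings.get("MIDDLEWARE", [])
    installed = "django.middleware.security.SecurityMiddleware" in middleware
    return installed and bool(settings.get("SECURE_BROWSER_XSS_FILTER", False))


if __name__ == "__main__":
    for label, raw in SAMPLE_RESPONSES.items():
        print(label, audit_response(raw))
    # Constructed settings fragment for the example.
    weak_settings = {"MIDDLEWARE": ["django.middleware.security.SecurityMiddleware"],
                     "SECURE_BROWSER_XSS_FILTER": False}
    print("django emits header:", django_emits_header(weak_settings))
```

Run the file directly to see the three sample responses classified; in a real review, feed it the header block captured from the application and compare the result against what the framework settings say should be sent, since a mismatch points at the proxy or server layer rather than the application.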
Mako is a Python templating system often used to build web applications. It is the default templating system used in Pylons and Pyramid.
Unlike Jinja2 (an alternative templating system), Mako has no environment-wide variable escaping mechanism. Because of this, all input variables must be carefully escaped before use to prevent Cross-Site Scripting (XSS) vulnerabilities.
References
- OWASP: Cross-site Scripting (XSS)
- django-secure
- SECURE_BROWSER_XSS_FILTER
- CWE-79: Improper Neutralization of Input During Web Page Generation
- Types of Cross-Site Scripting - OWASP
- DOM Based XSS attacks: what is the most dangerous example?
- OWASP: XSS Prevention Cheat Sheet
- OWASP Top 10 2017-A6-Security Misconfiguration
- OWASP Top 10-2017 A7-Cross-Site Scripting (XSS)
- CWE CATEGORY: OWASP Top Ten 2017 Category A3 - Sensitive Data Exposure
- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CWE-81: Improper Neutralization of Script in an Error Message Web Page
- CWE-83: Improper Neutralization of Script in Attributes in a Web Page
