
135 Insecure or unset HTTP headers - X-XSS Protection


Description

The application sets the X-XSS-Protection header, which is considered deprecated. Using this header may lead to stored XSS vulnerabilities.


Impact

Increases the chance of exploiting a stored XSS.


Recommendation

Disable the X-XSS-Protection filter in the server responses. Instead, define security policies using the Content-Security-Policy (CSP) header.
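As an added example (not part of this page), a small Python helper that audits a response's headers for the weak setting, applies the recommended fix (filter explicitly set to 0, CSP present), and wraps it as WSGI middleware; the sample headers and the baseline policy are assumptions.

```python
"""Audit and harden HTTP response headers for the X-XSS-Protection issue.

Added example; header values and the sample policy are assumptions.
"""

# Constructed sample response headers showing the weak configuration.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-XSS-Protection": "1; mode=block",
}

# Assumed baseline policy; a real deployment tunes this to its own sources.
DEFAULT_CSP = "default-src 'self'; object-src 'none'; base-uri 'self'"


def audit_headers(headers):
    """Return findings for a response's headers (names matched case-insensitively)."""
    lower = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []
    xss = lower.get("x-xss-protection")
    # Any value other than "0" turns the deprecated browser filter on.
    if xss is not None and xss.split(";")[0].strip() != "0":
        findings.append("X-XSS-Protection filter enabled; set it to 0")
    if "content-security-policy" not in lower:
        findings.append("Content-Security-Policy header missing")
    return findings


def harden_headers(headers, policy=DEFAULT_CSP):
    """Return a copy with the filter explicitly disabled and a CSP present."""
    fixed = {n: v for n, v in headers.items() if n.lower() != "x-xss-protection"}
    fixed["X-XSS-Protection"] = "0"
    if not any(n.lower() == "content-security-policy" for n in fixed):
        fixed["Content-Security-Policy"] = policy
    return fixed


def harden_wsgi(app):
    """WSGI middleware that applies harden_headers to every response."""
    def wrapped(environ, start_response):
        def fixed_start(status, headers, exc_info=None):
            hardened = list(harden_headers(dict(headers)).items())
            return start_response(status, hardened, exc_info)
        return app(environ, fixed_start)
    return wrapped
```

Running `audit_headers` against live responses before and after deployment confirms the filter is off and a CSP is actually being served.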


Threat

Unauthorized attacker from the Internet.


Expected Remediation Time

30 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: H
  • Attack Requirements: N
  • Privileges required: N
  • User interaction: A
  • Confidentiality (VC): L
  • Integrity (VI): L
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: P

Requirements


Fixes


Last updated

2024/02/14