Description
Vulnerabilities reported in security scan -
F 3.2
MEDIUM
Missing Cross-Frame Scripting Protection
Recommendation
A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. The attacker could use this weakness to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks.
The X-Frame-Options header should be present in the header of each server response. It will inform web browsers whether it can be framed on certain sites. The "X-Frame-Options" header must be present in every server response, including 404 Page Not Found or 500 Internal Server Error.
Missing HTTP Strict-Transport-Security Header
Recommendation
The HTTP Strict-Transport-Security header was not found in HTTP responses.
Include the HTTP Strict-Transport-Security header in each server's HTTP response.
Fix required in RabbitMQ management plugin -
In a security audit in which we do a scan using tools like OWASP, Qualys and Nessus, these vulnerabilities came up in the scan report; they are related to headers that are missing in the RabbitMQ management plugin URL. An application deployed over a server should have headers like the below:
Strict-Transport-Security:max-age=31536000; includeSubDomains
x-frame-options:SAMEORIGIN
The fix required in the RabbitMQ management plugin for Strict-Transport-Security is: https://www.valencynetworks.com/kb/strict-transport-security-header-missing.html
To understand more on the Cross-Frame Scripting / clickjacking vulnerability: https://owasp.org/www-community/attacks/Cross_Frame_Scripting
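The scanner findings above boil down to two checks per response: an X-Frame-Options value that actually blocks framing (DENY or SAMEORIGIN), and a Strict-Transport-Security header with a sufficiently long max-age and includeSubDomains, present on error pages (404, 500) as well as on normal ones. The script below is an added example, written for this page and not part of RabbitMQ or of the issue author's report; it audits a header set against those rules and can fetch live management-plugin URLs with only the Python standard library. The sample header dictionaries are constructed, not captured from a real broker, and the host, port and paths in the usage comment are placeholders.

```python
"""Check HTTP responses for the two scan findings: missing X-Frame-Options
(cross-frame scripting / clickjacking) and missing Strict-Transport-Security."""
import re
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

# Values from the recommendation: a one-year HSTS max-age with subdomains,
# and an X-Frame-Options value that current browsers still honour.
MIN_HSTS_MAX_AGE = 31536000
SAFE_XFO_VALUES = {"DENY", "SAMEORIGIN"}


def audit_headers(headers: Dict[str, str], scheme: str = "https") -> List[str]:
    """Return the findings for one response (an empty list means clean).

    Header names are compared case-insensitively, as HTTP requires, so
    'x-frame-options' and 'X-Frame-Options' are the same header.
    """
    lower = {name.lower(): value.strip() for name, value in headers.items()}
    findings: List[str] = []

    xfo = lower.get("x-frame-options")
    if xfo is None:
        findings.append("Missing Cross-Frame Scripting Protection: no X-Frame-Options header")
    elif xfo.upper() not in SAFE_XFO_VALUES:
        # ALLOW-FROM is obsolete and ignored by current browsers; anything other
        # than DENY or SAMEORIGIN leaves the page frameable by other origins.
        findings.append(f"Weak X-Frame-Options value {xfo!r}: use DENY or SAMEORIGIN")

    # HSTS only matters on an HTTPS response: browsers ignore the header when it
    # arrives over plain HTTP, so a plain-HTTP response is not flagged for it.
    if scheme == "https":
        hsts = lower.get("strict-transport-security")
        if hsts is None:
            findings.append("Missing HTTP Strict-Transport-Security header")
        else:
            match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
            if match is None or int(match.group(1)) < MIN_HSTS_MAX_AGE:
                findings.append(
                    f"Strict-Transport-Security max-age below {MIN_HSTS_MAX_AGE}: {hsts!r}")
            if "includesubdomains" not in hsts.lower():
                findings.append("Strict-Transport-Security lacks includeSubDomains")
    return findings


def fetch_headers(url: str, timeout: float = 10.0) -> Tuple[int, Dict[str, str]]:
    """GET one URL and return (status, headers). Error responses (404, 500) are
    returned rather than raised, because the recommendation requires the
    headers on those pages too."""
    request = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, dict(response.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


def audit_url(url: str) -> List[str]:
    """Fetch a URL and audit it; the scheme is taken from the URL itself."""
    scheme = url.split("://", 1)[0].lower()
    status, headers = fetch_headers(url)
    return [f"{url} ({status}): {finding}" for finding in audit_headers(headers, scheme)]


# Constructed sample responses (not captured from a real broker). BEFORE mirrors
# what the scan reported; AFTER carries the two recommended headers.
SAMPLE_BEFORE = {"Content-Type": "text/html; charset=utf-8", "Content-Length": "1234"}
SAMPLE_AFTER = {
    **SAMPLE_BEFORE,
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    # With no arguments, audit the constructed samples. Otherwise audit the URLs
    # given on the command line, e.g. (placeholder host and port):
    #   python audit_headers.py https://broker.example:15671/ https://broker.example:15671/no-such-page
    # A self-signed management certificate needs an ssl.SSLContext with your CA
    # passed to urlopen(context=...) in fetch_headers.
    if len(sys.argv) > 1:
        for target in sys.argv[1:]:
            for line in audit_url(target) or [f"{target}: no findings"]:
                print(line)
    else:
        for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
            print(label, audit_headers(sample) or ["no findings"])
```

Run it against the root page, an API path and a deliberately non-existent path so that the 404 handler is covered as the report asks. The check only looks at X-Frame-Options because that is what the scanner flagged; the Content-Security-Policy frame-ancestors directive is the current replacement for it and is worth setting alongside. Newer RabbitMQ releases expose an HSTS setting for the management plugin in rabbitmq.conf (management.hsts.policy); verify that against the management plugin documentation for your version, since this issue predates it.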
