Configuration Management / Strict Transport Security Not Enforced
Strict-Transport-Security (STS, commonly known as HSTS) is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking. It allows a web server to declare that browsers should only interact with it over secure HTTPS connections and never via the insecure HTTP protocol. A configuration management vulnerability occurs when the STS header is not enforced, allowing an attacker to intercept the traffic between the user and the server and potentially steal sensitive data. This vulnerability is identified in the Common Weakness Enumeration (CWE) directory as CWE-319 and is identified in the OWASP Testing Guide as A9-Insufficient Transport Layer Protection.
The risk of this vulnerability is high, as it allows data in transit to be intercepted and stolen by malicious actors. Unauthorized access to sensitive data can lead to financial losses, identity theft, and data leakage. Additionally, attackers can use the intercepted data to launch further attacks, such as phishing campaigns and other malicious activities.
The best way to fix this vulnerability is to enforce the STS header by sending it on every HTTPS response. With Apache (the directive below is mod_headers syntax), this can be done by adding the following line to the web server configuration file:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
This directive makes the web server send the STS header on every response, instructing browsers to use HTTPS only for this host for a period of two years (max-age=63072000 seconds) and, because of includeSubDomains, for all of its subdomains as well. This helps ensure that all web traffic is sent over secure HTTPS connections. Note that browsers only honour the header when it is received over HTTPS, and that the preload directive should only be added once every subdomain already serves HTTPS, since inclusion in the browser preload lists is difficult to reverse.
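As an added example (not code from the original page), a small checker that parses a Strict-Transport-Security header value and reports the misconfigurations discussed above, run over constructed sample responses; the one-year threshold and the sample headers are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Assumed threshold: one year, the minimum the browser preload list requires.
MIN_MAX_AGE = 31536000

# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "missing": {"Content-Type": "text/html"},
    "weak": {"Strict-Transport-Security": "max-age=300"},
    "fixed": {"Strict-Transport-Security":
              "max-age=63072000; includeSubDomains; preload"},
}


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse an STS value; None if max-age is missing or malformed (browsers then ignore it)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", raw):
                return None
            policy["max_age"] = int(raw)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def check_hsts(headers: Dict[str, str]) -> List[str]:
    """Return findings for one HTTPS response; an empty list means STS is enforced."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["STS header missing: browsers may still use plain HTTP"]
    policy = parse_hsts(value)
    if policy is None:
        return ["STS header malformed (no valid max-age): browsers ignore it"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 clears the policy")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"max-age {policy['max_age']} is below one year")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains unprotected")
    return findings
```

Running `check_hsts` over each entry of `SAMPLE_RESPONSES` reports the missing and weak cases and returns no findings for the header value given above.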
In 2016, a vulnerability (CVE-2016-6921) was discovered in the WordPress plugin WP-Slimstat. This plugin did not enforce the STS header, allowing malicious actors to intercept and steal sensitive data from WordPress websites.