Solutions for Common Vulnerabilities in WSO2 Products
Most vulnerabilities of this kind are identified as false positives, so some of them are ignored. jQuery AJAX GET operations are not used in the products to call external untrusted sources. API invocations and actions performed through AJAX operations are based on trusted endpoints, and direct user input is not accepted as the URL being called. Hence, this issue (https://github.com/jquery/jquery/issues/2432) has no significant impact on the use of the library within the products.
HTML form without CSRF protection
Cross-Site Request Forgery (CSRF, or XSRF) is a vulnerability in which an attacker tricks a victim into making a request the victim did not intend to make; with CSRF, the attacker abuses the trust a web application has in the victim's browser. Since there is no user session to protect before the user logs in, protecting the session at that point is not required.
RC4 cipher suites detected vulnerability
RC4 cipher suites can be restricted (disabled) at the proxy or the load balancer in the production environment.
Clickjacking: X-Frame-Options header missing
Clickjacking is an attack in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a framed web page while they intend to click on the top-level web page. If the server does not return an X-Frame-Options header, it is at risk of clickjacking.
As a solution, send the proper X-Frame-Options header in HTTP responses; it instructs the browser not to allow framing from other domains. The possible values are:
* DENY: the page may not be loaded in any frame or iframe.
* SAMEORIGIN: the page may be framed only by a page from the same origin.
* ALLOW-FROM URL: the page may be framed only by the specified URL. Note, however, that not all browsers support this directive.
The X-Frame-Options header can also be set at the proxy or the load balancer [1].
[1] https://geekflare.com/add-x-frame-options-nginx/
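The following Python snippet is an added example (not WSO2 code and not taken from the reference above) that models how a browser evaluates the three X-Frame-Options directives and flags responses a scanner would report as "header missing". The response headers and origins in it are constructed sample data; the supports_allow_from flag is an assumed parameter used to model a browser that ignores ALLOW-FROM.

```python
"""Evaluate X-Frame-Options the way a browser does (added example, not WSO2 code).

The header values follow the three directives listed above: DENY, SAMEORIGIN and
ALLOW-FROM <url>. The response headers at the bottom are constructed sample data.
"""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Return the scheme://host[:port] origin of a URL, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def framing_allowed(header_value, framing_page_url, framed_page_url, supports_allow_from=True):
    """Decide whether framed_page_url may be embedded by a page at framing_page_url.

    header_value is the X-Frame-Options value sent with framed_page_url.
    Returns True when the browser would render the frame.
    A missing header (None) means framing from any origin is allowed.
    supports_allow_from=False models a browser that ignores ALLOW-FROM; such a
    browser treats the header as absent, which is why ALLOW-FROM is unreliable.
    """
    if header_value is None:
        return True
    directive, _, argument = header_value.strip().partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin_of(framing_page_url) == origin_of(framed_page_url)
    if directive == "ALLOW-FROM":
        if not supports_allow_from or not argument:
            return True  # unsupported or malformed: header ignored, framing allowed
        return origin_of(framing_page_url) == origin_of(argument.strip())
    return True  # unknown directive: browsers ignore the header


def audit_headers(headers):
    """Return a list of findings for a dict of response headers (case-insensitive names)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options")
    if xfo is None:
        return ["X-Frame-Options header missing: page can be framed by any site"]
    directive = xfo.strip().split(" ", 1)[0].upper()
    if directive == "ALLOW-FROM":
        return ["ALLOW-FROM is not supported by all browsers; prefer SAMEORIGIN or DENY"]
    if directive not in ("DENY", "SAMEORIGIN"):
        return [f"unrecognised X-Frame-Options value {xfo!r}: browsers will ignore it"]
    return []


# Constructed sample responses, as a scanner might record them.
SAMPLE_RESPONSES = {
    "missing": {"Content-Type": "text/html"},
    "deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "sameorigin": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, audit_headers(hdrs) or "ok")
```

Because a browser that does not understand ALLOW-FROM behaves exactly as if no header were sent, the audit treats ALLOW-FROM as a finding rather than as protection; SAMEORIGIN or DENY is the dependable choice when the header is added at the proxy or load balancer.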
Login page password-guessing attack
Since the WSO2 Identity Server Carbon Management Console is restricted to internal users, the relevant URL should not be accessible to untrusted networks or individuals. If guessing attacks need to be prevented further, the "User Account Locking" feature [1] can be used to lock a user account after several failed attempts within a configured time interval.
[1] https://docs.wso2.com/pages/viewpage.action?pageId=34612027
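To make the locking behaviour described above concrete, here is an added Python illustration of a sliding-window lockout policy. It is not WSO2's implementation of User Account Locking; the class name, the parameter names (max_failures, window_seconds, lock_seconds) and the sample login events are all assumed for the example, and timestamps are passed in explicitly so the logic runs deterministically offline.

```python
"""Sliding-window account lockout (added illustration, not WSO2's implementation).

After max_failures failed logins within window_seconds, the account is locked
for lock_seconds. While locked, even a correct password is refused.
"""
from collections import defaultdict, deque


class AccountLockPolicy:
    def __init__(self, max_failures=5, window_seconds=300, lock_seconds=900):
        self.max_failures = max_failures      # failures tolerated inside the window
        self.window_seconds = window_seconds  # length of the sliding window
        self.lock_seconds = lock_seconds      # how long the lock lasts
        self._failures = defaultdict(deque)   # username -> timestamps of recent failures
        self._locked_until = {}               # username -> time at which the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]      # lock has expired, clear it
            return False
        return True

    def _prune(self, user, now):
        """Drop failures that fell out of the sliding window."""
        q = self._failures[user]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def record_failure(self, user, now):
        """Record a failed attempt; return True if the account is now locked."""
        if self.is_locked(user, now):
            return True
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= self.max_failures:
            self._locked_until[user] = now + self.lock_seconds
            self._failures[user].clear()
            return True
        return False

    def record_success(self, user, now):
        """A successful login (only possible when unlocked) clears the failure history."""
        self._failures[user].clear()

    def attempt(self, user, password_ok, now):
        """Process one login attempt and return 'locked', 'ok' or 'denied'."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.record_success(user, now)
            return "ok"
        return "locked" if self.record_failure(user, now) else "denied"


def simulate(policy, events):
    """Run a list of (user, password_ok, timestamp) events and return the outcomes."""
    return [policy.attempt(user, ok, t) for user, ok, t in events]


if __name__ == "__main__":
    # Constructed sample: three failures within 60 s lock the account for 120 s.
    policy = AccountLockPolicy(max_failures=3, window_seconds=60, lock_seconds=120)
    events = [("admin", False, 0), ("admin", False, 10), ("admin", False, 20),
              ("admin", True, 30), ("admin", True, 141)]
    print(simulate(policy, events))
```

Two points worth checking against any real lockout configuration: the window must be evaluated as a sliding interval (failures spread more widely than the window should not accumulate), and because lockout can be triggered by anyone who knows a username, it is a complement to network restriction of the console, not a replacement for it.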
Slow HTTP Denial of Service Attack
DoS prevention for web applications is recommended at the load balancer level.
The POODLE attack (SSLv3 supported)
SSLv3 was blocked from the beginning and only TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3 are supported, so the SSLv3 POODLE attack is not possible. We have made a couple of changes to have "Forward Secrecy" with the following ciphers and confirmed that the list does not contain RC4.
Go to CARBON_HOME/repository/conf/tomcat/catalina-server.xml
Make the following changes inside the TLS connector element:
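The connector changes themselves are not reproduced here. As an added check that is not WSO2 code, the Python script below expands an OpenSSL-style cipher string with the standard ssl module and reports any suite that still uses RC4 (the RC4 finding above) or lacks forward secrecy, and confirms that SSLv3 is refused (the POODLE precondition). EXAMPLE_POLICY is an assumed policy string, not the product's configured list; substitute the cipher list from the connector, proxy or load balancer.

```python
"""Audit a TLS cipher policy for RC4 and forward secrecy (added example, not WSO2's
configuration). Python's ssl module expands the cipher string the same way an
OpenSSL-based server would, so the resulting suite list is what clients are offered.
"""
import ssl

# Assumed example policy: ECDHE key exchange only, AEAD ciphers, RC4/anonymous/MD5 excluded.
EXAMPLE_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!RC4:!MD5"


def expand_cipher_string(cipher_string):
    """Return the suite names OpenSSL enables for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)          # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def offers_forward_secrecy(suite_name):
    """Ephemeral (EC)DHE suites and every TLS 1.3 suite (TLS_*) provide forward secrecy."""
    return suite_name.startswith(("ECDHE-", "DHE-", "TLS_"))


def audit_cipher_string(cipher_string):
    """Return the expanded suites plus the ones using RC4 or lacking forward secrecy."""
    suites = expand_cipher_string(cipher_string)
    return {
        "suites": suites,
        "rc4": [s for s in suites if "RC4" in s],
        "no_forward_secrecy": [s for s in suites if not offers_forward_secrecy(s)],
    }


def sslv3_disabled(ctx=None):
    """True when the context refuses SSLv3 handshakes."""
    ctx = ctx or ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    return bool(ctx.options & ssl.OP_NO_SSLv3)


if __name__ == "__main__":
    report = audit_cipher_string(EXAMPLE_POLICY)
    print("enabled suites:", report["suites"])
    print("RC4 suites:", report["rc4"] or "none")
    print("suites without forward secrecy:", report["no_forward_secrecy"] or "none")
    print("SSLv3 disabled:", sslv3_disabled())
    # Contrast: a policy that also enables a static-RSA suite reports it under
    # no_forward_secrecy (availability of AES128-SHA depends on the OpenSSL build).
    print(audit_cipher_string("ECDHE+AESGCM:AES128-SHA")["no_forward_secrecy"])
```

The names reported are OpenSSL names (for example ECDHE-RSA-AES256-GCM-SHA384); a Tomcat connector may list the same suites under their IANA names (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384), so map between the two before comparing with the connector's list.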
SSL certificate public key less than 2048 bit
Generate a new certificate (with a key of not less than 2048 bits) and install it into the server.