Sysadmin PCI check vulnerabilities

Andy · Aug 13, 2020

If you have a merchant account to process payment, you will need to scan and verify your website is PCI compliant every 3 months.
Failing this will have severe consequences i.e stopping payment, higher fees, etc.
My last PCI scan was in May and passed but I have to scan again today and it failed with several errors. I'm not sure if there is any updates from CMM that caused the difference.
I hope @eva2000 can help provide some input on how to fix these.

Andy · Aug 13, 2020

1. Possible Scan Interference
Solution: Whitelist the Qualys scanner to scan without interference from the IDS or IPS.

2. HTTP Security Header Not Detected on port 80 and 443

Scan result

GET / HTTP/1.1
Host: 209.222.101.10
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, 12 Aug 2020 10:48:26 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 25713
Connection: keep-alive
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Last-Modified: Wed, 12 Aug 2020 10:48:26 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, no-cache, max-age=0
Set-Cookie: xf_csrf=Jak0h3rgm7TouCL1; path=/; secure
Server: nginx centminmod
X-Powered-By: centminmod
Strict-Transport-Security: max-age=31536000;" style="box-sizing: border-box; color: rgb(99, 102, 106); font-family: Roboto, Tahoma, Arial, Helvetica, sans-serif; font-size: 14px; background-color: rgb(255, 255, 255);">X-XSS-Protection HTTP Header missing on port 443.

GET / HTTP/1.1
Host: 209.222.101.10
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, 12 Aug 2020 10:48:26 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 25713
Connection: keep-alive
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Last-Modified: Wed, 12 Aug 2020 10:48:26 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, no-cache, max-age=0
Set-Cookie: xf_csrf=Jak0h3rgm7TouCL1; path=/; secure
Server: nginx centminmod
X-Powered-By: centminmod
Strict-Transport-Security: max-age=31536000;
Click to expand...

Solution

Note: To better debug the results of this QID, it is requested that customers execute commands to simulate the following functionality: curl -lkL --verbose.

CWE-693: Protection Mechanism Failure mentions the following - The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.

Customers are advised to set proper X-Frame-Options, X-XSS-Protection, X-Content-Type-Options and Strict-Transport-Security HTTP response headers.

Depending on their server software, customers can set directives in their site configuration or Web.config files. Few examples are:

X-Frame-Options:
Apache: Header always append X-Frame-Options SAMEORIGIN
nginx: add_header X-Frame-Options SAMEORIGIN;
HAProxy: rspadd X-Frame-Options:\ SAMEORIGIN
IIS: <HTTPPROTOCOL><CUSTOMHEADERS><ADD NAME="X-Frame-Options" VALUE="SAMEORIGIN"></ADD></CUSTOMHEADERS></HTTPPROTOCOL>

X-XSS-Protection:
Apache: Header always set X-XSS-Protection "1; mode=block"
PHP: header("X-XSS-Protection: 1; mode=block");

X-Content-Type-Options:
Apache: Header always set X-Content-Type-Options: nosniff

HTTP Strict-Transport-Security:
Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Nginx: add_header Strict-Transport-Security max-age=31536000;

Note: Network devices that include a HTTP/HTTPS console for administrative/management purposes often do not include all/some of the security headers. This is a known issue and it is recommend to contact the vendor for a solution.
Click to expand...

Log in / Register

Forums

Learn about Centmin Mod LEMP Stack today

Sysadmin PCI check vulnerabilities

Andy Active Member

Andy Active Member

.

Log in / Register

Useful Searches

Learn about Centmin Mod LEMP Stack today

Sysadmin PCI check vulnerabilities

Andy Active Member

Andy Active Member

.