Code-server Acunetix Scan Errors

[antofthy]

1.1140-vsc1.33.1
RHEL 7 with debian-slim (php-apache) docker container

Description

As part of a project development, digital security has performed a scan of code-server login, and reported 2 medium and 1 low problems.

• HTML form without CSRF protection (medium)
• Password field submitted using GET method (medium)
• Clickjacking: X-Frame-Options header missing (low)

I will detail the report of each of these in a separate comment below...

The only other things were informational comments by the scan...

• Content Security Policy (CSP) not implemented
• Password type input with auto-complete enabled

[antofthy]

Alert group HTML form without CSRF protection
Severity Medium
This alert requires manual confirmation
Description
Cross-Site Request Forgery (CSRF, or XSRF) is a vulnerability wherein an attacker tricks a
victim into making a request the victim did not intend to make. Therefore, with CSRF, an
attacker abuses the trust a web application has with a victim's browser.
Acunetix found an HTML form with no apparent anti-CSRF protection implemented. Consult
the 'Attack details' section for more information about the affected HTML form.
Verify if this form requires anti-CSRF protection and implement CSRF countermeasures if
necessary.
The recommended and the most widely used technique for preventing CSRF attacks is
know as an anti-CSRF token, also sometimes referred to as a synchronizer token. The
characteristics of a well designed anti-CSRF system involve the following attributes.
Recommendations
The anti-CSRF token should be unique for each user session
The session should automatically expire after a suitable amount of time
The anti-CSRF token should be a cryptographically random value of significant length
The anti-CSRF token should be cryptographically secure, that is, generated by a strong
Pseudo-Random Number Generator (PRNG) algorithm
The anti-CSRF token is added as a hidden field for forms, or within URLs (only
necessary if GET requests cause state changes, that is, GET requests are not
idempotent)
The server should reject the requested action if the anti-CSRF token fails validation
When a user submits a form or makes some other authenticated request that requires a
Cookie, the anti-CSRF token should be included in the request. Then, the web application
will then verify the existence and correctness of this token before processing the request. If
the token is missing or incorrect, the request can be rejected.

[antofthy]

Alert group Password field submitted using GET method
Severity Medium
Description This page contains a form with a password field. This form submits user data using the GET
method, therefore the contents of the password field will appear in the URL.Sensitive
information should not be passed via the URL. URLs could be logged or leaked via the
Referer header.
Recommendations The password field should be submitted through POST instead of GET.

[antofthy]

Alert group Clickjacking: X-Frame-Options header missing
Severity Low
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious
technique of tricking a Web user into clicking on something different from what the user
perceives they are clicking on, thus potentially revealing confidential information or taking
control of their computer while clicking on seemingly innocuous web pages.
Description
Recommendations
The server didn't return an X-Frame-Options header which means that this website could
be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used
to indicate whether or not a browser should be allowed to render a page inside a frame or
iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not
embedded into other sites.
Configure your web server to include an X-Frame-Options header. Consult Web references
for more information about the possible values for this header.

[Tanjmaxalb]

Do not you think that this is inappropriate?
The project is usually used inside the local network and unlikely will be subjected to attacks of social engineering (Clickjacking or CSRF) or sniffing.
Especially since you just submitted a report of Acunetix without PoC.

[antofthy]

Yes, but a scan was done (not by me), and felt that it was something the developers may like to know about so that can 'improve' things.
Using 'GET' for a password form is a very basic thing that just should not have been done in the first palce.
I agree that the ClickJacking XFrame item is 'Low' severity, an probably not really of great importance.

[sr229]

Please open this to Microsoft/vscode instead. This is something we can't solve

[code-asher]

Well, except for the login page which is our creation. Some of this may have been fixed in v2 though.