Why does Alert Logic fail PCI Scans on “HTTP Strict Transport Security (HSTS) Missing” and how do I dispute it?

3 comments

  • Jesper Jurcenoks (Official comment)

    Background on HTTP Strict Transport Security (HSTS)
    Introduced in 2012, the security standard has become best practice and protects against:

    • SSL Stripping Man-in-the-middle attack published by Moxie Marlinspike in 2009 1)
    • Misconfigured web servers that inadvertently allow sensitive traffic on HTTP 2)
    • User override of invalid certificates (typically introduced by Man-in-the-middle attacks, and prevented by HSTS) 2)
    • Browsers that miss an HTTP to HTTPS redirect, typically due to bookmark or deep link, as HSTS also forces redirects. 2)

    HSTS is relevant on both HTTP and HTTPS for servers that handle sensitive information.

    Alert Logic checks all HTTPS connections for HSTS

    “HSTS Missing” fails PCI because:

    • At 5.8 the CVSS base score is above 4.0, additionally there are exploits in the wild. (AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C)

    and

    • This issue violates the OWASP Top 10 A6-Sensitive-Data Exposure subrequirement 5: "Are any browser security directives or headers missing when sensitive data is provided by / sent to the browser?".

    How to Dispute:

    For a PCI dispute to be approved for “HSTS Missing” the customer must substantiate either:

    1. That none of the 4 listed threats apply to the specific server
    2. That the customer has one or more compensating controls which together go “above and beyond” the protection that HSTS provides. 3)
    3. You are using an older Cisco AnyConnect VPN, which:

      • Does not support HSTS on its VPN port AND
      • Is running a supported version of Cisco IOS AND
      • You have enabled Cisco Strict Certificate Trust 4)
    4. You are using AWS S3 delivered via CloudFront where:
      • Only HTTPS is allowed
      • If HTTP to HTTPS redirect is used then it must be enforced on the CloudFront layer
      • S3 permissions deny access via HTTP to the S3 files

    Footnotes:

    1. BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
    2. OWASP HTTP Strict Transport Security Cheat Sheet
    3. PCI on compensating controls
    4. http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#pgfId-43187

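As an added illustration (not Alert Logic's scanner code and not part of the comment above), the following Python evaluates an HTTPS response's headers the way an “HSTS Missing” check conceptually does: header absent, header malformed per RFC 6797, or max-age too short to be useful. The MIN_MAX_AGE threshold and the sample responses are assumptions constructed for this example.

```python
import re

# Assumed policy threshold (not from the page): one year, a common recommendation.
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value} per RFC 6797.
    Names are case-insensitive; values may be tokens or quoted strings.
    Returns None when the header is invalid (duplicate directive, bad/missing max-age)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        if name in directives:  # duplicates make the whole header invalid
            return None
        directives[name] = val
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    return directives


def check_hsts(headers):
    """Return (passed, reason) for an HTTPS response's headers (any key case)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("strict-transport-security")
    if raw is None:
        return False, "HSTS Missing"
    parsed = parse_hsts(raw)
    if parsed is None:
        return False, "HSTS header malformed: %r" % raw
    max_age = int(parsed["max-age"])
    if max_age == 0:
        return False, "HSTS disabled (max-age=0)"
    if max_age < MIN_MAX_AGE:
        return False, "HSTS max-age too short: %d" % max_age
    subs = "includesubdomains" in parsed
    return True, "HSTS present (max-age=%d, includeSubDomains=%s)" % (max_age, subs)


# Constructed sample responses, not captured from any real host.
SAMPLES = {
    "missing": {"Content-Type": "text/html"},
    "ok": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "short": {"strict-transport-security": 'max-age="600"'},
    "bad": {"Strict-Transport-Security": "includeSubDomains"},
}
```

Run `check_hsts(SAMPLES["ok"])` and the others to see which responses a scanner would flag; only a present, well-formed header with a sufficiently long max-age passes.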
  • Taylor Drescher

    What does this have to do with PCI, which PCI artifact is this listed under?

    As far as I'm aware this is an OWASP issue not PCI, this at most should be a recommendation/warning not a hard fail.

  • Jesper Jurcenoks

    Great question from Taylor, as there are no direct references to OWASP Top 10 in the PCI ASV Program Guide 2.0.

    HSTS - HTTP Strict Transport Security is covered under PCI using either of the following 2 requirements:

    1. Web server misconfigurations

    PCI ASV Program Guide 2.0 Page 18,

    The ASV scanning solution must be able to test for all known vulnerabilities and configuration issues on web servers.

    Since at least 2014 both PCI ASV Certification labs interpret the above to include OWASP Top 10 and enforce that the ASV scans can detect all of OWASP Top 10 as a requirement to be certified as an ASV.

    PCI ASV Program Guide 3.0 (Mandatory per June 1st 2017) Page 25
    The ASV scan solution must be able to detect via automated or manual means current vulnerabilities and configuration issues (for example, OWASP Top 10, SANS CWE Top 25, etc.)

    2. CVSS Base score >= 4.0

    PCI ASV Program Guide 2.0 Page 22 and PCI ASV Program Guide 3.0 Page 30
    "To assist customers in prioritizing the solution or mitigating identified issues, ASVs must assign a severity level to each identified vulnerability or misconfiguration, .... Whenever possible, ASVs must use...Common Vulnerability Scoring System (CVSS) version 2.0 ... any vulnerability with a CVSS base score of 4.0 or higher will result in a non-compliant scan, and all such vulnerabilities must be remediated by the scan customer"
