Bug
Resolution: Unresolved
Major
As part of the Secure Development Lifecycle initiative being applied to JBoss EAP, we are in the process of enabling Dynamic Application Security Testing (DAST) using RapiDast (https://github.com/RedHatProductSecurity/rapidast), the tool maintained by the Red Hat Product Security team for DAST testing. We run RapiDast against EAP and get a set of reports that we need to triage further to understand whether each finding indicates a problem or a vulnerability.
Depending on the outcome of the triage, the Product Security team needs to retain the option to embargo any resulting bug reports, so please keep all discussion and the outcome of the triage internal to this EAPSUP. If bug reports need to be raised, we will coordinate their creation with the Product Security team.
This EAPSUP is being raised to request triage of the "Medium Risk Level" issue "Content Security Policy (CSP) Header Not Set" raised in the following report:
[^report.zip]
To reproduce this report locally, follow these steps:
{code:bash}
# Configure EAP: add a management user
$JBOSS_HOME/bin/add-user.sh -u 'admin' -p 'admin'

# Bind the management interface to 0.0.0.0 so that RapiDast running in podman
# can reach it via host.containers.internal
$JBOSS_HOME/bin/standalone.sh -bmanagement=0.0.0.0

# Run RapiDast
# These commands are taken from https://docs.engineering.redhat.com/display/PRODSEC/RapiDAST+QuickStart+Guide#RapiDASTQuickStartGuide-SetupanenvironmentforRapiDASTscanning

# Get the RapiDast repo
git clone https://github.com/RedHatProductSecurity/rapidast.git --branch main

# Set up the Python environment
cd rapidast
python3 -m venv venv
source venv/bin/activate
pip install -U pip
pip install -r requirements.txt

# Run RapiDast
# Download rapidast-config.yaml from the Jira attachment first
./rapidast.py --config rapidast-config.yaml

# Check the report at a path like the following (timestamp included)
# /rapidast/results/MyApp-1.0/DAST-20231109-084619-RapiDAST-MyApp-1.0/zap/zap-report.html
{code}
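To triage the "CSP Header Not Set" finding without re-running the full scan, it helps to classify the raw responses EAP returns the same way the scanner does. The script below is an added example written for this ticket; it is not RapiDast's or ZAP's own code. It assumes (labelled in the comments) that the alert is only meaningful for HTML responses, that Content-Security-Policy-Report-Only is a weaker form rather than a fix, that the legacy X-Content-Security-Policy / X-WebKit-CSP headers do not count, and that an empty policy value enforces nothing. The sample responses are constructed and do not come from the attached report.

```python
"""Classify HTTP responses for the 'Content Security Policy (CSP) Header Not Set' finding.

Added triage helper for this EAPSUP; not ZAP's or RapiDast's code.
Assumptions (not taken from the report):
  * the finding only applies to HTML responses (JSON/CLI endpoints are noise);
  * Content-Security-Policy-Report-Only is weaker than the enforcing header;
  * legacy X-Content-Security-Policy / X-WebKit-CSP headers are not a substitute;
  * an empty Content-Security-Policy value enforces nothing and counts as missing.
"""
from typing import Dict, Tuple

CSP = "content-security-policy"
CSP_REPORT_ONLY = "content-security-policy-report-only"
LEGACY = ("x-content-security-policy", "x-webkit-csp")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.x response into (status code, lower-cased header map).

    Repeated header names are joined with ', ', which is how RFC 9110
    allows list-valued headers to be combined.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def is_html(headers: Dict[str, str]) -> bool:
    """True when the media type (ignoring charset parameters) is an HTML document."""
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    return media_type in ("text/html", "application/xhtml+xml")


def csp_finding(headers: Dict[str, str]) -> str:
    """Return one of: not-applicable, present, report-only, legacy-only, missing."""
    if not is_html(headers):
        return "not-applicable"      # assumption: non-HTML responses are not in scope
    if headers.get(CSP, "").strip():
        return "present"
    if CSP_REPORT_ONLY in headers:
        return "report-only"         # assumption: reporting mode does not close the finding
    if any(name in headers for name in LEGACY):
        return "legacy-only"         # assumption: legacy headers are ignored by current browsers
    return "missing"


# Constructed sample responses (not captured from EAP or from the attached report).
SAMPLES = {
    "console_html": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html;charset=UTF-8\r\n"
        b"X-Frame-Options: SAMEORIGIN\r\n"
        b"\r\n<html><body>constructed page</body></html>"
    ),
    "management_json": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/json\r\n"
        b"\r\n{\"outcome\": \"success\"}"
    ),
    "report_only_html": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Security-Policy-Report-Only: default-src 'self'\r\n"
        b"\r\n<html></html>"
    ),
    "empty_policy_html": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Security-Policy:\r\n"
        b"\r\n<html></html>"
    ),
    "hardened_html": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Security-Policy: default-src 'self'\r\n"
        b"Content-Security-Policy: frame-ancestors 'none'\r\n"
        b"\r\n<html></html>"
    ),
}


def triage(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, str]:
    """Map each sample name to its CSP verdict."""
    return {name: csp_finding(parse_response(raw)[1]) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name}: {verdict}")
```

In practice the raw responses would be captured from the EAP endpoints listed in the report, and only the responses that come back as "missing" need a decision on whether the affected page is a real attack surface.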