Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-27169

RapiDast Scan: Content Security Policy (CSP) Header Not Set

XMLWordPrintable

    • False
    • None
    • False

      As a part of the Secure Development Lifecycle initiative being applied to JBoss EAP we are in the process of enabling Dynamic Application Security Testing (DAST) using RapiDast https://github.com/RedHatProductSecurity/rapidast, the tool maintained by Red Hat Product Security Team to perform DAST testing. We run RapiDast against EAP and get set of reports we need to triage further to understand if it is indicative of a problem or a vulnerability.

      Depending on the result of the triage the Product Security team require the ability to retain the option to embargo any resulting bug reports so please keep any discussion internal and the outcome of the triage to this EAPSUP, if bug reports need to be raised we will coordinate their creation with the Product Security Team.

      This EAPSUP is being raised to please request triage for the "Medium Risk Level" issue "Content Security Policy (CSP) Header Not Set" raised in the following report:

      [^report.zip]

      To get to this report locally follow these steps:

      # Configure EAP
      /bin/add-user.sh -u 'admin' -p 'admin'
      
      # Bind management to 0.0.0.0 to be able for RapiDast in podman to access host.containers.internal
      $JBOSS_HOME/bin/standalone.sh -bmanagement=0.0.0.0
      
      # Run RapiDast
      # Those commands are taken from https://docs.engineering.redhat.com/display/PRODSEC/RapiDAST+QuickStart+Guide#RapiDASTQuickStartGuide-SetupanenvironmentforRapiDASTscanning
      
      # Get RapiDast repo
      git clone https://github.com/RedHatProductSecurity/rapidast.git --branch main
      
      # Set python environment
      cd rapidast
      python3 -m venv venv
      source venv/bin/activate
      pip install -U pip
      pip install -r requirements.txt
      
      # Run RapiDast
      # Download rapidast-config.yaml from jira attachemnt
      ./rapidast.py --config rapidast-config.yaml
      
      #Check report in path (example, timestamp included) /rapidast/results/MyApp-1.0/DAST-20231109-084619-RapiDAST-MyApp-1.0/zap/zap-report.html
      

            Unassigned Unassigned
            jdenise@redhat.com Jean Francois Denise
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: