
Security scanner false positives

Some scanner tools incorrectly report security issues. This article discusses the root cause of those false positives.

Written by Michael Fatica
Updated over 2 weeks ago

Security scanning tools are a great resource for broadly monitoring many IT assets across the enterprise, including web applications like MetaLocator. Every such tool uses a database of signatures associated with known vulnerabilities. When a signature matches a detected resource, the vulnerability is considered present and the scanning software can raise an alert, whether or not the underlying weakness actually exists.

MetaLocator monitors our application closely for security issues, and we perform our own scans using in-house testing as well as external scanning and penetration testing tools.

There are a few detections that are consistently flagged against our application but are incorrectly marked as vulnerabilities. The most common are as follows:

  1. Missing Anti-Clickjacking Header - Most scanners treat a login screen that can be loaded inside an IFRAME as a security issue. An anti-clickjacking header (X-Frame-Options, for example) prevents an application from being displayed inside a FRAMESET or IFRAME, protecting against an attacker who embeds the page in an IFRAME on another site and tricks the user into entering their credentials there. MetaLocator is designed to be embedded within an IFRAME, so it must not block framing.

  2. Absence of Anti-CSRF Tokens - This is flagged because most scanners look for a form input named "csrf" or similar. Our application uses a dynamically generated input name to carry the CSRF token, so the token is rarely recognized by scanning software, including OWASP ZAP.

  3. Cross Site Scripting (Reflected) - MetaLocator supports deep linking, which allows the interface to be controlled via special URL parameters. Security scanning tools sometimes flag this as reflected XSS; however, it is safe and intentional behavior.
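To make the root cause of the second false positive concrete, here is an added illustration (not MetaLocator's code, and not how any particular scanner is implemented): a name-list heuristic like the one described above, beside an entropy-based check a reviewer can use to confirm by hand that a dynamically named token is in fact present. The token name list and the two sample forms are constructed for the example.

```python
import math
from html.parser import HTMLParser

# Field names a signature-based scanner typically matches on (constructed, illustrative list).
KNOWN_TOKEN_NAMES = {"csrf", "csrf_token", "_csrf", "csrftoken", "authenticity_token"}

class HiddenInputCollector(HTMLParser):
    """Collects (name, value) pairs of <input type="hidden"> elements in a form."""
    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden":
            self.hidden.append((a.get("name", ""), a.get("value", "")))

def hidden_inputs(form_html):
    parser = HiddenInputCollector()
    parser.feed(form_html)
    return parser.hidden

def name_based_detection(form_html):
    """The scanner heuristic: a token counts as present only if a hidden field has a well-known name."""
    return any(name.lower() in KNOWN_TOKEN_NAMES for name, _ in hidden_inputs(form_html))

def shannon_entropy(s):
    """Bits per character; 4.0 is the maximum for a string drawn from 16 distinct symbols."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def looks_random(s, min_len=16, min_bits=3.0):
    return len(s) >= min_len and shannon_entropy(s) >= min_bits

def dynamic_token_detection(form_html):
    """Manual-review check: a hidden field whose NAME or value is a long, high-entropy string
    is very likely a dynamically named anti-CSRF token that a fixed name list cannot see."""
    return any(looks_random(n) or looks_random(v) for n, v in hidden_inputs(form_html))

# Constructed sample forms: a conventionally named token, and a token whose field name is the secret.
FORM_STATIC_NAME = ('<form method="post"><input type="hidden" name="csrf_token" value="t0k3n">'
                    '<input name="user"><input type="password" name="pass"></form>')
FORM_DYNAMIC_NAME = ('<form method="post">'
                     '<input type="hidden" name="0123456789abcdeffedcba9876543210" value="1">'
                     '<input name="user"><input type="password" name="pass"></form>')

if __name__ == "__main__":
    for label, form in (("static", FORM_STATIC_NAME), ("dynamic", FORM_DYNAMIC_NAME)):
        print(label, "name-based:", name_based_detection(form),
              "entropy-based:", dynamic_token_detection(form))
```

The second form is the case described above: the name-based check reports no token (the false positive), while the entropy check shows a 32-character hidden field name that only the server could have generated.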

If your scanning system has detected a security issue with MetaLocator, please contact us and we will gladly review the finding.
