PCI Scan Vulnerability - Script Src Integrity Check & Cross Site Forgery Detection

Hi, Running an ASV scan and this was one of the risks; wondering what our description and response will be:

  1. “Report external script resources not using integrity.”

  2. We also got another one:

Cross-Site Request Forgery Detection
“The remote web server might be prone to cross-site request forgery attacks.”

  3. Lastly, they noted port 2096 may have been closed during the scan.
     What response would that get as well?

Hi jaykappa!

We are making progress fixing the scanner.

In the meantime, you can submit these false positive explanations to your ASV company.

1. “Report external script resources not using integrity.”

False positive explanation for ASV company:

  • Host is controlled by a PCI DSS compliant service provider.
  • Host is not vulnerable to payment entry data exfiltration.
  • Javascript inclusions are verified third parties.

2. “Remote web server might be prone to cross-site request forgery attacks - CGI scripts not protected by random tokens”

False positive explanation for ASV company:

  • Remote web server is NOT prone to cross-site request forgery attacks.
  • Remote web server does not have CGI scripts.

3. “Any finding related to port 2096”

False positive explanation for ASV company:

  • This port is not in scope. This port is unused and terminated at Cloudflare where the offending content is found. This port is not related to the storage, processing, or transmission of cardholder data.

Hi jaykappa,

I have some new words for the ASV company to include in your false positive explanation for #2. Apparently the description the ASV provides of the finding they identified is incorrect.

Updated text for False Positive for #2 - Cross-Site Request Forgery Detection

“All forms identified in the ASV report are forms that do not require authenticated access, therefore no CSRF vulnerability has been identified. Shopify uses random tokens to prevent CSRF attacks on authenticated forms.”

Shawn.
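Added example, not part of this thread and not Shopify's or the ASV's code: the two markup-level checks behind findings #1 and #2, reproduced in Python against a constructed HTML page, plus the Subresource Integrity value that clears #1. The hostnames, the token field names (authenticity_token, csrf_token, _token) and the sample page are assumptions chosen to illustrate the checks.

```python
"""Added example, not from the forum thread: reproduce the two markup-level
checks the ASV scanner appears to run (#1 external <script> without an
integrity attribute, #2 POST forms without an anti-CSRF token) and compute
the Subresource Integrity value that clears #1.  Hostnames, token field names
and the sample HTML below are constructed assumptions."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _Collector(HTMLParser):
    """Collect <script src> attributes and <form> blocks with their <input>s."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # attr dicts of <script ... src=...>
        self.forms = []            # (form attrs, [input attrs]) pairs
        self._open_form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.scripts.append(a)
        elif tag == "form":
            self._open_form = (a, [])
            self.forms.append(self._open_form)
        elif tag == "input" and self._open_form is not None:
            self._open_form[1].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None


def external_scripts_without_integrity(html, page_host):
    """Finding #1: scripts loaded from another host that carry no integrity= attribute."""
    c = _Collector()
    c.feed(html)
    flagged = []
    for a in c.scripts:
        host = urlparse(a["src"]).hostname   # None for relative URLs (same origin)
        if host and host.lower() != page_host.lower() and not a.get("integrity"):
            flagged.append(a["src"])
    return flagged


def post_forms_without_token(html, token_names=("authenticity_token", "csrf_token", "_token")):
    """Finding #2 as a scanner sees it: POST forms with no hidden token field.
    Markup alone cannot tell whether the form acts on an authenticated session,
    which is the distinction the false-positive wording relies on."""
    c = _Collector()
    c.feed(html)
    flagged = []
    for form_attrs, inputs in c.forms:
        if form_attrs.get("method", "get").lower() != "post":
            continue
        has_token = any(
            i.get("type", "").lower() == "hidden" and i.get("name", "").lower() in token_names
            for i in inputs
        )
        if not has_token:
            flagged.append(form_attrs.get("action", ""))
    return flagged


def sri_value(script_bytes, algo="sha384"):
    """integrity= value for a script body: <algo>-<base64(digest)>."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed sample page (assumed hostnames; not a real storefront).
SAMPLE_HTML = """
<script src="https://cdn.example.net/vendor.js"></script>
<script src="https://cdn.example.net/pinned.js"
        integrity="sha384-OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb"></script>
<script src="/assets/theme.js"></script>
<form method="post" action="/cart/add">
  <input type="hidden" name="id" value="123"><input type="submit">
</form>
<form method="post" action="/account/login">
  <input type="hidden" name="authenticity_token" value="r4nd0m">
  <input type="password" name="password">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
"""

if __name__ == "__main__":
    print("#1 external scripts without integrity:",
          external_scripts_without_integrity(SAMPLE_HTML, "shop.example.com"))
    print("#2 POST forms without a token field:", post_forms_without_token(SAMPLE_HTML))
    print("integrity value for a fetched script body:", sri_value(b"alert(1);"))
```

Against the sample page the first check flags only vendor.js (pinned.js carries an integrity attribute and theme.js is same-origin), and the second flags only /cart/add, an unauthenticated form, which is exactly the case the updated #2 wording covers: the scanner reports any POST form without a token, and the false-positive explanation has to supply the authentication context the markup does not.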