The last review was a financial magazine website.
Let’s be honest, security matters far more to a bank than to a magazine site; and rightly so.
So this time, we’re taking a look at https://usbank.com
Misssing headers for main site response
- X-Frame-Options
- Missing Referrer-Policy
- Missing Content-Security-Policy
- HSTS flag present
- HSTS header missing preload
- HSTS header does not include subdomains
- Missing Feature-Policy
The above means that the users are susceptible to clickjacking, the site could leak sensitive data in the referer header to 3rd party websites, they do not have the most modern security option configured (Content-Security-Policy), HSTS configuration could be improved to increase its effectiveness, and lastly, Feature-Policy is a newer header which allows the organization to specify exactly which features it needs to use in a whitelist format so that if any malicious code is injected into the website to do something like use your gyroscope or GPS data, it cannot do so.
Lastly, they have Access-Control-Allow-Origin: * set which is a bad practice as it leaves the site susceptible to CORS vulnerabilities.
Login
The login page gives the following response:
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Cache-Control: private,no-cache, no-store, must-revalidate
Pragma: private,no-cache
Expires: -1
X-FRAME-OPTIONS: ALLOW-FROM https://www.usbank.com
WEB: OBCOF
Strict-Transport-Security: max-age=31536000
X-Akamai-Transformed: 9 47030 0 pmb=mTOE,1
Vary: Accept-Encoding
Content-Encoding: gzip
Date: Wed, 16 Oct 2019 02:45:00 GMT
Content-Length: 10941
Connection: keep-alive
Set-Cookie: ObSSOCookie=[redacted];secure; httponly; path=/; domain=.usbank.com
Set-Cookie: ObSSOCookie=loggedout; domain=.usbank.com; expires=Tue, 15-Oct-2019 02:45:00 GMT; path=/
Set-Cookie: CE=; domain=.usbank.com; expires=Tue, 16-Oct-2029 02:45:00 GMT; path=/; secure; HttpOnly
Set-Cookie: BR=; domain=.usbank.com; expires=Tue, 15-Oct-2019 02:45:00 GMT; path=/; secure; HttpOnly
Set-Cookie: EXTOLB=; expires=Mon, 16-Sep-2019 02:45:00 GMT
Set-Cookie: NLSessionSolbs=; expires=Mon, 16-Sep-2019 02:45:00 GMT
Set-Cookie: OLBWeb=; expires=Mon, 16-Sep-2019 02:45:00 GMT
Fortunately, UsBank prevents clickjacking on their login page using X-Frame-Options, enforces HSTS, and secures their cookies with the Secure and HttpOnly flags to prevent client-side JavaScript from accessing the cookie data and ensuring it is only transmitted over TLS.
However, they do not set up a Content-Security-Policy, Referrer-Policy, or X-Content-Type-Options. This could leave users vulnerable to cross-site scripting attacks, referer leakage of sensitive data, and attacks which utilize MIME-Sniffing.
Header Score: C
Privacy & Trackers
DuckDuckGo extension detected 4 trackers on the site:
Adobe
- dpm.demdex.net Advertising
- usbank.demdex.net Advertising
Ensighten
- nexus.ensighten.com Analytics
ForeSee Results
- gateway.foresee.com Analytics
Tracker Score: B
Verdict: For a bank, USBank.com could use some improvements.