Impacted Resources bref/src/Event/Http/HttpResponse.php:61-90 Description When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. Precisely, if PHP generates a response with two headers having the same key but different values only the latest one is kept. Impact If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security. For example, if an application sets multiple Content-Security-Policy headers, then Bref would just reflect the latest one. PoC Create a new Bref project. Create an index.php file with the following content: “`php alert(document.domain) 3. Use the following `serverless.yml` to deploy the Lambda:yaml service: app provider: name: aws region: eu-central-1 plugins: – ./vendor/bref/bref functions: api: handler: index.php description: '' runtime: php-81-fpm timeout: 28 # in seconds (API Gateway has a timeout of 29 seconds) events: – httpApi: '*' Exclude files from deployment package: patterns: – '!node_modules/' – '!tests/' “ 4. Browse the Lambda URL. 5. Notice that the JavaScript code is executed as theContent-Security-Policy: script-src 'none'header has been removed. 6. Notice that the external image has not been loaded as theContent-Security-Policy: img-src 'self'header has been kept. 7. Start a PHP server inside the project…Read More