Web Application Assessment Report
Multiple Reports
HP Fortify WebInspect

Site: https://15.154.119.166:63002/index.html
Scan Name:
Scan Type: Site
Client: FF
Server: https://15.154.119.166:63002
Policy: Standard
Scan Date: 2/17/2016 11:46:29 AM
Scan Duration: 2 minutes : 36 seconds
Scan Version: 10.40.244.10
Crawl Sessions / Vulnerabilities: 24 and 22 (the extracted layout does not preserve which count belongs to which field)

Transport Layer Protection: Weak SSL Cipher (Critical)

Summary:

WebInspect has detected support for weak TLS/SSL ciphers on server https://15.154.119.166:63002/.

The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols provide a protection mechanism to ensure authenticity, confidentiality and integrity of the data transmitted between a client and web server. The strength of this protection mechanism is determined by the authentication, encryption and hashing algorithms, collectively known as a cipher suite, chosen for the transmission of sensitive information over the TLS/SSL channel. Most web servers support a range of such cipher suites of varying strengths. Using a weak cipher, or an encryption key of insufficient length, could allow an attacker to defeat the protection mechanism and steal or modify sensitive information.

If misconfigured, a web server can be manipulated into negotiating a weak cipher suite, since the client controls which suites it offers. The recommendation is to update the web server configuration so that it always chooses the strongest ciphers for encryption and enforces its own preference order rather than the client's.

Execution:

Each weak cipher was enumerated by establishing an SSL connection with the target host and offering only the cipher under test in the Client Hello message of the SSL handshake. A server that completes the handshake supports that cipher.

Implication:

A weak encryption scheme can be subjected to brute-force attacks that have a reasonable chance of succeeding using current methods and resources. An attacker on the network path may be able to execute a man-in-the-middle attack, which would allow them to intercept, monitor and tamper with sensitive data.

Fix:

Disable support for weak ciphers on the server. Weak ciphers are generally defined as:

· any cipher with key length less than 128 bits
· export-class cipher suites
· NULL ciphers
· ciphers that support unauthenticated modes (anonymous Diffie-Hellman)

The following ciphers supported by the server are weak and should be disabled:

· TLS_RSA_WITH_DES_CBC_SHA (single DES, 56-bit key)

· For Apache, modify the following lines in httpd.conf or ssl.conf:
· SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!NULL:RC4+RSA:+HIGH:+MEDIUM
· For IIS, please refer to Microsoft Knowledge Base Articles:
· Article ID: 187498
· Article ID: 245030 and
· Security Guidance for IIS
· For other servers, please refer to vendor-specific documentation.

The following ciphers supported by the server should provide adequate protection and may be left enabled:

· TLS_RSA_WITH_RC4_128_MD5
· TLS_RSA_WITH_RC4_128_SHA
· TLS_RSA_WITH_3DES_EDE_CBC_SHA
· TLS_RSA_WITH_AES_128_CBC_SHA
· TLS_RSA_WITH_AES_256_CBC_SHA
· TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
· TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
· TLS_RSA_WITH_SEED_CBC_SHA

Two caveats on that "adequate" list. It reflects the check's own baseline, not current practice: RC4 is prohibited for TLS by RFC 7465 (2015) and 3DES provides only 112 bits of effective strength, so the two RC4 suites and the 3DES suite should be disabled as well, and the Apache cipher string above, which still promotes RC4 (RC4+RSA), should not be copied as-is. Every suite the server offers also uses static RSA key exchange (TLS_RSA_WITH_...), which is why the "Missing Perfect Forward Secrecy" finding later in this report fires; replacing them with ECDHE suites resolves both findings at once.

Reference:

· OWASP: Transport Layer Protection Cheat Sheet
· PCI Security Standards Council: https://www.pcisecuritystandards.org/pdfs/pcissc_assessors_nl_2008-11.pdf
· Microsoft: Knowledge Base Article ID: 187498; Knowledge Base Article ID: 245030; Security Guidance for IIS
· Apache: SSL/TLS Strong Encryption: FAQ

File Names: https://15.154.119.166:63002/js/lib/badfile123.js

Report Date: 2/17/2016
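The Execution section describes the probe but not how a suite is judged weak. The following Python script, added here as an illustration and not part of the WebInspect report or toolkit, applies the four weak-cipher criteria from the Fix section to IANA suite names and then offers each suite on its own in the ClientHello, as the check does. The IANA-to-OpenSSL name map, the target host and port, and the use of OpenSSL's @SECLEVEL=0 to re-enable legacy suites are assumptions of the example.

```python
"""Classify TLS cipher suites against the four weak-cipher criteria listed in the
Fix section, and probe a server one suite at a time the way the Execution
section describes. Added example, not WebInspect code."""
import re
import socket
import ssl

# Key sizes for bulk ciphers whose IANA name carries no explicit bit count.
# 3DES is nominally 168 bits (112 effective); the report still counts it as adequate.
_IMPLICIT_BITS = {"DES": 56, "3DES": 168, "SEED": 128, "IDEA": 128, "CHACHA20": 256, "NULL": 0}

# IANA name -> OpenSSL name, for the suites this report mentions (extend as needed).
OPENSSL_NAMES = {
    "TLS_RSA_WITH_DES_CBC_SHA": "DES-CBC-SHA",
    "TLS_RSA_WITH_RC4_128_MD5": "RC4-MD5",
    "TLS_RSA_WITH_RC4_128_SHA": "RC4-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA": "CAMELLIA128-SHA",
    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA": "CAMELLIA256-SHA",
    "TLS_RSA_WITH_SEED_CBC_SHA": "SEED-SHA",
}


def bulk_cipher(suite: str) -> str:
    """Bulk-cipher part of an IANA suite name: 'AES_128_CBC' for
    TLS_RSA_WITH_AES_128_CBC_SHA, 'AES_128_GCM' for the TLS 1.3 name."""
    body = suite.split("_WITH_", 1)[1] if "_WITH_" in suite else suite[len("TLS_"):]
    return re.sub(r"_(SHA\d*|MD5)$", "", body)


def key_bits(suite: str) -> int:
    """Nominal key length; unknown algorithms score 0 so they get flagged for review."""
    cipher = bulk_cipher(suite)
    for token in cipher.split("_"):
        if token.isdigit():
            return int(token)
    return _IMPLICIT_BITS.get(cipher.split("_")[0], 0)


def weak_reasons(suite: str) -> list:
    """The report's four criteria; an empty list means the suite passes them."""
    reasons = []
    if "EXPORT" in suite:
        reasons.append("export-class suite")
    if bulk_cipher(suite).startswith("NULL"):
        reasons.append("NULL cipher (no encryption)")
    if "_anon_" in suite:
        reasons.append("unauthenticated (anonymous) key exchange")
    if key_bits(suite) < 128:
        reasons.append("key length %d < 128 bits" % key_bits(suite))
    return reasons


def probe_suite(host: str, port: int, suite: str, timeout: float = 5.0):
    """Offer exactly one suite in the ClientHello. True: server accepted it.
    False: handshake refused. None: the local OpenSSL cannot even offer it
    (modern builds drop DES/RC4; '@SECLEVEL=0' re-enables what is still compiled in)."""
    name = OPENSSL_NAMES.get(suite)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # the cipher is under test, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # legacy suites exist only up to TLS 1.2
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers("@SECLEVEL=0:" + name)
    except (ssl.SSLError, ValueError, TypeError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == name
    except (ssl.SSLError, OSError):
        return False


def audit(host: str, port: int, suites=tuple(OPENSSL_NAMES)) -> dict:
    """suite -> (accepted, reasons) for every suite probed."""
    return {s: (probe_suite(host, port, s), weak_reasons(s)) for s in suites}


if __name__ == "__main__":
    for suite, (accepted, reasons) in audit("15.154.119.166", 63002).items():
        status = {True: "ACCEPTED", False: "refused", None: "untestable locally"}[accepted]
        print("%-40s %-20s %s" % (suite, status, "; ".join(reasons) or "ok"))
```

A result of None means the local library, not the server, refused to offer the suite; that is the usual outcome for DES and RC4 on current distributions (OpenSSL drops them unless built with enable-weak-ssl-ciphers), and it is why a scanner with its own TLS stack is needed to confirm this finding.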

Server Misconfiguration: SSL Certificate Hostname Discrepancy (Medium)

Summary:

This policy states that any area of the website or web application that contains sensitive information or access to privileged functionality, such as remote site administration, requires that the certificate used by the server is issued for the same host as the server hostname. https://15.154.119.166:63002/ has failed this policy.

Implication:

The hostname specified by the certificate does not match the hostname being used to access the host. Such a discrepancy causes certificate validation to fail, negating the security benefit of using a certificate to verify that the server is trusted: users learn to click through the warning, and a man-in-the-middle presenting any other certificate looks no different to them.

Fix:

A new certificate with the appropriate hostname should be installed. For hosts with multiple names, a wildcard certificate may be appropriate. Because this site is accessed by IP address (15.154.119.166), note that a wildcard name cannot cover it: the certificate must either carry the address in an iPAddress subjectAltName entry, or the site should be served under a DNS name that the certificate lists.

File Names: https://15.154.119.166:63002/
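The matching rule behind this finding is the one from RFC 6125 that browsers apply. The Python below, added as an illustration and not WebInspect code, implements it over the dict shape ssl.getpeercert() returns, including the two points that matter for this target: an IP-literal target matches only an iPAddress SAN entry, and a wildcard covers exactly one label. The two sample certificates are constructed, not the scanned host's; fetch_peer_cert assumes a reachable host and a CA file you supply.

```python
"""Check a server certificate against the name actually used to reach the host,
following the RFC 6125 rules browsers apply. Added example, not WebInspect code;
the sample certificates below are constructed, not the scanned host's."""
import ipaddress
import socket
import ssl


def _dns_match(pattern: str, host: str) -> bool:
    """One SAN dNSName (possibly '*.example') against a DNS host name."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard covers exactly one leftmost label: '*.lab.example' matches
        # 'node1.lab.example' but not 'lab.example' or 'a.node1.lab.example'.
        suffix = pattern[1:]
        prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
        return prefix != "" and "." not in prefix
    return pattern == host


def cert_matches(cert: dict, target: str) -> bool:
    """`cert` is the dict shape ssl.SSLSocket.getpeercert() returns.
    IP-literal targets match only an iPAddress SAN entry; a wildcard never covers them."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    names = [val for kind, val in sans if kind == "DNS"]
    if not names:
        # Legacy fallback to the subject CN, only when the cert has no dNSName SAN;
        # current browsers skip this step entirely.
        names = [val for rdn in cert.get("subject", ()) for key, val in rdn if key == "commonName"]
    return any(_dns_match(name, target) for name in names)


def fetch_peer_cert(host: str, port: int, cafile: str, timeout: float = 5.0) -> dict:
    """Live check (assumes the host is reachable). The chain is verified against
    `cafile` (the organisation's CA, or the self-signed cert itself) while the
    host-name check is disabled so a mismatch is reported rather than aborted."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed examples of the two situations the finding distinguishes.
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "hpsum.lab.example"),),),
    "subjectAltName": (("DNS", "hpsum.lab.example"), ("DNS", "*.lab.example"),
                       ("IP Address", "15.154.119.166")),
}
CERT_LOCALHOST_ONLY = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"),),
}

if __name__ == "__main__":
    for label, cert in (("ip-san", CERT_WITH_IP_SAN), ("localhost-only", CERT_LOCALHOST_ONLY)):
        print(label, "15.154.119.166", cert_matches(cert, "15.154.119.166"))
```

Note that getpeercert() only returns a populated dict when the chain verified, which is why the live helper keeps CERT_REQUIRED and disables just the name check; to inspect a self-signed certificate, pass that certificate's own PEM file as cafile.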

Server Misconfiguration: Cache Policy (Low)

Summary:

WebInspect has detected a potentially unsafe cache control policy for secure content. While content transmitted over an SSL/TLS channel is expected to remain confidential, administrators must nonetheless ensure that caching of sensitive content is disabled unless absolutely needed. The misconception that user agents do not cache secure content by default can leave secure content cacheable by browsers and so fail the organization's cache policy. An unsafe specification such as Cache-Control: public instructs the browser to persistently cache the content on disk. Caching can be restricted by specifying one of the following three directives in the response headers:

· Cache-Control: private
· Cache-Control: no-cache
· Cache-Control: no-store

Only no-store actually keeps the response out of the browser's disk cache: private still lets the browser store it, and no-cache lets any cache store it subject to revalidation. For sensitive responses send Cache-Control: no-store (commonly together with no-cache, plus Pragma: no-cache for HTTP/1.0 intermediaries). The GET / response recorded in the appendix of this report carries Last-Modified and Etag but no Cache-Control at all, so caches may apply heuristic freshness and serve it without contacting the server.

Execution:

Send a request to https://15.154.119.166:63002/js/hpsum/shell-require.js?BMN=1455689874449 and inspect the Cache-Control header value.

Implication:

Insecure caching policies could lead to content spoofing or information theft.

SSL provides a secure, encrypted channel to transfer information from the server to the user. Information served over SSL is considered sensitive and trusted to be available only to the requester. However, caching this content on disk in temporary internet files, or in an intermediate proxy server, can compromise that trust by exposing it to everyone who has access to that temporary storage or proxy cache. Content served over SSL should have caching disabled.

Fix:

Set the Cache-Control directive to private, no-cache and/or no-store.

private: This directive prevents a shared cache from storing responses that are intended for a single user. It can be used to ensure that privileged information is not accidentally leaked to other users of a shared proxy. The directive still allows caching by non-shared caches, i.e. the user's own browser.

no-cache: For sensitive resources requiring user authentication, servers can send the no-cache directive so that a cache must revalidate the stored response with the origin server before reusing it; the protected content is therefore never served from cache without the server seeing the request again. The directive can be specified with or without field names. With no field names it applies to the entire response. With one or more field names (for example Cache-Control: no-cache="Set-Cookie"), the response may be cached but the named fields must be removed from the cached copy; if a field must be kept, the cache has to revalidate with the origin server before reuse.

no-store: To completely disable caching of requests or responses, the server must specify the no-store directive in the Cache-Control header. This directive applies to the entire request and response regardless of whether it is sent in the request or the response.

Reference:

· Server Configuration: IIS, Apache
· HTTP 1.1 Specification: HTTP Header Field Definitions
· OWASP: Browser Cache FAQ
· HTTP Caching: Tutorial

File Names: https://15.154.119.166:63002/js/hpsum/shell-require.js?BMN=1455689874449
https://15.154.119.166:63002/index.html
https://15.154.119.166:63002/js/lib/require.js
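The Fix section lists the directives but not what a cache does when none of them is present, which is the state the appendix shows for this site. The Python below, added as an illustration and not WebInspect code, parses Cache-Control (including quoted field lists), computes the heuristic freshness lifetime RFC 7234 allows when a response carries only Last-Modified, and grades a header set the way this check does. REPORT_INDEX_HEADERS is the header block of the GET / response reproduced in the appendix; fetch_headers assumes a reachable host.

```python
"""Parse Cache-Control, work out what a cache is allowed to do with a response,
and compute the heuristic freshness a browser may apply when no directive is
present at all (RFC 7234 4.2.2). Added example, not WebInspect code."""
import email.utils
import ssl
import urllib.error
import urllib.request

# Header block of the GET / response reproduced in the appendix of this report:
# Last-Modified and Etag are present, Cache-Control is not.
REPORT_INDEX_HEADERS = {
    "Date": "Wed, 17 Feb 2016 14:26:31 GMT",
    "Last-Modified": "Mon, 15 Feb 2016 09:57:04 GMT",
    "Etag": '"56c1a0f0.978"',
    "Content-Type": "text/html",
    "Content-Length": "978",
    "Connection": "close",
    "Accept-Ranges": "bytes",
}


def parse_cache_control(value: str) -> dict:
    """{directive: value-or-None}; a comma inside a quoted value such as
    no-cache="Set-Cookie, Authorization" does not split the directive."""
    out, token, quoted = {}, "", False
    for ch in value + ",":
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            part = token.strip()
            if part:
                name, sep, val = part.partition("=")
                out[name.strip().lower()] = val.strip().strip('"') if sep else None
            token = ""
        else:
            token += ch
    return out


def heuristic_freshness_seconds(headers: dict):
    """Seconds a cache may reuse the response without asking the origin, using the
    10% of (Date - Last-Modified) rule RFC 7234 cites and browsers apply.
    None when explicit freshness or validation directives make the heuristic moot."""
    h = {k.lower(): v for k, v in headers.items()}
    if "date" not in h or "last-modified" not in h or "expires" in h:
        return None
    cc = parse_cache_control(h.get("cache-control", ""))
    if any(d in cc for d in ("max-age", "s-maxage", "no-cache", "no-store")):
        return None
    age = (email.utils.parsedate_to_datetime(h["date"])
           - email.utils.parsedate_to_datetime(h["last-modified"]))
    return int(age.total_seconds() * 0.1)


def assess_cache_policy(headers: dict) -> tuple:
    """(verdict, reason) for a sensitive resource served over TLS."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return "pass", "no-store: no cache may write the response to storage"
    if "no-cache" in cc and cc["no-cache"] is None:
        return "warn", "no-cache: may be stored, but must be revalidated with the origin before reuse"
    if "private" in cc:
        return "warn", "private: shared caches excluded, but the browser may persist it to disk"
    if "public" in cc or "max-age" in cc or "s-maxage" in cc or "expires" in h:
        return "fail", "explicit freshness lets any cache serve it without contacting the origin"
    lifetime = heuristic_freshness_seconds(h)
    if lifetime:
        return "fail", "no Cache-Control: heuristic caching allows reuse for about %d s" % lifetime
    return "fail", "no caching directives at all"


def fetch_headers(url: str, timeout: float = 5.0) -> dict:
    """Live check (assumes the host is reachable). Certificate verification is off
    only because the scanned host presents a certificate for the wrong name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return dict(resp.headers)
    except urllib.error.HTTPError as err:     # 4xx/5xx responses still carry headers
        return dict(err.headers)


if __name__ == "__main__":
    print(assess_cache_policy(REPORT_INDEX_HEADERS))
    print(assess_cache_policy({"Cache-Control": "no-store, no-cache", "Pragma": "no-cache"}))
```

For the appendix headers the heuristic comes out at roughly 18900 seconds, a little over five hours during which a browser or proxy may hand the page back without revalidating; that is the concrete exposure behind a "missing Cache-Control" finding.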

Server Misconfiguration: Response Headers (Low)

Summary:

Missing a Content-Type header in the HTTP response could expose the application to Cross-Site Scripting vulnerabilities via:

Content Sniffing Mismatch

Failure to explicitly specify the type of the content served by the requested resource can allow attackers to conduct Cross-Site Scripting attacks by exploiting the inconsistencies in the content sniffing techniques employed by browsers. The Content-Type header is used by:

· The web server, to dictate how the requested resource is interpreted by the user agent. In the absence of this header the browser depends on content sniffing algorithms to guess the type of content and render or interpret it accordingly.
· File upload filters, to discard file types not allowed by the application. In the absence of a Content-Type header, the file upload filter relies on the file extension or the content of the file to detect and store an appropriate MIME type for the uploaded file.

The lack of an explicit content type specification can allow attackers to exploit the mismatch between the MIME sniffing algorithm used by the browser and the one used by the upload filter. By uploading files with benign extensions (like .jpg), an attacker can easily bypass the upload filter and upload files containing malicious HTML content. The browser's content sniffing algorithm will nevertheless render the file as HTML based on its content, executing any malicious scripts embedded in it.

Character Set Mismatch

Character set specification is part of the Content-Type header. Absence of this specification could allow attackers to bypass input validation filters or HTML entity escaping and conduct Cross-Site Scripting attacks against the target application. When the character set is not specified, browsers attempt to guess the most appropriate one. This can result in a mismatch between the character set assumed by the application when generating the content and the one the browser uses when parsing and interpreting it. An attacker can exploit this inconsistency by encoding the attack in a character set that hides the malicious payload from the validation filters and escaping mechanisms put in place by the application, while the browser still interprets it as executable markup. Current browsers do not auto-detect UTF-7, so the UTF-7 scenario below is largely historical; the charset should still be declared, because guessing between other encodings remains possible.

Execution:

The example scenarios below demonstrate exploitation of the weakness.

Content Sniffing Mismatch

1. The attacker uploads a file with a .jpg extension and no Content-Type specification. The file contains malicious HTML and JavaScript content.
2. In the absence of the Content-Type header, the application saves the uploaded file along with the MIME type implied by the .jpg extension.
3. The attacker uses social engineering to entice the target into accessing the uploaded file.
4. Upon receiving the requested file without a Content-Type header, the target's browser assumes the content type to be HTML based on the HTML and JavaScript inside, renders the file, and executes the attacker's JavaScript payload.

Character Set Mismatch

1. The attacker converts the desired payload of alert(document.location) into the UTF-7 encoded string +ADw-script+AD4-alert(document.location)+ADw-/script+AD4 and sends it to the vulnerable application.
2. An application using the ISO-8859-1 character set for filtering or escaping special characters fails to detect the '<' and '>' characters as dangerous, because in that encoding the bytes sent contain neither.
3. The absence of a character set specification, due to the missing Content-Type header, forces the browser to guess the character set to use for rendering the response containing the attacker's payload. If the browser guesses UTF-7, the injected payload executes.

Implication:

The application fails to impose constraints on the parsing and interpretation of the response content, allowing attackers to bypass validation filters or escaping functionality, introduce malicious scripts, and force the browser to execute the desired payload.

Fix:

Configure the server to send the appropriate content type and character set information for the requested resource, and add X-Content-Type-Options: nosniff so that browsers do not promote an unlabelled or mislabelled resource to HTML or script. In this scan most of the flagged URLs are 404 responses: the odd entries such as /js/lib/pkg.location are fragments of JavaScript source inside require.js that the crawler followed as links, and the appendix shows that the HPSUM Engine's 404 response carries Server and Content-Length but no Content-Type. The fix therefore applies to the server's error handler as much as to real content; check that the remaining JavaScript and CSS entries are served with an explicit Content-Type that includes a charset parameter.

Reference:

· Server Configuration: Mime Types in IIS 7; Content Negotiation - Apache HTTP Server
· Content Sniffing: Mime Sniffing Standard; Content Sniffing Signatures; Secure Content Sniffing for Web Browsers [PDF]
· OWASP: OWASP Testing Guide Appendix D: Encoded Injection

File Names: https://15.154.119.166:63002/js/lib/location%20||%20pkgObj.name,
https://15.154.119.166:63002/js/lib/non-.js
https://15.154.119.166:63002/js/lib/context.nameToUrl(normalize(moduleNamePlusExt,
https://15.154.119.166:63002/js/lib/moduleName
https://15.154.119.166:63002/js/lib/pkg.location
https://15.154.119.166:63002/js/lib/pkg.location;
https://15.154.119.166:63002/js/lib/syms.join(
https://15.154.119.166:63002/js/lib/src.length
https://15.154.119.166:63002/img/hp-piano/down-arrow-select.png")%20no-repeat%20right%20center,%20-w
https://15.154.119.166:63002/js/hpsum/src/test/js/require-base.js
https://15.154.119.166:63002/js/hpsum/src/tour/js/tour/tour-require.js
https://15.154.119.166:63002/js/hpsum/hpsum/hpsum_version.js
https://15.154.119.166:63002/js/hpsum/index.html
https://15.154.119.166:63002/js/hpsum/src/tour/js/tour/css/compiled/hpsum.css
https://15.154.119.166:63002/js/hpsum/hpsum/css/compiled/hpsum.css
https://15.154.119.166:63002/js/hpsum/src/test/js/css/compiled/hpsum.css
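Both scenarios in the Execution section can be played out offline. The Python below, added as an illustration and not WebInspect code, models the browser side of each: a simplified rendition of the HTML pattern table from the WHATWG MIME Sniffing Standard decides whether an unlabelled body is promoted to text/html (and how X-Content-Type-Options: nosniff changes that), and the report's UTF-7 payload is run through an ISO-8859-1 escaper and then decoded the way a browser that guessed UTF-7 would. The "uploaded image" bytes are constructed; the sniffing model is deliberately partial and is an assumption of the example, not the standard itself.

```python
"""Show the two mismatches in the Summary: (1) a browser sniffing an unlabelled
body as HTML, modelled on the HTML pattern table of the WHATWG MIME Sniffing
Standard (simplified), and (2) a UTF-7 payload passing an ISO-8859-1 filter.
Added example, not WebInspect code; the upload bytes are constructed."""
import html

# Tag openers from the MIME Sniffing Standard's HTML table; the match is
# case-insensitive and must be followed by a space or '>' (the standard's
# "tag-terminating byte"). Leading whitespace is skipped, only 1445 bytes are examined.
_HTML_TAGS = (b"<!DOCTYPE HTML", b"<HTML", b"<HEAD", b"<SCRIPT", b"<IFRAME", b"<H1",
              b"<DIV", b"<FONT", b"<TABLE", b"<A", b"<STYLE", b"<TITLE", b"<B",
              b"<BODY", b"<BR", b"<P", b"<!--")
# The standard's "binary data bytes": their presence turns an unknown body into octet-stream.
_BINARY_BYTES = set(range(0x00, 0x09)) | {0x0B} | set(range(0x0E, 0x1B)) | set(range(0x1C, 0x20))


def sniffs_as_html(body: bytes) -> bool:
    head = body[:1445].lstrip(b"\t\n\x0c\r ")
    upper = head.upper()
    for tag in _HTML_TAGS:
        if upper.startswith(tag) and head[len(tag):len(tag) + 1] in (b" ", b">"):
            return True
    return False


def effective_type(headers: dict, body: bytes) -> str:
    """Simplified model of the type a browser assigns on navigation: an explicit
    Content-Type wins; with none, the HTML patterns run unless nosniff is set,
    in which case only non-scriptable outcomes (text/plain, octet-stream) remain."""
    h = {k.lower(): v for k, v in headers.items()}
    declared = h.get("content-type")
    if declared:
        return declared.split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    if not nosniff and sniffs_as_html(body):
        return "text/html"
    return "application/octet-stream" if any(b in _BINARY_BYTES for b in body[:1445]) else "text/plain"


# Scenario 1: "image" upload that is really HTML (constructed).
UPLOADED_JPG = b"<html><body><script>alert(document.cookie)</script></body></html>"

# Scenario 2: the report's UTF-7 payload, with the closing '-' that terminates
# each shift sequence written out.
PAYLOAD_UTF7 = b"+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-"


def filter_as_latin1(raw: bytes) -> str:
    """What an ISO-8859-1 based escaper sees: the bytes hold no '<' or '>',
    so html.escape has nothing to do and the payload passes unchanged."""
    return html.escape(raw.decode("latin-1"))


def browser_as_utf7(raw: bytes) -> str:
    """What a browser that guessed UTF-7 renders."""
    return raw.decode("utf-7")


if __name__ == "__main__":
    print(effective_type({}, UPLOADED_JPG))
    print(effective_type({"X-Content-Type-Options": "nosniff"}, UPLOADED_JPG))
    print(effective_type({"Content-Type": "image/jpeg"}, UPLOADED_JPG))
    print(filter_as_latin1(PAYLOAD_UTF7), "->", browser_as_utf7(PAYLOAD_UTF7))
```

The three effective_type calls in the main block are the three states the Fix section distinguishes: no header (sniffed to HTML), nosniff without a type (downgraded to text/plain), and a correct declared type (honoured as sent).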

Insecure SSL: Missing HTTP Strict Transport Security (Low)

Summary:

HTTP Strict Transport Security (HSTS) lets a web application instruct browsers to communicate with the server only over an encrypted TLS connection for a set period. The policy is declared via the Strict-Transport-Security response header. The encrypted connection protects sensitive user and session data from attackers eavesdropping on the network connection. Consider the following attack scenarios:

· Users often omit the URI scheme (https://) when typing a URL into the location bar to access a website, and third-party websites may link to the site using the http scheme instead of https. This results in an initial connection to an HTTPS-enabled site over an unencrypted channel. An eavesdropping attacker can hijack this unencrypted connection and rewrite the HTTPS links to HTTP in an attack known as SSLStrip, gaining access to all subsequent traffic.

· Websites often transfer non-sensitive resources such as help documents over an unencrypted HTTP connection. Any cookies without the Secure flag are sent along with such requests, potentially disclosing sensitive user and session data to an eavesdropper.

· Man-in-the-middle attacks that exploit users' tendency to click through invalid-certificate warnings, e.g. SSLSniff.

For web sites configured with an accurate HSTS policy, browsers automatically upgrade any HTTP connections to HTTPS. Furthermore, browsers prevent users from overriding any host certificate warnings. HSTS therefore offers an effective defense against the above attack scenarios.

Execution:

Access https://15.154.119.166:63002/js/lib/require.js and notice the absence of the Strict-Transport-Security header in the HTTP response.

Implication:

A successful MITM attack such as SSLStrip or SSLSniff can lead to the compromise of sensitive user data such as financial information, Social Security numbers and personal information, and can grant unauthorized access to user accounts, enabling attackers to perform privileged actions on the client's behalf.

Fix:

Configure the web application to include the Strict-Transport-Security header in every response generated by the HTTPS-enabled site. Any HTTP version of the site on the same domain should permanently redirect to the HTTPS site. The header should not be sent in plain-HTTP responses, as browsers ignore it there.

Note that the header does not protect the very first connection to the site, or connections made after the policy's max-age has expired. To close that gap, the site can be added to the preloaded HSTS host list shipped with Google Chrome, Mozilla Firefox and other browsers.

Two caveats apply to this particular target. HSTS is keyed on domain names only: a browser will not record a policy for a host accessed by IP literal (RFC 6797, section 8.1.1), so the header has no effect until the service is reached under a DNS name. And because the certificate does not match the hostname (see the hostname discrepancy finding above), a browser that did honour an HSTS policy would refuse to connect at all rather than show a bypassable warning; the certificate must be fixed first.

Reference:

http://tools.ietf.org/html/rfc6797

File Names: https://15.154.119.166:63002/js/lib/require.js
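Verifying the fix means more than seeing the header appear. The Python below, added as an illustration and not WebInspect code, parses a Strict-Transport-Security value per RFC 6797 and reports what is wrong with the policy for the URL it came from, including the IP-literal rule that makes the header inert for this target and the max-age and includeSubDomains requirements of the browser preload list. The one-year preload threshold and the finding wording are the example's own; fetch_hsts assumes a reachable host.

```python
"""Parse and evaluate a Strict-Transport-Security policy for the URL it came
from, including the IP-literal rule that makes the header useless for this
particular target. Added example, not WebInspect code."""
import ipaddress
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ONE_YEAR = 31536000   # minimum max-age the browser preload list (hstspreload.org) accepts


def parse_hsts(value: str):
    """Directives of a Strict-Transport-Security value per RFC 6797 6.1:
    names are case-insensitive, max-age is mandatory, no directive may repeat.
    Returns {name: value-or-None} with max-age as int, or None if malformed."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"') if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    directives["max-age"] = int(max_age)
    return directives


def evaluate_hsts(url: str, header_value) -> list:
    """Findings for the policy a response to `url` carried (None = no header).
    An empty list means the policy is sound and preload-eligible."""
    findings = []
    parts = urlsplit(url)
    try:
        ipaddress.ip_address(parts.hostname or "")
        findings.append("host is an IP literal: browsers never record HSTS for IP addresses "
                        "(RFC 6797 8.1.1); serve the site under a DNS name first")
    except ValueError:
        pass
    if parts.scheme != "https":
        findings.append("the header only takes effect on HTTPS responses; redirect HTTP to HTTPS instead")
    if header_value is None:
        findings.append("Strict-Transport-Security header missing")
        return findings
    policy = parse_hsts(header_value)
    if policy is None:
        findings.append("malformed header: max-age is required and directives must not repeat")
        return findings
    if policy["max-age"] == 0:
        findings.append("max-age=0 deletes any stored policy")
    elif policy["max-age"] < ONE_YEAR:
        findings.append("max-age %d is below the one year needed for preload submission" % policy["max-age"])
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains missing: cookies scoped to the parent domain "
                        "stay exposed through insecure subdomains")
    return findings


def fetch_hsts(url: str, timeout: float = 5.0):
    """Live check (assumes the host is reachable); verification is off only because
    the scanned host's certificate does not match its name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return resp.headers.get("Strict-Transport-Security")
    except urllib.error.HTTPError as err:
        return err.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    target = "https://15.154.119.166:63002/js/lib/require.js"
    for finding in evaluate_hsts(target, fetch_hsts(target)):
        print("-", finding)
```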

System Information Leak: Filename Found in Comments (Informational)

Summary:

A URL or filename was found in the comments of the file.

File Names: https://15.154.119.166:63002/index.html
https://15.154.119.166:63002/

Compliance Failure: Missing Privacy Policy (Best Practice)

Summary:

A privacy policy was not supplied by the web application within the scope of this audit. Many legislative initiatives require that organizations place a publicly accessible document within their web application that defines their website's privacy policy. As a general rule, these privacy policies must detail what information an organization collects, the purpose for collecting it, potential avenues of disclosure, and methods for addressing potential grievances. Laws governing privacy policies include the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), the California Online Privacy Protection Act of 2003, the European Union's Data Protection Directive and others.

Execution:

All of the web pages accessible within the scope of the scan are sampled for textual content that typically constitutes a privacy policy statement. A violation is reported when the crawl completes without a successful match against any of the web pages. Note that the privacy policy of your application could be located on another host or within a section of the site that was not configured as part of the scan. To validate, try to access the privacy policy of your website and check whether it was part of the scan. The content of the following resources requires manual inspection to verify whether it comprises the privacy policy statement:

· http://requirejs.org:80/docs/errors.html (an external link embedded in require.js error messages, not part of the application under test)

Implication:

Most privacy laws are created to protect residents who are users of the website. Hence, organizations from any part of the world must adhere to these laws if they cater to customers residing in those jurisdictions. Failing to do so could result in legal action by the corresponding government against the organization.

Fix:

Declare a comprehensive privacy policy for the website, and ensure that it is accessible from every page that seeks personal information from users. To verify the fix, rescan the site in order to discover and audit the newly added resources.

Any standard web application privacy policy should include the following components:

· A description of the intended purpose for collecting the data.
· A description of the use of the data.
· Methods for limiting the use and disclosure of the information.
· A list of the types of third parties to whom the information might be disclosed.
· Contact information for inquiries and complaints.

Reference:

· California Online Privacy Protection Act: http://oag.ca.gov/privacy/COPPA
· National Conference of State Legislatures: http://www.ncsl.org/issues-research/telecom/state-laws-related-to-internet-privacy.aspx
· Gramm-Leach-Bliley Act: http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/pdf/PLAW-106publ102.pdf
· Health Insurance Portability and Accountability Act of 1996: https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/downloads/HIPAALaw.pdf
· European Union Data Protection Directive (UK guide): http://ec.europa.eu/justice/policies/privacy/docs/guide/guide-ukingdom_en.pdf

File Names: https://15.154.119.166:63002/index.html

Insecure SSL: Missing Perfect Forward Secrecy (Best Practice)

Summary:

Perfect Forward Secrecy (PFS) assures the secrecy of encrypted communications into the future in case the SSL/TLS private key is compromised. PFS is a property of the key-exchange protocol used to establish the shared secret between the client and the server [1]. On a server without forward secrecy, both the authentication of the server and the protection of the session key depend on the long-term private key: the client encrypts the premaster secret to that key. Hence a compromised long-term private key jeopardizes every recorded communication, past and future. PFS mitigates this by using the long-term private key only for authentication and deriving the session keys from a fresh, short-lived key agreement. PFS is commonly achieved using Diffie-Hellman with ephemeral keys (DHE) or Elliptic Curve Diffie-Hellman with ephemeral keys (ECDHE) [2, 3, 4]. For every TLS session established with a DHE or ECDHE key exchange, the server is required to use a new Diffie-Hellman public/private key pair for the generation of the TLS master secret [8]. The server signs this Diffie-Hellman public key with its long-term private key to guarantee authenticity; the long-term key is never used to encrypt session contents. While a stolen ephemeral private key would allow an attacker to decipher encrypted communication, the compromise is confined to the specific session for which the ephemeral key was generated. Ephemeral keys should never be logged.

WebInspect has determined that the target server does not support any of the known PFS cipher suites. This is consistent with the cipher list in the weak-cipher finding above: every suite the server offers uses static RSA key exchange (TLS_RSA_WITH_...).

Execution:

A list of the ciphers supported by this server can be obtained by running the ServerAnalyzer tool from the WebInspect toolkit. Notice the absence of "DHE" and "ECDHE" in the list of supported cipher-suite names.

Implication:

A stolen long-term private key can be used by an attacker to decrypt previously intercepted communication, putting user data at risk for as long as that data remains relevant. This shortcoming of SSL/TLS was accentuated in the wake of the Heartbleed vulnerability [5] in the OpenSSL library [6], which allowed attackers to read server private keys among other sensitive memory contents.

Fix:

PFS is enabled by turning on Diffie-Hellman Ephemeral (DHE) or Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) cipher suites on the server [2], e.g.

· For Apache, modify the SSLCipherSuite parameter in the server configuration to add ECDHE or DHE key exchange algorithms, and set SSLHonorCipherOrder on so the server's preference wins.
· For nginx, modify ssl_ciphers in the server configuration to add ECDHE or DHE key exchange algorithms, with ssl_prefer_server_ciphers on.
· For IIS, please refer to the following knowledge base articles:
· http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx
· http://support.microsoft.com/kb/245030

Put the ECDHE suites ahead of DHE: ECDHE is cheaper, and DHE needs parameters of at least 2048 bits to be worth enabling. In TLS 1.3 forward secrecy is no longer optional, since all key exchange there is ephemeral (EC)DHE; enabling TLS 1.3 resolves this finding for every client that supports it.

Reference:

[1] http://en.wikipedia.org/wiki/Forward_secrecy
[2] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[3] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC 2631, June 1999.
[4] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)", RFC 4492, May 2006. http://tools.ietf.org/html/rfc4492
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
[6] http://www.openssl.org/
[7] http://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange
[8] http://nginx.org/en/docs/http/ngx_http_ssl_module.html
[9] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

File Names: https://15.154.119.166:63002/js/lib/badfile123.js
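The Summary's argument is easiest to believe when it is run. The Python below, added as an illustration and not WebInspect code, plays both handshakes with toy parameters: a static-RSA session whose premaster secret is encrypted to the long-term key, and a DHE session where that key only signs the server's ephemeral value. The same attacker, handed the long-term private key after the fact, recovers the first session's plaintext and nothing from the second. The RSA primes, the DH group and the XOR "record layer" are constructed stand-ins chosen to keep the code short; none of it is usable for real traffic.

```python
"""Why a stolen long-term key breaks past static-RSA sessions but not (EC)DHE
sessions, played out with toy parameters. Added example, not WebInspect code;
the RSA primes, the DH group and the XOR "record layer" are constructed stand-ins
for illustration only and must not be used for real traffic."""
import hashlib
import secrets

# Toy long-term RSA key (two small primes; real keys are 2048+ bits).
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: this is what gets stolen later

# Toy DH group: Mersenne prime 2^127 - 1 with generator 2 (real groups: RFC 7919, 2048+ bits).
DH_P, DH_G = (1 << 127) - 1, 2


def derive_key(premaster: int, client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in for the TLS PRF: session key from the premaster secret and both nonces."""
    return hashlib.sha256(premaster.to_bytes(32, "big") + client_random + server_random).digest()


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Toy record protection: XOR with a SHA-256 keystream (symmetric)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def rsa_sign(msg: bytes, d: int = D) -> int:
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big") % N, d, N)


def rsa_verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def rsa_kx_session(plaintext: bytes) -> dict:
    """TLS_RSA_*: the client encrypts the premaster secret to the server's long-term key."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    premaster = secrets.randbelow(N)
    key = derive_key(premaster, cr, sr)
    return {"client_random": cr, "server_random": sr,
            "enc_premaster": pow(premaster, E, N),        # ClientKeyExchange
            "ciphertext": xor_crypt(key, plaintext)}       # application data


def dhe_session(plaintext: bytes) -> dict:
    """TLS_DHE_RSA_*: fresh DH keys on both sides; the long-term key only signs g^y."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    y = secrets.randbelow(DH_P - 2) + 1                  # server's ephemeral secret
    gy = pow(DH_G, y, DH_P)
    sig = rsa_sign(cr + sr + gy.to_bytes(16, "big"))    # ServerKeyExchange signature
    x = secrets.randbelow(DH_P - 2) + 1                  # client's ephemeral secret
    gx = pow(DH_G, x, DH_P)
    assert rsa_verify(cr + sr + gy.to_bytes(16, "big"), sig)   # client authenticates server
    assert pow(gy, x, DH_P) == pow(gx, y, DH_P)          # both sides agree on the secret
    key = derive_key(pow(gy, x, DH_P), cr, sr)
    # x and y are discarded after the handshake; only the public values are on the wire.
    return {"client_random": cr, "server_random": sr, "gx": gx, "gy": gy, "sig": sig,
            "ciphertext": xor_crypt(key, plaintext)}


def attacker_with_stolen_key(transcript: dict, stolen_d: int) -> dict:
    """What a recorded transcript yields once the long-term private key leaks."""
    if "enc_premaster" in transcript:
        # Static RSA: decrypt the premaster, rerun the derivation, read the session.
        premaster = pow(transcript["enc_premaster"], stolen_d, N)
        key = derive_key(premaster, transcript["client_random"], transcript["server_random"])
        return {"past_plaintext": xor_crypt(key, transcript["ciphertext"]),
                "can_forge_future_handshake": True}
    # DHE: the key lets the attacker sign, i.e. impersonate the server in future
    # sessions, but the transcript holds only g^x and g^y; without x or y the
    # shared secret, and so the session key, stays unknown.
    probe = b"attacker-chosen g^y"
    return {"past_plaintext": None,
            "can_forge_future_handshake": rsa_verify(probe, rsa_sign(probe, stolen_d))}


if __name__ == "__main__":
    secret_request = b"GET /index.html HTTP/1.1\r\nCookie: session=constructed-sample\r\n"
    for label, session in (("static RSA", rsa_kx_session), ("DHE", dhe_session)):
        print(label, attacker_with_stolen_key(session(secret_request), D))
```

The second outcome is the limit of forward secrecy as well as its strength: a leaked signing key still enables active impersonation from that moment on, which is why key compromise must still be followed by revocation and reissue even on a PFS-only server.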


Critical Issues

Transport Layer Protection: Weak SSL Cipher ( 11285 )

CWE: 319, 326, 327
Kingdom: Environment

Page: https://15.154.119.166:63002/js/lib/badfile123.js

Request:

GET /js/lib/badfile123.js HTTP/1.1
Referer: https://15.154.119.166:6300...TRUNCATED...

Response:

HTTP/1.1 404 File not found
Date: Wed, 17 Feb 2016 14:26:30 GMT
Server: HPSUM Engine 7.6.0
Content-Length: 966

HPSUM 7.6.0 - Error
Error finding resource /js/lib/badfile123.js

Medium Issues

Server Misconfiguration: SSL Certificate Hostname Discrepancy ( 4725 )

CWE: 284, 287
Kingdom: Environment

Page: https://15.154.119.166:63002/

Request:

GET / HTTP/1.1
Referer: https://15.154.119.166:63002/js/lib/badfile123.js
Accept: */*
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: 15.154.119.166:63002
Connection: Keep-Alive
X-WIPP: AscVersion=10.40.244.10
X-Scan-Memo: Category="Audit.Attack"; SID="D07A146EF38B9C6314FFDC5B9682C7EA"; PSID="CFF6313AEF782574BB620E5E879CB293"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Other"; OriginatingEngineID="3daa743d-51a1-4f6d-b750-0a97717fbf99"; AttackSequence="0"; AttackParamDesc=""; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="4725"; Engine="Certificate+Host+Check"; Retry="False"; SmartMode="NonServerSpecificOnly"; ThreadId="59"; ThreadType="AuditorStateRequestorPool";
X-RequestManager-Memo: sc="1"; ID="0cc3916d-36de-4035-9b55-70f6fc7838ea";
X-Request-Memo: ID="17e21d46-8464-47f0-ba0e-5f43599c1b19"; sc="1"; ThreadId="67";

Response:

HTTP/1.1 200 OK
Date: Wed, 17 Feb 2016 14:26:31 GMT
Last-Modified: Mon, 15 Feb 2016 09:57:04 GMT
Etag: "56c1a0f0.978"
Content-Type: text/html
Content-Length: 978
Connection: close
Accept-Ranges: bytes

HP SUM

var require = {
urlArgs : "BMN=" + new Date().getTime()};

Loading ...

Low Issues

Server Misconfiguration: Cache Policy ( 11306 )

CWE: 525
Kingdom: Environment

Page: https://15.154.119.166:63002/js/hpsum/shell-require.js?BMN=1455689874449

Request:

GET /js/hpsum/shell-require.js?BMN=1455689874449 HTTP/1...TRUNCATED...

Response:

HTTP/1.1 200 OK
Date: Wed, 17 Feb 2016 14:26:23 GMT
L...TRUNCATED...

Page: https://15.154.119.166:63002/index.html

Request:

GET /index.html HTTP/1.1
Accept: */*
Pragma: no-cache
...TRUNCATED...

Response:

HTTP/1.1 200 OK
Date: Wed, 17 Feb 2016 14:25:15 GMT
L...TRUNCATED...

Page: https://15.154.119.166:63002/js/lib/require.js

Request:

GET /js/lib/require.js HTTP/1.1
Referer: https://15.15...TRUNCATED...

Response:

HTTP/1.1 200 OK
Date: Wed, 17 Feb 2016 14:25:37 GMT
L...TRUNCATED...

    Server Misconfiguration: Response Headers ( 11308 ) View Description

    CWE: 79

    Kingdom: Environment

    https://15.154.119.166:63002/js/lib/location%20||%20pkgObj.name,Page:

    Request:

    GET /js/lib/location%20||%20pkgObj.name, HTTP/1.1Referer: https://15.154.119.166:63002/js/lib/require.jsAccept: */*Pragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0Host: 15.154.119.166:63002Connection: Keep-AliveX-WIPP: AscVersion=10.40.244.10X-Scan-Memo: Category="Crawl"; SID="D6C19A7958038CA291F0BF53DA0AB2BB"; PSID="C4C62D8CAE7CA7538D7172E88F93F878"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="26"; ThreadType="CrawlBreadthFirstDBReader"; X-RequestManager-Memo: StateID="29"; sc="1"; ID="fda4d335-8ca5-4ee9-bbd1-2916b17705ee"; X-Request-Memo: ID="2f66c0b2-d27e-4fe0-9ec8-fbab8e39f87e"; sc="1"; ThreadId="62"; Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 404 File not foundDate: Wed, 17 Feb 2016 14:26:41 G2TServer: HPSUM Engine 7.6.0

    https://15.154.119.166:63002/js/lib/non-.jsPage:

    Request:

    GET /js/lib/non-.js HTTP/1.1Referer: https://15.154.119.166:63002/js/lib/require.jsAccept: */*Pragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0Host: 15.154.119.166:63002Connection: Keep-AliveX-WIPP: AscVersion=10.40.244.10X-Scan-Memo: Category="Crawl"; SID="70F761EF839657E1537721935CF9719B"; PSID="C4C62D8CAE7CA7538D7172E88F93F878"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="26"; ThreadType="CrawlBreadthFirstDBReader"; X-RequestManager-Memo: StateID="29"; sc="1"; ID="231a078f-d394-48ea-b249-c34cf1e1da76"; X-Request-Memo: ID="6ae87579-f831-4469-a25b-7c3f0b01ae2c"; sc="2"; ThreadId="62"; Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Report Date: 2/17/2016 13

    TOC://Vulnerability\Site: https://15.154.119.166:63002/index.html\Appendix (Check Descriptions)\ Low Issues\Server Misconfiguration: Response Headers ( 11308 ) https://15.154.119.166:63002/js/lib/location%20||%20pkgObj.name,https://15.154.119.166:63002/js/lib/non-.js

  • Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 404 File not foundDate: Wed, 17 Feb 2016 14:26:44 G2TServer: HPSUM Engine 7.6.0Content-Length: 960

    HPSUM 7.6.0 - Error

    Error finding resource /js/lib/non-.js

    https://15.154.119.166:63002/js/lib/context.nameToUrl(normalize(moduleNamePlusExt,Page:

    Request:

    GET /js/lib/context.nameToUrl(normalize(moduleNamePlusExt, HTTP/1.1
    Referer: https://15.154.119.166:63002/js/lib/require.js
    Accept: */*
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Host: 15.154.119.166:63002
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Crawl"; SID="57733C8826F647AC6CE6009EAF057967"; PSID="C4C62D8CAE7CA7538D7172E88F93F878"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="26"; ThreadType="CrawlBreadthFirstDBReader";
    X-RequestManager-Memo: StateID="29"; sc="1"; ID="e6cb0f02-5631-462f-8c9c-79a45b8fea1c";
    X-Request-Memo: ID="e36f712a-ef4b-4a91-b8d5-ed15d241ab91"; sc="1"; ThreadId="63";
    Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 404 File not found
    Date: Wed, 17 Feb 2016 14:26:44 G2T
    Server: HPSUM Engine 7.6.0

    Page: https://15.154.119.166:63002/js/lib/moduleName

    Request:

    GET /js/lib/moduleName HTTP/1.1
    Referer: https://15.154.119.166:63002/js/lib/require.js
    Accept: */*
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Host: 15.154.119.166:63002
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Crawl"; SID="CC41288A568A66B042DE082166546C63"; PSID="C4C62D8CAE7CA7538D7172E88F93F878"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="26"; ThreadType="CrawlBreadthFirstDBReader";
    X-RequestManager-Memo: StateID="29"; sc="1"; ID="2efb4ca8-8b37-48a7-a057-a57ba6d1b0d3";
    X-Request-Memo: ID="1da09e26-2299-47f3-b483-acc4a7138c79"; sc="1"; ThreadId="65";
    Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 404 File not found
    Date: Wed, 17 Feb 2016 14:26:44 G2T
    Server: HPSUM Engine 7.6.0

    Page: https://15.154.119.166:63002/js/lib/pkg.location

    Request:

    GET /js/lib/pkg.location HTTP/1.1
    Referer: https://15.154.119.166:63002/js/lib/require.js
    Accept: */*
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Host: 15.154.119.166:63002
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Crawl"; SID="7DF9E7A98307FBA4A2237360007B0D20"; PSID="C4C62D8CAE7CA7538D7172E88F93F878"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="26"; ThreadType="CrawlBreadthFirstDBReader";
    X-RequestManager-Memo: StateID="29"; sc="1"; ID="85556da4-dc6d-49a5-bc0c-3d59fd572892";
    X-Request-Memo: ID="0bc4ee36-1f52-4c55-8fa8-e8e500402e88"; sc="1"; ThreadId="64";
    Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 404 File not found
    Date: Wed, 17 Feb 2016 14:26:44 G2T
    Server: HPSUM Engine 7.6.0

    Page: https://15.154.119.166:63002/js/lib/pkg.location;

    Request:

    GET /js/lib/pkg.location; HTTP/1.1
    Referer: https://15.154.119.166:63002/js/lib/require.js
    Accept: */*
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Host: 15.154.119.166:63002
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Crawl"; SID="61B52F7B4C4DC991D2A7F439ED67208C"; PSID="C4C62D8CAE7CA7538D7172E88F93F878"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="26"; ThreadType="CrawlBreadthFirstDBReader";
    X-RequestManager-Memo: StateID="29"; sc="1"; ID="e9191037-8920-481f-bbe5-6bcff35b3c59";
    X-Request-Memo: ID="d1edc7d7-4f83-4b38-9290-9efb674a385a"; sc="2"; ThreadId="61";
    Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 404 File not found
    Date: Wed, 17 Feb 2016 14:26:44 G2T
    Server: HPSUM Engine 7.6.0

    Page: https://15.154.119.166:63002/js/lib/syms.join(

    Request:

    GET /js/lib/syms.join( HTTP/1.1
    Referer: https://15.154.119.166:63002/js/lib/require.js
    Accept: */*
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Host: 15.154.119.166:63002
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Crawl"; SID="F23816A7D6CEF2366049D22DE4A659BC"; PSID="C4C62D8CAE7CA7538D7172E88F93F878"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="26"; ThreadType="CrawlBreadthFirstDBReader";
    X-RequestManager-Memo: StateID="29"; sc="1"; ID="64acb814-98ec-4817-ae93-69d6fdc25137";
    X-Request-Memo: ID="ae62958b-27c8-4108-b2c9-97f490954bc3"; sc="2"; ThreadId="62";
    Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 404 File not found
    Date: Wed, 17 Feb 2016 14:26:44 G2T
    Server: HPSUM Engine 7.6.0

    Page: https://15.154.119.166:63002/js/lib/src.length

    Request:

    GET /js/lib/src.length HTTP/1.1
    Referer: https://15.154.119.166:63002/js/lib/require.js
    Accept: */*
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Host: 15.154.119.166:63002
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Crawl"; SID="41525A532FB4B6D0F11EF0E0B85A987E"; PSID="C4C62D8CAE7CA7538D7172E88F93F878"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="26"; ThreadType="CrawlBreadthFirstDBReader";
    X-RequestManager-Memo: StateID="29"; sc="1"; ID="2fd28969-51ca-4f2b-88d4-551ae675df53";
    X-Request-Memo: ID="4d1f996e-1057-419f-8f3e-ae46cd98a2ec"; sc="2"; ThreadId="63";
    Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 404 File not found
    Date: Wed, 17 Feb 2016 14:26:44 G2T
    Server: HPSUM Engine 7.6.0

    Page: https://15.154.119.166:63002/img/hp-piano/down-arrow-select.png")%20no-repeat%20right%20center,%20-webkit-gradient(linear,%20left%20top,%20left%20bottom,%20from(white),%20to(

    Request:

    GET /img/hp-piano/down-arrow-select.png")%20no-repeat%20right%20center,%20-webkit-gradient(linear,%20left%20top,%20left%20bottom,%20from(white),%20to( HTTP/1.1
    Referer: https://15.154.119.166:63002/css/compiled/hp-piano.css
    Accept: */*
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Host: 15.154.119.166:63002
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Crawl"; SID="2E975A879D166A13C0650C9FB388BCE7"; PSID="539267EB536605D3421CD60119EE7B7A"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="26"; ThreadType="CrawlBreadthFirstDBReader";
    X-RequestManager-Memo: StateID="29"; sc="1"; ID="2bd759aa-b382-444d-9cee-578ea889c6ee";
    X-Request-Memo: ID="141f5c41-5787-4755-b425-34a1beda7675"; sc="2"; ThreadId="65";
    Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 404 File not found
    Date: Wed, 17 Feb 2016 14:26:45 G2T
    Server: HPSUM Engine 7.6.0

    Page: https://15.154.119.166:63002/js/hpsum/src/test/js/require-base.js

    Request:

    GET /js/hpsum/src/test/js/require-base.js HTTP/1.1
    Referer: https://15.154.119.166:63002/js/hpsum/shell-require.js?BMN=1455689874449
    Accept: */*
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Host: 15.154.119.166:63002
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Crawl"; SID="0BDA72BB1CF07D0F3CB0294D667CBCA6"; PSID="EE387E489633C080C0B3796C5C4E7508"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="26"; ThreadType="CrawlBreadthFirstDBReader";
    X-RequestManager-Memo: StateID="29"; sc="1"; ID="be3f6b80-f9c5-49d6-809a-9d443447efe7";
    X-Request-Memo: ID="6f56200a-2630-4420-ae97-bd9d2e185f12"; sc="2"; ThreadId="64";
    Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 404 File not found
    Date: Wed, 17 Feb 2016 14:26:48 G2T
    Server: HPSUM Engine 7.6.0
    Content-Length: 982

    HPSUM 7.6.0 - Error

    Error finding resource /js/hpsum/src/test/js/require-base.js

    Page: https://15.154.119.166:63002/js/hpsum/src/tour/js/tour/tour-require.js

    Request:

    GET /js/hpsum/src/tour/js/tour/tour-require.js HTTP/1.1
    Referer: https://15.154.119.166:63002/js/hpsum/shell-require.js?BMN=1455689874449
    Accept: */*
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Host: 15.154.119.166:63002
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Crawl"; SID="8F59EFEB0483AF5638CD04ED13D10650"; PSID="EE387E489633C080C0B3796C5C4E7508"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="26"; ThreadType="CrawlBreadthFirstDBReader";
    X-RequestManager-Memo: StateID="29"; sc="1"; ID="8bff5810-a0ec-4f95-981a-7db696c4b9f3";
    X-Request-Memo: ID="28f5bdb3-52d3-4f5b-8403-c28a4ea77b61"; sc="2"; ThreadId="62";
    Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 404 File not found
    Date: Wed, 17 Feb 2016 14:26:48 G2T
    Server: HPSUM Engine 7.6.0
    Content-Length: 987

    HPSUM 7.6.0 - Error

    Error finding resource /js/hpsum/src/tour/js/tour/tour-require.js

    Page: https://15.154.119.166:63002/js/hpsum/hpsum/hpsum_version.js

    Request:

    GET /js/hpsum/hpsum/hpsum_version.js HTTP/1.1
    Referer: https://15.154.119.166:63002/js/hpsum/shell-require.js?BMN=1455689874449
    Accept: */*
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Host: 15.154.119.166:63002
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Crawl"; SID="03C170FBCEEFBDE06B2B417DA338B150"; PSID="EE387E489633C080C0B3796C5C4E7508"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="26"; ThreadType="CrawlBreadthFirstDBReader";
    X-RequestManager-Memo: StateID="29"; sc="1"; ID="ee4ced9a-fcbf-433d-909f-f8c9eac13e74";
    X-Request-Memo: ID="2b7005a1-6ad0-4719-ad2d-c0cb93a9ce75"; sc="2"; ThreadId="63";
    Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 404 File not found
    Date: Wed, 17 Feb 2016 14:26:48 G2T
    Server: HPSUM Engine 7.6.0
    Content-Length: 977

    HPSUM 7.6.0 - Error

    Error finding resource /js/hpsum/hpsum/hpsum_version.js

    Page: https://15.154.119.166:63002/js/hpsum/index.html

    Request:

    GET /js/hpsum/index.html HTTP/1.1
    Referer: https://15.154.119.166:63002/js/hpsum/shell-require.js?BMN=1455689874449
    Accept: */*
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Host: 15.154.119.166:63002
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Crawl"; SID="300D62330D4FE95412CBA93DD20F9BC4"; PSID="EE387E489633C080C0B3796C5C4E7508"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="26"; ThreadType="CrawlBreadthFirstDBReader";
    X-RequestManager-Memo: StateID="29"; sc="1"; ID="4b979667-093c-4be1-9419-a127ad74b73a";
    X-Request-Memo: ID="0fdf9c4f-19f9-4bc8-91b5-e7e30d8faf42"; sc="2"; ThreadId="61";
    Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 404 File not found
    Date: Wed, 17 Feb 2016 14:26:49 G2T
    Server: HPSUM Engine 7.6.0
    Content-Length: 965

    HPSUM 7.6.0 - Error

    Error finding resource /js/hpsum/index.html

    Page: https://15.154.119.166:63002/js/hpsum/src/tour/js/tour/css/compiled/hpsum.css

    Request:

    GET /js/hpsum/src/tour/js/tour/css/compiled/hpsum.css HTTP/1.1
    Referer: https://15.154.119.166:63002/js/hpsum/src/tour/js/tour/tour-require.js
    Accept: */*
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Host: 15.154.119.166:63002
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Crawl"; SID="127C3256E024D9968C248DC8E1FD81C9"; PSID="8F59EFEB0483AF5638CD04ED13D10650"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="26"; ThreadType="CrawlBreadthFirstDBReader";
    X-RequestManager-Memo: StateID="29"; sc="1"; ID="5d0818e7-1029-40df-b683-d1da216799e9";
    X-Request-Memo: ID="2fa18c39-54de-4207-9141-12376a6ea19a"; sc="2"; ThreadId="63";
    Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 404 File not found
    Date: Wed, 17 Feb 2016 14:26:52 G2T
    Server: HPSUM Engine 7.6.0
    Content-Length: 994

    HPSUM 7.6.0 - Error

    Error finding resource /js/hpsum/src/tour/js/tour/css/compiled/hpsum.css

    Page: https://15.154.119.166:63002/js/hpsum/hpsum/css/compiled/hpsum.css

    Request:

    GET /js/hpsum/hpsum/css/compiled/hpsum.css HTTP/1.1
    Referer: https://15.154.119.166:63002/js/hpsum/hpsum/hpsum_version.js
    Accept: */*
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Host: 15.154.119.166:63002
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Crawl"; SID="88A50BF8F08A20FB85419611F144DE11"; PSID="03C170FBCEEFBDE06B2B417DA338B150"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="26"; ThreadType="CrawlBreadthFirstDBReader";
    X-RequestManager-Memo: StateID="29"; sc="1"; ID="b2d352a4-8407-4965-8b57-81d75564f6bc";
    X-Request-Memo: ID="5fc8d19e-8196-41b7-821e-21e23f331627"; sc="2"; ThreadId="62";
    Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 404 File not found
    Date: Wed, 17 Feb 2016 14:26:52 G2T
    Server: HPSUM Engine 7.6.0
    Content-Length: 983


    HPSUM 7.6.0 - Error

    Error finding resource /js/hpsum/hpsum/css/compiled/hpsum.css

    Page: https://15.154.119.166:63002/js/hpsum/src/test/js/css/compiled/hpsum.css

    Request:

    GET /js/hpsum/src/test/js/css/compiled/hpsum.css HTTP/1.1
    Referer: https://15.154.119.166:63002/js/hpsum/src/test/js/require-base.js
    Accept: */*
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Host: 15.154.119.166:63002
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Crawl"; SID="255C2F4F89E886E5156FF69D472466D2"; PSID="0BDA72BB1CF07D0F3CB0294D667CBCA6"; SessionType="Crawl"; CrawlType="HTML"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="16"; ThreadType="CrawlBreadthFirstDBReader";
    X-RequestManager-Memo: StateID="29"; sc="1"; ID="74f440bd-459f-4e2c-be22-3570988d3c6a";
    X-Request-Memo: ID="fc146755-53c0-493d-8508-77ede38f0d0e"; sc="2"; ThreadId="65";
    Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 404 File not found
    Date: Wed, 17 Feb 2016 14:26:53 G2T
    Server: HPSUM Engine 7.6.0
    Content-Length: 989

    (C) Copyright 2011 Hewlett-Packard Development Company, L.P.-->

    HPSUM 7.6.0 - Error

    Error finding resource /js/hpsum/src/test/js/css/compiled/hpsum.css

    Insecure SSL: Missing Http Strict Transport ( 11365 )

    CWE: 319

    Kingdom: Security Features

    Page: https://15.154.119.166:63002/js/lib/require.js

    Request:

    GET /js/lib/require.js HTTP/1.1
    Referer: https://15.154.119.166:63002/index.html
    Host: 15.154.119.166:63002
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Crawl"; SID="C4C62D8CAE7CA7538D7172E88F93F878"; PSID="6D70A8710830BBBD715A279F4857A5E1"; SessionType="Crawl"; CrawlType="ScriptInclude"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="158"; ThreadType="JScriptEvent";
    X-RequestManager-Memo: StateID="29"; sc="1"; ID="cce39f61-bf46-4184-9cf5-8442b322ef59";
    X-Request-Memo: ID="b12a7c76-e280-4e93-9c96-1d5d2eefeeec"; sc="1"; ThreadId="158";
    Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 200 OK
    Date: Wed, 17 Feb 2016 14:25:37 GMT
    Last-Modified: Mon, 15 Feb 2016 09:56:22 GMT
    Etag: "56c1a0c6.80196"
    Content-Type: application/x-javascript
    Content-Length: 80196
    Connection: close
    Accept-Ranges: bytes

    /** vim: et:ts=4:sw=4:sts=4
     * @license RequireJS 2.1.4 Copyright (c) 2010-2012, The Dojo Foundation All Rights Reserved.
     * Available via the MIT or new BSD license.
     * see: http://github.com/jrburke/requirejs for details
     */
    //Not using strict: uneven strict support in browsers, #392, and causes
    //problems with requirejs.exec()/transpiler plugins that may not be strict.
    /*jslint regexp: true, nomen: true, sloppy: true */
    /*global window, navigator, document, importScripts, setTimeout, opera */

    var requirejs, require, define;
    (function (global) {
        var req, s, head, baseElement, dataMain, src,
            interactiveScript, currentlyAddingScript, mainScript, subPath,
            version = '2.1.4',
            commentRegExp = /(\/\*([\s\S]*?)\*\/|([^:]|^)\/\/(.*)$)/mg,
            cjsRequireRegExp = /[^.]\s*require\s*\(\s*["']([^'"\s]+)["']\s*\)/g,
            jsSuffixRegExp = /\.js$/,
            currDirRegExp = /^\.\//,
            op = Object.prototype,
            ostring = op.toString,
            hasOwn = op.hasOwnProperty,
            ap = Array.prototype,
            apsp = ap.splice,
            isBrowser = !!(typeof window !== 'undefined' && navigator && document),
            isWebWorker = !isBrowser && typeof importScripts !== 'undefined',
            //PS3 indicates loaded and complete, but need to wait for complete
            //specifically. Sequence is 'loading', 'loaded', execution,
            // then 'complete'. The UA check is unfortunate, but not sure how
            //to feature test w/o causing perf issues.
            readyRegExp = isBrowser && navigator.platform === 'PLAYSTATION 3' ?
                          /^complete$/ : /^(complete|loaded)$/,
            defContextName = '_',
            //Oh the tragedy, detecting opera. See the usage of isOpera for reason.
            isOpera = typeof opera !== 'undefined' && opera.toString() === '[object Opera]',
            contexts = {},
            cfg = {},
            globalDefQueue = [],
            useInteractive = false;

        function isFunction(it) {
            return ostring.call(it) === '[object Function]';
        }

        function isArray(it) {
            return ostring.call(it) === '[object Array]';
        }

        /**
         * Helper function for iterating over an array. If the func returns
         * a true value, it will break out of the loop.
         */
        function each(ary, func) {
            if (ary) {
                var i;
                for (i = 0; i < ary.length; i += 1) {
                    if (ary[i] && func(ary[i], i, ary)) {
                        break;
                    }
                }
            }
        }

        /**
         * Helper function for iterating over an array backwards. If the func
         * returns a true value, it will break out of the loop.
         */
        function eachReverse(ary, func) {
            if (ary) {
                var i;
                for (i = ary.length - 1; i > -1; i -= 1) {
                    if (ary[i] && func(ary[i], i, ary)) {
                        break;
                    }
                }
            }
        }

        function hasProp(obj, prop) {
            return hasOwn.call(obj, prop);
        }

        function getOwn(obj, prop) {
            return hasProp(obj, prop) && obj[prop];
        }

        /**
         * Cycles over properties in an object and calls a function for each
         * property value. If the function returns a truthy value, then the
         * iteration is stopped.
         */
        function eachProp(obj, func) {
            var prop;
            for (prop in obj) {
                if (hasProp(obj, prop)) {
                    if (func(obj[prop], prop)) {
                        break;
                    }
                }
            }
        }

        /**
         * Simple function to mix in properties from source into target,
         * but only if target does not already have a property of the same name.
         */
        function mixin(target, source, force, deepStringMixin) {
            if (source) {
                eachProp(source, function (value, prop) {
                    if (force || !hasProp(target, prop)) {

    ...TRUNCATED...

    Informational

    System Information Leak: Filename Found in Comments ( 3853 )

    CWE: 200

    Kingdom: Encapsulation

    Page: https://15.154.119.166:63002/index.html

    Request:

    GET /index.html HTTP/1.1
    Accept: */*
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Host: 15.154.119.166:63002
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Crawl"; SID="6D70A8710830BBBD715A279F4857A5E1"; SessionType="ExternalAddedToCrawl"; CrawlType="None"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="42"; ThreadType="CrawlBreadthFirstDBReader";
    X-RequestManager-Memo: StateID="29"; sc="1"; ID="aedde532-b83d-4658-9265-c2a089b3c4f1";
    X-Request-Memo: ID="a366da32-1fd8-4d21-84e7-437e765e1ae8"; sc="1"; ThreadId="61";
    Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 200 OK
    Date: Wed, 17 Feb 2016 14:25:15 GMT
    Last-Modified: Mon, 15 Feb 2016 09:57:04 GMT
    Etag: "56c1a0f0.978"
    Content-Type: text/html
    Content-Length: 978
    Connection: close
    Accept-Ranges: bytes

    HP SUM

    var require = {

    urlArgs : "BMN=" + new Date().getTime()};

    Loading ...

    Page: https://15.154.119.166:63002/

    Request:

    GET / HTTP/1.1
    Referer: https://15.154.119.166:63002/js/lib/badfile123.js
    Accept: */*
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Host: 15.154.119.166:63002
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Audit.Attack"; SID="D07A146EF38B9C6314FFDC5B9682C7EA"; PSID="CFF6313AEF782574BB620E5E879CB293"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Other"; OriginatingEngineID="3daa743d-51a1-4f6d-b750-0a97717fbf99"; AttackSequence="0"; AttackParamDesc=""; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="4725"; Engine="Certificate+Host+Check"; Retry="False"; SmartMode="NonServerSpecificOnly"; ThreadId="59"; ThreadType="AuditorStateRequestorPool";
    X-RequestManager-Memo: sc="1"; ID="0cc3916d-36de-4035-9b55-70f6fc7838ea";
    X-Request-Memo: ID="17e21d46-8464-47f0-ba0e-5f43599c1b19"; sc="1"; ThreadId="67";

    Response:

    HTTP/1.1 200 OK
    Date: Wed, 17 Feb 2016 14:26:31 GMT
    Last-Modified: Mon, 15 Feb 2016 09:57:04 GMT
    Etag: "56c1a0f0.978"
    Content-Type: text/html
    Content-Length: 978
    Connection: close
    Accept-Ranges: bytes

    HP SUM


    var require = {

    urlArgs : "BMN=" + new Date().getTime()};

    Loading ...

    Best Practices

    Compliance Failure: Missing Privacy Policy ( 5546 )

    CWE: 254

    Kingdom: Security Features

    Page: https://15.154.119.166:63002/index.html

    Request:

    GET /index.html HTTP/1.1
    Accept: */*
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Host: 15.154.119.166:63002
    Connection: Keep-Alive
    X-WIPP: AscVersion=10.40.244.10
    X-Scan-Memo: Category="Crawl"; SID="6D70A8710830BBBD715A279F4857A5E1"; SessionType="ExternalAddedToCrawl"; CrawlType="None"; AttackType="None"; OriginatingEngineID="00000000-0000-0000-0000-000000000000"; ThreadId="42"; ThreadType="CrawlBreadthFirstDBReader";
    X-RequestManager-Memo: StateID="29"; sc="1"; ID="aedde532-b83d-4658-9265-c2a089b3c4f1";
    X-Request-Memo: ID="a366da32-1fd8-4d21-84e7-437e765e1ae8"; sc="1"; ThreadId="61";
    Cookie: CustomCookie=WebInspect112858ZXA23872188B28424F965B4EF2BDC62DF4Y84A2

    Response:

    HTTP/1.1 200 OK
    Date: Wed, 17 Feb 2016 14:25:15 GMT
    Last-Modified: Mon, 15 Feb 2016 09:57:04 GMT
    Etag: "56c1a0f0.978"
    Content-Type: text/html
    Content-Length: 978
    Connection: close
    Accept-Ranges: bytes

    HP SUM

    var require = {

    urlArgs : "BMN=" + new Date().getTime()};

    Loading ...

    Insecure SSL: Missing Perfect Forward Secrecy ( 11364 )

    CWE: 326

    Kingdom: Security Features

    Page: https://15.154.119.166:63002/js/lib/badfile123.js

    Request:

    GET /js/lib/badfile123.js HTTP/1.1
    Referer: https://15.154.119.166:6300...TRUNCATED...

    Response:

    HTTP/1.1 404 File not found
    Date: Wed, 17 Feb 2016 14:26:30 G2T
    Server: HPSUM Engine 7.6.0
    Content-Length: 966

    <!-- Author Srikanth Bemineni
    A common error page if we are not able to find the resource/file in the web engine.
    (C) Copyright 2011 Hewlett-Packard Development Company, L.P.-->

    HPSUM 7.6.0 - Error

    Error finding resource /js/lib/badfile123.js

    Appendix (Check Descriptions)

    Transport Layer Protection: Weak SSL Cipher ( 11285 )

    Summary

    WebInspect has detected support for weak TLS/SSL ciphers on server https://15.154.119.166:63002/ .

    The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols provide a protection mechanism to ensure authenticity, confidentiality and integrity of the data transmitted between a client and web server. The strength of this protection mechanism is determined by the authentication, encryption and hashing algorithms, collectively known as a cipher suite, chosen for the transmission of sensitive information over the TLS/SSL channel. Most Web servers support a range of such cipher suites of varying strengths. Using a weak cipher or an encryption key of insufficient length, for example, could allow an attacker to defeat the protection mechanism and steal or modify sensitive information.

    If misconfigured, a web server could be manipulated into choosing weak cipher suites. Recommendations include updating the web server configuration to always choose the strongest ciphers for encryption.

    Execution

    Each weak cipher was enumerated by establishing an SSL connection with the target host and specifying the cipher to test in the Client Hello message of the SSL handshake.

    Implication

    A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current methods and resources. An attacker may be able to execute a man-in-the-middle attack which would allow them to intercept, monitor and tamper with sensitive data.

    Fix

    Disable support for weak ciphers on the server. Weak ciphers are generally defined as:

    · any cipher with key length less than 128 bits

    · export-class cipher suites

    · NULL ciphers

    · ciphers that support unauthenticated modes

    The following ciphers supported by the server are weak and should be disabled:

    · TLS_RSA_WITH_DES_CBC_SHA

    · For Apache, modify the following lines in httpd.conf or ssl.conf:

    · SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!NULL:RC4+RSA:+HIGH:+MEDIUM

    · For IIS, please refer to Microsoft Knowledge Base Articles:

    · Article ID: 187498

    · Article ID: 245030 and

    · Security Guidance for IIS

    · For other servers, please refer to vendor specific documentation.

    The following ciphers supported by the server should provide adequate protection and may be left enabled:

    · TLS_RSA_WITH_RC4_128_MD5

    · TLS_RSA_WITH_RC4_128_SHA

    · TLS_RSA_WITH_3DES_EDE_CBC_SHA

    · TLS_RSA_WITH_AES_128_CBC_SHA

    · TLS_RSA_WITH_AES_256_CBC_SHA

    · TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

    · TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

    · TLS_RSA_WITH_SEED_CBC_SHA
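The four criteria in the Fix map directly onto the IANA cipher-suite names the report lists. The Python below is an added example written for this page, not WebInspect's own check logic: it parses a suite name into key exchange, bulk cipher and MAC, applies the scanner's four weak-cipher rules, and separately flags what later guidance, which this 2016 report predates, would add: RC4 was prohibited for TLS by RFC 7465 (February 2015), 3DES has only 112-bit effective strength, and every suite in the "adequate" list above uses static RSA key exchange, so none offers forward secrecy (the separate Insecure SSL: Missing Perfect Forward Secrecy ( 11364 ) finding). The SSLCipherSuite line above likewise still admits RC4 through RC4+RSA. The key-size table is constructed for the example and covers only the suites named on this page plus a few common ones.

```python
import re

# Bulk-cipher key sizes in bits, keyed by the bulk-cipher token of an IANA
# suite name.  Constructed lookup table for this example; it covers the suites
# the report lists plus a few common ones.  3DES is entered at its nominal
# 168 bits because that is how a plain "key length < 128 bits" rule sees it.
BULK_KEY_BITS = {
    "NULL": 0,
    "RC2_CBC_40": 40, "RC4_40": 40, "DES40_CBC": 40,
    "DES_CBC": 56, "RC4_56": 56,
    "3DES_EDE_CBC": 168,
    "RC4_128": 128, "IDEA_CBC": 128, "SEED_CBC": 128,
    "AES_128_CBC": 128, "AES_128_GCM": 128, "CAMELLIA_128_CBC": 128,
    "AES_256_CBC": 256, "AES_256_GCM": 256, "CAMELLIA_256_CBC": 256,
    "CHACHA20_POLY1305": 256,
}

# Key-exchange tokens whose key is static (certificate or pre-shared), so a
# later private-key compromise decrypts recorded traffic: no forward secrecy.
STATIC_KX = {"RSA", "DH_RSA", "DH_DSS", "ECDH_RSA", "ECDH_ECDSA", "PSK", "RSA_PSK"}

# TLS 1.3 suite names carry no key-exchange token; they are always AEAD with
# ephemeral (EC)DHE key exchange.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}

SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<bulk>.+)_(?P<mac>[A-Z0-9]+)$")


def assess(suite):
    """Classify one IANA suite name.

    Returns {"weak": bool, "reasons": [...], "notes": [...]}.  "reasons" are
    the report's own criteria (key < 128 bits, export-class, NULL,
    unauthenticated); "notes" are later guidance that the report predates.
    """
    if suite in TLS13_SUITES:
        return {"weak": False, "reasons": [], "notes": []}
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError(f"unrecognised cipher-suite name: {suite}")
    kx, bulk, mac = m.group("kx", "bulk", "mac")
    if bulk not in BULK_KEY_BITS:
        raise ValueError(f"unknown bulk cipher {bulk!r} in {suite}")

    reasons, notes = [], []
    if bulk == "NULL" or mac == "NULL":
        reasons.append("NULL cipher")
    elif BULK_KEY_BITS[bulk] < 128:
        reasons.append(f"{BULK_KEY_BITS[bulk]}-bit key")
    if "EXPORT" in kx:
        reasons.append("export-class suite")
    if "anon" in kx:
        reasons.append("unauthenticated key exchange")

    if bulk.startswith("RC4"):
        notes.append("RC4 prohibited for TLS by RFC 7465")
    if bulk.startswith("3DES"):
        notes.append("3DES has 112-bit effective strength")
    if kx in STATIC_KX:
        notes.append("no forward secrecy")
    return {"weak": bool(reasons), "reasons": reasons, "notes": notes}


def triage(suites):
    """Split offered suites into (disable, keep) lists by the report's criteria."""
    disable = [s for s in suites if assess(s)["weak"]]
    keep = [s for s in suites if not assess(s)["weak"]]
    return disable, keep


# The suites the report says 15.154.119.166:63002 offered (Fix section above).
REPORTED_SUITES = [
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_RSA_WITH_SEED_CBC_SHA",
]

if __name__ == "__main__":
    disable, keep = triage(REPORTED_SUITES)
    print("disable:", disable)
    for s in keep:
        print("keep (scanner criteria):", s, "|", "; ".join(assess(s)["notes"]))
```

Run against REPORTED_SUITES, only TLS_RSA_WITH_DES_CBC_SHA fails the scanner's rules, exactly as the report says, while every one of the eight "adequate" suites carries at least the no-forward-secrecy note and the RC4 and 3DES entries carry one more. That gap is why a practitioner should treat the scanner's "may be left enabled" list as a floor, not a target, and prefer ECDHE suites with AEAD ciphers.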

    Reference

    OWASP: Transport Layer Protection Cheat Sheet

    PCI Security Standards Council: https://www.pcisecuritystandards.org/pdfs/pcissc_assessors_nl_2008-11.pdf

    Microsoft: Knowledge Base Article ID: 187498; Knowledge Base Article ID: 245030; Security Guidance for IIS

    Apache: SSL/TLS Strong Encryption: FAQ

    Classifications

    CWE-319: Cleartext Transmission of Sensitive Information, http://cwe.mitre.org/data/definitions/319.html

    CWE-326: Inadequate Encryption Strength, http://cwe.mitre.org/data/definitions/326.html

    CWE-327: Use of a Broken or Risky Cryptographic Algorithm, http://cwe.mitre.org/data/definitions/327.html

    Kingdom: Environment, http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

    Server Misconfiguration: SSL Certificate Hostname Discrepancy ( 4725 )

    Summary

    This policy states that any area of the website or web application that contains sensitive information or access to privileged functionality such as remote site administration requires that the certificate used by the server is the same host as the server hostname. https://15.154.119.166:63002/ has failed this policy.

    Implication

    The hostname specified by the certificate does not match the hostname being used to access the host. Such a discrepancy causes the client's validation to fail, negating the security benefit of using a certificate to verify that the server is the one it claims to be; users who click through the warning have no protection against a man-in-the-middle presenting any other certificate.

    Fix

    A new certificate with the appropriate hostname should be installed. For hosts with multiple names, a wildcard certificate may be appropriate. Note that this scan addressed the server by IP literal (15.154.119.166); a wildcard DNS name never matches an IP address, so the certificate must carry that address as an iPAddress subjectAltName, or clients must reach the service through a DNS name the certificate covers.
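How a client applies that matching rule, as an added example written for this page rather than WebInspect's Certificate Host Check: the Python below implements the subjectAltName comparison of RFC 6125 and RFC 2818 over a list of (type, value) pairs in the form ssl.SSLSocket.getpeercert()['subjectAltName'] returns. An IP literal is compared only against "IP Address" entries, never "DNS" entries, so a wildcard cannot satisfy a connection made by IP; a wildcard matches exactly one leftmost label, not the bare parent domain and not a sub-subdomain. The two certificate SAN lists are constructed for the example (the report does not reproduce the real certificate), and the name hpsum.example.com is an assumed placeholder.

```python
import ipaddress


def _dns_match(pattern, hostname):
    """Match one dNSName pattern the way RFC 6125 section 6.4.3 allows.

    Case-insensitive; a single '*' may appear only as the whole leftmost label,
    matches exactly one label, and is rejected in a pattern with fewer than
    three labels (so '*.com' never matches anything).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if (plabels[0] != "*" or len(plabels) < 3
            or any("*" in lab for lab in plabels[1:])):
        return False  # malformed or over-broad wildcard
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def match_hostname(san_entries, requested_host):
    """Return True if the certificate's SAN entries cover requested_host.

    san_entries: sequence of (type, value) pairs such as ('DNS', '*.example.com')
    or ('IP Address', '15.154.119.166').  An IP literal (optionally in []) is
    compared only against 'IP Address' entries (RFC 6125 section 6.4.1,
    RFC 2818); a DNS name only against 'DNS' entries.
    """
    try:
        requested_ip = ipaddress.ip_address(requested_host.strip("[]"))
    except ValueError:
        requested_ip = None

    for san_type, value in san_entries:
        if requested_ip is not None:
            if san_type == "IP Address":
                try:
                    if ipaddress.ip_address(value) == requested_ip:
                        return True
                except ValueError:
                    continue  # malformed IP SAN: ignore it, never match on it
        elif san_type == "DNS" and _dns_match(value, requested_host):
            return True
    return False


# Constructed SAN lists for the example, not the real certificate on
# 15.154.119.166:63002.  hpsum.example.com is an assumed placeholder name.
WILDCARD_ONLY_CERT = [("DNS", "*.example.com")]
FIXED_CERT = [("DNS", "hpsum.example.com"), ("IP Address", "15.154.119.166")]

if __name__ == "__main__":
    for cert in (WILDCARD_ONLY_CERT, FIXED_CERT):
        for host in ("15.154.119.166", "hpsum.example.com",
                     "a.b.example.com", "example.com"):
            print(cert, host, match_hostname(cert, host))
```

The wildcard-only certificate covers hpsum.example.com but not the IP literal the scanner used, which is the finding; the fixed certificate covers both because it carries an iPAddress entry. Python's own ssl module removed ssl.match_hostname in 3.12 in favour of OpenSSL's checker, which applies the same rules.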

    Reference

    Classifications

    CWE-284: Access Control (Authorization) Issues, http://cwe.mitre.org/data/definitions/284.html

    CWE-287: Improper Authentication, http://cwe.mitre.org/data/definitions/287.html

    Kingdom: Environment, http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html

    Server Misconfiguration: Cache Policy ( 11306 )

    Summary

    WebInspect has detected a potentially unsafe cache control policy for secure content. While content transmitted over an SSL/TLS channel is expected to guarantee confidentiality, administrators must nonetheless ensure that caching of sensitive content is disabled unless absolutely needed. The misconception that user agents disable caching of secure content by default could cause the application to fail the organization's cache policy by leaving the secure content cacheable by browsers. An unsafe specification such as Cache-Control: public would instruct the browser to persistently cache the content on the hard drive. Caching can be prevented by specifying one of the following three directives in the response headers:

    · Cache-control: private

    · Cache-Control: no-cache

    · Cache-Control: no-store

    Execution

    Send a request to https://15.154.119.166:63002/js/hpsum/shell-require.js?BMN=1455689874449 and inspect the Cache-Control header value.

    Implication

    Insecure caching policies could lead to content spoofing or information theft.

    SSL provides a secure, encrypted channel to transfer information from the server to the user. Information served over SSL is considered sensitive and is trusted to be available only to the requestor. However, caching this content on disk in temporary internet files, or in an intermediate proxy server, can compromise that trust by exposing it to everyone who has access to that temporary storage or proxy cache. Content served over SSL should have caching disabled.

    Fix

    Set Cache-Control directive to private, no-cache and/or no-store.

    private: This directive allows the server to prevent a shared cache from caching responses that are intended for a single user. The mechanism can be used to ensure that privileged information is not accidentally leaked to unauthorized users. The directive may still allow caching of responses by non-shared caches.

    no-cache: For sensitive resources requiring user authentication, servers can send the no-cache directive to prevent caches from serving a cached response without first requiring the user agent to validate the user's identity. This directive can be specified with or without field names. When no field names are included, the directive applies to the entire request or response. When one or more field names are specified in the no-cache directive, the response can be cached, but the specified field(s) must be excluded. If the response must include the specified field, then the cache must ensure that the request triggers a revalidation with the origin server. Example: Cache-Control: no-cache="Set-Cookie". This directive can be used to prevent sensitive information leakage by requiring the server to confirm the user's identity before serving the protected information.

    no-store: To completely disable caching of requests or responses, the server must specify the no-store directive in the Cache-Control header. This directive applies to the entire request and response regardless of whether the directive is sent in the request or the response.

    Reference

    Server Configuration: IIS, Apache

    HTTP 1.1 Specification: HTTP Header Field Definitions

    OWASP: Browser Cache FAQ

    HTTP Caching: Tutorial

    Classifications

    CWE-525: Information Exposure Through Browser Caching (http://cwe.mitre.org/data/definitions/525.html)

    Kingdom: Environment (http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html)

    Server Misconfiguration: Response Headers ( 11308 )

    Summary

    Missing a Content-Type header in the HTTP Response could expose the application to Cross-Site Scripting vulnerabilities via:

    Content Sniffing Mismatch

    Failure to explicitly specify the type of the content served by the requested resource can allow attackers to conduct Cross-Site Scripting attacks by exploiting the inconsistencies in content sniffing techniques employed by the browsers. The Content-Type header is used by:

    · The web server to dictate how the requested resource is interpreted by the user agent. In the absence of this header the browser depends on content sniffing algorithms to guess the type of content and render or interpret it accordingly.

    · File upload filters to discard file types not allowed by the application. In the absence of a Content-Type header, the file upload filter relies on the file extension or the content of the file to detect and store an appropriate mime type for the uploaded file.

    The lack of explicit content type specification can allow attackers to exploit the mismatch between the mime sniffing algorithm used by the browser and upload filter. By uploading files with benign extensions (like .jpg), an attacker can easily bypass the upload filter to upload files containing malicious HTML content. The browser's content sniffing algorithm will however render it as HTML based on the content of the file thus executing any malicious scripts embedded within the HTML content.

    Character Set Mismatch

    Character set specification is part of the Content-Type header. Absence of this specification could allow attackers to bypass input validation filters or HTML entity escape functionality and conduct Cross-Site Scripting attacks against the target application. When the character set is not specified, browsers will attempt to guess the most appropriate character set. This could result in a mismatch between the character set assumed by the application during the generation of the content and by the browser during the parsing and interpretation of the same content. An attacker can exploit this inconsistency to encode attacks using a character set that will hide the malicious payloads from the validation filters and escaping mechanisms put in place by the application but at the same time will be interpreted by the browser as a valid executable entity.

    Execution

    The example scenarios below demonstrate the exploitation of the weakness:

    Content Sniffing Mismatch

    1. Attacker uploads a file with .jpg extension and no Content-Type specification. The file contains malicious HTML and JavaScript content embedded inside.

    2. In the absence of the Content-Type header, the application saves the uploaded file along with the mime type of the .jpg

    3. The attacker uses social engineering to entice the desired target into accessing the uploaded file.

    4. Upon receiving the requested file without the Content-Type header, the target's browser assumes the content type to be HTML based on the HTML and JavaScript content inside and renders the file, causing the attacker's JavaScript payload to be executed.

    Character Set Mismatch

    1. Attacker converts the desired payload of alert(document.location) into the UTF-7 encoded string +ADw-script+AD4-alert(document.location)+ADw-/script+AD4 and sends it to the vulnerable application.

    2. An application using the ISO-8859-1 character set for filtering or escaping special characters will fail to detect the '<' and '>' characters as dangerous.

    3. The absence of a character set specification due to the missing Content-Type header will force the browser to guess the character set to use for rendering the application response containing the attacker's payload. If the browser correctly guesses the encoding as UTF-7, the injected payload will be successfully executed.

    Implication

    The application fails to impose constraints on the parsing and interpretation of the response content, allowing attackers to bypass validation filters or escaping functionality, introduce malicious scripts, and force the browser to execute the desired payload.

    Fix

    Configure the server to send the appropriate content type and character set information for the requested resource.

    Reference

    Server Configuration: Mime Types in IIS 7; Content Negotiation - Apache HTTP Server

    Content Sniffing: Mime Sniffing Standard; Content Sniffing Signatures; Secure Content Sniffing for Web Browsers [PDF]

    OWASP: OWASP Testing Guide Appendix D: Encoded Injection

    Classifications

    CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (http://cwe.mitre.org/data/definitions/79.html)

    Kingdom: Environment (http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html)

    Insecure SSL: Missing Http Strict Transport ( 11365 )

    Summary

    Http Strict Transport Security (HSTS) policy enables web applications to require web browsers to communicate with the server only over an encrypted SSL/TLS connection for a set period. The policy is declared via the special Strict Transport Security response header. The encrypted connection protects sensitive user and session data from attackers eavesdropping on the network connection. Consider the following attack scenarios:

    · Users often omit the URI scheme, i.e. https://, when typing a URL in the location bar to access a website. Also, third-party websites can link to the site using the "http" scheme instead of "https". This could result in an initial connection to an HTTPS-enabled site over an unencrypted channel. An eavesdropping attacker can hijack this unencrypted connection and replace the intended use of the HTTPS protocol with HTTP in an attack known as SSLStrip, granting unauthorized access to all subsequent traffic.

    · Websites often transfer non-sensitive resources such as help documents over an unencrypted HTTP connection. Any cookies without a secure flag are sent along with such requests, potentially disclosing sensitive user and session data to an eavesdropper.

    · Man-in-the-Middle attacks that exploit user tendencies to override invalid certificate warnings, e.g. SSLSniff.

    For web sites configured with an accurate HSTS policy, browsers automatically upgrade any HTTP connections to HTTPS. Furthermore, browsers prevent users from overriding any host certificate warnings. HSTS offers an effective defense against the attack scenarios above.

    Execution

    Access location https://15.154.119.166:63002/js/lib/require.js and notice the absence of the Strict Transport Security header in the HTTP response.

    Implication

    A successful MiTM attack such as SSLStrip or SSLsniff can lead to the compromise of sensitive user data such as financial information, Social Security Numbers and personal information, as well as grant unauthorized access to user accounts, enabling attackers to perform privileged actions on the client's behalf.

    Fix

    Configure the web application under test to include the Strict Transport Security header in every response generated by the HTTPS-enabled site. Any HTTP version of the site on the same domain should permanently redirect to the secure, encrypted site. The header should not be added to HTTP responses, as browsers will ignore it.

    It is important to note that this header does not protect against the attack scenarios above during the very first connection to the site, or during any connection established after the set period has expired. To prevent such a scenario, the site must be added to the pre-loaded HSTS host list embedded in both the Google Chrome and Mozilla Firefox browsers.
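As an added example that is not WebInspect's own check logic, the following script applies the three response-header checks described in the Cache Policy, Response Headers and Missing Http Strict Transport findings above to a response's headers; the URL and header values it uses are constructed, not captured from the scanned host.

```python
"""Audit one HTTP response's headers for the Cache Policy (11306), Response Headers
(11308) and Missing HSTS (11365) checks. Added example; all headers are constructed."""
from typing import Dict, List
from urllib.parse import urlsplit

def get_header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""

def check_cache_policy(url: str, headers: Dict[str, str]) -> List[str]:
    """11306: content served over HTTPS must carry private, no-cache or no-store."""
    if urlsplit(url).scheme != "https":
        return []
    # Cache-Control is a comma-separated directive list; drop any =value part.
    directives = {d.strip().split("=")[0].lower()
                  for d in get_header(headers, "Cache-Control").split(",") if d.strip()}
    findings = []
    if not directives & {"private", "no-cache", "no-store"}:
        findings.append("Cache Policy: HTTPS response has none of private/no-cache/no-store")
    if "public" in directives:
        findings.append("Cache Policy: Cache-Control: public lets browsers persist HTTPS content")
    return findings

def check_content_type(headers: Dict[str, str]) -> List[str]:
    """11308: Content-Type must be present, and text-like types must name a charset,
    so the browser neither sniffs the type nor guesses the encoding (e.g. UTF-7)."""
    content_type = get_header(headers, "Content-Type")
    if not content_type:
        return ["Response Headers: Content-Type header missing (browser will sniff)"]
    media, _, params = content_type.partition(";")
    media = media.strip().lower()
    text_like = media.startswith("text/") or media in ("application/javascript", "application/xml")
    if text_like and "charset=" not in params.lower():
        return ["Response Headers: %s has no charset (browser will guess encoding)" % media]
    return []

def check_hsts(url: str, headers: Dict[str, str]) -> List[str]:
    """11365: every HTTPS response needs Strict-Transport-Security with a positive max-age."""
    if urlsplit(url).scheme != "https":
        return []  # browsers ignore the header on plain HTTP, so it is not required there
    hsts = get_header(headers, "Strict-Transport-Security")
    if not hsts:
        return ["HSTS: Strict-Transport-Security header missing"]
    for part in hsts.split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "max-age" and value.isdigit() and int(value) > 0:
            return []
    return ["HSTS: Strict-Transport-Security present but max-age missing or zero"]

def audit(url: str, headers: Dict[str, str]) -> List[str]:
    return check_cache_policy(url, headers) + check_content_type(headers) + check_hsts(url, headers)

# Constructed samples: a script served the way the findings describe, and a fixed one.
WEAK_HEADERS = {"Cache-Control": "public, max-age=3600"}
FIXED_HEADERS = {"Cache-Control": "no-store",
                 "Content-Type": "application/javascript; charset=utf-8",
                 "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    for finding in audit("https://example.test/js/shell-require.js", WEAK_HEADERS):
        print(finding)
```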

    Reference

    http://tools.ietf.org/html/rfc6797

    Classifications

    CWE-319: Cleartext Transmission of Sensitive Information (http://cwe.mitre.org/data/definitions/319.html)

    Kingdom: Security Features (http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html)

    System Information Leak: Filename Found in Comments ( 3853 )

    Summary

    A URL or filename was found in the comments of the file.

    Fix

    Reference

    Classifications

    CWE-200: Information Exposure (http://cwe.mitre.org/data/definitions/200.html)

    Kingdom: Encapsulation (http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html)

    Compliance Failure: Missing Privacy Policy ( 5546 )

    Summary

    A privacy policy was not supplied by the web application within the scope of this audit. Many legislative initiatives require that organizations place a publicly accessible document within their web application that defines their website's privacy policy. As a general rule, these privacy policies must detail what information an organization collects, the purpose for collecting it, potential avenues of disclosure, and methods for addressing potential grievances. Various laws governing privacy policies include the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), the California Online Privacy Protection Act of 2003, the European Union's Data Protection Directive and others.

    Execution

    All of the web pages accessible within the scope of the scan are sampled for textual content that often constitutes a privacy policy statement. A violation is reported upon completion of the web application crawl without a successful match against any of the web pages. Note that the privacy policy of your application could be located on another host or within a section of the site that was not configured as part of the scan. To validate, please try to access the privacy policy of your website and check to see if it was part of the scan. The content of the following resources requires manual inspection to verify if it comprises the privacy policy statement.

    · http://requirejs.org:80/docs/errors.html

    Implication

    Most privacy laws are created to protect residents who are users of the website. Hence, organizations from any part of the world must adhere to these laws if they cater to customers residing in these geographical areas. Failing to do so could result in a lawsuit by the corresponding government against the organization.

    Fix

    Declare a comprehensive privacy policy for the website, and ensure that it is accessible from every page that seeks personal information from users. To verify the fix, rescan the site in order to discover and audit the newly added resources.

    Descriptions: Any standard web application privacy policy should include the following components:

    · A description of the intended purpose for collecting the data.

    · A description of the use of the data.

    · Methods for limiting the use and disclosure of the information.

    · A list of the types of third parties to whom the information might be disclosed.

    · Contact information for inquiries and complaints.

    Reference

    California Online Privacy Protection Act (http://oag.ca.gov/privacy/COPPA)

    National Conference of State Legislation (http://www.ncsl.org/issues-research/telecom/state-laws-related-to-internet-privacy.aspx)

    Gramm-Leach-Bliley Act (http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/pdf/PLAW-106publ102.pdf)

    Health Insurance Portability and Accountability Act of 1996 (https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/downloads/HIPAALaw.pdf)

    Health Insurance Portability and Accountability Act of 1996 (http://ec.europa.eu/justice/policies/privacy/docs/guide/guide-ukingdom_en.pdf)

    Classifications

    Kingdom: Security Features (http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html)

    CWE-254: Security Features (http://cwe.mitre.org/data/definitions/254.html)

    Insecure SSL: Missing Perfect Forward Secrecy ( 11364 )

    Summary

    Perfect Forward Secrecy (PFS) assures the secrecy of encrypted communications into the future in case the SSL/TLS private key is compromised. PFS is a function of the key-exchange protocols used for the establishment of a shared secret between the client and the server [1]. On a server without forward secrecy, both the authentication of the server and the encryption are done using the long-term private key. Hence, a compromised long-term private key can jeopardize all communications. PFS mitigates this by achieving authentication using a long-term private key and session data encryption using a short-term private key. PFS is commonly achieved using Diffie-Hellman in ephemeral-static mode (DHE) or the Elliptic Curve Diffie-Hellman key agreement scheme with ephemeral keys (ECDHE) [2, 3, 4]. For every TLS session established with DHE or ECDHE as the key exchange algorithm in the cipher suite, the server is required to use a new Diffie-Hellman public/private key pair for the generation of the TLS master secret [8]. The server signs this Diffie-Hellman public key using the long-term private key to guarantee authenticity. The long-term private key is not used for the encryption of session contents. While a stolen ephemeral private key could allow an attacker to decipher encrypted communication, the compromise is confined to the specific session for which the ephemeral key was generated. It is recommended that ephemeral keys are not logged.

    WebInspect has determined that the target server does not support any of the known PFS cipher suites.

    Execution

    A list of the ciphers supported by this server can be obtained by running the ServerAnalyzer tool from the WebInspect toolkit. Notice the absence of "DHE" and "ECDHE" in the list of supported cipher-suite names.

    Implication

    A stolen long-term private key can be used by an attacker to decrypt past intercepted communication, putting user data at risk wherever that data is still relevant. This shortcoming in SSL/TLS was accentuated in the wake of the Heartbleed [4] vulnerability, a vulnerability in the OpenSSL library [4], that allowed attackers to steal servers' private keys among other sensitive data.

    Fix

    PFS is enabled by turning on Diffie-Hellman Ephemeral (DHE) or Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE) based cipher suites on the server [2], e.g.:

    · For Apache – Modify SSLCipherSuite parameter in server configuration to add ECDHE or DHE key exchange algorithm.

    · For nginx – Modify ssl_ciphers in server configuration to add ECDHE or DHE key exchange algorithm.

    · For IIS please refer to the following knowledge base articles:

    · http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

    · http://support.microsoft.com/kb/245030
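As an added example that is not part of the report or the WebInspect toolkit, the following script classifies cipher-suite names by their key-exchange algorithm so that a supported-suite list, or an Apache SSLCipherSuite / nginx ssl_ciphers value expanded by the local OpenSSL, can be checked for the DHE/ECDHE suites this fix calls for; the suite lists and configuration values are constructed.

```python
"""Classify cipher-suite names by key exchange and report which offer PFS (DHE or
ECDHE, as the finding describes). Added example; the suite lists are constructed."""
import ssl
from typing import Dict, List

EPHEMERAL = {"DHE", "ECDHE", "EDH", "EECDH"}          # OpenSSL also spells them EDH/EECDH
ANONYMOUS = {"ADH", "AECDH", "DH_ANON", "ECDH_ANON"}  # ephemeral but unauthenticated
OTHER_KX = {"ECDH", "DH", "PSK", "SRP"}               # static DH, pre-shared key, SRP

def key_exchange(suite: str) -> str:
    """Key-exchange token of an IANA name (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
    or an OpenSSL name (ECDHE-RSA-AES128-GCM-SHA256)."""
    s = suite.strip().upper()
    if s.startswith("TLS_"):
        if "_WITH_" not in s:
            return "TLS13"  # TLS 1.3 names carry no key exchange; it is always (EC)DHE
        kx = s[4:].split("_WITH_")[0]  # ECDHE_RSA, RSA, DH_ANON, ...
        return kx if kx in ANONYMOUS else kx.split("_")[0]
    if s.startswith("EXP"):
        s = s.split("-", 1)[1]  # export grade: EXP-EDH-RSA-DES-CBC-SHA still uses EDH
    first = s.split("-")[0]
    if first in EPHEMERAL | ANONYMOUS | OTHER_KX:
        return first
    return "RSA"  # no prefix (e.g. DES-CBC-SHA) means RSA key transport in OpenSSL names

def provides_pfs(suite: str) -> bool:
    """True only for authenticated ephemeral Diffie-Hellman, which is what the check wants."""
    kx = key_exchange(suite)
    return kx in EPHEMERAL or kx == "TLS13"

def pfs_report(suites: List[str]) -> Dict[str, List[str]]:
    """Split a supported-suite list into PFS and non-PFS suites."""
    report: Dict[str, List[str]] = {"pfs": [], "no_pfs": []}
    for suite in suites:
        report["pfs" if provides_pfs(suite) else "no_pfs"].append(suite)
    return report

def expand_cipher_spec(spec: str) -> List[str]:
    """Expand an OpenSSL cipher string (an Apache SSLCipherSuite or nginx ssl_ciphers
    value) into suite names with the local OpenSSL; needs Python 3.6 or later."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]

# Constructed list in the shape ServerAnalyzer reports for this finding: RSA key transport only.
NO_PFS_SERVER = ["TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
                 "TLS_RSA_WITH_AES_256_GCM_SHA384"]

if __name__ == "__main__":
    print(pfs_report(NO_PFS_SERVER))
    # A weak configuration value beside a corrected one, expanded by OpenSSL.
    for spec in ("AES128-SHA:AES256-SHA", "ECDHE+AESGCM:DHE+AESGCM:!aNULL"):
        print(spec, "->", pfs_report(expand_cipher_spec(spec)))
```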

    Reference

    http://en.wikipedia.org/wiki/Forward_secrecy

    Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.

    Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC 2631, June 1999.

    Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)", RFC 4492, May 2006. http://tools.ietf.org/html/rfc4492

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

    http://www.openssl.org/

    http://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange

    http://nginx.org/en/docs/http/ngx_http_ssl_module.html

    http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

    Classifications

    CWE-326: Inadequate Encryption Strength (http://cwe.mitre.org/data/definitions/326.html)

    Kingdom: Security Features (http://www.hpenterprisesecurity.com/vulncat/en/vulncat/intro.html)

    Vulnerability (Legacy)

    Site: https://15.154.119.166:63002/index.html (15.154.119.166:63002)

    · Transport Layer Protection: Weak SSL Cipher (11285)

    · Server Misconfiguration: SSL Certificate Hostname Discrepancy (4725)

    · Server Misconfiguration: Cache Policy (11306)

    · Server Misconfiguration: Response Headers (11308)

    · Insecure SSL: Missing Http Strict Transport (11365)

    · System Information Leak: Filename Found in Comments (3853)

    · Compliance Failure: Missing Privacy Policy (5546)

    · Insecure SSL: Missing Perfect Forward Secrecy (11364)

    Vulnerability

    Site: https://15.154.119.166:63002/index.html (15.154.119.166:63002)

    Critical Issues: Transport Layer Protection: Weak SSL Cipher ( 11285 )

    Medium Issues: Server Misconfiguration: SSL Certificate Hostname Discrepancy ( 4725 )

    Low Issues: Server Misconfiguration: Cache Policy ( 11306 ); Server Misconfiguration: Response Headers ( 11308 ); Insecure SSL: Missing Http Strict Transport ( 11365 )

    Informational: System Information Leak: Filename Found in Comments ( 3853 )

    Best Practices: Compliance Failure: Missing Privacy Policy ( 5546 ); Insecure SSL: Missing Perfect Forward Secrecy ( 11364 )

    Appendix (Check Descriptions)

    Critical Issues: Transport Layer Protection: Weak SSL Cipher ( 11285 )

    Medium Issues: Server Misconfiguration: SSL Certificate Hostname Discrepancy ( 4725 )

    Low Issues: Server Misconfiguration: Cache Policy ( 11306 ); Server Misconfiguration: Response Headers ( 11308 ); Insecure SSL: Missing Http Strict Transport ( 11365 )

    Informational: System Information Leak: Filename Found in Comments ( 3853 )

    Best Practices: Compliance Failure: Missing Privacy Policy ( 5546 ); Insecure SSL: Missing Perfect Forward Secrecy ( 11364 )