Download pdf - Compliance with OWASP ASVS L1: Failed - UnderDefense · Compliance with OWASP ASVS L1: Failed ... • Pentest Execution Standard • SANS: ... (see Appendix A with a key checklist)

UnderDefense

ApplicationSecurityAudit

forClient

CompliancewithOWASPASVSL1:

Failed

June15,2017

Notice

UnderDefensehasmadeeveryreasonableattempttoensurethattheinformationcontainedwithinthisreportiscorrect,currentandproperly

setsforththefindingsashavebeendeterminedtodate.Thepartiesacknowledgeandagreethattheotherpartyassumesnoresponsibilityfor

errorsthatmaybecontainedinorformisinterpretationsthatreadersmayinferfromthisdocument.

UnderDefenseConfidential 2

Insidethisreport

Executive summary .............................................................................................................................................3

Summary of business risks ..................................................................................................................................4

Findings overview ...............................................................................................................................................6

Findings for Client SaaS application ..................................................................................................................7

Findings for Client server ................................................................................................................................. 22

Appendix A: Covered test cases according to OWASP ASVS Level 1 ....................................................... 28


Executive summary ThisreportpresentstheresultsofthesecurityassessmentforClientenrollmentapplicationsconducted

asapartofproductexcellenceandcertificationprocess.Thisassessmentwasperformedunderthe

auspicesoftwocertifiedandlicensedpenetrationtestersemployedbyUnderDefenseduringJune1–15,

2017.

Results overview Thetestuncoveredafewvulnerabilitiesthatmaycausecompromiseuserdata,applicationsettingsand

usersettingsmodifications,informationdisclosure,orreputationaldamageforcompany.During

penetrationtesting,UnderDefensesecurityexpertsfound3highrisk,14mediumriskvulnerabilities,and

4lowseverityissues.

The"DetailedFindings"sectionineachfindingaimedathelpingsystem/applicationownerstorecreate

thefindingsbyfollowingthestepsmentionedinthesection.

Scope Organization Client

Application ClientSaaS

Audittype OWASPTop10ASVSL1andManualPenetrationTesting

AssetURL https://client.com

Auditperiod June1–15,2017

Contact details Reviewedby JohnSmith

Preparedby JohnSmith,DowJohns

Security tools used for ASVS Level 1 • BurpSuitePro[CommercialEdition]

• TenableNessus[CommercialEdition]

• Acunetix9[CommercialEdition]

• MetasploitPro[CommercialEdition]

• OWASPMantra

• OWASPZap

• Nmap

• Sqlmap

Project limitations Testingwasconductedagainstthestagingenvironmentonly.


Summary of business risks Usinghighriskattacks,itispossibleforattackertocompromiseallusersofClientSaaSapplication.

Combinationofseveralmediumandlowriskvulnerabilitiesmaycauseseriousdamagetotheintegrity

andconfidentialityofapplications.

High-level recommendation TheapplicationrequiresfinalsecurityreviewaccordingSDLCbestpracticesbeforethefinalrelease,

becausesomeimportantfunctionalityisnotfullyimplemented,andremediationtestingisrequired.

Itisrecommendedtousewebapplicationfirewalltofilterapplicationlevelattacksagainsttheproduction

environment.

Methodology UnderDefenseApplicationSecurityAssessmentMethodologyisgroundedonfollowingguidesand

standards:

• PentestExecutionStandard

• SANS:ConductingaPenetrationTestonanOrganization

• SANS:NetworkApplicationSecurityAssessmentandEthicalHacking

• TheOpenSourceSecurityTestingMethodology

OpenWebApplicationSecurityProject(OWASP)isanindustryinitiativeforwebapplicationsecurity.

OWASPhasidentifiedthe10mostcommonattacksthatsucceedagainstwebapplications.These

comprisetheOWASPTop10.

UnderDefenseapplicationpenetrationtestincludesalltheitemsintheOWASPTop10andmore.

ThepenetrationtesterremotelytrytocompromisetheOWASPTop10flaws.TheflawslistedbyOWASP

initsmostrecentTop10andthestatusoftheapplicationagainstthosearedepictedinthetablebelow.

OWASPASVSLevel1istypicallyappropriateforapplicationswherelowconfidenceinthecorrectuseof

securitycontrolsisrequired,forprovidingaquickanalysisofenterpriseapplications,orforassistingin

developingaprioritizedlistofsecurityrequirementsasapartofamultiphaseeffort.Level1controlscan

beensuredeitherautomaticallybytoolsorsimplymanuallywithoutaccesstosourcecode.Weconsider

Level1theminimumrequiredforallapplications.Threatstotheapplicationwillmostlikelybefrom

attackerswhoareusingsimpleandlowefforttechniquestoidentifyeasy-to-findandeasy-to-exploit

vulnerabilities.Thisisincontrasttoadeterminedattackerwhowillspendfocusedenergytospecifically

targettheapplication.

Ifthedataprocessedbyyourapplicationhashighvalue,youwouldrarelywanttostopataLevel1

review.


Performed tests • AllsetofapplicableOWASPTop10SecurityTests

• AllsetofapplicableSANS25SecurityThreats

• AllsetofapplicablefromOWASPASVSLevel1(seeAppendixAwithakeychecklist)

CriteriaLabel Status

Safeagainstpopularattacks Failscriteria

Protectssensitivedataduringtransmission Meetscriteria

Safeguardspasswords Meetscriteria

Protectsagainstpasswordguessing Failscriteria

SecureForgotPasswordImplementation Failscriteria

Insecureconfigurationsettingsonserversaccessibledirectlybyusers Meetscriteria

Sensitivedatanottobestoredonclient Meetscriteria

Sensitivedatanothiddeninpages Meetscriteria

Nosensitivedataincludedinerrormessages Failscriteria

Codeobfuscationforsecrets N/A

Re-authenticationrequiredforsensitiveactivities Meetscriteria

Nosensitivedatainrequeststoexternalsites Meetscriteria

Webserverserviceprotectedagainstknownvulnerabilities Meetscriteria

Nosampleortestapplications Meetscriteria

Nosensitivedatainsourcecode N/A


Findings overview UnderDefensesecurityexpertsperformedmanualsecuritytestingaccordingtoOWASPWebApplication

TestingMethodology,whichdemonstratethefollowingresults.

Risklevel Highrisk Mediumrisk Lowrisk Informational

#ofvulnerabilities 3 14 4 1

Severity • High–Directthreattokeybusinessprocesses.

• Medium–Indirectthreattokeybusinessprocessesorpartialthreattobusinessprocesses.

• Low–Nodirectthreatexists.Vulnerabilitymaybeexploitedusingothervulnerabilities.

• Informational–Thisfindingdoesnotindicatevulnerability,butstatesacommentthatnotifiesabout

designflawsandimproperimplementationthatmightcauseaprobleminthelongrun.

3

14

4

1

Findingsbyseverity

High

Medium

Low

Informational


Findings for Client SaaS application ThissectionscoversdetailsofallfindingsforClientSaaSapplication.

Reflected Cross-Site Scripting Issueseverity:High

Businessimpact:High

Issuedescription:Cross-SiteScripting(XSS)attacksareatypeofinjection,inwhichmaliciousscriptsare

injectedintobenignandtrustedwebsites.XSSattacksoccurwhenanattackerusesawebapplicationto

sendmaliciouscode,generallyintheformofabrowsersidescript,toadifferentenduser.Flawsthat

allowtheseattackstosucceedarequitewidespreadandoccuranywhere:awebapplicationinsertsinput

fromauserintotheoutputwithoutvalidatingorencodingit.

AnattackercanuseXSStosendamaliciousscripttoanunsuspectinguser.Theenduser’sbrowserhasno

waytoknowthatthescriptshouldnotbetrusted,andwillexecutethescript.Becauseitthinksthescript

camefromatrustedsource,themaliciousscriptcanaccessanycookies,sessiontokens,orothersensitive

informationretainedbythebrowserandusedwiththatsite.Thesescriptscanevenrewritethecontent

oftheHTMLpage.

AttackercancraftanURLthatwilltriggermaliciousJavaScriptpayloadtostealusersession,redirectuser

toanotherresource,andsoon.

VulnerableURL:

https://client.com/***?filter=%2Fzport%2Fdmd%2FDevices%2F%3E&depth=2&objid=192.168%252%22

%2F%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Ca%3D%22&submitted=true

Scriptissuccessfullytriggered:

Recommendations:Tofilteruserinputsufficiently,considerXSSPreventionCheatSheet.

Stored Cross-Site Scripting Issueseverity:High

Businessimpact:High


Issuedescription:Storedattacksarethosewheretheinjectedscriptispermanentlystoredonthetarget

servers,suchasinadatabase,inamessageforum,visitorlog,commentfield,andsoon.Thevictimthen

retrievesthemaliciousscriptfromtheserverwhenitrequeststhestoredinformation.StoredXSSisalso

sometimesreferredtoasPersistentorType-IXSS.

AttackercaninjectmaliciousJavaScriptcodeintopage(underaManagerrole),whichwillbereflected

acrossallusersofthesystem.

POST /Events/evclasses_router HTTP/1.1 Host: Client.com Connection:close

Content-Length:198

Origin:https://Client.com

X-Requested-With:XMLHttpRequest

User-Agent:Mozilla/5.0(WindowsNT6.1;WOW64)AppleWebKit/537.36(KHTML,likeGecko)

Chrome/50.0.2661.102Safari/537.36

Content-Type:application/json

Accept:*/*

Referer:https://Client.com/***

Accept-Encoding:gzip,deflate,br

Accept-Language:uk-UA,uk;q=0.8,ru;q=0.6,en-US;q=0.4,en;q=0.2

Cookie:

beaker.session="556ab79ec31a6cf70a30a21ff225c2b4805aa19058ad3e3e284e4bb599e07e449076f1aa";

ZAuthToken="58ad3e3e284e4bb599e07e449076f1aa";***_update=1465473596.928

{"action":"EventClassesRouter","method":"editEventClassDescription","data":[{"uid":"/***/License","desc

ription":"12345'</span><img src=a onerror='alert(document.cookie);'/>"}],"type":"rpc","tid":101}


Vulnerableform.

Requestwithmaliciouspayload.


Payloadistriggeredacrossallusers.

Recommendations:Tofilteruserinputsufficiently,considerXSSPreventionCheatSheetoruse

frameworkspecificcomponentsavailable.

DOM-based Cross-Site Scripting Issueseverity:High

Businessimpact:High

Issuedescription:DOM-basedXSS(orasitiscalledinsometexts,“type-0XSS”)isanXSSattack,wherein

theattackpayloadisexecutedasaresultofmodifyingtheDOM“environment”inthevictim’sbrowser

usedbytheoriginalclientsidescript,sothattheclientsidecoderunsinan“unexpected”manner.That

is,thepageitself(theHTTPresponse)doesnotchange,buttheclientsidecode,whichiscontainedon

thepage,isexecuteddifferentlyduetothemaliciousmodificationsthathaveoccurredintheDOM

environment.

AttackercaninjectmaliciousJavaScriptcodeontopage(undertheManagerrole)ontheDiscover Networkspage.


SNMPfieldisnotfilteredproperly.

Cookie is echoed successfully.

Recommendations:Tofilteruserinputsufficiently,considerXSSPreventionCheatSheet.



Insufficient session expiration [CWE-613] Issueseverity:Medium

Businessimpact:Medium

Issuedescription:Sessionisactiveaftermorethan50hoursofuserinactivity.Insufficientsession

expirationweaknessisaresultofpoorlyimplementedsessionmanagement.Thisweaknesscanariseon

designandimplementationlevelsandcanbeusedbyattackerstogainanunauthorizedaccesstothe

application.

Whenhandlingsessions,webdeveloperscanrelyeitheronservertokensorgeneratesessionidentifiers

withintheapplication.EachsessionshouldbedestroyedaftertheuserclickstheLog offbutton,orafteracertainperiodoftime(calledtimeout).Unfortunately,codingerrorsandservermisconfigurationsmay

influencesessionhandlingprocess,whichcanresultinanunauthorizedaccess.

Sessionexpirationiscomprisedoftwotimeouttypes:

• Inactivity–suchtimeoutistheamountofidletimeallowedbeforethesessionisinvalidated.

• Absolute–suchtimeoutisdefinedbythetotalamountoftimeasessioncanbevalidwithoutre-

authentication.

Thelackofpropersessionexpirationmayincreasethelikelihoodofsuccessofcertainattacks.Long

expirationtimeincreasesanattacker'schanceofsuccessfullyguessingavalidsessionID.Thelongerthe

expirationtime,themoreconcurrentopensessionswillexistatanygiventime.Thelargerthepoolof

sessions,themorelikelyitwillbeforanattackertoguessoneatrandom.Althoughashortsession

inactivitytimeoutdoesnothelpifatokenisimmediatelyused,theshorttimeouthelpstoinsurethatthe

tokenishardertocapturewhileitisstillvalid.

Recommendations:AWebapplicationshouldinvalidateasessionafterapredefinedidletimehas

passed(atimeout)andprovidetheuserthemeanstoinvalidatetheirownsession(logout);thishelpsto

keep

thelifespanofasessionIDasshortaspossibleandisnecessaryinasharedcomputingenvironment,

wheremorethanonepersonhasunrestrictedphysicalaccesstoacomputer.


Session fixation (WASC-37) Issueseverity:Medium


Issuedescription:Usercanusethesamesessiontokenafterlogoutorpasswordchange.Attackercan

repeatrequestwithtokenthatshouldbemarkedasinvalidated.

curl-i-s-k-X'GET'\

-H'User-Agent:Mozilla/5.0(WindowsNT6.1;WOW64;rv:18.0)Gecko/20100101Firefox/18.0'-H'Referer:

https://.Client.com/***?submitted=true'\

-b'j***=1464960334.259;

beaker.session="1d1f9a946b96613b622171adeafe6bcfbbe8c4045650fc37ef7243ca9a1801a8be8bfeac";

ZAuthToken="5650fc37ef7243ca9a1801a8be8bfeac"'\

'https://Client.com/***'

Recommendations:Thelogoutfunctionshouldbeprominentlyvisibletotheuser,explicitlyinvalidatea

user’ssessionanddisallowreuseofthesessiontoken.Servershouldprovidenewsessionidtouser

browserafterlogout.


Cookie without Secure flag set Issueseverity:Medium


Issuedescription:Sessioncookiebeaker.sessionissetwithoutSecureflag.Secureflagforcesbrowsernot to send cookieoverunsecurechannel(useHTTPSinsteadofHTTP).Beaker.sessioncookieisthemostcriticalandtheonlyonethatisrequiredtoexecuterequeststoaserver.Accordingtoourtesting,

theresttwocookiesareoptional,andwedidnotobserveanyserver-sidevalidationforthem.

Proof of vulnerability

Recommendations:EnsurethatwebserversetsSecureflagonsessioncookies.


Verbose error log disclosures information about Client internals Issueseverity:Low


Issuedescription:Sendingspecialcraftedrequestattackercangetverboseerrorlog,whichmayreveal

usefulinformation,suchassoftwareversions,errortypes,andsoon.

Proofofvulnerability

Request:

GET /zport HTTP/1.1 Host: Client.com Connection:close



Chrome/50.0.2661.102Safari/537.36


Accept:*/*

Referer:https://Client.com/***/Dashboard



Cookie:

beaker.session="556ab79ec31a6cf70a30a21ff225c2b4805aa19058ad3e3e284e4bb599e07e449076f1aa";

ZAuthToken="58ad3e3e284e4bb599e07e449076f1aa";***_update=1465473596.928

Responsewithverboseerror:

Recommendations:Ensurethatserverdoesnotrevealanyusefulinformationinanyform,evenasa

debuginfoinerrorlogs.


Open-redirect vulnerability Issueseverity:Medium


Issuedescription:Anopenredirectisanapplicationthattakesaparameterandredirectsausertothe

parametervaluewithoutanyvalidation.Thisvulnerabilityisusedinphishingattackstogetuserstovisit

malicioussiteswithoutrealizingit.


Request:

POST http://google.com HTTP/1.1 Host: Client.com Connection:close

Content-Length:0


X-Requested-With:XMLHttpRequest


Chrome/***.102Safari/537.36


Accept:*/*

Referer:https://Client.com/***/devices/10.***/***detail



Cookie:

beaker.session="878d18d2254d148ddb6bc7d217508be212786b2bc3d47ffc0c414ed080b12a694f356993";*

**_update=1465199235.61;***UserId=oeu1465209245134r0.752719618090913;

***ments=%7B%222299272282%22%3A%22false%22%2C%222299580245%22%3A%22direct%22%2C%222

305520179%22%3A%22gc%22%7D;***uckets=%7B%7D;_ga=GA***;

ZAuthToken="c3d47ffc0c414ed080b12a694f356993"

Responsewitharedirecttoanotherwebsite:

HTTP/1.1 301 Moved Permanently Location: http://google.com/ Date:Wed,08Jun201609:24:47GMT

Content-Length:0

Content-Type:text/plain;charset=utf-8

Connection:close

Aftersucharequest,browserwillbesuccessfullyredirectedtoanarbitrarywebsite.

Recommendations: Ensure that server does not redirect client to untrusted domains.


Cookie without HTTPOnly flag set Issueseverity:Medium


Issuedescription:Sessioncookiebeaker.sessionissetwithoutHTTPOnlyflag.ThisflagensuresthatanattackercannotstealcookiewithJavascriptonaclientside.


Recommendations:EnsurethatwebserversetsHTTPonlyflagonsessioncookies.

Password bruteforce is possible Issueseverity:Medium


Issue description: https://Client.com/zport/***/login

Becauseapplicationdoesnotblockauserafterafewfailedloginattempts,itispossibletoenumerate

passwordsusingtheloginform.Attackercanharvestusercredentialsandhaveunauthorizedaccessto

applicationfunctionalityandconfidentialdata.

Proofofvulnerability:Applicationdoesnotcheckthequantityoffailedrequestsandletsuserinupona

successfulone.Attackercanautomatethisattackandperformpasswordbruteforcingusingthisrequest.

Vulnerable request:


POST /***/login HTTP/1.1 Host: Client.com Connection:close

Content-Length:131

Cache-Control:max-age=0


Upgrade-Insecure-Requests:1

User-Agent:Mozilla/5.0(WindowsNT6.1;WOW64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/51.0.2704.84Safari/537.36

Content-Type:application/x-www-form-urlencoded

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Referer:https://Client.com/***/login_form?came_from=https%3A//Client.com/***/



Cookie:***_update=1465906625.949

came_from=https%3A%2F%2FClient.com%2F***%2F***%2F&submitted=true&fragment=&__ac_name=pentest02&__ac_password=passwo

Recommendations:Makesurethatusernameisblockedforsometimeafterseveralfailedlogins.Block

IPaddressafterseveralsamerequestswithdifferentvalues.Enablecaptcha.

Exponentially increase the amount of time a user has to wait between authentication attempts until it reaches a rate that makes brute-forcing impractical (for example, 24 hours). Explanation: (Common Weaknesses Enumeration ID: 307http://cwe.mitre.org/data/definitions/307)

HTML form without CSRF protection Issueseverity:Medium


Issuedescription:Cross-siterequestforgery,alsoknownasaone-clickattackorsessionriding

(abbreviatedasCSRForXSRF),isatypeofmaliciousexploitofawebsite,wherebyunauthorized

commandsaretransmittedfromauserthatthewebsitetrusts.

Theimpactofthisvulnerability:Anattackermayforcetheusersofawebapplicationtoexecute

actionsoftheattacker'schoosing.AsuccessfulCSRFexploitcancompromiseenduserdataandoperation

incaseofnormaluser.Ifthetargetedenduseristheadministratoraccount,thiscancompromisethe

entirewebapplication.

Proof of vulnerability: “Change email” request can be triggered without anti-CSRF token. An

attacker can trick user to successfully perform this request.

POST /***/pentest07 HTTP/1.1


Host: Client.com Connection:close

Content-Length:224

Cache-Control:max-age=0

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8


Upgrade-Insecure-Requests:1


Chrome/50.0.2661.102Safari/537.36

Content-Type:application/x-www-form-urlencoded

Referer:https://Client.com/***/pentest07



Cookie:

beaker.session="878d18d2254d148ddb6bc7d217508be212786b2bc3d47ffc0c414ed080b12a694f356993"

***=editUserSettings.pt&email=***%40inc.coma&pager=&defaultPageSize=40&net***=&timezone=America%2FChicago&password=&sndpassword=&oldpassword=&***_editUserSettings%3Amethod=+Save+Settings+

Recommendations:CheckifthisformrequiresCSRFprotectionandimplementCSRFcountermeasuresif

necessary.

Ananti-CSRFtokenisasession-specificoreventransaction-specificrandomstringappendedasa

parametertoimportanttransactions.Uponhandlingtheclient'srequest,theserverensuresthatthe

CSRFtokenisthevalueexpectedforthatsession/transaction.Ifthetokenisnotcorrect,thenthe

applicationdeniesthetransaction.ThishelpsprotectagainstCSRFbecauseeachrequestwillhaveatleast

oneuniqueparameterthatanattackercannotknowaheadoftime.

NotethatyoumaybeabletomitigatetheriskofCSRFbyusinganalternativeuser-specifictoken,suchas

theuserid,ratherthanaspecificanti-CSRFtoken.

Whenawebserverisdesignedtoreceivearequestfromaclientwithoutanymechanismforverifying

thatitwasintentionallysent,thenitmightbepossibleforanattackertotrickaclientintomakingan

unintentionalrequesttothewebserverwhichwillbetreatedasanauthenticrequest.Thiscanbedone

viaaURL,imageload,XMLHttpRequest,andothers,andcanresultindatadisclosureorunintendedcode

execution(CommonWeaknessesEnumerationID:352-http://cwe.mitre.org/data/definitions/352).


Username enumeration Issueseverity:Medium


Issuedescription:“Forgotpassword”functionalityresponseidentifiesifausernameisalready

registered.Attackercanlaunchbruteforceordictionaryattacktoharvestusernamesofclients.

Theapplicationshouldnotleakanyinformation—regardingthevalidityoftheusername,anysuspension

oftheaccount,andsoon—intheeventoffailedresponsestothechallenge.

Recommendations:Providelessverboseresponsesinthe“Forgotpassword”functionality.Makesure

thatsecurityquestionvalueischeckedproperly.BlockIPaddressafterseveralsamerequestswith

differentvalues.Enablecaptcha.

No clickjacking protection Issueseverity:Low

Businessimpact:Low

Issuedescription:Clickjacking,alsoknownasa"UIredressattack",iswhenanattackerusesmultiple

transparentoropaquelayerstotrickauserintoclickingabuttonoralinkonanotherpagewhenthey

wereintendingtoclickthetop-levelpage.Thus,theattackeris"hijacking"clicksmeantfortheirpageand

routingthemtoanotherpage,mostlikelyownedbyanotherapplication,domain,orboth.

Usingasimilartechnique,keystrokescanalsobehijacked.Withacarefullycraftedcombinationof

stylesheets,iframes,andtextboxes,ausercanbeledtobelievetheyaretypinginthepasswordtotheir

emailorbankaccount,butareinsteadtypingintoaninvisibleframecontrolledbytheattacker.

Proofofvulnerability:

Framedpageexample:


Code snippet:

Recommendations: There are two main ways to prevent clickjacking:

• SendingtheproperX-Frame-OptionsHTTPresponseheadersthatinstructthebrowsertonotallow

framingfromotherdomains.

• EmployingdefensivecodeintheUItoensurethatthecurrentframeisthemosttop-levelwindow.

References:

• https://www.owasp.org/index.php/Clickjacking

• https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

Lack of Content-Security-Policy Issueseverity:Low

Businessimpact:Low

Issuedescription:ThenewContent-Security-PolicyHTTPresponseheaderhelpsyoureduceXSSriskson

modernbrowsersbydeclaringwhatdynamicresourcesareallowedtoloadviaaHTTPHeader.

Recommendations:AddContent-Security-Policysupporttotargetapplication.

References:

• https://www.owasp.org/index.php/List_of_useful_HTTP_headers

• http://content-security-policy.com/

Lack of X-XSS-Protection Issueseverity:Low

Businessimpact:Low

Issuedescription:Toimprovethesecurityofyoursiteagainstsometypesofcross-sitescripting(XSS)

attacks,itisrecommendedthatyouaddthefollowingheadertoyoursite:

X-XSS-Protection:1;mode=block

Recommendations: Add X-XSS-Protection header to the target application.

Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Findings for Client server


No brute-force protection Issueseverity:Medium


Issuedescription:https://Client.com/#/login

Applicationallowsanattackertobrute-forcepasswordsagainstControlCenterapplication.Anaccountor

attackerIPaddressisnotblockedforsomeperiodoftime.Moreadvancedsolutiontostopbrute-force

attacksistousecaptcha.Itshouldbegeneratedincaseofbrute-forceafter5unsuccessfullogin

attempts.


Recommendations:Enablecaptchaforblockingbrute-force.Thiswillensurethattherequestwillfail

duringautomatedattacks.


Using components with known vulnerabilities Issueseverity:Medium


Issue description: https://Client.com/#/login

CWE-937:OWASPTopTen2013CategoryA9:

1. VulnerabilityDetails:CVE-2014-4326

Logstash1.4.2andpriorversionsarevulnerabletoadirectorytraversalattackthatallowsanattacker

tooverwritefilesontheserverrunningLogstash.

2. VulnerabilityDetails:CVE-2015-4152

ElasticsearchLogstash1.0.14through1.4.xbefore1.4.2allowsremoteattackerstoexecutearbitrary

commandsviaacraftedeventin(1)zabbix.rbor(2)nagios_nsca.rbinoutputs.

https://packetstormsecurity.com/files/132233/Logstash-1.4.2-Directory-Traversal.html

CVSSscore 7.5

Confidentialityimpact Partial(Thereisaconsiderableinformationaldisclosure.)

Integrityimpact Partial(Modificationofsomesystemfilesorinformationispossible,butthe

attackerdoesnothavecontroloverwhatcanbemodified,orthescopeofwhat

theattackercanaffectislimited.)

Availabilityimpact Partial(Thereisreducedperformanceorinterruptionsinresourceavailability.)

Accesscomplexity Low(Specializedaccessconditionsorextenuatingcircumstancesdonotexist.Very

littleknowledgeorskillisrequiredtoexploit.)

Authentication Notrequired(Authenticationisnotrequiredtoexploitthevulnerability.)

Gainedaccess None

Vulnerabilitytype(s) Executecode



curl-i-s-k-X'GET'\

-H'User-Agent:Mozilla/5.0(WindowsNT6.1;WOW64;rv:18.0)Gecko/20100101Firefox/18.0'-H

'Referer:https://Client.com/static/logview/'\

-b'token=ZSQw9+6f6lZlVxi5XWI0nSyP6qy0uTN62IKVbvK3qJw=;username=pentest'\

'https://Client.com/api/***/elastic/***

Recommendations:Usersthatcurrentlyusethefileoutputpluginormayuseitinthefutureshould

upgradeto1.5.0or1.4.3.Thiswilladdressthevulnerabilityandpreservefileoutputfunctionality.

Usersthatdonotwanttoupgradecanaddressthevulnerabilitybydisablingthefileoutputplugin.

Information leakage


Issueseverity:Info

Businessimpact:Info

Issuedescription:https://Client.com/#/login

Aninformationleakistheintentionalorunintentionaldisclosureofinformationthateither(1)isregarded

assensitivewithintheproduct'sownfunctionality,suchasaprivatemessage,or(2)providesinformation

abouttheproductoritsenvironmentthatcouldbeusefulinanattackbutisnormallynotavailabletothe

attacker,suchastheinstallationpathofaproductthatisremotelyaccessible.

Manyinformationleaksareresultant(forexample,pathdisclosureinPHPscripterror),buttheycanalso

beprimary(forexample,timingdiscrepanciesincrypto).Therearemanydifferenttypesofproblemsthat

involveinformationleaks.Theirseveritycanrangewidelydependingonthetypeofinformationthatis

leaked.


Responseswithsensitiveinfointemplate.


Recommendations:Ensurethattemplatesreturnedtotheclientdonotcontainsensitiveinformation,

whichmaybeusefulforanattacker.

HSTS missing from HTTPS server Issueseverity:Medium


Issuedescription:TheremoteHTTPSserverisnotenforcingHTTPStrictTransportSecurity(HSTS).The

lackofHSTSallowsdowngradeattacks,SSL-strippingman-in-the-middleattacks,andweakenscookie-

hijackingprotections.

Recommendations:ConfiguretheremotewebservertouseHSTS.


Appendix A: Covered test cases according to OWASP ASVS Level 1

# Category Detail Level1

1.1 V1.Architecture,design,

andthreatmodelling

Verifythatalltheneededapplicationcomponentsare

identifiedandareknown.

Covered

2.1 V2:Authentication

VerificationRequirements

Verifythatallpagesandresourcesbydefaultrequire

authenticationexceptthosespecificallyintendedtobe

public(principleofcompletemediation).

Covered



Verifythatallpasswordfieldsdonotechotheuser’s

passwordwhenitisentered.

Covered



Verifythatallauthenticationcontrolsareenforcedon

theserverside.

Covered



Verifythatallauthenticationcontrolsfailsecurelyto

ensureattackerscannotlogin.

Covered



Verifythatpasswordentryfieldsalloworencourage

theuseofpassphrases,anddonotpreventlong

passphrases/highlycomplexpasswordsfrombeing

entered.

Covered



Verifyallaccountidentityauthenticationfunctions

(suchasupdateprofile,forgotpassword,disabled/lost

token,helpdeskorIVR)thatmightregainaccesstothe

accountareatleastasresistanttoattackastheprimary

authenticationmechanism.

Covered



Verifythatthechangepasswordfunctionalityincludes

theoldpassword,thenewpassword,andapassword

confirmation.

Covered



Verifythatcredentialsaretransportedusingasuitable

encryptedlinkandthatallpages/functionsthatrequire

ausertoentercredentialsaredonesousingan

encryptedlink.

Covered



Verifythattheforgottenpasswordfunctionandother

recoverypathsdonotrevealthecurrentpasswordand

thatthenewpasswordisnotsentincleartexttothe

user.

Covered



Verifythatinformationenumerationisnotpossiblevia

login,passwordreset,orforgotaccountfunctionality.

Covered





Verifythattherearenodefaultpasswordsinusefor

theapplicationframeworkoranycomponentsusedby

theapplication(suchas“admin/password”).

Covered



Verifythatrequestthrottlingisinplacetoprevent

automatedattacksagainstcommonauthentication

attackssuchasbrute-forceattacksordenialofservice

attacks.

Covered



Verifythatforgottenpasswordandotherrecovery

pathsuseasofttoken,mobilepush,oranoffline

recoverymechanism.

Covered



Verifythatifknowledge-basedquestions(alsoknown

as"secretquestions")arerequired,thequestions

shouldbestrongenoughtoprotecttheapplication.

Covered



Verifythatmeasuresareinplacetoblocktheuseof

commonlychosenpasswordsandweakpassphrases.

Covered



Verifythatifanapplicationallowsusersto

authenticate,theyuseaprovensecureauthentication

mechanism.

Covered



Verifythatadministrativeinterfacesarenotaccessible

tountrustedparties.

Covered

3.1 V3:SessionManagement


Verifythatthereisnocustomsessionmanagerorthat

acustomsessionmanagerisresistantagainstall

commonsessionmanagementattacks.

Covered



Verifythatsessionsareinvalidatedwhentheuserlogs

out.

Covered



Verifythatsessionstimeoutafteraspecifiedperiodof

inactivity.

Covered



Verifythatallpagesthatrequireauthenticationhave

easyandvisibleaccesstologoutfunctionality.

Covered



VerifythatthesessionidisneverdisclosedinURLs,

errormessages,orlogs.Thisincludesverifyingthatthe

applicationdoesnotsupportURLrewritingofsession

cookies.

Covered



Verifythatallsuccessfulauthenticationandre-

authenticationgeneratesanewsessionandsessionid.

Covered





Verifythatsessionidsstoredincookieshavetheirpath

settoanappropriatelyrestrictivevalueforthe

application,andauthenticationsessiontokens

additionallysetthe“HttpOnly”and“secure”attributes.

Covered



Verifythattheapplicationlimitsthenumberofactive

concurrentsessions.

Covered



Verifythatanactivesessionlistisdisplayedinthe

accountprofileorsimilarofeachuser.Theusershould

beabletoterminateanyactivesession.

Covered



Verifythattheuserispromptedwiththeoptionto

terminateallotheractivesessionsafterasuccessful

changepasswordprocess.

Covered

4.1 V4:AccessControl


Verifythattheprincipleofleastprivilegeexists:users

shouldonlybeabletoaccessfunctions,datafiles,URLs,

controllers,services,andotherresources,forwhich

theypossessspecificauthorization.Thisimplies

protectionagainstspoofingandelevationofprivilege.

Covered



Verifythataccesstosensitiverecordsisprotected,such

thatonlyauthorizedobjectsordataisaccessibleto

eachuser(forexample,protectagainstuserstampering

withaparametertoseeoralteranotheruser's

account).

Covered



Verifythatdirectorybrowsingisdisabledunless

deliberatelydesired.Additionally,applicationsshould

notallowdiscoveryordisclosureoffileordirectory

metadata,suchasThumbs.db,.DS_Store,.git,or.svn

folders.

Covered



Verifythataccesscontrolsfailsecurely. Covered



Verifythatthesameaccesscontrolrulesimpliedbythe

presentationlayerareenforcedontheserverside.

Covered



Verifythattheapplicationorframeworkusesstrong

randomanti-CSRFtokensorhasanothertransaction

protectionmechanism.

Covered



Verifythattheapplicationcorrectlyenforcescontext-

sensitiveauthorizationsoastonotallowunauthorized

manipulationbymeansofparametertampering.

Covered



5.1 V5:Maliciousinput

handlingverification

requirements

Verifythattheruntimeenvironmentisnotsusceptible

tobufferoverflows,orthatsecuritycontrolsprevent

bufferoverflows.

Covered



requirements

Verifythatserver-sideinputvalidationfailuresresultin

requestrejectionandarelogged.

Covered



requirements

Verifythatinputvalidationroutinesareenforcedon

theserverside.

Covered



requirements

VerifythatallSQLqueries,HQL,OSQL,NOSQL,and

storedprocedures,callingofstoredproceduresare

protectedbytheuseofpreparedstatementsorquery

parameterization;thus,notsusceptibletoSQL

injection.

Covered



requirements

VerifythattheapplicationisnotsusceptibletoLDAP

InjectionorthatsecuritycontrolspreventLDAP

Injection.

Covered



requirements

VerifythattheapplicationisnotsusceptibletoOS

CommandInjectionorthatsecuritycontrolspreventOS

CommandInjection.

Covered



requirements

VerifythattheapplicationisnotsusceptibletoRemote

FileInclusion(RFI)orLocalFileInclusion(LFI)when

contentisusedthatisapathtoafile.

Covered



requirements

Verifythattheapplicationisnotsusceptibleto

commonXMLattacks,suchasXPathquerytampering,

XMLExternalEntityattacks,andXMLinjectionattacks.

Covered



requirements

EnsurethatallstringvariablesplacedintoHTMLor

otherwebclientcodeiseitherproperlycontextually

encodedmanually,orutilizetemplatesthat

automaticallyencodecontextuallytoensurethe

applicationisnotsusceptibletoreflected,storedand

DOMCross-SiteScripting(XSS)attacks.

Covered



requirements

MakesureuntrustedHTMLfromWYSIWYGeditorsor

similarareproperlysanitizedwithanHTMLsanitizer

andhandleitappropriatelyaccordingtotheinput

validationtaskandencodingtask.

Covered



7.2 V7:Cryptographyatrest

verificationrequirements

Verifythatallcryptographicmodulesfailsecurely,and

errorsarehandledinawaythatdoesnotenableoracle

padding.

Covered

7.7 V7:Cryptographyatrest


Verifythatcryptographicalgorithmsusedbythe

applicationhavebeenvalidatedagainstFIPS140-2or

anequivalentstandard.

Covered

8.1 V8:Errorhandlingand

loggingverification

requirements

Verifythattheapplicationdoesnotoutputerror

messagesorstacktracescontainingsensitivedatathat

couldassistanattacker,includingsessionid,

software/frameworkversionsandpersonal

information.

Covered

9.1 V9:Dataprotection


Verifythatallformscontainingsensitiveinformation

havedisabledclient-sidecaching,including

autocompletefeatures.

Covered



Verifythatallsensitivedataissenttotheserverinthe

HTTPmessagebodyorheaders(i.e.,URLparameters

areneverusedtosendsensitivedata).

Covered



Verifythattheapplicationsetsappropriateanti-caching

headersaspertheriskoftheapplication,suchasthe

following:

Expires:Tue,03Jul200106:00:00GMT

Last-Modified:{now}GMT

Cache-Control:no-store,no-cache,must-revalidate,

max-age=0

Cache-Control:post-check=0,pre-check=0

Pragma:no-cache

Covered



Verifythatdatastoredinclientsidestorage(suchas

HTML5localstorage,sessionstorage,IndexedDB,

regularcookiesorFlashcookies)doesnotcontain

sensitiveorPII.

Covered

10.1 V10:Communications

securityverification

requirements

VerifythatapathcanbebuiltfromatrustedCAtoeach

TransportLayerSecurity(TLS)servercertificate,and

thateachservercertificateisvalid.

Covered



requirements

VerifythatTLSisusedforallconnections(including

bothexternalandbackendconnections)thatare

authenticatedorthatinvolvesensitivedataor

functions,anddoesnotfallbacktoinsecureor

unencryptedprotocols.Ensurethestrongest

alternativeisthepreferredalgorithm.

Covered





requirements

VerifythatHTTPStrictTransportSecurityheadersare

includedonallrequestsandforallsubdomains,suchas

Strict-Transport-Security:max-age=15724800;

includeSubdomains

Covered



requirements

Ensureforwardsecrecyciphersareinusetomitigate

passiveattackersrecordingtraffic.

Covered



requirements

Verifythatpropercertificationrevocation,suchas

OnlineCertificateStatusProtocol(OSCP)Stapling,is

enabledandconfigured.

Covered



requirements

Verifythatonlystrongalgorithms,ciphers,and

protocolsareused,throughallthecertificatehierarchy,

includingrootandintermediarycertificatesofyour

selectedcertifyingauthority.

Covered



requirements

VerifythattheTLSsettingsareinlinewithcurrent

leadingpractice,particularlyascommonconfigurations,

ciphers,andalgorithmsbecomeinsecure.

Covered

11.1 V11:HTTPsecurity

configurationverification

requirements

Verifythattheapplicationacceptsonlyadefinedsetof

requiredHTTPrequestmethods,suchasGETandPOST

areaccepted,andunusedmethods(forexample,

TRACE,PUT,andDELETE)areexplicitlyblocked.

Covered



requirements

VerifythateveryHTTPresponsecontainsacontent

typeheaderspecifyingasafecharacterset(for

example,UTF-8,ISO8859-1).

Covered



requirements

VerifythattheHTTPheadersoranypartoftheHTTP

responsedonotexposedetailedversioninformationof

systemcomponents.

Covered



requirements

VerifythatallAPIresponsescontainX-Content-Type-

Options:nosniffandContent-Disposition:attachment;

filename="api.json"(orotherappropriatefilenamefor

thecontenttype).

Covered



requirements

VerifythattheContentSecurityPolicyV2(CSP)isinuse

inawaythateitherdisablesinlineJavaScriptor

providesanintegritycheckoninlineJavaScriptwithCSP

noncingorhashing.

Covered





requirements

VerifythattheX-XSS-Protection:1;mode=blockheader

isinplace.

Covered

16.1 V16:Filesandresources


VerifythatURLredirectsandforwardsonlyallow

whitelisteddestinations,orshowawarningwhen

redirectingtopotentiallyuntrustedcontent.

Covered



Verifythatuntrustedfiledatasubmittedtothe

applicationisnotuseddirectlywithfileI/Ocommands,

particularlytoprotectagainstpathtraversal,localfile

include,filemimetype,andOScommandinjection

vulnerabilities.

Covered



Verifythatfilesobtainedfromuntrustedsourcesare

validatedtobeofexpectedtypeandscannedby

antivirusscannerstopreventuploadofknown

maliciouscontent.

Covered



Verifythatuntrusteddataisnotusedwithininclusion,

classloader,orreflectioncapabilitiestoprevent

remote/localfileinclusionvulnerabilities.

Covered



Verifythatuntrusteddataisnotusedwithincross-

domainresourcesharing(CORS)toprotectagainst

arbitraryremotecontent.

Covered



Verifytheapplicationcodedoesnotexecuteuploaded

dataobtainedfromuntrustedsources.

Covered



DonotuseFlash,Active-X,Silverlight,NACL,client-side

Javaorotherclientsidetechnologiesnotsupported

nativelyviaW3Cbrowserstandards.

Covered

17.1 V17:Mobileverification

requirements

VerifythatIDvaluesstoredonthedeviceand

retrievablebyotherapplications,suchastheUDIDor

IMEInumberarenotusedasauthenticationtokens.

Covered


requirements

Verifythatthemobileappdoesnotstoresensitivedata

ontopotentiallyunencryptedsharedresourcesonthe

device(forexample,SDcardorsharedfolders).

Covered


requirements

Verifythatsensitivedataisnotstoredunprotectedon

thedevice,eveninsystemprotectedareassuchaskey

chains.

Covered




requirements

Verifythattheapplicationsensitivecodeislaidout

unpredictablyinmemory(forexample,ASLR).

Covered


requirements

Verifythattheappdoesnotexportsensitiveactivities,

intents,contentproviders,andsoonforothermobile

appsonthesamedevicetoexploit.

Covered


requirements

Verifythattheapp’sexposedactivities,intents,content

providers,andothersvalidateallinputs.

Covered

18.1 V18:Webservices


Verifythatthesameencodingstyleisusedbetween

theclientandtheserver.

Covered



Verifythataccesstoadministrationandmanagement

functionswithintheWebServiceApplicationislimited

towebserviceadministrators.

Covered



VerifythatXMLorJSONschemaisinplaceandverified

beforeacceptinginput.

Covered



Verifythatallinputislimitedtoanappropriatesize

limit.

Covered



VerifythatSOAPbasedwebservicesarecompliantwith

WebServices-Interoperability(WS-I)BasicProfileat

minimum.

Covered



Verifytheuseofsession-basedauthenticationand

authorization.Avoidtheuseofstatic"APIkeys"and

similar.

Covered



VerifythattheRESTserviceisprotectedfromCross-Site

RequestForgery.

Covered

19.1 V19.Configuration Allcomponentsshouldbeuptodatewithproper

securityconfiguration(s)andversion(s).Thisshould

includeremovalofunneededconfigurationsand

folderssuchassampleapplications,platform

documentation,anddefaultorexampleusers.

Covered
