UnderDefense
Application Security Audit
for Client
Compliance with OWASP ASVS L1: Failed
June 15, 2017
Notice
UnderDefense has made every reasonable attempt to ensure that the information contained within this report is correct, current and properly sets forth the findings as have been determined to date. The parties acknowledge and agree that the other party assumes no responsibility for errors that may be contained in or for misinterpretations that readers may infer from this document.
UnderDefense Confidential 2
Inside this report
Executive summary ........ 3
Summary of business risks ........ 4
Findings overview ........ 6
Findings for Client SaaS application ........ 7
Findings for Client server ........ 22
Appendix A: Covered test cases according to OWASP ASVS Level 1 ........ 28
Executive summary
This report presents the results of the security assessment for Client enrollment applications, conducted as a part of the product excellence and certification process. This assessment was performed under the auspices of two certified and licensed penetration testers employed by UnderDefense during June 1–15, 2017.

Results overview
The test uncovered a few vulnerabilities that may lead to compromise of user data, modification of application and user settings, information disclosure, or reputational damage for the company. During penetration testing, UnderDefense security experts found 3 high risk and 14 medium risk vulnerabilities, and 4 low severity issues.
The "Detailed Findings" section in each finding is aimed at helping system/application owners recreate the findings by following the steps mentioned in the section.
Scope
Organization: Client
Application: Client SaaS
Audit type: OWASP Top 10, ASVS L1 and Manual Penetration Testing
Asset URL: https://client.com
Audit period: June 1–15, 2017

Contact details
Reviewed by: John Smith
Prepared by: John Smith, Dow Johns

Security tools used for ASVS Level 1
• Burp Suite Pro [Commercial Edition]
• Tenable Nessus [Commercial Edition]
• Acunetix 9 [Commercial Edition]
• Metasploit Pro [Commercial Edition]
• OWASP Mantra
• OWASP Zap
• Nmap
• Sqlmap

Project limitations
Testing was conducted against the staging environment only.
Summary of business risks
Using high risk attacks, it is possible for an attacker to compromise all users of the Client SaaS application. A combination of several medium and low risk vulnerabilities may cause serious damage to the integrity and confidentiality of the applications.

High-level recommendation
The application requires a final security review according to SDLC best practices before the final release, because some important functionality is not fully implemented, and remediation testing is required.
It is recommended to use a web application firewall to filter application-level attacks against the production environment.

Methodology
The UnderDefense Application Security Assessment Methodology is grounded on the following guides and standards:
• Pentest Execution Standard
• SANS: Conducting a Penetration Test on an Organization
• SANS: Network Application Security Assessment and Ethical Hacking
• The Open Source Security Testing Methodology
The Open Web Application Security Project (OWASP) is an industry initiative for web application security. OWASP has identified the 10 most common attacks that succeed against web applications. These comprise the OWASP Top 10.
The UnderDefense application penetration test includes all the items in the OWASP Top 10 and more. The penetration tester remotely tries to compromise the OWASP Top 10 flaws. The flaws listed by OWASP in its most recent Top 10 and the status of the application against those are depicted in the table below.
OWASP ASVS Level 1 is typically appropriate for applications where low confidence in the correct use of security controls is required, for providing a quick analysis of enterprise applications, or for assisting in developing a prioritized list of security requirements as a part of a multiphase effort. Level 1 controls can be ensured either automatically by tools or simply manually without access to source code. We consider Level 1 the minimum required for all applications. Threats to the application will most likely be from attackers who are using simple and low effort techniques to identify easy-to-find and easy-to-exploit vulnerabilities. This is in contrast to a determined attacker who will spend focused energy to specifically target the application.
If the data processed by your application has high value, you would rarely want to stop at a Level 1 review.
Performed tests
• All set of applicable OWASP Top 10 Security Tests
• All set of applicable SANS 25 Security Threats
• All set of applicable checks from OWASP ASVS Level 1 (see Appendix A with a key checklist)

Criteria label | Status
Safe against popular attacks | Fails criteria
Protects sensitive data during transmission | Meets criteria
Safeguards passwords | Meets criteria
Protects against password guessing | Fails criteria
Secure Forgot Password implementation | Fails criteria
Insecure configuration settings on servers accessible directly by users | Meets criteria
Sensitive data not to be stored on client | Meets criteria
Sensitive data not hidden in pages | Meets criteria
No sensitive data included in error messages | Fails criteria
Code obfuscation for secrets | N/A
Re-authentication required for sensitive activities | Meets criteria
No sensitive data in requests to external sites | Meets criteria
Web server service protected against known vulnerabilities | Meets criteria
No sample or test applications | Meets criteria
No sensitive data in source code | N/A
Findings overview
UnderDefense security experts performed manual security testing according to the OWASP Web Application Testing Methodology, which produced the following results.

Risk level | High risk | Medium risk | Low risk | Informational
# of vulnerabilities | 3 | 14 | 4 | 1

Severity
• High – Direct threat to key business processes.
• Medium – Indirect threat to key business processes or partial threat to business processes.
• Low – No direct threat exists. Vulnerability may be exploited using other vulnerabilities.
• Informational – This finding does not indicate a vulnerability, but states a comment that notifies about design flaws and improper implementation that might cause a problem in the long run.

[Figure: Findings by severity. High: 3, Medium: 14, Low: 4, Informational: 1]
Findings for Client SaaS application
This section covers details of all findings for the Client SaaS application.

Reflected Cross-Site Scripting
Issue severity: High
Business impact: High
Issue description: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application inserts input from a user into the output without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
An attacker can craft a URL that will trigger a malicious JavaScript payload to steal the user session, redirect the user to another resource, and so on.
Vulnerable URL:
https://client.com/***?filter=%2Fzport%2Fdmd%2FDevices%2F%3E&depth=2&objid=192.168%252%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Ca%3D%22&submitted=true
Script is successfully triggered: [screenshot]
Recommendations: To filter user input sufficiently, consult the OWASP XSS Prevention Cheat Sheet.
Stored Cross-Site Scripting
Issue severity: High
Business impact: High
Issue description: Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, and so on. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS.
An attacker can inject malicious JavaScript code into a page (under a Manager role), which will be reflected across all users of the system.

POST /Events/evclasses_router HTTP/1.1
Host: Client.com
Connection: close
Content-Length: 198
Origin: https://Client.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Content-Type: application/json
Accept: */*
Referer: https://Client.com/***
Accept-Encoding: gzip, deflate, br
Accept-Language: uk-UA,uk;q=0.8,ru;q=0.6,en-US;q=0.4,en;q=0.2
Cookie: beaker.session="556ab79ec31a6cf70a30a21ff225c2b4805aa19058ad3e3e284e4bb599e07e449076f1aa"; ZAuthToken="58ad3e3e284e4bb599e07e449076f1aa"; ***_update=1465473596.928

{"action":"EventClassesRouter","method":"editEventClassDescription","data":[{"uid":"/***/License","description":"12345'</span><img src=a onerror='alert(document.cookie);'/>"}],"type":"rpc","tid":101}

Payload is triggered across all users.
Recommendations: To filter user input sufficiently, consult the OWASP XSS Prevention Cheat Sheet or use the framework-specific components available.
DOM-based Cross-Site Scripting
Issue severity: High
Business impact: High
Issue description: DOM-based XSS (or, as it is called in some texts, "type-0 XSS") is an XSS attack wherein the attack payload is executed as a result of modifying the DOM "environment" in the victim's browser used by the original client side script, so that the client side code runs in an "unexpected" manner. That is, the page itself (the HTTP response) does not change, but the client side code contained on the page is executed differently due to the malicious modifications that have occurred in the DOM environment.
An attacker can inject malicious JavaScript code on the page (under the Manager role) on the Discover Networks page.
The SNMP field is not filtered properly.
Cookie is echoed successfully.
Recommendations: To filter user input sufficiently, consult the OWASP XSS Prevention Cheat Sheet.
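The three XSS findings above (reflected, stored and DOM-based) share one recommendation: encode user-controlled data for the context it is inserted into. The following Python is an added example written for this report, not code from the audited application or from UnderDefense; it shows server-side, context-aware encoding for the HTML body, HTML attribute and JavaScript-literal contexts, using the stored-XSS payload shape from the report as a constructed sample. `render_event_class` and `has_unencoded_tag` are hypothetical helpers. The DOM-based case is fixed in client code (writing untrusted values with `textContent` rather than `innerHTML`), which a server-side example does not cover.

```python
import html
import json
import re

# Added example: context-aware output encoding, the approach the OWASP XSS Prevention
# Cheat Sheet recommends. Not the audited application's code.

# Constructed sample in the shape of the stored XSS payload from the report.
SAMPLE_DESCRIPTION = "12345'</span><img src=a onerror='alert(document.cookie);'/>"


def encode_for_html(value: str) -> str:
    """HTML body context: & < > " ' become entities, so no tag can start."""
    return html.escape(value, quote=True)


def encode_for_attribute(value: str) -> str:
    """Quoted HTML attribute context: same entity set; the template must quote the attribute."""
    return html.escape(value, quote=True)


def encode_for_js(value: str) -> str:
    """JavaScript string literal inside a <script> block.

    json.dumps escapes quotes and backslashes; '<' and '>' are additionally escaped so that
    '</script>' cannot terminate the block, and U+2028/U+2029 so the literal stays on one line.
    """
    out = json.dumps(value)
    return (out.replace("<", "\\u003c").replace(">", "\\u003e")
               .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))


def render_event_class(uid: str, description: str) -> str:
    """Hypothetical server-side renderer for an event-class card.

    Each user-controlled value is encoded for the exact context it is inserted into.
    """
    return (
        '<div class="evclass" data-uid="{uid}">'
        "<span>{desc}</span>"
        "<script>var desc = {js};</script>"
        "</div>"
    ).format(
        uid=encode_for_attribute(uid),
        desc=encode_for_html(description),
        js=encode_for_js(description),
    )


def has_unencoded_tag(rendered: str, template_tags=("div", "span", "script")) -> bool:
    """Audit helper: True if the output contains a tag the template itself did not emit."""
    for tag in re.findall(r"</?([A-Za-z][A-Za-z0-9]*)", rendered):
        if tag.lower() not in template_tags:
            return True
    return False
```

The point of the three separate encoders is that one escaping routine does not fit every context: `html.escape` is correct for the body and for quoted attributes, but inside a script block the string literal must be JSON-escaped and additionally protected against an early `</script>`.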
Insufficient session expiration [CWE-613]
Issue severity: Medium
Business impact: Medium
Issue description: The session is active after more than 50 hours of user inactivity. Insufficient session expiration weakness is a result of poorly implemented session management. This weakness can arise at the design and implementation levels and can be used by attackers to gain unauthorized access to the application.
When handling sessions, web developers can rely either on server tokens or generate session identifiers within the application. Each session should be destroyed after the user clicks the Log off button, or after a certain period of time (called timeout). Unfortunately, coding errors and server misconfigurations may influence the session handling process, which can result in unauthorized access.
Session expiration is comprised of two timeout types:
• Inactivity – such a timeout is the amount of idle time allowed before the session is invalidated.
• Absolute – such a timeout is defined by the total amount of time a session can be valid without re-authentication.
The lack of proper session expiration may increase the likelihood of success of certain attacks. A long expiration time increases an attacker's chance of successfully guessing a valid session ID. The longer the expiration time, the more concurrent open sessions will exist at any given time. The larger the pool of sessions, the more likely it will be for an attacker to guess one at random. Although a short session inactivity timeout does not help if a token is immediately used, the short timeout helps to ensure that the token is harder to capture while it is still valid.
Recommendations: A web application should invalidate a session after a predefined idle time has passed (a timeout) and provide the user the means to invalidate their own session (logout); this helps to keep the lifespan of a session ID as short as possible and is necessary in a shared computing environment, where more than one person has unrestricted physical access to a computer.
Session fixation (WASC-37)
Issue severity: Medium
Business impact: Medium
Issue description: A user can use the same session token after logout or password change. An attacker can repeat a request with a token that should have been marked as invalidated.

curl -i -s -k -X 'GET' \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0' -H 'Referer: https://.Client.com/***?submitted=true' \
  -b 'j***=1464960334.259; beaker.session="1d1f9a946b96613b622171adeafe6bcfbbe8c4045650fc37ef7243ca9a1801a8be8bfeac"; ZAuthToken="5650fc37ef7243ca9a1801a8be8bfeac"' \
  'https://Client.com/***'

Recommendations: The logout function should be prominently visible to the user, explicitly invalidate a user's session and disallow reuse of the session token. The server should provide a new session id to the user browser after logout.
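The two session findings above (no expiry after 50 hours of inactivity, and a token that keeps working after logout or password change) are both closed by a server-side store that owns the lifetime of the session identifier. The following Python is an added example, not code from the audited application or from its Beaker session layer; the timeout values are assumptions for demonstration, and the `clock` parameter exists only so the timeouts can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Added example, not the audited application's code: a server-side session store that
# enforces both timeout types from the report and invalidates on logout/password change.
INACTIVITY_TIMEOUT = 15 * 60     # assumed: seconds of idle time before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # assumed: total lifetime, regardless of activity


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory store; a real deployment would back this with a shared cache or database."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                      # injectable so tests can move time forward
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        """Issue a fresh, unguessable id (256 bits from the OS CSPRNG)."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Return the live session for sid, enforcing both timeouts; expired entries are purged."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > INACTIVITY_TIMEOUT or now - s.created_at > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def logout(self, sid: str) -> None:
        """Server-side invalidation: replaying the old cookie afterwards finds nothing."""
        self._sessions.pop(sid, None)

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a new id and retire the old one (after login and after password change).

        The absolute timer restarts because the user has just re-authenticated.
        """
        s = self.lookup(sid)
        if s is None:
            return None
        del self._sessions[sid]
        return self.create(s.user)

    def revoke_all_for_user(self, user: str) -> int:
        """On password change, drop every session of that user; returns the number dropped."""
        doomed = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)
```

Because validity is decided by the store rather than by the cookie, a replayed `beaker.session` value is simply absent after `logout` or `revoke_all_for_user`, which is the behaviour the session fixation recommendation asks for.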
Cookie without Secure flag set
Issue severity: Medium
Business impact: Medium
Issue description: The session cookie beaker.session is set without the Secure flag. The Secure flag forces the browser not to send the cookie over an unsecure channel (use HTTPS instead of HTTP). The beaker.session cookie is the most critical and the only one that is required to execute requests to the server. According to our testing, the remaining two cookies are optional, and we did not observe any server-side validation for them.
Proof of vulnerability: [screenshot]
Recommendations: Ensure that the web server sets the Secure flag on session cookies.
Verbose error log discloses information about Client internals
Issue severity: Low
Business impact: Medium
Issue description: By sending a specially crafted request an attacker can get a verbose error log, which may reveal useful information, such as software versions, error types, and so on.
Proof of vulnerability
Request:
GET /zport HTTP/1.1
Host: Client.com
Connection: close
Origin: https://Client.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Content-Type: application/json
Accept: */*
Referer: https://Client.com/***/Dashboard
Accept-Encoding: gzip, deflate, br
Accept-Language: uk-UA,uk;q=0.8,ru;q=0.6,en-US;q=0.4,en;q=0.2
Cookie: beaker.session="556ab79ec31a6cf70a30a21ff225c2b4805aa19058ad3e3e284e4bb599e07e449076f1aa"; ZAuthToken="58ad3e3e284e4bb599e07e449076f1aa"; ***_update=1465473596.928

Response with verbose error: [screenshot]
Recommendations: Ensure that the server does not reveal any useful information in any form, even as debug info in error logs.
Open-redirect vulnerability
Issue severity: Medium
Business impact: Medium
Issue description: An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.
Proof of vulnerability
Request:
POST http://google.com HTTP/1.1
Host: Client.com
Connection: close
Content-Length: 0
Origin: https://Client.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/***.102 Safari/537.36
Content-Type: application/json
Accept: */*
Referer: https://Client.com/***/devices/10.***/***detail
Accept-Encoding: gzip, deflate, br
Accept-Language: uk-UA,uk;q=0.8,ru;q=0.6,en-US;q=0.4,en;q=0.2
Cookie: beaker.session="878d18d2254d148ddb6bc7d217508be212786b2bc3d47ffc0c414ed080b12a694f356993"; ***_update=1465199235.61; ***UserId=oeu1465209245134r0.752719618090913; ***ments=%7B%222299272282%22%3A%22false%22%2C%222299580245%22%3A%22direct%22%2C%222305520179%22%3A%22gc%22%7D; ***uckets=%7B%7D; _ga=GA***; ZAuthToken="c3d47ffc0c414ed080b12a694f356993"

Response with a redirect to another website:
HTTP/1.1 301 Moved Permanently
Location: http://google.com/
Date: Wed, 08 Jun 2016 09:24:47 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
Connection: close

After such a request, the browser will be successfully redirected to an arbitrary website.
Recommendations: Ensure that the server does not redirect the client to untrusted domains.
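The recommendation above ("do not redirect the client to untrusted domains") needs a validator that is harder to bypass than a simple prefix check. The following Python is an added example, not code from the audited application: it accepts only absolute paths on the site or absolute URLs whose host is on an allow-list, and it handles the common bypass shapes. `ALLOWED_HOSTS` and `redirect_response` are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Added example, not the audited application's code: validate a redirect target before
# answering with a 30x, so the server never redirects to an untrusted domain.
ALLOWED_HOSTS = {"client.com"}   # assumption: the application's own host name(s)
FALLBACK = "/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return target if it stays on an allowed host, otherwise fallback.

    Handles the usual bypass shapes: absolute URLs to other hosts, scheme-relative
    '//host', backslash variants that browsers treat as slashes, 'scheme:host' without
    slashes, userinfo tricks ('allowed@evil'), and non-HTTP schemes.
    """
    if not target:
        return fallback
    candidate = target.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return fallback                        # javascript:, data:, ...
        host = (parts.hostname or "").lower()       # hostname drops userinfo and port
        if host not in allowed_hosts:
            return fallback
        return candidate
    if parts.netloc:
        return fallback                            # '//evil.com', or '/\\evil.com' after normalising
    if not candidate.startswith("/"):
        return fallback                            # only absolute paths on this site are accepted
    return candidate


def redirect_response(target):
    """Build the (status, headers) pair a handler would return for a validated redirect."""
    return 302, {"Location": safe_redirect_target(target)}
```

Rejecting relative paths such as `dashboard` (no leading slash) is deliberate: the check is conservative, and an application can always generate its own redirect targets as absolute paths.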
Cookie without HTTPOnly flag set
Issue severity: Medium
Business impact: Medium
Issue description: The session cookie beaker.session is set without the HTTPOnly flag. This flag ensures that an attacker cannot steal the cookie with JavaScript on the client side.
Proof of vulnerability: [screenshot]
Recommendations: Ensure that the web server sets the HTTPOnly flag on session cookies.
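The two cookie findings (missing Secure, missing HTTPOnly) are the kind of thing a response audit catches automatically. The following Python is an added example, not code from the audited application: a small Set-Cookie parser, an audit of each cookie for the two attributes the report requires (SameSite is checked as an extra that goes beyond the report's findings), and a builder for the hardened header. The cookie names come from the report's requests; the values are constructed placeholders.

```python
from typing import Dict, List, Optional, Tuple, Union

# Added example, not the audited application's code: audit Set-Cookie headers for the
# Secure and HttpOnly attributes that this report found missing on beaker.session, and
# build the hardened header. SameSite is checked as an extra beyond the report's findings.
Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Split one Set-Cookie value into (name, value, {attribute-lowercased: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str, over_https: bool = True) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means it passes."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if over_https and "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict")
    return findings


def audit_response(set_cookie_headers: List[str], over_https: bool = True) -> List[Tuple[str, List[str]]]:
    """Audit every Set-Cookie header of a response, in order."""
    return [(parse_set_cookie(h)[0], audit_cookie(h, over_https)) for h in set_cookie_headers]


def hardened_set_cookie(name: str, value: str, max_age: Optional[int] = None) -> str:
    """Build a Set-Cookie value with the attributes a session cookie should carry."""
    parts = [f"{name}={value}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    return "; ".join(parts)


# Constructed sample headers in the shape the report describes (ids are placeholders).
SAMPLE_HEADERS = [
    'beaker.session="PLACEHOLDER_SESSION_ID"; Path=/',
    'ZAuthToken="PLACEHOLDER_TOKEN"; Path=/; Secure',
    hardened_set_cookie("beaker.session", "PLACEHOLDER_SESSION_ID"),
]
```

Run `audit_response` over the Set-Cookie headers of a login response: the first sample reproduces the report's two findings, the second shows a cookie with Secure but not HttpOnly, and the third passes.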
Password bruteforce is possible
Issue severity: Medium
Business impact: Medium
Issue description: https://Client.com/zport/***/login
Because the application does not block a user after a few failed login attempts, it is possible to enumerate passwords using the login form. An attacker can harvest user credentials and gain unauthorized access to application functionality and confidential data.
Proof of vulnerability: The application does not check the quantity of failed requests and lets the user in upon a successful one. An attacker can automate this attack and perform password brute forcing using this request.
Vulnerable request:
POST /***/login HTTP/1.1
Host: Client.com
Connection: close
Content-Length: 131
Cache-Control: max-age=0
Origin: https://Client.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://Client.com/***/login_form?came_from=https%3A//Client.com/***/
Accept-Encoding: gzip, deflate, br
Accept-Language: uk-UA,uk;q=0.8,ru;q=0.6,en-US;q=0.4,en;q=0.2
Cookie: ***_update=1465906625.949

came_from=https%3A%2F%2FClient.com%2F***%2F***%2F&submitted=true&fragment=&__ac_name=pentest02&__ac_password=passwo

Recommendations: Make sure that the username is blocked for some time after several failed logins. Block the IP address after several identical requests with different values. Enable captcha. Exponentially increase the amount of time a user has to wait between authentication attempts until it reaches a rate that makes brute-forcing impractical (for example, 24 hours). Explanation: Common Weakness Enumeration ID 307, http://cwe.mitre.org/data/definitions/307
HTML form without CSRF protection
Issue severity: Medium
Business impact: Medium
Issue description: Cross-site request forgery, also known as a one-click attack or session riding (abbreviated as CSRF or XSRF), is a type of malicious exploit of a website, whereby unauthorized commands are transmitted from a user that the website trusts.
The impact of this vulnerability: An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
Proof of vulnerability: The "Change email" request can be triggered without an anti-CSRF token. An attacker can trick a user into successfully performing this request.
POST /***/pentest07 HTTP/1.1
Host: Client.com
Connection: close
Content-Length: 224
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://Client.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: https://Client.com/***/pentest07
Accept-Encoding: gzip, deflate, br
Accept-Language: uk-UA,uk;q=0.8,ru;q=0.6,en-US;q=0.4,en;q=0.2
Cookie: beaker.session="878d18d2254d148ddb6bc7d217508be212786b2bc3d47ffc0c414ed080b12a694f356993"

***=editUserSettings.pt&email=***%40inc.coma&pager=&defaultPageSize=40&net***=&timezone=America%2FChicago&password=&sndpassword=&oldpassword=&***_editUserSettings%3Amethod=+Save+Settings+

Recommendations: Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.
An anti-CSRF token is a session-specific or even transaction-specific random string appended as a parameter to important transactions. Upon handling the client's request, the server ensures that the CSRF token is the value expected for that session/transaction. If the token is not correct, then the application denies the transaction. This helps protect against CSRF because each request will have at least one unique parameter that an attacker cannot know ahead of time.
Note that you may be able to mitigate the risk of CSRF by using an alternative user-specific token, such as the user id, rather than a specific anti-CSRF token.
When a web server is designed to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, and others, and can result in data disclosure or unintended code execution (Common Weakness Enumeration ID 352, http://cwe.mitre.org/data/definitions/352).
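The recommendation above describes a session-bound anti-CSRF token that the server checks on every important transaction. The following Python is an added example, not code from the audited application: the token is a random nonce plus an HMAC over the session id, the form name and the nonce, verified in constant time, with an Origin/Referer check as a second layer. `SERVER_KEY`, `ALLOWED_ORIGINS` and `handle_edit_user_settings` are placeholders and hypothetical names; the form name `editUserSettings` is taken from the request in the report.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Added example, not the audited application's code: a session-bound anti-CSRF token of
# the kind the recommendation describes, plus an Origin/Referer check as defence in depth.
SERVER_KEY = b"PLACEHOLDER-server-side-secret"    # placeholder; load from configuration in practice
ALLOWED_ORIGINS = {"https://client.com"}           # assumption: the application's own origin


def issue_csrf_token(session_id: str, form_name: str) -> str:
    """Token = nonce.HMAC(key, session|form|nonce): unique per issue, bound to session and form."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}|{form_name}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, form_name: str, token: str) -> bool:
    """Recompute the MAC for this session/form and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, _, mac = token.partition(".")
    expected = hmac.new(SERVER_KEY, f"{session_id}|{form_name}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Browsers set Origin (or at least Referer) on form posts; a cross-site post fails this check."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    p = urlsplit(source)
    return f"{p.scheme}://{p.netloc}".lower() in ALLOWED_ORIGINS


def handle_edit_user_settings(session_id: str, headers: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """Hypothetical handler for the 'Save Settings' form in the report's proof of vulnerability."""
    if not origin_allowed(headers):
        return 403, "cross-site request refused"
    if not verify_csrf_token(session_id, "editUserSettings", form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, f"settings saved for email {form.get('email', '')}"
```

Binding the MAC to the session id is what makes a token harvested from one account useless against another; binding it to the form name stops a token issued for a harmless form from authorising the email change.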
Username enumeration
Issue severity: Medium
Business impact: Medium
Issue description: The "Forgot password" functionality response identifies whether a username is already registered. An attacker can launch a brute force or dictionary attack to harvest the usernames of clients.
The application should not leak any information—regarding the validity of the username, any suspension of the account, and so on—in the event of failed responses to the challenge.
Recommendations: Provide less verbose responses in the "Forgot password" functionality. Make sure that the security question value is checked properly. Block the IP address after several identical requests with different values. Enable captcha.
No clickjacking protection
Issue severity: Low
Business impact: Low
Issue description: Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or a link on another page when they were intending to click the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.
Proof of vulnerability:
Framed page example: [screenshot]
Code snippet: [screenshot]
Recommendations: There are two main ways to prevent clickjacking:
• Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains.
• Employing defensive code in the UI to ensure that the current frame is the most top-level window.
References:
• https://www.owasp.org/index.php/Clickjacking
• https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

Lack of Content-Security-Policy
Issue severity: Low
Business impact: Low
Issue description: The new Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via an HTTP header.
Recommendations: Add Content-Security-Policy support to the target application.
References:
• https://www.owasp.org/index.php/List_of_useful_HTTP_headers
• http://content-security-policy.com/

Lack of X-XSS-Protection
Issue severity: Low
Business impact: Low
Issue description: To improve the security of your site against some types of cross-site scripting (XSS) attacks, it is recommended that you add the following header to your site:
X-XSS-Protection: 1; mode=block
Recommendations: Add the X-XSS-Protection header to the target application.
Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Findings for Client server

No brute-force protection
Issue severity: Medium
Business impact: Medium
Issue description: https://Client.com/#/login
The application allows an attacker to brute-force passwords against the Control Center application. Neither the account nor the attacker's IP address is blocked for some period of time. A more advanced solution to stop brute-force attacks is to use a captcha. It should be generated in case of brute-force, after 5 unsuccessful login attempts.
Proof of vulnerability: [screenshot]
Recommendations: Enable captcha for blocking brute-force. This will ensure that the request will fail during automated attacks.
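Both brute-force findings in this report (the SaaS login form above under "Password bruteforce is possible" and the Control Center login here) carry the same set of recommendations: lock the username for a growing period after repeated failures, up to the 24-hour ceiling, count failures per source IP, and require a captcha once that count is exceeded. The following Python is an added example, not code from either audited application, wiring those controls around a login handler; the thresholds are assumed values and `login` is a hypothetical flow in which the password check itself is not shown.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, Tuple

# Added example, not the audited application's code. Implements the recommendations of
# both brute-force findings: a temporary lock on the username after repeated failures
# whose length grows exponentially up to a 24-hour cap, a per-source-IP failure counter
# that switches on a captcha requirement, and a clean reset on success. Thresholds are assumed.
FAILURES_BEFORE_LOCK = 3       # assumed
BASE_DELAY_SECONDS = 2         # assumed: first lock length
MAX_DELAY_SECONDS = 24 * 3600  # cap from the report's recommendation
IP_CAPTCHA_THRESHOLD = 5       # the server finding suggests a captcha after 5 failed attempts


class LoginThrottle:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                                  # injectable for testing
        self._user_failures: Dict[str, int] = defaultdict(int)
        self._user_locked_until: Dict[str, float] = {}
        self._ip_failures: Dict[str, int] = defaultdict(int)

    def check(self, username: str, ip: str) -> Tuple[bool, str, bool]:
        """Call before verifying the password. Returns (allowed, reason, captcha_required).

        The reason text is the same whether or not the username exists, so the lock itself
        does not become a username oracle.
        """
        now = self._clock()
        until = self._user_locked_until.get(username, 0.0)
        if now < until:
            return False, "too many attempts, try again later", True
        return True, "", self._ip_failures[ip] >= IP_CAPTCHA_THRESHOLD

    def record(self, username: str, ip: str, success: bool) -> None:
        """Call after the password check with its outcome."""
        if success:
            self._user_failures.pop(username, None)
            self._user_locked_until.pop(username, None)
            return                                           # the IP counter is deliberately kept
        self._user_failures[username] += 1
        self._ip_failures[ip] += 1
        n = self._user_failures[username]
        if n >= FAILURES_BEFORE_LOCK:
            delay = min(BASE_DELAY_SECONDS * 2 ** (n - FAILURES_BEFORE_LOCK), MAX_DELAY_SECONDS)
            self._user_locked_until[username] = self._clock() + delay

    def lock_remaining(self, username: str) -> float:
        """Seconds left on the username lock (0 when not locked)."""
        return max(0.0, self._user_locked_until.get(username, 0.0) - self._clock())


def login(throttle: LoginThrottle, username: str, ip: str, password_ok: bool, captcha_ok: bool = False) -> Tuple[bool, str]:
    """Hypothetical login flow wiring the throttle around the (not shown) password check."""
    allowed, reason, needs_captcha = throttle.check(username, ip)
    if not allowed:
        return False, reason
    if needs_captcha and not captcha_ok:
        return False, "captcha required"
    throttle.record(username, ip, password_ok)
    return (True, "ok") if password_ok else (False, "invalid credentials")
```

The lock lengths double with every further failure (2, 4, 8 seconds and so on) until the cap, which is the exponential back-off the SaaS finding asks for; a successful login clears the per-user state but not the per-IP count, so a source that has already tripped the threshold keeps needing a captcha.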
Using components with known vulnerabilities
Issue severity: Medium
Business impact: Medium
Issue description: https://Client.com/#/login
CWE-937: OWASP Top Ten 2013 Category A9:
1. Vulnerability details: CVE-2014-4326
Logstash 1.4.2 and prior versions are vulnerable to a directory traversal attack that allows an attacker to overwrite files on the server running Logstash.
2. Vulnerability details: CVE-2015-4152
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs.
https://packetstormsecurity.com/files/132233/Logstash-1.4.2-Directory-Traversal.html

CVSS score: 7.5
Confidentiality impact: Partial (There is a considerable informational disclosure.)
Integrity impact: Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.)
Availability impact: Partial (There is reduced performance or interruptions in resource availability.)
Access complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit.)
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
Gained access: None
Vulnerability type(s): Execute code

Proof of vulnerability
curl -i -s -k -X 'GET' \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0' -H 'Referer: https://Client.com/static/logview/' \
  -b 'token=ZSQw9+6f6lZlVxi5XWI0nSyP6qy0uTN62IKVbvK3qJw=;username=pentest' \
  'https://Client.com/api/***/elastic/***

Recommendations: Users that currently use the file output plugin or may use it in the future should upgrade to 1.5.0 or 1.4.3. This will address the vulnerability and preserve file output functionality. Users that do not want to upgrade can address the vulnerability by disabling the file output plugin.
Information leakage
Issue severity: Info
Business impact: Info
Issue description: https://Client.com/#/login
An information leak is the intentional or unintentional disclosure of information that either (1) is regarded as sensitive within the product's own functionality, such as a private message, or (2) provides information about the product or its environment that could be useful in an attack but is normally not available to the attacker, such as the installation path of a product that is remotely accessible.
Many information leaks are resultant (for example, path disclosure in a PHP script error), but they can also be primary (for example, timing discrepancies in crypto). There are many different types of problems that involve information leaks. Their severity can range widely depending on the type of information that is leaked.
Proof of vulnerability
Responses with sensitive info in the template: [screenshot]
Recommendations: Ensure that templates returned to the client do not contain sensitive information, which may be useful for an attacker.

HSTS missing from HTTPS server
Issue severity: Medium
Business impact: Medium
Issue description: The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). The lack of HSTS allows downgrade attacks and SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
Recommendations: Configure the remote web server to use HSTS.
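Four findings in this report are response-header controls: X-Frame-Options (clickjacking), Content-Security-Policy, X-XSS-Protection in the SaaS section, and Strict-Transport-Security here. The following Python is an added example, not code from either audited system: it audits a response's headers for those four controls and merges in a hardened set where they are absent. The policy values and the one-year HSTS max-age are assumptions, not figures from the report; the sample response headers are constructed.

```python
from typing import Dict, List, Optional

# Added example, not the audited application's code: audit a response's headers for the
# four controls flagged in this report (X-Frame-Options for clickjacking, Content-Security-
# Policy, X-XSS-Protection, and Strict-Transport-Security) and build the hardened set.
# The policy values and the one-year HSTS max-age are assumptions, not taken from the report.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-XSS-Protection": "1; mode=block",
}


def parse_hsts_max_age(value: str) -> Optional[int]:
    """Extract max-age from an HSTS header value; None if absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_headers(headers: Dict[str, str], over_https: bool = True) -> List[str]:
    """Return the list of missing or weak controls (empty when all four are in place)."""
    h = {k.lower(): v for k, v in headers.items()}    # header names are case-insensitive
    findings = []
    if over_https:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("HSTS missing")
        elif not parse_hsts_max_age(hsts):
            findings.append("HSTS max-age missing or zero (policy disabled)")
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if not csp:
        findings.append("Content-Security-Policy missing")
    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection not '1; mode=block'")
    return findings


def with_hardened_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Add any of the four headers that the response does not already set (existing values win)."""
    present = {k.lower() for k in headers}
    merged = dict(headers)
    for name, value in HARDENED_HEADERS.items():
        if name.lower() not in present:
            merged[name] = value
    return merged


# Constructed sample: a response carrying none of the controls, as the report describes.
SAMPLE_RESPONSE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Connection": "close"}
```

`with_hardened_headers` keeps an existing value on purpose: an application that already sends `X-Frame-Options: SAMEORIGIN` because it frames its own pages should not have that silently replaced by `DENY`.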
Appendix A: Covered test cases according to OWASP ASVS Level 1
# Category Detail Level1
1.1 V1.Architecture,design,
andthreatmodelling
Verifythatalltheneededapplicationcomponentsare
identifiedandareknown.
Covered
2.1 V2:Authentication
VerificationRequirements
Verifythatallpagesandresourcesbydefaultrequire
authenticationexceptthosespecificallyintendedtobe
public(principleofcompletemediation).
Covered
2.2 V2:Authentication
VerificationRequirements
Verifythatallpasswordfieldsdonotechotheuser’s
passwordwhenitisentered.
Covered
2.4 V2:Authentication
VerificationRequirements
Verifythatallauthenticationcontrolsareenforcedon
theserverside.
Covered
2.6 V2:Authentication
VerificationRequirements
Verifythatallauthenticationcontrolsfailsecurelyto
ensureattackerscannotlogin.
Covered
2.7 V2:Authentication
VerificationRequirements
Verifythatpasswordentryfieldsalloworencourage
theuseofpassphrases,anddonotpreventlong
passphrases/highlycomplexpasswordsfrombeing
entered.
Covered
2.8 V2:Authentication
VerificationRequirements
Verifyallaccountidentityauthenticationfunctions
(suchasupdateprofile,forgotpassword,disabled/lost
token,helpdeskorIVR)thatmightregainaccesstothe
accountareatleastasresistanttoattackastheprimary
authenticationmechanism.
Covered
2.9 V2:Authentication
VerificationRequirements
Verifythatthechangepasswordfunctionalityincludes
theoldpassword,thenewpassword,andapassword
confirmation.
Covered
2.16 V2:Authentication
VerificationRequirements
Verifythatcredentialsaretransportedusingasuitable
encryptedlinkandthatallpages/functionsthatrequire
ausertoentercredentialsaredonesousingan
encryptedlink.
Covered
2.17 V2:Authentication
VerificationRequirements
Verifythattheforgottenpasswordfunctionandother
recoverypathsdonotrevealthecurrentpasswordand
thatthenewpasswordisnotsentincleartexttothe
user.
Covered
2.18 V2:Authentication
VerificationRequirements
Verifythatinformationenumerationisnotpossiblevia
login,passwordreset,orforgotaccountfunctionality.
Covered
UnderDefenseConfidential 29
# Category Detail Level1
2.19 V2:Authentication
VerificationRequirements
Verifythattherearenodefaultpasswordsinusefor
theapplicationframeworkoranycomponentsusedby
theapplication(suchas“admin/password”).
Covered
2.20 V2:Authentication
VerificationRequirements
Verifythatrequestthrottlingisinplacetoprevent
automatedattacksagainstcommonauthentication
attackssuchasbrute-forceattacksordenialofservice
attacks.
Covered
2.22 V2:Authentication
VerificationRequirements
Verifythatforgottenpasswordandotherrecovery
pathsuseasofttoken,mobilepush,oranoffline
recoverymechanism.
Covered
2.24 V2:Authentication
VerificationRequirements
Verifythatifknowledge-basedquestions(alsoknown
as"secretquestions")arerequired,thequestions
shouldbestrongenoughtoprotecttheapplication.
Covered
2.27 V2:Authentication
VerificationRequirements
Verifythatmeasuresareinplacetoblocktheuseof
commonlychosenpasswordsandweakpassphrases.
Covered
2.30 V2:Authentication
VerificationRequirements
Verifythatifanapplicationallowsusersto
authenticate,theyuseaprovensecureauthentication
mechanism.
Covered
2.32 V2:Authentication
VerificationRequirements
Verifythatadministrativeinterfacesarenotaccessible
tountrustedparties.
Covered
3.1 V3:SessionManagement
VerificationRequirements
Verifythatthereisnocustomsessionmanagerorthat
acustomsessionmanagerisresistantagainstall
commonsessionmanagementattacks.
Covered
3.2 V3:SessionManagement
VerificationRequirements
Verifythatsessionsareinvalidatedwhentheuserlogs
out.
Covered
3.3 V3:SessionManagement
VerificationRequirements
Verifythatsessionstimeoutafteraspecifiedperiodof
inactivity.
Covered
3.5 V3:SessionManagement
VerificationRequirements
Verifythatallpagesthatrequireauthenticationhave
easyandvisibleaccesstologoutfunctionality.
Covered
3.6 V3:SessionManagement
VerificationRequirements
VerifythatthesessionidisneverdisclosedinURLs,
errormessages,orlogs.Thisincludesverifyingthatthe
applicationdoesnotsupportURLrewritingofsession
cookies.
Covered
3.7 V3:SessionManagement
VerificationRequirements
Verifythatallsuccessfulauthenticationandre-
authenticationgeneratesanewsessionandsessionid.
Covered
UnderDefense Confidential 30
| # | Category | Detail | Level 1 |
|---|---|---|---|
| 3.12 | V3: Session Management Verification Requirements | Verify that session ids stored in cookies have their path set to an appropriately restrictive value for the application, and authentication session tokens additionally set the "HttpOnly" and "secure" attributes. | Covered |
| 3.16 | V3: Session Management Verification Requirements | Verify that the application limits the number of active concurrent sessions. | Covered |
| 3.17 | V3: Session Management Verification Requirements | Verify that an active session list is displayed in the account profile or similar of each user. The user should be able to terminate any active session. | Covered |
| 3.18 | V3: Session Management Verification Requirements | Verify that the user is prompted with the option to terminate all other active sessions after a successful change password process. | Covered |
| 4.1 | V4: Access Control Verification Requirements | Verify that the principle of least privilege exists: users should only be able to access functions, data files, URLs, controllers, services, and other resources for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. | Covered |
| 4.4 | V4: Access Control Verification Requirements | Verify that access to sensitive records is protected, such that only authorized objects or data is accessible to each user (for example, protect against users tampering with a parameter to see or alter another user's account). | Covered |
| 4.5 | V4: Access Control Verification Requirements | Verify that directory browsing is disabled unless deliberately desired. Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git, or .svn folders. | Covered |
| 4.8 | V4: Access Control Verification Requirements | Verify that access controls fail securely. | Covered |
| 4.9 | V4: Access Control Verification Requirements | Verify that the same access control rules implied by the presentation layer are enforced on the server side. | Covered |
| 4.13 | V4: Access Control Verification Requirements | Verify that the application or framework uses strong random anti-CSRF tokens or has another transaction protection mechanism. | Covered |
| 4.16 | V4: Access Control Verification Requirements | Verify that the application correctly enforces context-sensitive authorization so as to not allow unauthorized manipulation by means of parameter tampering. | Covered |
| 5.1 | V5: Malicious Input Handling Verification Requirements | Verify that the runtime environment is not susceptible to buffer overflows, or that security controls prevent buffer overflows. | Covered |
| 5.3 | V5: Malicious Input Handling Verification Requirements | Verify that server-side input validation failures result in request rejection and are logged. | Covered |
| 5.5 | V5: Malicious Input Handling Verification Requirements | Verify that input validation routines are enforced on the server side. | Covered |
| 5.10 | V5: Malicious Input Handling Verification Requirements | Verify that all SQL queries, HQL, OSQL, NOSQL and stored procedures (including calls to stored procedures) are protected by the use of prepared statements or query parameterization and are thus not susceptible to SQL injection. | Covered |
| 5.11 | V5: Malicious Input Handling Verification Requirements | Verify that the application is not susceptible to LDAP Injection, or that security controls prevent LDAP Injection. | Covered |
| 5.12 | V5: Malicious Input Handling Verification Requirements | Verify that the application is not susceptible to OS Command Injection, or that security controls prevent OS Command Injection. | Covered |
| 5.13 | V5: Malicious Input Handling Verification Requirements | Verify that the application is not susceptible to Remote File Inclusion (RFI) or Local File Inclusion (LFI) when content that is a path to a file is used. | Covered |
| 5.14 | V5: Malicious Input Handling Verification Requirements | Verify that the application is not susceptible to common XML attacks, such as XPath query tampering, XML External Entity attacks, and XML injection attacks. | Covered |
| 5.15 | V5: Malicious Input Handling Verification Requirements | Ensure that all string variables placed into HTML or other web client code are either properly contextually encoded manually, or use templates that automatically encode contextually, to ensure the application is not susceptible to reflected, stored and DOM Cross-Site Scripting (XSS) attacks. | Covered |
| 5.22 | V5: Malicious Input Handling Verification Requirements | Make sure untrusted HTML from WYSIWYG editors or similar is properly sanitized with an HTML sanitizer and handled appropriately according to the input validation and encoding tasks. | Covered |
| 7.2 | V7: Cryptography at Rest Verification Requirements | Verify that all cryptographic modules fail securely, and errors are handled in a way that does not enable padding oracle attacks. | Covered |
| 7.7 | V7: Cryptography at Rest Verification Requirements | Verify that cryptographic algorithms used by the application have been validated against FIPS 140-2 or an equivalent standard. | Covered |
| 8.1 | V8: Error Handling and Logging Verification Requirements | Verify that the application does not output error messages or stack traces containing sensitive data that could assist an attacker, including session id, software/framework versions and personal information. | Covered |
| 9.1 | V9: Data Protection Verification Requirements | Verify that all forms containing sensitive information have disabled client-side caching, including autocomplete features. | Covered |
| 9.3 | V9: Data Protection Verification Requirements | Verify that all sensitive data is sent to the server in the HTTP message body or headers (i.e., URL parameters are never used to send sensitive data). | Covered |
| 9.4 | V9: Data Protection Verification Requirements | Verify that the application sets appropriate anti-caching headers as per the risk of the application, such as the following: `Expires: Tue, 03 Jul 2001 06:00:00 GMT`, `Last-Modified: {now} GMT`, `Cache-Control: no-store, no-cache, must-revalidate, max-age=0`, `Cache-Control: post-check=0, pre-check=0`, `Pragma: no-cache`. | Covered |
| 9.9 | V9: Data Protection Verification Requirements | Verify that data stored in client-side storage (such as HTML5 local storage, session storage, IndexedDB, regular cookies or Flash cookies) does not contain sensitive data or PII. | Covered |
| 10.1 | V10: Communications Security Verification Requirements | Verify that a path can be built from a trusted CA to each Transport Layer Security (TLS) server certificate, and that each server certificate is valid. | Covered |
| 10.3 | V10: Communications Security Verification Requirements | Verify that TLS is used for all connections (including both external and backend connections) that are authenticated or that involve sensitive data or functions, and does not fall back to insecure or unencrypted protocols. Ensure the strongest alternative is the preferred algorithm. | Covered |
| 10.11 | V10: Communications Security Verification Requirements | Verify that HTTP Strict Transport Security headers are included on all requests and for all subdomains, such as `Strict-Transport-Security: max-age=15724800; includeSubdomains`. | Covered |
| 10.13 | V10: Communications Security Verification Requirements | Ensure forward secrecy ciphers are in use to mitigate passive attackers recording traffic. | Covered |
| 10.14 | V10: Communications Security Verification Requirements | Verify that proper certificate revocation checking, such as Online Certificate Status Protocol (OCSP) stapling, is enabled and configured. | Covered |
| 10.15 | V10: Communications Security Verification Requirements | Verify that only strong algorithms, ciphers, and protocols are used, through all the certificate hierarchy, including root and intermediary certificates of your selected certifying authority. | Covered |
| 10.16 | V10: Communications Security Verification Requirements | Verify that the TLS settings are in line with current leading practice, particularly as common configurations, ciphers, and algorithms become insecure. | Covered |
| 11.1 | V11: HTTP Security Configuration Verification Requirements | Verify that the application accepts only a defined set of required HTTP request methods, such as GET and POST, and that unused methods (for example, TRACE, PUT, and DELETE) are explicitly blocked. | Covered |
| 11.2 | V11: HTTP Security Configuration Verification Requirements | Verify that every HTTP response contains a content type header specifying a safe character set (for example, UTF-8, ISO 8859-1). | Covered |
| 11.5 | V11: HTTP Security Configuration Verification Requirements | Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of system components. | Covered |
| 11.6 | V11: HTTP Security Configuration Verification Requirements | Verify that all API responses contain `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment; filename="api.json"` (or another appropriate filename for the content type). | Covered |
| 11.7 | V11: HTTP Security Configuration Verification Requirements | Verify that the Content Security Policy V2 (CSP) is in use in a way that either disables inline JavaScript or provides an integrity check on inline JavaScript with CSP noncing or hashing. | Covered |
| 11.8 | V11: HTTP Security Configuration Verification Requirements | Verify that the `X-XSS-Protection: 1; mode=block` header is in place. | Covered |
| 16.1 | V16: Files and Resources Verification Requirements | Verify that URL redirects and forwards only allow whitelisted destinations, or show a warning when redirecting to potentially untrusted content. | Covered |
| 16.2 | V16: Files and Resources Verification Requirements | Verify that untrusted file data submitted to the application is not used directly with file I/O commands, particularly to protect against path traversal, local file include, file MIME type, and OS command injection vulnerabilities. | Covered |
| 16.3 | V16: Files and Resources Verification Requirements | Verify that files obtained from untrusted sources are validated to be of the expected type and scanned by antivirus scanners to prevent upload of known malicious content. | Covered |
| 16.4 | V16: Files and Resources Verification Requirements | Verify that untrusted data is not used within inclusion, class loader, or reflection capabilities, to prevent remote/local file inclusion vulnerabilities. | Covered |
| 16.5 | V16: Files and Resources Verification Requirements | Verify that untrusted data is not used within cross-origin resource sharing (CORS) to protect against arbitrary remote content. | Covered |
| 16.8 | V16: Files and Resources Verification Requirements | Verify the application code does not execute uploaded data obtained from untrusted sources. | Covered |
| 16.9 | V16: Files and Resources Verification Requirements | Do not use Flash, ActiveX, Silverlight, NaCl, client-side Java or other client-side technologies not supported natively via W3C browser standards. | Covered |
| 17.1 | V17: Mobile Verification Requirements | Verify that ID values stored on the device and retrievable by other applications, such as the UDID or IMEI number, are not used as authentication tokens. | Covered |
| 17.2 | V17: Mobile Verification Requirements | Verify that the mobile app does not store sensitive data onto potentially unencrypted shared resources on the device (for example, SD card or shared folders). | Covered |
| 17.3 | V17: Mobile Verification Requirements | Verify that sensitive data is not stored unprotected on the device, even in system-protected areas such as key chains. | Covered |
| 17.7 | V17: Mobile Verification Requirements | Verify that the application's sensitive code is laid out unpredictably in memory (for example, ASLR). | Covered |
| 17.9 | V17: Mobile Verification Requirements | Verify that the app does not export sensitive activities, intents, content providers, and so on for other mobile apps on the same device to exploit. | Covered |
| 17.11 | V17: Mobile Verification Requirements | Verify that the app's exposed activities, intents, content providers, and others validate all inputs. | Covered |
| 18.1 | V18: Web Services Verification Requirements | Verify that the same encoding style is used between the client and the server. | Covered |
| 18.2 | V18: Web Services Verification Requirements | Verify that access to administration and management functions within the Web Service Application is limited to web service administrators. | Covered |
| 18.3 | V18: Web Services Verification Requirements | Verify that an XML or JSON schema is in place and verified before accepting input. | Covered |
| 18.4 | V18: Web Services Verification Requirements | Verify that all input is limited to an appropriate size limit. | Covered |
| 18.5 | V18: Web Services Verification Requirements | Verify that SOAP-based web services are compliant with Web Services-Interoperability (WS-I) Basic Profile at minimum. | Covered |
| 18.6 | V18: Web Services Verification Requirements | Verify the use of session-based authentication and authorization. Avoid the use of static "API keys" and similar. | Covered |
| 18.7 | V18: Web Services Verification Requirements | Verify that the REST service is protected from Cross-Site Request Forgery. | Covered |
| 19.1 | V19: Configuration | All components should be up to date with proper security configuration(s) and version(s). This should include removal of unneeded configurations and folders such as sample applications, platform documentation, and default or example users. | Covered |
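Added example, not code from the UnderDefense report or from OWASP: a small Python checker that scores a response header set against the header-related rows in the table above (9.4 anti-caching, 10.11 HSTS, 11.2 charset, 11.5 version disclosure, 11.6 nosniff and Content-Disposition on API responses, 11.8 X-XSS-Protection). The two sample responses are constructed, and the 11.5 check is a heuristic that only flags dotted version numbers in the listed headers.

```python
import re
# Response headers that should not carry product/version detail (ASVS 11.5).
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

def _tokens(value):
    """Split a comma-separated header value into lowercase directives."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def check_headers(headers, api_response=False):
    """Map the header-related ASVS L1 ids to pass/fail; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    r = {}
    # 9.4: anti-caching directives on responses that may carry sensitive data.
    r["9.4"] = ({"no-store", "no-cache"} <= _tokens(h.get("cache-control", ""))
                and "no-cache" in _tokens(h.get("pragma", "")))
    # 10.11: HSTS with a positive max-age that also covers subdomains.
    hsts = h.get("strict-transport-security", "").lower()
    m = re.search(r"max-age=(\d+)", hsts)
    r["10.11"] = bool(m) and int(m.group(1)) > 0 and "includesubdomains" in hsts
    # 11.2: Content-Type names one of the safe character sets from the requirement.
    r["11.2"] = bool(re.search(r"charset=(utf-8|iso-?8859-1)", h.get("content-type", ""), re.I))
    # 11.5: no dotted version numbers in product-identifying headers (heuristic).
    r["11.5"] = not any(re.search(r"\d+\.\d+", h.get(n, "")) for n in VERSION_HEADERS)
    # 11.6: nosniff always; API responses must additionally force a download.
    disp = h.get("content-disposition", "").lower().startswith("attachment")
    r["11.6"] = (h.get("x-content-type-options", "").strip().lower() == "nosniff"
                 and (disp or not api_response))
    # 11.8: legacy XSS filter header, exactly as the requirement words it.
    r["11.8"] = h.get("x-xss-protection", "").replace(" ", "").lower() == "1;mode=block"
    return r

def failed(headers, api_response=False):
    """ASVS ids the response fails, in requirement order, for the findings table."""
    bad = [k for k, ok in check_headers(headers, api_response).items() if not ok]
    return sorted(bad, key=lambda k: tuple(int(p) for p in k.split(".")))

# Constructed samples: a weak API response beside a hardened one.
WEAK = {"Server": "nginx/1.10.3", "Content-Type": "application/json",
        "Cache-Control": "public, max-age=3600"}
HARDENED = {
    "Server": "nginx", "Content-Type": "application/json; charset=utf-8",
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache", "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=15724800; includeSubdomains",
    "Content-Disposition": 'attachment; filename="api.json"',
    "X-XSS-Protection": "1; mode=block",
}
if __name__ == "__main__":
    print("weak fails:", failed(WEAK, api_response=True))          # all six ids
    print("hardened fails:", failed(HARDENED, api_response=True))  # []
```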