Security Testing Report Hitachi Application Q1 Sep 2015
Post on 16-Apr-2017
Security Testing Report 1 of 13
Security Testing Report of Ignify Application
Q1-2015-16
Application Name           Start Date    End Date      Report Date
Ignify Web Applications    22-Sep-2015   28-Sep-2015   29-Sep-2015
Copyright © 2013 by SPAN InfoTech (India) Pvt. Ltd. All rights reserved. The contents of this document are protected
by copyright law and international treaties. The reproduction or distribution of the document, or any portion
thereof, in any form or by any means without the prior written permission of SPAN InfoTech (India) Pvt. Ltd. is prohibited.
TABLE OF CONTENTS
1 INTRODUCTION AND OBJECTIVE
2 DETAILS OF TARGET UNDER VERIFICATION
3 SCOPE
  3.1 In Scope
  3.2 Out of Scope
4 TECHNICAL APPROACH AND METHODOLOGY
PART A – Executive Report
5 EXECUTIVE SUMMARY
  5.1 Risk Statistics
  5.2 Application Security Confidence Level
PART B – Vulnerability Report
6 RISKS/VULNERABILITIES
7 STATUS TRACKER
  7.1 Application Vulnerability Status – Q1 Phase
8 CONCLUSION
1 Introduction and Objective
The objective of this report is to provide details of the security testing conducted for the Ignify application
during Phase 1 of the subscription period 2015-16. The report also contains possible
recommendations/mitigation plans to overcome the identified vulnerabilities. The tests were conducted
for the Ignify application based on the scope defined in the Statement of Work document.
2 Details of Target Under Verification
Target Under Test    Ignify Application
Target URL/IP        Store Front application: http://ecom7.ignify.net
                     Manager Panel application: https://ecommanager.ignify.net
About Target         Ignify is an e-commerce application for purchasing a range of apparel online
Test Type            Application Security Automated Scanning
3 Scope
This section provides the details of the scope of the project.
3.1 In Scope
- Automated security testing of the Ignify application
  o Store Front application
  o Manager Panel application
- Detailed reporting of the vulnerabilities identified, with their possible impacts and countermeasures
- Re-testing of previously identified vulnerabilities
3.2 Out of Scope
- Hardening of the servers and of the application under test, and fixing the identified vulnerabilities
- Forensic investigation of any security incidents
- Functional testing and performance testing of the application
- Infrastructure penetration testing
- Component-level web service security testing
4 Technical Approach and Methodology
SPAN’s security testing methodology is modeled on the OWASP ASVS guidelines and the Common Attack Pattern
Enumeration and Classification (CAPEC). Outlined below is the high-level approach followed for conducting
security tests.
Information Gathering: The first phase of security testing. In this phase, the test team makes an effort to
understand the target system in order to engage it properly. This phase provides most of the data required
for the overall security testing.
Vulnerability Assessment: The objective of this phase is to uncover all possible vulnerabilities in the target
under test. This is accomplished with a set of automated tools together with the skills, expertise and experience
of the security test engineers.
Penetration Testing: The target system is attacked or exploited manually with the information gathered in the
previous phases, in order to confirm the identified vulnerabilities and to uncover vulnerabilities that are not
covered by the automated scan.
Security Test Reporting: A security test report is produced listing all the identified vulnerabilities with their
implications and countermeasures.
[Figure: Security testing phases – Information Gathering, Vulnerability Assessment, Penetration Testing, Security Test Reporting]
PART A – Executive Report
5 Executive Summary
5.1 Risk Statistics
This section provides information about the overall statistics of the vulnerabilities identified during Ignify
application testing.
A. Application Penetration Testing - Risk Statistics (Q1-2015-16)
Risk Level   Number of Vulnerabilities
High         0
Medium       0
Low          0
Total        0
[Chart: Vulnerability Statistics – Number of Vulnerabilities (y-axis, 0–1) by Severity (High, Medium, Low)]
5.2 Application Security Confidence Level
The table below describes the confidence level assigned to the target system under test after
security testing.
Security level      Confidence level   Criteria Description
Secure              A                  No high severity or medium severity vulnerabilities were identified, and there is
                                       clear recognition of asset and threat likelihood in the defense measures taken.
                                       No low severity vulnerabilities, or the identified low severity vulnerabilities do
                                       not have any impact on the business.
Moderately Secure   B                  No or few high severity vulnerabilities, associated with less critically important
                                       assets and without any serious impact.
                                       (The number of vulnerabilities and the impact they can have on the critical
                                       assets must be assessed in context.)
Marginally Secure   C                  High severity or medium severity vulnerabilities identified that could be exploited
                                       to compromise medium critically important assets of the application.
                                       (The number of vulnerabilities and the impact they can have on the critical
                                       assets must be assessed in context.)
Unsecured           D                  High severity vulnerabilities associated with critically important assets, with a
                                       more serious impact on the business.
                                       (The number of vulnerabilities and the impact they can have on the critical
                                       assets must be assessed in context.)
The table below describes the priority levels.
Priority   Priority Description
High       - Vulnerabilities that affect the business (e.g. cross-site scripting and cross-site request forgery)
           - Information disclosed is sensitive and may be used to plan other attacks (e.g. user credentials
             and session details)
           - Likelihood of attack is high
Medium     - Likelihood of attack is medium and a higher skill level is needed to frame the attack (e.g. cookie
             details, validation bypass)
           - Impact on the business logic is medium
           - Information disclosed is sensitive and may be used to plan other attacks
Low        - Likelihood of attack is low and a higher skill level is needed to frame the attack
           - No impact on the business
The confidence level is decided based on the criteria described in the table above. The table below lists the
overall vulnerabilities identified during application penetration testing with status Open/New/Re-Open.
Application Under Test   Security level   Confidence Level   Vulnerability Details (High / Medium / Low*)
Ignify - Manager         Secure           A                  0 / 0 / 0
Ignify - WebStore        Secure           A                  0 / 0 / 0
*Weak password policy (Low) vulnerability is applicable for both
PART B – Vulnerability Report
6 Risks/Vulnerabilities
The section below provides detailed information about all the identified vulnerabilities and the countermeasures
for the target under test.
Vulnerability No-01   Store Portal   http://ecom7.ignify.net/
H-001 – Content Spoofing (Text Injection) – ‘hdnDisplayType’ Parameter
Risk Severity   Risk Impact   Risk Likelihood   Ease of Discovery   Technical Impact Factors
High            High          Medium            Moderate            Loss of Integrity
Vulnerability Details
Content Spoofing (Text Injection) – ‘hdnDisplayType’ Parameter
Content spoofing, also referred to as content injection or virtual defacement, is an attack targeting a user, made
possible by an injection vulnerability in a web application. When an application does not properly handle user-
supplied data, an attacker can supply content to the web application, typically via a parameter value.
Steps to Reproduce:
1. Log in to the Ignify store with valid credentials.
2. In the POST request below, the hdnDisplayType parameter is vulnerable to HTML injection:
POST /widgetscategory/gethtml_productlist/1180/html_productlist/150X177?filter=1180&search=&type=q&keywordoption=&cid=0&fltrdesc=&ppp=9&discountid=&pn=1&newarrivaldays=30 HTTP/1.1
Host: ecom7.ignify.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://ecom7.ignify.net/category/1180/athletic-gear
Content-Length: 249
Cookie: __utma=109913745.1962255331.1432625157.1432625157.1432625157.1; __utmb=109913745.11.10.1432625157; __utmc=109913745; __utmz=109913745.1432625157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Ignify_Nav=PDCacheKey_5%3DBEST-SELLER-PRODUCTS-SESSION-KEY%5EPDPrevNextReffer_5%3Dhttp%3A//ecom7.ignify.net/search/denim%3Ffilter%3D%26search%3Ddenim%26type%3Dq%26keywordoption%3DANY%26cid%3D0%26fltrdesc%3D%5ECurrentPDReferrer_5%3Dhttp%3A//ecom7.ignify.net/search/denim%3Ffilter%3D%26search%3Ddenim%26type%3Dq%26keywordoption%3DANY%26cid%3D0%26fltrdesc%3D%5E; WebStore_SessionId=thbrzrkjhobmkpe0k0cbhp3n; userdata=e5c362af-62a0-49a0-841b-ad794907d1c4; __utmt=1; Ignify.eCommerce=9CF008C2998126F461C25A08DD261874B555C8EFFFDED2A6DD187A932D6BF8626C02C5AD1D6CDED550C9B5297EF297FF2867DAA5C6B063D57C65FFAA9C2BBD776DED5D5EF948A3DECBEC60A974EBE85CE8AA79F1DA731C0565E9E2A5DAFB04EFFE895D00DA7CE05CA46CDFBB9FD6B9755736D3D64E98A5813168E195E3DF7B054514CF7A
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

hdnSelectedVal=&hdnFromPrice=7.98&hdnToPrice=87.80&hdnIsQuickMenuVisible=&hdnCurrentProductIds=&hdnFilter=1180&hdndiscountid=&hdnDisplayType=grid30479'"){z}else{x}});/*]]>*/;TESTERWASHERE;&hdnSortType=SELLERRECOMMENDATION&hdnSortTypeClicked=false
Note: Observe that the JavaScript is executed and an alert box appears. The provided XSS payload is only an
example; the issue could be exploited using maliciously crafted scripts.
Impact
1. An attacker can inject malicious content in the application through browser
2. Threat to Integrity of the application
3. Content Manipulation
Countermeasure/Recommendations
1. Filter meta characters ("special" characters) and validate user input to prevent unintended changes
in the application
2. The web server should ensure that the generated pages are properly encoded to prevent unintended execution
of scripts
3. Apply attribute escaping before inserting untrusted data into HTML common attributes
Remarks:
Reference:
https://www.owasp.org/index.php/Content_Spoofing
Re-testing status: Fixed and Closed
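Countermeasures 2 and 3 above (encode generated pages; attribute-escape before inserting untrusted data) in working form, as an added Python example written for this page. It is not code from the report or from the Ignify application: the function names, the inline-script layout and the assumption that hdnDisplayType is reflected both into a hidden form field and into an inline script are illustrative. The only page value used is the shape of the reported hdnDisplayType payload, used here purely as test input for the encoders.

```python
import html
import json

# Constructed test input: the value shape recorded in the report's POST body for
# hdnDisplayType (quotes, braces and a CDATA terminator). Used here only as data.
REPORTED_PAYLOAD = "grid30479'\"){z}else{x}});/*]]>*/;TESTERWASHERE;"


def render_hidden_input_unsafe(name, value):
    """The failure mode behind the finding: untrusted data concatenated straight
    into an attribute. A quote in `value` ends the attribute early."""
    return '<input type="hidden" name="%s" value="%s">' % (name, value)


def render_hidden_input(name, value):
    """Attribute escaping before inserting untrusted data into an HTML attribute.
    html.escape(quote=True) encodes & < > " and ', so the value can neither end
    the attribute nor start a tag; the browser still submits the original value."""
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True),
        html.escape(value, quote=True),
    )


def js_string_literal(value):
    """Encoding for a JavaScript string context: json.dumps escapes quotes and
    backslashes; encoding < and > on top guarantees the literal can never contain
    '</script>' or the CDATA terminator ']]>' that the reported payload relies on."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e")


def js_literal_roundtrip(value):
    """Sanity check: the encoded literal still decodes to the original value."""
    return json.loads(js_string_literal(value)) == value


def render_display_type_script(display_type):
    """Hypothetical inline script that hands the display type to client code.
    The untrusted value only ever appears inside a fully encoded string literal."""
    script = "<script>//<![CDATA[\nvar displayType = {};\n//]]></script>"
    return script.format(js_string_literal(display_type))


def breaks_out(rendered_fragment, raw_value):
    """Detection helper for a code review or unit test: True if the raw, unencoded
    value survived into the generated markup, i.e. encoding was skipped."""
    return raw_value in rendered_fragment


if __name__ == "__main__":
    print(render_hidden_input_unsafe("hdnDisplayType", REPORTED_PAYLOAD))
    print(render_hidden_input("hdnDisplayType", REPORTED_PAYLOAD))
    print(render_display_type_script(REPORTED_PAYLOAD))
```

The point of the two encoders is that the encoding must match the context the value lands in: an attribute needs entity encoding, an inline script needs a string literal in which `<`, `>` and quotes are all escaped, because the reported payload works by terminating the CDATA block and the surrounding script statement rather than by injecting a tag.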
Vulnerability No-02   Store/Manager Portal   http://ecom7.ignify.net/ & https://ecommanager.ignify.net
L-001 – Sensitive information disclosure
Risk Severity   Risk Impact   Risk Likelihood   Ease of Discovery   Technical Impact Factors
Low             Low           Medium            Easy                Loss of Confidentiality
Vulnerability Details
Sensitive information disclosure
There are several different vendors and versions of web servers on the market today. Knowing the type of web
server that is being used significantly helps the attacker to craft sophisticated attacks depending on its version
and the known vulnerabilities.
Steps to reproduce:
1. Open the application login URL of the Store/Manager Portal.
2. Log in with a valid username and password.
3. Once in the application, use a proxy tool and intercept the requests as well as the responses.
Observe that each response discloses the back-end server used, including its version.
Impact
1. Loss of confidentiality
Countermeasure/Recommendations
1. Remove or fake the Server/X-Powered-By headers
2. Respond with a generic error message for all invalid login attempts
Remarks:
Reference:
https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)
Re-testing status: Issue closed as per the discussion
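Countermeasure 1 above (remove or fake the Server/X-Powered-By headers), together with a check that finds the disclosure in captured responses, as an added Python example. It is not code from the report or from the Ignify application: the captured header lines, the product and version strings and the WSGI middleware are constructed for the example, and the list of header names treated as disclosing is an assumption.

```python
import re

# Constructed sample capture: response headers as an intercepting proxy would
# record them. Product and version strings are invented for this example.
CAPTURED_RESPONSES = {
    "GET /login": [
        ("Content-Type", "text/html"),
        ("Server", "ExampleServer/9.9"),
        ("X-Powered-By", "ExampleFramework/1.2"),
    ],
    "POST /login": [
        ("Content-Type", "text/html"),
        ("Server", "ExampleServer/9.9"),
    ],
    "GET /hardened": [
        ("Content-Type", "text/html"),
    ],
}

# Assumption: these are the headers that advertise the back-end stack.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
VERSION_RE = re.compile(r"\d+(\.\d+)+")


def audit_headers(headers):
    """Detection: (name, value, version_present) for every header that names the
    back-end product. A product name without a version is still reported, since
    the countermeasure is to remove or fake the header, not only to trim it."""
    return [(n, v, bool(VERSION_RE.search(v))) for n, v in headers
            if n.lower() in DISCLOSING_HEADERS]


def audit_capture(capture):
    """Which captured requests had a disclosing response?"""
    return {req: audit_headers(h) for req, h in capture.items() if audit_headers(h)}


class StripServerHeaders:
    """WSGI middleware for the countermeasure: drop the disclosing headers from
    every response, optionally replacing Server with a generic value."""

    def __init__(self, app, fake_server=None):
        self.app = app
        self.fake_server = fake_server

    def __call__(self, environ, start_response):
        def filtered_start_response(status, headers, exc_info=None):
            kept = [(n, v) for n, v in headers if n.lower() not in DISCLOSING_HEADERS]
            if self.fake_server is not None:
                kept.append(("Server", self.fake_server))
            return start_response(status, kept, exc_info)
        return self.app(environ, filtered_start_response)


def demo_app(environ, start_response):
    """Stand-in application that leaks its stack the way the finding describes."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Server", "ExampleServer/9.9"),
        ("X-Powered-By", "ExampleFramework/1.2"),
    ])
    return [b"ok"]


def run_wsgi(app, path="/"):
    """Minimal in-process WSGI driver so the middleware can be exercised offline."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for req, leaks in audit_capture(CAPTURED_RESPONSES).items():
        print(req, leaks)
    print(run_wsgi(StripServerHeaders(demo_app, fake_server="webserver")))
```

Stripping at the application layer only covers responses the application generates; error pages produced by the front-end web server itself still need the equivalent setting in that server's configuration, which is why the audit runs over every captured response rather than only the login page.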
Vulnerability No-03   Store/Manager Portal   http://ecom7.ignify.net/ & https://ecommanager.ignify.net
L-002 – Cross-Origin Resource Sharing – Access-Control-Allow-Origin set to ‘*’
Risk Severity   Risk Impact   Risk Likelihood   Ease of Discovery   Technical Impact Factors
Low             Medium        Medium            Easy                Loss of Integrity
Vulnerability Details
Cross-Origin Resource Sharing – Access-Control-Allow-Origin set to ‘*’
The HTML5 cross-origin resource sharing policy controls whether and how content running on other domains
can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can
apply access controls per request based on the URL and other features of the request.
If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a
user is logged in to the application and visits a domain allowed by the policy, then any malicious content
running on that domain can potentially retrieve content from the application, and carry out actions, within the
security context of the logged-in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could
potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application
that allows access.
Steps to Reproduce:
1. Log in to the Ignify Manager/Store Portal with valid credentials.
2. Intercept a request and observe its response.
Note: The Access-Control-Allow-Origin header contains '*', which means any domain is allowed.
Impact
1. An attacker can inject malicious content in the application through the browser
2. Threat to the integrity of the application
3. Content manipulation
Countermeasure/Recommendations
1. Implement CORS handling for authenticated requests explicitly
2. Scrutinise the Origin header value on the server side
3. Whitelist the allowed domains
Remarks:
Reference:
https://www.owasp.org/index.php/CORS_OriginHeaderScrutiny#Introduction
Re-testing status: Issue closed. As per the discussion, it cannot be fixed due to the nature of the application
and how it operates.
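Countermeasures 2 and 3 above (Origin header scrutiny, domain whitelist) as an added Python example, not the report's or the application's own code. It assumes that the two report target URLs are the only legitimate origins and that the endpoints serve authenticated content; the function names are illustrative. It also carries a small detection check for the finding itself, a response carrying Access-Control-Allow-Origin: *.

```python
from urllib.parse import urlsplit

# Assumption for this example: the two report target URLs are the only origins
# that may read responses cross-origin; a real deployment lists every front end.
ALLOWED_ORIGINS = frozenset({
    "http://ecom7.ignify.net",
    "https://ecommanager.ignify.net",
})


def normalise_origin(origin):
    """Return scheme://host[:port] in lower case, or None when the Origin value is
    not a well-formed origin. Anything with a path, query, userinfo or a wildcard
    is rejected outright rather than matched loosely."""
    if origin is None or origin == "null":
        return None
    try:
        parts = urlsplit(origin)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None
    host = parts.hostname          # urlsplit already lower-cases scheme and host
    default = 80 if parts.scheme == "http" else 443
    if port is not None and port != default:
        host = "%s:%d" % (host, port)
    return "%s://%s" % (parts.scheme, host)


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Origin header scrutiny against an exact-match whitelist. Only a whitelisted
    origin is echoed back; '*' is never emitted for authenticated content, and an
    unknown origin gets no CORS headers at all, so the browser blocks the read."""
    origin = normalise_origin(request_origin)
    if origin is None or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Tell caches the answer depends on Origin, so one origin's response is
        # not replayed to another.
        "Vary": "Origin",
    }


def flags_wildcard_acao(headers):
    """Detection for the finding itself: a response carrying
    Access-Control-Allow-Origin: * as captured in the proxy."""
    return any(n.lower() == "access-control-allow-origin" and v.strip() == "*"
               for n, v in headers)


if __name__ == "__main__":
    for o in ("http://ecom7.ignify.net", "http://ecom7.ignify.net.other.example", "null", "*"):
        print(o, "->", cors_headers(o))
```

Exact matching on the normalised origin is what makes the whitelist meaningful: a substring or prefix comparison would accept a hostname that merely begins with the legitimate one, and a regex with an unescaped dot would accept a different domain that matches the pattern.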
7 Status Tracker
7.1 Application Vulnerability Status – Q1 Phase
The table below provides the status of the vulnerabilities identified during security testing of the Ignify web
application during the Q1 phase.
#    Vulnerability Details                                                            Web site               Priority   Status
01   H-001 – Content Spoofing (Text Injection) – ‘hdnDisplayType’ Parameter           Store                  High       Fixed
02   L-001 – Sensitive information disclosure                                         Store/Manager Portal   Low        Fixed/Closed
03   L-002 – Cross-Origin Resource Sharing – Access-Control-Allow-Origin set to ‘*’   Store/Manager Portal   Low        Fixed/Closed
8 Conclusion
The security testing of the Ignify applications for Phase 1 is completed, with the identified vulnerabilities
listed in Section 7.
Considering the current test status, the confidence level has been updated.
Status and remarks should be updated by the developer and shared, on the basis of which the test team will
commence re-testing.