Penetration Test Report

Size: px
Start display at page:

Download "Penetration Test Report"

Transcription

1 Penetration Test Report Acme Test Company ACMEIT System 26 th November 2010

2 Executive Summary Info-Assure Ltd was engaged by Acme Test Company to perform an IT Health Check (ITHC) on the ACMEIT System within the Service Provider network. This graph illustrates the level of risk that is exposed across the systems tested. It shows the number of vulnerabilities identified during this assessment along with their severity. As can be seen from the graph above, a number of high risk vulnerabilities were identified during the ITHC. These vulnerabilities relate both the infrastructure and web application. Infrastructure Multiple critical vulnerabilities were identified within web servers hosting the web application. Exploitation of the most critical of these vulnerabilities could allow an attacker to carry out a denial of service attack or gain access to the server with administrative permissions. A blank password was identified on the web server on the default administrator account. An attacker could exploit this to remotely gain full administrative access to the server and all data stored on it. Application Unauthorised access was possible to a number of sensitive pages without needing to authenticate to the application. These pages contained the home addresses and telephone numbers of customers who had placed orders on the website. Vulnerabilities were identified within the application that could allow an attacker to inject malicious scripts into the application which could later be executed on the victims browser within their session. An attacker who successfully exploits this vulnerability could hijack a user s session and gain access to the application with the privileges of that user. Info-Assure Ltd All rights reserved Page 2 of 17

3 Overall In summary, a number of high risk vulnerabilities were identified in both the infrastructure and application An attacker could exploit a number of these issues in order to gain unauthorised access to customers personal details such as their home address and telephone number. Unauthorised access to such information would be a breach of the UK Data Protection Act 1998 which states that Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. It is highly recommended that all high and medium risk vulnerabilities be addressed before the system goes live. This pie chart reveals the most common root causes in the vulnerabilities identified. The bar chart identifies the level of risk in the individual root causes identified Info-Assure Ltd All rights reserved Page 3 of 17

4 1 DOCUMENT CONTROL INFORMATION 1.1 DOCUMENT DETAILS Document Reference Property Client Acme Test Company Title AcmeIT Penetration Test Report Author Daniel Elliott Version 1.0 Date 6 th January 2011 Document Reference Status Issued 1.2 REVISION HISTORY Version Date Author Summary of Changes /01/2011 Daniel Elliott Initial draft of sample report /01/2011 Daniel Elliott Issued following approval 1.3 APPROVALS Name Martin Walsham Head of Consulting Position 1.4 DISTRIBUTION Organisation Name Role Martin Walsham Info-Assure Ltd Head of Consulting Info-Assure Ltd All rights reserved Page 4 of 17

5 TABLE OF CONTENTS 1 DOCUMENT CONTROL INFORMATION Document Details Revision History Approvals Distribution INTRODUCTION Background Approach Scope Test Information DETAIL RESULTS OF INFRASTRUCTURE TESTING Default Administrator Password Critical Microsoft Security Patches Missing DETAIL RESULTS OF WEB APPLICATION TESTING Insufficient Access Controls Reflective Cross Site Scripting Vulnerabilities Error Messages Reveal Sensitive Information SUMMARY OF FINDINGS Infrastructure Findings Application Testing Findings...13 APPENDIX A - TESTING TEAM APPENDIX B FINDINGS DEFINITIONS Info-Assure Ltd All rights reserved Page 5 of 17

6 2 INTRODUCTION Info-Assure Ltd was engaged by Acme Test Company to perform an IT Health Check (ITHC) on the ACMEIT System within the ACME network. Testing was carried out from the Service Provider offices in London 2.1 BACKGROUND The ACMEIT System is a new IT system developed by Service Provider which is used to process client orders placed over the Internet. Acme Test Company requires that both network infrastructure and web application penetration testing is carried out prior to the system going live. The ACMEIT System application is developed using ASP.NET and hosted on a Windows environment on Microsoft IIS web servers. 2.2 APPROACH All testing was carried out using Info-Assure standard testing methodology. A full copy of this methodology can be provided on request. Info-Assure connected locally (i.e. to a switch providing access to the <Project> environment) and were given two static IP addresses for testing laptops. All tests were run from the local network. The IP addresses used for testing were / SCOPE The following target IP addresses formed the scope for the assessment: Description IP Addresses Name Operating System File Server SERVER01 Windows 2000 Server Domain Controller SERVER02 Windows 2003 Server Web application testing was carried out on the following URL: Limitations During this phase of testing it was not possible to test the upload functionality of the application as this function was not currently operational. As such, it was agreed at the outset of testing that this functionality would be excluded from the scope of testing. 2.4 TEST INFORMATION The following test user credentials were provided to Info-Assure prior to testing:- User account 1: testuser1 User account 2: testuser2 Info-Assure Ltd All rights reserved Page 6 of 17

7 3 DETAIL RESULTS OF INFRASTRUCTURE TESTING This section provides the detailed findings of the internal ITHC of the ACMEIT System servers that was performed from July, DEFAULT ADMINISTRATOR PASSWORD Systems Affected SERVER01 ( ) Finding No 1. Finding CVE number Root Cause Seriousness (Impact) 5 A blank administrator password was identified on the Windows server. CVE Misconfiguration Likelihood 5 Overall Risk rating 25 (High Risk) Overview Weak passwords can allow an attacker to gain unauthorised access to a system. Unauthorised access to an administrative account can allow an attacker to gain full control of the affected server and all data stored on it Details The password for the local administrator account on the above server was blank Recommendation It is recommended that the password is changes to a secure password in line with the systems password policy. An example of a secure password policy for an administrative account is: minimum of 12 characters; mixture of numeric and alphanumeric characters; mixture of upper and lower case letters and mixture of symbols. Info-Assure Ltd All rights reserved Page 7 of 17

8 3.2 CRITICAL MICROSOFT SECURITY PATCHES MISSING Systems Affected SERVER01 ( ) SERVER02 ( ) Finding A number of Microsoft Windows critical security patches were identified as missing. Finding No 2. CVE number CVE CVE CVE CVE CVE CVE Root Cause System Patching Seriousness (Impact) 5 Likelihood 3 Overall Risk rating 15 (High Risk) Overview A number of critical Microsoft Windows security patches were identified as missing from the above servers which leaves them susceptible to various vulnerabilities ranging from denial of service to remote code execution. Exploitation of the most critical of these vulnerabilities could allow an attacker to gain unauthorised access to the server with administrative access. Currently there is no know exploit code these vulnerabilities in the public domain Details The following Microsoft security updates were not installed on the above server:- MS MS MS MS MS MS Recommendation It is recommended that all missing security patches are installed as appropriate. A review should be carried out on the patching policy deployed on the ACMEIT System to ensure that Windows servers are being kept up-to-date with the latest security patches. All security patches should be installed as they are released from Microsoft and then tested on a development environment before being deployed on production servers. Info-Assure Ltd All rights reserved Page 8 of 17

9 4 DETAIL RESULTS OF WEB APPLICATION TESTING This section provides the detailed findings of the web application test of the ACMEIT System that was performed from July, INSUFFICIENT ACCESS CONTROLS Systems Affected Finding No 3. Finding CVE number Root Cause Seriousness (Impact) 4 Unauthorised access was possible to a number of sensitive pages hosted on the web server CWE-285 System Patching Likelihood 4 Overall Risk rating 16 (High Risk) Instances Overview Unauthorised access was possible to a number of files hosted on the web server Details It was possible to gain access to the above pages with logging into the web application. These pages contained sensitive personal details about the users who had placed order on the website including their home address and telephone details. An attacker on the Internet could trivially gain unauthorised access to these files without needing any valid user credentials Recommendation It is recommended that a review is carried out on the access controls configured on all files hosted on the web server to ensure that unauthorised access cannot be gained to any files. In particular, attention should be given to reviewing the access to the above files Screenshots <Insert screenshots> Info-Assure Ltd All rights reserved Page 9 of 17

10 4.2 REFLECTIVE CROSS SITE SCRIPTING VULNERABILITIES Systems Affected Finding No 4. Finding CVE number Root Cause Seriousness (Impact) 4 Multiple reflective cross-site vulnerabilities were identified within the web application CWE-79 Misconfiguration Likelihood 3 Overall Risk rating 12 (High Risk) Instances (id and sid parameters) (id parameters) (number and nid parameters) Overview Reflected cross-site scripting (XSS) vulnerabilities allow malicious attackers to inject client-side scripts into web pages viewed by other users. Exploitation of these vulnerabilities would involve an attacker crafting a request containing an embedded JavaScript which is reflected back to the user who makes the request. These vulnerabilities are due to inadequate filtering of user-supplied input on the server side Details Numerous reflective XSS vulnerabilities were identified in the above instances within the application. Exploitation of all the instances identified would require the victim to have authenticated access to the application. The following is an example of a URL which could be used to exploit the XSS vulnerability within the order_detalis.aspx page. This vulnerable URL when send to a victim would execute a piece of JavaScript which displays a pop-up box XSS Vulnerability )</script> An attacker could construct a malicious URL which could be used to steal the victims session cookie and hijack their session, allowing access to the application with the privileges of the victim Recommendation It is recommended that all client-supplied input is sufficiently filtered before being echoed back to the client. If not possible (or in addition), the application should be coded to unsure that any potential unsafe data is properly encoded or escaped to prevent execution within the clients browser. Info-Assure Ltd All rights reserved Page 10 of 17

11 4.2.5 Screenshots <insert screenshots> Figure 1 - Example of injected JavaScript being executed within the victims session. Info-Assure Ltd All rights reserved Page 11 of 17

12 4.3 ERROR MESSAGES REVEAL SENSITIVE INFORMATION Systems Affected Finding No 5. Finding CVE number Root Cause Seriousness (Impact) 1 Error messages revealed sensitive information regarding configuration of the web application. CWE-209 Misconfiguration Likelihood 5 Overall Risk rating 5 (Low Risk) Instances Overview Error messages returned by the application revealed technical information regarding the configuration of the application, web server and other backend systems. Such information could be used by an attacker to carry out further attacks upon the application Details A summary of the information obtained from error messages include:- Web root on the web server is d:\data\prod\webroot\ The database instance on the backend database is acmesql The IP address of the backend database is Recommendation It is recommended that the application and web server is reconfigured so that they only provide generic error messages in the event of an error condition Screenshots <insert screenshots> Figure 2 - Example of technical error message Info-Assure Ltd All rights reserved Page 12 of 17

13 5 SUMMARY OF FINDINGS 5.1 INFRASTRUCTURE FINDINGS Finding No. Impact Exploitability Overall Rating (1-25) Finding Recommendation Affected Systems/Services Status A blank administrator password was identified on the Windows server. Change the password to a secure password in line with the systems password policy. SERVER01 ( ) Ongoing Critical vulnerabilities were identified in the Microsoft Windows operating system running on numerous servers. Install the latest Microsoft Windows security updates. SERVER01 ( ) SERVER02 ( ) Ongoing 5.2 APPLICATION TESTING FINDINGS Finding No. Impact Exploitability Overall Rating (1-25) Finding Unauthorised access was possible to number of sensitive pages without authentication Number of reflective cross-site scripting vulnerabilities identified Error messages were identified which contained sensitive information regarding the systems Recommendation Review the access controls on the vulnerable pages. Ensure sufficient input validation is enforced on all input parameters. Affected Systems/Services Status Ongoing Ongoing Reconfigure error messages to generic Ongoing Info-Assure Ltd All rights reserved Page 13 of 17

14 configuration. messages. Info-Assure Ltd All rights reserved Page 14 of 17

15 Appendix A - TESTING TEAM This project was undertaken using the following consultant: Daniel Elliott CHECK Team Leader Any queries regarding this penetration test and report should be directed to Daniel Elliott Principal Security Consultant Mob: + 44 (0) The point of contact at Service Provider was Mr Client who was the programme manager for the ACMEIT System. Info-Assure Ltd All rights reserved Page 15 of 17

16 Appendix B FINDINGS DEFINITIONS Info-Assure have developed a method for evaluating vulnerabilities and presenting the results in a way which enables clients to easily assess the risks they pose to the organisation. Each finding is categories by its Impact and Likelihood B.1. Findings Box The table below provides a key to understand the findings description. Systems Affected Finding CVE number Root Cause List of devices which are vulnerable. This will either take the form of IP addresses (DNS names) or URLs. An overview of the vulnerability identified. Where possible, references will be made to a common reference identifier such as CVE or CWE. These references to external sources allow clients to find out additional details regarding the vulnerability and how to mitigate it. Each finding will be categorised as to the perceived root cause. Further details are discussed in the section below. Finding No. x Seriousness (Impact) Impact if the vulnerability is successfully exploited. Rated from 5 (very high) to 1. Remotely gaining full administrative access to device would rate highest. Privilege Escalation and unauthorised access to data would rate 3 or 4. As a contrast minor information disclosure would rate lower with 1 or 2 Likelihood How easy is the vulnerability to exploit? Ratings from 5 (very easy) to 1 (very hard). A rating of 5 would correspond if it could be trivially exploited by attacker without the need for any exploit code or tool Could be trivially exploded by attacker but would require publically available exploit code or tool. 3 - Vulnerability is not trivial to exploit and may require development of exploit code. A lower rating of 1 or 2 would relate to a theoretical vulnerability where there is no known exploit code and/or would require a lot of resources to exploit Overall Risk rating The overall risk rating is calculated by multiplying the seriousness rating with the impact rating and then categories as follows (Very High Risk) (High Risk) (Medium Risk) 6-10 (Medium/Low Risk) 1-5 (Very Low Risk) Info-Assure Ltd All rights reserved Page 16 of 17

17 Note: It should be noted that the definitions defined above for the seriousness and likelihood ratings are only guidelines B.2. Executive Summary The executive summary provides a number of graphical representations as to the most common root cause of the vulnerabilities identified. A summary of the number of different root cause categories are summarised in a graph in the management summary. The pie chart depicts the most common root causes of the vulnerabilities identified. The column chart shows each of the root causes against the percentage In addition, all findings are plotted onto a graph so that the severity of the vulnerabilities identified can easily be visualised. This enables the client to concentrate their efforts for resolution in specific areas. B.2.1. Root Causes The root causes include: Patching failure; Mis-configuration / Lack of hardening; Insecure coding; Network design failure; Human failure (or non-technical); Other. Info-Assure Ltd All rights reserved Page 17 of 17

Web Application Security

Web Application Security Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1 Web App Security Trends Web 2.0 Dynamic Webpages Growth of Ajax / Client side Javascript Hardening of OSes Secure by default Auto-patching

More information

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION External Vulnerability Assessment -Technical Summary- Prepared for: ABC ORGANIZATI On March 9, 2008 Prepared by: AOS Security Solutions 1 of 13 Table of Contents Executive Summary... 3 Discovered Security

More information

Sitefinity Security and Best Practices

Sitefinity Security and Best Practices Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Penetration Testing Report Client: Business Solutions June 15 th 2015

Penetration Testing Report Client: Business Solutions June 15 th 2015 Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST Performed Between Testing start date and end date By SSL247 Limited SSL247 Limited 63, Lisson Street Marylebone London

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO-6013-09 TABLE OF CONTENTS

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO-6013-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER OCIO-6013-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS

More information

5 Simple Steps to Secure Database Development

5 Simple Steps to Secure Database Development E-Guide 5 Simple Steps to Secure Database Development Databases and the information they hold are always an attractive target for hackers looking to exploit weaknesses in database applications. This expert

More information

CMP3002 Advanced Web Technology

CMP3002 Advanced Web Technology CMP3002 Advanced Web Technology Assignment 1: Web Security Audit A web security audit on a proposed eshop website By Adam Wright Table of Contents Table of Contents... 2 Table of Tables... 2 Introduction...

More information

Application Security Testing. Generic Test Strategy

Application Security Testing. Generic Test Strategy Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

Data Breaches and Web Servers: The Giant Sucking Sound

Data Breaches and Web Servers: The Giant Sucking Sound Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant

More information

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences

More information

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration

More information

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP) Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage

More information

Magento Security and Vulnerabilities. Roman Stepanov

Magento Security and Vulnerabilities. Roman Stepanov Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection

More information

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting SECURITY ADVISORY December 2008 Barracuda Load Balancer admin login Cross-site Scripting Discovered in December 2008 by FortConsult s Security Research Team/Jan Skovgren WARNING NOT FOR DISCLOSURE BEFORE

More information

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

OWASP AND APPLICATION SECURITY

OWASP AND APPLICATION SECURITY SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

Ruby on Rails Secure Coding Recommendations

Ruby on Rails Secure Coding Recommendations Introduction Altius IT s list of Ruby on Rails Secure Coding Recommendations is based upon security best practices. This list may not be complete and Altius IT recommends this list be augmented with additional

More information

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

Security features of ZK Framework

Security features of ZK Framework 1 Security features of ZK Framework This document provides a brief overview of security concerns related to JavaScript powered enterprise web application in general and how ZK built-in features secures

More information

Web Application Security Assessment and Vulnerability Mitigation Tests

Web Application Security Assessment and Vulnerability Mitigation Tests White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software

More information

Essential IT Security Testing

Essential IT Security Testing Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04

More information

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat

More information

Web Vulnerability Assessment Report

Web Vulnerability Assessment Report Web Vulnerability Assessment Report Target Scanned: www.daflavan.com Report Generated: Mon May 5 14:43:24 2014 Identified Vulnerabilities: 39 Threat Level: High Screenshot of www.daflavan.com HomePage

More information

Annex B - Content Management System (CMS) Qualifying Procedure

Annex B - Content Management System (CMS) Qualifying Procedure Page 1 DEPARTMENT OF Version: 1.5 Effective: December 18, 2014 Annex B - Content Management System (CMS) Qualifying Procedure This document is an annex to the Government Web Hosting Service (GWHS) Memorandum

More information

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Recommended Practice Case Study: Cross-Site Scripting. February 2007 Recommended Practice Case Study: Cross-Site Scripting February 2007 iii ACKNOWLEDGEMENT This document was developed for the U.S. Department of Homeland Security to provide guidance for control system cyber

More information

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration

More information

Web application security

Web application security Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0

More information

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Nuclear Regulatory Commission Computer Security Office Computer Security Standard Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:

More information

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP

More information

WEB ATTACKS AND COUNTERMEASURES

WEB ATTACKS AND COUNTERMEASURES WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

Hack Proof Your Webapps

Hack Proof Your Webapps Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University

More information

MWR InfoSecurity Security Advisory. BT Home Hub SSID Script Injection Vulnerability. 10 th May 2010. Contents

MWR InfoSecurity Security Advisory. BT Home Hub SSID Script Injection Vulnerability. 10 th May 2010. Contents Contents MWR InfoSecurity Security Advisory BT Home Hub SSID Script Injection Vulnerability 10 th May 2010 2010-05-10 Page 1 of 8 Contents Contents 1 Detailed Vulnerability Description... 5 1.1 Technical

More information

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

Annual Web Application Security Report 2011

Annual Web Application Security Report 2011 Annual Web Application Security Report 2011 An analysis of vulnerabilities found in external Web Application Security tests conducted by NTA Monitor during 2010 Contents 1.0 Introduction... 3 2.0 Summary...

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

In partnership with CST. Web Application Security Assessment Report. Acme Inc V1.0. 27 November 2012 2012-999 COMMERCIAL IN CONFIDENCE

In partnership with CST. Web Application Security Assessment Report. Acme Inc V1.0. 27 November 2012 2012-999 COMMERCIAL IN CONFIDENCE In partnership with CST V1.0 27 November 2012 2012-999 Copyright The copyright in this work is vested in Activity Information Management Limited, and the document is issued in confidence for the purpose

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

Virtualization System Security

Virtualization System Security Virtualization System Security Bryan Williams, IBM X-Force Advanced Research Tom Cross, Manager, IBM X-Force Security Strategy 2009 IBM Corporation Overview Vulnerability disclosure analysis Vulnerability

More information

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011 Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing

More information

Web Engineering Web Application Security Issues

Web Engineering Web Application Security Issues Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend

More information

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance

More information

Thick Client Application Security

Thick Client Application Security Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two

More information

Acunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808)

Acunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Acunetix Website Audit 5 November, 2014 Developer Report Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Scan of http://filesbi.go.id:80/ Scan details Scan information Starttime 05/11/2014 14:44:06

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

Common Security Vulnerabilities in Online Payment Systems

Common Security Vulnerabilities in Online Payment Systems Common Security Vulnerabilities in Online Payment Systems Author- Hitesh Malviya(Information Security analyst) Qualifications: C!EH, EC!SA, MCITP, CCNA, MCP Current Position: CEO at HCF Infosec Limited

More information

Cross Site Scripting in Joomla Acajoom Component

Cross Site Scripting in Joomla Acajoom Component Whitepaper Cross Site Scripting in Joomla Acajoom Component Vandan Joshi December 2011 TABLE OF CONTENTS Abstract... 3 Introduction... 3 A Likely Scenario... 5 The Exploit... 9 The Impact... 12 Recommended

More information

Web Application Security

Web Application Security E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary

More information

IT HEALTHCHECK TOP TIPS WHITEPAPER

IT HEALTHCHECK TOP TIPS WHITEPAPER WHITEPAPER PREPARED BY MTI TECHNOLOGY LTD w: mti.com t: 01483 520200 f: 01483 520222 MTI Technology have been specifying and conducting IT Healthcheck s across numerous sectors including commercial, public

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

QuickBooks Online: Security & Infrastructure

QuickBooks Online: Security & Infrastructure QuickBooks Online: Security & Infrastructure May 2014 Contents Introduction: QuickBooks Online Security and Infrastructure... 3 Security of Your Data... 3 Access Control... 3 Privacy... 4 Availability...

More information

Attack Vector Detail Report Atlassian

Attack Vector Detail Report Atlassian Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes cdavies@atlassian.com The Attack Vector Details report provides details of vulnerability

More information

Webapps Vulnerability Report

Webapps Vulnerability Report Tuesday, May 1, 2012 Webapps Vulnerability Report Introduction This report provides detailed information of every vulnerability that was found and successfully exploited by CORE Impact Professional during

More information

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.

More information

Application security testing: Protecting your application and data

Application security testing: Protecting your application and data E-Book Application security testing: Protecting your application and data Application security testing is critical in ensuring your data and application is safe from security attack. This ebook offers

More information

How to complete the Secure Internet Site Declaration (SISD) form

How to complete the Secure Internet Site Declaration (SISD) form 1 How to complete the Secure Internet Site Declaration (SISD) form The following instructions are designed to assist you in completing the SISD form that forms part of your Merchant application. Once completed,

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke EVALUATING COMMERCIAL WEB APPLICATION SECURITY By Aaron Parke Outline Project background What and why? Targeted sites Testing process Burp s findings Technical talk My findings and thoughts Questions Project

More information

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications

More information

Using Foundstone CookieDigger to Analyze Web Session Management

Using Foundstone CookieDigger to Analyze Web Session Management Using Foundstone CookieDigger to Analyze Web Session Management Foundstone Professional Services May 2005 Web Session Management Managing web sessions has become a critical component of secure coding techniques.

More information

MWR InfoSecurity Security Advisory. pfsense DHCP Script Injection Vulnerability. 25 th July 2008. Contents

MWR InfoSecurity Security Advisory. pfsense DHCP Script Injection Vulnerability. 25 th July 2008. Contents Contents MWR InfoSecurity Security Advisory pfsense DHCP Script Injection Vulnerability 25 th July 2008 2008-07-25 Page 1 of 10 Contents Contents 1 Detailed Vulnerability Description... 5 1.1 Technical

More information

Overview of the Penetration Test Implementation and Service. Peter Kanters

Overview of the Penetration Test Implementation and Service. Peter Kanters Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing

More information

WEB APPLICATION SECURITY

WEB APPLICATION SECURITY WEB APPLICATION SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part

More information

Last update: February 23, 2004

Last update: February 23, 2004 Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to

More information

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications Slides by Connor Schnaith Cross-Site Request Forgery One-click attack, session riding Recorded since 2001 Fourth out of top 25 most

More information

OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741

OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN

More information

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems Soteria Health Check A Cyber Security Health Check for SAP systems Soteria Cyber Security are staffed by SAP certified consultants. We are CISSP qualified, and members of the UK Cyber Security Forum. Security

More information

Stopping SQL Injection and. Manoranjan (Mano) Paul. Track: Operating Systems Security - Are we there yet?

Stopping SQL Injection and. Manoranjan (Mano) Paul. Track: Operating Systems Security - Are we there yet? Stopping SQL Injection and Crossing Over Cross-site Scripting Track: Operating Systems Security - Are we there yet? Manoranjan (Mano) Paul CISSP, MCSD, MCAD, CompTIA Network+, ECSA/LPT Catalyst(s) SQL

More information

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details Sub: Supply, Installation, setup and testing of Tenable Network Security Nessus vulnerability scanner professional version 6 or latest for scanning the LAN, VLAN, VPN and IPs with 3 years License/Subscription

More information

Cyber Essentials Scheme

Cyber Essentials Scheme Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these

More information

WEB 2.0 AND SECURITY

WEB 2.0 AND SECURITY WEB 2.0 AND SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Why Web Applications are making a hackers life easy. Presented by Jon Grew BT SBS

Why Web Applications are making a hackers life easy. Presented by Jon Grew BT SBS Why Web Applications are making a hackers life easy. Presented by Jon Grew BT SBS Acknowledgements Ed Barlow Technical Director EMEA Ed sends his apologies. The following presentation is based on the talk

More information

SPEAR PHISHING UNDERSTANDING THE THREAT

SPEAR PHISHING UNDERSTANDING THE THREAT SPEAR PHISHING UNDERSTANDING THE THREAT SEPTEMBER 2013 Due to an organisation s reliance on email and internet connectivity, there is no guaranteed way to stop a determined intruder from accessing a business

More information

Web application testing

Web application testing CL-WTS Web application testing Classroom 2 days Testing plays a very important role in ensuring security and robustness of web applications. Various approaches from high level auditing through penetration

More information

8070.S000 Application Security

8070.S000 Application Security 8070.S000 Application Security Last Revised: 02/26/15 Final 02/26/15 REVISION CONTROL Document Title: Author: File Reference: Application Security Information Security 8070.S000_Application_Security.docx

More information

Client Side Filter Enhancement using Web Proxy

Client Side Filter Enhancement using Web Proxy Client Side Filter Enhancement using Web Proxy Santosh Kumar Singh 1, Rahul Shrivastava 2 1 M Tech Scholar, Computer Technology (CSE) RCET, Bhilai (CG) India, 2 Assistant Professor, CSE Department, RCET

More information

Web Plus Security Features and Recommendations

Web Plus Security Features and Recommendations Web Plus Security Features and Recommendations (Based on Web Plus Version 3.x) Centers for Disease Control and Prevention National Center for Chronic Disease Prevention and Health Promotion Division of

More information

OWASP Top Ten Tools and Tactics

OWASP Top Ten Tools and Tactics OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),

More information

white SECURITY TESTING WHITE PAPER

white SECURITY TESTING WHITE PAPER white SECURITY TESTING WHITE PAPER Contents: Introduction...3 The Need for Security Testing...4 Security Scorecards...5 Test Approach... 11 Framework... 16 Project Initiation Process... 17 Conclusion...

More information

Cyber Exploits: Improving Defenses Against Penetration Attempts

Cyber Exploits: Improving Defenses Against Penetration Attempts Cyber Exploits: Improving Defenses Against Penetration Attempts Mark Burnette, CPA, CISA, CISSP, CISM, CGEIT, CRISC, QSA LBMC Security & Risk Services Today s Agenda Planning a Cyber Defense Strategy How

More information

4. Getting started: Performing an audit

4. Getting started: Performing an audit 4. Getting started: Performing an audit Introduction Security scans enable systems administrators to identify and assess possible risks within a network. Through GFI LANguard N.S.S. this is performed automatically,

More information

CompTIA Security+ (Exam SY0-410)

CompTIA Security+ (Exam SY0-410) CompTIA Security+ (Exam SY0-410) Length: Location: Language(s): Audience(s): Level: Vendor: Type: Delivery Method: 5 Days 182, Broadway, Newmarket, Auckland English, Entry Level IT Professionals Intermediate

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

Quality Assurance version 1

Quality Assurance version 1 Quality Assurance version 1 Introduction Quality assurance (QA) is a standardised method that ensures that everything works as it was intended to work and looks as it was intended to look. It should force

More information

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protecting a business s IT infrastructure is complex. Take, for example, a retailer operating a standard multi-tier infrastructure

More information

Countermeasures against Spyware

Countermeasures against Spyware (2) Countermeasures against Spyware Are you sure your computer is not infected with Spyware? Information-technology Promotion Agency IT Security Center http://www.ipa.go.jp/security/ 1. What is a Spyware?

More information

Network Test Labs (NTL) Software Testing Services for igaming

Network Test Labs (NTL) Software Testing Services for igaming Network Test Labs (NTL) Software Testing Services for igaming Led by committed, young and dynamic professionals with extensive expertise and experience of independent testing services, Network Test Labs

More information