Security Test Summary

Transcription

1 PINE DIGITAL SECURITY Signaalrood SH Zoetermeer Nederland TELEFOON +31(0) KVK BTW NR NL B.01 IBAN NL41ABNA BIC/SWIFT ABNANL2A ABN AMRO Security Test Summary Customer AFAS Software Product InSite Version 1.0 Date May 26th, 2016

2 Date May 26th, 2016 Page 2 of 9 Introduction To improve the security of the product, AFAS has requested Pine Digital Security ( Pine ) to perform a security test on the application. This document is the Security Test Summary issued by Pine to AFAS Software. In this document, the security tests performed by Pine on InSite are described. This document is a simplified representation of the test report. The results only apply to the product as tested before the abovementioned date. 1. Approach Pine Digital Security performs remote security tests without physical access to the server(s) or application(s). Both automated and manual checks are used in the testing process. 1) Testing a) To ensure a thorough and transparent testing process, Pine uses the publically available Certified Secure checklists 1. These checklists include commonly found vulnerabilities such as those on the OWASP Top Ten, and less publically known vulnerabilities. The checklists are created based on years of penetration testing experience, and are periodically revised. b) A penetration tester makes sure that each of the items on the checklist is tested for in the application. The application can either pass or fail each test on the checklists, or the test might not be applicable to the target. 2) Scoring a) When a vulnerability is found, Pine Digital Security scores this vulnerability using the public standard Common Vulnerability Scoring System (CVSS 2 ) version 2. b) Every vulnerability is rated on several technical characteristics such as: access vector, access complexity, required authentication, confidentiality impact, integrity impact and availability impact. c) These ratings combined produce a score from 1 to 10, with 10 indicating the potentially greatest impact. 2. Scope AFAS offers an application in which customers can carry out work-related administrative tasks. This is a publicly accessible website which offers functionality for the customers clients and other relations. Customers can, for example, edit and register working days or manage their worked hours. The InSite environment was tested using four Certified Secure checklists: Basic Server Scan Checklist Advanced Server Scan Checklist Basic Web Application Scan Checklist Advanced Web Application Scan Checklist

3 Date May 26th, 2016 Page 3 of 9 For the execution of the security test, Pine uses Certified Secure checklists. The following icons are used in these checklists: Icon Description The tested object has successfully passed the test The tested object has failed the test The test is not applicable to the tested object 3. Checklists The goal of this security test is to determine whether the systems in scope of this test are vulnerable to an attack from the Internet. The conducted test is based on the Certified Secure Basic Server Scan Checklist, the Certified Secure Advanced Server Scan Checklist, the Certified Secure Basic Web Application Scan Checklist and the Certified Secure Advanced Web Application Scan Checklist, version 3.2. # Certified Secure Basic Server Scan Checklist Result Check-up 1.0 Network security 1.1 Check for extraneous open TCP/UDP ports 2.0 Version management 2.1 Check available services for missing security updates 2.2 Check available services for unsupported software 3.0 User accounts and policies 3.1 Check for default and/or predictable accounts 4.0 Mail service configuration 4.1 Check for open relays 5.0 FTP service configuration 5.1 Check for anonymous uploading 6.0 Cryptography 6.1 Check for insecure SSL certificates 7.0 Miscellaneous 7.1 Check for server-specific problems

4 Date May 26th, 2016 Page 4 of 9 # Certified Secure Advanced Server Scan Checklist Result Check-up 1.0 Network security 1.1 Check for AXFR transfers 1.2 Check for sensitive information in the domain name system 1.3 Check for extraneous ICMP services 1.4 Check for extraneously enabled network protocols 2.0 Firewall 2.1 Check for firewall evasion by using special TCP flags 2.2 Check for firewall evasion by using IP fragmentation 2.3 Check for firewall evasion by using special source ports 3.0 Information disclosure 3.1 Check available services for sensitive information 4.0 Mail service configuration 4.1 Check for mail service username enumeration 5.0 Web service configuration 5.1 Check for extraneous directory listings 5.2 Check for too verbose error messages 5.3 Check for installed example scripts 5.4 Check for extraneous virtual hosts 5.5 Check for TRACK and TRACE methods 5.6 Check for internal IP addresses in header fields 5.7 Check for extraneous functionality 6.0 Cryptography 6.1 Check for insecure ciphers, hashes or protocols 7.0 Miscellaneous 7.1 Check for server-specific problems

5 Date May 26th, 2016 Page 5 of 9 # Certified Secure Basic Web Application Scan Checklist Result Check-up 1.0 Authentication and authorization 1.1 Check for client-side authentication 1.2 Check for default and predictable accounts 1.3 Check for identifier-based authorization 1.4 Check for missing authentication or authorization 2.0 User input 2.1 Check for filename injection / path traversal 2.2 Check for SQL injection 2.3 Check for cross-site scripting 2.4 Check for system command injection 3.0 Information disclosure 3.1 Check for extraneous files in the document root 3.2 Check for accessible backup files 3.3 Check for accessible configuration files or directories 3.4 Check for accessible revision control files or directories 4.0 Privacy and confidentiality 4.1 Check for insecure transmission of sensitive information 4.2 Check for sensitive information in externally archived pages 5.0 File upload 5.1 Check for uploading of (dynamic) scripts 6.0 Sessions 6.1 Check for cross-site request forgery 7.0 Miscellaneous 7.1 Check for application- or setup-specific problems

6 Date May 26th, 2016 Page 6 of 9 # Certified Secure Advanced Web Application Scan Checklist Result Check-up 1.0 Version management 1.1 Check for missing security updates for third-party software 2.0 Design 2.1 Check for untrusted domains in crossdomain.xml 3.0 Information disclosure 3.1 Check for too verbose error messages 3.2 Check for debug enabling using a predictable parameter 3.3 Check for valuable information in robots.txt 3.4 Check for accessible non-parsed dynamic scripts 4.0 Privacy and confidentiality 4.1 Check for missing anti-caching headers 4.2 Check for sensitive information stored in cookies 5.0 Integrity 5.1 Check for client-side state management 6.0 Authentication and authorization 6.1 Check for authentication based on the knowledge of a secret URL 6.2 Check for too verbose authentication-failure logging 6.3 Check for brute-force username enumeration 6.4 Check for brute-force password guessing 6.5 Check for denial-of-service by locking out accounts 6.6 Check for authentication or authorization based on obscurity 6.7 Check for predictable password and/or token generation 6.8 Check for unauthorized credential changes 7.0 User input 7.1 Check for double decoding of headers / parameters

7 Date May 26th, 2016 Page 7 of Check for XML injection 7.3 Check for XPath injection 7.4 Check for LDAP injection 7.5 Check for HTTP header injection 7.6 Check for XSL(T) injection 7.7 Check for SSI injection 7.8 Check for resource identifier injection 7.9 Check for dynamic scripting injection 7.10 Check for regular expression injection 8.0 XML 8.1 Check for XML external entity parsing 8.2 Check for XML external DTD parsing 9.0 File Upload 9.1 Check for uploading outside of intended directory 9.2 Check for uploading of configuration files Check for automated spamming via (feedback) scripts Sessions 11.1 Check for session cookies without the Secure flag 11.2 Check for session cookies without the HttpOnly flag 11.3 Check for predictable session ids 11.4 Check for session collisions 11.5 Check for session fixation 11.6 Check for external session hijacking 11.7 Check for insecure transmission of session cookies

8 Date May 26th, 2016 Page 8 of Check for missing anti-clickjacking measures Cryptography 12.1 Check for unproven cryptographic algorithms Miscellaneous 13.1 Check for application- or setup-specific problems

9 Date May 26th, 2016 Page 9 of 9 4. Results Pine Digital Security conducted a security test for AFAS on December 18 th The purpose of the test was to determine if InSite was vulnerable to attack from the Internet. After the initial security test, a check-up test has been carried out on May 26 th During this check-up Pine examined whether the previous detected vulnerabilities were mitigated appropriately. Pine Digital Security is of the opinion that the InSite web application, and the associate infrastructure, is sufficiently secure. All items on the Certified Secure Server checklist have been marked as Passed and no new vulnerabilities were introduced while solving previous detected vulnerabilities.