Web Application Report

Transcription

1 Web Application Report This report includes important security information about your Web Application. OWASP Top Ten 2010 The Ten Most Critical Web Application Report This report was created by IBM Rational AppScan /11/2013 4:16:57 PM 4/11/2013 4:16:58 PM Copyright IBM Corp. 2000, All Rights Reserved. 1/17

2 OWASP Top Ten 2010 The Ten Most Critical Web Application Web Application Report Scanned Web Application: Scan Name: bse Content This report contains the following sections: Description Compliance Scan Results Unique Compliance-related Issues Detected Compliance-Related Issues and Section References IMPORTANT INFORMATION ABOUT THIS REPORT This Compliance Scan Results Report is based on the results of an automated Web Application Security scan, performed by AppScan. An AppScan scan attempts to uncover security-related issues in web applications, testing both the http frameworks (e.g. web servers) and the code of the application itself (e.g. dynamic pages). The testing is performed over HTTP, and is limited only to those issues that are specified for testing and identified in an automated fashion via the HTTP channel. The scan is also limited to those specific issues included in an automatic and/or manual explore performed during the scan. The security-related issues detected are compared to selected regulatory or industry standard requirements to produce this report. There may be areas of compliance risk associated with such regulation or standard that are not specified for testing by AppScan. This report will not detect any compliance-related issues in areas of compliance risk that are not tested by AppScan. The report identifies areas where there may be a compliance risk, but the exact impact of each uncovered issue type depends on the individual application, environment, and the subject regulation or standard. Regulations and standards are subject to change, and the scans performed by AppScan may not reflect all such changes. It is the user s responsibility to interpret the results in this report for determination of impact, actual compliance violations, and appropriate remedial measures, if any. Section references to regulations are provided for reference purposes only. The issues reported are general compliance-related risks and are not to be interpreted as excerpts from any regulation. The information provided does not constitute legal advice. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. 4/11/2013 4:16:58 PM 2/17

3 Description Summary Description The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. Development projects should address these potential risks in their requirements documents and design, build and test their applications to ensure that they have taken the necessary measures to reduce these risks to the minimum. Project managers should include time and budget for application security activities including developer training, application security policy development, security mechanism design and development, penetration testing, and security code review as part over the overall effort to address the risks. The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security risks. The Top 10 provides basic guidance on how to address against these risks and where to go to learn more on how to address them. Although setout as an education piece, rather than a standard or a regulation, it is important to note that several prominent industry and government regulators are referencing the OWASP top ten. These bodies include among others VISA USA, MasterCard International and the American Federal Trade Commission (FTC). However, according to the OWASP team the OWASP top ten first and foremost an education piece, not a standard. The OWASP team suggests to any organization about to adopt the Top Ten paper as a policy or standard to consult with the OWASP team first. The OWASP Top is a significant update to the previous version of OWASP top ten (2007). It presents a more concise, risk focused list of the Top 10 Most Critical Web Application security risks and how to asses them. Each item in the top 10 is presented with the general likelihood and consequence factors that are used to categorize the typical severity of the risk. Covered Entities All companies and other entities that develop any kind of web application code are encouraged to address the top ten list as part of their over all security risk management. Adopting the OWASP Top Ten is an effective first step towards changing the software development culture within the organization into one that produces secure code. For more information on OWASP Top Ten, please review the OWASP Top Ten 2010 The Ten Most Critical Web Application, at For more information on securing web applications, please visit 01.ibm.com/software/rational/offerings/websecurity (*) DISCLAIMER The information provided does not constitute legal advice. The results of a vulnerability assessment will demonstrate potential vulnerabilities in your application that should be corrected in order to reduce the likelihood that your information will be compromised. As legal advice must be tailored to the specific application of each law, and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent counsel. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. 4/11/2013 4:16:58 PM 3/17

4 Compliance Scan Results 48 unique issues detected across 10 sections of the regulation: 1. Section Injection (A1) No. of Issues Cross site scripting (XSS) - (A2) Broken authentication and session management - (A3) Insecure direct object reference 45 (A4) Cross site request forgery (CSRF) - (A5) Security Misconfiguration 42 (A6) Insecure cryptographic storage 3 (A7) Failure to restrict URL access. 48 (A8) Insufficient transport layer protection - (A9) UnvalidatedRedirects and Forwards - (A10) 4/11/2013 4:16:58 PM 4/17

5 Unique Compliance-related Issues Detected 48 unique issues detected across 10 sections of the regulation: ID URL Parameter/Cookie Test Name Sections Hidden Directory Detected 4, Hidden Directory Detected 4, Hidden Directory Detected 4, Hidden Directory Detected 4, Hidden Directory Detected 4, Robots.txt File Web Site Structure 4, 8 Exposure uery_update/ 13 UERY~1/ 14 uery_update/replace/ 15 uery_update/replace/jquery/ 16 uery_update/replace/jquery/1.8/ uery_update/replace/ui/ 19 uery_update/replace/ui/external/ 20 uery_update/replace/misc/ 21 ternal/ 22 htbox2/ 23 GHTB~1/ 24 htbox2/js/ 25 e_menus/ 26 CE_M~1/ 4/11/2013 4:16:58 PM 5/17

6 ID URL Parameter/Cookie Test Name Sections 27 e_menus/superfish/ 28 e_menus/superf~1/ 29 e_menus/superfish/js/ 30 roll_to_top/ 31 CROLL~1/ 32 ws_ticker/ 33 EWS_~1/ 34 ws_ticker/js/ 35 ws/ 36 ws/js/ 37 o_slider/ 38 VO_S~1/ 39 o_slider/js/ o-slider/ 43 VO-S~1/ uery_update/replace/ui/external/jquery.cookie.js bform/ 48 bform/js/ Internal IP Disclosure Pattern Found 6, 7, 8 Address Pattern Found 6, 7, 8 Internal IP Disclosure Pattern Found 6, 7, 8 4/11/2013 4:16:58 PM 6/17

7 Compliance-Related Issues and Section References 1) Injection (A1) No issues. 2) Cross site scripting (XSS) (A2) No issues. 3) Broken authentication and session management (A3) No issues. 4) Insecure direct object reference (A4) 45 Issues Directory Listing - It is possible to view and download the contents of certain web application virtual directories, which might contain restricted files - Directory browsing is enabled Modify the server configuration to deny directory listing, and install the latest security patches available 1 4/11/2013 4:16:58 PM 7/17

8 j query/ j query/1.8/ ui/ ui/external/ misc/ / s/ /11/2013 4:16:58 PM 8/17

9 Hidden Directory Detected - It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site - The web server or application server are configured in an insecure way Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely /11/2013 4:16:58 PM 9/17

10 Robots.txt File Web Site Structure Exposure - It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site - The web server or application server are configured in an insecure way Move sensitive content to an isolated location to exclude it from web robot search 8 5) Cross site request forgery (CSRF) (A5) No issues. 6) Security Misconfiguration (A6) 42 Issues Directory Listing - It is possible to view and download the contents of certain web application virtual directories, which might contain restricted files - Directory browsing is enabled Modify the server configuration to deny directory listing, and install the latest security patches available 1 4/11/2013 4:16:58 PM 10/17

11 j query/ j query/1.8/ ui/ ui/external/ misc/ / s/ /11/2013 4:16:58 PM 11/17

12 Address Pattern Found - It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations - Insecure web application programming or configuration Remove addresses from the website 45 ui/external/jquery.cookie.js Internal IP Disclosure Pattern Found - It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations - Insecure web application programming or configuration Remove internal IP addresses from your website /11/2013 4:16:58 PM 12/17

13 7) Insecure cryptographic storage (A7) 3 Issues Address Pattern Found - It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations - Insecure web application programming or configuration Remove addresses from the website 45 ui/external/jquery.cookie.js Internal IP Disclosure Pattern Found - It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations - Insecure web application programming or configuration Remove internal IP addresses from your website /11/2013 4:16:58 PM 13/17

14 8) Failure to restrict URL access. (A8) 48 Issues Directory Listing - It is possible to view and download the contents of certain web application virtual directories, which might contain restricted files - Directory browsing is enabled Modify the server configuration to deny directory listing, and install the latest security patches available j query/ j query/1.8/ ui/ ui/external/ misc/ /11/2013 4:16:58 PM 14/17

15 / s/ Address Pattern Found - It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations - Insecure web application programming or configuration Remove addresses from the website 4/11/2013 4:16:58 PM 15/17

16 45 ui/external/jquery.cookie.js Hidden Directory Detected - It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site - The web server or application server are configured in an insecure way Issue a "404 - Not Found" response status code for a forbidden resource, or remove it completely Internal IP Disclosure Pattern Found - It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations - Insecure web application programming or configuration Remove internal IP addresses from your website /11/2013 4:16:58 PM 16/17

17 Robots.txt File Web Site Structure Exposure - It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site - The web server or application server are configured in an insecure way Move sensitive content to an isolated location to exclude it from web robot search 8 9) Insufficient transport layer protection (A9) No issues. 10) UnvalidatedRedirects and Forwards (A10) No issues. 4/11/2013 4:16:58 PM 17/17