APPLICATION SECURITY AND ITS IMPORTANCE

Transcription

1 Table of Contents APPLICATION SECURITY AND ITS IMPORTANCE 1 ISSUES AND FIXES: 2 ISSUE: XSS VULNERABILITIES 2 ISSUE: CSRF VULNERABILITY 2 ISSUE: CROSS FRAME SCRIPTING (XSF)/CLICK JACKING 2 ISSUE: WEAK CACHE POLICY/SERVER CACHE POLICY 3 ISSUE: MIME-SNIFFING 3 ISSUE: CROSS ORIGIN RESOURCE SHARING (CORS) 3 ISSUE: BROWSER AUTO-COMPLETE ISSUE 4 ISSUE: HTTPONLY AND SECURE FLAG 4 ISSUE: SHA1WITHRSA FOR CSR CREATION 4 ISSUE: JQUERY MIGRATED TO NEW VERSION TO AVOID VULNERABILITY 4 ISSUE: SESSION FIXATION 5 ISSUE: HTTP METHODS BLOCKING. 5 ISSUE: SQL INJECTION THROUGH FRAMEWORK BUILD 5 ISSUE: WEAK SSL CIPHER 5

2 Application Security and Its Importance Password security has been, and will always be a source of eternal trouble for organizations across the globe. A weak password management solution can be detrimental to the reputation of companies in the eyes of the customers. Hackers today get easy access to better hardware and modern hacking techniques and are well poised to take advantage of any security vulnerabilities. A password management application offers considerable protection, but when the applications themselves contain these vulnerabilities, it is a recipe for disaster unless the organization carries out corrective action immediately. We at ManageEngine ADSelfService Plus take utmost care to instantly iron out any vulnerability that may arise in our product. We prioritize password security above all and stay vigilant in dealing with issues related to them. Here is a list of security vulnerabilities that we have identified in our product and the way in which we have fixed them. Issues and fixes: Issue: XSS vulnerabilities Cross-site Scripting (XSS) attacks involve an attacker injecting a script in the target application. When the script is run by the user, the script will run within the security context of the application undetected. In addition, X-XSS-Protection header is set in every request. This header is recognised by most browsers and they take necessary actions to prevent XSS attacks upon seeing this header. Fix: The output displayed on the application for any corresponding input of the user is encoded and displayed to prevent external scripts being run in the application. Issue: CSRF Vulnerability Cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. Fix: The application sends out a token with every request originating from it and will prevent running any unwanted actions that do not provide the right authentication token. This fix has been released with the ADSelfService Plus build 5300 released on May 2015.

3 Issue: Cross Frame Scripting (XSF)/Click Jacking In an XFS attack, the attacker exploits a specific cross-frame-scripting bug in a web browser to access private data on a third-party website. Fix: This vulnerability has been fixed by adding X-Frame-Options as same origin in the response header. This prevents third party sites from loading ADSelfService Plus in IFrames. Note: To enable this fix, open the file conf\security-params.xml from the installation folder and remove the # at the beginning of X-Frame-Options. Issue: Weak Cache Policy/Server Cache Policy The normally secure HTTPs sessions could be compromised due to stored copies of sensitive pages in a shared cache or browser cache. Fix: Every HTTP page in the product is set with cache-control, pragma, expires response headers to prevent caching of any data. Note: To enable this fix, open the file conf\security-params.xml from the installation folder and remove the # at the beginning of the line. Issue: MIME-SNIFFING Attackers manipulate the web application to display their content as a HTML and inject their scripts in it. Fix: This vulnerability has been fixed by adding X-Content-Type-options as nosniff. Note: To enable this fix, open the file conf\security-params.xml from the installation folder and remove the # at the beginning of X-content-type-options. Issue: Cross Origin Resource Sharing (CORS) A CORS attack allows restricted resources on a web page to be requested from another

4 domain outside the domain from which the resource originated. Fix: Setting Access-control-allow-origin=domainname has fixed the CORS vulnerability. Issue: Browser Auto-complete Issue Modern browsers cache credentials of users and administrators and autofill them at the next instance. Fix: The autocomplete setting in every password field is set to off to fix the auto-complete issue. Issue: HTTPOnly and Secure Flag This vulnerability is a variation of the popular man-in-the-middle attack. When HTTP protocol is used, the traffic is sent in plaintext. It allows the attacker to see/modify the traffic. Fix: Authentication cookie is set with HTTPonly and secure flag, it returns only empty strings. This solves the vulnerability issue as the attacker intercepts no useful data. Note: HTTPs has to be enabled to set secure flags for the authentication cookie. Issue: SHA1WithRSA for CSR creation The secure hash algorithm SHA1WithRSA used to encrypt information has been found to be vulnerable. Fix: CSR creation now uses SHA256WithRSA encryption to overcome this security vulnerability. Issue: jquery migrated to new version to avoid Vulnerability

5 The jquery v1.4 used had security vulnerabilities. Fix: Migrating to jquery v1.8 has fixed those security vulnerabilities. Issue: Session Fixation Session fixation is an attack which steals the user session by getting the session ID from users through hyperlink/cookie. Fix: Tomcat provides a fix by using different session IDs for each session. Additionally, ADSelfService Plus does not add session ID to any hyperlinks within the product. Moreover, stealing the cookie can be achieved only by performing an XSS attack, against which the product is safe. Issue: HTTP Methods Blocking. HTTP methods like HEAD, DELETE, PUT, OPTIONS AND CONNECT are unused in the product. These unused methods may be harnessed to perform unintended behaviour. Fix: ADSelfService Plus blocks all unused HTTP methods to overcome this vulnerability Issue: SQL Injection through framework build SQL injection is a type of web application security vulnerability in which an attacker is able to submit a database SQL command that is executed by a web application, exposing the back-end database. Fix: Database operations are handled through our internal framework to prevent security breaches. Issue: Weak SSL Cipher Weak SSL ciphers were used for encryption.

6 Fix: To fix this issue without compromising on the browser compatibility, use these ciphers: (Mozilla recommendations) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA To fix this issue with enhanced security but compromises in browser compatibility, use these ciphers: (OWASP recommendations) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AE S_256_GCM_SHA384 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_ 256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AE S_128_GCM_SHA256 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_ 128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AE S_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_2 56_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_ 256_CBC_SHA384 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256 _CBC_SHA

7 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AE S_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_1 28_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_ 128_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128 _CBC_SHA We have always valued our customer's security concerns over all others and resolve vulnerabilities as soon as we find them. We assure you that we would continue staying this way and provide you with as much as a vulnerability free password management solution as possible. If you do find any vulnerabilities in our product that you feel we haven't addressed yet, please do contact us at support@adselfserviceplus.com