Attack Vector Detail Report Atlassian

Transcription

1 Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes The Attack Vector Details report provides details of vulnerability instances (attack vectors) found on sites selected for Dynamic Analysis. In addition to the location and time the vulnerability was discovered, the attack vector details include a breakdown of the exact request and response so that developers can easily address the problem. Note that this report is available for Sentinel (dynamic testing) only, since it is based on an assessment of the production or pre-production site. This report is intended for security team members, development managers and developers. Sites are assessed using dynamic analysis, and vulnerabilities are rated by their severity levels. For descriptions of dynamic analysis and severity levels, please see the Appendix. Report Filtered By Vulnerability Status Open Vulnerability Rating Urgent, Critical, High, Medium, Low, Informational Start Date End Date Assets Number of Sites 1 Selected Vulnerability Classes Brute Force Insufficient Password Strength Autocomplete Attribute Insufficient User Session Invalidation Insufficient Session Invalidation Weak Cipher Strength Invalid HTTP Method Usage Non-HttpOnly Session Cookie Insufficient Password Aging Personally Identifiable Information Persistent Session Cookie Unsecured Session Cookie Insufficient Cookie Access Control Insufficient Crossdomain Secured Cachable HTTP Messages Application Misconfiguration HTTP Request Smuggling HTTP Request Splitting HTTP Response Smuggling Improper Filesystem Permissions Improper Input Handling Insufficient Password Recovery Insufficient Transport Layer Integer Overflows Mail Command Injection Null Byte Injection Path Traversal Remote File Inclusion Routing Detour SOAP Array Abuse Server Misconfiguration URL Redirector Abuse XML Attribute Blowup XML Entity Expansion XML External Entities XML Injection XQuery Injection Format String Attack Content Spoofing Credential/Session Prediction Session Fixation Cross Site Scripting Insufficient Process Validation Weak Password Recovery Insufficient Anti-automation SQL Injection SSI Injection Insufficient Authentication HTTP Response Splitting Denial of Service Insufficient Authorization Directory Traversal Predictable Resource Location OS Command Injection Cross Site Request Forgery Insufficient Session Expiration Buffer Overflow Fingerprinting Information Leakage LDAP Injection OS Commanding XPath Injection Frameable Response Mixed Content Security Abuse of Functionality Improper Output Handling Insecure Indexing Directory Indexing The Index of Content can be found on the last page Copyright WhiteHat Security, Inc. All Rights Reserved

2 Asset List This report has been generated for following assets: Sites: wh.atlassian.net

3 No Vulnerabilities

4 Appendix - Assessment Methodology for Dynamic Analysis WhiteHat Security combines a proprietary vulnerability scanning engine with human intelligence and analysis from its Threat Research Center to deliver thorough and accurate assessments of web applications with its Sentinel Service. WhiteHat Sentinel dynamic scanning services are all based on a continuously evolving top of class scanning engine with manual verification of all vulnerabilities to ensure quality results. WhiteHat's model allows customers to keep all sites covered at all times with minimal investment of personnel, while having access to the worlds largest team of web application security experts who keep on top of the latest web security issues, manage security assessments for customers, and provide support and information. With Premium service the security experts in the Threat Research Center also perform business logic assessments of sites, which may uncover additional issues which cannot be found through automatic scanning. This combination provides the highest quality of security assessments in the industry with high scalability and ease of use, to keep customers on top of their risk posture and help them secure their assets. WhiteHat Security - Attack Vector Report Page 4 of 7

5 Appendix - Vulnerability Level Definitions (by Severity) Severity is defined as the potential business impact if a specific vulnerability is exploited. The levels of severity are based on the same conditions factored into the PCI Security Scan report ratings, but the definitions below are clarified for Web application security concerns. The Severity is scored between 0 and 5: Urgent Critical High Medium Low Informational Severity ratings are defined below: Rating Urgent Critical High Medium Low Informational Description Attacker can assume remote root or remote administrator roles; exposes entire host to attacker; backend database, personally identifiable records, credit card data; full read and write access, remote execution of commands; example Weakness Class: Insufficient Authorization; example Attack Classes: SQL Injection, Directory/Path Traversal Attacker can assume remote user only, not root or admin; exposes internal IP addresses, source code; partial file-system access (full read access without full write access); example Weakness Class: Insufficient Authentication; example Attack Classes: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Abuse of Functionality Exposes security settings, software distributions and versions, database names; example Weakness Classes: Information Leakage, Predictable Resource Location; example Attack Class: Content Spoofing Exposes precise versions of applications; sensitive configuration information may be used to research potential attacks against host General information may be exposed to attackers, such as developer comments No actual exposure: a failure to comply with best practices for security. WhiteHat Security - Attack Vector Report Page 5 of 7

6 About WhiteHat Security WhiteHat Security is the leading provider of application risk assessment and management services that enable customers to protect critical data, ensure compliance, and narrow windows of risk. By providing accurate, complete, and cost-effective application vulnerability assessments as a software-as-aservice, we deliver the visibility, flexibility, and guidance that organizations need to prevent web attacks. Deloitte, SC Magazine, the San Jose/Silicon Valley Business Journal, Gartner and the American Business Awards have all recognized WhiteHat Security for our remarkable innovations, executive leadership and our ability to execute in the application security market. To learn more about WhiteHat Security and how our solutions can support your applications throughout the entire software development lifecycle, please visit our website at WhiteHat Security - Attack Vector Report Page 6 of 7

7 Contents Vulnerabilities Assessment Methodology for Dynamic Analysis 4 Appendix - Vulnerability Level Definitions (by Severity) 5 About WhiteHat Security 6 WhiteHat Security - Attack Vector Report Page 7 of 7