Penetration Test Report



Client: Acme Test Company
System: ACMEIT System
Date: 26th November 2010

Executive Summary

Info-Assure Ltd was engaged by Acme Test Company to perform an IT Health Check (ITHC) on the ACMEIT System within the Service Provider network.

This graph illustrates the level of risk that is exposed across the systems tested. It shows the number of vulnerabilities identified during this assessment along with their severity. As can be seen from the graph above, a number of high risk vulnerabilities were identified during the ITHC. These vulnerabilities relate to both the infrastructure and the web application.

Infrastructure

Multiple critical vulnerabilities were identified within the web servers hosting the web application. Exploitation of the most critical of these vulnerabilities could allow an attacker to carry out a denial of service attack or gain access to the server with administrative permissions. A blank password was identified on the default administrator account of the web server. An attacker could exploit this to remotely gain full administrative access to the server and all data stored on it.

Application

Unauthorised access was possible to a number of sensitive pages without needing to authenticate to the application. These pages contained the home addresses and telephone numbers of customers who had placed orders on the website.

Vulnerabilities were identified within the application that could allow an attacker to inject malicious scripts into the application which would later be executed in the victim's browser within their session. An attacker who successfully exploits this vulnerability could hijack a user's session and gain access to the application with the privileges of that user.

Info-Assure Ltd 2011. All rights reserved Page 2 of 17

Overall

In summary, a number of high risk vulnerabilities were identified in both the infrastructure and the application. An attacker could exploit a number of these issues in order to gain unauthorised access to customers' personal details such as their home address and telephone number. Unauthorised access to such information would be a breach of the UK Data Protection Act 1998, which states that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." It is highly recommended that all high and medium risk vulnerabilities be addressed before the system goes live.

This pie chart reveals the most common root causes of the vulnerabilities identified. The bar chart identifies the level of risk in the individual root causes identified.

1 DOCUMENT CONTROL INFORMATION

1.1 DOCUMENT DETAILS

Client: Acme Test Company
Title: AcmeIT Penetration Test Report
Author: Daniel Elliott
Version: 1.0
Date: 6th January 2011
Document Reference:
Status: Issued

1.2 REVISION HISTORY

Version  Date        Author          Summary of Changes
0.1      05/01/2011  Daniel Elliott  Initial draft of sample report
1.0      06/01/2011  Daniel Elliott  Issued following approval

1.3 APPROVALS

Name: Martin Walsham
Position: Head of Consulting

1.4 DISTRIBUTION

Name: Martin Walsham
Organisation: Info-Assure Ltd
Role: Head of Consulting

TABLE OF CONTENTS

1 DOCUMENT CONTROL INFORMATION ........................ 4
  1.1 Document Details ................................ 4
  1.2 Revision History ................................ 4
  1.3 Approvals ....................................... 4
  1.4 Distribution .................................... 4
2 INTRODUCTION ........................................ 6
  2.1 Background ...................................... 6
  2.2 Approach ........................................ 6
  2.3 Scope ........................................... 6
  2.4 Test Information ................................ 6
3 DETAIL RESULTS OF INFRASTRUCTURE TESTING ............ 7
  3.1 Default Administrator Password .................. 7
  3.2 Critical Microsoft Security Patches Missing ..... 8
4 DETAIL RESULTS OF WEB APPLICATION TESTING ........... 9
  4.1 Insufficient Access Controls .................... 9
  4.2 Reflected Cross Site Scripting Vulnerabilities . 10
  4.3 Error Messages Reveal Sensitive Information .... 12
5 SUMMARY OF FINDINGS ................................ 13
  5.1 Infrastructure Findings ........................ 13
  5.2 Application Testing Findings ................... 13
APPENDIX A - TESTING TEAM ............................ 15
APPENDIX B - FINDINGS DEFINITIONS .................... 16

2 INTRODUCTION

Info-Assure Ltd was engaged by Acme Test Company to perform an IT Health Check (ITHC) on the ACMEIT System within the ACME network. Testing was carried out from the Service Provider offices in London.

2.1 BACKGROUND

The ACMEIT System is a new IT system developed by Service Provider which is used to process client orders placed over the Internet. Acme Test Company requires that both network infrastructure and web application penetration testing are carried out prior to the system going live. The ACMEIT System application is developed using ASP.NET and hosted in a Windows environment on Microsoft IIS web servers.

2.2 APPROACH

All testing was carried out using the Info-Assure standard testing methodology. A full copy of this methodology can be provided on request. Info-Assure connected locally (i.e. to a switch providing access to the <Project> environment) and were given two static IP addresses for the testing laptops. All tests were run from the local network. The IP addresses used for testing were in 192.168.0.134/24.

2.3 SCOPE

The following target IP addresses formed the scope for the assessment:

Description        IP Address   Name      Operating System
File Server        192.168.0.1  SERVER01  Windows 2000 Server
Domain Controller  192.168.0.2  SERVER02  Windows 2003 Server

Web application testing was carried out on the following URL: http://www.acmeit.local

2.3.1 Limitations

During this phase of testing it was not possible to test the upload functionality of the application as this function was not operational at the time. It was therefore agreed at the outset of testing that this functionality would be excluded from the scope of testing.

2.4 TEST INFORMATION

The following test user credentials were provided to Info-Assure prior to testing:

User account 1: testuser1
User account 2: testuser2

3 DETAIL RESULTS OF INFRASTRUCTURE TESTING

This section provides the detailed findings of the internal ITHC of the ACMEIT System servers that was performed from 10-15 July 2010.

3.1 DEFAULT ADMINISTRATOR PASSWORD

Finding No: 1
Systems Affected: SERVER01 (192.168.0.1)
Finding: A blank administrator password was identified on the Windows server.
CVE number: CVE-1999-0506
Root Cause: Misconfiguration
Seriousness (Impact): 5
Likelihood: 5
Overall Risk rating: 25 (Very High Risk)

3.1.1 Overview

Weak passwords can allow an attacker to gain unauthorised access to a system. Unauthorised access to an administrative account can allow an attacker to gain full control of the affected server and all data stored on it.

3.1.2 Details

The password for the local administrator account on the above server was blank. This can be exploited trivially, without any exploit code or tool, by anyone able to reach the server over the network, which is why the likelihood is rated 5.

3.1.3 Recommendation

It is recommended that the password is changed to a secure password in line with the system's password policy. An example of a secure password policy for an administrative account is: a minimum of 12 characters, with a mixture of upper and lower case letters, numbers and symbols.

3.2 CRITICAL MICROSOFT SECURITY PATCHES MISSING

Finding No: 2
Systems Affected: SERVER01 (192.168.0.1), SERVER02 (192.168.0.2)
Finding: A number of Microsoft Windows critical security patches were identified as missing.
CVE number: CVE-2010-1879, CVE-2010-1880, CVE-2010-0480, CVE-2010-0478, CVE-2010-0483, CVE-2010-0250
Root Cause: System Patching
Seriousness (Impact): 5
Likelihood: 3
Overall Risk rating: 15 (Medium Risk)

3.2.1 Overview

A number of critical Microsoft Windows security patches were identified as missing from the above servers, which leaves them susceptible to various vulnerabilities ranging from denial of service to remote code execution. Exploitation of the most critical of these vulnerabilities could allow an attacker to gain unauthorised access to the server with administrative privileges. At the time of testing there was no known exploit code for these vulnerabilities in the public domain, which is why the likelihood is rated 3; this can change once the patches have been analysed and should not be relied upon.

3.2.2 Details

The following Microsoft security updates were not installed on the above servers:

MS10-033
MS10-026
MS10-025
MS10-022
MS10-021
MS10-013

3.2.3 Recommendation

It is recommended that all missing security patches are installed as appropriate. A review should be carried out of the patching policy deployed on the ACMEIT System to ensure that Windows servers are being kept up to date with the latest security patches. Security patches should be obtained as Microsoft releases them, tested in a development environment and then deployed to the production servers.

4 DETAIL RESULTS OF WEB APPLICATION TESTING

This section provides the detailed findings of the web application test of the ACMEIT System that was performed from 10-15 July 2010.

4.1 INSUFFICIENT ACCESS CONTROLS

Finding No: 3
Systems Affected: www.acmeit.local
Finding: Unauthorised access was possible to a number of sensitive pages hosted on the web server.
CVE number: CWE-285
Root Cause: Misconfiguration
Seriousness (Impact): 4
Likelihood: 4
Overall Risk rating: 16 (High Risk)

4.1.1 Instances

http://www.acmeit.local/admin/addresses.aspx?list=true
http://www.acmeit.local/function/order_details.aspx?list=true&wd=1
http://www.acmeit.local/admin/phone.aspx?list=true

4.1.2 Overview

Unauthorised access was possible to a number of pages hosted on the web server.

4.1.3 Details

It was possible to gain access to the above pages without logging into the web application. These pages contained sensitive personal details about the users who had placed orders on the website, including their home address and telephone details. An attacker on the Internet could trivially gain unauthorised access to these pages without needing any valid user credentials.

4.1.4 Recommendation

It is recommended that a review is carried out of the access controls configured on all pages hosted on the web server to ensure that unauthorised access cannot be gained to any of them. In particular, attention should be given to reviewing access to the above pages. The access check should be enforced on the server for every request, rather than relying on the pages not being linked from the unauthenticated part of the site.

4.1.5 Screenshots

<Insert screenshots>
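The check a tester or developer wants after the access controls are changed is to request each of the pages in 4.1.1 with no cookies or credentials and confirm that customer data no longer comes back. The following script is an added example, not code from the report or from the ACMEIT application: it classifies each unauthenticated response (data exposed, redirect to login, login form served, or protected). The HTTP fetcher is injectable, so the offline run below uses constructed responses rather than captured traffic; the content markers used to tell customer data from a login form are assumptions to tune per application.

```python
"""Unauthenticated access check for the pages listed under 4.1.1.

Added example (not part of the Info-Assure report). Requests each URL with
no cookies or credentials and classifies the response so that the access
control fix can be verified. The fetch function is injectable, so the logic
can be exercised offline against constructed responses.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# URLs taken from section 4.1.1 of the report.
SENSITIVE_URLS: List[str] = [
    "http://www.acmeit.local/admin/addresses.aspx?list=true",
    "http://www.acmeit.local/function/order_details.aspx?list=true&wd=1",
    "http://www.acmeit.local/admin/phone.aspx?list=true",
]

# Assumed content markers: words that indicate customer data in a 200 response
# versus words that indicate the application served its login form instead.
DATA_MARKERS = ("address", "telephone", "postcode")
LOGIN_MARKERS = ("login", "password", "sign in")

# (status code, response headers, decoded body)
Response = Tuple[int, Dict[str, str], str]
Fetcher = Callable[[str], Response]


def classify(status: int, headers: Dict[str, str], body: str) -> str:
    """Label one unauthenticated response; 'exposed' reproduces the finding."""
    location = headers.get("Location", "").lower()
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308) and "login" in location:
        return "redirect-to-login"
    if status == 200:
        text = body.lower()
        has_data = any(m in text for m in DATA_MARKERS)
        has_login = any(m in text for m in LOGIN_MARKERS)
        if has_data and not has_login:
            return "exposed"
        if has_login:
            return "login-form"
        return "reachable"  # 200 without recognised content: review by hand
    return "other(%d)" % status


def check_unauthenticated(urls: List[str], fetch: Fetcher) -> Dict[str, str]:
    """Fetch every URL without credentials and return url -> classification."""
    return {url: classify(*fetch(url)) for url in urls}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so a redirect to the
    login page is reported rather than silently resolved to the login form."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url: str) -> Response:
    """Real fetcher: no cookie jar, no Authorization header, no redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "acl-check"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers.items()), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read().decode("utf-8", "replace")


# Constructed responses for an offline run; these are not captured traffic.
CONSTRUCTED_RESPONSES: Dict[str, Response] = {
    SENSITIVE_URLS[0]: (200, {}, "<h1>Addresses</h1><td>J Smith</td>"
                                 "<td>Home address: 1 High St</td><td>Telephone: 0161 000 0000</td>"),
    SENSITIVE_URLS[1]: (302, {"Location": "/login.aspx?ReturnUrl=%2ffunction%2forder_details.aspx"}, ""),
    SENSITIVE_URLS[2]: (200, {}, "<form><h1>Login</h1>User <input> Password <input></form>"),
}


def constructed_fetch(url: str) -> Response:
    return CONSTRUCTED_RESPONSES[url]


if __name__ == "__main__":
    # Swap constructed_fetch for live_fetch to test the real host.
    for url, verdict in check_unauthenticated(SENSITIVE_URLS, constructed_fetch).items():
        print(f"{verdict:18} {url}")
```

In the ASP.NET environment described in 2.1 the corresponding fix is a server-side authorization rule for the `/admin` and `/function` paths (URL authorization in web.config, or an explicit authentication check in each page), after which every URL above should classify as `redirect-to-login` or `protected`; a `reachable` verdict means the heuristic could not decide and the response should be inspected manually.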

4.2 REFLECTED CROSS SITE SCRIPTING VULNERABILITIES

Finding No: 4
Systems Affected: www.acmeit.local
Finding: Multiple reflected cross-site scripting vulnerabilities were identified within the web application.
CVE number: CWE-79
Root Cause: Insecure coding
Seriousness (Impact): 4
Likelihood: 3
Overall Risk rating: 12 (Medium Risk)

4.2.1 Instances

http://www.acmeit.local/admin/addresses.aspx (id and sid parameters)
http://www.acmeit.local/function/order_details.aspx (id parameter)
http://www.acmeit.local/admin/phone.aspx (number and nid parameters)

4.2.2 Overview

Reflected cross-site scripting (XSS) vulnerabilities allow an attacker to inject client-side script into web pages viewed by other users. Exploitation involves the attacker crafting a request containing embedded JavaScript, which the application reflects back in its response to the user who makes the request. These vulnerabilities are due to user-supplied input being echoed into the page without adequate validation or output encoding on the server side.

4.2.3 Details

Numerous reflected XSS vulnerabilities were identified in the above instances within the application. Exploitation of all the instances identified would require the victim to have authenticated access to the application. The following is an example of a URL which could be used to exploit the XSS vulnerability within the order_details.aspx page. When this URL is sent to a victim and opened in their browser, it executes a piece of JavaScript which displays a pop-up box:

http://www.acmeit.local/function/order_details.aspx?id=<script>alert('XSS Vulnerability')</script>

An attacker could construct a malicious URL which could be used to steal the victim's session cookie and hijack their session, allowing access to the application with the privileges of the victim.

4.2.4 Recommendation

It is recommended that any user-supplied data echoed back to the client is encoded or escaped for the context in which it is written (HTML body, HTML attribute, JavaScript or URL) so that it cannot be interpreted as script by the client's browser. In addition, all client-supplied input should be validated on the server side before it is used; input filtering alone is not a sufficient defence against XSS and should be treated as a second layer.

4.2.5 Screenshots

<insert screenshots>

Figure 1 - Example of injected JavaScript being executed within the victim's session.
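To confirm each parameter in 4.2.1 before and after the fix, a tester injects a canary containing the HTML metacharacters and checks how the page reflects it. The script below is an added example, not code from the report or from the ACMEIT application. It probes every listed parameter and reports whether the canary came back verbatim (exploitable), HTML-encoded (the recommended fix applied) or not at all, and it places a deliberately vulnerable page renderer beside the encoded one. The two renderers and the fake HTTP layer are hypothetical stand-ins for the real ASPX pages so that the probe runs offline; `TEMPLATE` and `MARKER` are assumptions of the example.

```python
"""Reflected XSS probe and output-encoding check for the parameters in 4.2.1.

Added example; this is not code from the report or from the ACMEIT
application. A canary value is injected into each listed parameter and the
response is inspected for how it comes back: verbatim (exploitable),
HTML-encoded (neutralised in an element-body context) or not at all.
Two constructed renderers stand in for the real order_details.aspx so the
probe runs offline; swap in a real HTTP fetcher to test the host.
"""
import html
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Page -> vulnerable parameters, as listed in section 4.2.1.
INSTANCES: Dict[str, List[str]] = {
    "http://www.acmeit.local/admin/addresses.aspx": ["id", "sid"],
    "http://www.acmeit.local/function/order_details.aspx": ["id"],
    "http://www.acmeit.local/admin/phone.aspx": ["number", "nid"],
}

# A marker unlikely to occur naturally, followed by the metacharacters an
# encoder must neutralise. Testing for the marker alone keeps the probe
# independent of which encoder (&#x27; versus &#39; and so on) the app uses.
MARKER = "zq1qz"
CANARY = MARKER + "'\"<xs>"

# The report's own proof-of-concept payload (section 4.2.3).
REPORT_PAYLOAD = "<script>alert('XSS Vulnerability')</script>"

Fetcher = Callable[[str], str]  # url -> response body


def with_param(url: str, name: str, value: str) -> str:
    """Return url with query parameter `name` set to `value`; other parameters kept."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    query[name] = value
    return urlunsplit(parts._replace(query=urlencode(query)))


def reflection_state(body: str) -> str:
    """'raw': canary echoed verbatim (vulnerable); 'encoded': marker present but
    the metacharacters were transformed; 'absent': parameter not reflected."""
    if CANARY in body:
        return "raw"
    if MARKER in body:
        return "encoded"
    return "absent"


def probe(instances: Dict[str, List[str]], fetch: Fetcher) -> Dict[Tuple[str, str], str]:
    """Probe every (page, parameter) pair once and return its reflection state."""
    return {(url, p): reflection_state(fetch(with_param(url, p, CANARY)))
            for url, params in instances.items() for p in params}


# --- constructed server-side stand-ins (hypothetical, not the real ASPX code) ---
TEMPLATE = "<html><body>Order {value} could not be found</body></html>"


def render_vulnerable(value: str) -> str:
    """Mirrors the reported defect: the parameter is concatenated into HTML unchanged."""
    return TEMPLATE.replace("{value}", value)


def render_fixed(value: str) -> str:
    """Recommended fix: encode for the HTML element context before echoing.
    (ASP.NET equivalent: HttpUtility.HtmlEncode / Server.HtmlEncode.)"""
    return TEMPLATE.replace("{value}", html.escape(value, quote=True))


def constructed_server(render: Callable[[str], str]) -> Fetcher:
    """Fake HTTP layer: echoes every query parameter value through `render`."""
    def fetch(url: str) -> str:
        values = parse_qs(urlsplit(url).query).values()
        return render(" ".join(v[0] for v in values))
    return fetch


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        for (url, param), state in probe(INSTANCES, constructed_server(render)).items():
            print(f"{label:10} {state:8} {url} [{param}]")
    print(render_fixed(REPORT_PAYLOAD))
```

`html.escape` is the right encoder only for text written into an HTML element body or a quoted attribute; a value written inside a `<script>` block or into a URL needs the encoder for that context, which is why the recommendation above asks for context-specific encoding rather than a single filter.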

4.3 ERROR MESSAGES REVEAL SENSITIVE INFORMATION

Finding No: 5
Systems Affected: www.acmeit.local
Finding: Error messages revealed sensitive information regarding the configuration of the web application.
CVE number: CWE-209
Root Cause: Misconfiguration
Seriousness (Impact): 1
Likelihood: 5
Overall Risk rating: 5 (Very Low Risk)

4.3.1 Instances

http://www.acmeit.local/admin/addresses.aspx?list=
http://www.acmeit.local/function/order_details.aspx?list=true&wd=<

4.3.2 Overview

Error messages returned by the application revealed technical information regarding the configuration of the application, web server and other backend systems. Such information could be used by an attacker to carry out further attacks upon the application.

4.3.3 Details

The information obtained from error messages included:

The web root on the web server is d:\data\prod\webroot\
The database instance on the backend database is acmesql
The IP address of the backend database is 192.168.20.50

4.3.4 Recommendation

It is recommended that the application and web server are reconfigured so that they only return generic error messages to the client in the event of an error condition, with the detailed message written to a server-side log for administrators.

4.3.5 Screenshots

<insert screenshots>

Figure 2 - Example of technical error message
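Once generic error pages are configured, a retest should confirm that the categories of detail listed in 4.3.3 no longer appear in any error response. The detector below is an added example, not code from the report: it scans a response body for file-system paths, private IPv4 addresses, connection-string values, exception and stack-trace detail, and the .NET version banner. The error page it runs against is constructed for the example to resemble the report's findings; it is not the captured ACMEIT response, and the regular expressions are assumptions a tester would extend.

```python
"""Detector for verbose error pages of the kind described in section 4.3.

Added example, not from the report. Scans a response body for the categories
of information the report says were disclosed (file-system path, backend
database host and instance, stack-trace detail) so that the generic error
page fix can be verified. The sample error page is constructed for the
example and is not the captured ACMEIT response.
"""
import re
from typing import Dict, List

# Category -> pattern. Patterns with one capture group report only that group.
LEAK_PATTERNS = {
    "filesystem path": re.compile(r"\b[A-Za-z]:\\[^\s<>\"'\[\]]+"),
    "private IPv4 address": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"),
    "connection string value": re.compile(
        r"(?i)\b(?:data source|server|initial catalog|database)\s*=\s*([^;\s\"'<]+)"),
    "stack trace / exception detail": re.compile(
        r"\[\w*Exception[^\]]*\]|Source Error:|Stack Trace:|\bat [\w.]+\([^)]*\)"),
    ".NET version banner": re.compile(r"Microsoft \.NET Framework Version:\s*[\d.]+"),
}


def find_leaks(body: str) -> Dict[str, List[str]]:
    """Return {category: sorted unique matches} for every category that fired."""
    found: Dict[str, List[str]] = {}
    for name, pattern in LEAK_PATTERNS.items():
        hits = sorted(set(pattern.findall(body)))
        if hits:
            found[name] = hits
    return found


def is_generic_error(body: str) -> bool:
    """True when the error response discloses none of the tracked detail."""
    return not find_leaks(body)


# Constructed sample resembling an ASP.NET "yellow screen" with the values the
# report says were disclosed. Not a real capture.
CONSTRUCTED_ERROR_PAGE = """
<h1>Server Error in '/' Application.</h1>
<h2>Cannot open database "acmesql" requested by the login.</h2>
<b>Source Error:</b>
[SqlException (0x80131904): Cannot open database "acmesql" requested by the login.]
Connection string: Data Source=192.168.20.50;Initial Catalog=acmesql;Integrated Security=SSPI
<b>Source File:</b> d:\\data\\prod\\webroot\\function\\order_details.aspx.cs <b>Line:</b> 42
Version Information: Microsoft .NET Framework Version:2.0.50727.3615; ASP.NET Version:2.0.50727.3618
"""

# What the client should see after the fix (constructed).
CONSTRUCTED_GENERIC_PAGE = "<h1>An error occurred while processing your request.</h1>"


if __name__ == "__main__":
    for category, hits in find_leaks(CONSTRUCTED_ERROR_PAGE).items():
        print(f"{category}: {hits}")
    print("generic after fix:", is_generic_error(CONSTRUCTED_GENERIC_PAGE))
```

For the ASP.NET application in scope the usual configuration change is `customErrors` set to `On` or `RemoteOnly` in web.config (and detailed errors disabled in IIS), after which the two instance URLs in 4.3.1 should produce a body for which `is_generic_error` returns True.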

5 SUMMARY OF FINDINGS

5.1 INFRASTRUCTURE FINDINGS

Finding No.: 3.1
Impact: 5
Likelihood: 5
Overall Rating (1-25): 25
Finding: A blank administrator password was identified on the Windows server.
Recommendation: Change the password to a secure password in line with the system's password policy.
Affected Systems/Services: SERVER01 (192.168.0.1)
Status: Ongoing

Finding No.: 3.2
Impact: 5
Likelihood: 3
Overall Rating (1-25): 15
Finding: Critical vulnerabilities were identified in the Microsoft Windows operating system running on numerous servers.
Recommendation: Install the latest Microsoft Windows security updates.
Affected Systems/Services: SERVER01 (192.168.0.1), SERVER02 (192.168.0.2)
Status: Ongoing

5.2 APPLICATION TESTING FINDINGS

Finding No.: 4.1
Impact: 4
Likelihood: 4
Overall Rating (1-25): 16
Finding: Unauthorised access was possible to a number of sensitive pages without authentication.
Recommendation: Review the access controls on the vulnerable pages.
Affected Systems/Services: www.acmeit.local
Status: Ongoing

Finding No.: 4.2
Impact: 4
Likelihood: 3
Overall Rating (1-25): 12
Finding: A number of reflected cross-site scripting vulnerabilities were identified.
Recommendation: Encode all output and ensure sufficient input validation is enforced on all input parameters.
Affected Systems/Services: www.acmeit.local
Status: Ongoing

Finding No.: 4.3
Impact: 1
Likelihood: 5
Overall Rating (1-25): 5
Finding: Error messages were identified which contained sensitive information regarding the system's configuration.
Recommendation: Reconfigure error messages to generic messages.
Affected Systems/Services: www.acmeit.local
Status: Ongoing

Appendix A - TESTING TEAM

This project was undertaken by the following consultant: Daniel Elliott, CHECK Team Leader.

Any queries regarding this penetration test and report should be directed to:

Daniel Elliott
Principal Security Consultant
Mob: +44 (0) 7801 577810
Email: daniel.elliott@info-assure.co.uk

The point of contact at Service Provider was Mr Client (mr.client@client.org), who was the programme manager for the ACMEIT System.

Appendix B - FINDINGS DEFINITIONS

Info-Assure have developed a method for evaluating vulnerabilities and presenting the results in a way which enables clients to easily assess the risks they pose to the organisation. Each finding is categorised by its Impact and Likelihood.

B.1. Findings Box

The table below provides a key to understanding the findings description.

Systems Affected: List of devices which are vulnerable. This will either take the form of IP addresses (DNS names) or URLs.
Finding: An overview of the vulnerability identified.
CVE number: Where possible, references will be made to a common reference identifier such as CVE or CWE. These references to external sources allow clients to find out additional details regarding the vulnerability and how to mitigate it.
Root Cause: Each finding will be categorised as to the perceived root cause. Further details are discussed in the section below.
Finding No.: The sequence number (x) of the finding within the report.
Seriousness (Impact): Impact if the vulnerability is successfully exploited, rated from 5 (very high) to 1. Remotely gaining full administrative access to a device would rate highest. Privilege escalation and unauthorised access to data would rate 3 or 4. As a contrast, minor information disclosure would rate lower, with 1 or 2.
Likelihood: How easy is the vulnerability to exploit? Rated from 5 (very easy) to 1 (very hard):
  5 - Could be trivially exploited by an attacker without the need for any exploit code or tool.
  4 - Could be trivially exploited by an attacker but would require publicly available exploit code or a tool.
  3 - The vulnerability is not trivial to exploit and may require the development of exploit code.
  2 or 1 - A theoretical vulnerability where there is no known exploit code and/or exploitation would require a lot of resources.
Overall Risk rating: The overall risk rating is calculated by multiplying the seriousness rating by the likelihood rating and is then categorised as follows:
  21-25 (Very High Risk)
  16-20 (High Risk)
  11-15 (Medium Risk)
  6-10 (Medium/Low Risk)
  1-5 (Very Low Risk)

Note: It should be noted that the definitions given above for the seriousness and likelihood ratings are only guidelines.

B.2. Executive Summary

The executive summary provides a number of graphical representations of the most common root causes of the vulnerabilities identified. The number of findings in each root cause category is summarised in a graph in the management summary. The pie chart depicts the most common root causes of the vulnerabilities identified. The column chart shows each of the root causes against the percentage. In addition, all findings are plotted onto a graph so that the severity of the vulnerabilities identified can easily be visualised. This enables the client to concentrate their efforts for resolution in specific areas.

B.2.1. Root Causes

The root causes include:

Patching failure;
Mis-configuration / Lack of hardening;
Insecure coding;
Network design failure;
Human failure (or non-technical);
Other.