Web Application Vulnerability Assessment/Penetration Test

Prepared By: Accuvant LABS
November 20, 2012
Introduction

Defending the enterprise against security threats with today's complex information infrastructure requires a layered security strategy. The strategies in place should be structured to mitigate risk at defined points within the organization. Accuvant LABS works with organizations to locate where effective security measures can be applied, provides a working knowledge of best-in-class products, and helps implement the final solution in the environment.

Background

Risk reduction through vulnerability assessments is one area where Accuvant LABS helps its customers improve their overall security posture. As part of Spigit's ongoing commitment to ensuring the security and integrity of its external environment, Spigit has engaged Accuvant LABS on a quarterly basis to perform a security assessment of the Engage web application. The assessment was a one-week effort, completed in September 2012. Accuvant LABS' approach to security assessments is to locate application, network, and host vulnerabilities, document the findings, create a remediation plan to secure the system, and ensure that the remediation efforts taken are successful.

Scope and Methodology

Accuvant LABS security specialists follow a detailed methodology to uncover system and application vulnerabilities. The assessment encompasses a detailed review of assets that can be detected from the Internet and of the perimeter architecture. Accuvant LABS consultants use multiple commercial and open-source security tools, custom scripts, and manual validation techniques to scan for, enumerate, uncover, and exploit vulnerabilities. Commercial scanning tools such as Nessus, Nexpose, and Acunetix were used to identify host- and application-specific vulnerabilities. In addition to reviewing the application in a test environment, Accuvant LABS also reviews source code and performs threat-modeling exercises.
Throughout the course of the assessment, Accuvant LABS engaged Spigit's developers to review and discuss potential risks, threats, and vulnerabilities. The phases and associated components of this assessment included:

Assessment Phase: Application Testing

  Component: General Vulnerability Scanning
  Tasks: Accuvant LABS performs network service, enumeration, and vulnerability scanning of the devices that support the application environment in order to identify known security issues or system configuration errors.

  Component: Automated Vulnerability Scanning
  Tasks: Using a comprehensive suite of application assessment tools, Accuvant LABS targets all visible tiers of the application interfaces from external sources to identify common application security flaws and vulnerabilities.

  Component: Manual Testing and Exploitation
  Tasks: Accuvant LABS executes manual testing procedures, including a comprehensive analysis of the areas identified in the Testing Controls checklist. Controlled exploitation is attempted for all issues identified by any of the tools used in earlier phases. Testing is performed for both unauthenticated and authenticated scenarios within the specified user roles.

Assessment Phase: Remediation Planning

  Component: Workshop
  Tasks: Throughout the engagement, Accuvant LABS worked in concert with the Spigit team to explain the vulnerabilities discovered during testing and to assign appropriate risk to each vulnerability within the context of the environment.

Revision: 1 Confidential Page 2 of 7
Assessment Summary

Spigit's customers can be assured that Spigit performed due diligence by using a trusted third party to independently evaluate the Engage web application from an information security standpoint. While the initial assessment of the Engage web application revealed minor areas that did not align with security best practices for web applications, direct attacks against the application and environment did not result in unauthorized access to Spigit systems or to data assets within the application. Based on the findings observed and the remediation steps taken by Spigit, the overall security posture of the application and application environment can be classified as a low level of risk when compared to similar software Accuvant LABS has assessed.

The charts below give an overview of how the controls within the application align with security best practices, shown as a summary and per category. Red denotes a low level of alignment with best-practice security controls, yellow a moderate level of alignment, and blue a high level of alignment. Each control category is based on the deficiencies identified in the application, and the application is measured only against relevant test controls.

[Figure 1 - Overall alignment with best security practices]

[Figure 2 - Alignment with best security practices per category]

It is important to note that this report represents a snapshot of the security of the assessed environment at a point in time. Conditions may have improved, deteriorated, or remained the same since this assessment was completed.
Application Security Test Cases

During interaction with the application and hosts, the following areas of testing were executed based on Accuvant LABS' comprehensive application test plan. The work plan was composed using years of application security review experience and is a superset of related guidelines published by OWASP, WASC, and MSDN. The plan includes the following categories:

Application Security: Test cases for the application server, client, and related components at the application level. This may include review of source code, binary analysis, manual interaction, and/or architecture review of the systems. This control list also includes application architecture controls; while these controls may not map directly to an exploitable issue, they often relate to poor security practices.

Environment and Configuration: Test cases for the server, clients, and related systems. This section may include review of hardening standards and baselines to identify security issues.

Compliance: Test cases for issues that relate to a specific industry or regulatory standard, such as the PCI Data Security Standard (PCI-DSS) or the HIPAA Security Rule.

The information compiled during this phase is the result of manual testing. The Result column in the spreadsheet indicates the result of each test:

(P) Pass - The application is not vulnerable to the test.
(F) Fail - The application is vulnerable to the test.
(N) Not Applicable - The test in question was not executed or is irrelevant to the application.
Testing Security Controls

Security Control                                         Result  Reference
--------------------------------------------------------  ------  ---------
Denial-of-Service Testing
  DoS via Resource Exhaustion                             P
  DoS of Supporting Services or Components                P
  DoS Abuse of Application Functionality                  P
Authentication
  Weak Password Complexity Controls                       P
  Lack of Password History Controls                       P
  Weak Authentication Token Implementation                P
  Insecure Password Reset                                 P
  Insecure Account Creation                               P
Authorization Controls
  Improper Authorization Controls on URL                  P       OWASP-A8
  CSRF via Parameter Manipulation                         P       OWASP-A5
Data and Input Validation
  Stored XSS                                              F       OWASP-A2
  Reflected XSS                                           F       OWASP-A2
  DOM Based XSS                                           F       OWASP-A2
  Command Injection                                       P       OWASP-A1
  LDAP Injection                                          P       OWASP-A1
  SMTP Injection                                          P       OWASP-A1
  XML Injection                                           P       OWASP-A1
  ORM Injection                                           P       OWASP-A1
  SQL Injection                                           P       OWASP-A1
  Code Injection                                          P       OWASP-A1
  Header Injection                                        P       OWASP-A1
  Directory Traversal                                     P       OWASP-A1

Notes on failed controls:

Stored XSS (F, OWASP-A2): At the time of the assessment the application was vulnerable to stored and reflective XSS attacks. Remediation steps include implementing proper data validation and sanitization routines and ensuring that reflected input is HTML special-entity encoded prior to being included in the server's response. This vulnerability has since been remediated, retested, and verified to be fixed.

Reflected XSS (F, OWASP-A2): This vulnerability has since been remediated, retested, and verified to be fixed.

DOM Based XSS (F, OWASP-A2): This vulnerability has since been remediated, retested, and verified to be fixed.
Security Control                                         Result  Reference
--------------------------------------------------------  ------  ---------
Data and Input Validation (continued)
  Parameter Manipulation                                  P       OWASP-A1
Sensitive Data Handling
  Plaintext Credentials Stored in Application             P       OWASP-A7
  Non-PII Sensitive Data Stored in Plaintext              P       OWASP-A7
  PII Data Stored in Plaintext                            P       OWASP-A7
  Insecure Key Management                                 P       OWASP-A7
  Weak Entropy Source/Weak Random Generation Mechanism    P       OWASP-A7
  Insecure Hashing Mechanism                              P       OWASP-A7
  Weak Data Encryption                                    P       OWASP-A7
Session Control
  Session Token Expiration                                P
  Session Termination and Destruction                     P
  Session Fixation/Sidejacking                            P
  Weak Entropy of Session ID                              P
  Insecure Transmission of Session Tokens                 P
  Session Binding                                         P
  Insecure Session Storage (Client-Side)                  P
  Insecure Session Storage (Server-Side)                  P
Content Security
  File Upload Type Restrictions                           P
  Temporary File Storage Outside of the Web Root          P
  Can Uploaded Files be Viewed/Executed                   P
Secure Channel Enforcement
  Insecure Transmission of Credentials                    P       OWASP-A9
  Insecure Transmission of Session Tokens                 P       OWASP-A9
Exception Management
Security Control                                         Result  Reference
--------------------------------------------------------  ------  ---------
Exception Management (continued)
  Detailed Error Messages                                 P
  Custom Error Pages                                      P
Information Leakage
  Sensitive Data Information Leakage                      P
  User Enumeration                                        P
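The three Data and Input Validation controls that failed (stored, reflected, and DOM-based XSS) share the remediation the report names: validate input where it has a known shape, and HTML-entity-encode untrusted data before it is written into the server's response. The Python example below is added here to illustrate that fix; it is not code from this report or from Spigit's Engage application. The template string, the sample comment, the username allowlist, and the helper names (render_comment_vulnerable, render_comment_safe, encode_html, validate_username, element_names, injects_markup) are all assumptions constructed for the illustration. Server-side encoding addresses the stored and reflected cases; the DOM-based case is closed on the client by writing untrusted values through text assignment rather than HTML insertion, which this server-side example does not cover.

```python
"""Added example (not from the report or Spigit's code): the XSS remediation
the report describes, shown as a vulnerable render beside its encoded form,
plus the kind of retest check used to confirm the fix."""
import html
import re

# Constructed sample input, as a stored comment or reflected search term might
# arrive: ordinary text that happens to contain characters with HTML meaning.
SAMPLE_INPUT = 'Bob <b>says</b> "hello" & \'bye\''

# Matches the start of any element the browser would parse: "<", optional "/",
# then a tag name. Used by the retest helper, not by the fix itself.
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][\w-]*)")


def render_comment_vulnerable(comment: str) -> str:
    """'Before' form: the value is concatenated into the response unencoded,
    so the browser parses any markup in it as part of the page."""
    return f'<div class="comment">{comment}</div>'


def encode_html(text: str) -> str:
    """Encode the characters that carry meaning in HTML text and attribute
    contexts (& < > " ') as entities. html.escape replaces & first, so
    existing entities in the input are not double-decoded by the browser."""
    return html.escape(text, quote=True)


def render_comment_safe(comment: str) -> str:
    """'After' form: untrusted data is entity-encoded at the point it is
    written into the response, the fix the report describes."""
    return f'<div class="comment">{encode_html(comment)}</div>'


def validate_username(value: str) -> str:
    """Input validation for a field with a known shape (hypothetical username
    rule): accept only an allowlisted character set and length, reject the
    rest. Validation narrows what reaches the application; output encoding
    is still required for free-text fields such as comments."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", value):
        raise ValueError("username contains characters outside the allowlist")
    return value


def element_names(fragment: str) -> list[str]:
    """Retest helper: list the element names a browser would see in a
    rendered fragment, in document order (closing tags included)."""
    return [m.group(1).lower() for m in TAG_RE.finditer(fragment)]


def injects_markup(render, comment: str) -> bool:
    """True if rendering `comment` through `render` yields elements beyond
    those of the empty-input template, i.e. input was interpreted as HTML."""
    baseline = element_names(render(""))
    return element_names(render(comment)) != baseline


if __name__ == "__main__":
    print(render_comment_vulnerable(SAMPLE_INPUT))
    print(render_comment_safe(SAMPLE_INPUT))
    print("vulnerable injects markup:",
          injects_markup(render_comment_vulnerable, SAMPLE_INPUT))
    print("safe injects markup:",
          injects_markup(render_comment_safe, SAMPLE_INPUT))
```

injects_markup is the shape of the retest step the report records for the three failed controls: after the fix, the rendered response must contain no elements beyond those of the template, whatever the input contained. Encoding at the output point, rather than stripping characters on input, is what keeps text such as the sample comment intact while preventing it from being parsed as markup.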