Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS




Web Application Vulnerability Assessment/Penetration Test
Prepared By: Accuvant LABS
November 20, 2012

Introduction

Defending the enterprise against security threats with today's complex information infrastructure requires a layered security strategy. The strategies in place should be structured to mitigate risk at defined points within the organization. Accuvant LABS works with organizations to locate where effective security measures can be applied, provides a working knowledge of the best in class products, and helps implement the final solution into the environment.

Background

Risk reduction through vulnerability assessments is one area where Accuvant LABS helps our customers better their overall security posture. As part of Spigit's ongoing commitment to ensuring the security and integrity of their external environment, Spigit has engaged Accuvant LABS on a quarterly basis to perform a security assessment of the Engage web application. The assessment was a one-week effort, completed in September 2012. Accuvant LABS' approach to security assessments is to locate application, network, and host vulnerabilities, document the findings, create a remediation plan to secure the system, and ensure the remediation efforts taken are successful.

Scope and Methodology

Accuvant LABS security specialists follow a detailed methodology to uncover system and application vulnerabilities. The assessment encompasses a detailed review of assets that can be detected from the Internet and perimeter architecture. Accuvant LABS consultants utilize multiple commercial and open source security tools, custom scripts, and manual validation techniques to scan for, enumerate, uncover, and exploit vulnerabilities. Commercial scanning tools, such as Nessus, Nexpose, and Acunetix, were used to identify host and application specific vulnerabilities. In addition to reviewing the application using a test environment, Accuvant LABS also reviews source code and performs threat-modeling exercises.

Throughout the course of the assessment, Accuvant LABS engaged Spigit's developers to review and discuss potential risks, threats, and vulnerabilities. The phases and associated components of this assessment included:

Assessment Phase: Application Testing
  Component: General Vulnerability Scanning
  Tasks: Accuvant LABS performs network service, enumeration, and vulnerability scanning of devices that support the application environment in order to identify known security issues or system configuration errors.
  Component: Automated Vulnerability Scanning
  Tasks: Using a comprehensive suite of application assessment tools, Accuvant LABS targets all visible tiers of the application interfaces from external sources to identify common application security flaws and vulnerabilities.
  Component: Manual Testing and Exploitation
  Tasks: Accuvant LABS executes manual testing procedures, including a comprehensive analysis of the areas identified within the Testing Controls checklist. Attempts are made at controlled exploitation of all issues identified by any of the tools used in earlier phases. Testing is performed for both unauthenticated and authenticated test scenarios within specified user roles.
Assessment Phase: Remediation Planning
  Component: Workshop
  Tasks: Throughout the engagement, Accuvant LABS worked in concert with the Spigit team to explain the vulnerabilities discovered during testing and assigned proper risk to the vulnerabilities within the context of the environment.

Revision: 1 Confidential Page 2 of 7

Assessment Summary

Spigit's customers can be assured that Spigit performed due diligence utilizing a trusted third party to independently evaluate the Engage web application from an information security standpoint. While the initial assessment of the Engage web application revealed minor areas that did not align with security best practices for web applications, direct attacks against the application and environment did not result in unauthorized access to Spigit systems or data assets within the application. Based on the findings observed and the remediation steps taken by Spigit, the overall security posture of the application and application environment can be classified as a low level of risk when compared to similar software Accuvant LABS has assessed.

The charts below are an overview of how the controls within the application align with security best practices, shown as a summary and per category. Red denotes a low level of alignment with best practice security controls, yellow a moderate level of alignment, and blue a high level of alignment. Each of the control categories is based on the deficiencies identified in the application, and the application is measured only against relevant test controls.

Figure 1 - Overall alignment with best security practices
Figure 2 - Alignment with best security practices per category

It is important to note that this report represents a snapshot of the security of the environment assessed at a point in time. Conditions may have improved, deteriorated, or remained the same since this assessment was completed.

Application Security Test Cases

During interaction with the application and hosts, the following areas of testing were executed based on Accuvant LABS' comprehensive application plan. The work plan was composed using years of application security review experience and is a superset of related guidelines published by OWASP, WASC and MSDN. The plan includes the following categories:

Application Security: Test cases for the application server, client and related components at the application level. This may include review of source code, binary analysis, manual interaction and/or architecture review of the systems. This control list also includes application architecture controls. While these controls may not map directly to an exploitable issue, they often relate to poor security practices.

Environment and Configuration: Test cases for the server, clients and related systems. This section may include review of hardening standards and baselines to identify security issues.

Compliance: Test cases for issues that relate to a specific industry or regulatory standard such as the PCI Data Security Standard (PCI-DSS) or the HIPAA security rule.

The information compiled during this phase is the result of manual testing. The associated Result column in the spreadsheet indicates the results of the test:

(P) Pass - The application is not vulnerable to the test.
(F) Fail - The application is vulnerable to the test.
(N) Not Applicable - The test in question was not executed or is irrelevant to the application.

Application Security Test Results

Testing Security Controls                              Results   Reference

Denial-of-Service
  DoS via Resource Exhaustion                          P
  DoS of Supporting Services or Components             P
  DoS Abuse of Application Functionality               P

Authentication
  Weak Password Complexity Controls                    P
  Lack of Password History Controls                    P
  Weak Authentication Token Implementation             P
  Insecure Password Reset                              P
  Insecure Account Creation                            P

Authorization Controls
  Improper Authorization Controls on URL               P         OWASP-A8
  CSRF via Parameter Manipulation                      P         OWASP-A5

Data and Input Validation
  Stored XSS                                           F         OWASP-A2
  Reflected XSS                                        F         OWASP-A2
  DOM Based XSS                                        F         OWASP-A2
  Command Injection                                    P         OWASP-A1
  LDAP Injection                                       P         OWASP-A1
  SMTP Injection                                       P         OWASP-A1
  XML Injection                                        P         OWASP-A1
  ORM Injection                                        P         OWASP-A1
  SQL Injection                                        P         OWASP-A1
  Code Injection                                       P         OWASP-A1
  Header Injection                                     P         OWASP-A1
  Directory Traversal                                  P         OWASP-A1
  Parameter Manipulation                               P         OWASP-A1

  Note on the XSS findings: At the time of the assessment the application was vulnerable to stored and reflective XSS attacks. Remediation steps include implementing proper data validation and sanitization routines and ensuring that reflected input is HTML special entities encoded prior to being included in the server's response. The stored, reflected and DOM based XSS vulnerabilities have since been remediated, retested and verified to be fixed.

Sensitive Data Handling
  Plaintext Credentials Stored in Application          P         OWASP-A7
  Non-PII Sensitive Data Stored in Plaintext           P         OWASP-A7
  PII Data Stored in Plaintext                         P         OWASP-A7
  Insecure Key Management                              P         OWASP-A7
  Weak Entropy Source/Weak Random Generation Mechanism P         OWASP-A7
  Insecure Hashing Mechanism                           P         OWASP-A7
  Weak Data Encryption                                 P         OWASP-A7

Session Control
  Session Token Expiration                             P
  Session Termination and Destruction                  P
  Session Fixation/Sidejacking                         P
  Weak Entropy of Session ID                           P
  Insecure Transmission of Session Tokens              P
  Session Binding                                      P
  Insecure Session Storage (Client-Side)               P
  Insecure Session Storage (Server-Side)               P

Content Security
  File Upload Type Restrictions                        P
  Temporary File Storage Outside of the Web Root       P
  Can Uploaded Files be Viewed/Executed                P

Secure Channel Enforcement
  Insecure Transmission of Credentials                 P         OWASP-A9
  Insecure Transmission of Session Tokens              P         OWASP-A9

Exception Management
  Detailed Error Messages                              P
  Custom Error Pages                                   P

Information Leakage
  Sensitive Data Information Leakage                   P
  User Enumeration                                     P
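The remediation the report names for the XSS findings, HTML special-entity encoding of reflected input before it is written into the server's response, together with the kind of retest check that confirms the fix, as an added example that is not code from the Accuvant report or from Spigit's Engage application. The page template, the URL and the probe string are constructed for illustration.

```python
"""Added example, not code from the Accuvant report or from Spigit's Engage
application: the remediation the report names for the XSS findings, HTML
special-entity encoding of reflected input before it reaches the response,
plus a retest check. The template, URL and probe string are constructed."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed page template: the search term lands in an element body and in a
# quoted attribute value, the two contexts reflected input most often reaches.
TEMPLATE = '<html><body><h1>Results for: {q}</h1><input value="{q}"></body></html>'

def _query_param(url: str) -> str:
    return parse_qs(urlsplit(url).query).get("q", [""])[0]

def render_vulnerable(url: str) -> str:
    """The 'before' state: the raw parameter is concatenated into the page."""
    return TEMPLATE.format(q=_query_param(url))

def render_hardened(url: str) -> str:
    """The remediated state: & < > " ' become entities before insertion, so the
    value cannot close the attribute or open a new tag in either context."""
    return TEMPLATE.format(q=html.escape(_query_param(url), quote=True))

class _MarkupCollector(HTMLParser):
    """Records start tags and on* event-handler attributes in a document."""
    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [k for k, _ in attrs if k.lower().startswith("on")]

def injected_markup(rendered: str, template_tags=("html", "body", "h1", "input")):
    """Retest check: list any tag or event handler the template did not define.
    An empty list means the reflected input was rendered as inert text."""
    p = _MarkupCollector()
    p.feed(rendered)
    extra = [t for t in p.tags if t not in template_tags]
    return sorted(set(extra + p.handlers))

# Constructed probe of the kind used to retest an XSS fix (URL-encoded
# "><script>alert(1)</script><img src=x onerror=alert(2)>).
PROBE_URL = ("https://app.example/search?q=%22%3E%3Cscript%3Ealert(1)"
             "%3C/script%3E%3Cimg%20src=x%20onerror=alert(2)%3E")

if __name__ == "__main__":
    print(injected_markup(render_vulnerable(PROBE_URL)))  # ['img', 'onerror', 'script']
    print(injected_markup(render_hardened(PROBE_URL)))    # []
```

The check parses the rendered response rather than grepping for the probe, so it also catches input that breaks out of the attribute context without containing a literal script tag.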