Internet Banking System Web Application Penetration Test Report

Similar documents
ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Chapter 17. Transport-Level Security

WHITE PAPER. GoToMyPC. Citrix GoToMyPC Corporate Security FAQs. Common security questions about Citrix GoToMyPC Corporate.

Criteria for web application security check. Version

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

Security Protocols/Standards

Using a Malicious Proxy to Pilfer Data & Wreak Havoc. Edward J. Zaborowski ed@thezees.net

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010

Secure Web Appliance. SSL Intercept

Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day. SSL Certificate - Subject Common Name Does Not Match Server FQDN

Lecture 11 Web Application Security (part 1)

HTTPS HTTP. ProxySG Web Server. Client. ProxySG TechBrief Reverse Proxy with SSL. 1 Technical Brief

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Connecting an Android to a FortiGate with SSL VPN

BlackShield ID Agent for Terminal Services Web and Remote Desktop Web

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council

Configuration Guide. SafeNet Authentication Service. SAS Agent for Microsoft Outlook Web Access 1.06

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Online Data Services. Security Guidelines. Online Data Services by Esri UK. Security Best Practice

Client logo placeholder XXX REPORT. Page 1 of 37

The Trivial Cisco IP Phones Compromise

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

BlackShield ID Agent for Remote Web Workplace

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Cisco AnyConnect Secure Mobility Client VPN User Messages, Release 3.1

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Hack Proof Your Webapps

Automated Vulnerability Scan Results

Three attacks in SSL protocol and their solutions

IBM Managed Security Services Vulnerability Scanning:

Workday Mobile Security FAQ

How To Protect A Web Application From Attack From A Trusted Environment

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

Intro to Firewalls. Summary

RemotelyAnywhere. Security Considerations

Using Foundstone CookieDigger to Analyze Web Session Management

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

My FreeScan Vulnerabilities Report

Dashlane Security Whitepaper

Vulnerability Assessment & Penetration Test Report For

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Web Application Firewall

Security features of ZK Framework

(WAPT) Web Application Penetration Testing

Acano solution. Security Considerations. August E

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Guidelines for Web applications protection with dedicated Web Application Firewall

April 11, (Revision 2)

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

What is Web Security? Motivation

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Configuration Guide. SafeNet Authentication Service. SAS Agent for Microsoft Outlook Web App. Technical Manual Template

SSL-TLS VPN 3.0 Certification Report. For: Array Networks, Inc.

Integrated SSL Scanning

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

Web application security

Application Security Testing. Generic Test Strategy

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Introduction. Purpose. Background. Details

Check list for web developers

Exploiting Foscam IP Cameras.

SSL and Browsers: The Pillars of Broken Security

PaperCut Payment Gateway Module - PayPal Payflow Link - Quick Start Guide

Where every interaction matters.

Security Evaluation CLX.Sentinel

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Sample Report. Security Test Plan. Prepared by Security Innovation

Session Management in Web Applications

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Chapter 7 Transport-Level Security

National Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement Exit Conference...

Network Security Audit. Vulnerability Assessment (VA)

RemotelyAnywhere. Security Overview

Topics in Network Security

New Systems and Services Security Guidance

WPAD TECHNOLOGY WEAKNESSES. Sergey Rublev Expert in information security, "Positive Technologies"

Secure Client Guide

Configuring and Monitoring the Client Desktop Component

Penetration Testing Report Client: Business Solutions June 15 th 2015

Security First Umbrella

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

PCI Compliance Considerations

Pentesting Mobile Applications

Implementation Vulnerabilities in SSL/TLS

Security from the Ground Up eblvd uses a hybrid-asp model designed expressly to ensure robust, secure operation.

PaperCut Payment Gateway Module - PayPal Payflow Link - Quick Start Guide

Locking down a Hitachi ID Suite server

THE OPEN UNIVERSITY OF TANZANIA

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

The Key to Secure Online Financial Transactions

MANAGED SECURITY TESTING

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Webmail Using the Hush Encryption Engine

The Secure Sockets Layer (SSL)

CS5008: Internet Computing

GoToMyPC Corporate Security FAQs

Transcription:

Internet Banking System Web Application Penetration Test Report Kiev - 2014

1. Executive Summary This report represents the results of the Bank (hereinafter the Client) Internet Banking Web Application (hereinafter the Application) penetration test conducted by Berezha Security between 28th of December and 16th of November 2014. As a result of the penetration test, we have concluded that the overall security of the Application is in an acceptable state, while there are certain improvements that we recommend to implement in order to apply generally acceptable good practice for security of internet-facing online financial systems. 2 of 15

2. Immediate Remedial Actions No immediate remedial actions are required to be performed over the Application s security. 3 of 15

3. Scope and Goals The goal of the penetration test was to assess the security posture of online internet banking web application located by the URL https://www.thebank.com/payme/ and hosted on the system with external IP address X.X.X.X The Application was tested in two ways: without user access to the Application and with a valid user account provided by the Client. Since no significant access control vulnerabilities have been found during the penetration test, this report does not differentiate the findings by the manner of their discovery (e.g. authenticated or unauthenticated). During the penetration test we have experienced multiple occasions of unpredictable temporary increases of response time of the Application while the latency of the hosting system remained within acceptable limits. We assume this behavior to be caused by the fact that the Application still remains in its development phase and may have been changed during the penetration test. We recommend the Client to investigate this issue and insure that no such behavior is demonstrated by the Application in production. 4 of 15

4. Overview of the Results During the penetration test we have discovered 11 significant vulnerabilities that we recommend remediating, including 2 vulnerabilities of High risk, 3 vulnerabilities of Medium risk, and 6 vulnerabilities of Low risk. 2 of the discovered vulnerabilities have Potential status, and the status of 9 vulnerabilities is Real. High Medium Low Potential Real 2 2 6 3 9 We recommend remediating the vulnerabilities of High risk before moving Application to production. In case required changes and extensions are not acceptable from the time and budget point of view, the Client s responsible management should accept related risks and plan remediation activities after production release. 5 of 15

5. Technical Results This section contains detailed descriptions of the vulnerabilities we have discovered during the penetration test along with the remediation steps we recommend to take in order to eliminate them. The issues are outlined in order of descending Risk value. Please refer to Appendix A for details on the risk assessment methodology used in this report. The Status value of each vulnerability is either Potential or Real. Potential vulnerabilities do not pose direct risk to the Application but might be used by a malicious person in order to perform certain attacks. Though, there is no sufficient evidence that Potential attacks may be effectively used to attack the Application. In contrast, Real vulnerabilities were verified and are backed by sufficient evidence. However, this status does not signal that an attacker may easily and readily use the vulnerability: the probability of such event is indicated by the Risk value. Please see Appendix B for the evidence of each vulnerability and related explanation. Table 1. Vulnerabilities and Recommendations Index Title Description Risk Status VULN-01 One-Factor User Authentication User authentication mechanism of the Application does not involve a second factor of authentication. High Potential Remediation Consider adding a second authentication factor to the access control subsystem of the Application. Comments For a web-application that allows bank account manipulations (e.g. transfers of funds) it is essential to strengthen the user authentication process by a second factor such as hardware or software token, or a onetime password delivered out-of-band. 6 of 15

Index Title Description Risk Status VULN-02 No Lock-Out After Failed Authentication Attempts Although we observed that multiple failed authentication attempts using the same user name result in the secure lock-out of a corresponding user account, it is still possible to mount password guessing attacks using different user names. High Potential Remediation Consider adding a mechanism of secure source blocking after multiple failed authentication attempts using different user names. Comments Secure lock-out is used by the Application to protect user accounts against targeted password guessing attacks. This approach is efficient assuming that Application user names cannot be easily guessed. However, during the penetration test we have been provided with a user account with a numerical user name. Based on that, we assumed that the user name convention of the Application is the sequence of 4 digits. Also the user names might as well be sequential 4-digit numbers. In case if these assumptions hold true, it is easy for an attacker to mount username-guessing attacks rotating through predictable user name space and trying a few most popular passwords against each user account. We have performed an imitation of the attack explained above. Although the imitation had no positive outcome within a short time frame of a few hours, it has demonstrated that this attack vector is available and can be used by any internet user. Index Title Description Risk Status VULN-03 SSL Certificate Is Not Trusted The server's certificate is not trusted, which means any trusted SSL Certification Authority did not sign it. Instead, SSL certificate is signed by a test CA run by the VeriSign company for trial use. Medium Real 7 of 15

Remediation Although in general SSL certificate issues may constitute a significant risk of information disclosure or disruption, we assume that the web server is going to be configured with a valid SSL certificate before moving to production. Comments SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate, which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed. Index Title Description Risk Status VULN-04 The POODLE Attack (SSLv3 Is Supported) The SSL server (port: 443) encrypts traffic using a vulnerable version of SSLv3.0. An attacker may be able to exploit this problem to conduct man-in-themiddle attacks and decrypt communications between the affected service and clients. Medium Real Remediation It's recommended to disable SSLv3 and replace it with TLSv1.0 as soon as compatibility with legacy clients is no longer required. (The only browser that does not support TLSv1.0 is Internet Explorer 6). To disable SSLv2 and SSLv3: For Apache: SSLProtocol all -SSLv2 -SSLv3 Comments Websites that support SSLv3 and CBC-mode ciphers are potentially vulnerable to an active MITM (Man-in-the-middle) attack. This attack, called POODLE, is similar to the BEAST attack and also allows a network attacker to extract the plaintext of targeted parts of an SSL connection, usually cookie data. Unlike the BEAST attack, it doesn't require such extensive control of the format of the plaintext and thus is more practical. Any website that supports SSLv3 is vulnerable to POODLE, even if it also supports more recent versions of TLS. SSLv3 will be disabled by default in Firefox 34, which will be released on Nov 25 2014. 8 of 15

Index Title Description Risk Status VULN-05 Session Token In URL 9 instances of this issue were identified, at the following locations: [URLs redacted] Low Real Remediation The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method. As it is shown in the evidence section, the application uses tokens in URLs that point to non-sensitive data that can be accessed without authentication based on session tokens. It is recommended to store non-sensitive website information (e.g. JavaScript modules, static image files) in the areas that do not require user authentication. Comments Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed onscreen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referrer header when any off-site links are followed. Placing session tokens into the URL increases the risk that an attacker will capture them. [The rest of vulnerability descriptions were redacted.] 9 of 15

Appendix A. Risk Evaluation Methodology Issue Risk is defined as a product of Issue Impact and Issue Exploitability: Risk = Impact * Exploitability Further risk evaluation is performed according to the following taxonomy and selection principles. Table 2. Issue Impact Value Critical High Medium Low Description The issue can pose a very high security threat such as allow an attacker to gain full administrative access to the system, allow all traffic to pass through the security control device unfiltered etc. The issue poses significant security threat, but has some limitations on the extent to which they can be exploited. User level access to the system or a DoS vulnerability in a critical service would fall into this category. The issue has significant limitations on the impact it can cause. Typically such issues would include significant information leakage, denial of service or those that allow limited access to the system. The issue represents a low level security threat. A typical issue would involve information leakage that could be useful to an attacker, such as a list of users or software version details. Table 3. Issue Exploitability Value Trivial Easy Moderate Challenging N/A Description The issue requires little-to-no knowledge on behalf of an attacker and can be exploited using standard operating system tools. The issue requires some knowledge for an attacker to exploit, which could be performed using standard operating system tools or tools downloaded from the Internet. The issue requires specific knowledge on behalf of an attacker. The issue could be exploited using a combination of operating system tools or publicly available tools downloaded from the Internet. A security issue that falls into this category would require significant effort and knowledge on behalf of the attacker. The attacker may require specific physical access to resources or to the network infrastructure in order to successfully exploit it. Furthermore, a combination of attacks may be required. The issue is not directly exploitable. 10 of 15

Table 4. Risk Level Calculation Exploitability/Im pact 5 - Trivial 4 - Easy 3 - Moderate 2 - Challenging 1 - N/A 4 - Critical 20 16 12 8 4 3 - High 15 12 9 6 3 2 - Medium 10 8 6 4 2 1 - Low 5 4 3 2 1 Table 5. Risk Value Risk Level Risk Value 15-20 High 6-12 Medium 1-5 Low 11 of 15

Appendix B. Evidence VULN-01 One-Factor User Authentication Table 6. Penetration Test Evidence The Application login form does not require entry of any additional authentication information other than user ID and password. [Image redacted] 12 of 15

VULN-02 No Lock-Out After Failed Authentication Attempts Screenshots demonstrate that the attack imitation has been able to try passwords of different user accounts over 22 000 times. [Image redacted.] [Image redacted.] 13 of 15

VULN-03 SSL Certificate Is Not Trusted The web server SSL certificate is not signed by a trusted Certification Authority as shown on the screenshot below. [Image redacted] 14 of 15

VULN-04 The POODLE Attack (SSLv3 Is Supported) The Application web server supports SSL version 3 which is vulnerable to the POODLE Attack. [Image redacted] 15 of 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information