APPLICATION SECURITY AND ITS IMPORTANCE




Table of Contents

Application Security and Its Importance
Issues and Fixes
  Issue: XSS Vulnerabilities
  Issue: CSRF Vulnerability
  Issue: Cross Frame Scripting (XFS)/Clickjacking
  Issue: Weak Cache Policy/Server Cache Policy
  Issue: MIME Sniffing
  Issue: Cross Origin Resource Sharing (CORS)
  Issue: Browser Auto-complete
  Issue: HttpOnly and Secure Flags
  Issue: SHA1WithRSA for CSR Creation
  Issue: jQuery Migrated to a New Version to Avoid Vulnerabilities
  Issue: Session Fixation
  Issue: HTTP Methods Blocking
  Issue: SQL Injection Through Framework Build
  Issue: Weak SSL Cipher

Application Security and Its Importance

Password security has been, and will always be, a source of trouble for organizations across the globe. A weak password management solution can damage a company's reputation in the eyes of its customers. Hackers today have easy access to better hardware and modern attack techniques and are well placed to take advantage of any security vulnerability. A password management application offers considerable protection, but when the application itself contains vulnerabilities it is a recipe for disaster unless the organization carries out corrective action immediately. We at ManageEngine ADSelfService Plus take the utmost care to iron out any vulnerability that may arise in our product as soon as it is found. We prioritize password security above all and stay vigilant in dealing with issues related to it. Here is a list of the security vulnerabilities we have identified in our product and the way in which we have fixed them.

Issues and fixes:

Issue: XSS vulnerabilities
Cross-site scripting (XSS) attacks involve an attacker injecting a script into the target application. When the script is run by the user's browser, it executes within the security context of the application, undetected.
Fix: Any output the application displays for a corresponding user input is encoded before it is displayed, so that injected scripts are rendered as text rather than executed. In addition, the X-XSS-Protection header is set on every response; most browsers recognise this header and take action to block reflected XSS when they see it.

Issue: CSRF vulnerability
Cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.
Fix: The application sends a token with every request originating from it and refuses to run any action whose request does not carry the correct token. This fix was released with ADSelfService Plus build 5300 in May 2015.
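The two fixes above, output encoding for XSS and a per-request token for CSRF, are shown below in an added example. This is illustrative code written for this page, not ADSelfService Plus code; the SERVER_SECRET, the session identifiers and the form field name csrf_token are constructed assumptions. The example goes slightly beyond the text by showing that the encoder must match the output context (HTML body versus URL parameter).

```python
import hashlib
import hmac
import html
import secrets
from typing import Optional
from urllib.parse import quote

# Constructed server-side secret for this example; a real deployment would load it
# from protected configuration so that issued tokens survive a restart.
SERVER_SECRET = secrets.token_bytes(32)


def encode_for_html(value: str) -> str:
    """Encode untrusted text for an HTML element body or a quoted attribute value."""
    return html.escape(value, quote=True)


def encode_for_url(value: str) -> str:
    """Encode untrusted text for use inside a URL query parameter."""
    return quote(value, safe="")


def render_greeting(display_name: str) -> str:
    """Reflect a user-supplied name into a page with output encoding applied."""
    return f"<p>Welcome, {encode_for_html(display_name)}</p>"


def render_search_link(term: str) -> str:
    """Two contexts, two encoders: the href is URL-encoded, the link text is HTML-encoded."""
    return f'<a href="/search?q={encode_for_url(term)}">{encode_for_html(term)}</a>'


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session anti-CSRF token as an HMAC of the session id under the server secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def handle_state_change(session_id: str, form: dict) -> tuple:
    """Gate a state-changing request (for example a password reset) on a valid token.

    Returns an (HTTP status, message) pair; the hypothetical form field is csrf_token.
    """
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "missing or invalid anti-CSRF token"
    return 200, "ok"


if __name__ == "__main__":
    print(render_greeting("<script>alert(1)</script>"))
    token = issue_csrf_token("session-abc")
    print(handle_state_change("session-abc", {"csrf_token": token}))
    print(handle_state_change("session-abc", {}))
```

The token is derived from the session id rather than stored, so a request forged from another site (which cannot read the victim's token) fails the check even though the browser attaches the session cookie automatically.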

Issue: Cross Frame Scripting (XFS)/Clickjacking
In an XFS attack, the attacker exploits a specific cross-frame-scripting bug in a web browser to access private data on a third-party website.
Fix: This vulnerability has been fixed by setting X-Frame-Options to SAMEORIGIN in the response header. This prevents third-party sites from loading ADSelfService Plus in iframes.
Note: To enable this fix, open the file conf\security-params.xml from the installation folder and remove the # at the beginning of the X-Frame-Options line.

Issue: Weak Cache Policy/Server Cache Policy
Normally secure HTTPS sessions can be compromised through stored copies of sensitive pages in a shared cache or the browser cache.
Fix: Every HTTP page in the product is served with Cache-Control, Pragma and Expires response headers that prevent any data from being cached.
Note: To enable this fix, open the file conf\security-params.xml from the installation folder and remove the # at the beginning of the corresponding line.

Issue: MIME sniffing
Attackers manipulate the web application into serving their content as HTML and inject their scripts into it.
Fix: This vulnerability has been fixed by setting X-Content-Type-Options to nosniff.
Note: To enable this fix, open the file conf\security-params.xml from the installation folder and remove the # at the beginning of the X-Content-Type-Options line.

Issue: Cross Origin Resource Sharing (CORS)
A CORS attack allows restricted resources on a web page to be requested from a domain other than the one from which the resource originated.
Fix: Setting Access-Control-Allow-Origin to a specific domain name has fixed the CORS vulnerability.

Issue: Browser auto-complete
Modern browsers cache the credentials of users and administrators and autofill them the next time the form is shown.
Fix: The autocomplete attribute of every password field is set to off to fix the auto-complete issue.

Issue: HttpOnly and Secure flags
This vulnerability is a variation of the well-known man-in-the-middle attack. When plain HTTP is used, the traffic is sent in cleartext, which allows an attacker to read or modify it.
Fix: The authentication cookie is set with the HttpOnly and Secure flags. Script access to the cookie then returns only an empty string, and the cookie is sent only over HTTPS, so an attacker intercepting the traffic obtains no useful data.
Note: HTTPS has to be enabled for the Secure flag to be set on the authentication cookie.

Issue: SHA1WithRSA for CSR creation
The SHA1WithRSA signature algorithm used when creating the certificate signing request (CSR) relies on SHA-1, which has been found to be vulnerable.
Fix: CSR creation now uses SHA256WithRSA to overcome this security vulnerability.

Issue: jQuery migrated to a new version to avoid vulnerabilities
The jQuery v1.4 that was used had security vulnerabilities.
Fix: Migrating to jQuery v1.8 has fixed those security vulnerabilities.

Issue: Session fixation
Session fixation is an attack which steals the user's session by obtaining the session ID from users through a hyperlink or cookie.
Fix: Tomcat provides a fix by using a different session ID for each session. Additionally, ADSelfService Plus does not add the session ID to any hyperlink within the product. Moreover, stealing the cookie can be achieved only by performing an XSS attack, against which the product is safe.

Issue: HTTP methods blocking
HTTP methods like HEAD, DELETE, PUT, OPTIONS and CONNECT are unused in the product. These unused methods may be harnessed to perform unintended behaviour.
Fix: ADSelfService Plus blocks all unused HTTP methods to overcome this vulnerability.

Issue: SQL injection through framework build
SQL injection is a type of web application security vulnerability in which an attacker is able to submit a database SQL command that is executed by the web application, exposing the back-end database.
Fix: Database operations are handled through our internal framework to prevent security breaches.

Issue: Weak SSL cipher
Weak SSL ciphers were used for encryption.
Fix: To fix this issue without compromising browser compatibility, use these ciphers (Mozilla recommendations):
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA

To fix this issue with enhanced security, at the cost of some browser compatibility, use these ciphers (OWASP recommendations):
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

We have always valued our customers' security concerns above all others and resolve vulnerabilities as soon as we find them. We assure you that we will continue to do so and provide you with as vulnerability-free a password management solution as possible. If you find any vulnerability in our product that you feel we have not yet addressed, please contact us at support@adselfserviceplus.com
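The weak SSL cipher section above gives two cipher-suite lists but no way to judge a suite on its own. The following added example (written for this page, not ManageEngine code) parses IANA-style suite names and grades them on the two properties that separate the lists: whether the key exchange gives forward secrecy (ECDHE/DHE rather than static RSA or ECDH) and whether the cipher is an AEAD mode (GCM) rather than CBC. The grade labels "preferred", "acceptable", "legacy" and "reject" are this example's own classification, not a standard; the normalise() helper exists because long suite names are often word-wrapped with stray spaces when copied from documents.

```python
import re

# IANA TLS 1.2-style suite names, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
# Group "kx" is the key exchange; "auth" is the signature algorithm when it is
# spelled separately (TLS_RSA_WITH_... uses RSA for both, so "auth" is absent).
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z]+?)(?:_(?P<auth>RSA|ECDSA|DSS))?"
    r"_WITH_(?P<cipher>.+)_(?P<mac>SHA256|SHA384|SHA)$"
)

# Bulk ciphers that are considered broken or deprecated regardless of key exchange.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES_", "NULL")


def normalise(name: str) -> str:
    """Remove whitespace that word-wrapping inserts into a long suite name."""
    return re.sub(r"\s+", "", name)


def assess(name: str) -> dict:
    """Parse one suite name and grade it on forward secrecy and AEAD use."""
    name = normalise(name)
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx = m["kx"]
    auth = m["auth"] or kx
    cipher = m["cipher"]
    forward_secret = kx in ("ECDHE", "DHE")
    aead = cipher.endswith("_GCM") or "CHACHA20" in cipher
    weak_cipher = any(marker in cipher for marker in WEAK_CIPHER_MARKERS)

    if weak_cipher:
        grade = "reject"          # RC4/3DES/NULL: broken bulk cipher
    elif not forward_secret:
        grade = "legacy"          # static RSA/ECDH: no forward secrecy
    elif aead:
        grade = "preferred"       # ephemeral key exchange + AEAD
    else:
        grade = "acceptable"      # ephemeral key exchange but CBC + HMAC

    return {
        "name": name, "kx": kx, "auth": auth, "cipher": cipher, "mac": m["mac"],
        "forward_secret": forward_secret, "aead": aead, "grade": grade,
    }


def order_suites(names) -> list:
    """Return suite names ordered preferred first, then acceptable; legacy and reject are dropped.

    The sort is stable, so suites of equal grade keep the caller's order.
    """
    rank = {"preferred": 0, "acceptable": 1}
    graded = [assess(n) for n in names]
    kept = [g for g in graded if g["grade"] in rank]
    kept.sort(key=lambda g: rank[g["grade"]])
    return [g["name"] for g in kept]


if __name__ == "__main__":
    sample = [
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AE S_256_GCM_SHA384",   # wrapped name, constructed
    ]
    for n in sample:
        a = assess(n)
        print(f"{a['name']:45} fs={a['forward_secret']!s:5} aead={a['aead']!s:5} {a['grade']}")
    print(order_suites(sample))
```

Run against the Mozilla list above, the tool keeps only the four ECDHE suites; run against the OWASP list, the TLS_ECDH_* (static ECDH) entries are graded legacy, which is the main reason that list trades compatibility for strength.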
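Several of the fixes above (X-Frame-Options, the cache headers, X-Content-Type-Options, Access-Control-Allow-Origin, the HttpOnly and Secure cookie flags, and HTTP method blocking) are all visible in a single HTTP response, so an administrator can verify them after editing conf\security-params.xml by inspecting what the server actually sends. The added example below is a small audit written for this page, not part of ADSelfService Plus; the two raw responses, the cookie name JSESSIONID and the allowed-method set are constructed.

```python
# Constructed responses: the first is missing every hardening header, the second
# carries the headers and cookie flags described in the fixes above.
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Access-Control-Allow-Origin: *",
    "Set-Cookie: JSESSIONID=abc123; Path=/",
]) + "\r\n\r\n<html><body>login</body></html>"

HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "X-Frame-Options: SAMEORIGIN",
    "X-Content-Type-Options: nosniff",
    "Cache-Control: no-store, no-cache, must-revalidate",
    "Pragma: no-cache",
    "Expires: 0",
    "X-XSS-Protection: 1; mode=block",
    "Access-Control-Allow-Origin: https://selfservice.example.com",
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; Secure",
]) + "\r\n\r\n<html><body>login</body></html>"

# Hypothetical allow-list: the methods the application actually needs.
ALLOWED_METHODS = frozenset({"GET", "POST"})


def parse_response(raw: str):
    """Split a raw HTTP response into (status line, [(lowercased name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def audit_response(raw: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    _, headers, _ = parse_response(raw)
    found = {}
    for name, value in headers:
        found.setdefault(name, []).append(value)

    def first(name: str) -> str:
        return found.get(name, [""])[0].lower()

    findings = []
    if first("x-frame-options") not in ("sameorigin", "deny"):
        findings.append("X-Frame-Options missing or permissive (clickjacking/XFS)")
    if first("x-content-type-options") != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff (MIME sniffing)")
    if "no-store" not in first("cache-control"):
        findings.append("Cache-Control lacks no-store (weak cache policy)")
    if first("pragma") != "no-cache":
        findings.append("Pragma: no-cache missing (weak cache policy)")
    if "expires" not in found:
        findings.append("Expires header missing (weak cache policy)")
    if "*" in found.get("access-control-allow-origin", []):
        findings.append("Access-Control-Allow-Origin is a wildcard (CORS)")
    # Each Set-Cookie header is checked separately; attributes are case-insensitive.
    for cookie in found.get("set-cookie", []):
        parts = [p.strip().lower() for p in cookie.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        if "httponly" not in parts[1:]:
            findings.append(f"cookie {cookie_name} lacks HttpOnly")
        if "secure" not in parts[1:]:
            findings.append(f"cookie {cookie_name} lacks Secure")
    return findings


def is_method_allowed(method: str) -> bool:
    """Deny-by-default check for the HTTP method of an incoming request."""
    return method.upper() in ALLOWED_METHODS


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or ["all checks passed"])
    print("TRACE allowed:", is_method_allowed("TRACE"))
```

Reading the headers as sent, rather than the configuration file, is the point: the Note entries above show that a fix can be present in conf\security-params.xml yet still commented out.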
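The SQL injection section above says database operations go through an internal framework without showing what that framework must do. The added example below (written for this page; it is not the product's framework) contrasts string-built SQL with a bound parameter on a constructed in-memory SQLite table, and adds the case parameters cannot cover: an identifier such as an ORDER BY column, which has to be validated against an allow-list instead.

```python
import sqlite3

# Allow-list for identifiers that cannot be bound as parameters (hypothetical columns).
SORTABLE_COLUMNS = frozenset({"username", "email"})


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """BEFORE: the input is spliced into the SQL text, so the database parses it as SQL."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """AFTER: a bound parameter keeps the input as data whatever characters it contains."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list:
    """Identifiers cannot be parameterised; reject anything not on the allow-list."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return conn.execute(f"SELECT username, email FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # constructed input containing SQL metacharacters
    print("vulnerable:", lookup_user_vulnerable(db, probe))
    print("safe:      ", lookup_user_safe(db, probe))
    print("sorted:    ", list_users_sorted(db, "email"))
```

The vulnerable variant returns every row for the probe input because the quote closes the string literal; the safe variant returns nothing because no user is literally named that. A framework that enforces the second form everywhere is what the fix above relies on.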