Contents
Executive Summary ........ 3
Methodology ........ 3
Risk Rating Definitions ........ 4
Detailed Findings and Recommendations ........ 5
1. Confirmed Blind SQL Injection ........ 5
2. Session Identifier Not Updated ........ 6
3. Apache Chunked Encoding Overflow ........ 7
4. Possible PHP Source Code Disclosure ........ 8
5. SSL/Encryption Not Enforced ........ 9
6. Cross-Site Request Forgery ........ 10
7. Directory Listings with Config/Admin Pages ........ 10
8. Apache Specific Web Directories Listings ........ 12
9. Common Documentation Text Files ........ 12
10. System File Path Disclosure ........ 12
Executive Summary
During the time frame of June 15th to July 3rd, a web application security assessment (WASA) of the BP Candidate Dashboard was conducted. The overall objective of the assessment was to determine the security risks present in the BP Candidate Dashboard. The objectives of this vulnerability assessment were to evaluate the security-related controls embedded in the web application and to determine whether adequate security controls are in place.

The security controls of the BP Candidate Dashboard with respect to the Information Security policies were found to need improvement. Several high severity items were discovered that should be addressed as soon as possible. Matters warranting management's attention and details of the findings are presented in the Detailed Findings section of this report. A sample of the items observed: blind SQL injection, cross-site request forgery, session ID values not being updated adequately, lack of site-wide encryption, directory listings containing sensitive files, local system path disclosure, and generic information leakage related to the host web server and associated applications.

Supporting detailed reports from the automated scanning tools are available and will be distributed to those with a need to know or upon request. These reports should be leveraged to help identify all instances of the vulnerabilities outlined within this document.
Methodology
To perform the web application testing we assumed the role of an authenticated user of the system. We used publicly available tools and information to identify vulnerabilities in the web application. Our manual testing was supplemented by automated scanners such as ProxyStrike, Fierce DNS Scanner, Nessus, Burp Suite, HP WebInspect, and IBM AppScan. The goal of the web application assessment is to perform a careful inspection of the application to identify potential threats from both a technical and an administrative standpoint. In performing these tests we attempted to identify weaknesses in areas including client-side controls, business logic flaws, authentication, session management, access controls, input validation, and web server or operating system flaws.
video_id=1%09AND%09(select%09ASCII(SUBSTR(schema()%2c15%2c1)))%09%3c0%09Or %093%3d6
Impact: If successful, SQL injection can give an attacker access to backend database contents, the ability to remotely execute system commands, or in some circumstances the means to take control of the server hosting the database. Recommendations include employing a layered approach to security that includes utilizing parameterized queries when accepting user input, ensuring that only expected data is accepted by the application, and hardening the database server to prevent data from being accessed inappropriately.

Solution: Each method of preventing SQL injection has its own limitations. Therefore, it is wise to employ a layered approach to preventing SQL injection and implement several measures to prevent unauthorized access to your backend database. The following are recommended courses of action to prevent SQL injection and blind SQL injection vulnerabilities from being exploited in your web application:
- Parameterized queries
- Consistent error messaging schemes
- Strong SA password policy
- Input validation via a whitelisting method. Whitelisting is defined as only accepting specific account numbers or specific account types for those relevant fields, or only accepting integers or letters of the English alphabet for others.

Team Response:
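The following is an added illustration, not code from the assessed application, of why the video_id payload quoted in this finding works against string-built SQL and how the two recommended controls (whitelist validation plus parameterized queries) stop it. It uses an in-memory SQLite table and registers stand-ins for MySQL's schema() and ASCII() so the page's payload can be run unchanged; the table, row and schema name are constructed.

```python
import re
import sqlite3
from urllib.parse import unquote

# Payload quoted in this finding; %09 decodes to a tab, which SQL treats as whitespace.
PAYLOAD = unquote("1%09AND%09(select%09ASCII(SUBSTR(schema()%2c15%2c1)))%09%3c0%09Or%093%3d6")


def _connect() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the dashboard's video table."""
    conn = sqlite3.connect(":memory:")
    # SQLite lacks MySQL's schema() and ASCII(); register equivalents so the
    # MySQL-flavoured payload parses as-is (schema name is constructed).
    conn.create_function("schema", 0, lambda: "bp_candidate_dashboard")
    conn.create_function("ASCII", 1, lambda s: ord(s[0]) if s else 0)
    conn.execute("CREATE TABLE videos (video_id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO videos VALUES (1, 'Welcome video')")
    return conn


def lookup_vulnerable(video_id: str):
    """WHERE clause built by concatenation: the injected predicate is ANDed onto
    the real condition, so a true/false test changes whether the row comes back.
    That presence/absence difference is the oracle blind SQL injection relies on."""
    conn = _connect()
    row = conn.execute("SELECT title FROM videos WHERE video_id = " + video_id).fetchone()
    return row[0] if row else None


def validate_video_id(raw: str) -> int:
    """Whitelist validation: only a positive decimal integer of sane length is accepted."""
    if not re.fullmatch(r"[1-9][0-9]{0,9}", raw):
        raise ValueError("video_id must be a positive integer")
    return int(raw)


def lookup_hardened(video_id: str):
    """Whitelist the input, then bind it as a parameter so it can never become SQL."""
    vid = validate_video_id(video_id)
    conn = _connect()
    row = conn.execute("SELECT title FROM videos WHERE video_id = ?", (vid,)).fetchone()
    return row[0] if row else None
```

In the vulnerable path the payload yields an empty result where "1" yields the row, which is exactly the observable difference the scanner reported; the hardened path rejects the payload before any query is built.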
Impact: It is possible to steal or manipulate customer sessions and cookies, which might be used to impersonate a legitimate user, allowing the attacker to view or alter user records and to perform transactions as that user.

Solution: Always generate a new session for the user to log in to if they are successfully authenticated. Prevent the user's ability to manipulate the session ID. Do not accept session IDs provided by the user's browser at login.

Team Response:
Per RFC 2068, section 3.6, web servers are required to permit a client to break up a single request into multiple chunks of a specified length. The Apache HTTP Server in use has a software flaw in how it determines the size of the incoming data chunks.

Vulnerable Pages/Parameters:
Impact: If successfully exploited, an attacker may be able to remotely execute arbitrary commands on the remote system running the vulnerable version of Apache.

Solution: Upgrade to a version of the Apache HTTP Server that is no longer vulnerable to this issue.

Team Response:
Impact: Obtaining PHP source code on a system allows an attacker to view the logic of the script and extract extremely useful information such as code bugs or logins and passwords.

Solution: Recommendations include removing this script from the web server and moving it to a location not accessible from the Internet.

Team Response:
Solution: Install an SSL certificate on the web server. Ensure that all requests, not just login requests or other sensitive requests, are sent via an encrypted connection.

Team Response:
Impact: It is possible to steal or manipulate customer sessions and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records and to perform transactions as that user.

Solution: In order to avoid CSRF attacks, every request should contain a unique identifier, which is a parameter that an attacker cannot guess.

Team Response:
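The two session-management recommendations in this report (finding 2: issue a fresh session ID on login and never adopt one presented by the browser; finding 6: tie every state-changing request to an unguessable per-session token) are shown together in this added example. It is a constructed in-memory store, not the dashboard's code; the method names are hypothetical.

```python
import hmac
import secrets
from typing import Optional


class SessionStore:
    """Constructed session store demonstrating login-time ID regeneration
    and a per-session anti-CSRF token (hypothetical API, not the app's own)."""

    def __init__(self) -> None:
        self._sessions = {}  # sid -> {"user": Optional[str], "csrf": str}

    def new_anonymous(self) -> str:
        """Pre-authentication session, e.g. handed out on first visit."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return sid

    def login(self, presented_sid: Optional[str], user: str) -> str:
        """Call only after credentials have been verified. Whatever ID the browser
        presented is discarded (a fixated or guessed value never becomes an
        authenticated session) and a new ID plus a new CSRF token are issued."""
        if presented_sid in self._sessions:
            del self._sessions[presented_sid]  # invalidate the pre-login ID
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def user_for(self, sid: Optional[str]) -> Optional[str]:
        s = self._sessions.get(sid)
        return s["user"] if s else None

    def csrf_token(self, sid: str) -> str:
        """Embed this in every state-changing form or request for the session."""
        return self._sessions[sid]["csrf"]

    def verify_csrf(self, sid: str, submitted: Optional[str]) -> bool:
        """Reject a state-changing request unless it carries this session's token.
        compare_digest keeps the check constant-time."""
        s = self._sessions.get(sid)
        if s is None or submitted is None:
            return False
        return hmac.compare_digest(s["csrf"], submitted)
```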
Impact: It is possible to retrieve information about the site's file system structure, which may help the attacker to map the web site. The directories may also contain specific information relating to the database configuration, request log files, and other information that should be protected.

Solution: If the forbidden resource is not required, remove it from the site. If possible, issue a "404 - Not Found" response status code instead of "403 - Forbidden". This change will obfuscate the presence of the directory in the site and will prevent the site structure from being exposed.
Confidential - Copyright Kenexa, 2012 11
Team Response:
Impact: An attacker may be able to determine the version of Apache, or the file structure of the web site, to leverage in later multi-staged attacks.

Solution: Disable MultiViews in the Apache httpd.conf. Upgrade Apache and/or obfuscate the directories and related HTTP response data.

Team Response:
Impact: Fully qualified server path names allow an attacker to know the file system structure of the web server, which is a baseline for many other types of attacks to be successful.

Solution: Recommendations include adopting a consistent error handling scheme and mechanism that prevents fully qualified path names from being displayed.

Team Response: