
AKS INFORMATION TECHNOLOGY SERVICES PRIVATE LTD

Submitted by

AKS INFORMATION TECHNOLOGY SERVICES PRIVATE LTD.


May 2012 Commercial-in-confidence


Version   Person            Action        Date
1.0       Vivek Verma       Preparation   15 May 2012
1.1       Ashish K Saxena   Approval      15 May 2012

Contact Information
Please feel free to contact the following individual for information about this document.
Ashish Kumar Saxena, Managing Director
Tel: +91-120-4545911
TeleFax: +91 120 4243669
ashish@aksitservices.co.in

Company Address
AKS Information Technology Services Pvt Ltd, E-52, First Floor, Sector -3, Noida -201301
Tele: +91 120 4545911
TeleFax: +91 120 4243669
Website: http://www.aksitservices.co.in

Copyright
AKS Information Technology Services Pvt Ltd has created this document for your evaluation only. It contains proprietary information. Without our express permission you may not publish, disclose, or use this document or any of its contents for any purpose other than your evaluation. AKS IT. All rights reserved. This document and the intellectual property contained herein is the property of AKS Information Technology Services Pvt Ltd and may not be reproduced or transmitted in any form or by any means, or forwarded to any third party, without prior written consent from AKS Information Technology Services Pvt Ltd.


TABLE OF CONTENTS
Proposal at a Glance ............................ 4
Introduction .................................... 4
Specific Requirements & Scope ................... 4
Web Application Security Audit .................. 5
Standard ........................................ 5
Threats ......................................... 7
Criteria of Threat Rating ....................... 7
Black Box Testing ............................... 8
Consultants ..................................... 8
Methodology ..................................... 8
Deliverable ..................................... 9
What we require from you ........................ 9
Change Management ............................... 9
Acceptance ...................................... 9
Commercials & Project Time Lines ............... 10


Proposal at a Glance
This proposal is for the conduct of a security audit of the website of Rajkiya Intermediate College, Allahabad (http://updemo5.nic.in/Index.aspx).

Introduction
AKS Information Technology Services Pvt Ltd (AKS IT) is a front-runner IT security company. AKS IT implements IT security solutions for Government organizations and corporate sectors such as manufacturing, banking, telecom and pharmaceuticals. While our clients focus on their core business, we implement security solutions tailored to their requirements. AKS IT has its corporate office at Delhi and its head office at Noida. The company offers a full range of e-security auditing, consulting, training and technology services.

Electronic information is essential to the achievement of organizational objectives, and the reliability, integrity and availability of that information are a major concern. The use of computer networks, particularly the Internet, is revolutionising the way organizations conduct business. While the benefits have been enormous and vast amounts of information are at our fingertips, these interconnections also pose significant risks to computer systems, to information, and to the critical operations and infrastructures they support.

A Web Application Security Audit is the process of actively evaluating the pages of a web application to ensure that they have been developed within the guidelines of security best practice. It can be undertaken as part of a wider security audit or performed in isolation. It is of great importance for avoiding security holes in the application itself, and it improves the reliability, stability and performance of the application. The results of the application testing are delivered in a comprehensive report highlighting the vulnerabilities found and the recommendations for mitigating the risk.

Specific Requirements & Scope

This project involves addressing information security issues for the website of Rajkiya Intermediate College, Allahabad, consisting of approximately 15 input fields, to be hosted at NIC. The scope of this exercise shall be a Web Security Audit (Black Box Testing). Subsequently, the vulnerabilities/bugs found during the audit will be patched by your developers, and the web application(s) will be audited again to check for any remaining vulnerabilities. A certificate will be issued only when no vulnerability is found in the website.


Web Application Security Audit

Two types of testing are carried out for a complete check of a web application: functional testing and internal logic testing. Black box testing assesses functional operating effectiveness, and white box testing assesses the effectiveness of the software program logic. We would be carrying out black box testing for this application. The first level application audit would highlight vulnerabilities in the application such as Cross Site Scripting, SQL Injection, Buffer Overflows, Unvalidated Inputs and Insecure Storage. These would need to be addressed by the developers, after which the second or third level audits would be undertaken. Removal of flaws and vulnerabilities from the application depends on the capabilities of the application developers, and the subsequent level audits are driven by this necessity.

Standard
The standard used for web application testing is OWASP (Open Web Application Security Project). The OWASP 2007 Top Ten represents a broad consensus about what the most critical web application security flaws are. The following table summarizes the OWASP 2007 Top Ten Most Critical Application Security Vulnerabilities:

Top Ten Most Critical Application Security Vulnerabilities

A1  Cross Site Scripting (XSS)
    XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, possibly introduce worms, etc.

A2  Injection Flaws
    Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

A3  Malicious File Execution
    Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

A4  Insecure Direct Object Reference
    A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

A5  Cross Site Request Forgery (CSRF)
    A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.

A6  Information Leakage and Improper Error Handling
    Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to steal sensitive data or conduct more serious attacks.

A7  Broken Authentication and Session Management
    Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

A8  Insecure Cryptographic Storage
    Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.

A9  Insecure Communications
    Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

A10 Failure to Restrict URL Access
    Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.
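The following is an added illustration and is not part of the AKS IT proposal or of any tooling the audit uses: it shows the first two flaw classes of the table above, A1 (XSS) and A2 (injection), as the code pattern a first-level audit would report beside the pattern that passes, using only Python's standard library. The users table, the user names and the input strings are constructed sample data for a hypothetical page; the college website itself is not involved.

```python
"""Added example (not the proposal's own code): OWASP 2007 A1 and A2, each
shown as the handling an audit flags next to the handling that passes.
All data below is constructed; the schema is hypothetical."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user store standing in for a site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("principal", "admin"), ("student1", "student")],
    )
    conn.commit()
    return conn


# --- A2 Injection Flaws ----------------------------------------------------
def lookup_role_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Audit finding: user data is concatenated into the SQL text, so the
    interpreter parses whatever the user typed as part of the query."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_role_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Passes: the value is bound as a parameter and is never parsed as SQL,
    so quotes or keywords in it are just characters of a name."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- A1 Cross Site Scripting ------------------------------------------------
def greeting_vulnerable(display_name: str) -> str:
    """Audit finding: user data is reflected into HTML without encoding, so a
    browser interprets any markup in it."""
    return "<p>Welcome, " + display_name + "</p>"


def greeting_hardened(display_name: str) -> str:
    """Passes: HTML-encoding on output turns <, >, & and quotes into entities,
    so the browser renders the data as text rather than as markup."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a quote that closes the string literal.
    odd_name = "x' OR '1'='1"
    print(lookup_role_vulnerable(db, odd_name))  # every row comes back
    print(lookup_role_hardened(db, odd_name))    # [] : no user has that name
    markup = "<script>alert(1)</script>"
    print(greeting_vulnerable(markup))           # markup reaches the browser
    print(greeting_hardened(markup))             # entities only
```

The test an auditor applies is the same one the block applies: feed each input field a value that carries a quote or a tag and compare what the application does with it against what it was meant to do. Parameterised queries and output encoding are the two controls that make the two findings disappear without changing the page's behaviour for ordinary input.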

Threats
Spoofing of Identity: Allows an attacker to pose as another user, or allows a rogue server to pose as a valid server.
Tampering with Data: Malicious modification of data.
Repudiation: Users deny having performed an action, and other parties have no way to prove otherwise.
Information Disclosure: Exposure of information to individuals who are not supposed to have access to it.
Denial of Service: Denial of service to valid users.
Elevation of Privilege: An unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system.

Criteria of Threat Rating

Damage Potential: Extent of the potential damage.
Reproducibility: How easy is it for the threat to become an exploit?
Exploitability: Effort and expertise required.
Affected Users: How many users would be affected?
Discoverability: Can this be found out?


Black Box Testing

Audit Objectives:
- Develop an understanding of the application.
- Develop an understanding of how the application reacts to malicious input.
- Develop an understanding of whether the application contains common vulnerabilities.

Results:
- Test scripts.
- Black Box Test Results.

Consultants
AKS IT Services shall deploy the following consultants:
- Application Manager
- Attack and Penetration experts / Application Code experts

Methodology
The first step followed by AKS IT is to analyze the web application for the security measures built into the website. This analysis is necessary to create a baseline, so that the present state is understood and the findings and recommendations can be appreciated against it. The project entails a First Level Audit of the website, after which the website development team would correct the vulnerabilities reported in the AKS IT audit report. On successful patching of the vulnerabilities, a certificate will be issued for hosting of the website.

The methodology followed is as follows:
1. Understand the scope and purpose of the website.
2. Review the web application structure and specifications so as to understand the basic design of the website.
3. For the web application under review, identify, document and understand the "high value objects" that a malicious attacker would seek to steal or exploit (e.g., user IDs, customer data, passwords).
4. Devise attacks or methods using proprietary AKS IT techniques to obtain the desired data objects.
5. Once web application security is handled, check whether a valid or invalid user can use the web application in a manner that subverts the underlying security model of the system.
6. Various attacks are devised on each component and the relevant vulnerabilities are then demonstrated.


Deliverable
- Web Application Security Audit Report based upon black box testing, with vulnerabilities and flaws highlighted.
- Hosting Clearance Certificate, issued only after verifying that all vulnerabilities brought out in the audit reports have been closed.

What we require from you

We propose that you will provide:
1. Rajkiya Intermediate College, Allahabad/Crystalsoft Informatics Services Pvt. Ltd. will provide the staging/live server with the hosted web application which is to be audited, along with the user names and passwords.
2. AKS IT may require the support of the application development team for clarification, functional testing and patching of the vulnerabilities in the web pages.
3. Rajkiya Intermediate College, Allahabad/Crystalsoft Informatics Services Pvt. Ltd. will designate a suitable staff member as the single point of contact to co-ordinate the activities.

Change Management
Any change to the project scope, duration, deliverables, pricing, or any other change shall be mutually agreed to by both parties using a Change Request Form. The Change Request Form will include the reason for the change, a description of the change, and the anticipated impact on the project's budget, schedule, deliverables, and pricing. AKS IT will not undertake any project change until the change has been documented, priced, and agreed to by Rajkiya Intermediate College, Allahabad/Crystalsoft Informatics Services Pvt. Ltd. and AKS IT. All changes, even those that do not alter the original price, will be documented before being implemented.

Acceptance
After receipt of the final delivery of the project, Rajkiya Intermediate College, Allahabad/Crystalsoft Informatics Services Pvt. Ltd. shall issue, within 2 weeks, a formal Project Completion Certificate stating the satisfactory completion of the project. If AKS IT does not receive the certificate within the above-mentioned period, we shall consider the project formally completed.


Commercials & Project Time Lines

Professional fees for security auditing of the website of Rajkiya Intermediate College, Allahabad are as follows:

Sr. No   Service Offering                                                        Number of days   Professional Charges (Rs.)
1.       First Level Security Audit, report generation including                      05                  20,000
         recommendations
2.       Second & Subsequent Level Security Audit, report generation                  02                   8,000
         including recommendations and issue of Certificate
         Total                                                                                             28,000

(Rupees Twenty Eight Thousand only)*

* Above charges are exclusive of Service tax @ 12.36%.

All cheques / drafts are to be drawn in favour of: AKS Information Technology Services Private Ltd., payable at New Delhi / Noida.

IN WITNESS WHEREOF, the parties have read the above and hereby execute this Statement of Work as of the date first set forth below.

For Rajkiya Intermediate College, Allahabad/Crystalsoft Informatics Services Pvt. Ltd.

For AKS Information Technology Services Private Ltd.

Name:
Appointment:
Date:

Name: Ashish Kumar Saxena
Appointment: Managing Director
Date: 15th May 2012



Note: Although the CERT-In (Govt. of India) empanelment certificate below is valid till 30th April 2012, the empanelment has been extended up to 31st August 2012. Information is available at http://cert-in.org.in

