
Security Testing Report 1 of 13

Security Testing Report of Ignify Application

Q1 2015-16

| Application Name        | Start Date  | End Date    | Report Date |
|-------------------------|-------------|-------------|-------------|
| Ignify Web Applications | 22-Sep-2015 | 28-Sep-2015 | 29-Sep-2015 |

Copyright © 2013 by SPAN InfoTech (India) Pvt. Ltd. All rights reserved. The contents of this document are protected by copyright law and international treaties. The reproduction or distribution of the document or any portion thereof, in any form or by any means, without prior written permission of SPAN InfoTech (India) Pvt. Ltd. is prohibited.


TABLE OF CONTENTS

1 Introduction and Objective ... 3
2 Details of Target Under Verification ... 3
3 Scope ... 3
3.1 In Scope ... 3
3.2 Out of Scope ... 3
4 Technical Approach and Methodology ... 4
PART A – Executive Report ... 5
5 Executive Summary ... 5
5.1 Risk Statistics ... 5
5.2 Application Security Confidence Level ... 5
PART B – Vulnerability Report ... 7
6 Risks/Vulnerabilities ... 7
7 Status Tracker ... 13
7.1 Application Vulnerability Status – Q1 Phase ... 13
8 Conclusion ... 13


1 Introduction and Objective

The objective of this report is to provide details of the security testing conducted on the Ignify application during Phase 1 of the 2015-16 subscription period. The report also contains recommendations and mitigation plans for the identified vulnerabilities. The tests were conducted on the Ignify application according to the scope defined in the Statement of Work document.

2 Details of Target Under Verification

| Item              | Details                                                                                              |
|-------------------|------------------------------------------------------------------------------------------------------|
| Target Under Test | Ignify Application                                                                                   |
| Target URL/IP     | Store Front application: http://ecom7.ignify.net; Manager Panel application: https://ecommanager.ignify.net |
| About Target      | Ignify is an e-commerce application for purchasing apparel online                                    |
| Test Type         | Application Security Automated Scanning                                                              |

3 Scope

This section provides the details of the project scope.

3.1 In Scope

- Automated security testing of the Ignify application
  o Store Front application
  o Manager Panel application
- Detailed reporting of the vulnerabilities identified, with their possible impacts and countermeasures
- Re-testing of previously identified vulnerabilities

3.2 Out of Scope

- Hardening of the servers and of the application under test, and fixing of the identified vulnerabilities
- Forensic investigation of any security incidents
- Functional testing and performance testing of the application
- Infrastructure penetration testing
- Component-level web service security testing


4 Technical Approach and Methodology

SPAN's security testing methodology is modelled on the OWASP Application Security Verification Standard (ASVS) and the Common Attack Pattern Enumeration and Classification (CAPEC). Outlined below is the high-level approach followed for conducting the security tests.

Information Gathering: The first phase of security testing. In this phase the test team makes an effort to understand the target system in order to engage it properly. This phase provides most of the data required for the overall security testing.

Vulnerability Assessment: The objective of this phase is to uncover all possible vulnerabilities in the target under test. This is accomplished by a set of automated tools together with the skills, expertise and experience of the security test engineers.

Penetration Testing: The target system is attacked or exploited manually with the information gathered in the previous phases, in order to confirm the identified vulnerabilities and to uncover vulnerabilities which are not covered by the automated scan.

Security Test Reporting: A security test report is produced with all the identified vulnerabilities, their implications and countermeasures.

[Figure: Information Gathering > Vulnerability Assessment > Penetration Testing > Security Test Reporting]


PART A – Executive Report

5 Executive Summary

5.1 Risk Statistics

This section provides the overall statistics of the vulnerabilities identified during testing of the Ignify application.

A. Application Penetration Testing - Risk Statistics (Q1-2015-16)

| Risk Level | Number of Vulnerabilities |
|------------|---------------------------|
| High       | 0                         |
| Medium     | 0                         |
| Low        | 0                         |
| Total      | 0                         |

5.2 Application Security Confidence Level

The table below describes the confidence levels assigned to the target system after security testing.

| Security level    | Confidence level | Criteria description |
|-------------------|------------------|----------------------|
| Secure            | A | No high or medium severity vulnerabilities were identified, and the defence measures taken show clear recognition of the assets and of threat likelihood. No low severity vulnerabilities, or the identified low severity vulnerabilities have no impact on the business. |
| Moderately Secure | B | No or few high severity vulnerabilities, associated with less critically important assets and without serious impact. (The number of vulnerabilities and the impact they can have on critical assets must be assessed in context.) |
| Marginally Secure | C | High or medium severity vulnerabilities identified that could be exploited to compromise assets of medium criticality in the application. (The number of vulnerabilities and the impact they can have on critical assets must be assessed in context.) |
| Unsecured         | D | High severity vulnerabilities associated with critically important assets, with a more serious impact on the business. (The number of vulnerabilities and the impact they can have on critical assets must be assessed in context.) |

[Chart accompanying 5.1: Vulnerability Statistics; x-axis Severity (High, Medium, Low); y-axis Number of Vulnerabilities; all three bars at 0]

The table below describes the priority levels.

| Priority | Priority description |
|----------|----------------------|
| High   | Vulnerabilities that affect the business (e.g. cross-site scripting, cross-site request forgery). Information disclosed is sensitive and may be used to plan further attacks (e.g. user credentials and session details). Likelihood of attack is high. |
| Medium | Likelihood of attack is medium and more skill is needed to frame the attack (e.g. cookie details, validation bypass). Impact on the business logic is medium. Information disclosed is sensitive and may be used to plan further attacks. |
| Low    | Likelihood of attack is low and more skill is needed to frame the attack. No impact on the business. |

The confidence level is decided according to the criteria described in the table above. The table below counts the vulnerabilities identified during application penetration testing whose status is Open, New or Re-open.

| Application Under Test | Security level | Confidence Level | High | Medium | Low* |
|------------------------|----------------|------------------|------|--------|------|
| Ignify - Manager       | Secure         | A                | 0    | 0      | 0    |
| Ignify - WebStore      | Secure         | A                | 0    | 0      | 0    |

*The Weak password policy (Low) vulnerability is applicable to both.


PART B –Vulnerability Report

6 Risks/Vulnerabilities

This section provides detailed information about each identified vulnerability and the countermeasures for the target under test.

Vulnerability No-01 – Store Portal (http://ecom7.ignify.net/)

H-001 – Content Spoofing (Text Injection) – 'hdnDisplayType' parameter

| Risk Severity | Risk Impact | Risk Likelihood | Ease of Discovery | Technical Impact Factors |
|---------------|-------------|-----------------|-------------------|--------------------------|
| High          | High        | Medium          | Moderate          | Loss of Integrity        |

Vulnerability Details

Content Spoofing (Text Injection) – 'hdnDisplayType' parameter

Content spoofing, also referred to as content injection or virtual defacement, is an attack against a user that is made possible by an injection vulnerability in a web application. When the application does not properly handle user-supplied data, an attacker can supply content, typically via a parameter value, which the application then returns to the victim as if it were its own.

Steps to Reproduce:

1. Log in to the Ignify store with valid credentials.

2. Submit the POST request below. The hdnDisplayType parameter in the request body is vulnerable to HTML injection:

POST /widgetscategory/gethtml_productlist/1180/html_productlist/150X177?filter=1180&search=&type=q&keywordoption=&cid=0&fltrdesc=&ppp=9&discountid=&pn=1&newarrivaldays=30 HTTP/1.1
Host: ecom7.ignify.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://ecom7.ignify.net/category/1180/athletic-gear
Content-Length: 249
Cookie: __utma=109913745.1962255331.1432625157.1432625157.1432625157.1; __utmb=109913745.11.10.1432625157; __utmc=109913745; __utmz=109913745.1432625157.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Ignify_Nav=PDCacheKey_5%3DBEST-SELLER-PRODUCTS-SESSION-KEY%5EPDPrevNextReffer_5%3Dhttp%3A//ecom7.ignify.net/search/denim%3Ffilter%3D%26search%3Ddenim%26type%3Dq%26keywordoption%3DANY%26cid%3D0%26fltrdesc%3D%5ECurrentPDReferrer_5%3Dhttp%3A//ecom7.ignify.net/search/denim%3Ffilter%3D%26search%3Ddenim%26type%3Dq%26keywordoption%3DANY%26cid%3D0%26fltrdesc%3D%5E; WebStore_SessionId=thbrzrkjhobmkpe0k0cbhp3n; userdata=e5c362af-62a0-49a0-841b-ad794907d1c4; __utmt=1; Ignify.eCommerce=9CF008C2998126F461C25A08DD261874B555C8EFFFDED2A6DD187A932D6BF8626C02C5AD1D6CDED550C9B5297EF297FF2867DAA5C6B063D57C65FFAA9C2BBD776DED5D5EF948A3DECBEC60A974EBE85CE8AA79F1DA731C0565E9E2A5DAFB04EFFE895D00DA7CE05CA46CDFBB9FD6B9755736D3D64E98A5813168E195E3DF7B054514CF7A
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

hdnSelectedVal=&hdnFromPrice=7.98&hdnToPrice=87.80&hdnIsQuickMenuVisible=&hdnCurrentProductIds=&hdnFilter=1180&hdndiscountid=&hdnDisplayType=grid30479'"){z}else{x}});/*]]>*/;TESTERWASHERE;&hdnSortType=SELLERRECOMMENDATION&hdnSortTypeClicked=false

Note: Observe that the value of hdnDisplayType is reflected into the response without encoding. The payload closes the quoted value and the surrounding script block (the `/*]]>*/` sequence terminates the CDATA wrapper the page emits around its inline script) and then injects the marker text TESTERWASHERE. The marker is a harmless example; because the reflection lands inside a script context, the same injection point can be exploited with maliciously crafted scripts rather than plain text.

Impact

1. An attacker can inject malicious content into the application through the browser
2. Threat to the integrity of the application
3. Content manipulation

Countermeasure/Recommendations

1. Validate user input and filter meta characters ("special" characters) to prevent unintended changes in the application
2. The web server should ensure that generated pages are properly output-encoded, so that injected text cannot be interpreted as markup or executed as script
3. Apply attribute encoding before inserting untrusted data into HTML attributes, and JavaScript string encoding before inserting it into an inline script block, which is where this payload lands

Remarks:


Reference:

https://www.owasp.org/index.php/Content_Spoofing

Re-testing status: Fixed and Closed
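The countermeasures above are context-specific output encoding. The following added example, which is not code from the SPAN report or from the Ignify application, renders an untrusted value of the shape used in H-001 into the two contexts the request implies, a hidden-input attribute and an inline script block, first by raw concatenation and then with per-context encoding. The template fragments, the `displayType` variable and the `y()` function are assumptions made for illustration; only the payload string comes from the finding.

```python
"""Added example (not part of the SPAN report or the Ignify code base):
an untrusted parameter value like hdnDisplayType rendered into the two
output contexts the H-001 request implies, a hidden-input attribute and
an inline <script> block, first unencoded and then with context-specific
encoding. The template fragments and function names are assumptions for
illustration only."""
import html
import json

# Payload of the shape used in the finding: closes a quoted JS string and
# the enclosing block, terminates the CDATA wrapper, then injects a marker.
PAYLOAD = "grid30479'\"){z}else{x}});/*]]>*/;TESTERWASHERE;"


def render_vulnerable(display_type: str) -> str:
    """Vulnerable pattern: raw string concatenation into both contexts."""
    return (
        f'<input type="hidden" name="hdnDisplayType" value="{display_type}">\n'
        f"<script>/*<![CDATA[*/ $(function(){{ "
        f"if (displayType == '{display_type}') {{ y(); }} }}); /*]]>*/</script>"
    )


def attr_encode(value: str) -> str:
    """HTML attribute context: &, <, >, double and single quotes become
    entities, so the value cannot close the attribute or the tag."""
    return html.escape(value, quote=True)


def js_string_encode(value: str) -> str:
    """Inline-script context: emit a JSON string literal and additionally
    escape < and > so the HTML parser cannot see '</script>' or ']]>'
    inside the literal."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_hardened(display_type: str) -> str:
    """Hardened pattern: the value is encoded for each context it enters
    and is never concatenated directly into JavaScript source."""
    return (
        f'<input type="hidden" name="hdnDisplayType" value="{attr_encode(display_type)}">\n'
        f"<script>/*<![CDATA[*/ var displayTypeParam = {js_string_encode(display_type)}; "
        f"$(function(){{ if (displayType == displayTypeParam) {{ y(); }} }}); /*]]>*/</script>"
    )


def cdata_terminators(rendered: str) -> int:
    """Count ']]>' sequences in the output. The template itself contains
    exactly one (its own wrapper); any extra one came from the parameter."""
    return rendered.count("]]>")
```

In the vulnerable rendering the payload contributes two extra `]]>` terminators (one per context), which is what lets the browser's HTML parser leave the script block early; in the hardened rendering only the template's own wrapper remains and the marker text is still visible but inert.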

Vulnerability No-02 – Store/Manager Portal (http://ecom7.ignify.net/ and https://ecommanager.ignify.net)

L-001 – Sensitive information disclosure

| Risk Severity | Risk Impact | Risk Likelihood | Ease of Discovery | Technical Impact Factors |
|---------------|-------------|-----------------|-------------------|--------------------------|
| Low           | Low         | Medium          | Easy              | Loss of Confidentiality  |

Vulnerability Details

Sensitive information disclosure

There are many vendors and versions of web servers on the market. Knowing the type and version of the web server in use significantly helps an attacker craft targeted attacks based on the known vulnerabilities of that version.

Steps to reproduce:

1. Open the login URL of the Store or Manager Portal.
2. Log in with a valid username and password.
3. Once in the application, use a proxy tool to intercept the requests and responses.
4. Observe that each response discloses the back-end server software in use, including its version.

Impact

1. Loss of confidentiality

Countermeasure/Recommendations

1. Remove or fake the Server and X-Powered-By response headers
2. Respond with a generic error message for all invalid login attempts, so that the response does not reveal whether a username exists

Remarks:

Remarks :


Reference:

https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)

Re-testing status: Issue closed as per the discussion
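Step 4 above is a manual check in an intercepting proxy. As an added example that is not part of the SPAN report, the following check automates it over a raw HTTP response: it parses the header block and reports the headers that fingerprint the back-end product, noting whether a version number is present. The two sample responses are constructed for illustration and are not captures from the Ignify servers; the header list is an assumption covering the headers the finding names plus the usual ASP.NET version headers.

```python
"""Added example (not part of the SPAN report): a check for the L-001
condition, response headers that reveal the back-end product and its
version. The sample responses are constructed; they are not captures
from the Ignify servers."""
import re
from typing import Dict, List, Tuple

# Headers that commonly carry product/version fingerprints (assumed list:
# the two named in the finding plus the usual ASP.NET version headers).
FINGERPRINT_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
)
VERSION_RE = re.compile(r"\d+(\.\d+)+")  # e.g. 8.5 or 4.0.30319

# Constructed sample: a response that discloses server and framework versions.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: the same response after countermeasure 1 (headers removed).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Split a raw HTTP response (status line + headers [+ body]) into a
    dict of lower-cased header name -> value. The body is ignored."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosing_headers(raw_response: str) -> List[Tuple[str, str, bool]]:
    """Return (header, value, has_version) for every fingerprint header
    present. A header with has_version False still names the product,
    so removing the header is preferable to merely stripping the number."""
    found = []
    for name, value in parse_headers(raw_response).items():
        if name in FINGERPRINT_HEADERS:
            found.append((name, value, bool(VERSION_RE.search(value))))
    return found
```

Run against a real target the check should be applied to every response, not only the login page, since the finding reports the disclosure "in each response".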

Vulnerability No-03 – Store/Manager Portal (http://ecom7.ignify.net/ and https://ecommanager.ignify.net)

L-002 – Cross-Origin Resource Sharing – Access-Control-Allow-Origin set to '*'

| Risk Severity | Risk Impact | Risk Likelihood | Ease of Discovery | Technical Impact Factors |
|---------------|-------------|-----------------|-------------------|--------------------------|
| Low           | Medium      | Medium          | Easy              | Loss of Integrity        |

Vulnerability Details

Cross-Origin Resource Sharing – Access-Control-Allow-Origin set to '*'

The cross-origin resource sharing (CORS) policy controls whether and how content running on other origins can perform two-way interaction with the origin that publishes the policy. The policy is fine-grained and can apply access controls per request, based on the URL and other features of the request.

If another domain is allowed by the policy, that domain can potentially attack users of the application: when a user who is logged in to the application visits a domain allowed by the policy, malicious content running on that domain can retrieve content from the application and carry out actions within the security context of the logged-in user. Reading authenticated responses in this way also requires the response to carry Access-Control-Allow-Credentials: true, which browsers do not honour in combination with a wildcard origin; a bare '*' therefore exposes only content that is available without credentials. The risk becomes serious if the policy is later changed to reflect the request's Origin header with credentials enabled instead of restricting it to known domains.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could be leveraged by a third-party attacker to exploit the trust relationship and attack the application that allows access.

Steps to Reproduce:

1. Log in to the Ignify Manager or Store Portal with valid credentials.
2. Intercept a request and observe its response.

Note: The Access-Control-Allow-Origin header contains '*', indicating that any origin is allowed.

Impact

1. Any origin is permitted to read cross-origin responses from the application
2. Threat to the integrity and confidentiality of application data if the permissive policy is ever combined with credentialed requests

Countermeasure/Recommendations

1. Issue credentialed CORS responses only to known, authenticated origins
2. Scrutinise the Origin header value on the server side
3. Whitelist the allowed domains instead of using '*'

Remarks :

Reference:

https://www.owasp.org/index.php/CORS_OriginHeaderScrutiny#Introduction


Re-testing status: Issue closed. As discussed, it cannot be fixed due to the nature of the application and how it operates.
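To make the countermeasures and the caveat concrete, here is an added example that is not part of the SPAN report or of the Ignify application. It shows three server-side CORS behaviours (the wildcard the finding reports, the reflecting anti-pattern to avoid when "fixing" it, and an exact-match allowlist per countermeasures 2 and 3) together with a small model of the browser-side check that decides whether a cross-origin page may read the response. The allowlist contents are an assumption built from the two hosts named in the report; the function names are illustrative.

```python
"""Added example (not part of the SPAN report or the Ignify application):
the three server-side CORS behaviours relevant to L-002, plus a model of
the browser-side check that decides whether a cross-origin page may read
a response. ALLOWED_ORIGINS is an assumed allowlist built from the two
hosts named in the report."""
from typing import Dict, Optional

# Assumed allowlist: full scheme://host origins, compared exactly.
ALLOWED_ORIGINS = frozenset({
    "https://ecommanager.ignify.net",
    "http://ecom7.ignify.net",
})

Headers = Dict[str, str]


def cors_wildcard(origin: Optional[str]) -> Headers:
    """The configuration the finding describes: every origin allowed.
    Browsers refuse a credentialed read when the response says '*', so
    only unauthenticated content becomes readable cross-origin."""
    return {"Access-Control-Allow-Origin": "*"}


def cors_reflect(origin: Optional[str]) -> Headers:
    """Anti-pattern to avoid when replacing the wildcard: echo whatever
    Origin arrives and enable credentials. Any site the victim visits can
    then read responses issued under the victim's session."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_allowlist(origin: Optional[str]) -> Headers:
    """Recommended: the Origin must match an allowlisted origin exactly
    (no prefix or suffix matching, and the opaque 'null' origin is never
    trusted). Vary: Origin tells caches the response differs per origin."""
    if origin is None or origin == "null" or origin not in ALLOWED_ORIGINS:
        return {}  # no CORS headers at all: the browser blocks the read
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def browser_permits_credentialed_read(headers: Headers, origin: str) -> bool:
    """Model of the browser's CORS check for a request sent with cookies:
    ACAO must equal the requesting origin ('*' is rejected in this mode)
    and Allow-Credentials must be exactly 'true'."""
    return (
        headers.get("Access-Control-Allow-Origin") == origin
        and headers.get("Access-Control-Allow-Credentials") == "true"
    )


def browser_permits_anonymous_read(headers: Headers, origin: str) -> bool:
    """Same check for a request sent without credentials: '*' or an exact
    origin match is sufficient."""
    acao = headers.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == origin
```

The model captures why the finding is rated Low and why it was accepted: with '*' an attacker's page can read only what an anonymous visitor could fetch anyway, whereas the reflecting variant hands the attacker the victim's authenticated responses.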

7 Status Tracker

7.1 Application Vulnerability Status – Q1 Phase

The table below gives the status of the vulnerabilities identified during security testing of the Ignify web applications in the Q1 phase.

| #  | Vulnerability Details                                                          | Web site             | Priority | Status |
|----|--------------------------------------------------------------------------------|----------------------|----------|--------|
| 01 | H-001 – Content Spoofing (Text Injection) – 'hdnDisplayType' parameter         | Store                | High     | Fixed  |
| 02 | L-001 – Sensitive information disclosure                                       | Store/Manager Portal | Low      | Closed as per discussion |
| 03 | L-002 – Cross-Origin Resource Sharing – Access-Control-Allow-Origin set to '*' | Store/Manager Portal | Low      | Closed as per discussion (not fixed) |

8 Conclusion

The security testing of the Ignify applications for Phase 1 is complete; the identified vulnerabilities are listed in Section 7.

The confidence level has been updated on the basis of the current test status.

Status and remarks should be updated by the developers and shared with the test team, after which re-testing will commence.