Security tests of bxp and False Positives

From All n One's bxp software Wixi

Jump to: navigation, search

1 Overview

bxp is a secure platform and the security of All n One is paramount to All n One operations.


Security requirements change all the time. As new security weaknesses are found constantly bxp is constantly adapting to those challenges.


We often receive security testing and testing results. During these tests, results can appear which are not issues but are flagged as issues. This is called a false positive. Common tests and their results and already mitigated / understood and managed issues. These issues are listed here with explanations and mitigations


2 False Positives

2.1 Issue : XSS (Cross Site Scripting) Injection

Presents as


The usual test for SQL injection is to include alert(1); or equivalent JavaScript into the system. The system shouldn't allow this.


Mitigation


bxp actually provides facility for a client to customise the platform with custom JavaScript. The primary areas where this happens are:

  • Form Management : Form settings
  • Form Management : Outcomes
  • eCourse : Asset : Creation and application system wide
  • System Access Management : System Management : System Settings


Through UAM (User Access Management), UAM_-_User_Access_Management and the System Access Management module Module_-_System_Access_Management access to different aspects of the system are controlled. User secure access should be controlled. Function_Vs._Content Regular client auditing of logins and system usage then provide the control of who is accessing what and when. Security_-_Start_Here#System_Review_tools A bxp client is not forced to use UAM but it is highly recommended.


2.2 Issue : Privilege Escalation

Presents as


Normal level users can access secure areas.


Mitigation


When providing a test user it is important to understand the scope of the test user. The test user for Penetration testing can be set to an extremely limited user type account rather than an administrative level account.


The System Access Management module provides functional and content access. If a user has scope to be able to make changes in this module then they are effectively Administrators. Through UAM (User Access Management), UAM_-_User_Access_Management and the System Access Management module Module_-_System_Access_Management access to different aspects of the system are controlled. A bxp client is not forced to use UAM but it is highly recommended.


2.3 Issue : Session Cookie life

Presents as


Sessions are not expired in a timely fashion


Mitigation


bxp provides a dedicated log out process. If the logout process is used then the cookies and credentials are removed from the system requiring the user to log in again.


2.4 Issue : Autocomplete field for username and password entry

Presents as


Autocomplete should be added to the username and password log in fields.


Mitigation


Autocomplete is not a valid HTML 4.0 strict or XHTML 1.0 valid attribute and is widely discussed on the Internet [1]


bxp is XHTML 1.0 strict compliant [Security_-_Start_Here#W3C_XHTML_Compliance]


The solution to get compliance is to add JavaScript to add the attribute to the input tag. This is implemented on bxp


2.5 Issue : Error messages with too much data

Presents as


Hamster errors present too much data which could provide attackers with unnecessary data.


Mitigation


The hamster errors are provided as is to facilitate accurate trouble shooting with minimum issues. The detailed hamster errors are only generated for valid logged in users. White hamsters have limited information and are the only hamster available outside of log in.



2.6 Issue : Cookie valid duration

Presents as


Cookies have a long window of activity increasing session hijacking possibilities


Mitigation


Cookies in bxp have a window of 14 days. If a smaller window of timeout needs to be controlled then bxp provides an inactivity management solution Security_-_Force_inactive_logout


Whilst it is possible to set smaller and smaller windows, bxp user convenience is also a consideration.


2.7 Issue : No account lockout

Presents as


Lockout policy not applied.


Mitigation


A lockout engine is built into bxp which is configurable by client. This option is specified by the client on system setup CC-2-1_Security_and_Custom_Interface_configuration#Lockouts_and_Options


2.8 Issue : Weak passwords allowed

Presents as


Weak passwords allowed as valid


Mitigation


A client can specify a minimum strength password allowed as part of their configuration CC-2-1_Security_and_Custom_Interface_configuration#Password_cycling


bxp has a detailed password strength reporting suite to facilitate management of this aspect of security Security_-_Password_Strength_Report


2.9 Issue : Caching responses

Presents as


When a user clicks back in a browser, after a successful log out, data is still visible from the browser's cache.


Mitigation


On all pages in bxp the following is implemented

<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="pragma" content="no-cache" />
<meta http-equiv="expires" content="0" />

Different browsers implement and interpret these instructions differently. IE5 through IE8 do not work well with pragma no-store. no-cache therefore is the compromise for backwards compatability. [2]


2.10 Issue : TLS V1.0 available

Presents as


HTTPS TLS v1.0 is available IF negotiated.


Mitigation


For backwards compatibility of TLS and earlier browsers which are end of life, TLS 1.0 is still available but only through negotiation as stronger encryptions are presented by default. What_browsers_does_bxp_work_on?


2.11 Issue : Reflective Cross-Site Scripting (XSS)

Presents as


Through specially crafted query string parameters JavaScript can be injected into operations.


Mitigation


As mentioned previously bxp facilitates client systems ability to support this capability on purpose for custom client applications and interaction with 3rd party solutions such as diallers and other "inside firewall" systems which require interactions.



2.12 Issue : Sensitive Information Exposure - Server Response Headers

Presents as


Cookies and response headers provide technology specific information facilitating targetted attacks.


Mitigation


bxp as part of it's compliance and regulation management provides a number of details about it's service publicly which mitigate the sensitivity of cookie and header information. The_bxp_Infrastructure


The hamster engine of bxp relies on information from a validly logged in user to provide technical support as to the nature of the issue that's occurred to allow a client to correct their own errors. The modules of MetaData and KeyStats are the two primary examples of where this matters most. Meet_the_Hamsters


2.13 Issue : Unprotected file upload

Presents as


Malicious files can be uploaded into bxp.


Mitigation


bxp facilitates clients with sufficient permissions the ability to add .js files to the engine for their own operations. eCourse pages facilitate a wider variety of supported materials. On all uploaders there are mime type approved lists. AntiVirus solutions monitor in real time all uploads with eicar being used extensively to monitor file upload points.


All upload points are limited and auditable.


2.14 Issue : httpOnly not applied

Presents as


The httpOnly flag not applied


Mitigation


Due to the implementation of the httpOnly flag using IIS Response.AddHeader "Set-Cookie" implementation to set a cookie flag at the end of the page, results in some testing software not properly detecting that the flag has been set. As bxp has to provide an HTTP implementation for backwards compatibility the httpOnly flag cannot be universally set by IIS and is implemented therefore in this fashion.


2.15 Issue : Cipher Suite Updates

Presents as


Bxp using legacy ciphers that do not support Forward secrecy

Mitigation


Forward Secrecy : We are reviewing our weblog reports to see what browsers / Operating systems are being used within bxp. This will allow us to create a more updated cipher suite listing. In some instances we may need to keep certain ciphers alive to support clients using legacy systems. With regard to forward secrecy we are currently testing the following cipher suite:


TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,

TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,

TLS_DHE_DSS_WITH_AES_256_CBC_SHA,

TLS_DHE_DSS_WITH_AES_128_CBC_SHA,