Security tests of bxp and False Positives
From All n One's bxp software Wixi
- 1 Overview
- 2 False Positives
- 2.1 Issue : XSS (Cross Site Scripting) Injection
- 2.2 Issue : Privilege Escalation
- 2.3 Issue : Session Cookie life
- 2.4 Issue : Autocomplete field for username and password entry
- 2.5 Issue : Error messages with too much data
- 2.6 Issue : Cookie valid duration
- 2.7 Issue : No account lockout
- 2.8 Issue : Weak passwords allowed
- 2.9 Issue : Caching responses
- 2.10 Issue : TLS V1.0 available
- 2.11 Issue : Reflective Cross-Site Scripting (XSS)
- 2.12 Issue : Sensitive Information Exposure - Server Response Headers
- 2.13 Issue : Unprotected file upload
- 2.14 Issue : httpOnly not applied
- 2.15 Issue : Cipher Suite Updates
bxp is a secure platform and the security of All n One is paramount to All n One operations.
Security requirements change all the time. As new security weaknesses are found constantly bxp is constantly adapting to those challenges.
We often receive security testing and testing results. During these tests, results can appear which are not issues but are flagged as issues. This is called a false positive. Common tests and their results and already mitigated / understood and managed issues. These issues are listed here with explanations and mitigations
2 False Positives
2.1 Issue : XSS (Cross Site Scripting) Injection
- Form Management : Form settings
- Form Management : Outcomes
- eCourse : Asset : Creation and application system wide
- System Access Management : System Management : System Settings
Through UAM (User Access Management), UAM_-_User_Access_Management and the System Access Management module Module_-_System_Access_Management access to different aspects of the system are controlled. User secure access should be controlled. Function_Vs._Content Regular client auditing of logins and system usage then provide the control of who is accessing what and when. Security_-_Start_Here#System_Review_tools A bxp client is not forced to use UAM but it is highly recommended.
2.2 Issue : Privilege Escalation
Normal level users can access secure areas.
When providing a test user it is important to understand the scope of the test user. The test user for Penetration testing can be set to an extremely limited user type account rather than an administrative level account.
The System Access Management module provides functional and content access. If a user has scope to be able to make changes in this module then they are effectively Administrators. Through UAM (User Access Management), UAM_-_User_Access_Management and the System Access Management module Module_-_System_Access_Management access to different aspects of the system are controlled. A bxp client is not forced to use UAM but it is highly recommended.
2.3 Issue : Session Cookie life
Sessions are not expired in a timely fashion
bxp provides a dedicated log out process. If the logout process is used then the cookies and credentials are removed from the system requiring the user to log in again.
2.4 Issue : Autocomplete field for username and password entry
Autocomplete should be added to the username and password log in fields.
Autocomplete is not a valid HTML 4.0 strict or XHTML 1.0 valid attribute and is widely discussed on the Internet 
bxp is XHTML 1.0 strict compliant [Security_-_Start_Here#W3C_XHTML_Compliance]
2.5 Issue : Error messages with too much data
Hamster errors present too much data which could provide attackers with unnecessary data.
The hamster errors are provided as is to facilitate accurate trouble shooting with minimum issues. The detailed hamster errors are only generated for valid logged in users. White hamsters have limited information and are the only hamster available outside of log in.
2.6 Issue : Cookie valid duration
Cookies have a long window of activity increasing session hijacking possibilities
Cookies in bxp have a window of 14 days. If a smaller window of timeout needs to be controlled then bxp provides an inactivity management solution Security_-_Force_inactive_logout
Whilst it is possible to set smaller and smaller windows, bxp user convenience is also a consideration.
2.7 Issue : No account lockout
Lockout policy not applied.
A lockout engine is built into bxp which is configurable by client. This option is specified by the client on system setup CC-2-1_Security_and_Custom_Interface_configuration#Lockouts_and_Options
2.8 Issue : Weak passwords allowed
Weak passwords allowed as valid
A client can specify a minimum strength password allowed as part of their configuration CC-2-1_Security_and_Custom_Interface_configuration#Password_cycling
bxp has a detailed password strength reporting suite to facilitate management of this aspect of security Security_-_Password_Strength_Report
2.9 Issue : Caching responses
When a user clicks back in a browser, after a successful log out, data is still visible from the browser's cache.
On all pages in bxp the following is implemented
<meta http-equiv="cache-control" content="no-cache" /> <meta http-equiv="pragma" content="no-cache" /> <meta http-equiv="expires" content="0" />
Different browsers implement and interpret these instructions differently. IE5 through IE8 do not work well with pragma no-store. no-cache therefore is the compromise for backwards compatability. 
2.10 Issue : TLS V1.0 available
HTTPS TLS v1.0 is available IF negotiated.
For backwards compatibility of TLS and earlier browsers which are end of life, TLS 1.0 is still available but only through negotiation as stronger encryptions are presented by default. What_browsers_does_bxp_work_on?
2.11 Issue : Reflective Cross-Site Scripting (XSS)
As mentioned previously bxp facilitates client systems ability to support this capability on purpose for custom client applications and interaction with 3rd party solutions such as diallers and other "inside firewall" systems which require interactions.
2.12 Issue : Sensitive Information Exposure - Server Response Headers
Cookies and response headers provide technology specific information facilitating targetted attacks.
bxp as part of it's compliance and regulation management provides a number of details about it's service publicly which mitigate the sensitivity of cookie and header information. The_bxp_Infrastructure
The hamster engine of bxp relies on information from a validly logged in user to provide technical support as to the nature of the issue that's occurred to allow a client to correct their own errors. The modules of MetaData and KeyStats are the two primary examples of where this matters most. Meet_the_Hamsters
2.13 Issue : Unprotected file upload
Malicious files can be uploaded into bxp.
bxp facilitates clients with sufficient permissions the ability to add .js files to the engine for their own operations. eCourse pages facilitate a wider variety of supported materials. On all uploaders there are mime type approved lists. AntiVirus solutions monitor in real time all uploads with eicar being used extensively to monitor file upload points.
All upload points are limited and auditable.
2.14 Issue : httpOnly not applied
The httpOnly flag not applied
Due to the implementation of the httpOnly flag using IIS Response.AddHeader "Set-Cookie" implementation to set a cookie flag at the end of the page, results in some testing software not properly detecting that the flag has been set. As bxp has to provide an HTTP implementation for backwards compatibility the httpOnly flag cannot be universally set by IIS and is implemented therefore in this fashion.
2.15 Issue : Cipher Suite Updates
Bxp using legacy ciphers that do not support Forward secrecy
Forward Secrecy : We are reviewing our weblog reports to see what browsers / Operating systems are being used within bxp. This will allow us to create a more updated cipher suite listing. In some instances we may need to keep certain ciphers alive to support clients using legacy systems. With regard to forward secrecy we are currently testing the following cipher suite: