Security tests of bxp and False Positives

1,728 bytes added, 16:06, 24 July 2017
= Overview =
bxp is a secure platform, and security is paramount to All n One's operations.
Security requirements change all the time. New security weaknesses are found constantly, and bxp is constantly adapting to those challenges.
We often receive security testing and testing results. During these tests, results can appear which are flagged as issues but are not issues; this is called a false positive. Common tests, their results, and already mitigated / understood and managed issues are listed here with explanations and mitigations.
= False Positives =
== Issue : XSS (Cross Site Scripting) Injection ==
=== Presents as ===
The usual test for XSS is to submit alert(1); or equivalent JavaScript into the system. The system shouldn't allow this.
=== Mitigation ===
bxp deliberately provides a facility for a client to customise the platform with custom JavaScript, so a scanner that finds stored JavaScript in these areas is reporting an intended feature. The primary areas where this happens are:
* Form Management : Form settings
* Form Management : Outcomes
Through UAM (User Access Management), [[UAM_-_User_Access_Management]], and the System Access Management module, [[Module_-_System_Access_Management]], access to different aspects of the system is controlled. User secure access should be controlled; see [[Function_Vs._Content]]. Regular client auditing of logins and system usage then provides the control of who is accessing what and when. [[Security_-_Start_Here#System_Review_tools]] A bxp client is not forced to use UAM but it is highly recommended.
== Issue : Privilege Escalation ==
=== Presents as ===
When providing a test user it is important to understand the scope of that test user. The test user for penetration testing can be set to an extremely limited user type account rather than an administrative level account; an administrative test account will report every function it can reach as an escalation.
=== Mitigation ===
The System Access Management module provides functional and content access. If a user has scope to make changes in this module then they are effectively Administrators. Through UAM (User Access Management), [[UAM_-_User_Access_Management]], and the System Access Management module, [[Module_-_System_Access_Management]], access to different aspects of the system is controlled. A bxp client is not forced to use UAM but it is highly recommended.
== Issue : Session Cookie life ==
=== Presents as ===
=== Mitigation ===
bxp provides a dedicated log out process. If the logout process is used then the cookies and credentials are removed from the system, requiring the user to log in again.
== Issue : Autocomplete field for username and password entry ==
=== Presents as ===
=== Mitigation ===
The solution to get compliance is to add JavaScript which adds the autocomplete="off" attribute to the input tag. This is implemented in bxp. Because the attribute is added at run time, a scanner that only inspects the raw HTML source will not see it and will keep reporting the field.
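The following is an added example, not bxp's own code, of the approach the mitigation describes: a small script that marks credential inputs autocomplete="off" at run time, alongside the check a static scanner performs on the raw markup. The field names used to recognise login inputs are an assumption for this example; the element stub exists only so the script can run outside a browser.

```javascript
// Added example (not bxp's own code): set autocomplete="off" on credential
// inputs at run time, and show what a scanner reading only the raw HTML sees.

// Field names assumed to identify login inputs (hypothetical; adjust to the form).
const CREDENTIAL_NAMES = ['username', 'user', 'login', 'password', 'pass'];

function isCredentialInput(el) {
  const type = (el.getAttribute('type') || 'text').toLowerCase();
  const name = (el.getAttribute('name') || '').toLowerCase();
  return type === 'password' || CREDENTIAL_NAMES.includes(name);
}

// Works on anything with getAttribute/setAttribute, so it runs against real
// DOM nodes in a browser and against plain stubs here. Returns the number of
// inputs it changed, so a second call is a no-op that returns 0.
function disableCredentialAutocomplete(elements) {
  let changed = 0;
  for (const el of elements) {
    if (!isCredentialInput(el)) continue;
    if ((el.getAttribute('autocomplete') || '').toLowerCase() !== 'off') {
      el.setAttribute('autocomplete', 'off');
      changed += 1;
    }
  }
  return changed;
}

// What a static scanner sees: password inputs in the raw markup, before any
// script has run. Such tags are reported even though the run-time fix applies.
function passwordFieldsLackingAutocompleteOff(html) {
  const inputs = html.match(/<input\b[^>]*>/gi) || [];
  return inputs.filter(tag =>
    /type\s*=\s*["']?password/i.test(tag) && !/autocomplete\s*=\s*["']?off/i.test(tag));
}

// Minimal stand-in for an <input> element, constructed for this example.
function stubInput(attrs) {
  const a = { ...attrs };
  return {
    getAttribute: k => (k in a ? a[k] : null),
    setAttribute: (k, v) => { a[k] = v; },
    attrs: a,
  };
}

// Constructed login form: username, password and an unrelated search box.
function demo() {
  const form = [
    stubInput({ type: 'text', name: 'username' }),
    stubInput({ type: 'password', name: 'password' }),
    stubInput({ type: 'text', name: 'search' }),
  ];
  const changed = disableCredentialAutocomplete(form);
  return { changed, attrs: form.map(f => f.attrs.autocomplete || null) };
}

// In a browser: disableCredentialAutocomplete(document.querySelectorAll('input'));
```

Note that current browsers ignore autocomplete="off" on login fields and still offer saved passwords, so the attribute satisfies the scanner's check rather than changing what the browser does.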
== Issue : Error messages with too much data ==
=== Presents as ===
=== Mitigation ===
The hamster errors are provided as-is to facilitate accurate troubleshooting with the minimum of issues. Detailed hamster errors are only generated for valid logged-in users. White hamsters have limited information and are the only hamster available outside of login.
== Issue : Cookie valid duration ==
=== Presents as ===
=== Mitigation ===
Cookies in bxp have a window of 14 days. If a shorter timeout window needs to be enforced then bxp provides an inactivity management solution: [[Security_-_Force_inactive_logout]]
== Issue : No account lockout ==
=== Presents as ===
=== Mitigation ===
A lockout engine is built into bxp and is configurable by the client. This option is specified by the client on system setup: [[CC-2-1_Security_and_Custom_Interface_configuration#Lockouts_and_Options]]
== Issue : Weak passwords allowed ==
=== Presents as ===
=== Mitigation ===
== Issue : Caching responses ==
=== Presents as ===
=== Mitigation ===
Different browsers implement and interpret these cache-control instructions differently. IE5 through IE8 do not work well with Pragma: no-store; no-cache is therefore the compromise for backwards compatibility.
[https://stackoverflow.com/questions/866822/why-both-no-cache-and-no-store-should-be-used-in-http-response]
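As an added example (not bxp's own code), the header set that the no-cache / no-store discussion above is about, together with a checker that applies the same rule a scanner applies to a captured response. The sample responses are constructed for this example; the header values follow the linked Stack Overflow answer (Cache-Control for HTTP/1.1 caches, Pragma and Expires for HTTP/1.0 caches and the old IE versions mentioned).

```javascript
// Added example (not bxp's own code): headers for a non-cacheable response and a
// checker for "cacheable response" findings against a raw header set.

// Cache-Control is the HTTP/1.1 mechanism; Pragma and Expires are only there for
// HTTP/1.0 caches and legacy browsers.
const NO_STORE_HEADERS = {
  'cache-control': 'no-cache, no-store, must-revalidate',
  'pragma': 'no-cache',
  'expires': '0',
};

// Parse a Cache-Control value into { directive: value | true }.
function parseCacheControl(value) {
  const directives = {};
  for (const part of (value || '').split(',')) {
    const [name, ...rest] = part.trim().split('=');
    if (!name) continue;
    directives[name.toLowerCase()] = rest.length ? rest.join('=').replace(/^"|"$/g, '') : true;
  }
  return directives;
}

// Return the list of expectations a response fails; an empty list means the
// response would not be reported. Header names are matched case-insensitively,
// as clients and scanners do.
function cacheFindings(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const cc = parseCacheControl(h['cache-control']);
  const findings = [];
  if (!cc['no-store']) findings.push('Cache-Control lacks no-store');
  if (!cc['no-cache']) findings.push('Cache-Control lacks no-cache');
  if ((h['pragma'] || '').toLowerCase() !== 'no-cache') findings.push('Pragma: no-cache missing (HTTP/1.0 caches)');
  if (cc['public'] || (cc['max-age'] !== undefined && Number(cc['max-age']) > 0)) {
    findings.push('response explicitly marked cacheable');
  }
  return findings;
}

// Sample responses, constructed for this example: one that a scanner reports,
// and the same response with the hardened header set.
const WEAK_RESPONSE = { 'Content-Type': 'text/html', 'Cache-Control': 'private, max-age=600' };
const HARDENED_RESPONSE = { 'Content-Type': 'text/html', ...NO_STORE_HEADERS };
```

Running cacheFindings over WEAK_RESPONSE lists every missing directive, while HARDENED_RESPONSE produces no findings; a response carrying only no-cache (the backwards-compatibility compromise the mitigation describes) still produces the single no-store finding, which is what a scanner will report.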
== Issue : TLS V1.0 available ==
=== Presents as ===
HTTPS TLS v1.0 is available IF negotiated.
=== Mitigation ===
For backwards compatibility with earlier TLS versions and browsers which are end of life, TLS 1.0 is still available but only through negotiation, as stronger encryption is presented by default. [[What_browsers_does_bxp_work_on%3F]] Note that a client offering only TLS 1.0 will still be served it, so scanners will continue to report this until TLS 1.0 is disabled.
== Issue : Reflective Cross-Site Scripting (XSS) ==
=== Presents as ===
Through specially crafted query string parameters JavaScript can be injected into operations.
=== Mitigation ===
As mentioned previously, bxp deliberately supports this capability for client systems, for custom client applications and for interaction with 3rd party solutions such as diallers and other "inside firewall" systems which require such interactions.
== Issue : Sensitive Information Exposure - Server Response Headers ==
=== Presents as ===
Cookies and response headers provide technology specific information facilitating targeted attacks.
=== Mitigation ===
bxp, as part of its compliance and regulation management, publishes a number of details about its service publicly, which mitigates the sensitivity of cookie and header information. [[The_bxp_Infrastructure]]
The hamster engine of bxp relies on information from a validly logged-in user to provide technical support as to the nature of the issue that has occurred, to allow a client to correct their own errors. The MetaData and KeyStats modules are the two primary examples of where this matters most. [[Meet_the_Hamsters]]
== Issue : Unprotected file upload ==
=== Presents as ===
Malicious files can be uploaded into bxp.
=== Mitigation ===
bxp gives clients with sufficient permissions the ability to add .js files to the engine for their own operations. eCourse pages facilitate a wider variety of supported materials. On all uploaders there are MIME type approved lists. AntiVirus solutions monitor all uploads in real time, with EICAR test files being used extensively to monitor file upload points.
All upload points are limited and auditable.
== Issue : httpOnly not applied ==
=== Presents as ===
The httpOnly flag is reported as not applied.
=== Mitigation ===
Because the httpOnly flag is implemented using the IIS Response.AddHeader "Set-Cookie" call to set the cookie flag at the end of the page, some testing software does not properly detect that the flag has been set. As bxp has to provide an HTTP implementation for backwards compatibility, the httpOnly flag cannot be universally set by IIS and is therefore implemented in this fashion. A tester should check every Set-Cookie header in the full response, not only the first one, before reporting this.
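The following added example (not bxp's own code) is the check a tester would run for the httpOnly finding above, and it also covers the Session Cookie life and Cookie valid duration sections: it parses every Set-Cookie header in a raw HTTP response, keeps the last setting for each cookie name (which is what a browser does when the same cookie is set twice in one response), and reports missing HttpOnly or Secure flags and lifetimes over the 14-day window. The sample response and cookie names are constructed for this example.

```javascript
// Added example (not bxp's own code): audit all Set-Cookie headers in a raw
// response, taking the last Set-Cookie per cookie name as the effective one.

const DAY_SECONDS = 86400;

// Parse one Set-Cookie value into its name, value and the attributes we audit.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq < 0 ? pair.trim() : pair.slice(0, eq).trim(),
    value: eq < 0 ? '' : pair.slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
    sameSite: null,
    maxAge: null,   // seconds; null means no Max-Age attribute
    expires: null,
  };
  for (const attr of attrs) {
    const [k, ...v] = attr.trim().split('=');
    const key = k.toLowerCase();
    const val = v.join('=');
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = val;
    else if (key === 'max-age') cookie.maxAge = Number(val);
    else if (key === 'expires') cookie.expires = val;
  }
  return cookie;
}

// Walk the header block of a raw response; a later Set-Cookie for the same
// name replaces the earlier one, as it would in the browser's cookie jar.
function effectiveCookies(rawResponse) {
  const headerBlock = rawResponse.split(/\r?\n\r?\n/)[0];
  const byName = new Map();
  for (const line of headerBlock.split(/\r?\n/)) {
    if (!/^set-cookie:/i.test(line)) continue;
    const c = parseSetCookie(line.slice(line.indexOf(':') + 1).trim());
    byName.set(c.name, c);
  }
  return [...byName.values()];
}

// Findings per effective cookie. maxDays is the policy ceiling; the page states
// a 14-day window for bxp cookies.
function cookieFindings(rawResponse, maxDays = 14) {
  const findings = [];
  for (const c of effectiveCookies(rawResponse)) {
    if (!c.httpOnly) findings.push(`${c.name}: HttpOnly not set`);
    if (!c.secure) findings.push(`${c.name}: Secure not set`);
    if (c.maxAge !== null && c.maxAge > maxDays * DAY_SECONDS) {
      findings.push(`${c.name}: lifetime exceeds ${maxDays} days`);
    }
  }
  return findings;
}

// Headers a dedicated logout response sends so the browser discards the cookies.
function clearCookieHeaders(names) {
  return names.map(n =>
    `Set-Cookie: ${n}=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly`);
}

// Constructed sample: the first Set-Cookie for SESSIONID has no flags; a second
// one emitted at the end of the page sets the same cookie with HttpOnly and
// Secure. A scanner reading only the first header reports a missing flag.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  'Set-Cookie: SESSIONID=abc123; Path=/; Max-Age=1209600',
  'Set-Cookie: prefs=dark; Path=/; Max-Age=2592000; Secure; HttpOnly',
  'Set-Cookie: SESSIONID=abc123; Path=/; Max-Age=1209600; Secure; HttpOnly',
  '',
  '<html>...</html>',
].join('\r\n');
```

Against SAMPLE_RESPONSE the effective SESSIONID cookie carries both flags and sits exactly on the 14-day window, so the only finding is the 30-day prefs cookie; parsing the first Set-Cookie line on its own reproduces the scanner's false positive.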
== Issue : Cipher Suite Updates ==
=== Presents as ===
bxp is reported as using legacy ciphers that do not support forward secrecy.
=== Mitigation ===
Forward Secrecy : We are reviewing our weblog reports to see what browsers / operating systems are being used within bxp. This will allow us to create a more up-to-date cipher suite listing. In some instances we may need to keep certain ciphers alive to support clients using legacy systems. With regard to forward secrecy we are currently testing the following cipher suites:
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA
[[Category:Topic:Security]]