Security Enhancements - 2015-09-13
From All n One's bxp software Wixi
1 Overview
Security and maintenance are ongoing work for any good Software as a Service solution. bxp is no different: this weekend a number of changes were made to our solutions to further harden them and maintain our very high levels of security.
This document outlines the changes made.
2 Security headers
bxp uses IIS 7.5 as its web server. When your browser talks to IIS, a number of HTTP response headers that are never shown to the user are transmitted to your browser. A number of these headers were updated.
2.1 X-Frame-Options
The X-Frame-Options anti-clickjacking header was added.
- https://www.owasp.org/index.php/Clickjacking
- https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
2.2 X-XSS-Protection
This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. This header is supported in IE 8+, and in Chrome. The anti-XSS filter was added in Chrome 4.
- https://www.owasp.org/index.php/List_of_useful_HTTP_headers
- http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
- http://stackoverflow.com/questions/9090577/what-is-the-http-header-x-xss-protection
2.3 X-Content-Type-Options
The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome when downloading extensions. This reduces exposure to drive-by download attacks and to sites serving user-uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.
3 ASPSESSIONID
The ASPSESSIONID session state cookie is used by other Classic ASP services for various reasons, including visitor account management. bxp has never used the ASPSESSIONID cookie, but Classic ASP session state was still enabled and was showing up as a false positive on security scans. Session state has now been disabled on the servers, removing this perceived threat.
4 crossdomain.xml
Basically, crossdomain.xml is the cross-domain policy file for Flash Player. It states that Flash is only allowed to get content from the specified servers.
- http://www.ookla.com/support/a21097566/What-is-crossdomain-xml-and-why-do-I-need-it
- http://code.tutsplus.com/tutorials/quick-tip-a-guide-to-cross-domain-policy-files--active-3832
- http://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
5 Testing engine
All of our testing was done using Nikto v2.1.6 from a Kali Linux 2.0 instance.
A false positive was also reported for localstart.asp, a file that had already been removed from the servers. Because requests for it are redirected to a custom 404 error page, the scanner gets a redirect rather than a 404 status and concludes that the file is still present.
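As an added illustration (not bxp's own configuration, which the page does not show), the following web.config fragment is one way to apply the changes from sections 2, 3 and 5 on IIS 7.5. The header values, the `/errors/404.html` path and the use of `ExecuteURL` are assumptions; the page does not state them. The `<asp>` element is normally locked to applicationHost.config and must be set or unlocked there.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Section 2: the three response headers. Values are assumed;
             the page names the headers but not the values it chose. -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
    <!-- Section 3: turn Classic ASP session state off so that IIS never
         issues an ASPSESSIONID cookie. This section is locked at server
         level by default, so it usually belongs in applicationHost.config. -->
    <asp>
      <session allowSessionState="false" />
    </asp>
    <!-- Section 5: serve the custom 404 page in place. ExecuteURL keeps the
         404 status code, whereas a Redirect response mode answers with a 302,
         which is what makes a scanner believe a removed file still exists. -->
    <httpErrors errorMode="Custom">
      <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="404" path="/errors/404.html" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
```

After deploying, re-running the Nikto scan from section 5 should no longer report localstart.asp, since a request for it now returns a genuine 404.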