1 Overview

Security and maintenance are an ongoing feature of any good Software as a Service solution. bxp is no different and this weekend a number of changes were made to our solutions to further secure and maintain our very high levels of security.

This document outlines the changes made.

2 Security headers

bxp uses IIS 7.5 as our webserver. When your browser chats to IIS a number of hidden headers are transmitted to your browser. A number of these headers were updated.

2.1 X-Frame-Options

Anti-clickjacking header added.

• https://www.owasp.org/index.php/Clickjacking
• https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

2.2 X-XSS-Protection

This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. This header is supported in IE 8+, and in Chrome. The anti-XSS filter was added in Chrome 4.

• https://www.owasp.org/index.php/List_of_useful_HTTP_headers
• http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
• http://stackoverflow.com/questions/9090577/what-is-the-http-header-x-xss-protection

2.3 X-Content-Type-Options

The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions. This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.

• https://www.owasp.org/index.php/List_of_useful_HTTP_headers

3 ASPSESSIONID

The session state cookie is one used by other Classic ASP services for various reasons including visitor account management. bxp has never used the ASPSESSIONID cookie. The service was enabled and showing false positives on security scans. This service has now been disabled on the servers removing this perceived threat.

4 crossdomain.xml

http://www.ookla.com/support/a21097566/What-is-crossdomain-xml-and-why-do-I-need-it

Basically this is the restriction for Flash player. It says that Flash is only allowed to get content from X specified servers.

• http://code.tutsplus.com/tutorials/quick-tip-a-guide-to-cross-domain-policy-files--active-3832
• http://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

5 Testing engine

All of our testing was done using Nikto v2.1.6 from a Kali Linux 2.0 instance.

A false positive was also found in the test for localstart.asp which was removed from the servers. A redirect to a custom 404 error page gives the impression that it is.