Infosec Risk Assessment by hakimkt

Authentication

| # | Name | Description | Assessment Method(s) |
|---|------|-------------|----------------------|
| 3.1.1 | SSL Enforcement | Does the application force an SSL connection for the login? If yes, does it force SSL for all "logged in" pages? | Manual Test, Ask System Admin |
| 3.1.2 | Authentication Mechanisms | Does the site employ a standard authentication mechanism approved for use by the company's IT Security department, or does it use a custom authentication solution? Custom authentication schemes should be looked at very closely. | Ask Developer, Code Review |
| 3.1.3 | Use of Encrypted Communication When Passing Credentials To Back-end Servers | Does the application send user credentials to any back-end systems (DB or LDAP server, for example) in the clear, or are the credentials encrypted in transit? | Ask Developer, Code Review |
| 3.1.4 | Storing Credentials In a Cookie | Does the site store user credentials in a cookie and use this as the sole means of controlling access to the user's "logged-in" pages? If yes, this means that the logout button can't destroy the user's session server-side. Recommend storing credentials in the session, server-side. Even encrypted credentials shouldn't be stored client-side. | Manual Test, Ask Developer |
| 3.1.5 | Password Complexity | Evaluate password complexity requirements against the company's IT Security standards. | Manual Test, Ask Developer |
| 3.1.6 | Account Lockout | Does the site track failed login attempts server-side and lock the user ID after a certain number of failed login attempts? | Manual Test, Ask Developer |
| 3.1.7 | Generic Login Failure Message | Does the site provide a generic login failure message that doesn't indicate whether or not the user ID attempted was a valid user ID? For example, "Your user ID or password is incorrect." | Manual Test |
| 3.1.8 | Secure Storage Of Credentials | Are passwords and the answers to "forgot password" questions stored in hashed format or in clear-text? | Ask Developer, Manual Test |
| 3.1.9 | Forgot Password Logic – Information Disclosure | Does the Forgot Password feature give you feedback that indicates whether or not an entered user ID is valid? | Manual Test |
| 3.1.10 | Forgot Password Logic – Strength of Security Questions | Does the Forgot Password feature allow the user to choose from only a pre-defined list of strong questions? (Allowing a user to choose their own security question, or having questions whose answers are easy to brute force ("What is the color of your favorite car?"), would be a security issue.) | Manual Test |
| 3.1.11 | Forgot Password Logic – Bypassing Security Question | Is there any way to bypass the security question and jump straight to the "Reset password" page, or manipulate the site into changing/resetting another user's password? | Manual Test |
| 3.1.12 | Forgot Password Logic – Establishing New Password | Upon answering the security question correctly, does the site: 1. Reset the user's password to a temporary value, email it to the email address on file, and force the user to change the password to a permanent value at next login (best); 2. Allow the user to immediately choose a new password in-session (not as secure); 3. Other (evaluate case-by-case). | Manual Test |
| 3.1.13 | Enforcement of Periodic Password Changes | Does the application require users to change their passwords periodically? | Ask Developer, Code Review |
| 3.1.14 | Reauthenticating User When Changing Password or Security Info | Does the application ask the user to re-enter their old password when making a password change or changing other security info such as the security question and answer? | Manual Test |
| 3.1.15 | Use of POST Method When Passing Credentials | Are credentials always submitted to the web server via the POST method? Are the user ID and/or password ever passed in the URL? | Manual Test, Scan |
| 3.1.16 | Disabling Browser Autocomplete Feature | Is autocomplete set to false for password, username, and all other sensitive inputs? | Manual Test |
| 3.1.17 | Does Application Use Unpredictable User Names? | Are the application's usernames unpredictable, or do they follow a pattern (such as all being 5-digit numbers)? | Ask Developer, Manual Test |
| 3.1.18 | Logging of Authentication Events | Are logins, logouts, password changes, password resets, account locks, and account unlocks logged by the application? Are the logs adequately protected? | Ask Developer, Manual Test |

Session Management

| # | Name | Description | Assessment Method(s) |
|---|------|-------------|----------------------|
| 3.2.1 | Randomness of Session Token | Does the site use a cryptographically random session token? (for example, a GUID) | Manual Test |
| 3.2.2 | Method of Passing Session Token | Does the site pass the session token from page to page in a cookie or hidden field (good), or in the URL (not secure)? | Manual Test |
| 3.2.3 | Use of Secure Cookies | Does the site mark its session cookie(s) with the "secure" attribute so it can only be passed via SSL? | Manual Test |
| 3.2.4 | Use of HttpOnly Cookies | Does the site mark its session cookie(s) with the "HttpOnly" attribute so the cookie cannot be accessed via client-side Javascript code? | Manual Test |
| 3.2.5 | Use of Non-Persistent Cookies For Tracking Session | Does the site use session cookies (with no "Expiration" attribute) for storing its session token, or does it use persistent cookies (with an "Expiration" attribute set to a future date)? Session cookies should be used. | Manual Test |
| 3.2.6 | Cookie Scope | Is the scope of the session cookie as restrictive as possible? The most restrictive scope would be to not set a "Domain" attribute for the cookie, so that it is only passed back to pages within the FQDN that set the cookie. Some apps require a broader scope, such as ".yourcompany.com", so that the cookie can be passed to multiple subdomains. | Manual Test, Ask Developer |
| 3.2.7 | Session Timeout | Does the application have a session timeout that is tracked server-side? What happens when a user attempts to access the site after the user's session has timed out? | Ask Developer, Manual Test |
| 3.2.8 | Permissive or Strict Session Management | Does the web application allow a user to choose their own session ID (permissive), or will the application only accept session IDs that were generated by the application (strict)? | Ask Developer, Manual Test |
| 3.2.9 | Generating New Session After Login | Does the application generate a new session and assign a new session ID to the user immediately after a successful login? (to protect against Session Fixation attacks) | Manual Test |
| 3.2.10 | Logout Functionality | Does the application provide a Logout link for the user? Does clicking on the Logout link result in the session being destroyed on the server-side as well as clearing any session cookies? | Manual Test |
| 3.2.11 | Contents of Cookies | Do the cookies set by the application contain any sensitive info, such as the User ID, Roles, system info, etc.? | Manual Test |

Input Validation

| # | Name | Description | Assessment Method(s) |
|---|------|-------------|----------------------|
| 3.3.1 | Global Whitelist-based Input Validation | Does the site employ whitelist-based server-side input validation of all inputs? (GET and POST parameters as well as cookies) | Ask Developer, Code Review, Manual Test |
| 3.3.2 | ASP.Net Request Validation | For ASP.Net applications, is the built-in request validation turned on for all web pages? It can be turned off on a per-page basis, so all pages should be checked. | Manual Test, Code Review |
| 3.3.3 | Use of Parameterized Queries | Are parameterized queries or stored procedures (which are parameterized) used for all database calls? Does the application employ a centralized data access component for all database calls that enforces the use of parameterized queries? Is dynamic SQL used anywhere in the application? | Ask Developer, Code Review |
| 3.3.4 | Output Encoding | Is all output that comes from untrusted input being properly encoded? (HTML, URL, or Javascript encoding should be used depending on the context.) For ASP.Net applications, the Microsoft Anti-Cross-Site Scripting Library is strongly recommended for performing this output encoding. | Ask Developer, Code Review |
| 3.3.5 | URL Redirection | Are there any pages that take a URL as input and redirect to the given URL? Can these pages be tricked into redirecting to non-Progressive URLs that the application should not be redirecting to? | Manual Testing, AppScan |
| 3.3.6 | Content Spoofing | Are there any pages that take input and echo it back onto the page? For example, an error page that takes a querystring parameter called "message" and displays it verbatim? | Manual Testing |

Configuration

| # | Name | Description | Assessment Method(s) |
|---|------|-------------|----------------------|
| 3.4.1 | Error Handling | Does the application log unhandled exceptions and show the user a generic "technical difficulties" message rather than displaying the detailed error? | Manual Test, Ask Developer |
| 3.4.2 | Protection of Debug Pages | Are all pages that should be internal use only placed in a separate folder with IP restrictions? Are very sensitive debug pages in a separate folder that is protected with strong authentication plus IP restrictions? All pages on the web server should be examined to make sure that no sensitive pages are in unprotected folders. | Ask Developer, Manual Test |
| 3.4.3 | Protection of Configuration Files | Are all configuration files stored in a non web-accessible folder? If the configuration files are in a web-accessible folder, are IP restrictions or other controls in place on this folder or folders? | Ask Developer, Manual Test |
| 3.4.4 | Connection Strings | Are all database connection strings in the application's configuration files encrypted? Another solution is to use Windows Authentication for SQL Server, which does not require the connection string to have a password in it. | Ask Developer, Manual Test |
| 3.4.5 | Backup Files | Are there any backup files or other unnecessary files in web-accessible folders? (home.old, home.bak, etc.) | Manual Test |
| 3.4.6 | Include Files | Are there any .inc files used by the application? Is the web server configured not to serve up these .inc files? (IIS 6 is good by default; IIS 5 needs to be configured to respond with a 404 for .inc files or other specific file types.) | Manual Test, Ask Developer |
| 3.4.7 | Directory Browsing | Is Directory Browsing enabled on any of the web folders? | Scan |
| 3.4.8 | Information Leakage In Code Comments | Is any sensitive information included in HTML, Javascript, or other comments? For example, developer names, system info, URLs to admin pages, etc. | Scan, Manual Test |
| 3.4.9 | Secure Communication With Back-end Services | When the application calls back-end web services that handle sensitive data or perform sensitive transactions, are SSL and authentication being used by the web services? | Ask Developer, Manual Test |
| 3.4.10 | Web Application Service Account | Is the web application running under a service account that has only the minimal privileges needed to run the application? | Ask System Admin |
| 3.4.11 | Developer Access To Production | Do developers have write access to the Production web servers, or do they need to use a formal elevate process to make changes in Production? | Ask System Admin |
| 3.4.12 | Caching of Sensitive Content | Does the application set the proper response headers to prevent browsers and intermediate proxies from caching sensitive content? (Cache-Control: no-cache) | Manual Test, Scan |
| 3.4.13 | Existence of Robots.txt File | Does the web root of the application contain a robots.txt file that restricts search engine spiders from indexing the application's pages? | Manual Test |

Sensitive Data Handling

| # | Name | Description | Assessment Method(s) |
|---|------|-------------|----------------------|
| 3.5.1 | Protection of Sensitive Data | Does the application handle any data that is classified as non-public, sensitive, or highly sensitive? Does the application follow the company's IT Security policies when handling this data? (in regards to how it is stored, displayed, and transmitted by the application) | Manual Testing, Ask Developer |
| 3.5.2 | Masking of Sensitive Data Elements | Are the following data elements being masked if they are returned in a response from the application? SSN, DOB, DLN, CC#, Bank Account #, Password, Security Answer | Manual Testing, Ask Developer |
| 3.5.3 | Caching of Sensitive Pages | Is the application setting the proper "Cache-Control: no-cache" header to prevent browsers and intermediate proxies from caching sensitive pages? | Scan |

Privilege Escalation

| # | Name | Description | Assessment Method(s) |
|---|------|-------------|----------------------|
| 3.6.1 | Horizontal Privilege Escalation | Are there any security weaknesses that could allow one user to gain access to another user's account data? For example, an Account Number being passed around by the application that could be tampered with to access another user's account data. | Manual Testing, Ask Developer |
| 3.6.2 | Vertical Privilege Escalation | Are there any security weaknesses that could allow a low-privileged user to gain higher privileges? For example, can a normal user access pages and transactions meant only for admin users? | Manual Testing, Ask Developer, Scan |
| 3.6.3 | Secret Parameters | Are there any secret parameters like "debug=true" that will cause the application to provide access to extra functionality? | Ask Developer, Code Review |

Logical Vulnerability Checks

| # | Name | Description | Assessment Method(s) |
|---|------|-------------|----------------------|
| 3.7.1 | Skipping Steps In Multi-Step Process | Are there any multi-step processes used by the application where it's possible to skip steps in a way that exploits the application? For example, can you skip straight to the "reset password" page without answering the security question first, or skip past a page that requires solving a captcha? | Manual Testing, Code Review |
| 3.7.2 | Parameter Tampering | Are there any parameters passed around by the application that could be tampered with to exploit the application? For example, modifying the price of an item by manipulating a hidden field value, or changing an invoice number to view another customer's invoice? | Manual Testing, Code Review |

Standardized Security Components

| # | Name | Description | Assessment Method(s) |
|---|------|-------------|----------------------|
| 3.8.1 | Encryption | Does the application make use of encryption (besides SSL)? If yes, does it use the IT Security department's approved crypto component and key management system? | Ask Developer, Code Review |
| 3.8.2 | Session Handling | Does the application use its own custom-built session handling mechanism, or does it use the built-in mechanisms of ASP.Net, Java, etc.? | Ask Developer, Manual Testing |
| 3.8.3 | Authentication | Does the site employ a standard authentication mechanism approved for use by the company's IT Security department, or does it use a custom authentication solution? Custom authentication schemes should be looked at very closely. | Ask Developer, Manual Testing, Code Review |

PCI Compliance

| # | Name | Description | Assessment Method(s) |
|---|------|-------------|----------------------|
| 3.9.1 | Forcing of SSL Connection | Does the application force a minimum 128-bit SSL connection for the entire site for users accessing it via the Internet? Redirecting port 80 or disabling port 80 is acceptable. | Manual Test, Ask DSE |
| 3.9.2 | Masking of Credit Card Number | Does the application always mask the credit card number in all server responses, displaying at most the first 6 and last 4 digits of the card number? Does it respond with the full card number in any situation? (For example, when the page re-renders after an edit, or when the user back-buttons to the previously completed credit card page.) | Manual Test |
| 3.9.3 | Storage of Credit Card Number | Does the application store the full card number to disk? If the application has a need to store the card number, is it using the company's approved PCI-compliant solution? | Ask Developer, Manual Test |
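The session-management items 3.2.3 to 3.2.6 and 3.2.11 can be checked mechanically from the Set-Cookie headers a tester captures. The following Python is an added example, not part of the original checklist: the sample headers are constructed, and the list of cookie names treated as hints of sensitive contents is an assumption of this example.

```python
"""Audit Set-Cookie headers against checklist items 3.2.3 to 3.2.6 and 3.2.11."""
from dataclasses import dataclass

@dataclass
class Finding:
    item: str     # checklist item the finding maps to, e.g. "3.2.3"
    cookie: str   # name of the cookie the finding applies to
    message: str

# Assumed hint list: cookie names that suggest user ID or role data (item 3.2.11).
SENSITIVE_NAME_HINTS = ("user", "uid", "role", "admin", "pass", "pwd")

def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_set_cookie(header: str) -> list:
    """Return one Finding per checklist item the cookie fails."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(Finding("3.2.3", name, "no Secure attribute; cookie can be sent over plain HTTP"))
    if "httponly" not in attrs:
        findings.append(Finding("3.2.4", name, "no HttpOnly attribute; readable by client-side script"))
    if "expires" in attrs or "max-age" in attrs:
        findings.append(Finding("3.2.5", name, "persistent cookie; a session cookie is expected"))
    if "domain" in attrs:
        findings.append(Finding("3.2.6", name, f"Domain={attrs['domain']} widens scope beyond the setting FQDN; confirm it is required"))
    if any(hint in name.lower() for hint in SENSITIVE_NAME_HINTS):
        findings.append(Finding("3.2.11", name, "name suggests user ID or role data; verify the cookie contents"))
    return findings

def audit_all(headers) -> list:
    return [f for h in headers for f in audit_set_cookie(h)]

# Constructed sample headers (not captured from any real application).
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "UserRole=admin; domain=.yourcompany.com; expires=Fri, 01-Jan-2027 00:00:00 GMT; path=/",
    "SID=xyz789; path=/; Secure; HttpOnly",
]
if __name__ == "__main__":
    for f in audit_all(SAMPLE_HEADERS):
        print(f"[{f.item}] {f.cookie}: {f.message}")
```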
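Item 3.9.2 asks whether a full card number ever appears in a server response, including re-rendered edit pages. Also added here and not from the original document: a Python check that masks a card number to its first 6 and last 4 digits and scans a response body for unmasked numbers; the sample response is constructed, and the Luhn filter is this example's own choice for reducing false positives on other digit runs.

```python
"""Check item 3.9.2: card numbers masked to first 6 / last 4 in every server response."""
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Return the PAN with at most the first 6 and last 4 digits visible."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("too short to be a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_unmasked_pans(body: str) -> list:
    """Return every Luhn-valid full card number found in a response body."""
    hits = []
    for match in PAN_RE.finditer(body):
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits

# Constructed sample response; 4111111111111111 is a well-known test card number.
SAMPLE_RESPONSE = (
    '<input type="hidden" name="cc" value="4111 1111 1111 1111">'   # full PAN re-rendered after edit
    "<p>Card on file: 411111******1111</p>"                           # correctly masked
    "<p>Order 20240101123456 shipped</p>"                             # 14 digits, fails Luhn, ignored
)

if __name__ == "__main__":
    for pan in find_unmasked_pans(SAMPLE_RESPONSE):
        print(f"unmasked card number in response; should read {mask_pan(pan)}")
```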
