Security & Information Management

• The industry standard adhered by the data centre for hosting the applications is ISO 27001:2005.
• All Servers are hosted in UK-London.

NCC Group was contracted by PSI to conduct a security assessment of the JMS, AWT and FSS applications

PSI requested that NCC Group perform a security assessment of JMS, AWT and FSS application as well as the supporting infrastructure in order to identify security issues that in turn could negatively affect PSI’s business or reputation if they led to the compromise or abuse of systems.

The assessment was performed in two separate phases as follows:
External Infrastructure – Tests were performed through the standpoint of an attacker operating over an Internet connection against the server.

Web Application Assessment – All three applications (i.e. AWT, JMS and FSS) were tested from both authenticated as well non-authenticated level of access.  http://lcc.asbestossearch.co.uk/amsweb/

Conclusion

Due to the remedial work carried out by PSI, the security of the application and hosting servers are now in a much better position.
Although three medium and five low risk issues remain within the applications, it is unlikely that these vulnerabilities will lead to a direct compromise of the infrastructure, application or it’s user base.
Remedial work should be on going to ensure all remaining vulnerabilities are closed to ensure the future integrity of the application.

Detailed Methodology

We will perform an in-depth and thorough testing of in-scope web applications to ensure that correct configuration and recommended practices have been followed to minimise client exposure. The following is a sample list of common tests that are performed when carrying out an application test. It will vary depending on the technology and protocols that have been implemented.

Web Server Specific

•  Identify known vulnerabilities related to the web server version
•  Assess configuration issues
•  Search for default web server content
•  Identify information leakage
•  Locate information hidden within field variables of HTML forms and comments
•  Examine information contained in banners, usage instructions, help messages and error messages

Authentication

• Find a possible brute force password guessing point in the application
•  Find valid login credentials with password grinding
•  Ensure a lockout policy for failed attempts is implemented
•  Assess if a lockout time-out is in place
•  Assess use of generic authentication error messages, preventing username enumeration
•  Bypass authentication with spoofed tokens
•  Bypass authentication with replay of authentication information
•  Determine the application logic to maintain authentication sessions, such as number of failures, logins allowed and login time outs
•  Determine the limitations of access control in the applications – access permissions, login session duration, and idle duration
•  If SSL is implemented, ensure the certificate is correctly configured

Input Manipulation

• Find limitations of defined variables and protocol payload, data length and type, construct format
•  Use exceptionally long character-strings to find buffer overflow vulnerability in applications
•  Concatenate commands in the input strings of the applications
•  Inject SQL language in the input strings of database-tied web applications
•  Examine cross-site scripting opportunities in the web application
•  Examine unauthorised directory or file access with path and directory traversal
•  Execute remote commands through server side includes
•  Manipulate session/persistent cookie
•  Manipulate the (hidden) field variable in the HTML forms
•  Manipulation of HTTP fields such as “Referrer” and “Host”
•  Check validation, ensuring strong type, length and data format input
•  Determine the protocol specification of server/client application
•  Deduce program logic from error or debug messages in application outputs and from program behaviours and performance. By forcing the application to generate errors, useful information can be gained about the logic of the program

Session Management

• Determine session management information – number of concurrent sessions, IP-based authentication, role-based authentication, identity-based authentication, cookie usage, and session ID in hidden HTML field variable
•  Estimate session ID sequence and format
•  Determine if the session ID is maintained with IP address information; check if the same information can be retrieved on another machine
•  Gather excessive information with direct URL, direct instruction, action sequence jumping and/or page skipping
•  Replay gathered information to fool applications
•  Check if commercially proven session tokens are in use such as ASP.NET_SessionID or JSESSIONID
•  Ensure session variables are kept server side
•  Check for validation, cookie re-injection, and cookie manipulation.
•  Ensure session tokens are not mixed with authentication tokens
•  Ensure authentication cookies are non-persistent
•  Check if a session timeout is enforced
•  Check that simultaneous logins are not permitted
•  Ensure that the user session is deleted on logout
•  Ensure the client-server communication channel is adequately secured for intended use

Language and Application Specific

• Identify application default content
•  Availability of administration interface
•  Check for default accounts

Output Manipulation

• Retrieve valuable information stored in cookies
•  Retrieve valuable information from the client application cache
•  Retrieve valuable information stored in serialised objects
•  Retrieve valuable information stored in temporary files and object