
Web Application Penetration Assessment For Texas Medical Center

December 13, 2010

Submitted to:
Kevin Leonard
Texas Medical Center
2450 Holcombe Boulevard, Suite 1
Houston, Texas 77021-2040

Presented by:
Baccam Consulting LLC
Tanya Baccam
PO Box 894
Little Elm, TX 75068

Texas Medical Center Web Application Penetration Assessment

Executive Summary ... 3
Management Summary ... 5
  Overview ... 5
  Approach & Methodology ... 5
    Phase I Identification ... 5
    Phase II Vulnerability and Penetration Identification ... 6
    Phase III Prioritization and Mitigation ... 9
    Phase IV Reporting ... 9
  Observation Summary ... 10
  Summary ... 10
Detailed Results ... 11
  Detailed Observations ... 11
    High Risk ... 11
      1) Persistent Cross Site Scripting Vulnerability ... 11
      2) Upload Capability should do Additional Filtering ... 17
      3) Cross Site Request Forgery Vulnerabilities ... 18
      4) URLs Not Properly Restricted ... 23
      5) Record Enumeration ... 25
    Medium Risk ... 31
      1) Missing Secure Attribute in Encrypted Session (SSL) Cookie ... 31
      2) Password Reset Process should be Secured ... 31
    Low Risk ... 33
      1) HTTP Headers Reveal Unnecessary Information ... 33
      2) Unnecessary Methods Supported ... 33

Baccam Consulting LLC

Proprietary and Confidential

Page 2


Executive Summary

Baccam Consulting was contracted during November and December 2010 to conduct a Web Application Penetration Assessment for the Contract Parking web application located at: https://contractparking.texasmedicalcenter.org/TMCContractParking/CP/Login.aspx

The engagement focused on identifying vulnerabilities related to the following categories:

- Authentication
- Authorization
- Session IDs
- Element Manipulation vulnerabilities
- Logical vulnerabilities
- Sensitive information disclosure
- Anti-automation and/or anti-spam controls
- Encryption controls

Initially, a number of scans were conducted to identify vulnerabilities. It should be noted that the scans themselves did not identify a large number of vulnerabilities. Instead, only potential items were identified, and low risk vulnerabilities enumerated. The high risk vulnerabilities identified throughout this report were found primarily by manual testing. This means it will take a more skilled attacker to find and understand the vulnerabilities, versus an attacker who is simply using a tool. However, given this manual testing, a number of high risk vulnerabilities were identified. The following is a listing of the vulnerabilities at a high level. Each vulnerability identified is described in more detail throughout this report, including details on how the vulnerability was exploited.

- User input is not being properly filtered.
- Users can be impersonated via vulnerabilities within the application.
- Users can be manipulated into making requests they did not intend to make, thereby manipulating account information.
- Records can be enumerated by users who should not have access to the records.
- URLs are not being properly restricted to the appropriate users.
- Data is not being properly encrypted.
- The password reset process is not secure.
- Unnecessary information is being provided by the application.
- Unnecessary functionality is being supported by the application, which broadens the attack surface.

While extensive steps were taken to identify all reasonably exploitable vulnerabilities, it should be noted that with additional manual testing there is a possibility that more vulnerabilities exist. However, given that the web application firewall was in place throughout the engagement, identifying additional vulnerabilities can be very time consuming. Even without the web application firewall, vulnerabilities that are identified manually can take a significant period of time to find. Of course, this also means it will be more difficult for a true attacker.

Overall, while a number of good security practices were identified, there is also an overall weakness in the coding practices for the application. It was apparent that some of the security risks have not been addressed within the application. This may also mean that the risks are not understood. Therefore, it is also important that Texas Medical Center ensure that each developer is aware of and understands the types of vulnerabilities that can exist, as well as how to protect against them.


Management Summary

Overview

Baccam Consulting was contracted during November and December 2010 to conduct a Web Application Penetration Assessment for the Contract Parking web application located at: https://contractparking.texasmedicalcenter.org/TMCContractParking/CP/Login.aspx

Throughout this report, additional details will be provided related to the vulnerabilities that were identified for the application.

Approach & Methodology

Following is a summary of the methodology that Baccam Consulting follows for penetration assessment engagements. In order to address each of the phases highlighted below, Baccam Consulting deployed the following approach and methodology. Our approach has been tailored to meet your specific needs while being built on a proven methodology. Our methodology is built in such a way that future engagements can also build on the information obtained in this assessment.

Phase I Identification

The identification phase focuses on gathering information about the systems in the environment, as well as how they are configured. In this case, the technical configuration of the systems was assessed. Using tools such as network mapping tools and port scanning tools, Baccam Consulting seeks to obtain a snapshot of the environment at the current point in time. Some of the specific steps we will execute include:

- Using port scanning software to identify any open ports or services on devices or servers reachable via the Internet.
- Connecting to open ports using TCP or UDP network utilities to determine the operating systems, applications and network service versions in use.
- Searching the web site to understand the business flow and possible vulnerabilities for the applications.

The following are examples of the types of technical tools that can be utilized to complete this process:

- Hping/Nemesis: network probing utilities which assemble and send custom ICMP/UDP/TCP packets.
- Netcat: an all-purpose tool; a simple utility that reads and writes data across network connections using either the TCP or UDP protocol.
- Nmap: a tool that allows you to identify the ports that are open on a remote machine, as well as the services running on those ports. Additional capabilities such as operating system identification and reconnaissance can also be conducted.
- Sam Spade: provides tools such as ping, nslookup, whois, dig, traceroute, finger, raw HTTP web browser, DNS zone transfer, SMTP relay check, website search, and more.
- Web browsers: tools used to identify the flow of a web application, as well