Penetration Testing Report - E-spincorp


Penetration Testing Report
Independent / 3rd party Web Application Vulnerability & Security Assessment / Penetration Testing / Audit (come with report)
### customer name censored ###
### date and version censored ###
E-SPIN * Copyrighted. E-SPIN GROUP OF COMPANIES. All Rights Reserved.

http://www.e-spincorp.com website   info@e-spincorp.com email

Our Ref: SWYY-NNNN
###Date###
###Customer name and address###
Attn: ###Full Name of the person, Title###
CC:

RE: Independent / 3rd party Web Application Vulnerability & Security Assessment / Penetration Testing / Audit (come with report) for https://[ IP Address ]esupplier/qbe sg/pages/login/login.do

We would like to express our gratitude for engaging E-SPIN to provide this first service report and recommendations on the findings, as per our subscribed service deliverables. This report will be used as the baseline for conducting "vulnerability fixing"; the final pen test (if subscribed) will be conducted afterwards to certify whether the vulnerabilities have been fixed and the system is considered secured or improved overall. Mr. ###person name### is an officer of the company who is authorised to make all commitments in this documentation and report. Future communications should go through our appointed Account Manager (AM) or Customer Service Representative (CSR) once the project has been successfully signed off. Once again, it is our pleasure to assist you with your security assessment and/or penetration test project. Thank you.

Yours faithfully,
for E-SPIN
###person name###
###title###
###unit###
###email### email
c.c. -

E-SPIN GROUP OF COMPANIES ( Enterprise Solution Professional on Information and Network ) *

Document Control

Document History
Version   Date          Author               Comments
0.9       ### Date ###  ###Person Name ###   Final Draft
1.0       ### Date ###  ###Person name ###   Final QA Pass

Document Distribution
Version   Date          Comments
0.9       ### Date ###  E-SPIN Internal
1.0       ### Date ###  Release to CLIENT

Author
Name      ###Person Name###
Position  ###position### ###Unit###
Tel       ###telephone###
Fax       ###fax###
Email     ###email address###
Web       www.e-spincorp.com

Table of Contents
Item   Description                   Page
1.0    EXECUTIVE SUMMARY             1
2.0    TECHNICAL DETAIL FINDINGS     3

1.0 EXECUTIVE SUMMARY

1.1 OBJECTIVES
The E-SPIN team was engaged by ###customer name### (hereinafter CLIENT) to conduct independent security assessment and/or penetration testing services on their End Client systems, to help identify any potential risks and to suggest appropriate security measures to deal with any exposures uncovered. The intent was to see to what extent an external attacker could penetrate the subscribed systems, given one external web IP. This test focused on identifying technical vulnerabilities that a competent external attacker could exploit to gain privileged access to the systems. Two (2) credentials for the web application were provided, and the external IP (URL) was tested remotely on the dates given.

1.2 SCOPE
E-SPIN was engaged by CLIENT to perform independent security assessment and/or penetration testing services on the following:

External URL: https:// IP Address/esupplier/qbe sg/pages/login/login.do

Credentials provided for authenticated testing:
Admin Login   User ID: XXX   Password: XXX
Agent Login   User ID: XXX   Password: XXX

The testing was conducted over the period from Date 1 to Date 5.

1.3 WHAT WE TESTED FOR
A large part of the effort in performing a penetration test consists of searching for information about the network and looking for holes and weaknesses in the configuration or software. The team gathers as much information as it can and uses this information to search security databases for known vulnerabilities affecting the systems found. The report contains information about what was found and how it may lead to a compromise of the systems tested. Thousands of unsuccessful automated and manual attacks have not been documented in this report, but areas where steps should be taken to strengthen the infrastructure and reduce the possibility of a successful attack are included. New exploits and vulnerabilities are being developed and discovered daily, so even though an attack may not be successful today, the same cannot be assumed about the future.

1.4 KEY FINDINGS AND RECOMMENDATIONS

Severity scale: Critical / High / Med / Low / Info

Reference   Vulnerability                                         Risk          Item
3.1         Cross site scripting                                  High          7
3.2         SSL 2.0 deprecated protocol                           High          1
3.2         HTML form without CSRF Protection                     Medium        6
3.3         Slow HTTP Denial of Service Attack                    Medium        1
3.4         SSL weak ciphers                                      Medium        3
3.5         The FREAK attack (export cipher suites supported)     Medium        2
3.6         The POODLE attack (SSLv3 supported)                   Medium        1
3.7         Clickjacking: X-Frame-Options header missing          Low           1
3.8         Cookie without HttpOnly flag set                      Low           1
3.9         Cookie without Secure flag set                        Low           3
3.9         Login page password-guessing attack                   Low           3
3.10        TRACE method is enabled                               Low           1
3.11        Email address found                                   Information   2
3.12        Possible CSRF (Cross-site request forgery)            Information   10

The risk associated with the application tested in this assessment is considered to be "High", due to the two (2) High Risk vulnerability items found. The most critical vulnerabilities that the E-SPIN team came across in this web application penetration test were "Cross Site Scripting (XSS)" and "SSL 2.0 Deprecated Protocol", the latter correlated with the Medium severity findings SSL Weak Ciphers, The FREAK attack (export cipher suites supported) and The POODLE attack (SSLv3 supported). An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and its clients, based on the SSL 2.0 and weak ciphers referred to. A server-side configuration that ensures the web application only makes use of the much stronger TLS 1.0 will significantly improve the overall security posture to "Medium". With the removal of SSL and the weak ciphers mentioned, and the implementation of CSRF protection on your forms, the security posture can be improved further to "Low".

The E-SPIN team also found a number of less critical vulnerabilities that could be fixed to improve the security of the web application. Based on these findings, the recommended remedial actions for these vulnerabilities include:
- Configure your web server to include an X-Frame-Options header.
- If possible, set the HttpOnly flag on cookies.
- If possible, set the Secure flag on cookies.
- Implement some type of account lockout after a defined number of incorrect password attempts.
- Disable the TRACE method on the web server.
- Remove unnecessary email addresses, because email addresses posted on web sites may attract spam.
- Insert custom random tokens into every form and URL that will not be automatically submitted by the browser.

E-SPIN thanks CLIENT for the opportunity to assist in your security program and looks forward to working with you in the future.
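As a worked check for the header and cookie recommendations above (items 3.7 to 3.10), here is an added Python example that is not part of the E-SPIN report: it parses a captured HTTP response and lists which of those findings still apply, treating a CSP frame-ancestors directive as an acceptable equivalent of X-Frame-Options. The response text and the JSESSIONID cookie name are constructed for the example; a response captured from the real login page would be fed in the same way.

```python
# Constructed sample OPTIONS response showing the report's header and cookie
# findings (JSESSIONID is an assumed cookie name, not taken from the report).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Allow: GET,HEAD,POST,OPTIONS,TRACE
Set-Cookie: JSESSIONID=abc123; Path=/esupplier
Set-Cookie: lang=en; Path=/; Secure
"""

# The same response after applying the report's recommendations.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Allow: GET,HEAD,POST,OPTIONS
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=abc123; Path=/esupplier; Secure; HttpOnly
Set-Cookie: lang=en; Path=/; Secure; HttpOnly
"""

def parse_headers(raw):
    """Turn a raw response (status line first) into [(lower-cased name, value), ...]."""
    headers = []
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def cookie_findings(set_cookie):
    """Report a Set-Cookie value that lacks the HttpOnly or Secure attribute."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    issues = []
    if "httponly" not in attrs:
        issues.append(f"cookie {name} without HttpOnly flag set")
    if "secure" not in attrs:
        issues.append(f"cookie {name} without Secure flag set")
    return issues

def check_response(raw):
    """Return the header and cookie findings for one captured response."""
    headers = parse_headers(raw)
    # A CSP frame-ancestors directive is the modern equivalent of X-Frame-Options.
    csp = " ".join(v for n, v in headers if n == "content-security-policy")
    findings = []
    if "x-frame-options" not in {n for n, _ in headers} and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options header missing")
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(cookie_findings(value))
        elif name == "allow" and "TRACE" in {m.strip().upper() for m in value.split(",")}:
            findings.append("TRACE method is enabled")
    return findings
```

Running check_response on WEAK_RESPONSE lists the missing header, the enabled TRACE method and the three cookie flag gaps; on HARDENED_RESPONSE it returns an empty list, which is the state the re-test should confirm.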

2.0 TECHNICAL DETAIL FINDINGS

2.1 INTRODUCTION
The detailed findings are contained in the following sections; each section describes the finding and includes an assessment of the risk and the actions that can be taken to mitigate it. The findings are listed in the order in which they were discovered. This order of presentation shows how potentially low risk vulnerabilities may sometimes be used to escalate the privilege of the attacker and allow the discovery of higher risk vulnerabilities. Whilst each individual vulnerability is more or less self-contained, each of these vulnerabilities might be a stepping stone towards a full compromise of the systems. Information discovered through a single vulnerability is likely to assist the attacker in making a more serious attack later on. Therefore, it is imperative to consider all of the recommendations as a whole, regardless of their apparent severity. A successful attack often requires exactly the right combination of software, misconfiguration, timing and luck. Knowledge and information about a system is one of those factors. It is important to reduce the amount of information available to the attacker in order to minimize the chance of a successful attack.

2.2 VULNERABILITY LEVELS
To aid in assessing the risk associated with each vulnerability, the following risk levels are given:

Unknown    Software/system that is considered vulnerable, but the team was unable to complete testing.
Low        Information disclosure. The information gleaned from these vulnerabilities will not allow an attacker to gain direct access to systems or data. It may, however, be used to escalate a separate vulnerability.
Medium     A vulnerability that, by itself, will not allow unauthorised access to systems/data. However, two or more Medium rated vulnerabilities used in conjunction may allow an attacker unauthorised access to systems or data.
High       A medium to high level of technical knowledge is required for an attacker to gain unauthorised access to a system/data from a single vulnerability. The ability for an attacker/user to harm the professional image of a corporation.
Critical   The vulnerability could be used to compromise the application or infrastructure, resulting in a severe business impact.

Overall Risk Severity (rows: Impact; columns: Likelihood)

Impact \ Likelihood   LOW      MEDIUM   HIGH
HIGH                  Medium   High     Critical
MEDIUM                Low      Medium   High
LOW                   Note     Low      Medium
