Friday 1 June 2012

Security assessment summary

We did a security assessment of Stadium in January this year. It was done by a company called Sensepost.

Risk Summary

The overall application security risk rating was calculated as: Medium

The result is based on the following statistics:

Total number of findings: 11
  • High findings: 3
  • Medium findings: 5
  • Low findings: 3
The assessment was made on the basis that the application was accessible over the internet.

As a first step, we have decided to address all the high priority issues in Stadium 4.
  • Cross-site scripting
Overview
'The Stadium3 application was vulnerable to a persistent cross-site scripting (XSS) attack. Example: When adding a new item to the tree view, it was possible to inject JavaScript in a node. Since no input validation or output encoding was performed on this user input, the injected JavaScript was reflected back and executed by the victim's browser.'

Business Impact
A successful attack could allow an attacker to gain access to the environment as another user. This could lead to authorisation of malicious transactions.

Changes made
All controls that had a cross-site scripting vulnerability have been changed so that any text they output on the page is HTML-encoded to prevent script injection.

This means that HTML injection is no longer possible. This may be a problem for existing implementations that currently rely on HTML injection in their applications.
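As an added illustration (not Stadium's code or Sensepost's), here is the output-encoding pattern the fix describes, applied to a tree-view node label: the pre-fix string concatenation beside the HTML-encoded version. The function names, the `<li>` markup and the sample labels are assumptions constructed for this example; the markup label also shows the compatibility caveat above, since legitimate HTML in a label is now rendered as literal text.

```javascript
// Added example of HTML output encoding; names and markup are assumed,
// this is not Stadium's code.

// Encode the five characters that can change HTML context, so user text
// is always rendered as text and never parsed as markup or script.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pre-fix pattern: the node label is concatenated into the markup
// unencoded, so any tag inside the label becomes a real tag.
function renderTreeNodeUnsafe(label) {
  return "<li class=\"node\">" + label + "</li>";
}

// Post-fix pattern: same markup, but the label is HTML-encoded, so any
// markup a user typed is displayed literally instead of being parsed.
function renderTreeNode(label) {
  return "<li class=\"node\">" + htmlEncode(label) + "</li>";
}

// Constructed sample labels: an ordinary one, and one containing markup
// of the kind an existing implementation might have relied on injecting.
const ordinaryLabel = "Quarterly figures & forecasts";
const markupLabel = "<b>Totals</b>";

// Check used below: true when the rendered fragment contains no tag other
// than the <li> wrapper the control itself emits.
function containsOnlyWrapperTags(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.every((t) => /^<\/?li\b/i.test(t));
}

console.log(renderTreeNodeUnsafe(markupLabel)); // <b> survives as markup
console.log(renderTreeNode(markupLabel));       // <b> shown as &lt;b&gt;
```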
  • Application does not use encryption
Overview
The application did not make use of any encryption mechanism. This opens the application up to sniffing attacks, whereby an attacker could intercept information being sent from the client to the server.

Business Impact
Since the application information is transmitted in clear text over an unencrypted connection, an attacker may intercept and view sensitive information such as login details.

Changes made
No code changes were made. The fix for this is to use an SSL certificate on the web server.
  • Clear text submission of password
Overview
The login form sent the password in clear text over the internet. This could expose customers' credentials and HTTP session IDs to network packet capture attacks.

Business Impact
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network.

Changes made
No code changes were made. The fix for this is to use an SSL certificate on the web server. Further explanation can be found at:

http://www.w3.org/2001/tag/doc/passwordsInTheClear-52