Vulnerability Details Report (Sites)

VersionOne, Inc. Report As Of Monday, November 14, 2016

Prepared By [email protected]

Report Description: The Vulnerability Details report provides detailed descriptions of the vulnerabilities found on the sites selected for this report, grouped by vulnerability class. Each report section contains a full description of the vulnerability class, remediation instructions for that class, and a list of specific instances of that vulnerability on each site. Note that this report is available for Sentinel (dynamic testing) only, since it is based on an assessment of the production or pre-production site. This report is intended for security team members, development managers and developers.

Notes: Sites are assessed using dynamic analysis, and vulnerabilities are rated by their severity levels. For descriptions of dynamic analysis and severity levels, please see the Appendix.

Report Filtered By:
  Vulnerability Status: Open, Closed
  Vulnerability Rating: Urgent, Critical, High, Medium, Low
  Start Date: 2016-06-01
  End Date: 2016-11-14

Assets: Number of Sites 1

Selected Vulnerability Classes: Abuse of Functionality, Application Code Execution, Application Misconfiguration, Autocomplete Attribute, Brute Force, Buffer Overflow, Cacheable Sensitive Response, Clickjacking, Configuration, Content Spoofing, Cross Site Request Forgery, Cross Site Scripting, Denial of Service, Directory Indexing, Directory Traversal, Fingerprinting, Format String Attack, Frameable Resource, Frameable Response, HTTP Request Smuggling, HTTP Request Splitting, HTTP Response Smuggling, HTTP Response Splitting, Improper Filesystem Permissions, Improper HTTP Method Usage, Improper Input Handling, Improper Output Handling, Information Leakage, Insecure Indexing, Insufficient Anti-automation, Insufficient Authentication, Insufficient Authorization, Insufficient Cookie Access Control, Insufficient Crossdomain, Insufficient Password Aging, Insufficient Password Policy, Insufficient Password Recovery, Insufficient Password Strength, Insufficient Process Validation, Insufficient Session Expiration, Insufficient Session Invalidation, Insufficient Transport Layer Protection, Insufficient User Session Invalidation, Integer Overflows, LDAP Injection, Mail Command Injection, Missing Transportation Layer Security, Mixed Content, Non-HttpOnly Session Cookie, Null Byte Injection, OS Commanding, OS Command Injection, Path Traversal, Persistent Session Cookie, Personally Identifiable Information, Predictable Resource Location, Query Language Injection, Remote File Inclusion, Routing Detour, Server Misconfiguration, Session Fixation, Session Prediction, SOAP Array Abuse, SQL Injection, SSI Injection, Unpatched Software Version, Unsecured Session Cookie, URL Redirector Abuse, Weak Cipher Strength, Weak Password Recovery, XML Attribute Blowup, XML Entity Expansion, XML External Entities, XML Injection, XPath Injection, XQuery Injection

The Index of Content can be found on the last page.

© 2016 WhiteHat Security, Inc. - WhiteHat Security, Inc. and customer confidential

https://www11.v1host.com/v1test/

This table is sorted by the importance (score) of the site, as set by the vulnerability assessor; the higher the score, the more important the site. Vulnerabilities are then grouped by vulnerability class and by severity level. Each cell shows Open (Closed) counts.

Site Priority: 5
  Urgent:        0 (0)
  Critical:      0 (0)
  High:          0 (1)
  Medium:        0 (0)
  Low:           0 (0)
  Informational: N/A

Legend: Open (Closed)

H  VULN ID - 50617327

Vulnerability Class: Insufficient Transport Layer Protection
Additional Information: weak_cipher
Status: Closed
URL: www11.v1host.com/
Rating: High
Threat: Low
Score: 9
Opened: 2016-09-17 15:34:53 -0700

Custom Description: The server supports the following weak ciphers:

* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA [0xc012] ECDH 3DES 168
* TLS_RSA_WITH_3DES_EDE_CBC_SHA [0x0a] RSA 3DES 168

These ciphers are known to have cryptographic weaknesses that make them unsuitable for use in SSL/TLS. Both suites use 3DES, a 64-bit block cipher: on a long-lived connection that carries enough data under one key, the SWEET32 birthday attack (CVE-2016-2183) can recover plaintext from colliding ciphertext blocks. The 168 shown is the nominal key length; because of meet-in-the-middle attacks 3DES offers at most about 112 bits of security. The second suite also uses static RSA key exchange, so it provides no forward secrecy.

Custom Solution: We recommend disabling support for the export and null cipher suites, as well as cipher suites using RC4 or 3DES. Where TLS 1.0 and 1.1 must still be offered, AES128-SHA is an acceptable minimum; for TLS 1.2, prefer AES128-GCM-SHA256 and, following the Mozilla references below, the ECDHE variants of the AES-GCM suites so that sessions also gain forward secrecy. After the change, confirm with an external scan that no 3DES or RC4 suite is still negotiable, since intermediate load balancers and CDNs terminate TLS with their own cipher lists.

TLS Configuration References:

- https://wiki.mozilla.org/Security/Server_Side_TLS
- https://mozilla.github.io/server-side-tls/ssl-config-generator/
- https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
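The following is an added example (editor's code, not part of the WhiteHat report or of VersionOne's configuration). It parses cipher suites written in the listing format of the finding above, flags each one that must be disabled and says why, separates strong suites that merely lack forward secrecy from those that are fine to keep, and prints an OpenSSL-syntax cipher list of the kind the Mozilla generator produces. The sample listing is constructed: its first two lines are the suites from the finding, the rest are added to exercise the rules. The rule set, the verdict names and the hardened cipher list are the editor's choices, not Sentinel's.

```python
import re

# Constructed sample input in the listing format used by the finding above
# (suite name, IANA id in brackets, key exchange, cipher, nominal key bits).
# Only the first two lines come from the report; the rest are added here to
# exercise the classifier.
SAMPLE_REPORT_LISTING = """
* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA [0xc012] ECDH 3DES 168
* TLS_RSA_WITH_3DES_EDE_CBC_SHA [0x0a] RSA 3DES 168
* TLS_RSA_WITH_RC4_128_MD5 [0x04] RSA RC4 128
* TLS_RSA_WITH_AES_128_CBC_SHA [0x2f] RSA AES 128
* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [0xc02f] ECDH AES 128
* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [0xc030] ECDH AES 256
"""

SUITE_RE = re.compile(r"(TLS_[A-Z0-9_]+)\s*\[0x([0-9a-fA-F]+)\]")

# Rules are matched against the IANA suite name. A suite matching any rule
# must be disabled outright; a suite may match more than one.
WEAK_RULES = [
    (r"_NULL_|_WITH_NULL", "NULL cipher: no confidentiality"),
    (r"_anon_", "anonymous key exchange: no server authentication"),
    (r"EXPORT", "export-grade key length"),
    (r"_RC4_", "RC4 keystream biases (prohibited by RFC 7465)"),
    (r"3DES_EDE", "64-bit block size: SWEET32 birthday attack (CVE-2016-2183)"),
    (r"_DES_CBC|_DES40", "single DES: 56-bit or shorter key"),
    (r"_MD5$", "MD5-based MAC"),
]

# OpenSSL-syntax list for TLS 1.2, in the spirit of the Mozilla generator the
# finding references (editor's assumption, not copied from the report).
# TLS 1.3 suites are configured separately and are all forward-secret AEAD.
# The "!" exclusions are redundant beside an explicit allowlist but cost
# nothing and protect against a later careless edit of the list.
HARDENED_OPENSSL_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "!aNULL", "!eNULL", "!EXPORT", "!DES", "!3DES", "!RC4", "!MD5",
])


def parse_suites(listing):
    """Return [(iana_name, numeric_id)] for every suite in the listing."""
    return [(m.group(1), int(m.group(2), 16)) for m in SUITE_RE.finditer(listing)]


def weak_reasons(name):
    """All reasons a suite must be disabled; an empty list means none apply."""
    return [reason for pattern, reason in WEAK_RULES if re.search(pattern, name)]


def has_forward_secrecy(name):
    """True for (EC)DHE key exchange; TLS 1.3 suites are always forward-secret."""
    if re.match(r"TLS_(AES|CHACHA20)_", name):
        return True
    return "_ECDHE_" in name or "_DHE_" in name


def assess(listing):
    """Map each offered suite to {'id', 'verdict', 'reasons'}.

    verdict: 'disable' (matches a weak rule), 'deprecate' (strong cipher but
    static key exchange, so no forward secrecy), or 'keep'.
    """
    result = {}
    for name, suite_id in parse_suites(listing):
        reasons = weak_reasons(name)
        if reasons:
            verdict = "disable"
        elif not has_forward_secrecy(name):
            verdict, reasons = "deprecate", ["static key exchange: no forward secrecy"]
        else:
            verdict = "keep"
        result[name] = {"id": suite_id, "verdict": verdict, "reasons": reasons}
    return result


if __name__ == "__main__":
    for name, info in assess(SAMPLE_REPORT_LISTING).items():
        print(f"{info['verdict']:9} 0x{info['id']:04x} {name}")
        for reason in info["reasons"]:
            print(f"          - {reason}")
    print("\nsuggested ssl_ciphers / SSLCipherSuite value:\n" + HARDENED_OPENSSL_CIPHERS)
```

To re-check a deployed server rather than a report listing, the OpenSSL alias `3DES` selects exactly the suites this finding is about: `openssl s_client -connect www11.v1host.com:443 -tls1_2 -cipher '3DES' </dev/null`. A completed handshake means the server still negotiates 3DES; a handshake failure is the expected result once the fix is in place.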

Insufficient Transport Layer Protection

Description: Insufficient transport layer protection allows communication to be exposed to untrusted third parties, providing an attack vector to compromise a web application and/or steal sensitive information. When the transport layer is not encrypted, all communication between the website and the client is sent in clear text, which leaves it open to interception, injection, and redirection, collectively known as a man-in-the-middle (MITM) attack. An attacker may passively intercept the communication, giving them access to any sensitive data that is being transmitted, such as usernames and passwords. An attacker may also actively inject or remove content from the communication, allowing the attacker to forge and omit information, inject malicious scripting, or cause the client to access remote untrusted content. An attacker may also redirect the communication in such a way that the website and client are no longer communicating with each other, but instead are unknowingly communicating with the attacker in the context of the other trusted party. Encryption alone is not sufficient: a connection that negotiates an outdated or weak cipher suite, as in the instance above, still exposes the traffic to an attacker who can exploit that suite's weaknesses.

Solution: Ensure all sensitive communication between a client and server is conducted over an SSL/TLS connection. Additionally, outdated weak ciphers should not be utilized by the SSL/TLS connection. Finally, all content on a secure page must be served via HTTPS, including the HTML, JavaScript, images, CSS, XHR, and any other content.

References projects.webappsec.org/Insufficient-Transport-Layer-Protection

Appendix - Assessment Methodology for Dynamic Analysis

WhiteHat Security combines a proprietary vulnerability scanning engine with human intelligence and analysis from its Threat Research Center to deliver thorough and accurate assessments of web applications with its Sentinel Service.

WhiteHat Sentinel dynamic scanning services are all based on a continuously evolving, best-in-class scanning engine with manual verification of all vulnerabilities to ensure quality results. WhiteHat's model allows customers to keep all sites covered at all times with minimal investment of personnel, while having access to the world's largest team of web application security experts, who keep on top of the latest web security issues, manage security assessments for customers, and provide support and information. With the Premium service, the security experts in the Threat Research Center also perform business logic assessments of sites, which may uncover additional issues that cannot be found through automatic scanning. This combination provides the highest quality of security assessments in the industry with high scalability and ease of use, to keep customers on top of their risk posture and help them secure their assets.

Appendix - Vulnerability Level Definitions (by Severity)

Severity is defined as the potential business impact if a specific vulnerability is exploited. The levels of severity are based on the same conditions factored into the PCI Security Scan report ratings, but the definitions below are clarified for Web application security concerns.

The Severity is scored between 0 and 5:

  Urgent:        5
  Critical:      4
  High:          3
  Medium:        2
  Low:           1
  Informational: 0

Severity ratings are defined below:

Urgent: Attacker can assume remote root or remote administrator roles; exposes entire host to attacker: backend database, personally identifiable records, credit card data; full read and write access, remote execution of commands. Example Weakness Class: Insufficient Authorization. Example Attack Classes: SQL Injection, Directory/Path Traversal.

Critical: Attacker can assume remote user only, not root or admin; exposes internal IP addresses, source code; partial file-system access (full read access without full write access). Example Weakness Class: Insufficient Authentication. Example Attack Classes: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Abuse of Functionality.

High: Exposes security settings, software distributions and versions, database names. Example Weakness Classes: Information Leakage, Predictable Resource Location. Example Attack Class: Content Spoofing.

Medium: Exposes precise versions of applications; sensitive configuration information may be used to research potential attacks against the host.

Low: General information may be exposed to attackers, such as developer comments.

Informational: No actual exposure; a failure to comply with best practices for security.

About WhiteHat Security

WhiteHat Security is the leading provider of application risk assessment and management services that enable customers to protect critical data, ensure compliance, and narrow windows of risk. By providing accurate, complete, and cost-effective application vulnerability assessments as software-as-a-service, we deliver the visibility, flexibility, and guidance that organizations need to prevent web attacks.

Deloitte, SC Magazine, the San Jose/Silicon Valley Business Journal, Gartner and the American Business Awards have all recognized WhiteHat Security for our remarkable innovations, executive leadership and our ability to execute in the application security market.

To learn more about WhiteHat Security and how our solutions can support your applications throughout the entire software development lifecycle, please visit our website at www.whitehatsec.com.

Contents

  Asset List .......................................................... 3
  https://www11.v1host.com/v1test/ .................................... 4
    Insufficient Transport Layer Protection ........................... 4
  Appendix - Insufficient Transport Layer Protection .................. 6
  Assessment Methodology for Dynamic Analysis ......................... 6
  Appendix - Vulnerability Level Definitions (by Severity) ............ 7
  About WhiteHat Security ............................................. 8
