E-mailPenetration Test of ManageEngine Password Manager Pro
Management Summary
Download this video (MP4, 15 MB)
Overview of issues and needed actions
This is an overview of all security checks for which a defect or issue was found. All checks are divided into six categories of risk:
| Category | Title | Description | Issues found | Fixed in newer version | Verified by //SEIBERT/MEDIA |
|---|---|---|---|---|---|
| 0 | Information | No risk, informative | 0 | ||
| 1 | Hint | A hint for a defect | 0 | ||
| 2 | Recommendation | Recommendation for optimization | 2 | 2  | verification due  |
| 3 | Issue | Issue which needs to be corrected | 5 | 5 | verification due |
| 4 | Critical | High risk | 5 | 5 | verification due |
| 5 | Severe | Very high risk | 1 | 1 | verification due |
The penetration test included the following components of the web application and the system configuration in version 6.3 (build 6303) Windows.
Module: System
Verification of SSL-TLS security
SSL/TLS is a protocol which resides in 6th level of the OSI stack. It is used for trusted and encrypted communication over unsecure networks.
This test was intended to verify the overall SSL/TLS configuration as well as the offered encryption methods and lengths.
Notes on system-side application configuration
This test describes the findings during the assessment on the system side which can't be assigned to a specific issue.
Old software versions
Old or non-patched software often is a serious security issue. Through a vulnerability, even an inexperienced attacker ('script kiddie') could gain root privileges or could harm the system in many any other ways, e.g. by executing a denial of service (DoS) attack, manipulate files and other.
This test checked for old software versions and its known vulnerabilities.
World-writable and world-readable critical files and folders
World-writable and world-readable files and folders can be a serious security issue. An attacker could add or modify files and by this compromise the security of the service and system or could acccess sensitive data with normal user privileges. It could also be possible that an attacker can access these files through another vulnerable service or system component.
In this test, the installation of PMP was checked for such files and folders.
Database configuration and files
A database management system (DBMS) often is the most crucial part of an application, because it holds most or all data. Customer- and useraccounts, bank accounts or product- and payment information must be stored securely so that only privileged user can access the data.
This test checked for incorrect database configuration and public or open database accounts.
Logging
It is common to enable logging for trouble- and performance analysis as well as access statistics. Especially debug log files often contain sensitive information like usernames, passwords and other information.
For this, all logfiles of the application installation are checked for such data.
Client plugins and addons
Client plugins can enhance and extend the functionality of a web application and often allow stronger interaction between the client's computer and the web application.
This test checked for security issues in the plugins implementation.
Module: Web Application
File upload checks
File uploads are common in today's web applications. These are often used to provide users with an option to attach various files in the application. Insufficent server-side checks can be a serious security issue, as an attacker could upload malicious files like HTML or Javascript or could place other files outside the application root.
This test checked for various common security issues like
- Upload of HTML, Javascript and other potential malicious files
- Handling of wrong MIME-Type
- Handling of null byte chars
- Header manipulation
- Path traversal
Forgot-Password function
Most web applications allow users to reset their password if they have forgotten it, usually by sending them a password reset email and/or by asking them to answer one or more "security questions".
In this test, we checked that this function is properly implemented and that it does not introduce any flaw in the authentication scheme. We also checked whether the application allows the user to store the password in the browser ("remember password" function) or if the application allows autocomplete of Password fields.
Cookie attributes
The use of Session Cookies is the most common method for storing authentication information for a defined period a session after successful authentication. It is therefor crucial that these are protected with correct HTTP flags.
This test checked, which flags and values are set. These are:
- Secure-Flag: Only permit the transmission over an encrypted connection. Otherwise it may be possible to read the Cookie values in cleartext.
- httpOnly-Flag: Disable client side access to Cookies. This prevents, amongst other, the most common XSS attacks.
- Domain-Flag: Scope of application.
Cross site request forgery (CSRF)
Cross site request forgery (CSRF) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, it can compromise the entire web application.
This test checked for such CSRF flaws in the application.
Reflected Cross-Site Scripting (Type 1 XSS)
Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted pages. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Reflected attacks are those where the injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an email message, or on some other web server. When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server.
In this test the application was thoroughly checked for such reflected script vulnerabilities to disclose erroneous or incomplete protection measurements.
Persistent Cross-Site Scripting (Type 2 XSS)
Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted pages. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.
In this test the application was thoroughly checked for such stored script vulnerabilities to disclose erroneous or incomplete protection measurements.
Labels:
None
Build-Access-Manage with dayaciptamandiri.com
