CORDA - Security Assessment v1.0

Customer: EEA
Document: CORDA Security Assessment
About: Security assessment of CORDA
Ver. | Date | Author | Description
V1.0 | 18/04/2016 | Iker García | First version
European Environment Agency - Specific Contract No 3436B2014R0-GIOEEA.55879
CORDA - Security Assessment
Contents
1 Introduction .......... 3
1.1 Terms and Abbreviations .......... 4
2 Security Audit .......... 5
2.1 Application & Environment .......... 5
2.2 OWASP Top 10 .......... 5
2.2.1 A1 Injection .......... 6
2.2.2 A2 Broken Authentication and Session Management .......... 7
2.2.3 A3 Cross-Site Scripting (XSS) .......... 9
2.2.4 A4 Insecure Direct Object References .......... 11
2.2.5 A5 Security Misconfiguration .......... 11
2.2.6 A6 Sensitive Data Exposure .......... 13
2.2.7 A7 Missing Function Level Access Control .......... 14
2.2.8 A8 Cross-Site Request Forgery (CSRF) .......... 15
2.2.9 A9 Using Components with Known Vulnerabilities .......... 16
2.2.10 A10 Unvalidated Redirects and Forwards .......... 18
3 Summary .......... 19
Page 2 of 20
15/04/2016 v1.0
BILBOMATICA-GEOGRAMA
1 Introduction
The purpose of this document is a security assessment of the EEA – CORDA system based on OWASP [1] recommendations and best practices. OWASP (The Open Web Application Security Project) is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
There are various testing techniques that can be employed when building a testing program, such as:
- Inspections & Reviews
- Manual Threat Modeling
- Code Review
- Penetration Testing
No single technique can be performed to effectively cover all security testing and ensure that
all issues have been addressed. The consortium opted for a hybrid approach including both
white box testing techniques, such as source code analysis, and black box testing techniques,
such as automated and manual penetration testing.
Code review audits the source code of the application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places.
A penetration test is the practice of evaluating a chosen entity to ensure the current security controls are performing as expected and the vulnerability state is known. The results of an assessment can be used to measure the effectiveness of the security controls over time and help quantify the vulnerability state of the entity.
In particular, penetration tests were assisted by Zed Attack Proxy (ZAP) tool. ZAP is an easy
to use OWASP integrated penetration testing tool for finding vulnerabilities in web applications, providing automated scanners as well as a set of tools that allow finding security vulnerabilities manually.
[1] https://www.owasp.org/index.php/Main_Page
1.1 Terms and Abbreviations
The following abbreviations have been used within this document:
Abbreviation: Description
AD: Active Directory
CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
CSRF: Cross-Site Request Forgery
DBMS: Database Management System
HTTPS: Hypertext Transfer Protocol Secure
IIS: Internet Information Services
OS: Operating System
OWASP: The Open Web Application Security Project
SQL: Structured Query Language
SSL: Secure Socket Layer
URL: Uniform Resource Locator
XSS: Cross-Site Scripting
ZAP: Zed Attack Proxy
2 Security Audit
2.1 Application & Environment
The security tests have been performed against EEA – CORDA v1.1 on the consortium Testing environment.
2.2 OWASP Top 10
The performed security audit was focused on the OWASP Top 10 [2] project, which represents a broad consensus about what the most critical web application security flaws are.
Figure 1 – OWASP Top 10
The following sections detail the top ten generic application security risks as identified by OWASP. The risks are a combination of threat agents, attack vectors, security weaknesses, security controls, technical impacts and business impacts; therefore, the list does not imply that these are the most common weaknesses.
[2] https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Figure 2 – OWASP Top 10 classification factors
The detected vulnerabilities have been classified according to OWASP risk rating methodology as shown in the following diagram.
Figure 3 – OWASP risk rating methodology
2.2.1 A1 Injection
2.2.1.1 Description
Injection flaws occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, particularly in legacy code. They are often found in SQL, OS commands, etc. Injection flaws are easy to discover when examining code, but frequently hard to discover via testing. Scanners and fuzzers [3] can help attackers find injection flaws.
[3] Fuzz testing, or fuzzing, is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program.
2.2.1.2 Test results
No vulnerabilities found.
2.2.2 A2 Broken Authentication and Session Management
2.2.2.1 Description
Developers frequently build custom authentication and session management schemes,
but building these correctly is hard. As a result, these custom schemes frequently have flaws
in areas such as logout, password management, timeouts, remember me, secret question,
account update, etc. Finding such flaws can sometimes be difficult, as each implementation
is unique.
2.2.2.2 Test results
The following vulnerabilities have been detected.

Severity: Low
Description: The session cookie alone is used as the authentication token, without any further check on the web server side. This leaves the authentication token vulnerable to attackers if the cookie is stolen, either by malware or by JavaScript injection.
Potential fix: Implement other checks on the web site so that it does not rely solely on the session cookie. It is highly recommended to bind the session ID to other user or client properties, such as the client IP address, User-Agent, or a client-based digital certificate. If the web application detects any change or anomaly between these properties in the middle of an established session, this is a very good indicator of a session manipulation or hijacking attempt, and this simple fact can be used to alert on and/or terminate the suspicious session.

Severity: Medium
Description: Secure flag not set for the session cookie. This attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS, which protects the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, there is the potential that the cookie is sent in clear text.
Potential fix: Enable the ‘secure’ flag for cookies containing sensitive information.

Severity: High
Description: When a user signs out, his/her session token (stored in the ‘FedAuth’ cookie) is not expired server side. This behaviour, along with the issues above, leads to the undesirable situation where an attacker is able to replay the session cookie even after the former user has signed out.
Potential fix: Invalidate user session tokens once they sign out.

Severity: Low
Description: User sessions are not expired, or the expiration time is too long.
Potential fix: Correctly expire the session so that users are required to enter their credentials again when the session idle timeout is reached.

Severity: Low
URL: /_layouts/15/CustomLoginPageFBA/CustomLogin.aspx
Description: The AUTOCOMPLETE attribute is not disabled in the HTML FORM/INPUT element containing a password type input. Passwords may be stored in browsers and retrieved.
Potential fix: Disable the AUTOCOMPLETE attribute for password type inputs.
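Three of the session findings above (the cookie used as the only token, no server-side invalidation on sign-out, no idle expiry) share one fix: keep the session state on the server and let the cookie be an opaque handle. The following Python sketch is an added example and not CORDA code. It assumes an in-memory store, binds the session to the User-Agent as one of the client properties the fix suggests, and emits the cookie with the Secure flag (plus HttpOnly, which limits the JavaScript-theft case mentioned in the first finding). The 15 minute idle timeout and the reuse of the FedAuth cookie name are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60  # seconds; an assumed policy value, not CORDA's setting


@dataclass
class Session:
    user: str
    ua_hash: str      # binding: hash of the User-Agent seen at login
    last_seen: float  # for the idle timeout
    active: bool = True


class SessionStore:
    """Server-side session table (added example, not CORDA code).

    The token handed to the browser is random and opaque; everything that
    decides whether a request is authenticated lives here, on the server:
      - logout marks the token inactive, so a replayed cookie is rejected
      - an idle session expires and the user must log in again
      - the session is bound to the User-Agent seen at login
    """

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so the timeout can be tested

    @staticmethod
    def _fingerprint(user_agent: str) -> str:
        return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()

    def login(self, user: str, user_agent: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self._fingerprint(user_agent), self._clock())
        return token

    def validate(self, token: str, user_agent: str):
        """Return the user name for a live, matching session, else None."""
        s = self._sessions.get(token)
        if s is None or not s.active:
            return None
        if self._clock() - s.last_seen > IDLE_TIMEOUT:
            self.logout(token)   # idle too long: force re-authentication
            return None
        if not hmac.compare_digest(s.ua_hash, self._fingerprint(user_agent)):
            self.logout(token)   # binding mismatch: treat as a hijack attempt
            return None
        s.last_seen = self._clock()
        return s.user

    def logout(self, token: str) -> None:
        s = self._sessions.get(token)
        if s is not None:
            s.active = False  # server-side invalidation: the cookie is now worthless


def session_cookie(token: str) -> str:
    """Set-Cookie value for the token with the Secure and HttpOnly flags set
    (cookie name assumed to match the one the report mentions)."""
    return f"FedAuth={token}; Path=/; Secure; HttpOnly"
```

Binding to the client IP address, also suggested above, is implemented the same way as the User-Agent binding, but should be weighed against users behind NAT or on mobile networks whose address legitimately changes mid-session; a mismatch there is better treated as an alert than as an automatic termination.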
2.2.3 A3 Cross-Site Scripting (XSS)
2.2.3.1 Description
XSS is the most prevalent web application security flaw. XSS flaws occur when an application
includes user supplied data in a page sent to the browser without properly validating or
escaping that content.
2.2.3.2 Test results
The following vulnerabilities have been detected.

Severity: High
URL: /_layouts/15/CORDASearch/Search.aspx
URL: /_layouts/15/CORDADataProviderSearch/DataProviderDetail.aspx
Description: Reflected XSS vulnerability found when tampering with the following parameters:
- Year (Search.aspx). Test attack vector: </a><script>alert(1);</script><a>
- Search Text (Search.aspx). Test attack vector: " onMouseOver="alert(1);
- ID (DataProviderDetail.aspx). Test attack vector: javascript:alert(1);
Potential fix: Follow OWASP recommendations: OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet.

Severity: High
URL: /Lists/News/NewForm.aspx
URL: /Lists/News/AllItems.asp (edit)
URL: /_layouts/15/CORDAAdministrationModule/ResourceEdition.aspx?MODE=U&ID=?
Description: Stored / persistent XSS vulnerability found when tampering with the following parameters:
- Title (news). Test attack vector: </script><script>alert(1);</script><script>
- Resource License (ResourceEdition.aspx). Test attack vector: </textarea><script>alert(1);</script><textarea>
Potential fix: Follow OWASP recommendations: OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet.

Severity: Low
Description: Web browser XSS protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server.
Potential fix: Ensure that the web browser's XSS filter is enabled by setting the X-XSS-Protection HTTP response header to '1'.
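The cheat sheet the fix refers to boils down to one rule: encode each value for the HTML context it is written into, because the same characters are harmless in one context and an injection in another. The following Python example is added here and is not CORDA code. It assumes a hypothetical results fragment in which Year is written into element text, Search Text into a quoted attribute value and the data provider ID into an href, and shows how each of the three reflected vectors listed above is neutralised in its own context; the fragment layout and the parameter-to-context mapping are assumptions, not CORDA's markup.

```python
import html
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}


def encode_for_html(value: str) -> str:
    """HTML body context: &, <, >, " and ' become entities, so user data can
    neither close the surrounding element nor open a <script> element."""
    return html.escape(value, quote=True)


def encode_for_attribute(value: str) -> str:
    """Quoted attribute context: the quote character is the critical one,
    since it is what the onMouseOver vector uses to break out of the value.
    The attribute must be written with double quotes for this to hold."""
    return html.escape(value, quote=True)


def safe_href(value: str) -> str:
    """URL context: allow relative URLs and http(s) only; any other scheme
    (javascript:, data:, vbscript:, ...) is replaced by an inert placeholder,
    because entity encoding alone does not stop a javascript: URL."""
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"
    return html.escape(value, quote=True)


def render_search_result(year: str, search_text: str, provider_id: str) -> str:
    """Hypothetical fragment of a Search.aspx-style results page, constructed
    for this example: each value is encoded for the context it lands in."""
    return (
        f"<p>Results for year {encode_for_html(year)}</p>\n"
        f'<input type="text" name="SearchText" value="{encode_for_attribute(search_text)}">\n'
        f'<a href="{safe_href(provider_id)}">Data provider</a>'
    )
```

The same encoders serve the stored XSS findings: the news Title and the Resource License are encoded at render time with encode_for_html, which turns the closing </textarea> and </script> tags of those vectors into inert text. Encoding on output rather than on input is what keeps the stored value usable in other contexts (exports, APIs) without a second, inconsistent sanitiser.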
2.2.4 A4 Insecure Direct Object References
2.2.4.1 Description
Applications frequently use the actual name or key of an object when generating web pages.
Applications don’t always verify the user is authorized for the target object. This results in an
insecure direct object reference flaw. Testers can easily manipulate parameter values to
detect such flaws. Code analysis quickly shows whether authorization is properly verified.
2.2.4.2 Test results
The following vulnerabilities have been detected.

Severity: Medium
URL: /_layouts/15/CORDAMapViewer/Resource%20Preview.aspx?ID=?
URL: /Reports/Report.aspx?ReportId=monitoring&ID=?
Description: Users can preview and see the statistics for a Resource they do not have access to by directly providing the Resource ID on the URL.
Potential fix: Implement the required validations to verify that the user is authorized for the target object.
2.2.5 A5 Security Misconfiguration
2.2.5.1 Description
Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.
2.2.5.2 Test results
The following vulnerabilities were detected regarding ‘Security Misconfiguration’:

Severity: Low
URL: /_layouts/15/CORDAAdministrationModule/FeedbackForm.aspx
URL: /SitePages/Feedback.aspx
Description: Automated sending of many GET/POST requests in a short time is allowed, thus enabling email flood attacks.
Potential fix: Use a CAPTCHA to prevent automated attacks.

However, security misconfiguration is strongly related to the hosting / environment infrastructure:
- Ensuring that the OS, Web/App Server, DBMS, applications, and all code libraries (see section 2.2.9) are up to date, e.g. IIS, Windows.
- Ensuring that no unnecessary features are enabled or installed, e.g. services, ports and accounts.
Therefore, the following results obtained for the Testing environment may not be meaningful for other environments, such as Production.

Severity: Medium
URL: /_api/*
Description: The SharePoint REST API is exposed to logged-in users, meaning that an attacker may be able to obtain sensitive data to plan an attack. For instance, every AD user login name:
- /_api/web/getuserbyid(?)
Potential fix: Disable features which are not required.
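For the feedback form finding above, a CAPTCHA stops automated submissions at the browser; a server-side rate limit is the complementary control that bounds how many emails a single client can trigger even when the CAPTCHA is bypassed or solved by a service. The following Python example is added here and is not CORDA code. It assumes the client IP address as the limiting key and an injected mail-sending function; the limit of three submissions per minute, the key choice and the handler shape are all constructed for the example.

```python
import time
from collections import deque


class RateLimiter:
    """Sliding-window limit: at most `limit` events per `window` seconds per key.
    Added example, not CORDA code."""

    def __init__(self, limit: int = 3, window: float = 60.0, clock=time.time):
        self.limit = limit
        self.window = window
        self._clock = clock        # injectable so the window can be tested
        self._hits = {}            # key -> deque of event timestamps

    def allow(self, key: str) -> bool:
        now = self._clock()
        hits = self._hits.setdefault(key, deque())
        # Drop events that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False           # over the limit: do not record, do not send
        hits.append(now)
        return True


def handle_feedback(limiter: RateLimiter, client_ip: str, form: dict, send_mail):
    """Hypothetical server-side handler for the feedback form (assumed shape):
    the decision to send an email is made after the limit check, so an
    automated burst produces 429 responses instead of a mail flood."""
    if not limiter.allow(client_ip):
        return 429, "too many requests"
    send_mail(form)
    return 200, "thanks"
```

Keying on the IP address is the simplest choice, but many users behind one proxy share an address, so a per-session or per-account key is preferable once the user is logged in, and the limit for the anonymous form should be set from the legitimate submission rate observed in the logs rather than guessed.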
2.2.6 A6 Sensitive Data Exposure
2.2.6.1 Description
The most common flaw is simply not encrypting sensitive data. When crypto is employed,
weak key generation and management, and weak algorithm usage is common, particularly
weak password hashing techniques. Browser weaknesses are very common and easy to detect, but hard to exploit on a large scale. External attackers have difficulty detecting server
side flaws due to limited access and they are also usually hard to exploit.
2.2.6.2 Test results
The following vulnerabilities were detected regarding ‘Sensitive Data Exposure’:

Severity: High
Description: The site can be accessed through HTTP. SSL should be used for all pages that require authentication. A third party may be able to read the user credentials by intercepting the unencrypted connection.
Potential fix: Make sure that at least sensitive data is transmitted over HTTPS. Disable HTTP or redirect HTTP requests to HTTPS.

Severity: Low
URL: /_layouts/15/CORDAAdministrationModule/Error.aspx
Description: System data information is revealed, which helps an adversary to learn about the system and form a plan of attack.
Potential fix: Implement proper exception/error handling so as not to leak any system data.
2.2.7 A7 Missing Function Level Access Control
2.2.7.1 Description
Applications do not always protect application functions properly. Sometimes, function level
protection is managed via configuration, and the system is misconfigured. Sometimes, developers must include the proper code checks, and they forget.
Detecting such flaws is easy. The hardest part is identifying which pages (URLs) or functions
exist to attack.
2.2.7.2 Test results
The following vulnerabilities have been detected.

Severity: High
URL: /_layouts/15/CORDAAdministrationModule/ResourceDetails.aspx?ID=?
URL: /_layouts/15/CORDAAdministrationModule/datasetdetails.aspx?ID=?
Description: Unauthorised deletion of Resources and DataSets is permitted. Performing validations in client-side code, generally JavaScript, provides no protection for server-side code. An attacker can simply disable JavaScript, use telnet, or use a security testing proxy to bypass client-side validations.
Potential fix: Implement the required server-side validations to verify that the user is authorized for the target object / action.
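The A4 finding (previewing a Resource by ID) and the A7 finding above (deleting a Resource or DataSet) have the same root cause: the server trusts that whoever supplies an ID, or a delete request, is entitled to it. The following Python example is added here and is not CORDA code. It models a minimal authorization check over constructed users and resources, plus a hypothetical handler for an ID/ACTION query string, so that both viewing a private resource and deleting it are decided on the server from the authenticated user's identity, never from anything the client sends.

```python
from enum import Enum


class Action(Enum):
    VIEW = "view"
    DELETE = "delete"


# Constructed sample data for the example: resource id -> owning organisation
# and whether it is public. Not CORDA's data model.
RESOURCES = {
    101: {"org": "org-A", "public": False},
    202: {"org": "org-B", "public": True},
}

# Constructed sample users: name -> organisation and admin flag.
USERS = {
    "alice": {"org": "org-A", "admin": False},
    "bob":   {"org": "org-B", "admin": False},
    "root":  {"org": "org-A", "admin": True},
}


def is_authorized(user: str, resource_id: int, action: Action) -> bool:
    """Authorization decision taken on the server from the user's identity.
    Unknown users or resources are denied (fail closed)."""
    res = RESOURCES.get(resource_id)
    u = USERS.get(user)
    if res is None or u is None:
        return False
    if u["admin"]:
        return True
    if action is Action.VIEW:
        return res["public"] or res["org"] == u["org"]
    if action is Action.DELETE:
        return res["org"] == u["org"]
    return False


def handle_resource_request(user: str, query: dict):
    """Hypothetical handler for a ResourceDetails.aspx?ID=...&ACTION=... style
    request (assumed shape). The check runs on every request, so disabling
    JavaScript or replaying the request through a proxy changes nothing."""
    try:
        resource_id = int(query.get("ID", ""))
        action = Action(query.get("ACTION", "view"))
    except ValueError:
        return 400, "bad request"
    if not is_authorized(user, resource_id, action):
        return 403, "forbidden"
    if action is Action.DELETE:
        del RESOURCES[resource_id]
        return 200, "deleted"
    return 200, f"resource {resource_id}"
```

The handler deliberately returns the same 403 for "exists but not yours" and for a resource the user may not see at all, so that probing IDs in the URL, the technique the A4 description mentions, does not reveal which IDs are in use.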
2.2.8 A8 Cross-Site Request Forgery (CSRF)
2.2.8.1 Description
CSRF takes advantage of the fact that most web apps allow attackers to predict all the details of a particular action. Because browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones.
Detection of CSRF flaws is fairly easy via penetration testing or code analysis.
2.2.8.2 Test results
The vulnerabilities found regarding CSRF are detailed below.

Severity: Medium
Description: The X-Frame-Options header is not included in the HTTP responses to protect against 'ClickJacking' attacks.
Potential fix: Most modern web browsers support the X-Frame-Options HTTP header. Ensure it is set on all web pages returned by the site: if the page is expected to be framed only by pages on its own server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if the page is never expected to be framed, use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers.
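Four of the findings in this report are visible in a single HTTP response: the missing Secure flag on the session cookie (A2), the X-XSS-Protection header (A3), access over plain HTTP without a redirect (A6) and the missing X-Frame-Options header (A8). The following Python example is added here and is neither part of the report nor CORDA code. It parses a raw response and reports those conditions, so a re-test of the fixes can be scripted; the sample responses are constructed for the example, not captured from the CORDA environment, and the token value is a placeholder.

```python
def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, headers). Headers is a
    list of (lower-cased name, value) pairs so that repeated headers such as
    Set-Cookie are all kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_text = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = []
    for line in header_text.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_response(raw: str, scheme: str = "https") -> list:
    """Return the findings for one response. `scheme` is the scheme the
    request was sent with, so a page served over plain HTTP can be spotted."""
    status, headers = parse_response(raw)

    def values(name):
        return [v for k, v in headers if k == name]

    findings = []
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name}: Secure flag not set")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: HttpOnly flag not set")

    xfo = [v.upper() for v in values("x-frame-options")]
    if not xfo or xfo[0] not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    xxp = values("x-xss-protection")
    if not xxp or xxp[0].startswith("0"):
        findings.append("X-XSS-Protection missing or disabled")

    if scheme == "http":
        location = values("location")
        redirected = bool(status in (301, 302, 307, 308) and location
                          and location[0].lower().startswith("https://"))
        if not redirected:
            findings.append("served over plain HTTP without redirect to HTTPS")
    return findings


# Constructed sample responses (placeholders, not captured from CORDA).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: FedAuth=EXAMPLE_TOKEN; Path=/\r\n"
    "\r\n<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: FedAuth=EXAMPLE_TOKEN; Path=/; Secure; HttpOnly\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n<html>...</html>"
)
HTTP_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://corda.example.test/\r\n"
    "\r\n"
)
```

The X-XSS-Protection check mirrors the report's recommendation; note that current Chromium-based browsers have since removed the XSS auditor the header controlled and Firefox never implemented it, so the header is a legacy control and the output encoding under A3 remains the actual fix. The redirect check only passes a 301/302/307/308 whose Location is an https:// URL, which is the "redirect HTTP requests to HTTPS" option from the A6 fix.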
2.2.9 A9 Using Components with Known Vulnerabilities
2.2.9.1 Description
Virtually every application has these issues because most development teams don’t focus on
ensuring their components/libraries are up to date. In many cases, the developers don’t
even know all the components they are using, never mind their versions. Component dependencies make things even worse.
2.2.9.2 Test results
The following vulnerabilities were automatically detected regarding third party libraries used
in the application. Bear in mind that some of the vulnerabilities may not affect CORDA; it
depends on the library functionalities that are actually being used on the CORDA system. For
instance, several Microsoft Office SharePoint high severity issues detected have been already
omitted from this list due to CORDA not making use of them.
Severity: Low
Component: Microsoft.SharePoint.Client.ServerRuntime.dll
Description: Published vulnerabilities:
- CVE-2010-0716: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0716
- CVE-2008-5026: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5026
Potential fix: Analyse whether the listed vulnerabilities actually affect the system and apply the corresponding patches or, if possible, upgrade the library to a version where the listed issues are already fixed.

Severity: Note
Description: Pages include one or more script files from a third-party domain, such as:
- code.jquery.com/jquery-1.10.2.js
- code.jquery.com/ui/1.11.4/jquery-ui.js
- ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js
- http://ajax.googleapis.com/ajax/libs/jquery/1.8.2/jquery.min.js
Potential fix: Ensure JavaScript source files are loaded only from trusted sources, and that the sources cannot be controlled by end users of the application.
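To make the third-party script finding above repeatable, a check can list every external <script src> on a page and compare its host with an allow-list of sources the team has decided to trust, flagging separately any script fetched over plain HTTP, which can be altered in transit regardless of who hosts it. The following Python example is added here and is not CORDA code; the sample page and the site host corda.example.test are constructed, with script URLs modelled on the hosts the finding lists.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> element on a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def external_scripts(page_html: str, own_host: str, allowed_hosts=()) -> dict:
    """Map each script URL that deserves review to the reasons why:
    a host that is neither the site itself nor on the allow-list, and/or a
    fetch over plain HTTP. Relative URLs are served by the site and skipped;
    protocol-relative URLs (//host/...) are resolved to their host."""
    parser = ScriptSrcCollector()
    parser.feed(page_html)
    trusted = {own_host.lower(), *(h.lower() for h in allowed_hosts)}
    flagged = {}
    for src in parser.sources:
        parts = urlsplit(src)
        if not parts.netloc:
            continue
        reasons = []
        if parts.netloc.lower() not in trusted:
            reasons.append("third-party host")
        if parts.scheme == "http":
            reasons.append("loaded over plain HTTP")
        if reasons:
            flagged[src] = reasons
    return flagged


# Constructed sample page (not CORDA markup); hosts modelled on the finding.
SAMPLE_PAGE = """<html><head>
<script src="/_layouts/15/init.js"></script>
<script src="https://code.jquery.com/jquery-1.10.2.js"></script>
<script src="//ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js"></script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.8.2/jquery.min.js"></script>
</head><body></body></html>"""
```

Run over the pages ZAP spidered, the output is a per-page list of script sources to either move onto the site itself or add to the allow-list deliberately; a host that appears on the list only because one page references it is the case worth reviewing first.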
A static code review was performed and 140 issues regarding security were detected:
- 6 Inappropriate casts: Inappropriate casts are issues that will lead to unexpected behaviour or runtime errors. The compiler will catch bad casts from one class to another, but not bad casts to interfaces.
- 99 Dead stores: A dead store happens when a local variable is assigned a value that is not read by any subsequent instruction. Calculating or retrieving a value only to then overwrite it or throw it away could indicate a serious error in the code. Even if it is not an error, it is at best a waste of resources. Therefore all calculated values should be used.
- 35 Generic exceptions: When exceptions occur, it is usually a bad idea to simply ignore them. Instead, it is better to handle them properly, or at least to log them.
These types of bad programming practices may lead to potential security weaknesses. However, after further code analysis, it was concluded that the listed issues do not affect the CORDA system security-wise.
2.2.10 A10 Unvalidated Redirects and Forwards
2.2.10.1 Description
Applications frequently redirect users to other pages, or use internal forwards in a similar
manner. Sometimes the target page is specified in an unvalidated parameter, allowing attackers to choose the destination page.
Detecting unchecked redirects is easy. Look for redirects where you can set the full URL. Unchecked forwards are harder, because they target internal pages.
2.2.10.2 Test results
No vulnerabilities found.
3 Summary
Find below a summary of the security issues found classified by OWASP risk rating methodology and by OWASP Top10 vulnerabilities.
Figure 4 – Detected Vulnerabilities (bar chart of detected vulnerability types: Critical 0, High 5, Medium 4, Low 7, Note 1)

Figure 5 – Detected Vulnerabilities – OWASP Top10 (counts per category as reported in section 2.2)
OWASP Top 10 category | Critical | High | Medium | Low | Note
A1 Injection | 0 | 0 | 0 | 0 | 0
A2 Broken Authentication and Session Management | 0 | 1 | 1 | 3 | 0
A3 Cross-Site Scripting (XSS) | 0 | 2 | 0 | 1 | 0
A4 Insecure Direct Object References | 0 | 0 | 1 | 0 | 0
A5 Security Misconfiguration | 0 | 0 | 1 | 1 | 0
A6 Sensitive Data Exposure | 0 | 1 | 0 | 1 | 0
A7 Missing Function Level Access Control | 0 | 1 | 0 | 0 | 0
A8 Cross-Site Request Forgery (CSRF) | 0 | 0 | 1 | 0 | 0
A9 Using Components with Known Vulnerabilities | 0 | 0 | 0 | 1 | 1
A10 Unvalidated Redirects and Forwards | 0 | 0 | 0 | 0 | 0
Several weaknesses have been detected during the security audit, and those vulnerabilities rated as ‘high’ and ‘medium’ should be fixed as soon as possible. Every vulnerability found is detailed so that it can easily be reproduced and is accompanied by a recommended potential fix. Nevertheless, the OWASP website can be consulted in order to expand on any of the reported security issues.
Most of these high-rated issues are already being fixed for the upcoming CORDA v1.2, addressing:
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A7 Missing Function Level Access Control
It is noteworthy that even though this security assessment targeted the CORDA Testing environment, a quick check of the Production environment revealed that some of the detected weaknesses are not present there, because the communication channel is secured and the site can only be accessed through HTTPS.
Finally, future security assessments are highly recommended in order to validate that the vulnerabilities are being correctly fixed and that no new weaknesses are introduced in forthcoming CORDA releases.