Access It! Web Client Vulnerabilities


Overview

A vulnerability scan of the Access It! Web Client may report several findings. This article outlines the common ones and how to remedy them. Most are properties of the IIS web server configuration that the administrator corrects directly; the remainder were addressed in the Access It! Universal.NET releases noted in each section, so if a scan still reports one of those, check the installed version and upgrade.

Logins Sent Over Unencrypted Connection

Summary

When logging into the Access It! Web Client, the login process occurs over an unencrypted connection (plain HTTP), so the username and password can be read or modified by anyone positioned on the network path between the browser and the server.

Resolution

Install an SSL/TLS certificate on the web server and bind it to an HTTPS site binding. A certificate may be purchased from a third-party certificate authority or issued by an internal enterprise CA; a self-signed certificate can also be created, but it produces browser warnings and is only suitable for testing. Once the certificate is installed, require SSL on the site so that the login page cannot be served or submitted over plain HTTP at all. The creation and installation of a certificate is outside the scope of this article.
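Once a certificate is in the machine's certificate store, the remaining steps (adding the HTTPS binding, attaching the certificate, and refusing plain HTTP) can be scripted with the WebAdministration module. The following is an added example written for this article, not the vendor's own tooling; the site name, host name and certificate thumbprint are placeholders that you must replace with your own values.

```powershell
# Added example (not from the original article or the vendor). Assumes a certificate is
# already installed in the machine's Personal store and its thumbprint is known; the
# site name, host name and thumbprint below are placeholders for your install.
Import-Module WebAdministration

$siteName   = 'Access It! Web'                                  # assumed; name shown in IIS Manager
$fqdn       = 'accessit.example.local'                          # assumed; name on the certificate
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'        # assumed; see Cert:\LocalMachine\My
$psPath     = "IIS:\Sites\$siteName"

# 1. Give the site an HTTPS binding on 443 if it currently only listens on HTTP.
$httpsBinding = Get-WebBinding -Name $siteName -Protocol 'https' | Select-Object -First 1
if (-not $httpsBinding) {
    New-WebBinding -Name $siteName -Protocol 'https' -Port 443 -IPAddress '*'
    $httpsBinding = Get-WebBinding -Name $siteName -Protocol 'https' | Select-Object -First 1
}

# 2. Attach the certificate to that binding ('My' is the Personal store).
$httpsBinding.AddSslCertificate($thumbprint, 'My')

# 3. Require SSL (IIS Manager > SSL Settings > Require SSL). A browser that reaches the
#    login page over plain HTTP now gets 403.4 instead of a usable form, so credentials
#    can no longer be posted in the clear.
Set-WebConfigurationProperty -PSPath $psPath -Filter 'system.webServer/security/access' `
    -Name 'sslFlags' -Value 'Ssl'

# 4. Check from the outside: plain HTTP must be refused, HTTPS must answer.
try {
    Invoke-WebRequest -Uri "http://$fqdn/" -UseBasicParsing | Out-Null
    Write-Warning "http://$fqdn/ still serves pages over plain HTTP"
} catch {
    "OK  plain HTTP refused: $($_.Exception.Message)"
}
(Invoke-WebRequest -Uri "https://$fqdn/" -UseBasicParsing).StatusCode   # expect 200
```

Require SSL returns 403.4 to HTTP clients rather than redirecting them; if a redirect is wanted, add a URL Rewrite rule for it. For a test system a self-signed certificate can be produced with New-SelfSignedCertificate -DnsName <host> -CertStoreLocation Cert:\LocalMachine\My, but browsers will warn on it, Invoke-WebRequest on Windows PowerShell 5.1 will refuse it, and it must not be used in production. Do not add a Strict-Transport-Security (HSTS) header while a self-signed certificate is in use, since HSTS makes the certificate warning non-bypassable.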

Missing Cross-Frame Scripting Protection

Summary

A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. The attacker could use this weakness to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks.

Resolution
Administrators can mitigate clickjacking and frame sniffing by configuring IIS to send an HTTP response header that stops browsers from rendering the site inside a frame on another origin. The X-Frame-Options header is honoured by all current browsers; the Content-Security-Policy frame-ancestors directive is its newer equivalent and takes precedence when both are present. To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:

  1. Open Internet Information Services (IIS) Manager
  2. In the Connections pane on the left side, expand the Sites folder and select the Access It! Web site that you want to protect
  3. Double-click the HTTP Response Headers icon in the feature list in the middle
  4. In the Actions pane on the right side, click Add
  5. In the dialog box that appears, enter the following information:
    Name: X-Frame-Options
    Value: SAMEORIGIN
    Enter the name and value exactly as shown. SAMEORIGIN lets the web client's own pages frame each other but blocks every other origin; if Access It! is legitimately embedded in a portal on a different host name, that embedding will stop working, and the allowed origin must then be expressed with Content-Security-Policy frame-ancestors instead (the older X-Frame-Options ALLOW-FROM value is no longer supported by browsers).
  6. Click OK to save your changes. The header is now sent on every response from the site, including static files and IIS error pages; confirm by inspecting the response headers in the browser's developer tools.
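The same change can be made and verified from PowerShell. The following is an added example written for this article, not the vendor's code; the site name and URL are assumptions, and the Content-Security-Policy line goes beyond the article's steps by adding the CSP equivalent of X-Frame-Options alongside it.

```powershell
# Added example (not from the original article or the vendor): applies the
# X-Frame-Options header from the steps above with the WebAdministration module and
# checks the live response. The site name and URL are placeholders for your install.
Import-Module WebAdministration

$siteName = 'Access It! Web'                      # assumed; use the name shown in IIS Manager
$url      = 'https://accessit.example.local/'     # assumed; any page of the web client
$psPath   = "IIS:\Sites\$siteName"
$filter   = 'system.webServer/httpProtocol/customHeaders'

function Set-SiteHeader {
    param([string]$Name, [string]$Value)
    # Drop an existing entry with the same name first; adding a duplicate key fails.
    Remove-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -AtElement @{name=$Name} -ErrorAction SilentlyContinue
    # Same effect as IIS Manager > HTTP Response Headers > Add.
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -Value @{name=$Name; value=$Value}
}

# The header from the article: only pages on the same origin may frame the web client.
Set-SiteHeader -Name 'X-Frame-Options' -Value 'SAMEORIGIN'
# Added here: the CSP equivalent, which current browsers prefer when both are present.
Set-SiteHeader -Name 'Content-Security-Policy' -Value "frame-ancestors 'self'"

# Verify from the client side. On Windows PowerShell 5.1 a self-signed certificate makes
# this call fail; run it from PowerShell 7 with -SkipCertificateCheck in that case.
$headers = (Invoke-WebRequest -Uri $url -UseBasicParsing).Headers
foreach ($name in 'X-Frame-Options', 'Content-Security-Policy') {
    if ($headers.ContainsKey($name)) { "OK  $($name): $($headers[$name])" }
    else { Write-Warning "$name is missing on $url" }
}
```

If the web client must be framed by a portal on another host, change the CSP value to list that origin, for example frame-ancestors 'self' https://portal.example.local (an assumed name); X-Frame-Options has no working equivalent for that case and should then be left at SAMEORIGIN for browsers that only understand the older header.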

ASP.NET version disclosure

Summary
The HTTP responses returned by this web application include a header named X-AspNet-Version, and typically also X-Powered-By: ASP.NET. The X-AspNet-Version value is emitted by the ASP.NET runtime (tooling such as Visual Studio reads it to determine which version of ASP.NET is in use), and it tells an attacker exactly which framework version to look up known weaknesses for.

Resolution

Remove the X-Powered-By HTTP response header by performing the following steps. The X-AspNet-Version header is emitted by the ASP.NET runtime rather than by IIS, so it will not appear in the HTTP Response Headers list; it is suppressed separately by setting the enableVersionHeader attribute of the httpRuntime element in the application's web.config to false.

  1. Open Internet Information Services (IIS) Manager
  2. In the Connections pane on the left side, expand the Sites folder and select the Access It! Web site that you want to protect
  3. Double-click the HTTP Response Headers icon in the feature list in the middle
  4. Select the X-Powered-By HTTP Response Header
  5. In the Actions pane on the right side, click Remove
  6. Click Yes

Microsoft IIS version disclosure

Summary
The HTTP responses returned by the Access It! web application include a header named Server. The value of this header includes the version of the Microsoft IIS server (for example Microsoft-IIS/10.0), which lets an attacker fingerprint the operating system generation and target version-specific weaknesses.

Resolution

Remove the Server HTTP response header by performing the following steps. Note that IIS generates this header itself rather than reading it from the custom header list, so it normally does not appear in the HTTP Response Headers pane, and removing it there only works if someone previously added it as a custom header. On IIS 10 (Windows Server 2016 version 1709 and later) the supported way to suppress it is the removeServerHeader setting of the requestFiltering section; on older versions, use a URL Rewrite outbound rule that blanks the Server header. Use the steps below if the header is listed:

  1. Open Internet Information Services (IIS) Manager
  2. In the Connections pane on the left side, expand the Sites folder and select the Access It! Web site that you want to protect
  3. Double-click the HTTP Response Headers icon in the feature list in the middle
  4. Select the Server HTTP Response Header
  5. In the Actions pane on the right side, click Remove
  6. Click Yes
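The X-Powered-By, X-AspNet-Version and Server findings are normally fixed together, since each header comes from a different layer (IIS custom headers, the ASP.NET runtime, and IIS itself). The following is an added example written for this article, not the vendor's tooling; the site name and URL are assumptions, and the removeServerHeader setting is an IIS 10 (1709+) feature that is skipped with a warning on older servers.

```powershell
# Added example (not from the original article or the vendor): strips the three
# fingerprinting headers from an IIS/ASP.NET site and checks the result.
# The site name and URL are placeholders for your install.
Import-Module WebAdministration
$siteName = 'Access It! Web'                        # assumed
$url      = 'https://accessit.example.local/'       # assumed
$psPath   = "IIS:\Sites\$siteName"

# 1. X-Powered-By: a custom header inherited from applicationHost.config. Removing it at
#    the site level writes a <remove> element, which is what the IIS Manager steps do.
#    (Use -PSPath 'MACHINE/WEBROOT/APPHOST' instead to strip it from every site.)
Remove-WebConfigurationProperty -PSPath $psPath -Filter 'system.webServer/httpProtocol/customHeaders' `
    -Name '.' -AtElement @{name='X-Powered-By'}

# 2. X-AspNet-Version: emitted by the ASP.NET runtime, not IIS, so it never shows up in
#    the HTTP Response Headers pane. It is switched off in system.web/httpRuntime.
Set-WebConfigurationProperty -PSPath $psPath -Filter 'system.web/httpRuntime' `
    -Name 'enableVersionHeader' -Value $false

# 3. Server: added by IIS itself. IIS 10 (Windows Server 2016 1709 and later) can suppress
#    it through request filtering; older versions reject the attribute, hence the try/catch.
try {
    Set-WebConfigurationProperty -PSPath $psPath -Filter 'system.webServer/security/requestFiltering' `
        -Name 'removeServerHeader' -Value $true -ErrorAction Stop
} catch {
    Write-Warning "removeServerHeader not supported on this IIS version; use a URL Rewrite outbound rule instead"
}

# 4. Verify: none of the three headers should come back.
$headers = (Invoke-WebRequest -Uri $url -UseBasicParsing).Headers
foreach ($name in 'Server', 'X-Powered-By', 'X-AspNet-Version') {
    if ($headers.ContainsKey($name)) { Write-Warning "$name still disclosed: $($headers[$name])" }
    else { "OK  $name not disclosed" }
}
```

Hiding these headers does not change what the server is, only how easily it is identified; keep patching IIS and the .NET Framework regardless. Re-run the check after any IIS feature is installed, because new modules can reintroduce X-Powered-By at the server level.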

SSL 2.0 Deprecated Protocol

Summary
The Internet Information Services (IIS) server still accepts connections using SSL 2.0, a deprecated protocol with known weaknesses: it lacks integrity protection for the handshake (so an attacker can force weaker cipher suites) and uses weak message authentication. No supported browser needs it.

Resolution
Disable SSL 2.0 by performing the following steps:

  1. Click Start, click Run, type regedit, and then click OK

  2. In Registry Editor, locate the following registry key. On most servers the SSL 2.0 and Server keys do not exist yet (the protocol is in its default state); create them with Edit > New > Key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

  3. With the Server key selected, on the Edit menu point to New and click DWORD (32-bit) Value

  4. Type Enabled as the value name, and then press Enter

    If this value is already present, double-click it to edit its current value

  5. Set Value data to 0 (displayed as 00000000), and then click OK

  6. Restart the computer; the change is not applied until it has restarted

POODLE attack (SSLv3 supported)

Summary
The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit that takes advantage of clients falling back to SSL 3.0 when a newer handshake fails. An attacker who forces that downgrade can use the padding oracle in SSL 3.0's CBC mode to decrypt parts of the session, such as a session cookie, one byte at a time.

Resolution
Disable SSL 3.0 by performing the following steps:

  1. Click Start, click Run, type regedit, and then click OK

  2. In Registry Editor, locate the following registry key. On most servers the SSL 3.0 and Server keys do not exist yet (the protocol is in its default state); create them with Edit > New > Key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

  3. With the Server key selected, on the Edit menu point to New and click DWORD (32-bit) Value

  4. Type Enabled as the value name, and then press Enter

    If this value is already present, double-click it to edit its current value

  5. Set Value data to 0 (displayed as 00000000), and then click OK

  6. Restart the computer; the change is not applied until it has restarted

RC4 Cipher Suites Detected

Summary

RC4 is a stream cipher designed by Ron Rivest for RSA Security. As used in SSL/TLS it is prone to a weakness that may allow attackers to recover sensitive information: its keystream has statistical biases, strongest in the first bytes, so an attacker who can observe many encryptions of the same plaintext (for example a session cookie sent on every request) can gradually recover that plaintext. Exploiting this in combination with other weaknesses may allow attackers to gain access to sensitive information that aids further attacks.

Resolution
Disable RC4 ciphers by performing the following steps:

  1. Click Start, click Run, type regedit, and then click OK

  2. In Registry Editor, locate the following registry key. The Ciphers subkeys usually do not exist; create them with Edit > New > Key. The key name contains a forward slash, which is allowed: only the backslash is a separator in the registry.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128

  3. With the key selected, on the Edit menu point to New and click DWORD (32-bit) Value

  4. Type Enabled as the value name, and then press Enter

    If this value is already present, double-click it to edit its current value

  5. Set Value data to 0 (displayed as 00000000), and then click OK

  6. Repeat steps 2-5 for the following registry keys (RC4 64/128 is a fourth RC4 key that Schannel recognizes; disable it together with the others):
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128

  7. Restart the computer; the change is not applied until it has restarted
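The SSL 2.0, SSL 3.0 and RC4 changes above all follow the same pattern (create the Schannel key if missing, set Enabled to 0, reboot), so they are easiest to apply and audit as one script. The following is an added example written for this article, not the vendor's tooling. It goes slightly beyond the article's steps: it also disables the Client side of each protocol and sets DisabledByDefault on protocol keys, and it includes the RC4 64/128 cipher key; those additions are marked in the comments.

```powershell
# Added example (not from the original article or the vendor). Applies the registry
# changes from the SSL 2.0, SSL 3.0 and RC4 sections in one pass. Run in an elevated
# PowerShell; a restart is still needed before Schannel honours the change.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Disable-SchannelKey {
    param(
        [Parameter(Mandatory)][string]$SubKey,   # path below HKLM, e.g. "...\Protocols\SSL 2.0\Server"
        [switch]$Protocol                        # protocol keys also get DisabledByDefault = 1
    )
    # The .NET registry API is used deliberately: the PowerShell registry provider treats
    # "/" as a path separator, so "RC4 128/128" would become key "RC4 128" with subkey
    # "128". CreateSubKey opens an existing key or creates it together with its parents.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey)
    try {
        # Enabled = 0 (REG_DWORD) is the "00000000" value the article has you type.
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        if ($Protocol) {
            # Addition to the article: keeps the protocol out of negotiation even if
            # the Enabled value is later deleted.
            $key.SetValue('DisabledByDefault', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    } finally {
        $key.Close()
    }
}

# Protocols. The article covers the Server side; the Client side is added here so that
# server-side code making outbound TLS connections cannot be downgraded either.
foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    foreach ($side in 'Server', 'Client') {
        Disable-SchannelKey -SubKey "$schannel\Protocols\$proto\$side" -Protocol
    }
}

# Ciphers. The three RC4 keys from the article plus RC4 64/128, which Schannel also knows.
foreach ($cipher in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128') {
    Disable-SchannelKey -SubKey "$schannel\Ciphers\$cipher"
}

# Read back what was written, again through .NET so the slash in cipher names is safe.
function Get-SchannelEnabled {
    param([Parameter(Mandatory)][string]$SubKey)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }          # key absent: protocol/cipher in default state
    try { return $key.GetValue('Enabled') } finally { $key.Close() }
}
foreach ($item in 'Protocols\SSL 2.0\Server', 'Protocols\SSL 3.0\Server', 'Ciphers\RC4 128/128') {
    '{0,-28} Enabled = {1}' -f $item, (Get-SchannelEnabled -SubKey "$schannel\$item")
}
```

After the restart, confirm from another machine rather than trusting the registry alone, for example with nmap --script ssl-enum-ciphers -p 443 <host>, which lists every protocol version and cipher suite the server still negotiates. TLS 1.0 and TLS 1.1 are disabled with the same Enabled/DisabledByDefault values under Protocols\TLS 1.0 and Protocols\TLS 1.1, but check that every client of the web client supports TLS 1.2 before doing so.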

Session Fixation

Summary
Session fixation allows an attacker to impersonate a user by abusing an authenticated session ID (SID). This attack can occur when a web application fails to supply a new, unique SID to a user following a successful authentication or allows a user to provide the SID to be used after authenticating. In a session fixation attack, the attacker creates or obtains a valid session identifier and causes the user to provide authentication credentials to the application along with the session identifier. If the application fails to renew this SID after the user logs in, the attacker can use the previously obtained/created value of this SID to clone the authenticated session. The attacker can continue to impersonate the victim user until the SID expires. The need to brute-force or intercept the SID is eliminated.

Resolution
A security enhancement was made in Access It! Universal.NET 5.1.0.48 and higher to prevent session fixation. If a scan still reports this finding, confirm the installed version and upgrade.

Password type input with auto-complete enabled

Summary
When a new name and password are entered in a form and the form is submitted, the browser asks whether the password should be saved. Thereafter, when the form is displayed, the name and password are filled in automatically or completed as the name is typed. An attacker with local access to the machine could obtain the clear-text password from the browser's saved credentials.

Resolution
A security enhancement was made in Access It! Universal.NET 5.1.0.48 and higher to prevent auto-completion of the password field.

Blind SQL Injection

Summary
SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating user input. It occurs when a web application places user input directly into a SQL statement without parameterizing it or filtering out dangerous characters. In a blind SQL injection the application returns no error text or query results directly, so the attacker infers the outcome of each injected condition from differences in the response content or timing.

Resolution
A security enhancement was made in Access It! Universal.NET 5.1.0.48 and higher to remediate the reported SQL injection in the web client.

Login page password-guessing attack

Summary
A common threat web developers face is a password-guessing attack known as a brute-force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until the correct one is found; in practice attackers start with lists of common passwords, so even a modest number of guesses per account can succeed against weak passwords.

Resolution
A security enhancement was made in Access It! Universal.NET 5.2 and higher allowing a user account to be locked out after a specified number of invalid login attempts. The lockout threshold must be configured by the administrator; simply upgrading does not enforce it.

.NET Verbose Error Message

Summary
Detailed error reporting should never be enabled on a production web application. Error messages give an attacker very useful information about the application and are usually the first stepping stone in carrying out an attack. Error messages in .NET can leak the following information:

  • The language it was developed in, such as C# or VB.NET
  • The stack trace of the program that failed
  • The version numbers for the .NET framework and ASP.NET
  • Development class names and object structures

Resolution
A security enhancement was made in Access It! Universal.NET 5.1.0.48 and higher to suppress verbose error messages.

Persistent Cookies

Summary
Cookies are small pieces of data sent by the web application and stored by the browser. This lets the application pass information between pages and keep state across requests. The web application controls what information is stored in a cookie and how it is used. Typical contents are session identifiers, personalization and customization settings, and in rare cases even usernames to enable automated logins. There are two types of cookie: session cookies and persistent cookies. Session cookies live only in the browser's memory and are discarded when the browser closes. Persistent cookies are written to disk with an expiry date and survive browser restarts, so anyone with access to the machine (or its backups) can read whatever they contain, and a session identifier stored this way remains usable long after the user has walked away.

Resolution
A security enhancement was made in Access It! Universal.NET 5.1.0.48 and higher so that the web client no longer uses persistent cookies.


  • 529
  • 27-Sep-2018