
Open Source Security

Assessment Report
For

by

Cynergi Solutions Inc.


http://www.cynergisolutions.cxm
Author: Olu Akindeinde

Copyright 2009 Olu Akindeinde

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in Appendix C entitled "GNU Free Documentation License".

Security Assessment Report for eClipse Bank PLC

Private & Confidential

Legal Notice

Cynergi Limited. All rights reserved 20XX.

This document contains confidential and proprietary information. It is intended for the exclusive use of eClipse Bank. Unauthorized use or reproduction of this document is prohibited.

The current test has been conducted by Cynergi's security experts. Cynergi assures that the findings in this report are true to the extent that can be verified via the Internet. This Vulnerability Assessment & Penetration Test reveals all relevant vulnerabilities known up to the date of this report. As new vulnerabilities continue to be found and new security threats are introduced, it is suggested that security assessments be conducted after every major change in the information system and periodically at 3 to 6 month intervals.

Document Details

Document Type: Security Assessment Report
Client: eClipse Bank PLC
Consultant: Cynergi Solutions Inc.
Document Version: 1
Creation Date: 23/07/20XX


Revision History

Version: 1
Date: 23/07/20XX
Author: Cynergi Solutions Inc.
Change Description: Document Updated

Acknowledgment

Name | Company | Function | Location | Email

Contact

For more information about this document and its contents please contact Cynergi Professional Services.

Name: Olu Akindeinde
Address: Cynergi Solutions Inc, 234 Cynergi Avenue, South Island, Atlantic City.
Phone: +123 456 789 0123
E-Mail: fx.one@cynergisolutions.cxm


CONTENT

Limitations on Disclosure and Use of this report ........ 6
1.0 Executive Summary ........ 7
2.0 Introduction ........ 9
3.0 Network Flow Diagram ........ 15
4.0 Summary of Results ........ 16
5.0 Findings ........ 22
6.0 Conclusion ........ 38
7.0 Appendix ........ 39


LIMITATIONS ON DISCLOSURE & USE OF THIS REPORT


This report contains information concerning potential vulnerabilities of eClipse Bank's network and systems and methods of exploiting them. Cynergi recommends that special precautions be taken to protect the confidentiality of both this document and the information contained herein. Cynergi has retained and secured a copy of the report for customer reference. All other copies of the report have been delivered to eClipse Bank.

Security assessment is an uncertain process, based upon experiences, currently available information, and known threats. It should be understood that all information systems, which by their nature are dependent on human beings, are vulnerable to some degree. Therefore, while Cynergi considers the major security vulnerabilities of the analyzed systems to have been identified, there can be no assurance that any exercise of this nature will identify all possible vulnerabilities or propose exhaustive and operationally viable recommendations to mitigate those exposures.

In addition, the analysis set forth herein is based on the technologies and known threats as of the date of this report. As technologies and risks change over time, the vulnerabilities associated with the operation of eClipse Bank's systems described in this report, as well as the actions necessary to reduce the exposure to such vulnerabilities, will also change. Cynergi makes no undertaking to supplement or update this report on the basis of changed circumstances or facts of which Cynergi becomes aware after the date hereof, absent a specific written agreement to perform supplemental or updated analysis.

This report may recommend that eClipse Bank use certain software or hardware products manufactured or maintained by other vendors. Cynergi bases these recommendations upon its prior experience with the capabilities of those products. Nonetheless, Cynergi does not and cannot warrant that a particular product will work as advertised by the vendor, nor that it will operate in the manner intended.

This report was prepared by Cynergi for the exclusive use and benefit of eClipse Bank and is deemed proprietary information. The Professional Service Level Agreement (SLA) in effect between Cynergi and eClipse Bank governs the disclosure of this report to all other parties.


1.0 EXECUTIVE SUMMARY

This report presents the results of the vulnerability assessment and penetration test of eClipse Bank's Internet banking web application and underlying Internet and network infrastructure. The purpose of this assessment is to identify application and network-level security issues that could affect eClipse Bank's Internet banking application and network infrastructure.

The scope of this exercise included the testing of the network infrastructure and Internet banking application and all of its functionality. To evaluate the security of the network and application, Cynergi attempted to perform unauthorized transactions, obtain confidential information, and determine the overall security of the application by performing a wide variety of vulnerability checks. The testing also included the servers, operating systems and network devices associated with the bank.

This result is intended to be an overall assessment of eClipse Bank's network, including the applications that fall within the scope of this project. Furthermore, the findings in this report reflect the conditions found during the testing, and do not necessarily reflect current conditions.

Cynergi was able to identify vulnerabilities that affect the infrastructure and application tested. A summary of the breakdown of the vulnerability risk classification is given below:

- 22 High security vulnerabilities (holes) were discovered
- 50 Medium security vulnerabilities (warnings) were discovered
- 192 Low security vulnerabilities (notes) were discovered

Table 1.1: Vulnerability Summary for Network Infrastructure


Summarized below is a graphical chart of all findings identified.

Specifically, the following actions should be taken:

- Password protect the FTP Administrator account on the Internet application server.
- We also recommend that the issue of the reflected cross site scripting on the Internet banking web application be looked into.
- The eclipsebank.cxm web hosting provider should also be contacted with a view to effecting the recommended security controls on the webserver.

Care should also be taken not to ignore vulnerabilities with high and medium risk classification levels. This can have a major impact on the confidentiality and integrity of the bank's information assets. We highly recommend that appropriate remedial action be taken to protect the network infrastructure and assets against these threats.


2.0 INTRODUCTION

At the request of eClipse Bank PLC, Cynergi Solutions Inc performed the security assessment of the online application and underlying network infrastructure. The purpose of this assessment is to identify the network and application-level security issues as well as vulnerabilities affecting the servers and network devices providing access to the organization. The objective of the analysis is to simulate an attack to assess eClipse Bank's immunity level, discover weak links and provide recommendations and guidelines for the vulnerable entities discovered.

This report is divided into sub-sections. Each sub-section discusses in detail all relevant issues and avenues that can be used by attackers to compromise and gain unauthorized access to sensitive information. Every issue includes an overview, issues found and security guidelines which, if followed correctly, will ensure the confidentiality and integrity of the systems and applications.

Cynergi's assessment methodology includes structured review processes based on recognized best-in-class practices as defined by such methodologies as ISECOM's Open Source Security Testing Methodology Manual (OSSTMM), the Open Web Application Security Project (OWASP) and the ISO 27001 Information Security Standard.

The testing was performed under the auspices and supervision of Cynergi's CTO F. X One from June 18 through July 23, 20XX. Phase One (Footprinting and Enumeration) of the test was executed within eClipse Bank's office premises while Phase Two (Scanning and Exploitation) was conducted via the Internet from Cynergi's security labs located within and outside the country.

This testing did not explicitly attempt Denial of Service (DoS) attacks against any of eClipse Bank's systems. However, we performed the security assessment of the external network and web application both as an authorized and as an unauthorized user. Login credentials to the Internet Banking system were obtained as part of the testing process. This was a complete black box test simulating a typical external hacker's view of the organization.


2.1 Project Objective

The objective of eClipse Bank's network and application assessment is to determine the overall security of the application by analyzing all possible transactions, user input variables, and application components that reside on network systems. For the testing, Cynergi attempted to perform a full application test as an authorized user (with log-on and password supplied to the Internet banking application). The objective of the security assessment and penetration test of the network infrastructure supporting the application is to determine the overall security of the network segments and hosts within the scope of the engagement.

2.2 Project Scope

The assessment performed was focused on eClipse Bank's external network and application infrastructure and its related systems and the Internet banking application portal itself. The specific systems and subnets tested are indicated in the next section titled Target Systems. This result is intended to be an overall assessment of eClipse Bank's network, and those systems and subnets that fall within the scope of this project. Furthermore, the findings in this report reflect the conditions found during the testing, and do not necessarily reflect current conditions. This testing did not attempt any active network-based Denial of Service (DoS) attacks. Password cracking, physical, process and social engineering attacks were outside our remit. Internal assessment was also not carried out.

2.3 Target Systems

The following table lists all web URLs and systems that were targeted during this assessment.

Application: eClipse Bank Web Presence
URL 1: http://www.eclipsebank.cxm
URL 2: https://secure.eclipsebank.cxm

Table 2.1: eClipse Bank Online Presence

IP Addresses Discovered: 127.127.251.1, 127.127.251.13, 127.127.255.1, 127.127.255.10, 127.127.255.11, 127.127.255.12, 127.127.255.13, 127.127.255.14, 127.127.255.15, 127.127.255.18, 127.127.255.21, 127.127.255.27, 127.127.255.254

Table 2.2: IP Addresses Discovered

2.4 Network and Application Test Methodology

Cynergi used a combination of ISECOM's Open Source Security Testing Methodology Manual (OSSTMM) v2.0 and the Open Web Application Security Project (OWASP) Testing Guide v2.0.1 for conducting the vulnerability assessment and penetration test of the network and web-based applications. The functional OSSTMM domains in line with the scope of this engagement are listed below.

- Info Gathering and Posture Review
- Network Surveying and Enumeration
- System Services Verification and Port Scanning
- Application Testing
- Vulnerability Research and Verification

Table 2.3: Functional OSSTMM Domains

For the web application and online services, the OWASP Top Ten list served as a guide and the domains tested for are listed below.

- SQL Injection Flaws
- Cross Site Scripting (XSS)
- Malicious File Execution
- Insecure Direct Object Reference
- Cross Site Request Forgery (CSRF)
- Information Leakage and Improper Error Handling
- Broken Authentication and Session Management
- Insecure Cryptographic Storage
- Insecure Communications
- Failure to Restrict URL Access

Table 2.4: OWASP Top 10 Domains


2.5 Tools

Various commercial and publicly available tools were used during testing. All publicly available tools used by Cynergi were subjected to detailed review and evaluation.

Activity | Tool
Port Scanning & Footprinting | Nmap, Hping3, Netcat, Google
Web Application Enumeration | Ratproxy, Nikto
Vulnerability Assessment | Nessus, Qualys, Grendel Scan
Network Penetration Test | Metasploit Framework
Web Application Penetration Test | Web Application Attack & Audit Framework (w3af), Burp Professional
Vulnerability Research & Verification | http://www.securityfocus.com, http://www.osvdb.org, http://www.metasploit.com

Table 2.5: Tool Grid

2.6 Overall Vulnerability Risk Classification

Throughout the document, each vulnerability or risk identified has been labeled as a Finding and categorized as a high risk, medium risk, or low risk. In addition, each supplemental testing note is labeled as an Issue. These terms are defined below:


High risk: These findings identify conditions that could directly result in the compromise or unauthorized access of a network, system, application or information. Examples of high risks include known buffer overflows, weak or no passwords, and no encryption, which could result in denial of service on critical systems or services, unauthorized access, and disclosure of information.

Medium risk: These findings identify conditions that do not immediately or directly result in the compromise or unauthorized access of a network, system, application or information, but do provide a capability or information that could, in combination with other capabilities or information, result in the compromise or unauthorized access of a network, system, application or information. Examples of medium risks include unprotected systems, files, and services that could result in denial of service on non-critical services or systems, and exposure of configuration information and knowledge of services or systems to further exploit.

Low risk: These findings identify conditions that do not immediately or directly result in the compromise of a network, system, application, or information, but do provide information that could be used in combination with other information to gain insight into how to compromise or gain unauthorized access to a network, system, application or information. Low risk findings may also demonstrate an incomplete approach to or application of security measures within the environment. Examples of low risks include cookies not marked secure, concurrent sessions and revealing system banners.

Table 2.6: Overall Risk Classification


3.0 NETWORK FLOW DIAGRAM

The following networks were scanned externally: 127.127.251.0/24 and 127.127.255.0/24. A map of the visible corporate data network is below.

3.1 External Network Map (IP Addresses)

Fig 3.1: External Network Map of eClipse Bank


4.0 SUMMARY OF RESULTS

4.1 EXTERNAL NETWORK INFRASTRUCTURE ASSESSMENT

At the time of assessment Cynergi discovered a total of 13 IP addresses belonging to eClipse Bank PLC. The breakdown of vulnerabilities is given below.

- 21 High security vulnerabilities (holes) were discovered
- 49 Medium security vulnerabilities (warnings) were discovered
- 185 Low security vulnerabilities (notes) were discovered

Table 4.1: Vulnerability Summary for Network Infrastructure


4.2 Graphical Summary for External Infrastructure

Fig 4.1: Vulnerability Summary for Network Infrastructure

Fig 4.2: Most Dangerous Services on the network

Fig 4.3: Services most present on the network

4.3 eClipse Bank Internet Banking Security Assessment


At the time of assessment Cynergi conducted a web application test on 1 host. The breakdown of vulnerabilities is given below.

- 1 High security vulnerability (hole) was discovered
- 1 Medium security vulnerability (warning) was discovered
- 7 Low security vulnerabilities (notes) were discovered

Table 4.2: Vulnerability Summary for Internet Banking Application


4.4 Graphical Summary of Internet Banking Assessment

Fig 4.3: Vulnerability Summary for Internet Banking Application

5.0 FINDINGS

5.3.1 Issue Identification

Each security issue identified by Cynergi is described with the finding, the impact of the issue, how easy it would be for an attacker to exploit the issue and a recommendation. Each security issue is rated based on a number of factors, each of which is described in the following sections.

5.3.2 Issue Finding

The issue finding describes what configuration setting we identified that potentially poses a security threat. In addition to the finding details, any relevant background information is also described.

5.3.3 Issue Impact

The impact section describes what an attacker could gain from exploiting the security issue. The impact of an issue is often defined by other configuration settings that could heighten the issue or partially mitigate it. The impact is rated depending on the significance of the security threat.

Critical: These issues can pose a very significant security threat. The issues that have a critical impact are typically those that would allow an attacker to gain full administrative access to the device. For a firewall device, allowing all traffic to pass through the device unfiltered would receive this rating, as filtering traffic to protect other devices is the primary purpose of a firewall.

High: These issues pose a significant threat to security, but have some limitations on the extent to which they can be abused. User level access to a device and a DoS vulnerability in a critical service would fall into this category. A firewall device that allowed significant unfiltered access, such as allowing entire subnets through or not filtering in all directions, would fall into this category. A router that allows significant modification of its routing configuration would also fall into this category.

Medium: These issues have significant limitations on the direct impact they can cause. Typically these issues would include significant information leakage issues, denial of service issues or those that provide significantly limited access. An SNMP service that is secured with a default or a dictionary based community string would typically fall into this rating, as would a firewall that allows unfiltered access to a range of services on a device.

Low: These issues represent a low level security threat. A typical issue would involve information leakage that could be useful to an attacker, such as a list of users or version details. A non-firewall device that was configured with weak network filtering would fall into this category.

Table 5.1: Impact ratings

5.3.4 Issue Ease

The ease section of each issue describes the knowledge, skill and physical access that would be required of an attacker in order to exploit it. The ease will describe if open source or commercially available tools are required for an attacker to exploit an issue. Additionally, the ease will note where an extended period is required to exploit the issue, such as cracking weak encryption ciphers. Each issue is rated upon how easily it can be exploited; the ratings are described in Table 5.2.

Trivial: The issue requires little-to-no knowledge on behalf of an attacker and can be exploited using standard operating system tools. A firewall device which had a network filtering configuration that enables traffic to pass through would fall into this category.

Easy: The issue requires some knowledge for an attacker to exploit, which could be performed using standard operating system tools or tools downloaded from the Internet. An administrative service without or with a default password would fall into this category, as would a simple software vulnerability exploit.

Moderate: The issue requires specific knowledge on behalf of an attacker. The issue could be exploited using a combination of operating system tools or publicly available tools downloaded from the Internet.

Challenge: A security issue that falls into this category would require significant effort and knowledge on behalf of the attacker. The attacker may require specific physical access to resources or to the network infrastructure in order to successfully exploit it. Furthermore, a combination of attacks may be required.

N/A: The issue is not directly exploitable. An issue such as enabling legacy protocols or unnecessary services would fall into this rating category.

Table 5.2: Ease ratings


5.3.5 Issue Recommendation

Each issue includes a recommendation section which describes what steps Cynergi recommends should be taken in order to mitigate the issue. The recommendation will sometimes include various options, if several mitigating choices are available, and any relevant system commands. Directly following the recommendation, the issue dependencies and other relevant issues are referenced. The dependency issues are those that when mitigated will eliminate the described issue. For example, if the Simple Network Management Protocol (SNMP) is disabled it no longer matters if a view has not been configured. The relevant issues are ones that can affect the impact or the ease that the issue can be exploited. The recommendation includes a rating that indicates how easy an issue is to resolve; these are described in Table 5.3.

Involved: The resolution of the issue will require significant resources to resolve and is likely to include disruption to network services, and possibly the modification of other network device configurations. The issue could involve upgrading the Cisco PIX Security Appliance OS and possibly modifications to the hardware.

Planned: The issue resolution involves planning, testing and could cause some disruption to services. This issue could involve changes to routing protocols and changes to network filtering.

Quick: The issue is quick to resolve. Typically this would just involve changing a small number of settings and would have little-to-no effect on network services.

Table 5.3: Fix ratings


5.4 Network Infrastructure Assessment

127.127.255.254 (www.eclipsebank.cxm)

Issue: According to its banner, the version of PHP installed on the remote host is older than 4.4.5. Such versions may be affected by several issues, including buffer overflows, format string vulnerabilities, arbitrary code execution, 'safe_mode' and 'open_basedir' bypasses, and clobbering of superglobals.
Port: 80 | Overall: High | Impact: Critical | Ease: Easy | Fix: Involved
Recommendation: Upgrade to PHP version 4.4.5 / 5.1.4 or later.

Issue: The remote version of Apache is vulnerable to an off-by-one buffer overflow attack.
Port: 80 | Overall: High | Impact: High | Ease: Easy | Fix: Involved
Recommendation: Upgrade to version 2.0.59 or later.

Issue: The remote DNS resolver does not use random ports when making queries to third party DNS servers. This problem might be exploited by an attacker to poison the remote DNS server more easily, and therefore divert legitimate traffic to arbitrary sites. The ports used by 81.29.66.2 are not random. An attacker may spoof DNS responses. List of used ports: 59574, 59574, 59574, 59574.
Port: 53 | Overall: High | Impact: High | Ease: Moderate | Fix: Quick
Recommendation: Contact your DNS server vendor for a patch.

Issue: The remote service encrypts traffic using a protocol with known weaknesses.
Port: 443 | Overall: Medium | Impact: Medium | Ease: Challenge | Fix: Planned
Recommendation: Restrict access to services from only those hosts that require access.

Issue: The remote server's SSL certificate has already expired or will expire shortly.
Port: 443 | Overall: Medium | Impact: Medium | Ease: Challenge | Fix: Quick
Recommendation: Purchase or generate a new SSL certificate to replace the existing one.

Issue: Debugging functions are enabled on the remote web server.
Port: 443 | Overall: Medium | Impact: Medium | Ease: Moderate | Fix: Quick
Recommendation: Disable these methods.

Issue: The remote name server allows recursive queries to be performed.
Port: 53 | Overall: Medium | Impact: Medium | Ease: Medium | Fix: Quick
Recommendation: Restrict recursive queries to the hosts that should use this nameserver.

Issue: The remote DNS server is vulnerable to cache snooping attacks. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.
Port: 53 | Overall: Medium | Impact: Medium | Ease: Challenge | Fix: Quick
Recommendation: Restrict recursive queries to the hosts that should use this nameserver.

Issue: The MySQL database server on the remote host reads from uninitialized memory when processing a specially-crafted login packet. An unauthenticated attacker may be able to exploit this flaw to obtain sensitive information from the affected host as returned in an error packet.
Overall: Medium | Impact: Medium | Ease: Medium | Fix: Planned
Recommendation: Upgrade to MySQL 4.0.27 / 4.1.19 / 5.0.21 / 5.1.10 or later.

Issue: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Port: 443 | Overall: Medium | Impact: Medium | Ease: Challenge | Fix: Planned
Recommendation: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.

Issue: An FTP server is listening on this port.
Port: 21 | Overall: Low | Impact: Low | Ease: Moderate | Fix: Quick
Recommendation: Disable FTP if not needed.

Issue: The remote FTP server allows credentials to be transmitted in clear text.
Port: 21 | Overall: Low | Impact: Low | Ease: Moderate | Fix: Quick
Recommendation: Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server such that data and control connections must be encrypted.

Issue: The SSL certificate has been signed using a weak hash algorithm.
Port: 443 | Overall: Low | Impact: Low | Ease: Challenge | Fix: Planned
Recommendation: Contact the Certificate Authority to have the certificate reissued.

Issue: A database server is listening on the remote machine. The remote host is running MySQL, an open-source database server. It is possible to extract the version number of the remote installation from the server greeting.
Overall: Low | Impact: Low | Ease: Challenge | Fix: Quick
Recommendation: Restrict access to the database to allowed IPs only.

Table 5.4
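The non-random source port finding above (Table 5.4, port 53) can be re-checked from the resolver's own outbound queries. The following is an added example, not part of the report or of any Cynergi tooling: it parses the scanner's "List of used ports" text and flags a resolver whose query source ports repeat or cluster; the thresholds and the randomised sample are assumptions for illustration.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Sequence

# Scanner output quoted in Table 5.4 for 127.127.255.254, port 53.
REPORT_FINDING = (
    "The ports used by 81.29.66.2 are not random. An attacker may spoof "
    "DNS responses. List of used ports : - 59574 - 59574 - 59574 - 59574"
)

# Constructed sample (not from the report) of what a resolver that
# randomises its source port per query would show.
RANDOMISED_SAMPLE = [1025, 48213, 60101, 33457, 7312, 52001]


@dataclass(frozen=True)
class PortAssessment:
    observed: int         # number of queries in the sample
    distinct: int         # distinct source ports seen
    spread: int           # max(port) - min(port)
    entropy_bits: float   # Shannon entropy of the port distribution
    randomised: bool      # verdict under the thresholds below
    reason: str


def parse_port_list(finding_text: str) -> List[int]:
    """Pull the '- p1 - p2 ...' values out of the scanner's 'List of used ports' text."""
    _, found, tail = finding_text.partition("List of used ports")
    if not found:
        return []
    return [int(p) for p in re.findall(r"-\s*(\d{1,5})", tail)]


def shannon_entropy_bits(values: Sequence[int]) -> float:
    """Entropy of the empirical distribution; 0.0 when every value is the same."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_source_ports(ports: Sequence[int], min_samples: int = 4,
                        min_spread: int = 1024) -> PortAssessment:
    """Flag a resolver whose outbound query source ports are predictable.

    Heuristic (assumed thresholds, not taken from the report): a randomising
    resolver should not reuse a port within a short sample and should draw
    from a range at least `min_spread` wide. A fixed port, as in the report,
    fails the first test outright. A production check would gather far more
    queries before deciding.
    """
    n = len(ports)
    distinct = len(set(ports))
    if n < min_samples:
        return PortAssessment(n, distinct, 0, 0.0, False,
                              f"need at least {min_samples} queries, saw {n}")
    spread = max(ports) - min(ports)
    entropy = shannon_entropy_bits(ports)
    if distinct < n:
        return PortAssessment(n, distinct, spread, entropy, False,
                              f"{n - distinct} of {n} queries reused a source port")
    if spread < min_spread:
        return PortAssessment(n, distinct, spread, entropy, False,
                              f"ports confined to a range of {spread}")
    return PortAssessment(n, distinct, spread, entropy, True,
                          "every query used a distinct, widely spread port")


if __name__ == "__main__":
    for label, sample in (("report", parse_port_list(REPORT_FINDING)),
                          ("constructed", RANDOMISED_SAMPLE)):
        result = assess_source_ports(sample)
        print(f"{label:12s} randomised={result.randomised} "
              f"entropy={result.entropy_bits:.2f} bits: {result.reason}")
```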

127.127.251.13 / 127.127.255.12 / 127.127.255.15 / 127.127.255.21

Issue: The remote service encrypts traffic using a protocol with known weaknesses. The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Port: 443 | Overall: Medium | Impact: Medium | Ease: Challenge | Fix: Planned
Recommendation: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.

Issue: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
Overall: Medium | Impact: Medium | Ease: Challenge | Fix: Planned
Recommendation: Reconfigure the affected application if possible to avoid use of weak ciphers.

Issue: The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users into giving him their credentials.
Port: 443 | Overall: Medium | Impact: Medium | Ease: Moderate | Fix: Quick
Recommendation: Disable these methods.

Issue: It is possible to enumerate directories on the web server. The following directories were discovered: /backup, /cgi-bin, /downloads.
Port: 80 | Overall: Low | Impact: Medium | Ease: Easy | Fix: Quick
Recommendation: While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards.

Issue: The remote web server hosts office-related files. This plugin connects to the remote web server and attempts to find office-related files such as .doc, .ppt, .xls, .pdf etc. The following office-related files are available on the remote server: Word files (.doc): /downloads/performanceappraisal.doc; Excel files (.xls): /downloads/guidelines.xls.
Port: 80 | Overall: Low | Impact: Low | Ease: N/A | Fix: Planned
Recommendation: Make sure that such files do not contain any confidential or otherwise sensitive information and that they are only accessible to those with valid credentials.

Issue: Using the remote HTTP banner, it is possible to guess that the Linux distribution installed on the remote host is :
Port: 80 | Overall: Low | Impact: Low | Ease: N/A | Fix: Quick
Recommendation: N/A

Table 5.5

127.127.255.10 / 127.127.255.11

Issue: The remote name server allows recursive queries to be performed. If the host allows these recursive queries via UDP, then the host can be used to 'bounce' Denial of Service attacks against another network or system.
Port: 53 | Overall: Medium | Impact: High | Ease: Moderate | Fix: Quick
Recommendation: Restrict recursive queries to the hosts that should use this nameserver.

Issue: The remote DNS server is vulnerable to cache snooping attacks.
Port: 53 | Overall: Medium | Impact: Medium | Ease: Moderate | Fix: Quick
Recommendation: Restrict recursive queries to the hosts that should use this nameserver.

Table 5.6


127.127.255.14

Issue: The remote server is incorrectly configured with a NULL password for the user 'Administrator' and has FTP enabled.
Port: 21 | Overall: High | Impact: Critical | Ease: Trivial | Fix: Quick
Recommendation: Change the Administrator password on this host.

Issue: The remote service encrypts traffic using a protocol with known weaknesses.
Port: 443 | Overall: Medium | Impact: Medium | Ease: Moderate | Fix: Quick
Recommendation: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.

Issue: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
Port: 443 | Overall: Medium | Impact: Medium | Ease: Moderate | Fix: Quick
Recommendation: Reconfigure the affected application if possible to avoid use of weak ciphers.

Issue: This web server leaks a private IP address through its HTTP headers. This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. This web server leaks the following private IP address: 10.100.47.49.
Port: 80 | Overall: Medium | Impact: Medium | Ease: N/A | Fix: Quick
Recommendation: See http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP

Issue: The remote web server might transmit credentials in cleartext. The remote web server contains several HTML form fields containing an input of type 'password' which transmit their information to a remote web server in cleartext. An attacker eavesdropping on the traffic between web browser and server may obtain logins and passwords of valid users.
Port: 80 | Overall: Medium | Impact: High | Ease: Moderate | Fix: Quick
Recommendation: Make sure that every sensitive form transmits content over HTTPS.

Issue: The remote web server contains a JSP application that is affected by a cross-site scripting vulnerability.
Port: 443 | Overall: Medium | Impact: Medium | Ease: Medium | Fix: Planned
Recommendation: Either undeploy the Tomcat examples web application, apply the appropriate patch referenced in the vendor advisory, or upgrade to Tomcat 6.0.20 / 5.5.28 / 4.1.40 when they become available.

Issue: The remote web server is not configured or is not properly configured. The remote web server uses its default welcome page. It probably means that this server is not used at all or is serving content that is meant to be hidden.
Port: 443 | Overall: Low | Impact: Low | Ease: Easy | Fix: Quick
Recommendation: Disable this service if you do not use it.

Issue: Several directories on the remote host are DAV-enabled.
Port: 443 | Overall: Low | Impact: Low | Ease: Moderate | Fix: Quick
Recommendation: Disable DAV support if you do not use it.

Issue: The remote web server contains a graphic image that is prone to information disclosure.
Port: 80 | Overall: Low | Impact: Low | Ease: Moderate | Fix: Quick
Recommendation: Remove the 'favicon.ico' file or create a custom one for your site.

Table 5.7

Table 5.8: 127.127.255.27

Issue: The remote service offers an insecure cryptographic protocol.
Port: 443 | Overall: Medium | Impact: Medium | Ease: Challenge | Fix: Quick
Recommendation: Disable compatibility with version 1 of the protocol.

Issue: The remote database server is affected by a buffer overflow flaw. According to its version number, the installation of MySQL on the remote host may be prone to a buffer overflow when copying the name of a user-defined function into a stack-based buffer. With sufficient access to create a user-defined function, an attacker may be able to exploit this and execute arbitrary code within the context of the affected database server process.
Port: not stated in the report | Overall: Medium | Impact: Medium | Ease: Moderate | Fix: Quick
Recommendation: Upgrade to MySQL 4.0.25 / 4.1.13 / 5.0.7-beta or later.

Issue: The remote database server is susceptible to multiple attacks. The version of MySQL Community Server installed on the remote host reportedly is affected by a denial of service vulnerability that can lead to a server crash with a specially-crafted password packet. It is also affected by a privilege escalation vulnerability because 'CREATE TABLE LIKE' does not require any privileges on the source table, which allows an attacker to create arbitrary tables using the affected application.
Port: not stated in the report | Overall: Medium | Impact: Medium | Ease: Moderate | Fix: Planned
Recommendation: Upgrade to MySQL Community Server version 5.0.45 or later.

Issue: The remote database server is affected by an information disclosure flaw.
Port: not stated in the report | Overall: Medium | Impact: High | Ease: Moderate | Fix: Quick
Recommendation: Upgrade to MySQL 4.0.27 / 4.1.19 / 5.0.21 / 5.1.10 or later.
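The three MySQL rows above are version-based findings: the scanner compares the server banner against the first fixed release of each branch named in the recommendation. A quick way to re-check after patching is to apply the same comparison to the new banner. The example below is added here and is not from the report or from the scanner; the branch rules it applies (a branch older than every listed fix is treated as affected, a branch newer than every listed fix as fixed) are its own assumptions, and the banners it runs on are constructed.

```python
"""Branch-aware version check for the MySQL findings in Table 5.8 (added example, not from the report)."""
import re

# Fixed releases exactly as named in the three Table 5.8 recommendations, keyed by finding.
FIXED_IN = {
    "UDF name buffer overflow": ("4.0.25", "4.1.13", "5.0.7"),
    "information disclosure": ("4.0.27", "4.1.19", "5.0.21", "5.1.10"),
    "password packet DoS / CREATE TABLE LIKE": ("5.0.45",),
}


def parse_version(banner: str) -> tuple:
    """Pull x.y.z out of a server banner such as '5.0.45-community-log' or '5.0.7-beta'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"unrecognised MySQL version banner: {banner!r}")
    return tuple(int(p) for p in m.groups())


def vulnerable_to(banner: str, fixed_versions: tuple) -> bool:
    """Compare within the running server's branch (x.y), the way version-based checks do.

    Assumptions made by this example: a branch older than every listed fix never received
    one and is treated as affected; a branch newer than every listed fix is treated as fixed."""
    running = parse_version(banner)
    fixes = sorted(parse_version(f) for f in fixed_versions)
    same_branch = [f for f in fixes if f[:2] == running[:2]]
    if same_branch:
        return running < same_branch[0]
    return running[:2] < fixes[0][:2]


def findings(banner: str) -> list:
    """Names of the Table 5.8 findings that still apply to the given banner."""
    return [name for name, fixed in FIXED_IN.items() if vulnerable_to(banner, fixed)]


if __name__ == "__main__":
    # Constructed banners, not taken from the assessed host.
    for banner in ("4.1.12-standard", "5.0.20", "5.0.45-community-log", "5.1.30"):
        print(banner, "->", findings(banner) or "none of the listed issues")
```

The comparison is only as good as the banner: a distribution that backports fixes without changing the version string will still be reported, so confirm a remaining finding against the vendor's changelog before treating it as open.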


5.8 Internet Banking Assessment

Table 5.9: Findings for the Internet Banking application (https://secure.eclipsebank.cxm)

Issue: Cross-site scripting (reflected)
Severity: High
Instances (5):
  https://secure.eclipsebank.cxm/genScript.php [acctno parameter]
  https://secure.eclipsebank.cxm/genScript.php [bank parameter]
  https://secure.eclipsebank.cxm/genScript.php [edate parameter]
  https://secure.eclipsebank.cxm/genScript.php [sdate parameter]
  https://secure.eclipsebank.cxm/genScript.php [usr parameter]
(The request and response for each instance are reproduced in Appendix B.)
Description: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method). The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Recommendation: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences. First, input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised. Second, user input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

Issue: SSL cookie without secure flag set
Severity: Medium
Instance: The following cookie was issued by the application and does not have the secure flag set:
  PHPSESSID=dd06vet836kdto8cvmvqmlo8d2; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Description: If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://eclipsebank.cxm:443/ to perform the same attack.
Recommendation: The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

Issue: Cookie without HttpOnly flag set
Severity: Low
Instance: The following cookie was issued by the application and does not have the HttpOnly flag set:
  PHPSESSID=dd06vet836kdto8cvmvqmlo8d2; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Description: If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Recommendation: There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie directive. You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

Issue: Password field with autocomplete enabled
Severity: Low
Instance: The page contains a form with the following action URL: https://secure.eclipsebank.cxm/functions.php?action=login. The form contains the following password field with autocomplete enabled: passwd2
Description: Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application. The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
Recommendation: To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields). Note that current browsers ignore autocomplete="off" on login fields and offer to save the credential regardless, so this control is best-effort only.

Issue: Cross-domain script include
Severity: Low
Instance: The response dynamically includes the following script from another domain: https://siteseal.thawte.com/cgi/server/thawte_seal_generator.exe
Description: When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user. If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Recommendation: Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.

Issue: TRACE method is enabled
Severity: Low
Description: The TRACE method is designed for diagnostic purposes. If enabled, the web server will respond to requests which use the TRACE method by echoing in its response the exact request which was received. Although this behaviour is apparently harmless in itself, it can sometimes be leveraged to support attacks against other application users. If an attacker can find a way of causing a user to make a TRACE request, and can retrieve the response to that request, then the attacker will be able to capture any sensitive data which is included in the request by the user's browser, for example session cookies or credentials for platform-level authentication. This may exacerbate the impact of other vulnerabilities.
Recommendation: The TRACE method should be disabled on the web server.

Issue: Email addresses disclosed
Severity: Low
Instances (2): /functions.php, /welcome.php
Description: The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content. However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Recommendation: You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary.

Issue: Cacheable HTTPS response
Severity: Low
Instances (3): /functions.php, /genScript.php, /ibanking_tranzalert.swf
Description: Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.
Recommendation: The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:
  Cache-control: no-store
  Pragma: no-cache

Issue: Content type incorrectly stated
Severity: Low
Instances (2): /ft_own.php, /ft_third.php
Description: If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities. In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Recommendation: For every response containing a message body, the application should include a single Content-Type header which correctly and unambiguously states the MIME type of the content in the response body.
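Four of the findings in Table 5.9 (secure flag, HttpOnly flag, cacheable HTTPS response, content type incorrectly stated) can be verified from the response headers alone, which makes them easy to re-test once fixes are deployed. The following example, added here and not part of the report or of the bank's application, audits one raw response for all four at once. The responses it runs on are constructed: the first combines the server headers seen in Appendix B with the PHPSESSID cookie from the finding as a Set-Cookie header, the second shows the same response with the recommended headers in place, and the list of cookie names treated as session tokens is an assumption.

```python
"""Audit a raw HTTP response for the cookie, caching and content-type issues in Table 5.9
(added example, not from the report or the assessed application)."""
import re

# Cookie names treated as session tokens (assumption; extend for the application under test).
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid"}


def parse_response(raw: str):
    """Split a raw response into (status line, [(lower-cased header name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name: str) -> list:
    """All values of a header (Set-Cookie in particular may legitimately repeat)."""
    return [v for n, v in headers if n == name.lower()]


def audit_cookie(set_cookie: str, https: bool) -> list:
    """Secure is required for cookies issued over HTTPS; HttpOnly is expected on every cookie."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    note = " (appears to be a session token)" if name.lower() in SESSION_COOKIE_NAMES else ""
    out = []
    if https and "secure" not in attrs:
        out.append(f"cookie {name} without Secure flag{note}")
    if "httponly" not in attrs:
        out.append(f"cookie {name} without HttpOnly flag{note}")
    return out


def audit_response(raw: str, https: bool = True, sensitive: bool = True) -> list:
    """Return the list of findings for one response; an empty list means it passed."""
    _status, headers, body = parse_response(raw)
    out = []
    for sc in header_values(headers, "set-cookie"):
        out.extend(audit_cookie(sc, https))
    if sensitive:
        if "no-store" not in ",".join(header_values(headers, "cache-control")).lower():
            out.append("cacheable response: Cache-Control lacks no-store")
        if "no-cache" not in ",".join(header_values(headers, "pragma")).lower():
            out.append("cacheable response: Pragma: no-cache missing")
    ctypes = header_values(headers, "content-type")
    if body:
        if len(ctypes) != 1:
            out.append(f"{len(ctypes)} Content-Type headers (expected exactly one)")
        else:
            declared = ctypes[0].split(";")[0].strip().lower()
            looks_html = re.match(r"\s*<(!doctype|html)", body, re.I) is not None
            if looks_html and declared != "text/html":
                out.append(f"content type incorrectly stated: {declared} for an HTML body")
    return out


# Constructed sample responses. The first is modelled on the headers in Appendix B with the
# report's PHPSESSID cookie added as a Set-Cookie; the second shows the corrected headers.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.0 (Fedora)\r\n"
    "X-Powered-By: PHP/5.2.5\r\n"
    "Set-Cookie: PHPSESSID=dd06vet836kdto8cvmvqmlo8d2; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><head><title>eClipse-Plus</title></head><body>...</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=dd06vet836kdto8cvmvqmlo8d2; path=/; Secure; HttpOnly\r\n"
    "Cache-Control: no-store\r\n"
    "Pragma: no-cache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><head><title>eClipse-Plus</title></head><body>...</body></html>"
)
# An HTML body served with an image content type, the pattern behind /ft_own.php and /ft_third.php.
MISLABELLED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/gif\r\n"
    "\r\n"
    "<html><body>transfer form</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE),
                       ("mislabelled", MISLABELLED_RESPONSE)):
        print(label, audit_response(raw) or "no findings")
```

The `sensitive` switch exists because the caching check only applies to responses that carry account data; static assets served with long cache lifetimes should not be reported. The `https` switch matters for the Secure flag only: a cookie set on a plain-HTTP response cannot usefully carry Secure, which is itself a sign that the session is being established over the wrong scheme.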

6.0 CONCLUSION
This analysis is based on the technologies and known threats as of the date of this report. Cynergi recommends that all modifications suggested in this document be performed in order to ensure the overall security of the web application and Internet segment. We also propose that eClipse Bank perform a follow-on re-test to verify that the recommended changes were made, and made correctly. Technical raw data aggregated and collected from the security assessment has also been made available in the appendix for reference.

Please note that as technologies and risks change over time, the vulnerabilities associated with the operation of the systems described in this report, as well as the actions necessary to reduce the exposure to such vulnerabilities, will also change. Cynergi makes no undertaking to supplement or update this report on the basis of changed circumstances or facts of which we become aware after the date hereof, absent a specific written agreement to perform supplemental or updated analysis.

Cynergi has appreciated this opportunity to perform the assessment and testing service for eClipse Bank PLC. We hope that the information contained in this document is of benefit to your organization. As eClipse Bank's security-related needs arise again in the future, it would be our pleasure to serve you again.


7.0 APPENDIX Appendix A: Administrator FTP Login Screen shot (127.127.255.14)

Fig A1: FTP Screen shot


Appendix B: Output from Internet Banking Assessment

Cross-site scripting (reflected)

https://secure.eclipsebank.cxm/genScript.php [acctno parameter]

The value of the acctno request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload faae9"><script>alert(1)</script>9e68745e3bb was submitted in the acctno parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /genScript.php?action=reqform&acctno=3670060l3747574faae9"><script>alert(1)</script>9e68745e3bb&bank=eClipse&usr= HTTP/1.1
Host: secure.eclipsebank.cxm
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.19) Gecko/20081217 Fedora/1.1.14-1.fc8 SeaMonkey/1.1.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://secure.eclipsebank.cxm/functions.php?action=accountdetails
Cookie: __utma=209544464.2727170205088107000.1245274367.1245274367.1245313214.2; __utmz=209544464.1245274367.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=dd06vet836kdto8cvmvqmlo8d2; /main.phpfirsttimeload=1

Table A2-1

Response

HTTP/1.1 200 OK
Date: Thu, 25 Jun 2009 22:53:54 GMT
Server: Apache/2.2.0 (Fedora)
X-Powered-By: PHP/5.2.5
Cache-control: no-cache,no-store
Expires: Thu, 25 Jun 2009 22:53:54 GMT
Content-Length: 1052
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head><title>eClipse-Plus</title>
<link rel="Stylesheet" href="eClipse.css" type="text/css" media ="screen">
</head>
<body>
<BODY class="main" >
<center>
<br>
<br>
<table border="1" cells ...[SNIP]...
<input type="hidden" name="acctno" size="20" value="3670060l3747574faae9"><script>alert(1)</script>9e68745e3bb">
...[SNIP]...

Table A2-2

https://secure.eclipsebank.cxm/genScript.php [bank parameter]

The value of the bank request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31e14"><script>alert(1)</script>e0f75b40e6f was submitted in the bank parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /genScript.php?action=reqform&acctno=3670060l3747574&bank=eClipse31e14"><script>alert(1)</script>e0f75b40e6f&usr= HTTP/1.1
Host: secure.eclipsebank.cxm
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.19) Gecko/20081217 Fedora/1.1.14-1.fc8 SeaMonkey/1.1.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://secure.eclipsebank.cxm/functions.php?action=accountdetails
Cookie: __utma=209544464.2727170205088107000.1245274367.1245274367.1245313214.2; __utmz=209544464.1245274367.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=dd06vet836kdto8cvmvqmlo8d2; /main.phpfirsttimeload=1

Table A2-3

Response

HTTP/1.1 200 OK
Date: Thu, 25 Jun 2009 22:55:03 GMT
Server: Apache/2.2.0 (Fedora)
X-Powered-By: PHP/5.2.5
Cache-control: no-cache,no-store
Expires: Thu, 25 Jun 2009 22:55:04 GMT
Content-Length: 1052
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head><title>eClipse-Plus</title>
<link rel="Stylesheet" href="eClipse.css" type="text/css" media ="screen">
</head>
<body>
<BODY class="main" >
<center>
<br>
<br>
<table border="1" cells ...[SNIP]...
<input type="hidden" name="bank" size="20" value="Prudent31e14"><script>alert(1)</script>e0f75b40e6f">
...[SNIP]...

Table A2-4

https://secure.eclipsebank.cxm/genScript.php [edate parameter]

The value of the edate request parameter is copied into the HTML document as plain text between tags. The payload feb35<script>alert(1)</script>1ee1d60c14a was submitted in the edate parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /genScript.php?action=reqExec HTTP/1.1
Host: secure.eclipsebank.cxm
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.19) Gecko/20081217 Fedora/1.1.14-1.fc8 SeaMonkey/1.1.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://secure.eclipsebank.cxm/genScript.php?action=reqform&acctno=3670060l3747574&bank=eClipse&usr=
Cookie: __utma=209544464.2727170205088107000.1245274367.1245274367.1245313214.2; __utmz=209544464.1245274367.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=dd06vet836kdto8cvmvqmlo8d2; /main.phpfirsttimeload=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 86

sdate=18-JUN-09&edate=25-JUN-09feb35<script>alert(1)</script>1ee1d60c14a&submit=Submit&acctno=3670060l3747574&bank=eClipse&usr=

Table A2-5

Response

HTTP/1.1 200 OK
Date: Thu, 25 Jun 2009 22:55:10 GMT
Server: Apache/2.2.0 (Fedora)
X-Powered-By: PHP/5.2.5
Content-Length: 1201
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head><title>eClipse-Plus</title>
<link rel="Stylesheet" href="eClipse.css" type="text/css" media ="screen">
</head>
<body>
<table border=0 cellpadding=0 cellspacing=0 width=90% align=center><
...[SNIP]...
<br> 18-JUN-09 To 25-JUN-09feb35<script>alert(1)</script>1ee1d60c14a<br>
...[SNIP]...

Table A2-6

https://secure.eclipsebank.cxm/genScript.php [sdate parameter]

The value of the sdate request parameter is copied into the HTML document as plain text between tags. The payload 55bc1<script>alert(1)</script>f47e65c2b12 was submitted in the sdate parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /genScript.php?action=reqExec HTTP/1.1
Host: secure.eclipsebank.cxm
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.19) Gecko/20081217 Fedora/1.1.14-1.fc8 SeaMonkey/1.1.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://secure.eclipsebank.cxm/genScript.php?action=reqform&acctno=3670060l3747574&bank=Prudent&usr=
Cookie: __utma=209544464.2727170205088107000.1245274367.1245274367.1245313214.2; __utmz=209544464.1245274367.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=dd06vet836kdto8cvmvqmlo8d2; /main.phpfirsttimeload=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 86

sdate=18-JUN-0955bc1<script>alert(1)</script>f47e65c2b12&edate=25-JUN-09&submit=Submit&acctno=3670060l3747574&bank=eClipse&usr=

Table A2-7

Response

HTTP/1.1 200 OK
Date: Thu, 25 Jun 2009 22:53:54 GMT
Server: Apache/2.2.0 (Fedora)
X-Powered-By: PHP/5.2.5
Content-Length: 1201
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head><title>eClipse-Plus</title>
<link rel="Stylesheet" href="eClipse.css" type="text/css" media ="screen">
</head>
<body>
<table border=0 cellpadding=0 cellspacing=0 width=90% align=center><
...[SNIP]...
<br> 18-JUN-0955bc1<script>alert(1)</script>f47e65c2b12 To 25-JUN-09<br>
...[SNIP]...

Table A2-8

https://secure.eclipsebank.cxm/genScript.php [usr parameter]

The value of the usr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7639"><script>alert(1)</script>d78d82783f2 was submitted in the usr parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /genScript.php?action=reqform&acctno=3670060l3747574&bank=eClipse&usr=b7639"><script>alert(1)</script>d78d82783f2 HTTP/1.1
Host: secure.eclipsebank.cxm
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.19) Gecko/20081217 Fedora/1.1.14-1.fc8 SeaMonkey/1.1.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://secure.eclipsebank.cxm/functions.php?action=accountdetails
Cookie: __utma=209544464.2727170205088107000.1245274367.1245274367.1245313214.2; __utmz=209544464.1245274367.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=dd06vet836kdto8cvmvqmlo8d2; /main.phpfirsttimeload=1

Table A2-9

Response

HTTP/1.1 200 OK
Date: Thu, 25 Jun 2009 22:56:18 GMT
Server: Apache/2.2.0 (Fedora)
X-Powered-By: PHP/5.2.5
Cache-control: no-cache,no-store
Expires: Thu, 25 Jun 2009 22:56:18 GMT
Content-Length: 1052
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head><title>eClipse-Plus</title>
<link rel="Stylesheet" href="eClipse.css" type="text/css" media ="screen">
</head>
<body>
<BODY class="main" >
<center>
<br>
<br>
<table border="1" cells ...[SNIP]...
<input type="hidden" name="usr" size="20" value="b7639"><script>alert(1)</script>d78d82783f2">
...[SNIP]...

Table A2-10
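The two layers of defence recommended for the reflected cross-site scripting finding, applied to the five genScript.php parameters, as an added example that is not the application's own code. The whitelist patterns are assumptions about each parameter's expected format (digits for acctno, DD-MON-YY for the dates, and so on) and the benign account number is a placeholder; the payloads are the ones reflected in Tables A2-1 to A2-10. Attribute-context values (acctno, bank, usr) and text-context values (sdate, edate) are encoded for the context in which each is echoed, matching the responses above.

```python
"""Two-layer defence for the genScript.php parameters: strict whitelist validation on input,
HTML encoding on output (added example, not the application's own code)."""
import html
import re

# Whitelists are assumptions about the expected formats, derived from the values in the
# Appendix B requests (numeric account number, short bank name, DD-MON-YY dates, empty usr).
PATTERNS = {
    "acctno": re.compile(r"[0-9]{10,16}"),
    "bank":   re.compile(r"[A-Za-z][A-Za-z ]{0,39}"),
    "usr":    re.compile(r"[A-Za-z0-9._-]{0,32}"),
    "sdate":  re.compile(r"[0-9]{2}-[A-Z]{3}-[0-9]{2}"),
    "edate":  re.compile(r"[0-9]{2}-[A-Z]{3}-[0-9]{2}"),
}


class ValidationError(ValueError):
    pass


def validate(params: dict) -> dict:
    """Layer 1: reject, rather than sanitise, any parameter that fails its whitelist."""
    clean = {}
    for name, pattern in PATTERNS.items():
        value = params.get(name, "")
        if pattern.fullmatch(value) is None:
            raise ValidationError(f"parameter {name!r} rejected")
        clean[name] = value
    return clean


def is_valid(params: dict) -> bool:
    try:
        validate(params)
        return True
    except ValidationError:
        return False


def encode_attr(value: str) -> str:
    """Layer 2 for a double-quoted attribute: & < > " ' and = all become entities."""
    return html.escape(value, quote=True).replace("=", "&#x3D;")


def encode_text(value: str) -> str:
    """Layer 2 for text between tags."""
    return html.escape(value, quote=True)


def render(params: dict) -> str:
    """Emit the two fragments the appendix shows being injected: hidden inputs (attribute
    context) and the date range (text context), with output encoding applied regardless
    of whether validation ran."""
    lines = [
        '<input type="hidden" name="%s" size="20" value="%s">' % (name, encode_attr(params[name]))
        for name in ("acctno", "bank", "usr")
    ]
    lines.append("<br> %s To %s<br>" % (encode_text(params["sdate"]), encode_text(params["edate"])))
    return "\n".join(lines)


# The five payloads that were reflected, as recorded in Tables A2-1 to A2-10.
PAYLOADS = {
    "acctno": 'faae9"><script>alert(1)</script>9e68745e3bb',
    "bank":   '31e14"><script>alert(1)</script>e0f75b40e6f',
    "edate":  'feb35<script>alert(1)</script>1ee1d60c14a',
    "sdate":  '55bc1<script>alert(1)</script>f47e65c2b12',
    "usr":    'b7639"><script>alert(1)</script>d78d82783f2',
}

# Constructed benign request; the account number is a placeholder, not a real account.
BENIGN = {"acctno": "3670060137475741", "bank": "eClipse", "usr": "",
          "sdate": "18-JUN-09", "edate": "25-JUN-09"}

if __name__ == "__main__":
    print("benign request accepted:", is_valid(BENIGN))
    for name, payload in PAYLOADS.items():
        tampered = {**BENIGN, name: BENIGN[name] + payload}
        print(f"{name}: rejected={not is_valid(tampered)}")
        print(render(tampered))
```

Validation alone would have stopped every payload above, but it is the encoding layer that matters once a value reaches the page through a path the validator did not cover, which is why `render` encodes unconditionally rather than trusting that `validate` already ran.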


Appendix C: GNU Free Documentation License


0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.


The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

The "publisher" means any person or entity that distributes copies of the Document to the public.

A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.

2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.

3. COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after
the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.
B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.
C. State on the Title page the name of the publisher of the Modified Version, as the publisher.
D. Preserve all the copyright notices of the Document.
E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.
F. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.
G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.
H. Include an unaltered copy of this License.
I. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.
J. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.
K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.
L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.
M. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.
N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section.
O. Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements".

6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License,
provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.

8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.

If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.

9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, or distribute it is void, and will automatically terminate your rights under this License.

However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.

Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.

Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, receipt of a copy of some or all of the same material does not give you any rights to use it.

10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation. If the Document specifies that a proxy can decide which future versions of this License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Document.

11. RELICENSING

"Massive Multiauthor Collaboration Site" (or "MMC Site") means any World Wide Web server that publishes copyrightable works and also provides prominent facilities for anybody to edit those works. A public wiki that anybody can edit is an example of such a server. A "Massive Multiauthor Collaboration" (or "MMC") contained in the site means any set of copyrightable works thus published on the MMC site.

"CC-BY-SA" means the Creative Commons Attribution-Share Alike 3.0 license published by Creative Commons Corporation, a not-for-profit corporation with a principal place of business in San Francisco, California, as well as future copyleft versions of that license published by that same organization.

"Incorporate" means to publish or republish a Document, in whole or in part, as part of another Document.

An MMC is "eligible for relicensing" if it is licensed under this License, and if all works that were first published under this License somewhere other than this MMC, and subsequently incorporated in whole or in part into the MMC, (1) had no cover texts or invariant sections, and (2) were thus incorporated prior to November 1, 2008.

The operator of an MMC Site may republish an MMC contained in the site under CC-BY-SA on the same site at any time before August 1, 2009, provided the MMC is eligible for relicensing.
