Symptoms


Dear Bashar,

Kindly check the below issues found during Security check and provide us the solution.

1. Cacheable SSL Page Found
URL: https://ss-jhd-wft/Identity/sts/Windows/wsfed
https://ss-jhd-wfsft/Runtime/BlockedBrowser.aspx
https://ss-jhd-wfsft/Runtime/Bundles/Css/RT.SourceCode.Forms.Controls.Web
https://ss-jhd-wfsft/Runtime/CombinedResource.ashx
https://ss-jhd-wfsft/Runtime/JsonResources.axd
https://ss-jhd-wft/ViewFlow/ClientBin/SourceCode.Viewflow.SLViewer.xap
Risk(s): It is possible to gather sensitive information about the web application such as usernames, passwords, machine name
and/or sensitive file locations
Fix: Prevent caching of SSL pages by adding "Cache-Control: no-store" and "Pragma: no-cache" headers to their responses.

2. Social Security Number Pattern Found

URL: https://ss-jhd-wfsft/Runtime/Runtime/AnonymousResources.ashx
Risk(s): It is possible to gather sensitive information about the web application such as usernames, passwords, machine name
and/or sensitive file locations
Fix: Remove Social Security Numbers from your website

3. Integer Overflow
i) URL: https://ss-jhd-wfsft/Runtime/Runtime/SharedResources.ashx
Parameter: Modified
ii) URL: https://ss-jhd-wfsft/Runtime/Runtime/SharedResources.ashx
Parameter: ID
iii) URL: https://ss-jhd-wfsft/Runtime/Runtime/UserResources.ashx
Parameter: ID
iv) URL: https://ss-jhd-wfsft/Runtime/Runtime/UserResources.ashx
Parameter: Modified
v) URL: https://ss-jhd-wfsft/Runtime/Runtime/AjaxCall.ashx
Parameter: FieldId
Risk(s): It is possible to gather sensitive debugging information
Fix: Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and
exceptions.


Please find attached docs for more info.
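The first finding turns on which Cache-Control directives actually stop a TLS response from being written to a cache. The audit below is an added example (not code from the ticket or from the product vendor): it applies the "Cacheable SSL Page Found" rule to constructed sample responses whose paths mirror the finding (the host.invalid URLs and all header values are made up), and separates a storable sign-in page from a storable static asset, which is the distinction that decides how urgent each hit is.

```python
"""Audit HTTPS responses for the scanner's 'Cacheable SSL Page Found' rule."""
from typing import Dict, Iterable, List, Tuple

Headers = Dict[str, str]

def header(headers: Headers, name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def cache_directives(headers: Headers) -> set:
    """Lower-cased Cache-Control directive names ('max-age=86400' -> 'max-age')."""
    return {d.split("=", 1)[0].strip().lower()
            for d in header(headers, "cache-control").split(",") if d.strip()}

def is_storable(headers: Headers) -> bool:
    """True if a browser or proxy may write the body to its cache.
    Only 'no-store' forbids storage: 'no-cache' and 'private' still allow it
    (they force revalidation / forbid shared caches) and a past Expires date
    only marks the stored copy stale. Hence the fix's Cache-Control: no-store;
    Pragma: no-cache is added for HTTP/1.0 intermediaries."""
    return "no-store" not in cache_directives(headers)

def classify(headers: Headers) -> str:
    """'ok' if not storable; 'high' if a storable response is HTML or sets a
    cookie (a sign-in page); 'low' for storable static assets (JS, CSS)."""
    if not is_storable(headers):
        return "ok"
    is_html = header(headers, "content-type").lower().startswith("text/html")
    return "high" if is_html or header(headers, "set-cookie") else "low"

def audit(responses: Iterable[Tuple[str, Headers]]) -> List[Tuple[str, str]]:
    """(url, severity) for every storable response, highest severity first."""
    rank = {"high": 0, "low": 1}
    found = [(url, classify(h)) for url, h in responses]
    return sorted([f for f in found if f[1] != "ok"], key=lambda f: rank[f[1]])

# Constructed sample responses: the paths mirror the finding, but the headers
# are made up for illustration, not captured from the site in the ticket.
SAMPLE_RESPONSES = [
    ("https://host.invalid/Identity/sts/Windows/wsfed",
     {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "private",
      "Set-Cookie": "FedAuth=<token>; Secure; HttpOnly"}),
    ("https://host.invalid/Runtime/CombinedResource.ashx",
     {"Content-Type": "text/javascript", "Cache-Control": "public, max-age=86400"}),
    ("https://host.invalid/Runtime/BlockedBrowser.aspx",
     {"Content-Type": "text/html", "Cache-Control": "no-cache", "Expires": "-1"}),
    ("https://host.invalid/Identity/sts/Windows/wsfed?fixed",
     {"Content-Type": "text/html", "Cache-Control": "no-store, no-cache", "Pragma": "no-cache"}),
]
```

Running `audit(SAMPLE_RESPONSES)` lists the two HTML pages as high and the JavaScript bundle as low; the response that carries the headers the fix asks for is not reported.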
 

Diagnoses


Kindly see the response:
"
1. Cacheable SSL Page Found
The last 4 URLs listed are all resource files containing JavaScript and core SmartForm definitions which contain no sensitive data and are files that we want to be cached.
The BlockedBrowser.aspx page is a page that just shows what browsers are not allowed and has no harm in being cached.

The wsfed page is however a page that should ideally not be cached. We are aware of this and have prioritized it for a future release. The security risk is however quite low due to the fact that the attacker would need local machine access.

2. Social Security Number Pattern Found
This is to some extent a false positive of the security tool. The page loads all the validation patterns of SmartForm expressions and one of them is the RegularExpression for social security numbers. The number it picks up is not any user's social security number.
There is no security risk with this finding.

3. Integer Overflow
We are aware that we display verbose error messages and do have plans in the future to reduce the detailed information.
However this is a very low risk item. To date we haven't found any error messages that contain damaging information.
Due to the dynamic nature of the platform, we can't validate all number values for minimum or maximum values. Because we use managed C# there is no risk of breaching the software's security through buffer overflows, so the only problem here is the verbose error messages.
"
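Where a handler does know a parameter's type, the range-and-type check the finding's fix asks for can be applied per parameter. The snippet below is an added example, not the vendor's handler code: it validates the ID, Modified and FieldId parameters named in the finding as 32-bit integers (the ranges are assumptions and are marked as such in the code) and turns every failure, expected or not, into a generic error instead of a verbose exception page.

```python
"""Strict typed-range validation for integer query parameters (the 'Integer Overflow' fix)."""
import re
from typing import Dict, Tuple
from urllib.parse import parse_qs

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
# Expected range per parameter named in the finding. These ranges are assumed for
# illustration (positive C# int identifiers, non-negative Modified counter).
PARAM_RANGES = {
    "ID": (1, INT32_MAX),
    "FieldId": (1, INT32_MAX),
    "Modified": (0, INT32_MAX),
}

class BadRequest(Exception):
    """Client error whose message is generic enough to send back verbatim."""

def parse_int32(name: str, raw: str) -> int:
    """Accept only an optional '-' plus ASCII digits, then enforce the range.
    Rejects '+5', ' 5', '5.0', '1e3', '0x10' and non-ASCII digits (some of which
    int() or a lenient .NET parse accept) and values that overflow a 32-bit int."""
    if name not in PARAM_RANGES or not re.fullmatch(r"-?[0-9]{1,11}", raw):
        raise BadRequest(f"Invalid value for parameter '{name}'")
    value = int(raw)
    low, high = PARAM_RANGES[name]
    if not low <= value <= high:
        raise BadRequest(f"Parameter '{name}' is out of range")
    return value

def validate_query(query: str, required: Tuple[str, ...]) -> Dict[str, int]:
    """Each required parameter must appear exactly once (no parameter pollution)."""
    qs = parse_qs(query, keep_blank_values=True)
    out = {}
    for name in required:
        values = qs.get(name, [])
        if len(values) != 1:
            raise BadRequest(f"Parameter '{name}' must be supplied exactly once")
        out[name] = parse_int32(name, values[0])
    return out

def handle(query: str, required: Tuple[str, ...] = ("ID", "Modified")) -> Tuple[int, str]:
    """Return (status, body). Exception text never reaches the client: the
    generic 500 body stands in for the verbose error page the scanner saw."""
    try:
        params = validate_query(query, required)
    except BadRequest as exc:
        return 400, str(exc)
    except Exception:  # unexpected failure: log it server-side, reveal nothing
        return 500, "An internal error occurred"
    return 200, "ok " + " ".join(f"{k}={v}" for k, v in params.items())
```

In ASP.NET the generic page for the unexpected case is what web.config's customErrors mode="On" provides; the typed check itself belongs in each .ashx handler that reads these parameters.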


The customer then asked:
"
Kindly need your feedback on reported issues to resolve the same
1. Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (a.k.a. BREACH)
URL: https://ss-jhd-wfsft/Runtime/Utilities/FileHandler.ashx
Risk(s): It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate
user, allowing the hacker to view or alter user records, and to perform transactions as that user
"

The resolution was:
"
The security tool picked this up because the page, FileHandler.ashx, makes use of compression to serve its data, which is correct.
However, the page is used to load files and documents and it's the contents of those files that are being compressed.

The BREACH attack is only an issue if the HTTP response contains sensitive information like session IDs, cookies and other personal information.

The FileHandler.ashx page does not contain any of these in its response to the client and thus would not allow impersonation of a legitimate user or modification of his data or transactions.

There is in other words no security risk with this item and nothing to be rectified.
"
 

Resolution

The customer approved closure of this ticket after receiving the response given above under Diagnoses.