POC (Proof Of Concept) REPORT

Hello Sir,

I'm Ruchit Raval, Network Security Engineer Intern at IONX Institute. I'm investigating a website, namely "Humber College" (https://humber.ca/), and filtering out as many vulnerabilities as possible to generate a report.

Contact me: +91635170413
Email: ravalruchit0@gmail.com

Various levels of severity:

1. Critical level severity: This is a significant flaw that causes the system to fail. Certain elements of the system, however, are still operational.
2. Major level severity: It results in some unfavorable behavior, but the system remains functioning.
3. Minor level severity: It won't create any serious system failures.

The table below indicates the different types of severity and priority.

Table of content (columns: No, Name, Level, CWE ID, Solution):

No. 1
Name: Hash Disclosure - Mac OSX salted SHA-1
Level: Critical
CWE ID: 200
Solution: Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser.

No. 2
Name: Open Redirect
Level: Critical
CWE ID: 601
Solution: To avoid the open redirect vulnerability, parameters of the application script/program must be validated before sending a 302 HTTP code (redirect) to the client browser. Implement safe redirect functionality that only redirects to relative URIs, or to a list of trusted domains.

No. 3
Name: PII Disclosure
Level: Critical
CWE ID: 359
Solution: Check the response for the potential presence of personally identifiable information (PII); ensure nothing sensitive is leaked by the application.

No. 4
Name: Absence of Anti-CSRF Tokens
Level: Major
CWE ID: 352
Solution: Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.

No. 5
Name: Content Security Policy (CSP) Header Not Set
Level: Major
CWE ID: 693
Solution: Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.

No. 6
Name: Missing Anti-clickjacking Header
Level: Major
CWE ID: 1021
Solution: Modern web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.

No. 7
Name: Vulnerable JS Library
Level: Major
CWE ID: 829
Solution: Upgrade to the latest version of jquery-migrate.

No. 8
Name: Server Leaks Version Information via "Server" HTTP Response Header Field
Level: Minor
CWE ID: 200
Solution: Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.

No. 9
Name: Strict-Transport-Security Header Not Set
Level: Minor
CWE ID: 319
Solution: Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.

Detail Description & Evidence of severities:

1. Hash Disclosure - Mac OSX salted SHA-1: Hash disclosure means that an encrypted version of a password may be publicly available somewhere on your website. Hashing algorithms that are no longer considered secure may still be in use, which can pose a risk to your application.
Evidence: FEFF00420061007200720065007400740020004300540049

2. Open Redirect: Open redirects are one of the OWASP 2010 Top Ten vulnerabilities. This check looks at user-supplied input in query string parameters and POST data to identify where open redirects might be possible. Open redirects occur when an application allows user-supplied input to control an offsite redirect.

3. PII Disclosure: Personally identifiable information (PII) uses data to confirm an individual's identity. Sensitive personally identifiable information can include your full name, Social Security Number, driver's license, financial information, and medical records.
Evidence: <div class="swag"><img alt="Virtual Session #HumberOrientation with faded backdrop" src="/orientation/sites/default/files/digital-swag/facebook/2020orientation-FB-frame-virtual-sessions-thumb.jpg" /><div class="swag-link"><a href="http://www.facebook.com/profilepicframes/?selected_overlay_id=4044411595629337" >Use This Frame</a></div>

4. Absence of Anti-CSRF Tokens: The absence of Anti-CSRF tokens may lead to a Cross-Site Request Forgery attack that can result in executing a specific application action as another logged-in user, e.g. stealing their account by changing their email and password, or silently adding a new admin user account when executed from the administrator account.
Evidence: <form class="d-none form-search programSearchForm" method="post">

5. Content Security Policy (CSP) Header Not Set: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.

6. Missing Anti-clickjacking Header: Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.

7. Vulnerable JS Library: The Vulnerable JS Library is a common security issue that occurs when a web application uses outdated or unpatched JavaScript libraries. Cybercriminals exploit these vulnerabilities to gain access to sensitive data or cause damage to the application.
Evidence: /*! jQuery Migrate v1.2.1

8. Server Leaks Version Information via "Server" HTTP Response Header Field: If your application leaks server version details via the Server HTTP response header field, it may help an attacker find the distinct security issues in your application and use them to exploit your web application. Exposing the version means you are assisting attackers in speeding up the reconnaissance process.
Evidence: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips

9. Strict-Transport-Security Header Not Set: The missing Strict-Transport-Security header results in communication over HTTP being allowed to the specified domain. That makes the website vulnerable to man-in-the-middle attacks, presenting a fake login page being one of the options.

Impacts of severities:

1. Hash Disclosure - Mac OSX salted SHA-1: Hashing algorithms that are no longer considered secure may still be in use, which can pose a risk to your application.

2. Open Redirect: An open redirect may allow an attacker to bypass a domain-based server-side request whitelist to achieve full-blown server-side request forgery.

3. PII Disclosure: PII disclosure could result in harm to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed.

4. Absence of Anti-CSRF Tokens: The absence of Anti-CSRF tokens may lead to a Cross-Site Request Forgery attack that can result in executing a specific application action as another logged-in user.

5. Content Security Policy (CSP) Header Not Set: If your website is exposed to a Cross-Site Scripting attack, CSP can prevent the vulnerability from being successfully exploited. You will lose this extra layer of protection if you do not implement CSP.

6. Missing Anti-clickjacking Header: Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on a framed page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

7. Vulnerable JS Library: A JavaScript library's security vulnerabilities can be exploited to perform cross-site scripting, cross-site request forgery, and buffer overflow.

8. Server Leaks Version Information via "Server" HTTP Response Header Field: If your application leaks web server version details via the "Server" HTTP response header field, the attacker may use it to find and exploit security vulnerabilities present specifically in the reported web server version.

9. Strict-Transport-Security Header Not Set: A missing Strict-Transport-Security header can be dangerous. It results in communication over HTTP being allowed to the specified domain.

THANK YOU.
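Added triage example for finding 1 (not part of the original report): scanners raise "Hash Disclosure - Mac OSX salted SHA-1" on any run of 48 hex characters, so the first thing a reviewer does is check whether the evidence bytes are opaque digest material or just encoded text. Run on the evidence string quoted above, the check decodes it as UTF-16 text rather than hash bytes; the SHA-256 comparison value is constructed here.

```python
# Added triage helper (not from the report). Scanners flag any run of 48 hex
# characters as a "Mac OSX salted SHA-1" hash (4-byte salt + 20-byte digest),
# so the first check on such evidence is whether the bytes are really opaque
# hash material or merely encoded text.
import math
from collections import Counter

# Evidence string quoted under finding 1 of the report.
EVIDENCE = "FEFF00420061007200720065007400740020004300540049"
# Constructed comparison value: first 48 hex characters of SHA-256("").
OPAQUE = "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934C"


def as_utf16_text(hex_str):
    """Return the decoded string if the bytes are printable UTF-16, else None."""
    try:
        raw = bytes.fromhex(hex_str)
    except ValueError:
        return None
    if len(raw) % 2:
        return None
    # "utf-16" honours a byte order mark (FE FF = big-endian) and strips it;
    # without a BOM assume big-endian rather than the platform default.
    codec = "utf-16" if raw[:2] in (b"\xfe\xff", b"\xff\xfe") else "utf-16-be"
    try:
        text = raw.decode(codec)
    except UnicodeDecodeError:
        return None
    return text if text and all(ch.isprintable() for ch in text) else None


def byte_entropy(hex_str):
    """Shannon entropy in bits per byte; real digests sit near the maximum."""
    raw = bytes.fromhex(hex_str)
    counts = Counter(raw)
    return -sum(c / len(raw) * math.log2(c / len(raw)) for c in counts.values())


def classify(hex_str):
    """('text', decoded) for an encoded-text false positive, ('opaque', None) otherwise."""
    text = as_utf16_text(hex_str)
    return ("text", text) if text is not None else ("opaque", None)


if __name__ == "__main__":
    for label, value in (("evidence", EVIDENCE), ("sha256 prefix", OPAQUE)):
        print(label, classify(value), round(byte_entropy(value), 2))
```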
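Added example for the solution to finding 2 (not code from the report or the site): a redirect-target validator that only accepts relative paths or https URLs to an allowlist of trusted hosts, and falls back to a safe default for anything else. The allowlist and default are assumptions constructed for illustration.

```python
# Added example (not from the report): the safe-redirect rule from the
# solution to finding 2, allowing only relative paths or https URLs to an
# explicit allowlist of trusted hosts. The allowlist is constructed here.
from urllib.parse import urlsplit, urlunsplit

TRUSTED_HOSTS = {"humber.ca", "www.humber.ca"}  # constructed allowlist
DEFAULT_TARGET = "/"


def safe_redirect_target(target, trusted_hosts=TRUSTED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect target that stays on-site, or the default if unsure."""
    if not target:
        return default
    target = target.strip()
    # Control characters can change how browsers and proxies parse the URL.
    if any(ord(ch) < 0x20 for ch in target):
        return default
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path. Also reject "//host" and "///host" forms (protocol-
        # relative) and "/\host", which some browsers normalise to "//host".
        if target.startswith("/") and not target.startswith("//") and "\\" not in target:
            return target
        return default
    # Absolute URL: only https, and only to a host on the allowlist. The
    # hostname property ignores userinfo, so "https://humber.ca@evil.example/"
    # is compared as "evil.example" and rejected.
    if parts.scheme.lower() != "https":
        return default
    if (parts.hostname or "").lower() not in trusted_hosts:
        return default
    # Rebuild the URL so the fragment is dropped and the host is normalised.
    return urlunsplit(("https", parts.netloc.lower(), parts.path or "/", parts.query, ""))
```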
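Added example covering findings 5, 6, 8 and 9 together (not from the report): a header audit that reproduces those four checks over a response's headers, run once on a constructed header set that mirrors the Server value quoted in the evidence and once on a constructed hardened set. The hardened CSP and HSTS values are illustrative defaults, not the site's configuration.

```python
# Added example (not from the report): an audit of the response headers
# behind findings 5, 6, 8 and 9. OBSERVED mirrors the report's evidence;
# HARDENED is a constructed target configuration, not one taken from the site.
import re

OBSERVED = {  # constructed to match the Server value quoted in finding 8
    "Server": "Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips",
    "Content-Type": "text/html; charset=UTF-8",
}

HARDENED = {  # constructed example values; tailor the CSP to the real site
    "Server": "Apache",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def audit_headers(headers):
    """Return the report's finding names that apply to these response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy", "").lower()
    if not csp:
        findings.append("Content Security Policy (CSP) Header Not Set")
    # Either a CSP frame-ancestors directive or X-Frame-Options blocks framing.
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("Missing Anti-clickjacking Header")
    # A version number, OS detail in parentheses or a "product/version" pair
    # counts as a leak; a bare product name does not.
    if re.search(r"\d+\.\d+|\(|/", h.get("server", "")):
        findings.append('Server Leaks Version Information via "Server" HTTP Response Header Field')
    # HSTS only counts when max-age is present and non-zero.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) == 0:
        findings.append("Strict-Transport-Security Header Not Set")
    return sorted(findings)


if __name__ == "__main__":
    print("observed:", audit_headers(OBSERVED))
    print("hardened:", audit_headers(HARDENED))
```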