
Penetration test - Technical Report

Nixu A/S ▪ Hørkær 14, 2730 Herlev, Denmark ▪ Telephone ▪ +45 7020 1260 ▪ www.nixu.com

Newsec

Penetration test - Technical report

Version 1 / Confidential


Version: 1.0
Report finished: 04-03-2021
Test period: 09.02.2021 - 04.03.2021
Author: Hakan Yurdakul Pedersen


Contents

1. Host information
2. Technical summary
2.1 Recommendations
3. Findings overview per host
4. Detailed findings
4.1 CRITICAL rated vulnerabilities
4.2 HIGH rated vulnerabilities
4.3 Medium rated vulnerabilities
4.3.1 Use of JavaScript library with known vulnerability
4.3.2 Multiple SSL/TLS vulnerabilities
4.4 Low rated vulnerabilities
4.4.1 User enumeration
4.4.2 Missing HTTP security headers
4.4.3 Missing DNSSEC
4.5 Informational
4.5.1 Information disclosure via response header
5. TCP Scan Results
6. Other observations
7. Contact Information
8. Appendix 1 - OWASP Top 10


1. Host information

This section shows information on hosts in the scope or hosts discovered through the assessment.

IP/Domain                  Critical  High  Medium  Low  Informational
duedilligence.dateanet.dk  0         0     0       1    1
forening.dateanet.dk       0         0     1       3    1
datarum.dateanet.dk        0         0     1       3    1
i.dateanet.dk              0         0     0       1    1
62.242.41.44               0         0     1       0    0
62.242.89.139              0         0     1       0    0


2. Technical summary

Nixu has conducted a penetration test of the following Newsec websites:

- duedilligence.dateanet.dk
- forening.dateanet.dk
- datarum.dateanet.dk
- i.dateanet.dk

No critical or high rated vulnerabilities were found, but 2 medium and 3 low rated vulnerabilities were found. Two of the websites use a vulnerable JavaScript library (jQuery 1.11.0) with known cross-site scripting vulnerabilities. We recommend updating the library to the newest version, in which these vulnerabilities are fixed, and making sure that the libraries are kept updated from now on.

The web servers also support SSLv3, which has been deprecated for a long time, and allow weak ciphers and cipher-block-chaining (CBC) cipher suites on old protocol versions. The resulting attacks (POODLE, BEAST, Sweet32, RC4 biases) are exploitable only in limited circumstances. Nonetheless, we recommend supporting only TLS 1.2 and later and disabling the weak ciphers, as exploitation of these weaknesses may ultimately lead to loss of confidentiality.

Three low rated vulnerabilities were found, which we recommend remediating whenever possible. User enumeration is rated low in this report, but if brute-force attacks or weak passwords are possible (which we could not test, as we did not have valid credentials), the vulnerability could be high or critical. Lastly, we recommend enforcing Strict-Transport-Security on all websites and implementing a Content-Security-Policy to mitigate certain man-in-the-middle and cross-site scripting attacks.


2.1 Recommendations

Based on the vulnerabilities found, it is Nixu's opinion that Newsec can increase the security level of the web applications by implementing the following actions:

• Update the JavaScript libraries

• Disable user enumeration

• Add the remaining HTTP security headers to your web applications

• Consult your hosting provider to enable DNSSEC

• Support only TLS 1.2 and later, and disable SSLv3, TLS 1.0, TLS 1.1 and the weak cipher suites


3. Findings overview per host

This section gives an overview of vulnerabilities per host/domain.

duedilligence.dateanet.dk
  Name                                          Severity
  Missing DNSSEC                                Low
  Information disclosure via response header    Informational

forening.dateanet.dk
  Name                                          Severity
  Use of JavaScript library with known vulnerability  Medium
  User enumeration                              Low
  Missing HTTP security headers                 Low
  Missing DNSSEC                                Low
  Information disclosure via response header    Informational

datarum.dateanet.dk
  Name                                          Severity
  Use of JavaScript library with known vulnerability  Medium
  User enumeration                              Low
  Missing HTTP security headers                 Low
  Missing DNSSEC                                Low
  Information disclosure via response header    Informational

i.dateanet.dk
  Name                                          Severity
  Missing DNSSEC                                Low
  Information disclosure via response header    Informational

62.242.41.44
  Name                                          Severity
  Multiple SSL/TLS vulnerabilities              Medium

62.242.89.139
  Name                                          Severity
  Multiple SSL/TLS vulnerabilities              Medium


4. Detailed findings

This section shows detailed information on vulnerabilities found during the assessment. The vulnerabilities found have been rated using the following severity scale:

• CRITICAL: These vulnerabilities are of absolute importance, because findings in this category can sometimes be used directly to compromise the system. We recommend that these findings are prioritised and remediated immediately. Consider even taking systems offline until the vulnerability has been remediated.

• HIGH: Vulnerabilities at this severity are considered very important. They can compromise confidentiality and integrity and impact availability. We recommend remediating these vulnerabilities immediately.

• MEDIUM: Medium rated vulnerabilities are considered important. They have the same potential impact as high rated vulnerabilities but are considered less likely to be exploited. We recommend that vulnerabilities in this category are remediated as soon as possible.

• LOW: Vulnerabilities at this severity are of lesser importance but should not be forgotten. They have been rated low because the likelihood of exploitation is low or some other factor needs to be in place before exploitation can take place.

• INFORMATIONAL: Informational findings do not themselves constitute security risks. However, they can help an attacker to expand the attack surface.


4.1 CRITICAL rated vulnerabilities

These vulnerabilities are of absolute importance, because findings in this category can sometimes be used directly to compromise the system. We recommend that these findings are prioritised and remediated immediately. Consider even taking systems offline until the vulnerability has been remediated.

No critical vulnerabilities were found.


4.2 HIGH rated vulnerabilities

Vulnerabilities at this severity are considered very important. They can compromise confidentiality and integrity and impact availability. We recommend remediating these vulnerabilities immediately.

No high vulnerabilities were found.


4.3 Medium rated vulnerabilities

Medium rated vulnerabilities are considered important. They have the same potential impact as high rated vulnerabilities but are considered less likely to be exploited. We recommend that vulnerabilities in this category are remediated as soon as possible.

4.3.1 Use of JavaScript library with known vulnerability

Severity: Medium
OWASP TOP10: A9
Affected systems:

Domain                 Vulnerable library
forening.dateanet.dk   jQuery 1.11.0
datarum.dateanet.dk    jQuery 1.11.0

General description: The websites use a JavaScript library with known vulnerabilities. Attackers could exploit these vulnerabilities under certain circumstances. The exact impact and exploitability depend on the component(s), the specific CVEs and how the library is used by the web application. The jQuery version shown in the table above is affected by the following published vulnerabilities:

CVEs:

• CVE-2015-9251: cross-site scripting; cross-domain AJAX responses served as text/javascript were executed automatically, even when no script response was expected (fixed in jQuery 3.0.0)

• CVE-2019-11358: prototype pollution through jQuery.extend(true, ...) on untrusted input, which can be escalated to cross-site scripting or other application-dependent impact (fixed in jQuery 3.4.0)

• CVE-2020-11022: cross-site scripting when untrusted HTML is passed to jQuery's DOM manipulation methods, even after sanitisation, because of the jQuery.htmlPrefilter transformation (fixed in jQuery 3.5.0)

Impact: Using JavaScript libraries with known vulnerabilities allows an attacker to exploit those vulnerabilities. This can result in successful cross-site scripting attacks, which harm the integrity of the web application and can be used to trick legitimate users into disclosing their credentials to an attacker.

Recommendation: Never use outdated and/or vulnerable libraries. We recommend updating jQuery to the newest version (all three CVEs are fixed in 3.5.0 and later) and ensuring that the software is kept updated in the future, for example by tracking third-party components in a software inventory and checking them against vulnerability databases as part of the release process. Note that jQuery 3.x removed some deprecated APIs; the jQuery Migrate plugin reports the application code that needs to be adjusted.

Proof-of-concept:
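One way to check for this finding automatically, as an added example that is not part of the report: the script below extracts the jQuery version a page loads and compares it with the release that fixed each CVE listed above. The fixed-in versions come from the jQuery release notes; the HTML pages in the sample are constructed for the example and were not captured from the tested hosts.

```python
"""Detect the jQuery version a page loads and map it to the three CVEs above.

Added example (not from the report). Fixed-in versions are taken from the
jQuery release notes; the sample HTML below is constructed for the example.
"""
import re

# Release in which each CVE was fixed.
JQUERY_CVE_FIXED_IN = {
    "CVE-2015-9251": (3, 0, 0),   # cross-domain AJAX responses executed as script
    "CVE-2019-11358": (3, 4, 0),  # prototype pollution in jQuery.extend
    "CVE-2020-11022": (3, 5, 0),  # XSS through jQuery.htmlPrefilter
}

# <script src="...jquery-1.11.0.min.js"> style references.
_SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']*jquery[^"\']*)["\']', re.I)
_VERSION_IN_PATH = re.compile(r'jquery[-.]?v?(\d+)\.(\d+)\.(\d+)', re.I)
# Banner of an inlined or renamed copy: "jQuery v1.11.0" / "jQuery JavaScript Library v1.11.0".
_VERSION_IN_BANNER = re.compile(r'jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)')


def find_jquery_version(html):
    """Return the jQuery version as a (major, minor, patch) tuple, or None."""
    for src in _SCRIPT_SRC.findall(html):
        m = _VERSION_IN_PATH.search(src)
        if m:
            return tuple(int(x) for x in m.groups())
    m = _VERSION_IN_BANNER.search(html)
    return tuple(int(x) for x in m.groups()) if m else None


def affected_cves(version):
    """CVEs from the table above that still apply to this version."""
    return sorted(cve for cve, fixed in JQUERY_CVE_FIXED_IN.items() if version < fixed)


def assess(html):
    version = find_jquery_version(html)
    if version is None:
        return {"version": None, "cves": []}
    return {"version": ".".join(map(str, version)), "cves": affected_cves(version)}


# Constructed sample pages (not captured from the tested hosts).
SAMPLE_OLD = '<html><head><script src="/Scripts/jquery-1.11.0.min.js"></script></head></html>'
SAMPLE_NEW = '<html><head><script src="https://code.jquery.com/jquery-3.5.1.min.js"></script></head></html>'

if __name__ == "__main__":
    for label, page in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, assess(page))
```

A page that references a version-less file such as jquery.min.js is only caught through the banner comment, so for a real check fetch the script file itself and run find_jquery_version over its first lines; a copy bundled into another file is not detected by this approach at all.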


4.3.2 Multiple SSL/TLS vulnerabilities

Severity: Medium
OWASP TOP10: A9
Affected systems:

Issues checked (the columns of the table below):
1. Use of weak RC4 cipher
2. SSLv3 enabled (vulnerable to POODLE)
3. TLS 1.0 enabled
4. TLS 1.1 enabled
5. Weak ciphers supported (vulnerable to Sweet32 attack)
6. Cipher block chaining enabled (vulnerable to BEAST)
7. Certificate expired

IP              Issues present
62.242.41.44    X X X X X X
62.242.89.139   X X X

General description: The tested systems use old SSL/TLS configurations and/or encryption ciphers, which weakens the encrypted communication. The systems allow SSL/TLS communication using the deprecated protocol versions SSLv3, TLS 1.0 and TLS 1.1. Furthermore, the systems allow the weak cipher suites RC4 and (3)DES-CBC, which have known weaknesses: biases in the RC4 keystream, the 64-bit block size of 3DES (Sweet32), and CBC padding and IV handling under SSLv3 (POODLE) and TLS 1.0 (BEAST).

Impact: Successful exploitation of these weaknesses can ultimately result in decryption of the communication, leading to loss of confidentiality between the server and the client. In practice this requires an attacker positioned on the network path and, for the cipher attacks, a large volume of traffic or attacker-controlled requests from the victim's browser, which is why the finding is rated medium.

Recommendations: Support TLS 1.2 and TLS 1.3 only, and disable SSLv3, TLS 1.0 and TLS 1.1. If that is not possible for compatibility reasons, keep TLS 1.1 as a temporary exception only, and without the DES, 3DES, IDEA, RC2 and RC4 ciphers. Prefer AEAD cipher suites (AES-GCM, ChaCha20-Poly1305) with forward secrecy (ECDHE). Replace the expired certificate with a valid one. On Windows Server/IIS 8.5 the protocol and cipher settings are controlled by Schannel through the registry keys under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, and a reboot is required for changes to take effect.

Proof-of-concept:
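To reproduce the assessment of this finding, the script below (an added example, not part of the report) maps an observed set of protocol versions and cipher suites to the issue codes of the table above, and includes a probe that tries one handshake per protocol version against a host. Cipher names follow OpenSSL's naming, as printed by nmap's ssl-enum-ciphers or testssl.sh; the two sample configurations are constructed for the example.

```python
"""Classify an observed SSL/TLS configuration against the issues in finding 4.3.2
and optionally probe a host for the protocol versions it accepts.

Added example, not part of the report. Cipher names follow OpenSSL naming;
the sample configurations below are constructed for the example.
"""
import socket
import ssl

AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")
SMALL_BLOCK_MARKERS = ("DES", "IDEA", "RC2")   # 64-bit block ciphers (Sweet32); "DES" also matches 3DES names


def is_cbc(cipher):
    """CBC mode: every non-AEAD, non-stream, non-NULL suite in OpenSSL's list."""
    return (not any(m in cipher for m in AEAD_MARKERS)
            and "RC4" not in cipher and "NULL" not in cipher)


def classify(protocols, ciphers):
    """Issue codes for a set of accepted protocol names and a set of accepted cipher suites."""
    issues = set()
    if "SSLv3" in protocols:
        issues.add("SSLv3/POODLE")
    if "TLSv1" in protocols:
        issues.add("TLS1.0")
    if "TLSv1.1" in protocols:
        issues.add("TLS1.1")
    if any("RC4" in c for c in ciphers):
        issues.add("RC4")
    if any(m in c for c in ciphers for m in SMALL_BLOCK_MARKERS):
        issues.add("SWEET32")
    # BEAST needs a CBC suite negotiated under SSLv3 or TLS 1.0; CBC under TLS 1.1+ is not affected.
    if set(protocols) & {"SSLv3", "TLSv1"} and any(is_cbc(c) for c in ciphers):
        issues.add("BEAST")
    return sorted(issues)


PROBE_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe(host, port=443, timeout=5):
    """One handshake per protocol version; returns {version: cipher chosen by the server}.

    Caveat: a Python built against an OpenSSL that no longer ships SSLv3 or TLS 1.0/1.1
    cannot offer them, so "not accepted" here is inconclusive for those versions.
    Confirm with openssl s_client or testssl.sh before closing the finding.
    """
    accepted = {}
    for name, version in PROBE_VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE          # we test the configuration, not the chain
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            ctx.set_ciphers("ALL:@SECLEVEL=0")   # let the server pick weak suites as well
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted[name] = tls.cipher()[0]
        except (ssl.SSLError, OSError, ValueError):
            continue
    return accepted


# Constructed observations, in the shape a cipher scanner would report them.
SAMPLE_LEGACY = ({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"},
                 {"RC4-SHA", "DES-CBC3-SHA", "AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"})
SAMPLE_HARDENED = ({"TLSv1.2", "TLSv1.3"},
                   {"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305", "TLS_AES_256_GCM_SHA384"})

if __name__ == "__main__":
    print("legacy  :", classify(*SAMPLE_LEGACY))
    print("hardened:", classify(*SAMPLE_HARDENED))
    # Live use: versions = probe("62.242.41.44"); print(classify(set(versions), set(versions.values())))
```

The probe only learns the server's preferred cipher per protocol version, so feed classify with the full cipher list from a scanner when grading Sweet32 and RC4; the protocol-version part of the result is what the probe establishes reliably.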


4.4 Low rated vulnerabilities

Vulnerabilities at this severity are of lesser importance but should not be forgotten. They have been rated low because the likelihood of exploitation is low or some other factor needs to be in place before exploitation can take place.

4.4.1 User enumeration

Severity: Low
OWASP TOP10: A3
Affected systems:

Domain name
forening.dateanet.dk
datarum.dateanet.dk

General description: It is possible to enumerate existing accounts by using the "Forgot password" function or simply by attempting to log in with any username: the application answers differently depending on whether the account exists. This allows an attacker to obtain valid login usernames, which can then be used in password attacks to attempt to gain unauthorised access to the website. On its own this vulnerability is low, but it becomes high to critical if the web application allows users to choose weak passwords or if brute-force attacks are possible.

Impact: Obtaining valid usernames makes it easier for an attacker to gain access to the website using brute-force or dictionary attacks.

Recommendations: Return a generic message that does not reveal whether an account exists, for both the login form and the password reset function, and make sure the responses do not differ in other ways either (status code, response length, redirect target or response time). Combine this with rate limiting or account lockout on the login and reset endpoints.

Proof-of-concept: Using the forgot password function with the users [email protected] and [email protected] reveals that [email protected] exists.
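The difference between the vulnerable and the recommended behaviour, as an added example that is not taken from the tested applications: a "forgot password" and a login handler that leak account existence, next to versions that answer identically and spend the same time whether or not the account exists, plus the oracle test a tester runs against them. The user store, the addresses and the mailbox stand-in are constructed for the example.

```python
"""User enumeration through response differences: vulnerable handlers next to
hardened ones that answer identically (and in comparable time) either way.

Added example, not taken from the tested applications. The user store, the
addresses and the mailbox below are constructed for the example.
"""
import hashlib
import hmac
import os


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


_SALT = os.urandom(16)
USERS = {"alice@example.com": _hash("correct horse battery staple", _SALT)}  # constructed
DUMMY_HASH = _hash("not a real password", _SALT)  # hashed for unknown users to keep timing flat
MAILBOX = []                                        # stands in for the mail sender

GENERIC_RESET = (200, "If an account exists for that address, a reset link has been sent.")
GENERIC_LOGIN = (401, "Invalid username or password.")


def forgot_password_vulnerable(email):
    # Different status and text reveal whether the address is registered.
    if email in USERS:
        MAILBOX.append(email)
        return 200, "A reset link has been sent to your e-mail address."
    return 404, "No account exists with this e-mail address."


def forgot_password_fixed(email):
    # Same status and text in both cases; only the side effect differs.
    if email in USERS:
        MAILBOX.append(email)
    return GENERIC_RESET


def login_vulnerable(email, password):
    if email not in USERS:
        return 401, "Unknown user."           # leaks existence, and returns faster than the hash below
    if not hmac.compare_digest(USERS[email], _hash(password, _SALT)):
        return 401, "Incorrect password."
    return 200, "Welcome."


def login_fixed(email, password):
    # Always run the slow password hash so an unknown user costs the same time as a known one.
    stored = USERS.get(email, DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password, _SALT)) and email in USERS
    return (200, "Welcome.") if ok else GENERIC_LOGIN


def is_enumeration_oracle(handler, known_user, unknown_user, *args):
    """True if the handler answers differently for an existing and a non-existing account."""
    return handler(known_user, *args) != handler(unknown_user, *args)


if __name__ == "__main__":
    for name, handler, extra in (("reset/vulnerable", forgot_password_vulnerable, ()),
                                 ("reset/fixed", forgot_password_fixed, ()),
                                 ("login/vulnerable", login_vulnerable, ("wrong",)),
                                 ("login/fixed", login_fixed, ("wrong",))):
        print(name, "leaks:", is_enumeration_oracle(handler, "alice@example.com", "nobody@example.com", *extra))
```

The oracle compares only status and body; against a real application also compare response length, Set-Cookie headers, redirect targets and the timing distribution, since any of those can carry the same bit of information.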


4.4.2 Missing HTTP security headers

Severity: Low
OWASP TOP10: A6
Affected systems:

Domain name            Missing header
forening.dateanet.dk   Strict-Transport-Security
forening.dateanet.dk   Content-Security-Policy
forening.dateanet.dk   X-XSS-Protection
datarum.dateanet.dk    Strict-Transport-Security
datarum.dateanet.dk    Content-Security-Policy
datarum.dateanet.dk    X-XSS-Protection

General description: HTTP security headers provide a basic layer of defence by instructing the browser to enforce restrictions that mitigate whole classes of attacks. The web applications are missing the Strict-Transport-Security, Content-Security-Policy and X-XSS-Protection headers.

1. Strict-Transport-Security: The Strict-Transport-Security (HSTS) header instructs browsers to reach the site only over HTTPS for the stated max-age. Plain http:// links are upgraded before a request is sent, and certificate errors can no longer be clicked through. This defeats man-in-the-middle attacks that rely on downgrading a user to HTTP.

2. Content-Security-Policy: The Content-Security-Policy (CSP) header determines where content may be loaded from and prevents unsafe JavaScript (inline scripts, eval) from executing. The policy should specify where scripts may be loaded from and what may be executed, so that it is not possible to load malicious content from another server if the website is compromised or an injection flaw is found.

3. X-XSS-Protection: This header controlled the reflected cross-site scripting filter built into older browsers. Current Chromium-based browsers have removed that filter and Firefox never implemented it, so the header offers little protection today; a Content-Security-Policy is the effective control. If the header is sent at all, the value 0 (filter off) is the one browser vendors now recommend, because the old filter could itself be abused.

Impact: Missing security headers increase the chance of a successful cross-site scripting attack or man-in-the-middle attack, and allow malicious content to be loaded from an attacker-controlled site if the application can be made to reference it.

Recommendations: Add the Strict-Transport-Security header (max-age of at least one year, with includeSubDomains) and a Content-Security-Policy to the web applications. On IIS this is done in web.config under system.webServer/httpProtocol/customHeaders. Treat X-XSS-Protection as optional for the reasons given above.

Proof-of-concept:


4.4.3 Missing DNSSEC

Severity: Low
Affected systems:

Domain name
duedilligence.dateanet.dk
forening.dateanet.dk
datarum.dateanet.dk
i.dateanet.dk

General description: DNSSEC secures DNS lookups: it lets resolvers verify that DNS answers are authentic and unmodified, which prevents users of your websites from being redirected to a malicious IP if the DNS lookup process is compromised, for example by a cache poisoning attack. DNSSEC uses public-key signatures (not encryption) over the DNS records, chained from the root zone down to the domain, to authenticate the answers. The domains in the table above are not signed.

Impact: Legitimate users can be redirected to a malicious website if the DNS lookup process is compromised by an attacker. Note that DNSSEC does not by itself protect the user; the validation happens in the resolver the user's device is configured to use, and HSTS plus a valid certificate remain the controls that protect the HTTPS session.

Recommendations: Consult your hosting provider to enable DNSSEC. Signing the dateanet.dk zone and publishing its DS record in the .dk zone covers all of the subdomains listed above.
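A way to verify this finding, and to confirm the fix later, as an added example that is not part of the report: the script builds a DNS query with the EDNS0 DO (DNSSEC OK) bit, sends it to a validating resolver and reads the AD (authenticated data) flag from the reply. A set AD flag means the resolver validated the full signature chain; an unsigned zone (or a zone without a DS record in its parent) comes back without it, and a zone with broken signatures comes back as SERVFAIL. The resolver address is an assumption (any validating resolver will do) and the sample reply is constructed.

```python
"""Check whether a name resolves with DNSSEC validation by sending a query with the
EDNS0 DO bit to a validating resolver and reading the AD flag in the reply.

Added example, not part of the report. The resolver address is an assumption
(any validating resolver works); the sample reply below is constructed.
"""
import random
import socket
import struct

QTYPE_A = 1
QTYPE_DS = 43


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00' (DNS wire format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=QTYPE_A, tid=None):
    """DNS query with RD set and an OPT record carrying the DO (DNSSEC OK) bit."""
    tid = random.randrange(0x10000) if tid is None else tid
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode|version|DO|Z, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return tid, header + question + opt


def parse_response(tid, data):
    """Header fields we need: RCODE, the AD flag and the answer count."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != tid:
        raise ValueError("transaction id mismatch")
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": an}


def interpret(parsed):
    if parsed["rcode"] == 2:
        return "SERVFAIL: validating resolver rejected the answer (broken signatures?)"
    if parsed["rcode"] != 0:
        return "rcode %d" % parsed["rcode"]
    if parsed["ad"]:
        return "validated (AD set): zone is signed and chained to the root"
    return "not validated: zone unsigned, or no DS record in the parent zone"


def check(name, qtype=QTYPE_A, resolver="9.9.9.9", timeout=3):
    """Resolver is an assumption; it must perform DNSSEC validation for AD to mean anything."""
    tid, query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(tid, data)


# Constructed reply: id 0x1234, flags QR|RD|RA|AD (0x81A0), 1 question, 1 answer, 1 additional.
SAMPLE_VALIDATED = b"\x12\x34\x81\xa0\x00\x01\x00\x01\x00\x00\x00\x01"

if __name__ == "__main__":
    print(interpret(parse_response(0x1234, SAMPLE_VALIDATED)))
    # Live use: print(interpret(check("forening.dateanet.dk")))
    # A DS query for the zone apex shows whether the parent publishes the delegation signer:
    #   check("dateanet.dk", QTYPE_DS)["answers"] > 0
```

Run the check against two different validating resolvers before concluding anything, and compare with a plain A query to the authoritative servers: a SERVFAIL from validators only, with a normal answer from the authoritative side, is the signature of a DNSSEC misconfiguration rather than an outage.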


4.5 Informational

Informational findings do not themselves constitute security risks. However, they can help an attacker to expand the attack surface.

4.5.1 Information disclosure via response header

Severity: Informational
Affected systems:

Domain name                Header                            Disclosed
forening.dateanet.dk       Server                            Microsoft-IIS/8.5
forening.dateanet.dk       X-AspNet-Version                  4.0.30319
forening.dateanet.dk       X-Powered-By                      ASP.NET
forening.dateanet.dk       MicrosoftSharePointTeamServices   16.0.0.4744
duedilligence.dateanet.dk  Server                            Microsoft-IIS/8.5
duedilligence.dateanet.dk  X-Powered-By                      ASP.NET
datarum.dateanet.dk        Server                            Microsoft-IIS/8.5
datarum.dateanet.dk        X-AspNet-Version                  4.0.30319
datarum.dateanet.dk        X-Powered-By                      ASP.NET
datarum.dateanet.dk        MicrosoftSharePointTeamServices   16.0.0.4744
i.dateanet.dk              Server                            Microsoft-IIS/8.5
i.dateanet.dk              X-Powered-By                      ASP.NET

General description: HTTP response headers such as 'Server', 'X-Powered-By', 'X-AspNet-Version' and 'X-AspNetMvc-Version' disclose information about the platform and technologies used by the website. The HTTP responses include one or more such headers.

Impact: The headers can be used by attackers for fingerprinting and for selecting attacks specific to the technologies and versions used by the web application (here IIS 8.5, ASP.NET 4.0.30319 and a SharePoint 2016 build). These response headers are not needed by browsers and should be disabled on production sites.

Recommendations: Disable such response headers, remove them from the response, or make sure that the header value does not contain information which could be used to fingerprint the server-side components of the web application. On IIS/ASP.NET: X-AspNet-Version is removed with <httpRuntime enableVersionHeader="false" /> in web.config, X-Powered-By with <remove name="X-Powered-By" /> under system.webServer/httpProtocol/customHeaders, and the Server and MicrosoftSharePointTeamServices headers with a URL Rewrite outbound rule, since IIS 8.5 has no built-in switch to suppress the Server header.

Proof-of-concept:
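A header audit that covers both finding 4.4.2 (missing hardening headers and weak values of the ones present) and this finding (technology-disclosing headers), as an added example that is not part of the report. It parses one raw HTTP response; the two responses below are constructed to resemble an IIS/SharePoint response before and after hardening and are not captures from the tested hosts.

```python
"""Audit the security-relevant response headers of one HTTP response: the missing
hardening headers from finding 4.4.2, weak values of the ones present, and the
technology-disclosing headers from finding 4.5.1.

Added example, not part of the report. The two raw responses are constructed
to resemble an IIS/SharePoint response before and after hardening.
"""
import re

REQUIRED = ("strict-transport-security", "content-security-policy")
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version",
              "microsoftsharepointteamservices")
MIN_HSTS_AGE = 31536000   # one year, the minimum browser preload lists expect


def parse_headers(raw):
    """Split a raw HTTP/1.x response into {lowercase-name: [values]}; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw):
    h = parse_headers(raw)
    result = {"missing": sorted(n for n in REQUIRED if n not in h),
              "weak": [], "notes": [], "disclosed": {}}
    for hsts in h.get("strict-transport-security", []):
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            result["weak"].append("strict-transport-security: max-age below one year")
        if "includesubdomains" not in hsts.lower():
            result["weak"].append("strict-transport-security: no includeSubDomains")
    for csp in h.get("content-security-policy", []):
        if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
            result["weak"].append("content-security-policy: allows unsafe-inline/unsafe-eval")
    # The legacy XSS filter is gone from current browsers; only "0" (off) is harmless.
    for xss in h.get("x-xss-protection", []):
        if xss.strip() != "0":
            result["notes"].append("x-xss-protection: legacy filter enabled; rely on CSP instead")
    for name in DISCLOSING:
        if name in h:
            result["disclosed"][name] = h[name]
    return result


# Constructed responses (the header values mirror those listed in the report).
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "MicrosoftSharePointTeamServices: 16.0.0.4744\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n<html></html>"
)
SAMPLE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    print("before:", audit(SAMPLE_BEFORE))
    print("after: ", audit(SAMPLE_AFTER))
```

To audit a live host, capture the response with an HTTP client that keeps the raw headers (for example a socket-level request or the response object's raw header list) and pass it to audit; a redirect from http:// to https:// is a separate response and should be checked on its own, since HSTS is only honoured on HTTPS responses.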


5. TCP Scan Results

This section gives an overview of open TCP ports that were available to us during the test.

62.242.41.44
  Port  Status  Service   Version
  80    Open    http      IIS 8.5
  443   Open    ssl/http  HTTPAPI 2.0

62.242.89.139
  Port  Status  Service   Version
  80    Open    http      IIS 8.5
  443   Open    ssl/http  HTTPAPI 2.0


6. Other observations No other observations were made.


7. Contact Information

Customer
  Name: Paw de Sparra Lundin
  E-mail: [email protected]
  Phone: +45 2080 9699

Nixu – Technical consultant
  Name: Hakan Yurdakul Pedersen
  E-mail: [email protected]
  Phone: +45 3176 1782

Nixu – QA
  Name: Thomas Wong
  E-mail: [email protected]
  Phone: +45 3150 0115

Nixu – Commercial
  Name: Torben Kenneth Jørgensen
  E-mail: [email protected]
  Phone: +45 2871 9422


8. Appendix 1 - OWASP Top 10
