Showing posts with label AEM Security scan. Show all posts
Showing posts with label AEM Security scan. Show all posts

Saturday, 7 May 2022

Application security testing within AEM Boundary and Tools

Evolution of AEM from on-prem/AMS to AEM As Cloud service has reduced the security concerns to a certain limit. But there are areas an AEM architect should be concerned about, when the code moves to production.

Role of Application Security Testing (AST)
The application security is a major consideration when new design techniques are adopted and DevSecOps are in demand. Application Security Testing (AST) tools available as On-Premise,Cloud or as a SaaS offering. The current tech-market comprises of Application Security Testing (AST) tools offering core testing capabilities — which can be of type static, dynamic, interactive and various optional, specialized capabilities testing;

Below given a set of the AST techniques in brief
Static AST (SAST): SAST analyzes an application’s source, bytecode or binary code for security vulnerabilities - Mainly during development & testing phases.
Dynamic AST (DAST): DAST analyzes applications in their running/dynamic state during testing mainly during operational phases.
DAST Simulates the attack on web-application(AEM) and APIs(within the boundary of AEM application)
Software composition analysis (SCA):    SCA is used to identify other open-source and, less frequently, commercial components in use within an AEM application. From this, known security vulnerabilities, potential licensing concerns and operational risks can be identified.

Interactive AST (IAST): IAST checks a running application, For e.g In case of AEM via the Java Virtual Machine [JVM] and examines its operation to identify vulnerabilities.

Fuzzing: Fuzz testing relies on providing random, malformed or unexpected input to a program to identify potential security vulnerabilities — For e.g., a memory leaks or buffer overflows or application crashes.

Mobile AST (MAST): MAST generally use traditional testing approaches (e.g., SAST and DAST) that have been optimized to support languages and frameworks commonly used to develop mobile and/or Internet of things (IoT) applications. Since mobile & IoT is a related technology with AEM, we must consider such techniques.

Some of the market leaders in AST

There are many AST tools available in market, but below given a set of tools which we came across during our evaluation.
Synopsis, Checkmarx, Veracode, Contrast security, Invicti, Data Theorem are some of the options which can be considered for Application security testing.

Please comment if you have come across any other tools suitable for AEM projetcs.

An architectural thought should be around the selection of tools available in market, the time frame for testing, frequency and penetration level etc. 

The consideration for tool selection must factor pricing vs a freemium model, low-code applications, notification/ alert strategies, language options, IDE & Dashboard supports, customer experience etc.

Monday, 6 April 2020

Common security vulnerabilities identified as part of AEM projects

When ever an AEM project goes Live, there are set of scans happens to ensure that the website adheres to set of security & performance guidelines.
The security/ penetration tests usually gets scheduled few days ahead of any AEM go live. Below given the set of issues identified as part of AEM websites normally.

Horizontal Privilege Escalation Vulnerability   

Usually by horizontal privilege escalation, hackers remain on the same general user privilege level but gains access data of other accounts or processes that should be unavailable to the current account or process.

Host Header Injection Vulnerability   

Normally a header is used by a web server to decide which website should process the received HTTP request. Whenever many websites are hosted on the same IP address, webserver uses the value of this header to forward the HTTP request to the correct website for processing. This poses as a vulnerability.

Email Flooding Attack   

In general, sending large volumes of email to an email address so that the mail box gets overflowed, overwhelm the server where the email address is hosted in a denial-of-service attack. Thus a wrong impression screen to distract the attention from important email messages indicating a security breach.

HTML Injection Vulnerability   

HTML injection generally occurs when the vulnerability inside any website that occurs when the user input is not correctly sanitized or the output is not encoded and the attacker is able to inject valid HTML code into a vulnerable web page. If these methods are provided with un trusted input, then there is a high risk of XSS, specifically an HTML injection issues. If strings are not correctly sanitized the problem could lead to XSS based HTML injection.

Session Replay Attack   

This kind of attacks, known as playback attacks or replay attacks, are network attacks that maliciously repeat or delay a valid data transmission. A hacker can do this by intercepting a session and stealing a user’s unique session ID. Now, the hacker is able to behave himself or herself as an authorized user on site, and will be granted full access to do anything that the authorized user can do on a website.

Stored XSS via File Upload Vulnerability

    Such scripts are possibly vulnerable to XSS (Cross-site scripting). The web application allows file upload of any type & was able to upload a file containing HTML content or various file extensions. When HTML files are allowed, XSS payload can be injected in the file uploaded.

Web Server Banner Disclosure   

When we are running a web server, it often shows the others what type of server it is, its version number, and the operating system. This information is available in header fields and can be acquired using a web browser to make a simple HTTP request to any web application. It is often called the web server banner

Concurrent Logins Allowed    

Parallel logins. Interactive logins at desktops and laptops, a system administrator cannot therefore prevent a given user from going up to one computer, logging on there, letting somebody work as him or just leaving the computer unattended, and then walking up to another computer and logging on there. This causes data leak.

Email Harvesting   

A process of obtaining large number of e-mail addresses through various online sources like website hacking. They obtain list of emails, either by purchase or theft, of valid email address for the purpose of sending bulk emails or Spam.

Vulnerable JQuery version in use   
Old version of Jquerys causes a threat to the websites.

Content Spoofing Vulnerability  

Content Spoofing or Content Injection is one of the common web security vulnerability. It allows end user of the vulnerable web application to spoof or modify the actual content on the web page. The user might use the security loop holes in the website to inject the content that they wish to the target website. When an application does not properly handle user supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user.

Missing Secure and "Http Only" Flag from cookie   

This is an additional flag included in a Set-Cookie HTTP response header. If supported by the browser, using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie. If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client side script code attempts to read the cookie, the browser returns an empty string as the result. This causes the attack to fail by preventing the malicious (usually XSS) code from sending the data to an attacker's web

[Set-Cookie: <name>=<value>[; <Max-Age>=<age>] [; expires=<date>][; domain=<domain_name>] [; path=<some_path>][; secure][; HttpOnly]]

Cookie Path Set to Root  

Many of the browsers don’t allow to set cookie at root level. set the cookie path attribute to application defined folder

SameSite Cookie Attribute Not Set   

The 'SameSite' attribute tells browsers when and how to fire cookies in first- or third-party situations. This attribute is used by a variety of browsers to identify whether or not to allow a cookie to be accessed.

Improper Error/Exception Handling Vulnerability   

Improper error handling arises when security mechanisms fail to deny access until it is specifically granted. This may occur as a result of a mismatch in policy and coding practice. It may also result from code that lacks appropriate error handling logic. For example, a system may grant access until it's denied (deny all, then allow individually).

Improper Session Management    The issue is because session tokens are not handled in proper way. While some of it might be intentional, enough care should be taken to add some kind of validation for the user. Because of the way mobile applications are used, many developers allow long or non-expiring user sessions, or use session tokens that are too predictable.

Session Timeout is not set Properly   

As a standard process, application should invalidate a session after a predefined idle time has passed (a timeout) and provide users the means to invalidate their own sessions, (logout). These simple measures help to keep the lifespan of a session ID as short as possible.  To protect against Insufficient Session Expiration attacks, the logout function should be easily visible to the user, explicitly invalidate a user’s session, and disallow reuse of the session token.

Missing Security Headers   

Security HTTP headers are a fundamental part of website security. Once implemented, they protect against the types of attacks that a site is most likely to come across. These headers protect against XSS, code injection, clickjacking, etc.

There are third party services to enable the security scan. A through scan and identify and fix all the major critical items should be a must included item in any AEM project delivery.