Threats and vulnerabilities

Document ID : KB000011940
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

Need to provide justification on the threats and vulnerabilities found in APM 10.3 during security assessment.

Question:

Threat 1 - 

http://<APM Server>:8080/ApmServer/forward.jsf
http://<APM Server>:8080/jsp/login.jsf

Threat Details - An attacker may be able to use the vulnerability to construct a URL that, if visited by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

Vulnerability Details - Cross-site scripting (DOM-based) 

DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way.
DOM-based cross-site scripting arises when a script writes controllable data into the HTML document in an unsafe way

Impact details - 
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Recommended Mitigation - 
The most effective way to avoid DOM-based cross-site scripting vulnerabilities is not to dynamically write data from any untrusted source into the HTML document. 
In many cases, the relevant data can be validated on a whitelist basis, to allow only content that is known to be safe. 

In other cases, it will be necessary to sanitize or encode the data. 

-------------------- 
Threat 2 - 

http://<APM Server>

Threat Details - This measure makes certain client-side attacks, such as cross-site scripting, slightly harder to exploit by preventing them from trivially capturing the cookie's value via an injected script.

Vulnerability Details - Cookie without HttpOnly flag set
Session cookie doesn't have the HTTPOnly flag set. 

Affected URLs - 

There are 39 instances of this issue:

/castylesr5.1.2/javascript/CommandOption.js
/castylesr5.1.2/javascript/Instructions.js
/castylesr5.1.2/javascript/QuickStart.js
/castylesr5.1.2/javascript/button.js
/castylesr5.1.2/javascript/ca-corpui.js
/castylesr5.1.2/javascript/calendar.js
/castylesr5.1.2/javascript/calendarSummary.js
/castylesr5.1.2/javascript/checkbox.js
/castylesr5.1.2/javascript/client.js
/castylesr5.1.2/javascript/colorpicker.js
/castylesr5.1.2/javascript/combobox.js
/castylesr5.1.2/javascript/datepicker.js
/castylesr5.1.2/javascript/dialog.js
/castylesr5.1.2/javascript/dropdownMenu.js
/castylesr5.1.2/javascript/form.js
/castylesr5.1.2/javascript/formlayout.js
/castylesr5.1.2/javascript/image.js
/castylesr5.1.2/javascript/imageMap.js
/castylesr5.1.2/javascript/inputText.js
/castylesr5.1.2/javascript/label.js
/castylesr5.1.2/javascript/link.js
/castylesr5.1.2/javascript/masterDetail.js
/castylesr5.1.2/javascript/masterDetailList.js
/castylesr5.1.2/javascript/messages.js
/castylesr5.1.2/javascript/optionMenu.js
/castylesr5.1.2/javascript/outputText.js
/castylesr5.1.2/javascript/pageSection.js
/castylesr5.1.2/javascript/progressIndicator.js
/castylesr5.1.2/javascript/radiogroup.js
/castylesr5.1.2/javascript/selectColumn.js
/castylesr5.1.2/javascript/shuttlecontrol.js
/castylesr5.1.2/javascript/spincontrol.js
/castylesr5.1.2/javascript/tabBar.js
/castylesr5.1.2/javascript/table.js
/castylesr5.1.2/javascript/timespinner.js
/castylesr5.1.2/javascript/tree.js
/castylesr5.1.2/javascript/uiform.js
/castylesr5.1.2/javascript/validators.js

Environment:
APM 10.3, any OS
Answer:

Threat1: Vulnerability Details - Cross-site scripting (DOM-based) 

Above mentioned vulnerability is false positive.
Found same vulnerability during our regular scan process. And the javascript which modified browser URL is actually removing malicious character to avoid XSS attack.


Threat 2: Vulnerability Details - Cookie without HttpOnly flag set 

URL doesn’t show set-cookie attribute in response header. Please see attached image, we can treat this as false positive.

httponly.png