Application Security and Its Importance

Password security has always been, and will remain, a source of trouble for organizations across the globe. A weak password management solution can damage a company's reputation in the eyes of its customers. Attackers today have easy access to capable hardware and modern techniques and are well placed to exploit any security vulnerability. A password management application offers considerable protection, but when the application itself contains vulnerabilities, it is a recipe for disaster unless the organization takes corrective action immediately.

We at ManageEngine ADSelfService Plus take the utmost care to iron out any vulnerability that arises in our product as soon as it is found. We prioritize password security above all and stay vigilant about issues related to it.

Here is a list of security vulnerabilities that we have identified in our product and the way in which we have fixed them.

Issues and fixes:

  • XSS vulnerabilities
  • CSRF Vulnerability
  • Cross Frame Scripting (XFS)/Clickjacking
  • Weak Cache Policy/Server Cache Policy
  • MIME sniffing
  • Cross Origin Resource Sharing (CORS)
  • Browser Auto-complete Issue
  • HTTPOnly and Secure Flag
  • SHA1WithRSA for CSR creation
  • jQuery migrated to new version to avoid Vulnerability
  • Session Fixation
  • HTTP Methods Blocking
  • SQL Injection through framework build
  • Weak SSL Cipher

Issue: XSS vulnerabilities

Cross-site scripting (XSS) is an attack in which an attacker injects script into the pages served by the target application. When a victim's browser renders such a page, the script runs within the application's origin, with access to that user's session and data, and without the user noticing.

Fix: Any user-supplied input that the application reflects in its output is encoded before display, so that it is rendered as text rather than executed as script. In addition, the X-XSS-Protection response header is set on every response; browsers that implement it use it to block reflected XSS. That header is a legacy, browser-specific filter that current browsers have largely removed, so output encoding remains the primary control.
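The following is an added example (not code from ADSelfService Plus) showing the "before" and "after" of output encoding, plus the pitfall that encoding is only correct for the context it was meant for. The two attacker inputs are constructed test strings; the probe uses Python's html.parser to see the page the way a browser would, counting extra script elements and on* event-handler attributes that the input managed to create.

```python
import html
from html.parser import HTMLParser

# Constructed attacker inputs (not real traffic): one closes the attribute
# and injects a tag, the other injects an event handler without any "<".
TAG_PAYLOAD = '"><script>alert(document.cookie)</script>'
HANDLER_PAYLOAD = "x onmouseover=alert(document.cookie)"


def render_vulnerable(display_name: str) -> str:
    """'Before': user input is interpolated into the page verbatim."""
    return f'<input name="user" value="{display_name}">'


def render_encoded(display_name: str) -> str:
    """'After': output is HTML-encoded for a quoted-attribute context.
    quote=True also encodes the quote characters, so the input cannot
    close the attribute it was placed in."""
    return f'<input name="user" value="{html.escape(display_name, quote=True)}">'


def render_unquoted(display_name: str) -> str:
    """Pitfall: encoding is context-specific. In an unquoted attribute a
    space ends the value, so encoding alone does not contain the input."""
    return f"<input name=user value={html.escape(display_name, quote=True)}>"


class _Probe(HTMLParser):
    """Parses a rendered fragment and records what a browser would see:
    extra <script> elements or on* event-handler attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.handlers += [name for name, _ in attrs if name.startswith("on")]


def injected(fragment: str) -> bool:
    """True if the input escaped its intended context and became active markup."""
    probe = _Probe()
    probe.feed(fragment)
    probe.close()
    return probe.script_tags > 0 or bool(probe.handlers)


if __name__ == "__main__":
    for renderer in (render_vulnerable, render_encoded, render_unquoted):
        for payload in (TAG_PAYLOAD, HANDLER_PAYLOAD):
            verdict = "INJECTED" if injected(renderer(payload)) else "safe"
            print(f"{renderer.__name__:18} {verdict:9} {renderer(payload)}")
```

The encoded, quoted-attribute form neutralises both payloads; the unquoted form is still broken by the handler payload even though every character that html.escape knows about was encoded, which is why the encoding must match the output context (HTML body, quoted attribute, JavaScript string, URL) and why attributes should always be quoted.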

Issue: CSRF Vulnerability

Cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

Fix: The application issues an anti-CSRF token to each session and includes it in every request that originates from its own pages. A state-changing request that does not carry the correct token for the session is rejected, so a request forged by another site, which cannot read the token, is not executed.

This fix has been released with ADSelfService Plus build 5300, released in May 2015.

Issue: Cross Frame Scripting (XFS)/Clickjacking

In a cross-frame scripting (XFS) attack, the attacker loads the target site in a frame on a page they control and exploits a browser bug to read private data from it. In the closely related clickjacking attack, the framed page is hidden or overlaid so that the user's clicks land on the framed application without their knowledge.

Fix: This vulnerability has been fixed by setting the X-Frame-Options response header to SAMEORIGIN. This prevents third-party sites from loading ADSelfService Plus in an iframe; only pages from the product's own origin may frame it.

Note: To enable this fix, open the file conf\security-params.xml from the installation folder and remove the # at the beginning of the X-Frame-Options line.

This issue has been fixed in ADSelfService Plus build 5300, released in May 2015.

Issue: Weak Cache Policy/Server Cache Policy

Even over HTTPS, sensitive pages can be exposed if copies are stored in a shared (proxy) cache or in the browser cache, where another user of the same machine or a later attacker can retrieve them.

Fix: Every page served by the product carries Cache-Control, Pragma and Expires response headers that instruct browsers and intermediary caches not to store the response.

Note: To enable this fix, open the file conf\security-params.xml from the installation folder and remove the # at the beginning of the corresponding line.

This issue has been fixed in ADSelfService Plus build 5300, released in May 2015.

Issue: MIME sniffing

Some browsers ignore the declared Content-Type of a response and guess the type from the content itself (MIME sniffing). An attacker who can get the application to serve content they control can craft it so that the browser treats it as HTML and runs the scripts embedded in it.

Fix: This vulnerability has been fixed by setting the X-Content-Type-Options response header to nosniff, which tells browsers to honour the declared Content-Type.

Note: To enable this fix, open the file conf\security-params.xml from the installation folder and remove the # at the beginning of the X-Content-Type-Options line.

This issue has been fixed in ADSelfService Plus build 5300, released in May 2015.

Issue: Cross Origin Resource Sharing (CORS)

Cross-origin resource sharing (CORS) is the mechanism by which a server tells browsers which other origins may read its responses. A permissive configuration, such as a wildcard Access-Control-Allow-Origin, lets a page on any domain request restricted resources and read the results, outside the domain from which the resource originated.

Fix: The Access-Control-Allow-Origin response header is set to the product's own domain name rather than a wildcard, so browsers refuse cross-origin reads from other sites.

This issue has been fixed in ADSelfService Plus build 5300, released in May 2015.

Issue: Browser Auto-complete Issue

Browsers offer to remember credentials typed into login forms and fill them in automatically on the next visit. On a shared or compromised machine, the saved credentials of users and administrators are then available to whoever uses that browser next.

Fix: The autocomplete attribute of every password field is set to off. Current browsers ignore autocomplete=off on login fields in favour of their own password managers, so treat this as defence in depth rather than a guarantee.

This issue has been fixed in ADSelfService Plus build 5300, released in May 2015.

Issue: HTTPOnly and Secure Flag

A session cookie that is not marked Secure is sent over plaintext HTTP as well as HTTPS, where a man-in-the-middle attacker can read or modify the traffic and capture the cookie. A cookie that is not marked HttpOnly can be read by script running in the page, which turns any XSS bug into session theft.

Fix: The authentication cookie is set with the HttpOnly and Secure flags. With HttpOnly, document.cookie returns an empty string for that cookie, so injected script cannot read it; with Secure, the browser sends it only over HTTPS, so a network attacker intercepts nothing useful.

Note: HTTPS has to be enabled for the Secure flag to be set on the authentication cookie; a Secure cookie is never sent back over plain HTTP.

This issue has been fixed in ADSelfService Plus build 5300, released in May 2015.
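The header-based fixes above (X-Frame-Options, cache headers, X-Content-Type-Options, Access-Control-Allow-Origin, and the cookie flags) are all things a practitioner should verify on a live response after enabling them in security-params.xml. The audit below is an added example, not vendor code: it takes a captured response header list and reports each missing or permissive hardening header. The two header sets are constructed samples standing in for a "before" and "after" response, and the session cookie name JSESSIONID is assumed (it is Tomcat's default; the page does not name the product's cookie).

```python
from typing import List, Tuple

Headers = List[Tuple[str, str]]  # (name, value) pairs as read off the wire


def _get(headers: Headers, name: str) -> List[str]:
    """All values of a header, compared case-insensitively (RFC 7230)."""
    return [v for n, v in headers if n.lower() == name.lower()]


def audit_headers(headers: Headers, session_cookie: str = "JSESSIONID") -> List[str]:
    """Return one finding per missing or permissive hardening header."""
    findings = []

    xfo = _get(headers, "X-Frame-Options")
    if not xfo or xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive (XFS/clickjacking)")

    xcto = _get(headers, "X-Content-Type-Options")
    if not xcto or xcto[0].strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing (MIME sniffing)")

    cache = ",".join(_get(headers, "Cache-Control")).lower()
    if "no-store" not in cache:
        findings.append("Cache-Control lacks no-store (sensitive page may be cached)")

    if any(v.strip() == "*" for v in _get(headers, "Access-Control-Allow-Origin")):
        findings.append("Access-Control-Allow-Origin: * (any origin may read responses)")

    if not _get(headers, "X-XSS-Protection"):
        findings.append("X-XSS-Protection not set (legacy filter; secondary to output encoding)")

    for cookie in _get(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        if name != session_cookie:
            continue
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"{name} cookie lacks HttpOnly (readable via document.cookie)")
        if "secure" not in attrs:
            findings.append(f"{name} cookie lacks Secure (sent over plaintext HTTP)")

    return findings


# Constructed sample responses, not captured from a real deployment.
BEFORE: Headers = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=2F1A9C0E; Path=/"),
    ("Access-Control-Allow-Origin", "*"),
]
AFTER: Headers = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Cache-Control", "no-cache, no-store, must-revalidate"),  # assumed values
    ("Pragma", "no-cache"),
    ("Expires", "0"),
    ("Access-Control-Allow-Origin", "https://selfservice.example.com"),  # assumed host
    ("Set-Cookie", "JSESSIONID=2F1A9C0E; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {len(audit_headers(hdrs))} finding(s)")
        for f in audit_headers(hdrs):
            print("  -", f)
```

To run it against a real server, feed it the header lines from an HTTPS response to an authenticated page (the login response is the one that carries Set-Cookie). The Cache-Control values and the allowed origin in the "after" sample are assumptions; the page states which headers are set, not their exact values.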

Issue: SHA1WithRSA for CSR creation

SHA1withRSA is a signature algorithm (an RSA signature over a SHA-1 digest), not an encryption algorithm. SHA-1 is no longer considered collision-resistant, and publicly trusted certificate authorities no longer issue certificates signed with it.

Fix: CSR creation now uses SHA256withRSA as the signature algorithm. The algorithm actually used can be confirmed by inspecting the Signature Algorithm field of the generated CSR.

This issue has been fixed in ADSelfService Plus build 5300, released in May 2015.

Issue: jQuery migrated to new version to avoid Vulnerability

The bundled jQuery v1.4 had known security vulnerabilities.

Fix: Migrating to jQuery v1.8 fixed those vulnerabilities.

This issue has been fixed in ADSelfService Plus build 5300, released in May 2015.

Issue: Session Fixation

Session fixation is an attack in which the attacker plants a session ID of their choosing in the victim's browser, for example through a crafted hyperlink or a cookie, waits for the victim to log in under that ID, and then uses the same ID to take over the authenticated session.

Fix: Tomcat's session management uses a fresh, random session ID for each session and renews it at login, so an ID the attacker planted before authentication is not carried into the authenticated session. Additionally, ADSelfService Plus never adds the session ID to hyperlinks within the product. Stealing the session cookie itself would require an XSS attack, which the output encoding described above guards against.

This issue has been fixed in ADSelfService Plus build 5300, released in May 2015.
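The CSRF and session fixation fixes above both hinge on how the server manages its session state, so here is one added example (not product code) that shows both: a minimal in-memory session store that rotates the session ID at login and binds a per-session anti-CSRF token, and a state-changing handler that refuses requests without the right token. Session IDs and tokens come from the secrets module; the handler name and form field name are assumptions for the illustration.

```python
import hmac
import secrets
from typing import Dict, Optional


class SessionStore:
    """In-memory sessions: sid -> {"user": str | None, "csrf": str}."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def _fresh() -> dict:
        return {"user": None, "csrf": secrets.token_urlsafe(32)}

    def create(self) -> str:
        """Anonymous session, e.g. when the login page is first served."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = self._fresh()
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate and ROTATE the session ID. The pre-login ID is
        discarded, so a fixed ID never becomes an authenticated one."""
        if self._sessions.pop(sid, None) is None:
            raise KeyError("unknown session")
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {**self._fresh(), "user": user}
        return new_sid

    def user(self, sid: str) -> Optional[str]:
        session = self._sessions.get(sid)
        return session["user"] if session else None

    def csrf_token(self, sid: str) -> str:
        """Token to embed in the session's own forms/requests."""
        return self._sessions[sid]["csrf"]

    def verify_csrf(self, sid: str, submitted: Optional[str]) -> bool:
        session = self._sessions.get(sid)
        if session is None or submitted is None:
            return False
        # Constant-time comparison: do not leak the token byte by byte.
        return hmac.compare_digest(session["csrf"], submitted)


def handle_change_password(store: SessionStore, sid: str, form: dict) -> int:
    """Hypothetical state-changing endpoint; returns an HTTP status code.
    Requires an authenticated session AND the matching anti-CSRF token."""
    if store.user(sid) is None:
        return 401
    if not store.verify_csrf(sid, form.get("csrf_token")):
        return 403
    return 200


if __name__ == "__main__":
    store = SessionStore()
    planted = store.create()               # ID the attacker knows/plants
    authed = store.login(planted, "alice")  # victim logs in under it
    print("rotated:", planted != authed, "| planted still valid:", store.user(planted) is not None)
    print("forged request:", handle_change_password(store, authed, {}))
    print("genuine request:", handle_change_password(store, authed, {"csrf_token": store.csrf_token(authed)}))
```

A forging site cannot obtain the token because it cannot read the victim's pages (same-origin policy), so its request arrives without it and is rejected; the planted session ID is worthless to the attacker after login because it no longer maps to any session.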

Issue: HTTP Methods Blocking

HTTP methods such as HEAD, DELETE, PUT, OPTIONS and CONNECT are not used by the product. Leaving unused methods enabled gives an attacker additional request types to probe and, for methods like PUT and DELETE, a potential way to write or remove content on the server.

Fix: ADSelfService Plus blocks all HTTP methods that the product does not use. When reproducing this on another deployment, allow only the methods the application needs rather than enumerating methods to block, so that unexpected or non-standard methods do not slip through.

This issue has been fixed in ADSelfService Plus build 5300, released in May 2015.

Issue: SQL Injection through framework build

SQL injection is a web application vulnerability in which an attacker submits input that is incorporated into a database SQL command and executed by the application, exposing or altering the back-end database.

Fix: All database operations are handled through our internal data-access framework rather than hand-built queries, which keeps user input from becoming part of the SQL statement.
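As an added example (not the product's framework), the block below shows the standard mechanism a data-access layer uses to make injection impossible: parameterized statements, where the query text is fixed and values are bound separately. It runs against an in-memory SQLite table of constructed sample rows and contrasts the concatenated "before" query with the bound "after" query on the same attacker input.

```python
import sqlite3
from typing import List

# Constructed attacker input: closes the string literal and appends a
# tautology so the WHERE clause matches every row.
PAYLOAD = "nobody' OR '1'='1"


def seed_db() -> sqlite3.Connection:
    """In-memory sample table (constructed data, not product data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, mail TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """'Before': SQL assembled by concatenation. Whatever the user typed
    becomes part of the statement's grammar, not just its data."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[str]:
    """'After': the statement is fixed; the value is bound by the driver
    and can never change the statement's structure."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    conn = seed_db()
    print("vulnerable   :", lookup_vulnerable(conn, PAYLOAD))     # every row
    print("parameterized:", lookup_parameterized(conn, PAYLOAD))  # no such user
    print("parameterized:", lookup_parameterized(conn, "alice"))
```

The parameterized lookup treats the whole payload, quote and all, as one username that does not exist, which is exactly the property a data-access framework should guarantee for every query it builds.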

Issue: Weak SSL Cipher

The TLS/SSL configuration allowed weak cipher suites to be negotiated.

Fix:

To fix this issue while retaining broad browser compatibility, enable only these cipher suites (Mozilla recommendations):

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  • TLS_RSA_WITH_AES_128_CBC_SHA256,
  • TLS_RSA_WITH_AES_128_CBC_SHA,
  • TLS_RSA_WITH_AES_256_CBC_SHA256,
  • TLS_RSA_WITH_AES_256_CBC_SHA

For stronger security at the cost of some browser compatibility, enable only these cipher suites (OWASP recommendations):

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
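Both lists above are 2015-era. Before copying either into a current deployment it is worth classifying each suite by key exchange, cipher mode and MAC, which is what this added example does (it is not vendor code; the lists are copied from this page). It flags suites with no forward secrecy (static RSA or static ECDH key exchange, where one long-term key compromise decrypts past traffic), CBC suites (MAC-then-encrypt rather than AEAD) and SHA-1 HMACs. The compatibility list contains four TLS_RSA_* suites and the OWASP list contains static TLS_ECDH_* suites, none of which provide forward secrecy; today the ECDHE suites with GCM are the ones to keep.

```python
import re
from typing import Dict, List

# Cipher suite lists exactly as printed on this page.
COMPATIBLE = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
]
STRONG = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
]

# TLS_<key exchange/auth>_WITH_<cipher>_<hash>; the non-greedy groups stop at
# the first "_WITH_" and leave the trailing hash for the last group.
_SUITE = re.compile(r"TLS_([A-Z0-9_]+?)_WITH_([A-Z0-9_]+?)_(SHA256|SHA384|SHA)")


def assess_suite(name: str) -> List[str]:
    """Weaknesses of one IANA-style suite name; empty list means none flagged."""
    match = _SUITE.fullmatch(name)
    if not match:
        return ["unrecognised suite name"]
    kx, cipher, mac = match.groups()
    issues = []
    if not (kx.startswith("ECDHE_") or kx.startswith("DHE_")):
        issues.append("no forward secrecy")          # static RSA or static (EC)DH
    if "_CBC" in cipher:
        issues.append("CBC mode, MAC-then-encrypt")  # prefer AEAD (GCM)
    if mac == "SHA":
        issues.append("SHA-1 HMAC")
    return issues


def weak_suites(names: List[str]) -> Dict[str, List[str]]:
    """Suites with at least one flagged weakness."""
    return {n: assess_suite(n) for n in names if assess_suite(n)}


def forward_secret(names: List[str]) -> List[str]:
    """Suites whose key exchange is ephemeral (EC)DH."""
    return [n for n in names if "no forward secrecy" not in assess_suite(n)]


if __name__ == "__main__":
    for label, suites in (("compatible", COMPATIBLE), ("strong", STRONG)):
        clean = [s for s in suites if not assess_suite(s)]
        print(f"{label}: {len(forward_secret(suites))}/{len(suites)} forward-secret, "
              f"{len(clean)} without any flag")
        for suite, issues in weak_suites(suites).items():
            print(f"  {suite}: {', '.join(issues)}")
```

Running it shows that only four suites in the stronger list (the ECDHE GCM ones) come through unflagged and that every suite in the compatibility list is CBC-based; that is the trade-off the two lists represent, made explicit.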

We have always valued our customers' security concerns above all else and resolve vulnerabilities as soon as we find them. We assure you that we will continue to do so and provide a password management solution that is as free of vulnerabilities as possible. If you find a vulnerability in our product that you feel we haven't addressed yet, please contact us at support@adselfserviceplus.com
