Penetration Testing Report
Report Date: September 12, 2019
LabFellows values customer and data security and strives to continually take every measure possible to protect data, implement industry-standard security protocols, and maintain a secure application. Penetration testing and vulnerability mitigation against OWASP standards are routinely performed to identify and mitigate vulnerabilities.
OWASP (Open Web Application Security Project) is a worldwide not-for-profit charitable organization focused on improving the security of software. Its OWASP Top Ten (2017 edition) lists the following categories of web application risk:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
We use this list to prioritize and direct our hardening efforts. The OWASP Zed Attack Proxy (ZAP) is used for penetration testing to analyze the application and identify security vulnerabilities.
Security Improvements
To harden our application and mitigate vulnerabilities, the following modifications have been made:
- Content Security Policy
A Content Security Policy (CSP) aids in the prevention of cross-site scripting by telling the browser which sources it may load scripts and other resources from, so a script injected from anywhere else is refused even if an injection flaw exists. Setting explicit script-src values lets us name the only origins from which JavaScript may be loaded.
- Helmet (https://helmetjs.github.io/docs/)
Helmet is a library that helps secure Express.js applications by setting various HTTP response headers. Helmet was used with its default settings, which set headers including:
- dnsPrefetchControl (X-DNS-Prefetch-Control: off, which controls browser DNS prefetching)
- frameguard (X-Frame-Options: SAMEORIGIN, to prevent clickjacking)
- noSniff (X-Content-Type-Options: nosniff, to keep browsers from sniffing the MIME type)
The defaults of the Helmet version current at the time also set Strict-Transport-Security, X-XSS-Protection and X-Download-Options, and remove the X-Powered-By header.
- Webpack Headers
The following headers were set in the Webpack devServer configuration (webpack.config.js). Headers configured here are sent only by the development server; production responses get their headers from the production web server and from Helmet.
    devServer: {
      headers: {
        'X-Frame-Options': 'sameorigin',       // refuse framing by other origins
        'X-Content-Type-Options': 'nosniff',   // disable MIME sniffing
        'X-XSS-Protection': '1',               // legacy browser XSS filter; '1; mode=block' is the usual recommended value
        'Access-Control-Allow-Origin': '*'     // lets any origin read responses; acceptable for the dev server only
      }
    }
Known Vulnerabilities
All high-priority findings raised directly against our application have been identified and resolved. The following unmitigated low/medium-priority findings were raised on responses served by third-party services that our application loads; their headers and policies are controlled by the vendor rather than by us. All of these libraries are maintained by trusted and reliable sources with robust security policies. These libraries are:
- Stripe [react-stripe-elements library]
- Conpass
- Google Fonts
- Heap Analytics
- Raven.js (Sentry error reporting)
CSP Scanner: Wildcard Directive (Medium)
Description: The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: frame-ancestors
Two alerts were raised against the Content-Security-Policy served by the following third party: Stripe. A permissive frame-ancestors is expected for a resource designed to be embedded in other sites' pages, so this is a vendor design choice rather than something our application can change.
CSP Scanner: script-src unsafe-inline (Medium)
One alert was raised against the Content-Security-Policy served by the following third party: Stripe.
CSP Scanner: style-src unsafe-inline (Medium)
Two alerts were raised against the Content-Security-Policy served by the following third party: Stripe.
X-Frame-Options Header Not Set (Medium)
Description: X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
Five alerts were raised on responses served by the following third parties: Stripe, Conpass, and Google Fonts.
Within our own application the X-Frame-Options header is set to same origin through the Webpack devServer settings, and Helmet's frameguard sets the same header on responses served by the Express application.
Cross-Domain JavaScript Source File Inclusion (Low)
Description: The page includes one or more script files from a third-party domain.
Two alerts were raised by the script tags that include the following libraries: Stripe and Conpass.
Where possible, Subresource Integrity (SRI) was applied by adding an integrity attribute to the script tags of external libraries that support it. SRI requires the script to be served unchanged at a fixed URL, because the browser refuses to execute a file whose hash no longer matches the attribute; within our app, Raven.js (for Sentry error reporting) offered this functionality.
Incomplete or No Cache-control and Pragma HTTP Header Set (Low)
Description: The Cache-Control and Pragma HTTP headers have not been set properly or are missing, allowing browsers and proxies to cache the content.
Eight alerts are associated with responses from the following third parties: Stripe, Conpass, and Google Fonts.
Web Browser XSS Protection Not Enabled (Low)
Description: Web browser XSS protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server. This header drives a legacy browser filter that current browsers have been removing; a Content Security Policy is the effective defence against XSS.
Five alerts are associated with responses from the following third parties: Stripe, Conpass, and Google Fonts.
X-Content-Type-Options Header Missing (Low)
Description: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
Ten alerts are associated with responses from the following third parties: Stripe, Raven.js, Heap Analytics, Conpass, and Google Fonts.
Loosely Scoped Cookie (Informational)
Description: Cookies can be scoped by domain or path. This check is only concerned with the domain scope. The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent or any subdomain of the parent.
One alert is associated with a cookie set by the following third party: Conpass.
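As an added example (not ZAP's code and not LabFellows'), the following Node.js script re-implements the checks behind the findings above as functions that can be run over any captured response headers, and applies them to two constructed header sets: the kind of set this report says the application serves (the webpack devServer headers plus a CSP), and a made-up third-party set written to trigger every check. It also inspects Set-Cookie lines for the loosely scoped cookie case. The header values, the host app.example.com and the cookie names are constructed; nothing here is a real vendor response. The Cache-Control test is a simplification of ZAP's rule (it demands no-store plus Pragma: no-cache).

```javascript
// Added example, not the report's code: re-implementation of the header checks listed above.
// All inputs below are constructed; none is a real third-party response.

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [directive, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (directive) policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Header names are case-insensitive and webpack allows numeric values, so normalise both.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value).trim();
  return out;
}

// Returns the names of the findings that apply, in the order the report lists them.
function auditHeaders(rawHeaders) {
  const h = normalize(rawHeaders);
  const findings = [];
  if (h['content-security-policy']) {
    const csp = parseCsp(h['content-security-policy']);
    // frame-ancestors does not fall back to default-src, so an absent directive counts as undefined.
    const ancestors = csp['frame-ancestors'];
    if (!ancestors || ancestors.includes('*')) findings.push('CSP: frame-ancestors wildcard or undefined');
    // script-src and style-src do fall back to default-src when absent.
    for (const dir of ['script-src', 'style-src']) {
      const effective = csp[dir] || csp['default-src'] || [];
      if (effective.includes("'unsafe-inline'")) findings.push(`CSP: ${dir} unsafe-inline`);
    }
  }
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!(xfo === 'DENY' || xfo === 'SAMEORIGIN' || xfo.startsWith('ALLOW-FROM '))) findings.push('X-Frame-Options header not set');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options header missing');
  if (!/^1\b/.test(h['x-xss-protection'] || '')) findings.push('X-XSS-Protection not enabled');
  // Simplified cache rule: the response must explicitly opt out of caching.
  const cacheControl = (h['cache-control'] || '').toLowerCase();
  if (!cacheControl.includes('no-store') || (h['pragma'] || '').toLowerCase() !== 'no-cache') findings.push('Cache-Control/Pragma incomplete');
  return findings;
}

// Cookies whose Domain attribute is a strict parent of the serving host are readable by every
// sibling subdomain; host-only cookies (no Domain attribute) are never flagged.
function looselyScopedCookies(host, setCookieValues) {
  const names = [];
  for (const line of setCookieValues) {
    const [pair, ...attrs] = line.split(';').map(s => s.trim());
    const domainAttr = attrs.find(a => a.toLowerCase().startsWith('domain='));
    if (!domainAttr) continue;
    const domain = domainAttr.slice('domain='.length).replace(/^\./, '').toLowerCase();
    const h = host.toLowerCase();
    if (domain !== h && h.endsWith('.' + domain)) names.push(pair.split('=')[0]);
  }
  return names;
}

// Constructed inputs: the application's own header set (webpack shape, numeric value included)
// and a third-party set written to trigger every check.
const APP_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' https://js.stripe.com; frame-ancestors 'self'",
  'X-Frame-Options': 'sameorigin',
  'X-Content-Type-Options': 'nosniff',
  'X-XSS-Protection': 1,
  'Cache-Control': 'no-store, no-cache, must-revalidate',
  'Pragma': 'no-cache',
};
const THIRD_PARTY_HEADERS = {
  'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'unsafe-inline'; frame-ancestors *",
  'cache-control': 'public, max-age=3600',
};
const SET_COOKIES = ['sid=abc123; Path=/; Secure; HttpOnly', 'onboarding=1; Domain=.example.com; Path=/'];

console.log('app:', auditHeaders(APP_HEADERS));
console.log('third party:', auditHeaders(THIRD_PARTY_HEADERS));
console.log('loosely scoped cookies:', looselyScopedCookies('app.example.com', SET_COOKIES));
```

Run against real captures by feeding each response's headers (for example from a ZAP export or `curl -i`) to auditHeaders; the third-party set here produces all seven findings, the application set none, and only the cookie carrying Domain=.example.com is reported as loosely scoped for app.example.com.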
References
- OWASP: https://www.owasp.org
- OWASP Cheat Sheet Series: https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets
- MDN CSP: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP