Security improvements suggestions


Here are some security improvements suggested to be implemented:

*It was observed that application is allowing an user to reuse the old password. Application should not allow to reuse the old password for specifc period while using the change password functionality

*It was observed that application is vulnerable to frame injection attack where an attack enables the malicious user to load arbitrary code in the browser. This attack is caused by the browser not checking the destination of the resulting frame, therefore allowing arbitrary code such as JavaScript or VBScript.To defend against clickjacking add X-FRAME header option in HTTP header response with ‘SAME ORIGIN’ or ‘DENY’ or set X-Frame-Options: ALLOW-FROM and another one is Frame busting. Using frame busting you “bust” or break out of any containing iframe automatically.
*It was observed that sensitive information like username is transmitting in a cleartext format with the cookie. Use the strong encryption technique to encrypt the sensitive information sending through cookie if required else remove sensitive information like username from cookie.
*During the course of the audit it was identified that the password complexity not implemented or enforced strictly towards application. It was observed that application password is very weak and easily gussable.The application should ensure that:

  1. Password history should be maintained.
  2. Password should contain alphanumeric characters and special characters as well.
  3. Length of Password should be greater than or equal to 8 digits. 3. Password should not be same as userid.

*Session timeout is not set in the application
*Through “Reset Functionlity” feature available in the application, email flodding attacks could be possible.


Another suggestion:

If an application is configured for “Autocomplete settings/Remember Passwords” to remember the username and password, then every time a user logs in to the application, the browser asks the user to remember the password. If the user had accidentally or intentionally clicked “Yes”, a local adversary can log in with the “remembered” password of the previous user. The browser stores the saved password either as cleartext or in a form that is easily reversible by an adversary.

The password auto-complete should be disabled in sensitive fields. Follow the steps to mitigate the autocomplete feature :
1. “For an input field in a form”
2.“For all the input field in a form”

Use strong hasing technique with salting for sensitive fields so even if user stores the password=hash(password+salt) in browser the same password=hash(password+salt) value will be rejected by the server next time when user tries to login with the stored credentials.As every time new password=hash(password salt) string will be generated and validated to authenticate the user.