Security Fixes

1. Password value set in cookie

Removed cookies u and p.

2. Security Misconfiguration – Domain Administrator File Dump

https://devethosanalystlibrary.mercatoradvisorygroup.com/…/…/…/…/…/

Now gives an error.

3. ASP.NET ViewState Without MAC Enabled

Added in web.config:

<pages enableViewStateMac="true" viewStateEncryptionMode="Always" />

Note that since the September 2014 .NET Framework update (MS14-059) enableViewStateMac="false" is ignored, so the MAC is enforced on patched servers regardless; the explicit setting documents the intent and viewStateEncryptionMode="Always" additionally keeps ViewState contents from being read.

4. Cookie Without HttpOnly Flag Set

Added HttpOnly flag:
• ecm
• EktGUID
• EkAnalytics

5. Cross-Site Request Forgery

Enabled Single Sign-On (SSO). Removed the password reset page (settings.aspx) and removed it from the menu; it is not needed on this site.

6. Default Credentials Supported

Changed the password of the Ektron built-in administrator account (builtin).

7. Default Server Pages Present

https://devethosanalystlibrary.mercatoradvisorygroup.com/WorkArea/activateuser.aspx

Added additional authentication before access is granted.

8. Early TLS Enabled

Disabled TLS version 1.0 and 1.1

9. Frameable Response (Potential Clickjacking) Attack

Added in web.config:

<add name="X-Frame-Options" value="sameorigin" />

10. Information Leakage from Server Response

Removed –

Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET

11. Overly Verbose Error Message

Added –

  1. Generic Error message
  2. Custom Error Page.

https://devethosanalystlibrary.mercatoradvisorygroup.com/error.aspx?aspxerrorpath=/test.aspx

https://devethosanalystlibrary.mercatoradvisorygroup.com/WorkArea/reterror.aspx

12. SSL Cookie Without Secure Flag Set

Added in web.config:

<httpCookies sameSite="None" requireSSL="true" httpOnlyCookies="true" />

sameSite="None" is presumably needed so the session cookie is sent on the cross-site POST back from the IdP after SSO login, but it gives up the CSRF protection that Lax or Strict would provide, so the CSRF measures under item 5 remain necessary. Browsers only honour SameSite=None on cookies that are also Secure, which requireSSL="true" provides.

13. User Enumeration

Removed the "Error Authenticating User" message; a generic "Invalid username or password" message is returned instead.

14. Debugging is Enabled

Removed –

https://devethosanalystlibrary.mercatoradvisorygroup.com/test.aspx

15. Improper Session Timeout Configuration

Added a 15-minute session timeout: after 15 minutes of inactivity the user is logged out.

16. Insecure Direct Object Reference

Restricted access to site resources (PDF) without authentication.

https://devethosanalystlibrary.mercatoradvisorygroup.com/uploadedFiles/Merchant%20Services_2018_v4.pdf

17. Missing or Misconfigured Content-Security Policy

Added in web.config:

<add name="Content-Security-Policy" value="default-src * ; script-src * 'unsafe-inline' 'unsafe-eval'; img-src 'self' ssl.google-analytics.com; style-src * 'unsafe-inline';" />

This policy satisfies the "missing header" finding but does not restrict script execution: script-src * 'unsafe-inline' 'unsafe-eval' allows scripts from any origin, inline scripts and eval(), so it offers no protection against XSS. Only the img-src directive is restrictive. Tightening it (dropping the wildcards, 'unsafe-inline' and 'unsafe-eval') must be tested against the Ektron Admin Panel first.

18. Missing or Misconfigured Strict-Transport-Security Header

Added in web.config:

<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />

The value must not repeat the header name: a value of "Strict-Transport-Security max-age=31536000; includeSubDomains; preload" does not parse as a max-age directive, so browsers will not record the HSTS policy. Note also that includeSubDomains with preload commits every subdomain of mercatoradvisorygroup.com to HTTPS once the domain is submitted to the browser preload list, so confirm that all subdomains serve HTTPS before submitting.

19. Missing or Misconfigured X-Content-Type-Options Header

Added the header:

X-Content-Type-Options: nosniff

With nosniff the browser refuses to execute scripts or apply style sheets whose Content-Type is not the expected type, so breakage in the Admin Panel most likely points at resources served with a wrong or missing MIME type; correcting the MIME mapping keeps the header in place.

This change is creating issues in the Content tab of the Admin Panel; let us know if this change is not critical and we can revert it.

Will discuss with Karen.

20. Missing or Misconfigured X-Frame-Options Header

Added <add name="X-Frame-Options" value="sameorigin" /> (the same change as item 9).

21. No Logout Functionality

Added Logout Functionality.

22. No Password Reset Feature Provided

Enabled Single Sign-On (SSO). This functionality is not needed on this site.

23. Security Misconfiguration: Public WSDL Access

Disabled web services documentation.

24. Security Misconfiguration: Unauthenticated Access to Config File

Removed version.xml.

25. Stacktrace / Overly Verbose Error Message Displayed

26. URL Redirect Abuse

https://devethosanalystlibrary.mercatoradvisorygroup.com/Workarea/reterror.aspx?info=Please%20navigate%20to%20http://evilsite.com%20to%20continue

27. Vulnerable Version of the Library ‘jQuery’ Found

Upgraded jQuery to version 3.6.0, the latest release at the time.

28. Vulnerable Version of the Library ‘jQuery-UI’ Found

Upgraded jQuery-UI to version 1.12.1, the latest release at the time. Note that jQuery UI 1.13.0 later fixed XSS issues in the datepicker and position() options (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184), so the version should be rechecked on the next scan.


29. Weak Ciphers

Removed cipher suites that were not required.

30. Weak Session Management – Session not Invalidated

Implemented session invalidation.

31. Missing or Misconfigured X-XSS-Protection Header

Added in web.config:

<add name="X-XSS-Protection" value="1; mode=block" />

The separator is "=" ("1; mode-block" is not a valid value). Note that current Chrome, Edge and Firefox ignore this header entirely, so it only affects older browsers; Content-Security-Policy is the supported control.
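To verify items 9, 10, 12, 17, 18, 19, 20 and 31 after deployment, the following Python script (an added example, not part of this fix list or of the site's code) audits the headers of one HTTPS response. It takes the headers as a list of (name, value) pairs, so the output of any HTTP client can be fed in; the three sample header sets below are constructed, not captured from the site. AS_WRITTEN carries two easy-to-make mistakes in the configured values (the header name repeated inside the HSTS value, and "mode-block" instead of "mode=block") so the script demonstrates catching them, and the tightened CSP in CORRECTED uses hypothetical sources chosen only to exercise the check.

```python
import re

LEAKY_HEADERS = ("server", "x-aspnet-version", "x-powered-by")  # item 10
ONE_YEAR = 31536000


def _index(headers):
    """Case-insensitive lookup; repeated headers (Set-Cookie) keep every value."""
    out = {}
    for name, value in headers:
        out.setdefault(name.lower(), []).append(value)
    return out


def audit_cookie(set_cookie):
    """Findings for one Set-Cookie value (items 4 and 12)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {k.strip().lower(): v.strip().lower() for k, _, v in (p.partition("=") for p in parts[1:])}
    findings = []
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly")
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure")
    # Browsers discard SameSite=None cookies that are not also Secure.
    if attrs.get("samesite") == "none" and "secure" not in attrs:
        findings.append(f"cookie {name}: SameSite=None without Secure")
    return findings


def audit_headers(headers):
    """headers: list of (name, value) pairs from one HTTPS response; returns findings."""
    h = _index(headers)
    findings = [f"information leakage: {n} header present" for n in LEAKY_HEADERS if n in h]
    if h.get("x-frame-options", [""])[0].strip().lower() not in ("deny", "sameorigin"):
        findings.append("x-frame-options: missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", [""])[0].strip().lower() != "nosniff":
        findings.append("x-content-type-options: missing or not nosniff")
    # max-age must start a directive; pasting the header name into the value
    # ("Strict-Transport-Security max-age=...") turns it into an unknown directive.
    hsts = h.get("strict-transport-security", [""])[0]
    m = re.search(r"(?:^|;)\s*max-age=(\d+)", hsts, re.I)
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("strict-transport-security: missing, malformed or max-age < 1 year")
    # "1; mode=block" is the only non-zero form browsers ever understood.
    xss = h.get("x-xss-protection", [""])[0]
    if xss and not re.fullmatch(r"\s*(0|1(\s*;\s*mode=block)?)\s*", xss, re.I):
        findings.append("x-xss-protection: malformed value")
    csp = h.get("content-security-policy", [""])[0]
    if not csp.strip():
        findings.append("content-security-policy: missing")
    else:
        directives = {}
        for d in csp.split(";"):
            tokens = d.split()
            if tokens:
                directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
        script_src = directives.get("script-src", directives.get("default-src", []))
        loose = sorted({"*", "'unsafe-inline'", "'unsafe-eval'"} & set(script_src))
        if loose:
            findings.append("content-security-policy: script-src allows " + " ".join(loose))
    for raw in h.get("set-cookie", []):
        findings.extend(audit_cookie(raw))
    return findings


# Constructed samples, not captures from the site.
PRE_FIX = [  # before remediation, built from the findings in this list
    ("Server", "Microsoft-IIS/7.5"),
    ("X-AspNet-Version", "4.0.30319"),
    ("X-Powered-By", "ASP.NET"),
    ("Set-Cookie", "ecm=abc123; path=/"),
]
AS_WRITTEN = [  # configured values with two mistakes left in (HSTS value, mode-block)
    ("Set-Cookie", "ecm=abc123; path=/; Secure; HttpOnly; SameSite=None"),
    ("Strict-Transport-Security", "Strict-Transport-Security max-age=31536000; includeSubDomains; preload"),
    ("X-Frame-Options", "sameorigin"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode-block"),
    ("Content-Security-Policy", "default-src * ; script-src * 'unsafe-inline' 'unsafe-eval'; "
     "img-src 'self' ssl.google-analytics.com; style-src * 'unsafe-inline';"),
]
# Mistakes fixed, plus a CSP with no wildcard/inline/eval script (hypothetical
# sources; whether the Ektron UI works under it must be tested).
CORRECTED = [
    ("Set-Cookie", "ecm=abc123; path=/; Secure; HttpOnly; SameSite=None"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' ssl.google-analytics.com; "
     "img-src 'self' ssl.google-analytics.com; style-src 'self'"),
]

if __name__ == "__main__":
    for label, sample in (("pre-fix", PRE_FIX), ("as written", AS_WRITTEN), ("corrected", CORRECTED)):
        print(label + ":", audit_headers(sample) or ["OK"])
```

Run it against the live site by feeding audit_headers() the header list from a real response; an empty result means every item in this list that can be checked from a response is in place. The CSP check deliberately treats any of *, 'unsafe-inline' or 'unsafe-eval' in the effective script-src as a finding, because a policy that allows them blocks nothing an attacker would inject.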

32. Path-relative Style Sheet Import

33. Weak Session Management – Concurrent Sessions Allowed

Enabled Single Sign-On (SSO). Concurrent sessions are handled by the Identity Provider's session management.

34. Authentication in Alternative Channel

https://devethosanalystlibrary.mercatoradvisorygroup.com/

Removed access to the direct URL to ensure all users enter via the Portal.

35. No Password History Check

Enabled Single Sign-On (SSO). This functionality is not needed on this site.

36. Password Field with Autocomplete Enabled

Enabled Single Sign-On (SSO). This functionality is not needed on this site.

Single Sign On

We have configured the following IdP metadata:

https://ethos-idp.fisglobal.com/auth/realms/ethos-uat/protocol/saml/descriptor


SAML Attributes required –

Email
FirstName
LastName
Client


Client provisioning and user provisioning use the same SAML request. If the value of the Client attribute in the assertion does not match an existing Client in Ektron, a new Client is created automatically. Because a Client is created from whatever value the assertion carries, the site must accept only assertions signed by the IdP described in that metadata and should reject assertions with a missing or empty Client attribute.

ADMIN PANEL ACCESS

If the FIS team needs access to the Admin Panel, let us know.

We will either disable the Identity Provider redirect on the login page or disable the redirect for their IP addresses.

https://devethosanalystlibrary.mercatoradvisorygroup.com/login.aspx