ed
Nov 21, 2017 2:21:01 PM

Syncrify failing PCI compliance scan

PCI compliance scan failing on my Syncrify server port for 2 reasons -

1) Clickjacking Vulnerability &

2) Web Server Transmits Cleartext Credentials.

Anything I can do to mitigate these vulnerabilities/ will Syncrify be updated to mitigate these? Any help is appreciated.


Thank you 



Synametrics support engineer
Nov 21, 2017 3:08:57 PM

Syncrify failing PCI compliance scan

Ed,

Could you please send us the report via email? This will help us narrow down the area where this is occurring.

As far as cleartext credentials go, are you using HTTPS?

Imran



Anonymous
Nov 21, 2017 6:59:16 PM

Syncrify failing PCI compliance scan

in all content responses. This could potentially expose the site to a clickjacking or UI redress attack, in which an attacker can trick a user into clicking an area of the vulnerable page that is different than what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions. X-Frame-Options has been proposed by Microsoft as a way to mitigate clickjacking attacks and is currently supported by all major browser vendors. Content-Security-Policy (CSP) has been proposed by the W3C Web Application Security Working Group, with increasing support among all major browser vendors, as a way to mitigate clickjacking and other attacks. The 'frame-ancestors' policy directive restricts which sources can embed the protected resource. Note that while the X-Frame-Options and Content-Security-Policy response headers are not the only mitigations for clickjacking, they are currently the most reliable methods that can be detected through automation. Therefore, this plugin may produce false positives if other mitigation strategies (e.g., frame-busting JavaScript) are deployed or if the page does not perform any security-sensitive transactions.

See also:
http://www.nessus.org/u?399b1f56
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
https://en.wikipedia.org/wiki/Clickjacking

Resolution:

Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response. This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags.



Synametrics support engineer
Nov 21, 2017 9:18:47 PM

Syncrify failing PCI compliance scan

Ed,

Syncrify does add the X-Frame-Options header. This was added in build 943. See http://web.synametrics.com/SyncrifyVersionHistory.htm

The reason you're getting this warning is that the test is being done on the root of the server instead of the /app path. Assume your Syncrify is running on http://192.168.2.16:5800. Instead of running the test on this URL, run it on http://192.168.2.16:5800/app (with /app at the end).

When someone tries to connect to root, Syncrify will redirect the client to /app. No application runs on root.

The easiest way to confirm whether Syncrify is returning the correct headers is to run the netcat utility from a Linux or Mac machine against a Syncrify server. I ran the following two commands with two different results:

Test #1 - on root

nc 192.168.2.16 5800
GET / HTTP/1.0

Results:

HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"234-1222253886000"
Last-Modified: Wed, 24 Sep 2008 10:58:06 GMT
Content-Type: text/html
Content-Length: 234
Date: Wed, 22 Nov 2017 02:03:23 GMT
Connection: close
Server: Synametrics Web Server v7


Test #2 - on /app

nc 192.168.2.16 5800
GET /app HTTP/1.0

Results:

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=FC5211B6AC4A2FDA5F1B21D69A512B36; Path=/; HttpOnly
x-frame-options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 5664
Date: Wed, 22 Nov 2017 02:04:26 GMT
Connection: close
Server: Synametrics Web Server v7


The second test returns some additional headers that were not returned by the first test. X-Frame-Options was one of them.
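Added example, not Synametrics or Syncrify code: a small Python checker that does what the two netcat tests above do by hand and then applies the test the scanner plugin quoted earlier in this thread describes (an X-Frame-Options header, or a Content-Security-Policy header carrying a frame-ancestors directive). The three sample responses are constructed from the transcripts above with bodies dropped and the session cookie value replaced; the fetch_headers function, the command-line usage and the host/port are assumptions. As the plugin text says, a response with neither header is a scanner finding, not proof that the page is exploitable.

```python
"""Check HTTP responses for the clickjacking mitigations a PCI scanner looks for."""
import http.client
import sys
from urllib.parse import urlsplit

# Constructed sample modelled on Test #1 (root): no framing protection header.
ROOT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 234\r\n"
    "Server: Synametrics Web Server v7\r\n"
    "\r\n"
)

# Constructed sample modelled on Test #2 (/app): X-Frame-Options present.
APP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=placeholder; Path=/; HttpOnly\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\n"
    "\r\n"
)

# Constructed sample: the other mitigation the plugin accepts, CSP frame-ancestors.
CSP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, {lower-name: [values]})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])  # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise to lower case
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def frame_ancestors(csp):
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def clickjacking_protection(headers):
    """Report which scanner-recognised mitigation is present in a header dict."""
    protected, reasons = False, []
    for value in headers.get("x-frame-options", []):
        v = value.upper()
        if v in ("DENY", "SAMEORIGIN"):
            protected = True
            reasons.append("X-Frame-Options: " + v)
        else:  # e.g. ALLOW-FROM, which current browsers ignore
            reasons.append("X-Frame-Options value %r is not honoured by browsers" % value)
    for value in headers.get("content-security-policy", []):
        sources = frame_ancestors(value)
        if sources is None:
            continue
        if sources == ["*"]:
            reasons.append("CSP frame-ancestors * permits any embedder")
        else:
            protected = True
            reasons.append("CSP frame-ancestors " + " ".join(sources))
    if not reasons:
        reasons.append("no X-Frame-Options or CSP frame-ancestors header")
    return {"protected": protected, "reasons": reasons}


def fetch_headers(url, timeout=5):
    """GET a URL the way the netcat test does and return (status, headers, location).

    A Location header is the signal that the scanner should be pointed at the
    redirect target (such as /app) rather than at the root path.
    """
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        headers = {}
        for name, value in resp.getheaders():
            headers.setdefault(name.lower(), []).append(value)
        return resp.status, headers, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python check.py http://192.168.2.16:5800/ http://192.168.2.16:5800/app
        for url in sys.argv[1:]:
            status, headers, location = fetch_headers(url)
            print(url, status, location or "-", clickjacking_protection(headers))
    else:  # no arguments: evaluate the constructed samples offline
        for label, raw in (("/", ROOT_RESPONSE), ("/app", APP_RESPONSE), ("csp", CSP_RESPONSE)):
            status, headers = parse_response(raw)
            print(label, status, clickjacking_protection(headers))
```

Run it against both the root URL and the /app URL of your own server; the root response should come back without either header (matching Test #1) while /app should report X-Frame-Options: SAMEORIGIN, which is what the scanner needs to see when it is pointed at the right path.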
