The penetration test concentrated on the following vital aspects:

• Overall SSL/TLS configuration as well as the offered encryption methods and lengths
• Checking for world-writable and world-readable critical files and folders.
  World-writable and world-readable files and folders can be a serious
  security issue. An attacker could add or modify files and by this
  compromise the security of the service and system or could access
  sensitive data with normal user privileges. It could also be possible
  that an attacker can access these files through another vulnerable
  service or system component
• Checking database configuration, files.
  Assessing if the product securely stores the sensitive data,
  correctness of database configuration and and public or open database
  accounts.
• Checking log files – Analyzing if the log files contain sensitive data such as usernames, passwords
• Checking client plugins and addons – Analyzing the possible security issues due to client plugins and addons used in the product
• File upload checks – File
  uploads are common in today’s web applications. These are often used to
  provide users with an option to attach various files in the application.
  Insufficient server-side checks can be a serious security issue, as an
  attacker could upload malicious files like HTML or Javascript or could
  place other files outside the application root.
• Checking forgot password function
  – Checking if the forgot password function had been properly
  implemented and if it introduces any flaw in the authentication scheme
• Checking cookie attributes
  – The use of session cookies is the most common method for storing
  authentication information for a defined period a session after
  successful authentication. It is therefor crucial that these are
  protected with correct HTTP flags.
• Cross site request forgery (CSRF)
  – CSRF is an attack which forces an end user to execute unwanted
  actions on a web application in which he/she is currently authenticated.
  With a little help of social engineering (like sending a link via
  email/chat), an attacker may force the users of a web application to
  execute actions of the attacker’s choosing. A successful CSRF exploit
  can compromise end user data and operation in case of normal user. If
  the targeted end user is the administrator account, it can compromise
  the entire web application. This test checks such CSRF flaws in the
  application.
• Cross-site scripting (Type 1 XSS – Reflected cross-site scripting and Type 2 – Persistent cross-site scripting)
  – Cross-site scripting (XSS) attacks occur when an attacker uses a web
  application to send malicious code, generally in the form of a browser
  side script, to a different end user. Reflected attacks are those where
  the injected code is reflected off the web server, such as in an error
  message, search result, or any other response that includes some or all
  of the input sent to the server as part of the request. Persistent
  attacks are those where the injected code is permanently stored on the
  target servers, such as in a database, in a message forum, visitor log,
  comment field, etc. In this test, the application was thoroughly checked
  for such stored script vulnerabilities to disclose erroneous or
  incomplete protection measurements.
• Checking for old software versions and its known vulnerabilities. Old or non-patched software often is a serious security issue. Through
  a vulnerability, even an inexperienced attacker (‘script kiddie’) could
  gain root privileges or could harm the system in many any other ways,
  e.g. by executing a denial of service (DoS) attack, manipulate files and
  other

Bala




ManageEngine Password Manager Pro

Quick Video

|

Free Trial Download

|

White Papers

|

Success Stories

You Can Learn More About the ManageEngine Product Line By Going to manageengine.optrics.com

The original article/video can be found at Password Manager Pro offers rock solid security, reveals penetration test by Seibert Media