goes without saying – software products operating in the IT Security
space should offer rock solid security. These products should be devoid of
holes and vulnerabilities; otherwise, they will prove to be haven for
hackers and malicious insiders.
With increasing security threats
to mission-critical network IT resources and serious legal consequences
of information mis-management, IT security products are required not
just to ensure extreme levels of security, but also demonstrate and reassure that
the products are indeed secure. One of the best ways to do this is to subject the product to a detailed evaluation by a professional, neutral, third-party
Password Manager Pro was subjected to the rigorous penetration test process by Seibert Media,
a leading professional agency to test the security aspects. The
product has passed the test and Seibert Media has certified that
Password Manager Pro is a secure software.
The penetration test concentrated on the following vital aspects:
- Overall SSL/TLS configuration as well as the offered encryption methods and lengths
- Checking for world-writable and world-readable critical files and folders.
World-writable and world-readable files and folders can be a serious
security issue. An attacker could add or modify files and by this
compromise the security of the service and system or could access
sensitive data with normal user privileges. It could also be possible
that an attacker can access these files through another vulnerable
service or system component
- Checking database configuration, files.
Assessing if the product securely stores the sensitive data,
correctness of database configuration and and public or open database
- Checking log files – Analyzing if the log files contain sensitive data such as usernames, passwords
- Checking client plugins and addons – Analyzing the possible security issues due to client plugins and addons used in the product
- File upload checks – File
uploads are common in today’s web applications. These are often used to
provide users with an option to attach various files in the application.
Insufficient server-side checks can be a serious security issue, as an
place other files outside the application root.
- Checking forgot password function
– Checking if the forgot password function had been properly
implemented and if it introduces any flaw in the authentication scheme
- Checking cookie attributes
– The use of session cookies is the most common method for storing
authentication information for a defined period a session after
successful authentication. It is therefor crucial that these are
protected with correct HTTP flags.
- Cross site request forgery (CSRF)
– CSRF is an attack which forces an end user to execute unwanted
actions on a web application in which he/she is currently authenticated.
With a little help of social engineering (like sending a link via
email/chat), an attacker may force the users of a web application to
execute actions of the attacker’s choosing. A successful CSRF exploit
can compromise end user data and operation in case of normal user. If
the targeted end user is the administrator account, it can compromise
the entire web application. This test checks such CSRF flaws in the
- Cross-site scripting (Type 1 XSS – Reflected cross-site scripting and Type 2 – Persistent cross-site scripting)
– Cross-site scripting (XSS) attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser
side script, to a different end user. Reflected attacks are those where
the injected code is reflected off the web server, such as in an error
message, search result, or any other response that includes some or all
of the input sent to the server as part of the request. Persistent
attacks are those where the injected code is permanently stored on the
target servers, such as in a database, in a message forum, visitor log,
comment field, etc. In this test, the application was thoroughly checked
for such stored script vulnerabilities to disclose erroneous or
incomplete protection measurements.
- Checking for old software versions and its known vulnerabilities. Old or non-patched software often is a serious security issue. Through
a vulnerability, even an inexperienced attacker (‘script kiddie’) could
gain root privileges or could harm the system in many any other ways,
e.g. by executing a denial of service (DoS) attack, manipulate files and
stringent tests. Seibert Media has certified that Password Manager Pro
is very secure.
Ensuring security is not a one-time process, but an ongoing activity. We
understand this fact and have taken all steps to ensure security always
and at all levels.
The original article/video can be found at Password Manager Pro offers rock solid security, reveals penetration test by Seibert Media