Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
For
NeoGames
Version: 1.0
Date: 23 February 2015
Page 2 of 27
Version 1.0
COPYRIGHT NOTICE
Copyright 2015 by Comsec Consulting and NeoGames.
All rights reserved. No part of this document may be reprinted, reproduced, or transmitted, in any
form or manner, without the prior written consent of the copyright owner.
First published and distributed in February 2015.
DATE:
(Comsec Consulting)
APPROVED & ACCEPTED: _____________________ DATE:_____/_____/_____
(NeoGames)
Page 3 of 27
Version 1.0
Changes Record
Date
Author
Version
Change Reference
17- 02 -15
RR
0.9
23- 02 -15
LR
0.91
Review
23- 02 -15
RR
0.92
23- 02 -15
LR
0.93
Second Review
23-02-15
NS
1.00
Version 1.0
Approvals
Name
Department
Reviewers
Name
Department
Initials
Project Member
Initial
RR
LR
NS
Page 4 of 27
Version 1.0
TABLE OF CONTENTS
[1]
1.1.
1.2.
1.3.
1.4.
[2]
2.1.
2.2.
[3]
3.1.
3.2.
3.3.
3.4.
3.5.
3.6.
3.7.
3.8.
Page 5 of 27
Version 1.0
Page 6 of 27
Version 1.0
Risk Impact: The business damage the organization might suffer, if the breach was
exploited. The following considerations are taken into account when deciding on the impact
level:
Asset sensitivity The higher the sensitivity of the asset, the higher the damage might be.
Confidentiality, integrity and availability considerations The level of the potential damage is
defined based on the potential impact on each of the three Information Security
components. For each breach, three questions are posed:
a. What will be the damage regarding information confidentiality?
b. What will be the damage regarding information integrity?
c. What will be the damage regarding system availability?
Direct and indirect damages Direct damages relate to breaches that, if exploited, will cause
immediate damage to the organization. Indirect damages relate to breaches that, if
realized, are not sufficient for causing damage without taking additional steps.
Breaches that might cause direct damages receive higher impact levels.
Types of business damages Both financial damages and reputation damages are
considered when deciding on the risk impact level.
2.
Risk Probability: The probability that the breach will be realized. The following
considerations are taken into account when deciding on the probability level:
The level of knowledge required to exploit the breach.
The frequency of the breachs exploitation in reality (based on statistics and on Comsec
experience).
3.
Risk Level: The evaluation of the total risk level is based on the following stages:
a. Each breach is assigned both an impact level (low, medium, or high) and a
probability level (low, medium, or high), based on the considerations defined above.
b. The total risk level is calculated and presented based on the following matrix:
Page 7 of 27
Version 1.0
Low
Medium
High
Probability (1)
Probability (2)
Probability (3)
Low
Low
Low
(Risk level 1)
(Risk level 1)
(Risk level 1)
Medium impact
(2)
Low
Medium
High
(Risk level 1)
(Risk level 2)
(Risk level 3)
Medium
High
High
(Risk level 2)
(Risk level 3)
(Risk level 3)
The risk level will be the basis for defining the priorities and timetable for dealing with the different
breaches:
Low (Risk Level 1): Breaches that could be addressed within more than one year.
Initial Recommendations: An outline of the required measures to secure the detected breach and
avoid its risks. Estimated costs in terms of time and materials will be provided where relevant and
possible.
Page 8 of 27
Version 1.0
Page 9 of 27
Version 1.0
[2] Information
2.1. Objectives
The main objective of this project was to perform a security penetration test in order to identify
vulnerabilities on the application level that may expose NeoGames's systems and customers to
security risks. This was done by inspecting the application security controls from the perspective of
both an external attacker and a malicious user.
Other objectives include:
Detecting security breaches at the application level, which jeopardize NeoGames's systems,
and the data that is processed and/or stored in the system.
The system must provide secure, availaable, and reliable data for the customers. This document
will assist NeoGames in meeting the requirements, standards, and options that must be in place for
securing the tested applications.
Page 10 of 27
Version 1.0
Parameter tampering
Cookie poisoning
Buffer overflow
Forceful browsing
Third-party misconfigurations
Unauthorized browsing
Configuration subversion
Vendor-specific vulnerabilities
Session management
Input manipulation
Cryptography usage
Page 11 of 27
Version 1.0
Lobby
Vulnerability Description:
NeoGamess Lobby application includes Forgot Password mechanism which is based on username
in order to ensure that users information is protected against a malicious user. It is best practice to
implement a generic error messages mechanism at the case of authentication failure - Due to the
fact that by showing detailed error messages to the end user, about the application users, an
attacker can know if a user is valid or not.
However, NeoGamess Lobby application enables an attacker to gather information regarding valid
users. This includes information such as usernames via feedback messages generated by the
application.
Initial Recommendations:
At username failure, the application must return a generic error messages without the error reason.
For example:
Replay sent to the required email address.
The system should log any and all attempts to lock users.
Page 12 of 27
Version 1.0
Technical Details:
The following screenshot displays the error message that the application returns after entering the
wrong user name.
Page 13 of 27
Version 1.0
Lobby
Vulnerability Description:
The Lobby application implements a login and registration pages, where the user is required to
supply a valid user name and password to authenticate in the application. This is done to prevent
unauthorized users, who do not possess the password, from accessing sensitive and private data in
Lobby application.
Most common browsers, including Microsoft Internet Explorer and Firefox, allow the use of an autocomplete mechanism. This mechanism is used for the user's convenience by saving them the
information that will have to enter from time to time when using the application.
However, the auto-complete mechanism is also considered a security risk because if a malicious
user gains access to a legitimate user's local-end computer, he may be able to use the deposit
functionality without knowing the CVV.
During the security review it became clear that the Lobby application does not disable the autocomplete mechanism at the CVV input parameter.
Initial Recommendations:
Disable the auto-complete mechanism in the deposit form, specifically in the sensitive input text
boxes, by adding the attribute Autocomplete=Off to these sensitive form.
Page 14 of 27
Version 1.0
Technical Details:
The following screenshot shows that auto-complete mechanism is enabled in DEPOSIT page.
Page 15 of 27
Version 1.0
Lobby
BackOffice
Vulnerability Description:
The system is based on ASP.NET technology. This technology produces dynamic pages on the
server side and sends them to the user's browser. The Web page is saved user transmitted
character string representing the "page mode" (ViewState). This string contains some of the data
sent to and displayed in the browser and other data of the status page, and returned as a
parameter to the server when an operation by the user. This string is used for the server-side
components for maintaining the state of the data server-side controls.
Page 16 of 27
Version 1.0
Prevention change - can be set in ASP.NET add a signature (hash code) field on the
VIEWSTATE by setting the (attribute) EnableViewStateMAC system pages.
To do this we must add the following instruction:
<% @ Page EnableViewStateMAC = true%>
EnableViewStateMAC directive can be defined at any level of any page or app.
ASP.NET system will generate a hash code for any VIEWSTATE data that are sent to
the client side and compare it with the hash code which returns the server from the user.
If these data do not match, the request is rejected and the state of controls on the back
to its original state.
Define the signature using SHA1 algorithm in Machine.Config file in the Web server's
system - using the definition: <machineKey validation="SHA1">
Do not move in VIEWSTATE data used to identify the user. Test data should be performed on
the server side only.
Page 17 of 27
Version 1.0
Back Office: The following screenshot displays the parameter VIEWSTATE is not encrypted, but
only using BASE64 encoding.
Page 18 of 27
Version 1.0
BackOffice
Vulnerability Description:
After the initial authentication phase the General application identifies the end user by his private
session identifier.
The application stores the session identifier within client side cookies that are transmitted back and
forth between the customer's local end computer and NeoGames server.
During the audit, it was detected that the application sets a cookie without the "Secure" attributes.
Since this cookie does not contain the "Secure", it will be sent to the site during an unencrypted
session.
As the application sends some of the data through unencrypted this breach poses a real threat to
the users.
Initial Recommendations:
The secure attributes of all client-side cookies should be set in order to make sure they are only
sent over a secure channel (HTTPS).
Page 19 of 27
Version 1.0
Technical Details:
The following screenshot shows cookie that set by the BackOffice application without the Secure
attribute:
Page 20 of 27
Version 1.0
3.5. The System Does Not Inform the User of Last Login Time
Revealed In:
Lobby
Vulnerability Description:
It is a common security practice to inform each user who logs on to an application the time and date
of their previous connection. This is important to raise user awareness in case their account was
hijacked by attacker. For example, a user can log on to the application and notice that the previous
connection occurred during a time when they were unavailable and therefore the customer
becomes aware that a malicious attacker has taken over their account.
Initial Recommendations:
It is important that the application displays to the user the time and date of their last login to the
application as soon as they logs on. This will provide an additional layer of protection for the
customer.
Page 21 of 27
Version 1.0
Technical Details:
The following screenshot displays the home page of the application, where the user is not informed
on his last login time:
Page 22 of 27
Version 1.0
BackOffice
Vulnerability Description:
A common security practice is to prevent a customer from making a second login attempt from a
different workstation unless they had previously logged out of the system. However, NeoGames
enables multiple user login sessions to the Lobby and BackOffice applications, using the same
username and password. This could be carried out using one or more remote computers. The
system does not alert when such an event happens.
The multiple user login sessions can be initialized using the same username and password and
from different computers or IP Addresses. This fact might compromise a user's account due to the
fact that a user is unaware of other users that can be logged on to his account.
Initial Recommendations:
Consider disabling the possibility of multiple user login by checking (on the server side) if the
user is already logged on to the site and does not allow a second instance of the same user
with the same credentials to log into the system.
The system should track and audit any attempt to perform simultaneous logons using
different computers.
The system Administration and security personnel should be notified of such an event.
All proper alert/message should be displayed to the user in case of a double login attempt
Page 23 of 27
Version 1.0
Technical Details:
The following example shows a scenario where the user is logged in simultaneously from different
machines to the BackOffice Application:
Page 24 of 27
Version 1.0
BackOffice
Vulnerability Description:
Users of the NeoGames BackOffice are required to supply a username and password in order to
login to the application. This identification mechanism is used in order to ensure that only those who
possess the proper credentials are able to login to the application, while unauthorized users cannot.
Users who have forgotten or misplaced their password are not able to request that their password
be reset.
Initial Recommendations:
Consider adding a Forgot Password mechanism to the website.
:
Page 25 of 27
Version 1.0
Lobby
Vulnerability Description:
It is common practice not to reveal internal information about the servers and application
components to visitors of websites. This is important since visitors to the website have no need for
information regarding the type and version of servers. While this information is relevant to System
Administrators and developers, it can be used by malicious attackers to uncover security breaches
in the system.
During the security audit it was revealed that the system divulges information through the HTTP
responses within its headers. These headers reveal the servers type and version, thus making an
attackers job of infiltrating the system an easier task.
Initial Recommendations:
The application servers should be hardened so that they will not reveal any internal information to
the visitors of the web site.
Configure the web servers to remove the server-specific and version-specific headers.
Page 26 of 27
Version 1.0
Technical Details:
The following screenshot displays a detail about the type of response is sent from the server.
Page 27 of 27
Version 1.0