We at CRMJetty understand the value of data and information security and henceforth we have taken all required conservative steps to ensure best security parameters for our CRMJetty Portal Solution.
In Highlights, we are ISO certified organization for Information Security (ISO 27001) and Quality (ISO 9001), yet to share you the security measures in detail, please find them as below:
Security Checklist | Description/Solution |
---|---|
Path Traversal |
Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When performing input validation, consider all potentially relevant properties, including length, input type, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as “red” or “blue.” For filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single “.” character in the filename to avoid weaknesses, and exclude directory separators such as “/”. Use a whitelist of allowable file extensions. Warning: if you attempt to cleanse your data, then do so that the end result is not in the form that can be dangerous. A sanitizing mechanism can remove characters such as ‘.’ and ‘;’ which may be required for some exploits. An attacker can try to fool the sanitizing mechanism into “cleaning” data into a dangerous form. Suppose the attacker injects a ‘.’ inside a filename (e.g. “sensi.tiveFile”) and the sanitizing mechanism removes the character resulting in the valid filename, “sensitiveFile”. If the input data are now assumed to be safe, then the file may be compromised. Inputs should be decoded and canonicalized to the application’s current internal representation before being validated. Make sure that your application does not decode the same input twice. Such errors could be used to bypass whitelist schemes by introducing dangerous inputs after they have been checked. Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes “..” sequences and symbolic links. Run your code using the lowest privileges that are required to accomplish the necessary tasks. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. Run your code in a “jail” or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by your software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows you to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. |
Cross Site Scripting |
Phase: Architecture and Design Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft’s Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket. Phases: Implementation; Architecture and Design For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed. Phase: Architecture and Design If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Phase: Implementation To help mitigate XSS attacks against the user’s session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user’s session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set. Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as “red” or “blue.” Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere. |
Cross-Domain JavaScript Source File Inclusion |
Ensure JavaScript source files are loaded from only trusted sources, and the sources can’t be controlled by end users of the application. |
Cookie Without Secure Flag |
Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. |
Absence of Anti-CSRF Tokens |
Phase: Architecture and Design Phase: Implementation Phase: Architecture and Design Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. Use the ESAPI Session Management control. Phase: Implementation |
Cookie No HttpOnly Flag |
Ensure that the HttpOnly flag is set for all cookies. |
X-Content-Type-Options Header Missing |
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to ‘nosniff’ for all web pages. If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing. |
Server Leaks Information via “X-Powered-By” HTTP Response Header Field(s) |
Ensure that your web server, application server, load balancer, etc. is configured to suppress “X-Powered-By” headers. |
Incomplete or No Cache-control and Pragma HTTP Header Set |
Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache. |
X-Frame-Options Header Not Set |
Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it’s set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it’s part of a FRAMESET) then you’ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers). |
Content Security Policy (CSP) Header Not Set |
Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: “Content-Security-Policy” for Chrome 25+, Firefox 23+ and Safari 7+, “X-Content-Security-Policy” for Firefox 4.0+ and Internet Explorer 10+, and “X-WebKit-CSP” for Chrome 14+ and Safari 6+. |
Cookie Without SameSite Attribute |
Ensure that the SameSite attribute is set to either ‘lax’ or ideally ‘strict’ for all cookies. |
CSP: script-src unsafe-inline |
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header. |
CSP: style-src unsafe-inline |
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header. |
Cross-Domain Misconfiguration |
Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance). Configure the “Access-Control-Allow-Origin” HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner. |
Application Error Disclosure |
Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user. |
Information Disclosure – Suspicious Comments |
Remove all comments that return information that may help an attacker and fix any underlying problems they refer to. |
Timestamp Disclosure – Unix |
Manually confirms that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. |