A Single Partner for Everything You Need Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner. However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
From Low to p0wn (Part 2 of 3) Breadcrumb Home Insights Blog From Low to p0wn (Part 2 of 3) February 27, 2017 From Low to p0wn (Part 2 of 3) Remember to Remediate Those Low Severity Findings This series explores the potential risk of de-prioritizing and ignoring low severity application vulnerabilities. In the first installment of this series, we discussed information disclosure due to security misconfiguration. In this installment we look at an example of vulnerability stacking. If an application is vulnerable to the right combination of low severity vulnerabilities, the result can be a situation where the risk of a successful attack is significantly increased. In the scenario, we focus on session management. The most common session management mechanism is a session cookie. We commonly see session cookies without the secure flag. Issues like weak SSL encryption ciphers, the presence of an invalid SSL certificate or missing the HTTP Strict Transport Security (HSTS) header weaken the security posture of the application and increase the likelihood of an attacker being able to intercept and view the application communications. On a shared Wi-Fi network, like in a coffee shop, all an attacker needs to do is convince the victim to visit an application over an insecure HTTP connection. The application in question doesn’t host content over HTTP though, right? If the session cookies are not marked secure and the HSTS header is not set, an attacker can convince the user to access a specially crafted URL and the session cookies will be sent unencrypted. As an example the URL would be http://www.example.com:443, the specially crafted URL connects to port 443 but does not utilize HTTPS. In another scenario, the victim is again on a shared network but the attacker this time is using a Wi-Fi Pineapple. In this scenario, the attacker is intercepting and controlling network traffic using Karma and SSLstrip, to remove any TLS protections from the victim’s request and thus observing their session cookies. Simply, the attacker is requesting the HTTPS page and sending them a HTTP version of the page. The user will most likely never notice that they are not seeing the HTTPS header on their browser. Versus: If the application hasn’t set the HSTS header in a previous session, the browser will proceed over the insecure connection, providing the attacker with the session information and all transmitted data. Each of these vulnerabilities if taken individually pose little risk to the application or its users. Application vulnerability scanners commonly report all of these as a low severity. It is only with the addition of a trained penetration tester with the knowledge of how vulnerabilities are related that the true risk of combining these vulnerabilities can be assessed. In our third and final installment of this series, we will investigate authentication issues including enumeration, password strength and missing account lockout mechanisms. By: Doug Rogahn Senior Security Consultant | Optiv Doug Rogahn is a Senior Consultant within the Application Security group of Optiv’s Threat Practice. With more than 10 years’ experience in Information Security, Doug has worked with a variety of businesses from large global enterprises to small sole proprietorships. Doug is a subject matter expert (SME) on application security and application penetration testing. Doug also enjoys branching out of the virtual world into the realm of physical security, where he runs lockpick villages for small and mid-sized security conventions. Share: Threat
Would you like to speak to an advisor? Let's Talk Cybersecurity Provide your contact information and we will follow-up shortly. Let's Browse Cybersecurity Just looking? Explore how Optiv serves its ~6,000 clients. Show me AI Security Solutions Show me the Optiv brochure Take me to Optiv's Events page Browse all Services