⇤ How is the Diligence Risk Category Calculated?
Access control policies ensure that users cannot act outside of their intended permissions.
Table of Contents
- CMS Administration Portal Exposed
- Cross-Site Request Forgery (CSRF) Mitigations Present
- Authentication on Insecure Channel
CMS Administration Portal Exposed
Content Management System (CMS) admin interfaces are frequently exposed to the Internet and are prime targets for brute force attacks. Since these interfaces are typically present at well-known URLs, it is trivial to discover such interfaces for brute force attacks.
Frameworks Referenced
| Organization | Framework |
|---|---|
| OWASP | A01:2021 - Broken Access Control |
| CWE | CWE-284: Improper Access Control |
Grading
We scan each website looking for known CMS admin login pages and issue a WARN finding for each one exposed to the Internet.
| Condition | Grade |
|---|---|
| The CMS framework's admin login page is exposed to the Internet. | WARN |
Mitigation
Website owners should avoid exposing administrative interfaces to the Internet, instead only making them accessible via a VPN, internal network, or behind a firewall.
Cross-Site Request Forgery (CSRF) Mitigations Present
Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a web application against which they are currently authenticated. CSRF attacks exploit the trust a web application has in an authenticated user’s browser session.
Frameworks Referenced
| Organization | Framework |
|---|---|
| OWASP | A01:2021 - Broken Access Control |
| CWE | CWE-352: Cross-Site Request Forgery (CSRF) |
Grading
We issue an informational finding (NEUTRAL) whenever we fail to identify a CSRF mechanism in use without the adequate configuration. Since there is no standard method to define the name for these tokens, we will only consider those used by known CSRF frameworks.
| Condition | Grade |
|---|---|
| Missing CSRF mechanism with adequate configuration. | NEUTRAL |
Mitigation
Whenever possible, 128 bits of entropy should be used to define CSRF tokens.
Authentication on Insecure Channel
This assessment looks for situations where a web application is requesting authentication from a user on an insecure channel.
The following situations are considered:
- Web application is requesting credentials via the www-Authenticate header over an insecure non-HTTPS connection
- An authentication HTML form is being presented over an insecure non-HTTPS connection
- Password forms are requesting credentials on a site loaded with TLS Errors
Frameworks Referenced
| Organization | Framework |
|---|---|
| OWASP | A02:2021 - Cryptographic Failures |
| CWE | CWE-319: Cleartext Transmission of Sensitive Information |
Grading
| Condition | Grade |
|---|---|
| A password form is requesting credentials on a site loaded with the "Obsolete connections settings" TLS error. | WARN |
|
This grade is issued if:
|
BAD |
Mitigation
All authentication mechanisms should always be served through a secure channel.