Scan Report Executive Summary


Part 1. Scan Information

Scan Customer Company: Vin65
ASV Company: Comodo CA Limited
Date scan was completed: 08/28/2017
Scan expiration date: 11/26/2017

Part 2. Component Summary

Component (IP Address, domain, etc.):
Component (IP Address, domain, etc.):

Part 3a. Vulnerabilities Noted for each Component

ASV may choose to omit vulnerabilities that do not impact compliance from this section; however, failing vulnerabilities that have been changed to "pass" via exceptions or after remediation / rescan must always be listed.

Component:

Vulnerabilities noted (port / protocol as reported):
- SSL Cipher Suites Supported (443)
- Device Type (0 / tcp)
- SSL Root Certification Authority Certificate Information (443)
- Web Server No 404 Error Code Check (80)
- TCP/IP Timestamps Supported (0 / tcp)
- Web Server Directory Enumeration (80)
- Web Server Directory Enumeration (443)
- Strict Transport Security (STS) Detection (80 / tcp)
- Strict Transport Security (STS) Detection (443 / tcp)
- SSL / TLS Versions Supported (443)
- Non-compliant Strict Transport Security (STS) (80)
- Service Detection (443)
- Service Detection (443)
- Service Detection (80)
- Web Application Cookies Not Marked HttpOnly (80)
- Web Application Cookies Not Marked HttpOnly (443)
- SSL Perfect Forward Secrecy Cipher Suites Supported (443)
- Nessus SYN scanner (443)
- Nessus SYN scanner (80)
- OpenSSL Detection (443)
- Common Platform Enumeration (CPE) (0 / tcp)
- HTTP Server Type and Version (80)
- HTTP Server Type and Version (443)
- HyperText Transfer Protocol (HTTP) Information (443)
- HyperText Transfer Protocol (HTTP) Information (80)
- OS Identification (0 / tcp)
- Web Application Cookies Not Marked Secure (80 / tcp)
- Web Application Cookies Not Marked Secure (443)
- SSL Session Resume Supported (443)
- SSL Cipher Block Chaining Cipher Suites Supported (443)
- HTTP Methods Allowed (per directory) (80)
- HTTP Methods Allowed (per directory) (443 / tcp)
- HyperText Transfer Protocol (HTTP) Redirect Information (80)
- SSL Certificate Information (443)

Consolidated Solution/Correction Plan for above IP address:
- Ensure that use of this root Certification Authority certificate complies with your organization's acceptable use and security policies.
- If possible, add the 'HttpOnly' attribute to all session cookies and any cookies containing sensitive data.
- Protect your target with an IP filter.
- If possible, ensure all communication occurs over an encrypted channel and add the 'secure' attribute to all session cookies or any cookies containing sensitive data.
- Analyze the redirect(s) to verify that this is valid operation for your web server and/or application.

Component:

Vulnerabilities noted (port / protocol as reported; severity and score where given):
- CGI Generic SQL Injection (HTTP Headers) (80 / tcp), High 7.5: The vulnerability is not present after inspection and testing
- CGI Generic SQL Injection (blind) (443), High 7.5: The vulnerability is not present after inspection and testing
- CGI Generic SQL Injection (HTTP Headers) (443 / tcp), High 7.5: The vulnerability is not present after inspection and testing
- Web Server Uses Plain Text Authentication Forms (80), Low 2.6: The vulnerability is not included in the
- CGI Generic Tests Load Estimation (all tests) (443)
- CGI Generic Tests Load Estimation (all tests) (80 / tcp)
- CGI Generic Injectable Parameter (443)
- CGI Generic Injectable Parameter (80)
- Web Server Harvested Email Addresses (443 / tcp)
- Web Server Harvested Email Addresses (80 / tcp)
- Web Server Office File Inventory (443)
- HSTS Missing From HTTPS Server (443)
- OpenSSL Detection (443)
- Web Server No 404 Error Code Check (80)
- Web Application Sitemap (443)
- Web Application Sitemap (80)
- Web Application Cookies Not Marked HttpOnly (80)
- Web Application Cookies Not Marked HttpOnly (443)
- SSL Cipher Block Chaining Cipher Suites Supported (443)
- OS Identification (0 / tcp)
- SSL / TLS Versions Supported (443)
- SSL Session Resume Supported (443)
- SSL Cipher Suites Supported (443)
- Web Application Cookies Not Marked Secure (80 / tcp)
- Web Application Cookies Not Marked Secure (443)
- TCP/IP Timestamps Supported (0 / tcp)
- Web Server Directory Enumeration (80)
- Web Server Directory Enumeration (443)
- Device Type (0 / tcp)
- HTTP Methods Allowed (per directory) (443 / tcp)
- HTTP Methods Allowed (per directory) (80)
- HyperText Transfer Protocol (HTTP) Redirect Information (80)
- Service Detection (443)
- Service Detection (443)
- Service Detection (80)
- Web Application Cookies Are Expired (80)
- Web Application Cookies Are Expired (443 / tcp)
- SSL Root Certification Authority Certificate Information (443)
- Web Server robots.txt Information Disclosure (80 / tcp)
- Web Server robots.txt Information Disclosure (443)
- SSL Perfect Forward Secrecy Cipher Suites Supported (443)
- Web Server Allows Password Auto-Completion (80)
- Web Server Allows Password Auto-Completion (443)
- Nessus SYN scanner (443)
- Nessus SYN scanner (80)
- SSL Certificate Information (443)
- HTTP Server Type and Version (80)
- HTTP Server Type and Version (443)
- HyperText Transfer Protocol (HTTP) Information (443)
- Common Platform Enumeration (CPE) (0 / tcp)
- HyperText Transfer Protocol (HTTP) Information (80)
- HTTP X-Content-Security-Policy Response Header Usage (443)
- HTTP X-Content-Security-Policy Response Header Usage (80)

Consolidated Solution/Correction Plan for above IP address:
- Modify the affected CGI scripts so that they properly escape arguments.
- Make sure that such files do not contain any confidential or otherwise sensitive information and that they are only accessible to those with valid credentials.
- Configure the remote web server to use HSTS.
- If possible, add the 'HttpOnly' attribute to all session cookies and any cookies containing sensitive data.
- If possible, ensure all communication occurs over an encrypted channel and add the 'secure' attribute to all session cookies or any cookies containing sensitive data.
- Make sure that every sensitive form transmits content over HTTPS.
- Analyze the redirect(s) to verify that this is valid operation for your web server and/or application.
- If needed, set an expiration date in the future so the cookie will persist, or remove the Expires cookie attribute altogether to convert the cookie to a session cookie.
- Ensure that use of this root Certification Authority certificate complies with your organization's acceptable use and security policies.
- Review the contents of the site's robots.txt file, use Robots META tags instead of entries in the robots.txt file, and/or adjust the web server's access controls to limit access to sensitive material.
- Add the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials.
- Protect your target with an IP filter.
- Set a properly configured Content-Security-Policy header for all requested resources.

Part 3b. Special notes by IP Address

Component | Special Note | Item Noted | Scan customer's description of action taken and declaration that software is either implemented securely or removed

Part 3c. Special notes -- Full Text

- Load Balancing: As you were unable to validate that the configuration of the environment behind your load balancers is synchronized, it is your responsibility to ensure that the environment is scanned as part of the internal vulnerability scans required by the PCI DSS.

- Directory Browsing: Browsing of directories on web servers can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, please 1) justify the business need for this configuration to the ASV, or 2) confirm that it is disabled. Please consult your ASV if you have questions about this Special Note.

- Remote Access: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and 2) confirm it is either implemented securely per Appendix C or disabled/removed. Please consult your ASV if you have questions about this Special Note.

- POS Software detected: Due to increased risk to the cardholder data environment when a point-of-sale system is visible on the Internet, please 1) confirm that this system needs to be visible on the Internet, that the system is implemented securely, and that original default passwords have been changed to complex passwords, or 2) confirm that the system has been reconfigured and is no longer visible to the Internet. Please consult your ASV if you have questions about this Special Note.

- Embedded links or code from out-of-scope domains: Note to scan customer: Due to increased risk to the cardholder data environment when embedded links redirect traffic to domains outside the merchant's CDE scope, 1) confirm that this code is obtained from a
trusted source, that the embedded links redirect to a trusted source, and that the code is implemented securely, or 2) confirm that the code has been removed. Consult your ASV if you have questions about this Special Note.

- Insecure Services / industry-deprecated protocols: Note to scan customer: Insecure services and industry-deprecated protocols can lead to information disclosure or potential exploit. Due to increased risk to the cardholder data environment, 1) justify the business need for this service and confirm additional controls are in place to secure use of the service, or 2) confirm that it is disabled. Consult your ASV if you have questions about this Special Note.

- Unknown services: Note to scan customer: Unidentified services have been detected. Due to increased risk to the cardholder data environment, identify the service, then either 1) justify the business need for this service and confirm it is securely implemented, or 2) identify the service and confirm that it is disabled. Consult your ASV if you have questions about this Special Note.

Part 4a. Scope Submitted by Scan Customer for Discovery

IP Addresses/ranges/subnets, domains, URLs, etc.:
DOMAIN:
DOMAIN:

Part 4b. Scan Customer Designated In-Scope Components (Scanned)

IP Addresses/ranges/subnets, domains, URLs, etc.:

Part 4c. Scan Customer Designated Out-of-Scope Components (Not Scanned)

Requires description for each IP Address/range/subnet, domain, URL.