HPE OneView
cancel
Showing results for 
Search instead for 
Did you mean: 

Security Questions

 
jp24
Occasional Contributor

Security Questions

As part of pen testing the following came back, is it possible to address these in OneView?

Username Enumeration - it was found to respond differently to existing and non-existing users which made it possible to enumerate legitimate users

Security Response Headers - the host did utilise common security headers as those recommended by OWASP secure headers project

7 REPLIES 7
BhaskarV
HPE Pro

Re: Security Questions

Hi @jp24

Are you finding these with OneView 4.00 or 4.10?
The specific issue below you have stated:
Username Enumeration - it was found to respond differently to existing and non-existing users which made it possible to enumerate legitimate users
This defect has been fixed in a more recent version of OneView yet to be released.

On the below:
Security Response Headers - the host did utilise common security headers as those recommended by OWASP secure headers project
Did this come back as a violation in the pen-test result?

Regards,
Bhaskar

 


Accept or Kudo
Highlighted
jp24
Occasional Contributor

Re: Security Questions

Hi Bhaskar,

Thank you for the reponse. These were related to version 4.10 of the Appliance.

Username Enumeration - Are you able to advise which version this may be?

Security Response Headers - although not defined critical from pen-test results which i understand follow industry standards it was their findings,  the calissifcation by the client may/see see it differently and prevent rollout.

BhaskarV
HPE Pro

Re: Security Questions

Hi @jp24

The next upcoming OneView release right after 4.10, has the fix for the username enumeration problem.

On the request headers that are flagged as a violation by OWASP,  can you share any details on that?

Regards.
Bhaskar


Accept or Kudo
jp24
Occasional Contributor

Re: Security Questions

Redacted Feedback 

Recommendation
It is strongly recommended recommend that the following security response headers are implemented in their highlighted
configuration:
 X-XSS-Protection: 1; mode=block
 Strict-Transport-Security: max-age=31536000; includeSubDomains
 X-Content-Type-Options: nosniff
 X-Frame-Options: deny
 Cache-control: no store
 Pragma: no-cache


References & Resources
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers
https://www.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OTG-AUTHN-006)

BhaskarV
HPE Pro

Re: Security Questions

Thanks @jp24  for sharing these.
Will check and respond.


Accept or Kudo
BhaskarV
HPE Pro

Re: Security Questions

Hi @jp24 

Sorry about the delay.
The below headers are addressed in an upcoming release.

 X-XSS-Protection: 1; mode=block
 X-Content-Type-Options: nosniff
 X-Frame-Options: deny
 Pragma: no-cache

We are evaluating the below two still and we'll take them up approriately.
 Cache-control: no store
 Strict-Transport-Security: max-age=31536000; includeSubDomains

Thank you.

Regards,
Bhaskar

 


Accept or Kudo
jp24
Occasional Contributor

Re: Security Questions

Thank you for the update.