12-11-2018 12:05 AM
Security Questions
As part of pen testing the following came back, is it possible to address these in OneView?
Username Enumeration - it was found to respond differently to existing and non-existing users which made it possible to enumerate legitimate users
Security Response Headers - the host did utilise common security headers as those recommended by OWASP secure headers project
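The username enumeration finding above, as an added example that is not OneView code and is not from either poster: a login handler that answers differently for an unknown user and for a wrong password, beside one that returns the same status, the same body and does the same amount of password hashing on both paths, plus a probe function that flags the difference the way a pen tester would. The user store, password, salt and messages are constructed for this example.

```python
"""
Added example (not HPE OneView code). Shows a login handler that leaks
whether a username exists, a hardened version, and a probe that detects
the leak. Everything below (users, salt, password) is constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


def _hash(salt: bytes, password: str) -> bytes:
    """Slow password hash; the cost is what makes a timing oracle visible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-salt"
# Constructed user store: username -> (salt, hashed password).
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "administrator": (_SALT, _hash(_SALT, "correct horse battery staple")),
}
# Dummy record so unknown users go through the same hashing work.
_DUMMY = (_SALT, _hash(_SALT, secrets.token_hex(16)))


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def login_leaky(username: str, password: str) -> Response:
    """Vulnerable: status code and message reveal whether the user exists,
    and unknown users are rejected without any hashing (a timing signal too)."""
    if username not in USERS:
        return Response(404, "Unknown user")
    salt, stored = USERS[username]
    if _hash(salt, password) != stored:
        return Response(401, "Incorrect password")
    return Response(200, "OK")


def login_uniform(username: str, password: str) -> Response:
    """Hardened: identical status, identical body and the same hashing work
    whether or not the username exists."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(salt, password), stored)
    if ok and username in USERS:
        return Response(200, "OK")
    return Response(401, "Invalid username or password")


def enumeration_oracle(
    login: Callable[[str, str], Response],
    known_user: str,
    probe_user: str,
    password: str = "definitely-wrong",
) -> bool:
    """True if the handler can be used to tell a real user from a made-up one."""
    a = login(known_user, password)
    b = login(probe_user, password)
    return (a.status, a.body) != (b.status, b.body)


if __name__ == "__main__":
    print("leaky handler enumerable:",
          enumeration_oracle(login_leaky, "administrator", "nosuchuser"))
    print("uniform handler enumerable:",
          enumeration_oracle(login_uniform, "administrator", "nosuchuser"))
```

The probe only compares status and body; a thorough test also measures response time, which is why the hardened handler hashes a dummy record for unknown users instead of returning early. The same uniform-response rule applies to password reset and account lockout messages, which are the other places this finding usually reappears.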
12-13-2018 10:04 PM
Re: Security Questions
Hi @jp24
Are you finding these with OneView 4.00 or 4.10?
The specific issue below you have stated:
Username Enumeration - it was found to respond differently to existing and non-existing users which made it possible to enumerate legitimate users
This defect has been fixed in a more recent version of OneView yet to be released.
On the below:
Security Response Headers - the host did utilise common security headers as those recommended by OWASP secure headers project
Did this come back as a violation in the pen-test result?
Regards,
Bhaskar
I am an HPE employee
01-17-2019 04:09 AM
Re: Security Questions
Hi Bhaskar,
Thank you for the response. These were related to version 4.10 of the Appliance.
Username Enumeration - Are you able to advise which version this may be?
Security Response Headers - although not defined as critical in the pen-test results, which I understand follow industry standards, it was their finding; the classification by the client may see it differently and prevent rollout.
01-31-2019 10:43 PM
Re: Security Questions
Hi @jp24
The next upcoming OneView release right after 4.10, has the fix for the username enumeration problem.
On the request headers that are flagged as a violation by OWASP, can you share any details on that?
Regards,
Bhaskar
I am an HPE employee
02-05-2019 06:00 AM
Re: Security Questions
Redacted Feedback
Recommendation
It is strongly recommended that the following security response headers are implemented in their highlighted configuration:
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: deny
Cache-Control: no-store
Pragma: no-cache
References & Resources
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers
https://www.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OTG-AUTHN-006)
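An added example, not HPE's code and not part of the pen-test report, that checks a set of HTTP response headers against the recommended configuration listed in the feedback above. It parses directive lists rather than comparing whole strings, so it catches the near-misses a scanner looks for: an HSTS max-age shorter than a year, a Cache-Control value that does not actually contain no-store, a header sent under a different letter case. Both header sets below are constructed for the example, not captured from an appliance.

```python
"""
Added example (not HPE OneView code). Audits response headers against the
configuration recommended in the pen-test feedback. RECOMMENDED mirrors that
list; WEAK_RESPONSE is a constructed set of headers with typical defects.
"""
from typing import Dict, List, Optional

# The configuration recommended in the report.
RECOMMENDED: Dict[str, str] = {
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "deny",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}

# Constructed headers from a hypothetical unhardened host.
WEAK_RESPONSE: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no store",          # no hyphen: not a directive, ignored by browsers
    "X-Frame-Options": "ALLOW-FROM https://example.invalid",
    "Strict-Transport-Security": "max-age=300",
}


def _directives(value: str) -> Dict[str, str]:
    """Split 'a=1; b' (or comma separated) into {'a': '1', 'b': ''}, names lower-cased."""
    out: Dict[str, str] = {}
    for part in value.replace(",", ";").split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"')
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every recommended header is acceptable."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    def want(name: str) -> Optional[str]:
        v = h.get(name.lower())
        if v is None:
            findings.append(f"{name}: missing")
        return v

    v = want("X-Content-Type-Options")
    if v is not None and v.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options: expected 'nosniff', got '{v}'")

    v = want("X-Frame-Options")
    if v is not None and v.lower() not in ("deny", "sameorigin"):
        findings.append(f"X-Frame-Options: expected DENY or SAMEORIGIN, got '{v}'")

    v = want("X-XSS-Protection")
    if v is not None and v.replace(" ", "").lower() != "1;mode=block":
        findings.append(f"X-XSS-Protection: expected '1; mode=block', got '{v}'")

    v = want("Strict-Transport-Security")
    if v is not None:
        d = _directives(v)
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            max_age = -1
        if max_age < 31536000:
            findings.append(
                f"Strict-Transport-Security: max-age should be at least 31536000, got '{d.get('max-age', '')}'")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security: includeSubDomains not set")

    v = want("Cache-Control")
    if v is not None and "no-store" not in _directives(v):
        findings.append(f"Cache-Control: 'no-store' directive not present in '{v}'")

    v = want("Pragma")
    if v is not None and v.lower() != "no-cache":
        findings.append(f"Pragma: expected 'no-cache', got '{v}'")

    return findings


if __name__ == "__main__":
    for name, hdrs in (("recommended", RECOMMENDED), ("weak", WEAK_RESPONSE)):
        print(name, audit_headers(hdrs) or "no findings")
```

To run it against a live host, feed it the headers printed by `curl -sSI https://<appliance>/`, and check an authenticated page and an API response as well as the login page, since caching findings (the OTG-AUTHN-006 reference) are about responses that carry session data. Two caveats worth raising with the client when the HSTS item is discussed: browsers only honour Strict-Transport-Security for a hostname, never for an appliance reached by IP address, and includeSubDomains applies to every host under that domain, not just the appliance. X-XSS-Protection controlled a browser filter that current browsers have removed, so that header satisfies scanners more than it protects users.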
02-05-2019 08:43 PM
Re: Security Questions
Thanks @jp24 for sharing these.
Will check and respond.
I am an HPE employee
02-15-2019 05:37 AM
Re: Security Questions
Hi @jp24
Sorry about the delay.
The below headers are addressed in an upcoming release.
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: deny
Pragma: no-cache
We are evaluating the below two still and we'll take them up appropriately.
Cache-Control: no-store
Strict-Transport-Security: max-age=31536000; includeSubDomains
Thank you.
Regards,
Bhaskar
I am an HPE employee
03-06-2019 02:36 AM
Re: Security Questions
Thank you for the update.
© Copyright 2021 Hewlett Packard Enterprise Development LP