HPE OneView

Re: Security Questions

jp24
Occasional Contributor

Security Questions

As part of pen testing the following came back, is it possible to address these in OneView?

Username Enumeration - it was found to respond differently to existing and non-existing users which made it possible to enumerate legitimate users

Security Response Headers - the host did utilise common security headers as those recommended by OWASP secure headers project

BhaskarV
Trusted Contributor

Re: Security Questions

Hi @jp24

Are you finding these with OneView 4.00 or 4.10?
The specific issue below you have stated:
Username Enumeration - it was found to respond differently to existing and non-existing users which made it possible to enumerate legitimate users
This defect has been fixed in a more recent version of OneView yet to be released.

On the below:
Security Response Headers - the host did utilise common security headers as those recommended by OWASP secure headers project
Did this come back as a violation in the pen-test result?

Regards,
Bhaskar

I am an HPE employee

jp24
Occasional Contributor

Re: Security Questions

Hi Bhaskar,

Thank you for the response. These were related to version 4.10 of the Appliance.

Username Enumeration - Are you able to advise which version this may be?

Security Response Headers - although not defined as critical in the pen-test results, which I understand follow industry standards, it was their finding; the classification by the client may see it differently and prevent rollout.

BhaskarV
Trusted Contributor

Re: Security Questions

Hi @jp24

The next upcoming OneView release right after 4.10, has the fix for the username enumeration problem.

On the request headers that are flagged as a violation by OWASP, can you share any details on that?

Regards.
Bhaskar


I am an HPE employee

jp24
Occasional Contributor

Re: Security Questions

Redacted Feedback 

Recommendation
It is strongly recommended that the following security response headers are implemented in their highlighted configuration:
 X-XSS-Protection: 1; mode=block
 Strict-Transport-Security: max-age=31536000; includeSubDomains
 X-Content-Type-Options: nosniff
 X-Frame-Options: deny
 Cache-control: no store
 Pragma: no-cache


References & Resources
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers
https://www.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OTG-AUTHN-006)
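The recommended configuration above turned into a check, as an added example and not code from this thread, HPE or OneView: it parses each header's directives and reports each of the six headers as ok, missing, or weak against the values the pen test asked for. The sample response dictionary is constructed, not captured from any appliance.

```python
"""Check HTTP response headers against the six headers recommended in the
pen-test finding above. Added example; not HPE or OneView code."""


def _directives(value):
    """Parse 'a; b=c, d' into {'a': None, 'b': 'c', 'd': None}, lower-cased."""
    out = {}
    for part in value.replace(",", ";").split(";"):
        part = part.strip().lower()
        if part:
            key, _, val = part.partition("=")
            out[key.strip()] = val.strip() or None
    return out


def _hsts_ok(value):
    """max-age of at least one year and includeSubDomains, as recommended."""
    d = _directives(value)
    try:
        return int(d.get("max-age") or 0) >= 31536000 and "includesubdomains" in d
    except ValueError:
        return False


# Header -> predicate on its value, mirroring the recommended configuration.
# The finding's "Cache-control: no store" is checked as the "no-store" directive.
CHECKS = {
    "X-XSS-Protection": lambda v: "1" in _directives(v) and _directives(v).get("mode") == "block",
    "Strict-Transport-Security": _hsts_ok,
    "X-Content-Type-Options": lambda v: "nosniff" in _directives(v),
    "X-Frame-Options": lambda v: "deny" in _directives(v),
    "Cache-Control": lambda v: "no-store" in _directives(v),
    "Pragma": lambda v: "no-cache" in _directives(v),
}


def check_headers(headers):
    """Return {header: 'ok' | 'missing' | 'weak: <value>'} for a name->value mapping."""
    present = {k.lower(): v for k, v in headers.items()}
    report = {}
    for name, ok in CHECKS.items():
        value = present.get(name.lower())
        report[name] = "missing" if value is None else ("ok" if ok(value) else "weak: " + value)
    return report


# Constructed sample response: two headers absent, two set to weaker values.
SAMPLE_WEAK = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN",
               "Cache-Control": "no-cache", "Pragma": "no-cache"}
```

Against a live host, feed `check_headers()` the dictionary from `dict(response.getheaders())` of an `http.client.HTTPSConnection` HEAD request, then compare the report before and after the appliance is upgraded.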

BhaskarV
Trusted Contributor

Re: Security Questions

Thanks @jp24 for sharing these.
Will check and respond.


I am an HPE employee

BhaskarV
Trusted Contributor

Re: Security Questions

Hi @jp24 

Sorry about the delay.
The below headers are addressed in an upcoming release.

 X-XSS-Protection: 1; mode=block
 X-Content-Type-Options: nosniff
 X-Frame-Options: deny
 Pragma: no-cache

We are evaluating the below two still and we'll take them up appropriately.
 Cache-control: no store
 Strict-Transport-Security: max-age=31536000; includeSubDomains

Thank you.

Regards,
Bhaskar

I am an HPE employee

jp24
Occasional Contributor

Re: Security Questions

Thank you for the update.