HPE OneView

Security Questions

 
jp24
Occasional Contributor

Security Questions

As part of pen testing, the following came back. Is it possible to address these in OneView?

Username Enumeration - it was found to respond differently to existing and non-existing users, which made it possible to enumerate legitimate users

Security Response Headers - the host did utilise common security headers such as those recommended by the OWASP Secure Headers Project

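To make the first finding concrete, here is an added example (not OneView code, and not from either poster) of the two login-handler shapes a tester distinguishes between: one that answers differently for an unknown account and a wrong password, and one that returns a single failure response and does the same amount of work on both paths. The user store, passwords and salts are constructed for the example; the `login_*` functions are hypothetical stand-ins for an appliance login endpoint.

```python
"""Username enumeration: a login check that leaks account existence, next to one that does not.

Added example, not OneView code. The user store and hashes are constructed for
illustration; the login functions are hypothetical stand-ins for an appliance endpoint.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, pbkdf2 hash). One shared salt keeps the
# example short; real stores use a random salt per user.
_SALT = b"example-salt-not-for-production"
USERS = {
    "administrator": (_SALT, hash_password("correct horse", _SALT)),
    "backup": (_SALT, hash_password("battery staple", _SALT)),
}

# Dummy credential verified when the username is unknown, so the unknown-user path
# costs the same as the wrong-password path. A random 32-byte value never matches.
_DUMMY_SALT = b"dummy-salt"
_DUMMY_HASH = os.urandom(32)


def login_verbose(username: str, password: str) -> tuple[int, str]:
    """Vulnerable: a distinct status and message for unknown user vs. wrong password,
    and no hashing at all on the unknown-user path (a timing difference as well)."""
    if username not in USERS:
        return 404, "Unknown user"
    salt, expected = USERS[username]
    if hmac.compare_digest(hash_password(password, salt), expected):
        return 200, "OK"
    return 401, "Wrong password"


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Hardened: one status and one message for every failure, and a password hash
    is always computed so both failure paths take about the same time."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    if ok and username in USERS:
        return 200, "OK"
    return 401, "Invalid username or password"


def enumeration_oracle(login, known_user: str, unknown_user: str) -> bool:
    """The pen-test check: does a failed login for a real account look different
    from a failed login for a non-existent one? True means enumeration is possible."""
    return login(known_user, "wrong") != login(unknown_user, "wrong")


if __name__ == "__main__":
    for name, fn in (("verbose", login_verbose), ("uniform", login_uniform)):
        print(name, "leaks account existence:", enumeration_oracle(fn, "administrator", "nobody"))
```

The oracle only compares the response body and status; a thorough test also times the two failures, which is why the hardened version hashes a dummy credential instead of returning early. The same uniform-response rule applies to password-reset and account-lookup endpoints, which are the usual places the leak reappears after login is fixed.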
BhaskarV
Trusted Contributor

Re: Security Questions

Hi @jp24

Are you finding these with OneView 4.00 or 4.10?
The specific issue below you have stated:
Username Enumeration - it was found to respond differently to existing and non-existing users which made it possible to enumerate legitimate users
This defect has been fixed in a more recent version of OneView yet to be released.

On the below:
Security Response Headers - the host did utilise common security headers as those recommended by OWASP secure headers project
Did this come back as a violation in the pen-test result?

Regards,
Bhaskar

 


I am an HPE employee


jp24
Occasional Contributor

Re: Security Questions

Hi Bhaskar,

Thank you for the response. These were related to version 4.10 of the Appliance.

Username Enumeration - Are you able to advise which version this may be?

Security Response Headers - although not defined as critical in the pen-test results, which I understand follow industry standards, it was their finding; the classification by the client may see it differently and prevent rollout.

BhaskarV
Trusted Contributor

Re: Security Questions

Hi @jp24

The next upcoming OneView release right after 4.10, has the fix for the username enumeration problem.

On the request headers that are flagged as a violation by OWASP, can you share any details on that?

Regards,
Bhaskar



jp24
Occasional Contributor

Re: Security Questions

Redacted Feedback

Recommendation
It is strongly recommended that the following security response headers are implemented in their highlighted configuration:
- X-XSS-Protection: 1; mode=block
- Strict-Transport-Security: max-age=31536000; includeSubDomains
- X-Content-Type-Options: nosniff
- X-Frame-Options: deny
- Cache-Control: no-store
- Pragma: no-cache

References & Resources
- https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers
- https://www.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OTG-AUTHN-006)

BhaskarV
Trusted Contributor

Re: Security Questions

Thanks @jp24  for sharing these.
Will check and respond.



BhaskarV
Trusted Contributor

Re: Security Questions

Hi @jp24 

Sorry about the delay.
The below headers are addressed in an upcoming release.

- X-XSS-Protection: 1; mode=block
- X-Content-Type-Options: nosniff
- X-Frame-Options: deny
- Pragma: no-cache

We are still evaluating the below two and we'll take them up appropriately.
- Cache-Control: no-store
- Strict-Transport-Security: max-age=31536000; includeSubDomains

Thank you.

Regards,
Bhaskar

 


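The recommendation list quoted earlier in the thread and the four-plus-two split in the reply above both come down to one check a practitioner wants to rerun after an upgrade: which of the six headers are present, and whether their values are the recommended ones. The following is an added example (not OneView code, and not from either poster) that audits a header dictionary against exactly those six recommendations. The two header sets in it are constructed to model an appliance before the fix and one that ships the four headers the reply lists while the other two are still under evaluation; they are not captured from a real appliance. To audit a live host, build the dictionary from a real response (for instance the output of `curl -sI https://<appliance>/`) and pass it to `audit_headers()`.

```python
"""Audit HTTP response headers against the six recommendations quoted in this thread.

Added example, not OneView code. BEFORE and AFTER are constructed header sets, not
captures from an appliance.
"""
import re

ONE_YEAR = 31536000  # seconds, the max-age the pen-test recommended for HSTS


def _directives(value: str) -> set:
    """Split a header value such as 'private, max-age=0' into normalised tokens."""
    return {d.strip().lower() for d in re.split(r"[;,]", value) if d.strip()}


def _check_hsts(value: str) -> str:
    dirs = _directives(value)
    max_age = None
    for d in dirs:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    if max_age is None or max_age < ONE_YEAR:
        return f"weak: max-age is {max_age}, want >= {ONE_YEAR}"
    if "includesubdomains" not in dirs:
        return "weak: missing includeSubDomains"
    return "ok"


# Each check returns 'ok' or a 'weak: ...' explanation for a present header.
CHECKS = {
    "X-XSS-Protection": lambda v: "ok" if _directives(v) == {"1", "mode=block"} else f"weak: {v}",
    "Strict-Transport-Security": _check_hsts,
    "X-Content-Type-Options": lambda v: "ok" if v.strip().lower() == "nosniff" else f"weak: {v}",
    "X-Frame-Options": lambda v: "ok" if v.strip().lower() == "deny" else f"weak: {v}",
    "Cache-Control": lambda v: "ok" if "no-store" in _directives(v) else f"weak: {v}",
    "Pragma": lambda v: "ok" if "no-cache" in _directives(v) else f"weak: {v}",
}


def audit_headers(headers: dict) -> dict:
    """Return {header: 'ok' | 'missing' | 'weak: ...'} for each recommended header.
    Header names are matched case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {
        name: (check(lowered[name.lower()]) if name.lower() in lowered else "missing")
        for name, check in CHECKS.items()
    }


def failing(headers: dict) -> list:
    """Names of the recommended headers that are missing or weakly configured."""
    return [name for name, verdict in audit_headers(headers).items() if verdict != "ok"]


# Constructed: an appliance response before any of the headers were added.
BEFORE = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "private, max-age=0",
    "Strict-Transport-Security": "max-age=300",
}

# Constructed: the four headers the reply says ship, with the other two unchanged.
AFTER = {
    "Content-Type": "text/html; charset=utf-8",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Pragma": "no-cache",
    "Cache-Control": "private, max-age=0",
    "Strict-Transport-Security": "max-age=300",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for name, verdict in audit_headers(hdrs).items():
            print(f"  {name}: {verdict}")
```

Two caveats when reading the verdicts. `Cache-Control` and `Strict-Transport-Security` are the two the reply says are still under evaluation, and they are also the two the checker judges by value rather than mere presence: a short `max-age` or a `private` without `no-store` passes a presence-only scan but still fails the recommendation. And `X-XSS-Protection: 1; mode=block` reflects the OWASP guidance of the time; the XSS auditor it controlled has since been removed from Chromium-based browsers and the OWASP Secure Headers Project now recommends setting it to `0`, so treat that line as a historical recommendation rather than a hardening step to insist on today.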

jp24
Occasional Contributor

Re: Security Questions

Thank you for the update.