Scoring bad at Pentest... thanks to Azure :)



As part of a security compliancy, we had our application (deployed in Azure), scanned with a Pentest by an external company.

I just received the Scan Reports, and I was surprised to see issues that I was sure we fixed (such as OWASP XSS (Cross Site Scripting) just to name one..

Well, after a quick analysis of the reports, it turns out that most of those issues belong to Azure resources!

By having our APIs behind Azure API Management, its Developer Portal was scanned as well, and resulted in a few issues (between Low and Medium, nothing critical).

The AAD login page, has a few of those issues as well, and because of the automatic redirect they seem caused by our app during the scan..

Obviously those resources are out of our control, and we can't do anything to fix those issues, maybe Microsoft will.

At the same time it is nice to find out that the hard work to secure our app paid off, and only a few minor issues were found that actually belong to it.

This is the list of issues belonging to Azure resources:


  • Medium (Medium) – Application Error Disclosure
  • Low (Medium) – Web Browser XSS Protection Not Enabled
  • Low (Medium) – Incomplete or No Cache-control and Pragma HTTP Header Set
  • Low (Medium) – X-Content-Type-Options Header Missing
  • Low (Medium) – Cookie Without Secure Flag
  • Low (Medium) – Cross-Domain JavaScript Source File Inclusion
  • Low (Medium) – Password Autocomplete in Browser

Comments

Popular posts from this blog

Cloud Computing using Microsoft Azure for Dummies

RabbitMQ on Kubernetes Container Cluster in Azure

PowerHell