Scoring bad at Pentest... thanks to Azure :)



As part of a security compliancy, we had our application (deployed in Azure), scanned with a Pentest by an external company.

I just received the Scan Reports, and I was surprised to see issues that I was sure we fixed (such as OWASP XSS (Cross Site Scripting) just to name one..

Well, after a quick analysis of the reports, it turns out that most of those issues belong to Azure resources!

By having our APIs behind Azure API Management, its Developer Portal was scanned as well, and resulted in a few issues (between Low and Medium, nothing critical).

The AAD login page, has a few of those issues as well, and because of the automatic redirect they seem caused by our app during the scan..

Obviously those resources are out of our control, and we can't do anything to fix those issues, maybe Microsoft will.

At the same time it is nice to find out that the hard work to secure our app paid off, and only a few minor issues were found that actually belong to it.

This is the list of issues belonging to Azure resources:


  • Medium (Medium) – Application Error Disclosure
  • Low (Medium) – Web Browser XSS Protection Not Enabled
  • Low (Medium) – Incomplete or No Cache-control and Pragma HTTP Header Set
  • Low (Medium) – X-Content-Type-Options Header Missing
  • Low (Medium) – Cookie Without Secure Flag
  • Low (Medium) – Cross-Domain JavaScript Source File Inclusion
  • Low (Medium) – Password Autocomplete in Browser

Comments

Post a Comment

Popular posts from this blog

Cloud Computing using Microsoft Azure for Dummies

Image
Microsoft Azure is one of the first On-Demand Cloud Services available since several years, along with Amazon . So what is this Cloud Computing ? “Cloud computing, also known as 'on-demand computing', is a kind of Internet-based computing, where shared resources, data and information are provided to computers and other devices on-demand” [ Wikipedia ] Since a few years, and especially thanks to the worldwide Globalization , the amount of data exchanged over the Internet has been growing exponentially, bringing into the game some new paradigm such as Big Data , which challenged the existing hardware and infrastructure at every level. Most public exposed systems and websites had suddenly to deal with a huge amount of traffic, data and requests, from any part of the world, with potential peaks at any given time, 24/7.  This represented a big challenge for the stability and availability of systems, which for most businesses required an incredib
Read more

RabbitMQ on Kubernetes Container Cluster in Azure

Image
Introduction This post is quite technical (and long, and detailed), so sit down, enjoy your coffee, and let’s get started! Containers are becoming the way forward in the DevOps and IT worlds, as they greatly simplify deployments of applications and IT infrastructure . RabbitMQ is “the most widely deployed open source message broker”, and easy to use within a Docker Container Image . Kubernetes is considered the De-facto Standard for Container Orchestration . To follow this tutorial you can use the built in Azure Cloud Shell , or download and install the Azure CLI , and use PowerShell locally. Make sure you have installed  Azure PowerShell . You will also need Kubectl , so make sure you install that too (I suggest Choco as the easiest way). Here I am using PowerShell . Resource Group First you have to login to Azure through PowerShell: az login You will receive a message such as: To sign in , use a web browser to open the page http
Read more

AD vs AAD (Active Directory vs Azure Active Directory)

Image
Comparing AD vs AAD is a bit like comparing apples and oranges; they are two very different technologies used for different scenarios and needs . As organizations look to move a great deal of their infrastructure to Azure , Active Directory ceases to become the right option .  Azure AD therefore, becomes the solution that is recommended. This post is aimed at explaining the main reasons behind this statement. On-Premise Active Directory Windows Server AD offers 5 core services. · Active Directory Domain Services (ADDS) · Active Directory Certificate Services (ADCS) · Active Directory Rights Management Services (ADRMS) · Active Directory Lightweight Directory Services (ADLDS) · Active Directory Federation Services (ADFS) Those 5 services together make up the entirety of on-premises AD . When most of us talk about AD , we’re mostly talking about ADDS . None of those 5 services are available in Azure AD . When you thi
Read more