
Project Ref.

JOB17034
By Taran Dhillon

CLEVERCLOUD PCI DSS ENVIRONMENT


SECURITY ASSESSMENT REPORT
This document details the security posture of the CleverCloud PCI DSS environment based on the
findings identified by Hivint during the PCI DSS annual penetration test in April 2017.
1. Executive Summary

Hivint conducted a security assessment of the CleverCloud PCI DSS environment. The purpose of
the security test was to assess the robustness of the PCI DSS environment against the disclosure of
sensitive information to external attackers.

Target Systems Risk Level


➢ External Infrastructure & Web-Applications Penetration Test Medium
➢ AWS Vulnerability Assessment
➢ Internal Network Infrastructure Review
➢ Hosted Capture Web/API & VOIP Penetration Test
➢ Tokenizer API & Source Code Review & Testing

Key Weaknesses
• Possible for unauthenticated users to determine the password policy and
username naming convention
• Exposed source code files that could assist attackers in enumerating
application functionality
• Weak permissions set for machine configuration compliance reports
• Absence of multi-factor authentication which may allow attackers to gain
access if credentials are intercepted

[Figure: CleverCloud Weakness Profile. Categories: Application Misconfiguration,
Insufficient Authentication, Weak Password Policies, Directory Indexing]

Key Recommendation
• Ensure username/password policies and valid usernames are not disclosed
• Remove or restrict access to sensitive files
• Modify permissions to only permit authenticated users to view sensitive data
• Enable multi-factor authentication on all accounts

[Figure: CleverCloud Risk Profile. Risk Level: Extreme, High, Medium, Low, Very Low]

Hivint – CleverCloud <Target System Name> Security Assessment 2017 | 1


Table of Contents
1. Executive Summary
2. Priority of Weakness
3. Introduction
    External Infrastructure & Web-Application Penetration Test
    AWS Vulnerability Assessment
    Internal Network Infrastructure Review
    Hosted Capture Web/API & VOIP Penetration Test
    Tokenizer API & Source Code Review & Testing
4. Detailed Findings
    4.1. External Infrastructure & Web-Application Penetration Test
        EXT-1 Insufficient Authentication: Insufficient Password Complexity
        EXT-2 Application Misconfiguration: Exposed Git Files on Web-Servers
        EXT-3 Directory Indexing: Application Resources Directory Listing Enabled
        EXT-4 Application Misconfiguration: Insufficient Framing Protection Controls
        EXT-5 Insufficient Authentication: Username Enumeration
        EXT-6 Application Misconfiguration: Web Server with Default Page Enabled
    4.2. AWS Vulnerability Assessment
        AWS-1 Insufficient Authentication: Amazon S3 – Weak Permissions
        AWS-2 Insufficient Authentication: Multi-Factor Authentication Not Enabled
        AWS-3 Weak Password Policies: Password Policy Not Defined
        AWS-4 Unencrypted AWS Volumes In-Use
        AWS-5 Amazon S3 Logging Disabled
        AWS-6 AWS EC2 Termination Protection Disabled
    4.3. Internal Network Infrastructure Review
    4.4. Hosted Capture Web/API & VOIP Penetration Test
        Test Procedure (API & VOIP)
        API-1 Application Misconfiguration: Cookie Without HttpOnly Attribute
        API-2 Application Misconfiguration: Cookie without ‘Secure’ Flag
    4.5. Tokenizer API & Source Code Review & Testing
Assessed Targets
Project Schedule
Test Methodology
    Application Security Testing – Test Cases
    Infrastructure Security Testing – Test Cases
    Security Assessment Toolset
    Time Boxing
Risk Assessment
Revision History


2. Priority of Weakness
This section provides the priority of the findings identified during the security assessment. The priority
is based on the rated risk for each security issue.

Risk       Ref.    Weakness
Medium     EXT-1   Insufficient Authentication: Insufficient Password Complexity
Medium     EXT-2   Application Misconfiguration: Exposed Git Files on Web-Servers
Medium     AWS-1   Insufficient Authentication: Amazon S3 – Weak Permissions
Medium     AWS-2   Insufficient Authentication: Multi-Factor Authentication Not Enabled
Low        EXT-3   Directory Indexing: Application Resources Directory Listing Enabled
Low        EXT-5   Application Misconfiguration: Insufficient Framing Protection Controls
Low        EXT-6   Insufficient Authentication: Username Enumeration
Low        AWS-3   Weak Password Policies: Password Policy Not Defined
Low        AWS-4   Unencrypted AWS Volumes In-Use
Low        API-1   Application Misconfiguration: Cookie Without HttpOnly Attribute
Low        API-2   Application Misconfiguration: Cookie without ‘Secure’ Flag
Very Low   EXT-7   Application Misconfiguration: Web Server with Default Page Enabled


3. Introduction
Hivint performed the following tests on CleverCloud’s PCI DSS environment using techniques
commonly used by malicious attackers.

External Infrastructure & Web-Application Penetration Test
• Passive and active reconnaissance of in-scope systems
• Automated & manual infrastructure and Web-Application testing to uncover potential
vulnerabilities in CleverCloud’s PCI DSS environment

AWS Vulnerability Assessment
• AWS configuration assessment based on AWS best practices

Internal Network Infrastructure Review
• An assessment of the OpenVAS scans performed by CleverCloud

Hosted Capture Web/API & VOIP Penetration Test
• Testing of CleverCloud’s Hosted Capture Web/API + VOIP (integrated environment) to
uncover potential issues that could be leveraged by attackers

Tokenizer API & Source Code Review & Testing
• A review of the Tokenizer source code
• Testing of the Tokenizer API


4. Detailed Findings
This section provides detailed descriptions and analysis of the security issues identified during the
security assessment of the CleverCloud PCI DSS environment.

4.1. External Infrastructure & Web-Application Penetration Test


The following security issues were identified during the External Infrastructure & Web-Application
Penetration Test.

EXT-1 Insufficient Authentication: Insufficient Password Complexity

Description Application security is fundamentally reliant on the effective implementation of
authentication controls. Insufficient authentication occurs when a web application
permits an attacker to access content or functionality without having to properly
authenticate.
Username and password pairs are used to uniquely authenticate the identity of a
user during the login process. Hivint has identified that the HCP web-application
does not enforce a complex password policy of ten (10) characters or greater. A
minimum character length of less than ten (10) characters is now considered weak
according to Open Web Application Security Project (OWASP) as detailed in the
reference below.
Furthermore, it was found that the password policy is shown to the user when
they attempt to login. This information may assist attackers in generating custom
wordlists to attack the HCP application after valid usernames have been
enumerated.

Proof of Concept
1. Navigate to the affected page.
2. Enter any username and a single character in the password field.
3. Observe the password policy displayed below the password entry textbox
indicating 8-character passwords are accepted (screenshot below):


Note: The password policy and username specifications are also disclosed in the
source code. (screenshot below):

Vulnerable page:

• https://hcp.securecapture.cloud/



Consequence Major: Weak passwords may result in user accounts being brute-forced and
unauthorised access being gained to CleverCloud systems, therefore the
consequence of this vulnerability is major.

Likelihood Rare: An attacker would still have to bypass the web application’s lock-out
mechanism so exploitation via brute-force would be rare.

Risk Medium

Remediation Open Web Application Security Project (OWASP) recommends a password length
of ten (10) characters or greater. This greatly decreases the success rate of
password guessing brute force attacks being performed against the application.

Reference(s) https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Password_Length


EXT-2 Application Misconfiguration: Exposed Git Files on Web-Servers

Description Application misconfigurations are often caused by unnecessary features enabled
by default. These default configurations, if left enabled, may provide an avenue
for attackers to bypass authentication methods, or gain unauthorised access to
CleverCloud systems.
During testing, it was discovered that HCP and API applications contain Git files
that are exposed to the internet. The exposure of these files may lead to the
unintended disclosure of application information including filenames, software
version information, configuration settings, IP addresses and user accounts.

Proof of Concept
1. Navigate to a URL from the affected URLs list
2. Observe the file contents (an example is shown in the following screenshot):

Affected URLs:

• https://api.securecapture.cloud/.git/config
• https://api.securecapture.cloud/.git/description
• https://api.securecapture.cloud/.git/HEAD
• https://api.securecapture.cloud/.git/index
• https://api.securecapture.cloud/.git/packed-refs
• https://api.securecapture.cloud/.git/logs/HEAD
• https://api.securecapture.cloud/.git/objects/7a/eb556772497a98fb0b1f3567019d8df1b84023
• https://api.securecapture.cloud/.git/objects/c2/25e21ec333d6aad432424196a0fd753dae090d
• https://api.securecapture.cloud/.git/objects/54/3f0b47afbbf01910ade7cae011bf99a7e45397
• https://api.securecapture.cloud/.git/objects/c4/1635b205eef31a44946ed516506847ee829f20
• https://api.securecapture.cloud/.git/refs/heads/master

• https://hcp.securecapture.cloud/.git/config
• https://hcp.securecapture.cloud/.git/description
• https://hcp.securecapture.cloud/.git/HEAD
• https://hcp.securecapture.cloud/.git/index
• https://hcp.securecapture.cloud/.git/packed-refs
• https://hcp.securecapture.cloud/.git/logs/HEAD
• https://hcp.securecapture.cloud/.git/objects/2b/0c2dc6ac8fefad2c2002baab276813b438467c
• https://hcp.securecapture.cloud/.git/objects/01/a7561fc6e4ec65d7b9df068b0db9b4f67b1b1a
• https://hcp.securecapture.cloud/.git/objects/67/883539f1057bd5323ef463fb9d564fe66567df
• https://hcp.securecapture.cloud/.git/objects/37/6df3204db6d927c5e59b397122262ef44e60ac
• https://hcp.securecapture.cloud/.git/objects/ba/3b71f569a9a2857e321f47f74d9b5f814e7b51
• https://hcp.securecapture.cloud/.git/objects/e1/c63694a5e914ec3d2afd525bca97934c78d26e
• https://hcp.securecapture.cloud/.git/refs/heads/master
• https://hcp.securecapture.cloud/.git/objects/a6/cdc2b6cb574c3fd231f6b7aa2d51f428a2b5fa

• https://tokenserver.securecapture.cloud/.gitignore

Consequence Moderate: The contents disclosed in default application files could assist
attackers in crafting targeted attacks against web-applications and users. But due
to time constraints a thorough analysis was not possible.

Likelihood Possible: Attackers often use automated scripts and tools to discover default
application files so enumeration of these URLs is trivial.

Risk Medium

Remediation Disable access to the files or remove the files if they are not required.

Reference(s) Apache documentation on how to implement .htaccess restrictions on directories:
https://httpd.apache.org/docs/2.4/howto/htaccess.html
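
The remediation for EXT-2 can be enforced before release with a check like the following, an added example that is not part of the Hivint report or of CleverCloud's code. It walks a web document root and lists version-control metadata that would become URL-reachable; the sample tree and every name other than `.git` and `.gitignore` are assumptions made for the example.

```python
import os
import tempfile

# Version-control metadata that should never sit under a web root.
# ".git" and ".gitignore" are the names in this finding; the rest are
# common equivalents added for this example (assumption).
VCS_NAMES = {".git", ".gitignore", ".gitmodules", ".svn", ".hg"}


def _url_path(docroot, path):
    """Map a filesystem path under docroot to the URL path it is served at."""
    rel = os.path.relpath(path, docroot)
    return "/" + rel.replace(os.sep, "/")


def find_vcs_artifacts(docroot):
    """Return the sorted URL paths of VCS metadata found under docroot."""
    hits = []
    for current, dirs, files in os.walk(docroot):
        for name in list(dirs):
            if name in VCS_NAMES:
                hits.append(_url_path(docroot, os.path.join(current, name)) + "/")
                dirs.remove(name)  # report the directory once, do not descend
        for name in files:
            if name in VCS_NAMES:
                hits.append(_url_path(docroot, os.path.join(current, name)))
    return sorted(hits)


def build_sample_docroot(base):
    """Create a constructed sample tree that mimics a deployed Git checkout."""
    os.makedirs(os.path.join(base, ".git", "refs", "heads"))
    os.makedirs(os.path.join(base, "icons"))
    for rel in (".git/config", ".git/HEAD", ".gitignore",
                "index.php", "icons/logo.png"):
        with open(os.path.join(base, *rel.split("/")), "w") as handle:
            handle.write("sample\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in find_vcs_artifacts(build_sample_docroot(tmp)):
            print("remove or block before deploy:", hit)
```

Run against the release directory in a build pipeline, a non-empty result is a reason to fail the deployment.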



EXT-3 Directory Indexing: Application Resources Directory Listing Enabled

Description During testing, Hivint discovered directory indexing to be enabled on the HCP
and API web-servers. Directory indexing may provide an attacker with
information that could be used to launch attacks against web-applications,
application users or other systems operated by CleverCloud. Although the files
identified included only image files and icons, it is strongly recommended to
disable directory listing for all applications.

Proof of Concept
1. Browse to a vulnerable path (as shown below).
2. Observe the listing of the corresponding directory.
The following screenshot demonstrates a listing of image files and icons on an
affected application:

Vulnerable paths:

• https://hcp.securecapture.cloud/icons/
• https://api.securecapture.cloud/icons/

Consequence Minor: Disclosure of these icons and image files may assist attackers in crafting
attacks against the API and HCP web-servers as the files indicate the web-server
is running an instance of Apache web-software. However, vulnerabilities in the
software would need to be found prior to an attacker being able to exploit these
systems.


Likelihood Possible: Directory indexing is a common web-application security issue and
identifying listable directories is trivial.

Risk Low

Remediation Disallow directory indexing on all application directories on all web-servers.
Modify the .htaccess file to prevent unauthorised users from accessing
application resources:
Options -Indexes

Reference(s) http://httpd.apache.org/docs/trunk/mod/mod_dir.html#directoryindex



EXT-4 Application Misconfiguration: Insufficient Framing Protection Controls

Description Application misconfigurations are usually caused by unnecessary features enabled
by default and may provide an avenue for attackers to bypass authentication
methods or gain access to sensitive information.
Hivint identified CleverCloud hosts that do not have framing protection
implemented. Framing protection is required to ensure an attacker cannot frame
a website within an untrusted, third-party domain. Attackers often use 'click-jacking'
attacks (e.g. framing a target website within their own website) to trick
users into entering their credentials or other sensitive information which are then
captured by the attacker.

Proof of Concept
1. Retrieve application headers using the curl command:
curl -k -I https://hcp.securecapture.cloud
2. Observe the lack of framing policies in the application response, e.g. 'X-Frame-Options'
(screenshot below):

The screenshot below demonstrates the application framed within a third party
untrusted domain:


HTML source: <iframe src="https://hcp.securecapture.cloud">
Vulnerable path(s):

• https://hcp.securecapture.cloud

Consequence Minor: A lack of framing policies enables 'click-jacking' attacks where an attacker
may cause a user to unwittingly perform actions within the application, on behalf
of the attacker. This is often caused by the vulnerable application being loaded in
an invisible ‘iframe’ and may result in unauthorised access to the application and
other sensitive information.

Likelihood Unlikely: An attacker would need to trick a user with valid credentials to login
from a third-party domain where the site has been framed.

Risk Low

Remediation Configure the application to return the ‘X-Frame-Options’ header in the
application response.
X-Frame-Options: DENY – prevents framing of the application
X-Frame-Options: SAMEORIGIN – allows framing of application pages of the same
origin as the response

Reference(s) https://www.owasp.org/index.php?title=Clickjacking_Defense_Cheat_Sheet
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
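
To verify the EXT-4 fix after deployment, the header block printed by `curl -I` can be evaluated automatically. The following is an added example, not part of the Hivint report; the sample responses are constructed, and the check for the Content-Security-Policy `frame-ancestors` directive goes beyond the report, which names only X-Frame-Options.

```python
VALID_XFO = {"DENY", "SAMEORIGIN"}
# frame-ancestors sources that let effectively any site frame the page.
BROAD_SOURCES = {"*", "http:", "https:"}


def parse_headers(raw):
    """Parse `curl -I` output into {lowercase header name: [values]}."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                           # a blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def framing_verdict(raw):
    """Return (protected, detail) for one raw HTTP response header block."""
    headers = parse_headers(raw)
    # Browsers that support frame-ancestors apply it in preference to
    # X-Frame-Options, so it is evaluated first.
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.lower() for s in parts[1:]]
                if BROAD_SOURCES.intersection(sources):
                    return False, "frame-ancestors allows any origin"
                return True, "frame-ancestors " + (" ".join(sources) or "'none'")
    xfo = {value.upper() for value in headers.get("x-frame-options", [])}
    if len(xfo) == 1 and xfo <= VALID_XFO:
        return True, "X-Frame-Options " + xfo.pop()
    if xfo:
        return False, "X-Frame-Options value not DENY or SAMEORIGIN"
    return False, "no framing policy returned"


# Constructed sample responses (not captured from the assessed hosts).
NO_POLICY = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
SAMEORIGIN = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
CSP_NONE = ("HTTP/1.1 200 OK\r\nContent-Security-Policy: "
            "default-src 'self'; frame-ancestors 'none'\r\n\r\n")
BAD_VALUE = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("no policy", NO_POLICY), ("sameorigin", SAMEORIGIN),
                       ("csp none", CSP_NONE), ("bad value", BAD_VALUE)):
        print(label, framing_verdict(raw))
```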



EXT-5 Insufficient Authentication: Username Enumeration

Description Application security is reliant on the effective implementation of authentication
controls. Insufficient authentication processes that leak username information,
for example, allow an attacker to perform a targeted attack against the
authentication mechanism.
The HCP application responds differently when a valid and invalid username is
submitted. This may allow attackers to perform username enumeration attacks
against the HCP application to discover valid usernames which could then be
bruteforced or leveraged to gain access to CleverCloud systems.

Proof of Concept
Manual Attack Example:
1. Navigate to the vulnerable page.
2. Attempt to login with an invalid user account and observe the error message
“Invalid username. (error code: 404)” indicating the username is invalid
(screenshot below).

Automated Attack Example (Burp Suite):
1. Start Burp Suite and intercept an application login attempt using any
username/password combination
2. Send the request to the intruder module and attack the application with a list
of usernames
3. Sort the results by size and observe the application response size of 741-bytes
if a successful username is found.
The following screenshot shows successful enumeration of the username
“andrew”:


Vulnerable page:
• https://hcp.securecapture.cloud/

Consequence Minor: The disclosure of usernames does not lead to a direct compromise of the
application but may assist attackers in performing targeted attacks against
application users such as password guessing attacks and social engineering
attacks. Successful password guesses and phishing attacks may allow an attacker
to gain unauthorised access to the application and CleverCloud systems.

Likelihood Possible: Tools and browser-plugins are publicly available to aid in enumerating
valid accounts in a short amount of time, therefore it is possible for this type of
attack to occur.

Risk Low

Remediation Configure the application to return generic messages during the
login/authentication process.

Reference(s) N/A
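
The EXT-5 remediation is shown below as an added example that is not the HCP application's code: a login handler that leaks account existence next to one that returns an identical status and body for an unknown user and for a wrong password. The user store, the "Invalid password." and "Welcome." strings, the status codes and the PBKDF2 parameters are assumptions; only the "Invalid username. (error code: 404)" message comes from the report.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the example


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


# Constructed user store with one sample account.
USERS = {"alice": make_user("constructed-sample-password")}

# Placeholder record used for unknown usernames so the hardened handler does
# the same hashing work either way; its random hash matches no password.
DUMMY_USER = {"salt": os.urandom(16), "hash": os.urandom(32)}


def login_vulnerable(username, password):
    """Behaviour described in the finding: distinct answer per failure cause."""
    user = USERS.get(username)
    if user is None:
        return 404, "Invalid username. (error code: 404)"
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return 401, "Invalid password."
    return 200, "Welcome."


def login_hardened(username, password):
    """Same status, same body and same hashing cost for every failure."""
    user = USERS.get(username, DUMMY_USER)
    matches = hmac.compare_digest(_hash(password, user["salt"]), user["hash"])
    if matches and username in USERS:
        return 200, "Welcome."
    return 401, "Invalid username or password."


def distinguishable(login, known_user, unknown_user):
    """True if a failed login reveals whether the username exists."""
    return login(known_user, "wrong-guess") != login(unknown_user, "wrong-guess")


if __name__ == "__main__":
    print("vulnerable leaks usernames:",
          distinguishable(login_vulnerable, "alice", "nobody"))
    print("hardened leaks usernames:",
          distinguishable(login_hardened, "alice", "nobody"))
```

Because the finding was detected by response size, a regression test should compare the full response, headers and body length included, not only the visible message.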



EXT-6 Application Misconfiguration: Web Server with Default Page Enabled

Description Application misconfigurations are often caused by unnecessary features enabled
by default. These default configurations such as enabling default web server
pages, may provide an avenue for attackers to gain system information.
During testing, Hivint identified that multiple default web-application pages were
present. Default pages are often used by attackers to infer what software may be
present on a web-server. This information could then be leveraged to perform
targeted attacks against the web-applications, application users and the web-server.

Proof of Concept
1. Navigate to a vulnerable page.
2. Observe the information disclosed.
The following screenshot displays a default Apache Icons README page found
during testing:

Affected page(s):

• https://api.securecapture.cloud/icons/README
• https://hcp.securecapture.cloud/icons/README

Consequence Insignificant: Default web pages cannot be leveraged directly to compromise
the web server. The internal server information disclosed, however, may aid an
attacker in crafting targeted attacks against the web server and application.


Likelihood Possible: Enabling default web server pages is a common configuration issue.
There is a possible likelihood that an application user will come across a default
web page while interacting with the application.

Risk Very Low

Remediation Disable the default web server pages. Additionally, uninstall all default sample
pages.

Reference(s) N/A



4.2. AWS Vulnerability Assessment
The following security issues were identified during the AWS Vulnerability Assessment.

AWS-1 Insufficient Authentication: Amazon S3 – Weak Permissions

Description During testing, it was found that the permissions for two Amazon S3 instances
permitted read/write access to unauthenticated users and read access to
everyone. It is recommended to review these instances to ensure these
permissions have been configured correctly and adjust where necessary.

Proof of Concept
1. Login to the AWS Console Auditor Access by navigating to
https://711199061232.signin.aws.amazon.com/console
2. Change the region to “Asia Pacific (Sydney)”
3. Navigate to the S3 configuration page and select one of the affected instances,
e.g. “clevercloud-scap-report” and observe the potentially weak permissions
(screenshot below):
4. Click on “objects” to observe a listing of the files available to external users
without authentication. The naming convention suggests the internal IP structure
of CleverCloud machines (screenshot below):
5. Click on one of the html links (e.g. “ip-10-100-110-168-scap-report.html”) and
observe the publicly accessible URL (screenshot below):
6. Click on the link to view the publicly disclosed data (screenshot below):


Affected S3 Instances:

• clevercloud-scap-report
• clevercloud-doc

Consequence Moderate: The information disclosed appears to be a compliance scan report
containing the internal IP structure of CleverCloud machines along with machine
configuration data and compliance scoring information. If a machine was to
contain a high-risk vulnerability an attacker would be able to potentially view and
exploit the machine.
Note: Due to time constraints, the information could not be thoroughly examined.

Likelihood Possible: Since the information is publicly accessible it is possible for an attacker to
access these reports.

Risk Medium

Remediation Modify the permissions to only permit access to users that require this data.
Review permissions for all S3 instances and ensure no sensitive information is
disclosed.

Reference(s) https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
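
The permission review recommended for AWS-1 can be automated by inspecting each bucket's ACL for grants to the two global S3 groups. This is an added example, not part of the Hivint report: the bucket names and ACL contents are constructed, the dictionaries follow the shape that boto3's `get_bucket_acl` returns, and the `can_modify` flag is this example's own labelling. Bucket policies can also grant public access and are not covered here.

```python
# Predefined S3 groups whose grants expose a bucket beyond the account.
GLOBAL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers":
        "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers":
        "any AWS account holder",
}
# ACL permissions that allow changing bucket contents or the ACL itself.
MODIFYING = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_grants(acl):
    """Return one finding per ACL grant made to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = GLOBAL_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and audience:
            permission = grant.get("Permission", "")
            findings.append({
                "audience": audience,
                "permission": permission,
                "can_modify": permission in MODIFYING,
            })
    return findings


def audit_acls(acls):
    """Map bucket name -> findings, listing only buckets with public grants."""
    report = {}
    for bucket, acl in acls.items():
        found = public_grants(acl)
        if found:
            report[bucket] = found
    return report


def _group(uri, permission):
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": permission}


_OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
          "Permission": "FULL_CONTROL"}
_ALL = "http://acs.amazonaws.com/groups/global/AllUsers"
_AUTH = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample ACLs; bucket names are placeholders.
SAMPLE_ACLS = {
    "example-scap-report": {"Grants": [
        _OWNER, _group(_AUTH, "READ"), _group(_AUTH, "WRITE"),
        _group(_ALL, "READ"),
    ]},
    "example-private": {"Grants": [_OWNER]},
}

if __name__ == "__main__":
    for bucket, findings in audit_acls(SAMPLE_ACLS).items():
        for finding in findings:
            print(bucket, finding)
```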



AWS-2 Insufficient Authentication: Multi-Factor Authentication Not Enabled

Description During testing, Hivint identified that multi-factor authentication is not enabled in
the AWS configuration / identity access and management settings. Multi-factor
authentication increases the security of the user authentication process by
confirming multiple forms of information and not relying on only usernames and
passwords for authentication. An example of a multi-factor mechanism is a
hardware device with a code that changes at a pre-defined interval.

Proof of Concept
1. Login to AWS and navigate to the “Identity Access & Management” (link -
https://711199061232.signin.aws.amazon.com/console)
2. Observe the activate MFA warning message as shown in the following
screenshot:

Consequence Moderate: If an attacker were to phish or intercept valid AWS user credentials
they may be able to login and modify machine configuration, and/or access
sensitive company and user data.

Likelihood Possible: Due to the prevalence of phishing/social engineering attacks, it may be
possible for an attacker to obtain valid user credentials.

Risk Medium

Remediation Activate and enforce multi-factor authentication on the “Identity and Access
Management” settings page.

Reference(s) https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf



AWS-3 Weak Password Policies: Password Policy Not Defined

Description CleverCloud’s Amazon Web Services (AWS) Identity and Access Management
(IAM) user account password policies are defined by the organisation and should
specify complexity requirements and mandatory rotation periods.
The assessed infrastructure does not have a defined policy for IAM user
passwords.

Proof of Concept
1. Login to AWS and navigate to the “Identity Access & Management” (link -
https://711199061232.signin.aws.amazon.com/console)
2. Observe the activate “Apply an IAM password policy” warning message as
shown in the following screenshot:

Consequence Minor: This vulnerability will not lead to a direct compromise of the assessed
system. However, successful password guessing brute-force attacks will result in
unauthorised access to the CleverCloud’s AWS resources.

Likelihood Unlikely: This requires a malicious attacker to successfully perform a password
guessing brute-force or dictionary attack. The probability of the success of the
attack increases with weak passwords and no defined password policy. However,
attackers would need to first gain access to the AWS management console.

Risk Low

Remediation AWS account password policies should be reviewed to ensure the AWS
recommended password policy values listed below are applied.
• Maximum password age (recommended value <= 90)
• Minimum password length (recommended value >= 8)
• Password expiration enabled
• Passwords meet complexity requirements (require lowercase, uppercase,
numeric and special characters)

Reference(s) https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html


AWS-4 Unencrypted AWS Volumes In-Use

Description During testing, Hivint identified multiple unencrypted AWS volumes appear to be
in-use. An absence of full-disk-encryption may allow attackers to retrieve data if
the un-encrypted volumes were accessed. It is therefore recommended to enable
encryption for all volumes and review internal encryption requirements for all
storage devices.

Proof of Concept
1. Login to the AWS Console Auditor Access page and navigate to the storage
configuration settings.
2. Observe the un-encrypted volumes as shown in the following screenshot:

Consequence Moderate: If corporate/customer data is stored on un-encrypted volumes an
attacker may be able to retrieve potentially sensitive information if they were to
gain access to the un-encrypted volumes.

Likelihood Rare: An attacker would first have to gain access to CleverCloud’s AWS services to
access the un-encrypted volumes by intercepting credentials or using social
engineering attacks.

Risk Low

Remediation Enforce encryption on all volumes and review internal encryption requirements
and policies.
Ensure sensitive data is never stored on un-encrypted storage devices.

Reference(s) N/A



AWS-5 Amazon S3 Logging Disabled

Description During Hivint’s review of the AWS S3 configuration it was found that logging was
disabled on all S3 storage buckets. It is recommended to enable logging in order to
track requests for access to AWS S3 buckets.

Proof of Concept
1. Login to the AWS console and navigate to the S3 configuration settings
2. Select ‘properties’ and observe ‘disable logging’ is selected as shown in the
following screenshot:

Affected hosts(s):

• config-bucket-711199061232
• clevercloudvideo
• clevercloud-vm-migration
• clevercloud-scap-report
• clevercloud-doc
• clevercloud-cloudtrail
• clevercloud-aws-config
• clevercapture-logs
• cf-templates-6wzrefd8dvqh-ap-southeast-2

Consequence Minor: Although an absence of logging will not lead to a compromise of any
machines, a lack of logging and regular log-reviews may allow changes to S3
instances to go un-noticed.

Likelihood N/A

Risk Low

Remediation Activate logging by enabling logging in the S3 Management Console.

Reference(s) AWS Access Logging Documentation:
https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf


AWS-6 AWS EC2 Termination Protection Disabled

Description During the AWS assessment component of the security assessment, Hivint
discovered that Termination Protection is disabled on EC2 instances. Termination
protection is used to protect EC2 instances against accidental termination which
could lead to data-loss.

Proof of Concept
1. Login to the AWS console and navigate to the EC2 instances page
2. Right-click an EC2 instance and select “Change Termination Protection” to view
the termination settings as shown below:

Consequence Moderate: A lack of termination protection may allow EC2 instances to be
terminated if access to CleverCloud’s AWS services was gained by a malicious
attacker.

Likelihood Rare: An attacker would first need to gain access to CleverCloud’s AWS services to
terminate EC2 instances by intercepting credentials or using social engineering
attacks.

Risk Low

Remediation Enable termination protection for all EC2 instances.

Reference(s) https://aws.amazon.com/premiumsupport/knowledge-center/accidental-termination/

4.3. Internal Network Infrastructure Review
The Internal Network Infrastructure Review consisted of examining the results of an OpenVAS scan
as performed by CleverCloud prior to the security assessment.

The scan performed by CleverCloud included machines in the range of IP addresses 10.100.x.x
(screenshot below):

Examination of the results of the scan demonstrated no High, Medium or Low security issues but 200
log-level issues were reported (as per OpenVAS screenshot below):

The log-level issues were reviewed and contained only the presence of open ports such as SSH (port
22), HTTP/HTTPS services (ports 80/443/8443) and RPC (port 111). Due to time constraints, a
thorough review and rescan was not performed.

4.4. Hosted Capture Web/API & VOIP Penetration Test
The Hosted Capture Web/API & VOIP Penetration Test involved testing of the Soft Phone and Hosted
Capture Web/API components to ensure PCI DSS requirements are met.

Test Procedure (API & VOIP)

The procedure for testing the API & VOIP system included the following steps:
1. Load the Zoiper application and add the account from
https://clevercloud-doc.s3.amazonaws.com/Clevercloud%20Pentest%20Guide.html
2. Dial trunk line from mobile phone - +612 91881942, select option 2
3. Receive call in Zoiper client
4. Navigate to URL: https://hcp.securecapture.cloud/hcp_testpages/ipsi.php
5. Enter 'short code' which is the mobile phone number that was used in Step 2
6. Click start to accept input
7. Enter card digits on mobile phone to capture in URL above

The test process was repeated several times, and Wireshark captures and intercepting proxy tests
were performed to simulate the steps an attacker would take to exploit the system or gain access to
sensitive data.

During testing, no non-compliant PCI DSS data was disclosed and all credit card fields were masked
appropriately. The only security issues identified during testing were an SSL cookie without the
Secure flag set and a cookie without the HttpOnly flag set, as described on the following pages.

API-1 Application Misconfiguration: Cookie Without HttpOnly Attribute

Description Cookies are used by the CleverCloud Hosted Capture application to uniquely
identify an authorised user’s application session. The Hosted Capture application
does not set the ‘HttpOnly’ attribute on the ‘PHPSESSID’ cookie when sending the
cookie within an HTTP response. This enables the cookie to be read by
untrusted scripts and could be leveraged by an attacker in a Cross-Site Scripting
(XSS) attack. An attacker could use this cookie to hijack an application user’s
session and gain unauthorised access to the Hosted Capture application and API.

Proof of Concept
1. Authenticate to the Hosted Capture application using a web browser with a web
interception proxy.
2. Observe the lack of the ‘HttpOnly’ attribute in the ‘PHPSESSID’ cookie in the
application response.
Vulnerable path:
https://hcp.securecapture.cloud/api.php/hosted_payment/process
Sample cookie:
Domain: hcp.securecapture.cloud
Cookie Name: PHPSESSID
Value: 8hv9uvpnv4mnlsb2n3oeh3c2o7
Path: /
httpOnly: False

Consequence Moderate: The retrieval of the sensitive ‘PHPSESSID’ cookie from an authenticated
user’s session would result in an attacker being able to hijack the valid user’s
session and gain unauthorised access to the Hosted Capture application.

Likelihood Rare: Exploitation of this security issue is a two-step process that would require an
additional vulnerability to be present, such as a Cross-Site Scripting vulnerability, and
a malicious attacker to successfully trick an authenticated CleverCloud Hosted
Capture application user into viewing a malicious link.

Risk Low

Remediation Configure the application to send the ‘HttpOnly’ attribute for all sensitive
application cookies.

Reference(s) https://www.owasp.org/index.php/HttpOnly

API-2 Application Misconfiguration: Cookie without ‘Secure’ Flag

Description Cookies are used by the CleverCloud Hosted Capture application to uniquely
identify an authorised user’s application session. The CleverCloud Hosted Capture
application does not set the ‘Secure’ flag on the ‘PHPSESSID’ cookie when sending
the cookie within an HTTP response. This may result in the cookie being disclosed
during transmission to an attacker in a Man-in-the-Middle (MitM) attack scenario
or from an attacker leveraging a Cross-Site Scripting (XSS) vulnerability. An
attacker could use this cookie to hijack an application user’s session and gain
unauthorised access to the CleverCloud Hosted Capture application.

Proof of Concept
1. Authenticate to the CleverCloud Hosted Capture application using a web
browser with a web interception proxy.
2. Observe the lack of the ‘Secure’ flag in the ‘PHPSESSID’ cookie in the application
response (as shown in the following screenshot):

Consequence Moderate: The retrieval of the sensitive ‘PHPSESSID’ cookie from an authenticated
user would result in an attacker being able to hijack the valid user’s session and
gain unauthorised access to the CleverCloud Hosted Capture application.

Likelihood Rare: Exploitation of this security issue is a two-step process that requires an
attacker to be strategically located within the communication path of an
authenticated client and the CleverCloud Hosted Capture application web server.
Alternatively, the attacker is required to successfully coerce an application user
into requesting an unencrypted connection.

Risk Low

Remediation Configure the application to send the ‘Secure’ flag for all sensitive application
cookies.

Reference(s) https://www.owasp.org/index.php/SecureFlag
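
The check behind findings API-1 and API-2 can be repeated against captured response headers after remediation. The following is an added example, not part of the original report or the tester's tooling; the header samples, the session value and the function names are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the attributes named in
# findings API-1 (HttpOnly) and API-2 (Secure). All sample data is constructed.

SENSITIVE_COOKIES = {"PHPSESSID"}           # session cookie named in the findings
REQUIRED_ATTRIBUTES = ("httponly", "secure")


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, cookie value, attributes)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            # Attribute names are case-insensitive (HttpOnly, httponly, ...).
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def audit_response(raw_headers, sensitive=SENSITIVE_COOKIES):
    """Return (cookie name, missing attribute) pairs for sensitive cookies."""
    findings = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if name in sensitive:
            findings.extend(
                (name, attr) for attr in REQUIRED_ATTRIBUTES if attr not in attrs
            )
    return findings


# Constructed response resembling the one described in the findings.
AS_REPORTED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=constructedsessionvalue; path=/\r\n"
    "Set-Cookie: lang=en; path=/\r\n"
)

# Constructed response after the recommended remediation.
REMEDIATED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=constructedsessionvalue; path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: lang=en; path=/\r\n"
)

if __name__ == "__main__":
    for label, response in (("as reported", AS_REPORTED), ("remediated", REMEDIATED)):
        print(label, audit_response(response))
```

For a PHP application the two attributes on the session cookie are normally controlled by the `session.cookie_httponly` and `session.cookie_secure` settings.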

4.5. Tokenizer API & Source Code Review & Testing
The Tokenizer API & Source Code Review & Testing included testing of the Tokenizer API using Curl &
Python and reviewing the source code using code review tools such as RIPS.

Tokenizer API Test

Testing of the Tokenizer API involved the use of Wireshark to ensure all communications were sent
securely. Due to time constraints, thorough testing could not be performed but results concluded no
credit card data was sent insecurely.

An example of a test performed is as follows:

1. Start a running capture in Wireshark and issue an API call with customer credit card details (as
shown below):

2. Observe the application response with tokenised data (screenshot below):

3. Search the Wireshark capture for credit card details to confirm no credit card info has been
transmitted insecurely.
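
Step 3 can be scripted so that the search also catches card numbers written with spaces or hyphens. The following is an added example, not the tester's tooling: it assumes payload bytes have already been exported from the capture, and the sample payloads (including the widely used test number 4111 1111 1111 1111) are constructed inputs.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
CANDIDATE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        digit = int(char)
        if position % 2 == 1:       # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def find_pans(payload):
    """Return (offset, masked number) for each Luhn-valid candidate in payload."""
    hits = []
    for match in CANDIDATE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", match.group()).decode("ascii")
        if luhn_valid(digits):
            # Keep only the first six and last four digits so that recording
            # a hit does not itself store the full number.
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            hits.append((match.start(), masked))
    return hits


# Constructed payload: a request sent in cleartext, with a test card number
# and a 16-digit order number that is not a valid card number.
CLEARTEXT_REQUEST = (
    b"POST /tokenize HTTP/1.1\r\nHost: tokenizer.example\r\n\r\n"
    b"card=4111 1111 1111 1111&order=1234567890123456"
)

# Constructed payload: a tokenised response that carries no card number.
TOKENISED_RESPONSE = b'{"token": "tok_constructed_0001", "last4": "1111"}'

if __name__ == "__main__":
    for label, payload in (("request", CLEARTEXT_REQUEST),
                           ("response", TOKENISED_RESPONSE)):
        print(label, find_pans(payload))
```

Hits can only appear where the payload is readable, so traffic protected by TLS yields none, which is the result the test above is looking for.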

Tokenizer Code Review

Review of the source code involved the use of the RIPS PHP code review tool and a brief manual
review.

RIPS was configured to scan for all available vulnerabilities that included the OWASP Top 10
(screenshot below):

Results of testing returned a single, potential Cross-Site Scripting Vulnerability (screenshot below):

CleverCloud was advised of this potential vulnerability but an exploit could not be found on the
tokenizer server - https://tokenserver.securecapture.cloud

Assessed Targets
As part of CleverCloud’s security assurance process, the following systems were assessed to determine
the security posture of CleverCloud’s PCI DSS environment.

• External Infrastructure & Web-Application Penetration Test
  o api.securecapture.cloud
  o hcp.securecapture.cloud

• AWS Vulnerability Assessment
  o AWS configuration

• Internal Network Infrastructure Review
  o Review of OpenVAS vulnerability scan

• Hosted Capture Web/API & VOIP Penetration Test
  o https://hcp.securecapture.cloud/hcp_testpages/ipsi.php
  o VOIP System (via Zoiper)

• Tokenizer API & Source Code Review & Testing
  o Code review of source code contained within cctokenizer.zip
  o Testing of Tokenizer API at https://tokenserver.securecapture.cloud

Project Schedule
The following is the Hivint security assessment schedule and roles and responsibilities for this
engagement:

Date                        Name            Role and Responsibility

10 April 2017               Barry Grek      Project Management
10 Apr 2017 – 13 Apr 2017   Taran Dhillon   Technical Security Testing
10 Apr 2017 – 13 Apr 2017   Lily Chau       Quality Assurance

Test Methodology
Application Security Testing – Test Cases
Our core application security testing model is based around the WASC Threat Classification view of
Weaknesses. This approach allows for the key issues with web applications to be analysed, while
ensuring that an ‘all threats’ approach is taken as to how that weakness could arise.

Ref.   Weakness                                  OWASP Top 10 X-Ref¹

AW1    Application/Server Misconfiguration       2013-A5 – Security misconfigurations
AW2    Directory Indexing                        2007-A6 – Information Leakage
AW3    Improper Filesystem Permission            2013-A5 – Security misconfigurations
AW4    Improper Input Handling                   2013-A1 – Injection
                                                 2013-A3 – Cross-Site Scripting (XSS)
AW5    Improper Output Handling                  2013-A1 – Injection
                                                 2013-A3 – Cross-Site Scripting (XSS)
                                                 2013-A10 – Unvalidated Redirects and Forwards
AW6    Information Leakage                       2007-A6 – Information Leakage
AW7    Insecure Indexing                         2013-A5 – Security misconfigurations
                                                 2007-A6 – Information Leakage
AW8    Insufficient Anti-automation              2013-A2 – Broken Authentication and Session Management
                                                 2007-A6 – Information Leakage
AW9    Insufficient Authentication               2013-A2 – Broken Authentication and Session Management
                                                 2013-A6 – Sensitive Data Exposure
                                                 2013-A8 – Cross-Site Request Forgery (CSRF)
AW10   Insufficient Authorisation                2013-A2 – Broken Authentication and Session Management
                                                 2013-A4 – Insecure Direct Object References
                                                 2013-A6 – Sensitive Data Exposure
                                                 2013-A7 – Missing Function Level Access Control
AW11   Password Circumvention                    2013-A2 – Broken Authentication and Session Management
AW12   Insufficient Process Validation           -
AW13   Insufficient Session Expiration           2013-A2 – Broken Authentication and Session Management
AW14   Insufficient Transport Layer Protection   2013-A5 – Security Misconfiguration
                                                 2013-A9 – Using Components with Known Vulnerabilities
AW15   Insufficient Auditing and Logging         -

¹ The Open Web Application Security Project (OWASP):
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Application security assessment is generally conducted through some combination of design review,
code review, and application penetration testing.

Hivint has developed an application testing methodology that can be adapted to a range of security
testing targets and with consideration of a range of industry leading benchmarks and approaches:

• Open Source Security Testing Methodology Manual (OSSTMM) v3

• SANS/MITRE Common Weakness Enumeration (CWE) Top 25

• Open Web Application Security Project (OWASP) Top 10 Vulnerabilities

• Web Application Security Consortium (WASC)


Through building our methodology around Weaknesses rather than Attacks, we can ensure that the
methodology remains relevant for a broad spectrum of system types.

We conduct our testing using a structured approach. Our testing process involves initial application
and system familiarisation – that is, getting a thorough understanding of how the system works, how
the security elements are intended to operate, and the key business logic underpinning any core
transactional functionality – followed by in-depth and comprehensive assessment of the web
application itself.

Infrastructure Security Testing – Test Cases


Ref. Weakness

IW1 Software Flaws

IW2 System Misconfiguration (Servers)

IW3 System Misconfiguration (Security Devices)

IW4 Information Leakage

Infrastructure penetration testing involves attempts to compromise a target system using the same
techniques commonly used by malicious attackers, focused on infrastructure components such as
servers, operating systems, network and security devices.

Our infrastructure security assessment process uses a localised scanning system, and runs a series of
scans to identify key infrastructure security issues as detailed in the test cases above. Based on the
data identified from these scans, additional testing is conducted to provide concrete demonstration
of vulnerability and removal of false positives. This usually follows the process below:

• Network Discovery: The purpose of this step is to discover and map out the local
infrastructure of the target network. At the end of the network discovery, the penetration
tester should have a basic layout of the local network infrastructure.

• Target Identification: This step aims to identify a host of interest. This is usually a specific IP
range, or a single host/server with many available open ports and corresponding services. At
the completion of the target identification step, the penetration tester will have identified a
specific target that is most likely to allow penetration of the target network. This may
sometimes include additional infrastructure, such as additional subnets, that were discovered
during the detailed assessment and analysis.

• Vulnerability Assessment: This step includes detailed assessment and analysis of the security
posture of the identified target. This includes assessing and analysing the services and
software packages running on the identified network, and vulnerabilities that are commonly
found on them.

• Vulnerability Exploitation: This step requires that the penetration tester perform manual
verifications of the vulnerabilities that are commonly found on the available services on the
target system. This usually includes attempts to bypass security controls, or to take advantage
of their absence, to perform unauthorised and most often unauthenticated transactions with
the vulnerable services identified in the previous step.

• Network Penetration: Successful exploitation of the identified vulnerabilities will allow
unauthorised penetration of the local network infrastructure and subsequent privilege
escalation activities to access sensitive data and functionality.

Security Assessment Toolset


Security assessment tools are software applications that are designed to assist in identification of
security vulnerabilities, reducing the time and effort to execute repeat processes. The following tools
were used during the security assessment:

• Burp Suite Pro web interception proxy

• Nessus Professional vulnerability scanner

• Nmap network security scanner

• Metasploit exploitation toolkit

• Wireshark network analysis tool

• Nikto web application vulnerability scanner

• Dirsearch directory brute forcing tool

• Dirbuster directory brute forcing tool

• DVCS-Ripper – Git Repo Ripper

Time Boxing
Many applications would require an unfeasibly large amount of testing to provide coverage of all
functions within the application with respect to all user types and the permutations of such users and
access. This is particularly the case for systems with a high number of user types and/or privilege levels
(as testing every permutation of one account’s ability to interact with every other account can create
hundreds, or thousands, of such permutations).

As a result, most tests are effectively “time boxed”, which means that a set amount of time is allocated
for testing based on the assessed risk presented by the application and the budget available, and
within that time, test tasks are prioritised based on the areas of highest risk – both the most likely
vulnerabilities to exist; and those that would cause the greatest harm.

The environment provisioned for the security assessment will influence the results of the test. Where
a fragile and sensitive environment is used and where network access controls are present, it may be
necessary to take a ‘gentler’ approach to the test with a corresponding reduction in the level of
coverage able to be achieved in a certain time period. If specific load constraints of the system are
known, please provide us with the accepted rate limiting or other restrictions in place during testing.

In the test conducted against CleverCloud’s PCI DSS environment, the following test types or
system areas were not able to be comprehensively tested in the available time:

• Thorough testing of API components including: SOAP & Tokenizer

• In-depth fuzzing of CleverCloud web-applications and API components

• Rescan of internal network infrastructure with OpenVAS

• Thorough review of CleverCloud source-code

Risk Assessment
The ISO (International Organization for Standardization) 31000 series is a family of risk management
standards used widely within various industries as a guideline to internal or external audit
programmes. The security assessment adopts the ISO 31000 risk assessment approach, incorporating
risk assessment concepts from the MITRE organisations. These form the risk ratings assessed in this
report. The following tables describe the likelihood, consequence and resulting risk
rating used in this security assessment.

The interpretation of the likelihood of an event occurring is described as per below:

Likelihood Rating   Interpretation

Almost certain      The event is expected to occur.
                    (e.g. 1 incident every month)
Likely              The event will probably occur.
                    (e.g. 1 incident every 6 months)
Possible            The event should occur at some time.
                    (e.g. 1 incident every year)
Unlikely            The event could occur at some time.
                    (e.g. 1 incident every 2 years)
Rare                The event may occur only in exceptional circumstances.
                    (e.g. 1 incident every 5 or more years)

Hivint considers the following as contributing factors to the likelihood of an event occurring.

• The value of assets contained within the vulnerable system
E.g. Credit card details or dummy test data

• The skills required to successfully exploit the vulnerable system using the vulnerability
identified

• The availability of exploits on the public domain

• The complexity of the exploit

• The level of access on the vulnerable system required to exploit the security issue
E.g. Privileged administrative user or anonymous user

The interpretation of the consequence of an event occurring is described as per below:

Consequence Rating   Sample Interpretation

Insignificant        Little disruption to the user community.
                     Technologies in use will require little/no effort to change.
                     Isolated complaint from individual stakeholder able to be managed via
                     business as usual operations.

Minor                Minor disruption to user community.
                     The ability to provide the required service is impaired.
                     Complaints from key stakeholder requiring management attention.

Moderate             Some inconvenience to the user community.
                     The ability to provide a service is severely compromised.
                     Moderate effort required to implement an alternative solution.
                     Public criticism from key stakeholders regarding the organisation’s
                     services or activities.

Major                Noticeable impact on user community.
                     Some core services unavailable.
                     Potential for serious distress or minor injury.
                     Sustained criticism from majority of key stakeholders on suitability of
                     organisation in its current form.

Catastrophic         Community unable to function without significant support.
                     Key technologies no longer available and no viable alternative exists.
                     Potential for major injury or fatalities.
                     Irreparable damage to relationships with key stakeholders and potential
                     for organisation to cease operating in current form.

The resultant risk rating is detailed in the following risk matrix:

                Rare       Unlikely   Possible   Likely     Almost Certain

Insignificant   Very Low   Very Low   Very Low   Low        Low
Minor           Very Low   Low        Low        Low        Low
Moderate        Low        Medium     Medium     Medium     Medium
Major           Medium     Medium     High       High       High
Catastrophic    High       High       Extreme    Extreme    Extreme

Revision History

Version   Date              Name            Revision Comment

0.1       13 Apr 2017       Taran Dhillon   Initial report draft
0.2       13 April 2017     Lily Chau       Internal report review
0.3       17 April 2017     Barry Grek      Client report release
1.0       <DD Month 2017>   <Author Name>   Client final report
