Detecting Security Misconfiguration issues in openIMIS

Software security is a complex topic that needs to be tackled from several angles to be fully covered. One common root cause of security issues is Security Misconfiguration: improperly configured settings, features, or environments that leave systems vulnerable to a range of attacks.

The following case study describes Security Misconfiguration issues we detected during our comprehensive openIMIS security testing. Our analysis provides a detailed framework for understanding these vulnerabilities, how they were identified, and the actions we took to mitigate them.

Significance

Security Misconfiguration can significantly impact openIMIS by exposing the system to various risks, including unauthorized access, data breaches, and denial of service incidents. This vulnerability is listed in the OWASP Top 10 as one of the most common vulnerabilities affecting web applications. Ensuring correct configuration and maintaining a secure environment is crucial for protecting openIMIS from these threats, safeguarding the system’s functionality, and maintaining the integrity of its users’ data.

Testing and discovery

Testing approach

Our penetration testing framework, an enhanced version of the OWASP checklist tailored for web applications, guided our systematic approach to evaluating the security of openIMIS. Initially, our team leveraged our extensive experience with the system to gather information and prepare attack vectors specifically designed to uncover vulnerabilities within openIMIS. 

Following this tailored threat modeling, we employed a suite of automated tools to scan and assess the overall state of the system’s security. This combination of expert knowledge and verified testing tools ensures comprehensive coverage and precision in identifying potential security weaknesses, particularly those related to Security Misconfiguration.

At SolDevelo, we specialize in comprehensive software security services, including penetration testing, code review, and security audits. Our expertise and tools ensure that systems like openIMIS are thoroughly examined for vulnerabilities.

Discovery

During the testing phase, our focus was broad yet targeted, encompassing a variety of potential Security Misconfiguration issues outlined in our testing framework:

  • Session management schema: We tested the overall session management schema to ensure it was secure and properly configured.
  • Cookies attributes: We examined the attributes of cookies, including their security settings, to prevent unauthorized access.
  • Session fixation: We checked for vulnerabilities that could allow session fixation attacks, ensuring that user sessions could not be hijacked or misused.
  • Exposed session variables: We tested for exposed session variables that could lead to information leakage or unauthorized access.
  • Cross-Site Request Forgery: We checked for vulnerabilities that could allow Cross-Site Request Forgery (CSRF) attacks, ensuring secure request handling.
  • Logout functionality: We evaluated the logout functionality to ensure it properly terminated sessions, preventing unauthorized access after logout.
  • Session timeout: We checked for appropriate session timeout settings to prevent sessions from being left open for too long.
  • Session puzzling: We tested for vulnerabilities that could lead to session puzzling, ensuring session data remained secure.
  • Session hijacking: We checked for vulnerabilities that could allow session hijacking, preventing unauthorized takeover of user sessions.

The discovery process revealed several critical vulnerabilities, notably:

  • JWT security configuration: We found that the security configuration for JSON Web Tokens (JWTs) was not robust enough, leaving session tokens vulnerable to compromise.
  • Cookies attribute security configuration: The attributes of cookies lacked sufficient security settings, making them susceptible to unauthorized access.

Vulnerability analysis and mitigation

The following section is dedicated to the analysis of the vulnerabilities we uncovered in openIMIS while testing its security configuration. To give you a full understanding of the case, we go through the identified issues one by one, describing our testing methods, findings, potential impact, and recommendations for mitigation. This detailed case study aims to raise awareness of common Security Misconfiguration problems and to offer practical ways of dealing with them.

JWT security misconfiguration

How we tested it

We conducted a comprehensive audit of the JSON Web Token (JWT) handling and configuration within the openIMIS system. Our testing approach involved both manual code reviews and automated analysis using Burp Suite to identify potential vulnerabilities. Specifically, we focused on evaluating token expiration policies, security attributes, and the cryptographic methods employed for encoding and decoding JWTs.

SolDevelo offers advanced security assessments for JWT implementations as part of our software security services, ensuring robust protection against common vulnerabilities.

How we found it

Our audit identified critical vulnerabilities in the JWT implementation. The primary issues were related to token expiration, inadequate security attributes, and weak cryptographic approaches for token encoding and decoding.

Evidence

  • Entropy analysis results: We performed an entropy analysis using Burp Suite’s sequencer with a sample size of 20,004 requests to the development server. The analysis revealed a complete lack of randomness (‘0 bits’ of entropy) in the tokens, indicating predictability and insecurity in token generation.
  • Code snippet security assessment: A review of the provided code snippets showed a lack of randomness in key generation and token creation. The code did not use a cryptographic random number generator or other best practices, such as random jti claims or securely generated unique session identifiers. This finding was corroborated by the Burp Suite entropy analysis.
  • GraphQL JWT settings: The JWT configuration in the system included settings such as JWT_VERIFY_EXPIRATION and JWT_LONG_RUNNING_REFRESH_TOKEN, but failed to incorporate sufficient security measures to ensure token robustness.

Impact

The vulnerabilities identified in the JWT configuration pose a significant risk to the security of the openIMIS system. The likelihood of exploitation is medium due to the well-known nature of common JWT vulnerabilities. However, the impact is high, as successful exploitation could lead to unauthorized access and the compromise of sensitive information.

Risk analysis

  • Likelihood: Medium, given the well-documented nature of JWT vulnerabilities and their exploitability.
  • Impact: High, as exploitation could result in unauthorized access and significant data breaches.

Recommendations

To mitigate the identified vulnerabilities and enhance the security of JWT handling within the openIMIS system, we recommend the following actions:

  1. Shorten JWT expiration: Reduce the JWT expiration time from one day to 15 minutes to minimize the window for token misuse.
  2. Include essential security claims: Ensure JWTs include critical claims such as jti to enable token uniqueness and traceability.
  3. Transition to RS256: Switch from HS256 to RS256 to utilize a private/public key pair, which enhances security by separating the token signing and verification processes.
  4. Routine key rotation: Establish a routine for rotating cryptographic keys to prevent long-term exploits based on a compromised key.
  5. Add ‘nbf’ claim: Include the nbf (not before) claim in tokens to specify when they become valid, preventing premature use.
  6. Apply secure flag: Ensure the Secure flag is set on the cookies that carry JWTs, preventing the tokens from being transmitted over non-secure channels.
  7. Use JWTs solely for authentication: Avoid using JWTs for session storage. Instead, use them solely for authentication purposes to reduce the risk of token theft and replay attacks.
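
The recommendations above, together with the entropy finding under Evidence, as an added worked example that is not openIMIS or django-graphql-jwt code: a minimal issuer and verifier built on Python's standard library that mints 15-minute tokens carrying iat, nbf, exp and a CSPRNG-derived jti, verifies against an allow-list of algorithms and a key ring keyed by kid so keys can be rotated and retired, and supports jti-based revocation for logout or compromise handling. The signing primitive is HMAC-SHA256 because the standard library has no RSA; moving to RS256 as recommended means signing with a private key and verifying with the public key through a library such as PyJWT, with the claim and rotation logic below unchanged. The key ids, subject value and in-memory denylist are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60      # 15-minute lifetime instead of one day
ALLOWED_ALGS = {"HS256"}         # allow-list: "none" and anything unexpected is rejected

# Constructed key ring keyed by "kid". Rotation = add a new kid, switch
# ACTIVE_KID, retire the old kid once every token it signed has expired.
KEY_RING = {
    "2024-06": secrets.token_bytes(32),
    "2024-07": secrets.token_bytes(32),
}
ACTIVE_KID = "2024-07"
REVOKED_JTI = set()              # in-memory denylist; use a shared store in production


class TokenError(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def mint_token(subject, now=None, kid=ACTIVE_KID):
    """Issue a short-lived token with iat/nbf/exp and a jti drawn from the OS CSPRNG."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {
        "sub": subject,
        "iat": now,
        "nbf": now,                          # not valid before issue time
        "exp": now + TOKEN_TTL_SECONDS,
        "jti": secrets.token_urlsafe(16),    # 128 random bits, unlike a counter or timestamp
    }
    signing_input = f"{encode_segment(header)}.{encode_segment(payload)}"
    sig = hmac.new(KEY_RING[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token, now=None):
    """Check structure, algorithm, key id, signature, required claims and time window."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        sig = b64url_decode(s64)
        if not isinstance(header, dict):
            raise ValueError("header is not an object")
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed token")
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenError("algorithm not allowed")
    key = KEY_RING.get(header.get("kid"))
    if key is None:
        raise TokenError("unknown or retired key")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):      # constant-time comparison
        raise TokenError("bad signature")
    payload = json.loads(b64url_decode(p64))
    for claim in ("sub", "iat", "nbf", "exp", "jti"):
        if claim not in payload:
            raise TokenError(f"missing claim {claim}")
    if now < payload["nbf"]:
        raise TokenError("token not yet valid")
    if now >= payload["exp"]:
        raise TokenError("token expired")
    if payload["jti"] in REVOKED_JTI:
        raise TokenError("token revoked")
    return payload


def token_status(token, now=None):
    """'ok' or the rejection reason, convenient for audit logging and tests."""
    try:
        verify_token(token, now)
        return "ok"
    except TokenError as exc:
        return str(exc)


def revoke_token(token):
    """Logout or compromise handling: put the token's jti on the denylist."""
    _, p64, _ = token.split(".")
    REVOKED_JTI.add(json.loads(b64url_decode(p64))["jti"])


def retire_key(kid):
    """Remove a rotated-out key so that tokens it signed stop verifying."""
    KEY_RING.pop(kid, None)


if __name__ == "__main__":
    token = mint_token("claim-officer-42")          # constructed subject
    print(token_status(token))
    retire_key("2024-06")
```

Because every token carries a jti, a leaked or stolen token can be revoked individually and traced in logs, and because verification refuses any alg outside the allow-list and any kid that is no longer in the ring, neither a downgraded header nor a token signed with a retired key is accepted.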

By implementing these recommendations, the openIMIS system can significantly enhance the security of its JWT handling, mitigating the risk of unauthorized access and ensuring the integrity of its sensitive information.

Cookies attribute security misconfiguration

How we tested it

During our security assessment, we conducted a thorough analysis of the application’s cookie management and CSRF (Cross-Site Request Forgery) token strength. Our approach included using Burp Sequencer to evaluate the robustness of CSRF tokens and reviewing the handling of cookies, particularly those used for JSON Web Tokens (JWTs) and other security-related tokens.

SolDevelo’s expertise in cookie management and CSRF protection is part of our comprehensive software security services, designed to safeguard web applications against various threats.

How we found it

Our detailed review identified several potential security vulnerabilities in the handling and configuration of cookies within the openIMIS system.

Evidence

  • CSRF token strength analysis: Using Burp Sequencer, we assessed the strength of CSRF tokens. The analysis revealed that the CSRF tokens were not strong enough to provide adequate protection against forgery attacks.
  • Cookie management review: Our review of the application’s cookie management practices highlighted several issues:
    • Cookies transmitting JWTs and csrftoken were not flagged as HttpOnly, making them accessible to client-side scripts.
    • The Secure flag was not consistently applied, potentially allowing cookies to be transmitted over non-secure channels.
    • The SameSite attribute was not set on cookies, increasing the risk of CSRF vulnerabilities.

Impact

The identified vulnerabilities in cookie attribute configuration pose a moderate risk to the security of the openIMIS system. The likelihood of exploitation is low, but the potential impact is medium, as it could lead to unauthorized actions being performed on behalf of users, compromising user sessions and sensitive data.

Risk analysis

  • Likelihood: Low, due to the specific conditions required for successful exploitation.
  • Impact: Medium, as exploitation could result in unauthorized actions and compromise sensitive information.

Recommendations

To address the identified vulnerabilities and improve the security of cookie handling within the openIMIS system, we recommend implementing the following measures:

  1. Validate Referer header: Implement server-side checks to validate the Referer header of incoming requests, ensuring they originate from the application’s domain. This helps prevent CSRF attacks by verifying the source of the request.
  2. HttpOnly and secure flags: Ensure that cookies transmitting JWTs and csrftoken are flagged as HttpOnly and Secure. The HttpOnly flag prevents access by client-side scripts, and the Secure flag ensures that cookies are only transmitted over HTTPS.
  3. SameSite attribute: Set the SameSite attribute on cookies to “Strict” or “Lax” to prevent the browser from sending these cookies with cross-site requests. This mitigates CSRF vulnerabilities by ensuring that only same-site requests include the relevant cookies.
  4. Strengthen CSRF tokens: Enhance the strength of CSRF tokens by using a more robust token generation mechanism. Ensure that tokens are sufficiently random and unpredictable to withstand forgery attacks.
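
As an added example that is not from openIMIS or from the assessment itself, covering the cookie findings under Evidence and recommendations 1 to 4 above: a Set-Cookie audit that reports which of HttpOnly, Secure and SameSite a sensitive cookie lacks, a hardened Set-Cookie builder, a CSPRNG-backed CSRF token generator, and a server-side Referer check. The weak headers are constructed to mirror the finding, not captured from a server; the cookie names JWT and sessionid are assumed (django-graphql-jwt's and Django's defaults), only csrftoken is named on the page; and imis.example.org is a placeholder host.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Cookies that carry authentication or anti-CSRF state. "csrftoken" is named in
# the finding; "JWT" and "sessionid" are assumed names for this example.
SENSITIVE_COOKIES = {"JWT", "csrftoken", "sessionid"}

# Constructed Set-Cookie headers modelled on the finding; placeholder values.
WEAK_HEADERS = [
    "JWT=token-placeholder; Path=/",
    "csrftoken=csrf-placeholder; Path=/; Expires=Fri, 01 Jan 2027 00:00:00 GMT",
    "sessionid=session-placeholder; Path=/; HttpOnly",
    "theme=dark; Path=/",
]


def audit_set_cookie(headers):
    """Map each sensitive cookie to the list of attributes it is missing."""
    findings = {}
    for raw in headers:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        if name not in SENSITIVE_COOKIES:
            continue
        attrs = {}
        for part in parts[1:]:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if "secure" not in attrs:
            missing.append("Secure")
        if attrs.get("samesite", "").lower() not in ("strict", "lax"):
            missing.append("SameSite")
        findings[name] = missing
    return findings


def set_cookie_header(name, value, max_age, samesite="Strict"):
    """Emit a Set-Cookie header with HttpOnly, Secure and SameSite always set."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = samesite
    morsel["max-age"] = max_age
    morsel["path"] = "/"
    return morsel.OutputString()


def new_csrf_token():
    """256 bits from the OS CSPRNG, URL-safe; unpredictable, unlike a counter or timestamp."""
    return secrets.token_urlsafe(32)


def referer_allowed(referer, allowed_hosts):
    """Server-side Referer check: present, HTTPS, and from an allowed host."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname in allowed_hosts


if __name__ == "__main__":
    for cookie, missing in audit_set_cookie(WEAK_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing) or 'nothing'}")
    print(set_cookie_header("JWT", "token-placeholder", max_age=15 * 60))
    print(referer_allowed("https://imis.example.org/claims", {"imis.example.org"}))
```

In a Django deployment such as openIMIS the same attributes are normally set centrally through SESSION_COOKIE_SECURE, SESSION_COOKIE_HTTPONLY and SESSION_COOKIE_SAMESITE and their CSRF_COOKIE_* counterparts, and Django's CSRF middleware already performs an Origin/Referer check on HTTPS requests; the audit function is still useful as a regression test that those settings actually reach the wire on every response that sets a sensitive cookie.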

By implementing these recommendations, the openIMIS system can significantly enhance the security of its cookie handling and mitigate the risk of CSRF attacks, thereby protecting user sessions and sensitive data.

Technologies used

  • OWASP
  • Burp Suite

Better safe than sorry

By partnering with SolDevelo, you can benefit from our extensive expertise in software security services, ensuring your systems are robust and secure against various threats.

