I had the opportunity to have the Hunchentoot Lisp web server set-up from the previous post, together with a web application running on Hunchentoot, security reviewed by a reputable firm. In short, this is what they had to say:
“it would appear that the server administrators should be commended for their network-level hardening of the target system”
It's not a one-hundred-percent clean bill of health, because only automated testing was used, with some manual intervention to validate the automated findings.
Here are some of the issues that were picked up:
1. Nginx Version Disclosure
Issue Summary: The Nginx version was detected by viewing the HTTP response headers received from the remote server. This information gives potential attackers additional information about the system they are attacking. Versions should be omitted where possible.
Recommendations: Disable the Nginx server tokens.
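The nginx directive the reviewers are referring to, shown here as an added example rather than the configuration from the previous post, with the default (weak) setting beside the corrected one:

```nginx
# Added example; not the nginx.conf from the original posts.
# Default behaviour, equivalent to omitting the line: the response carries
# "Server: nginx/<version>" and the version also appears in nginx's
# built-in error pages.
http {
    server_tokens on;
}

# Corrected: the header is reduced to "Server: nginx" and the version is
# dropped from the built-in error pages as well. It can be set in the http,
# server or location context; the http context covers every vhost.
http {
    server_tokens off;
}
```

To confirm the change after a reload, fetch the headers with `curl -sI https://your-host/ | grep -i '^server:'`; the value should read `Server: nginx` with no version. Hiding the version does not patch anything, it only removes a free hint, so keep nginx updated regardless.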
General web application issues:
Note: These issues are most likely caused by how I use Hunchentoot and are not a problem with Hunchentoot or the rest of the set-up itself. Obviously not all of these issues are pertinent to all web applications, but it's still good to know about them.
1. POST Parameters Accepted as GET Parameters (Rated Low)
Issue Summary: Some web frameworks collapse the POST and GET parameters into a single collection. This is a flawed design pattern from a security standpoint. If a page accepts POST parameters as GET parameters, an attacker would be able to effect change on websites through Cross-Site Request Forgery or leverage this design flaw with other vulnerabilities to attack the system hosting the web application.
Recommendations: POST variables and GET variables should be distinct and no attempt to collapse the two collections should occur.
2. Form Autocomplete Active (Rated Low)
Issue Summary: Most recent browsers have features that will save form field content entered by users and then automatically complete the form entry the next time the fields are encountered. This feature is enabled by default and could leak sensitive information, since it is stored on the hard drive of the user. The risk of this issue is greatly increased if users are accessing the application from a shared environment.
Recommendations: Set autocomplete to "off" on all your forms.
3. Missing HttpOnly Flag on Cookie (Rated Low)
Issue Summary: The session-identifying cookies did not have the HttpOnly flag set. This flag was introduced to safeguard session details. Once enabled, browsers (that recognise the flag) will disallow all scripts from accessing and / or manipulating the cookie information.
Recommendations: Set the flag on all session-identifying cookies.
4. Missing Secure Flag on Cookie (Rated Low)
Issue Summary: The session-identifying cookies did not have the Secure flag set. This flag instructs compliant browsers to avoid transmitting session details over unencrypted channels.
Recommendations: Set the flag on all session-identifying cookies.
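One way to address all four application-level findings in Hunchentoot, written as an added example for this post (it is not the reviewed application's code and not part of Hunchentoot itself). It uses only documented Hunchentoot functions: `post-parameter`, `request-method*`, `start-session`, `set-cookie`, `session-cookie-name` and `session-cookie-value`. The package name, the `/login` URI, the field names and `valid-credentials-p` are illustrative placeholders. The session-cookie helper assumes that the installed Hunchentoot version does not already set both flags on its own session cookie, and relies on `set-cookie` replacing an outgoing cookie of the same name.

```lisp
;;; Added example: not code from the original post or from Hunchentoot.
;;; Assumes Hunchentoot is loaded (for example via Quicklisp). Package
;;; name, URI, field names and VALID-CREDENTIALS-P are illustrative.
(defpackage :hardened-handlers
  (:use :cl :hunchentoot))
(in-package :hardened-handlers)

;;; Findings 3 and 4: Secure and HttpOnly on the session cookie.
;;; Assumption: this Hunchentoot version does not set both flags itself.
;;; SET-COOKIE replaces an outgoing cookie with the same name, so
;;; re-issuing the session cookie right after START-SESSION is enough.
(defun start-hardened-session ()
  (let ((session (start-session)))
    (set-cookie (session-cookie-name *acceptor*)
                :value (session-cookie-value session)
                :path "/"
                :secure t      ; browser sends it over HTTPS only
                :http-only t)  ; not visible to document.cookie
    session))

;;; Finding 2: autocomplete switched off on the form and its fields.
(defun login-form-html ()
  (format nil "<form method=\"post\" action=\"/login\" autocomplete=\"off\">~
               <input type=\"text\" name=\"username\" autocomplete=\"off\">~
               <input type=\"password\" name=\"password\" autocomplete=\"off\">~
               <input type=\"submit\" value=\"Log in\">~
               </form>"))

(defun valid-credentials-p (username password)
  "Hypothetical placeholder for the application's real credential check."
  (declare (ignore username password))
  nil)

;;; Finding 1: keep POST and GET parameters distinct.
;;; Hunchentoot's PARAMETER returns the GET or the POST value, and prefers
;;; the GET value on a clash, which is exactly the collapsed collection the
;;; reviewers warn about. :DEFAULT-REQUEST-TYPE :POST (and :REQUEST-TYPE
;;; :POST per variable) makes the easy handler read the body only, so
;;; /login?username=x&password=y is ignored.
(define-easy-handler (login :uri "/login" :default-request-type :post)
    ((username :request-type :post)
     (password :request-type :post))
  (case (request-method*)
    (:get (login-form-html))
    (:post
     (cond ((and username password
                 (valid-credentials-p username password))
            (start-hardened-session)
            (setf (session-value :user) username)
            "Logged in")
           (t
            (setf (return-code*) +http-forbidden+)
            "Invalid credentials")))
    (t
     (setf (return-code*) +http-method-not-allowed+)
     "Method not allowed")))

;;; (start (make-instance 'easy-acceptor :port 8080))
```

Two caveats. The Secure flag only helps when users reach the site over HTTPS; with the nginx front end from the previous post terminating TLS, the flag is still honoured by the browser even though the hop from nginx to Hunchentoot is plain HTTP. And current browsers deliberately ignore `autocomplete="off"` on password fields so that their password managers keep working, so treat that finding as a hint for the other sensitive fields (account numbers, one-time codes) rather than as a reliable control for passwords.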
I hope these notes will help you build safer and better web applications in lisp.
I would appreciate any feedback from the Hunchentoot community on how to avoid these issues in Hunchentoot.