Application Security
Securing ADSS Web RA can be viewed as a series of steps that involve the platform, authentication, objects (including data), and the security of the applications that access the system. At the application level, OWASP (Open Web Application Security Project) standards are implemented to secure the ADSS Web RA application.
We take application security very seriously and keep improving it in all required areas.
Content Security Policy (CSP) Headers
Content Security Policy headers are implemented to add a layer of security that helps to detect and mitigate certain types of attacks. Only the URLs listed in the CSP header are allowed by the application (for example Go Sign or Bootstrap); any other external, untrusted links are blocked by the application unless they are added under the CSP header.
The following header is added in the web.config file:
<add name="Content-Security-Policy" value="object-src 'none'; default-src 'self' https://client.go-sign-desktop.com:8782/gosign-desktop https://netdna.bootstrapcdn.com; connect-src 'self' https://client.go-sign-desktop.com:8782 ; child-src 'self' https://www.google.com/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; style-src 'self' 'unsafe-inline'; img-src 'self' * data: blob:;" />
Version Disclosure
Through version disclosure an attacker can learn which systems are in use and potentially develop further attacks targeted at the specific version of ASP.NET. An attacker might use the disclosed information to exploit security vulnerabilities known for the identified version.
Add the following tag inside the <rewrite> tags:
<outboundRules>
<rule name="Remove Server header">
<match serverVariable="RESPONSE_Server" pattern=".+" />
<action type="Rewrite" value="" />
</rule>
</outboundRules>
Missing Invalid CIPHER
The Missing Invalid Cipher fix restricts the use of certain cryptographic algorithms and protocols in the Schannel.dll file. This information also applies to Independent Software Vendor (ISV) applications that are written for the Microsoft Cryptographic API (CAPI).
Click here to fix this issue by following the steps described and to enable the cipher from the Windows registry.
Request Max-Length Issue
To mitigate this vulnerability, a maximum request length per server is defined. A default value should be provided (for example 10 MB) which the user can override.
To fix the max length issue, add the following tag in web.config under the <system.webServer> tag:
<security>
<requestFiltering>
<requestLimits maxQueryString="8192" />
</requestFiltering>
</security>
Cross Site Scripting (XSS)
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
To prevent Cross-Site Scripting attacks in the ADSS Web RA application, OWASP (Open Web Application Security Project) standard rules are implemented across the whole application.
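The OWASP rule that matters most here is output encoding: untrusted data is encoded for the context it is placed in before it reaches the browser. The following is an added example, not code from ADSS Web RA or its documentation; it shows a vulnerable template beside its encoded form for element content and for an attribute value. The sample inputs and the `contains_active_markup` heuristic are constructed for the example.

```python
# Added example (not from the ADSS Web RA documentation or code base):
# output encoding, the core OWASP XSS defence, shown as a vulnerable
# template beside its fixed form. Input values are constructed samples.
import html

# Constructed attacker-controlled inputs, e.g. a display name submitted on a form.
SAMPLE_NAME = "<script>alert(document.cookie)</script>"
SAMPLE_ATTR = '" onmouseover="alert(1)'


def render_unsafe(display_name: str) -> str:
    """Vulnerable: untrusted data is concatenated straight into HTML."""
    return f"<p>Welcome, {display_name}</p>"


def render_safe(display_name: str) -> str:
    """Fixed: HTML-entity encode before placing data in element content."""
    return f"<p>Welcome, {html.escape(display_name, quote=False)}</p>"


def render_attr_unsafe(value: str) -> str:
    """Vulnerable attribute context: the value can close the quote and add handlers."""
    return f'<input type="text" value="{value}">'


def render_attr_safe(value: str) -> str:
    """Attribute context: the attribute is quoted and quotes are encoded too."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def contains_active_markup(fragment: str) -> bool:
    """Constructed heuristic used by the tests, not a real XSS scanner: does the
    output still carry a live <script> tag or an unquoted event-handler attribute?"""
    return "<script" in fragment.lower() or '" onmouseover=' in fragment


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_NAME))
    print(render_safe(SAMPLE_NAME))
    print(render_attr_unsafe(SAMPLE_ATTR))
    print(render_attr_safe(SAMPLE_ATTR))
```

Encoding is context-specific: the entity encoding used for HTML content is not sufficient for data placed inside a JavaScript block or a URL, which need their own encoders.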
SQL Injection
SQL injection is a web security vulnerability that allows an attacker to manipulate the database queries that an application makes to communicate with the database. It generally allows an attacker to read sensitive information that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access.
In the Web RA application, SQL injection attacks are prevented using standard techniques, i.e. parameterized queries.
Data and Key Encryption
In the ADSS Web RA application, encryption is also implemented to protect data from unauthorized access. A KEK (Key Encryption Key) is used to encrypt the Data Encryption Key, whereas the DEK (Data Encryption Key) is used to encrypt the underlying data.
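The KEK/DEK arrangement is envelope encryption: each record gets its own DEK, the DEK is wrapped under the KEK and stored beside the ciphertext, and rotating the KEK only rewraps DEKs without touching the data. The following added example (not ADSS Web RA code, which does not document its algorithms) implements that pattern with AES-GCM for data and RFC 3394 AES key wrap for the DEK; it assumes the `cryptography` package is installed, and the record layout and sample plaintext are constructed.

```python
# Added example (not from ADSS Web RA): envelope encryption with a KEK that wraps
# per-record DEKs. Assumes the third-party `cryptography` package.
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import InvalidUnwrap, aes_key_unwrap, aes_key_wrap


def generate_kek() -> bytes:
    """The KEK lives in a key store or HSM; generated here only for the example."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_record(kek: bytes, plaintext: bytes, aad: bytes = b"") -> dict:
    """Fresh DEK per record; DEK is wrapped under the KEK and stored with the data."""
    dek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)  # 96-bit GCM nonce, never reused with the same DEK
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext, aad)
    return {
        "wrapped_dek": aes_key_wrap(kek, dek),  # DEK never stored in the clear
        "nonce": nonce,
        "ciphertext": ciphertext,
        "aad": aad,  # constructed: binds the ciphertext to a record identifier
    }


def decrypt_record(kek: bytes, record: dict) -> bytes:
    """Unwrap the DEK with the KEK, then authenticate and decrypt the data."""
    dek = aes_key_unwrap(kek, record["wrapped_dek"])
    return AESGCM(dek).decrypt(record["nonce"], record["ciphertext"], record["aad"])


def rotate_kek(old_kek: bytes, new_kek: bytes, record: dict) -> dict:
    """KEK rotation rewraps the DEK only; the bulk ciphertext is untouched."""
    dek = aes_key_unwrap(old_kek, record["wrapped_dek"])
    return {**record, "wrapped_dek": aes_key_wrap(new_kek, dek)}


def unwrap_fails(kek: bytes, record: dict) -> bool:
    """True when the given KEK cannot unwrap the record's DEK (wrong or rotated key)."""
    try:
        aes_key_unwrap(kek, record["wrapped_dek"])
    except InvalidUnwrap:
        return True
    return False


if __name__ == "__main__":
    kek = generate_kek()
    rec = encrypt_record(kek, b"constructed sample: subscriber CN=Alice", aad=b"record-42")
    print(decrypt_record(kek, rec))
```

Because the DEK is only 32 bytes, rewrapping every record under a new KEK is cheap, which is the operational reason for the two-tier design.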
Avoid Clickjacking
Clickjacking is an attack in which an attacker uses a transparent iframe in a window to trick a user into clicking a button or link that belongs to another server, presented in an identical-looking window. The attacker hijacks the clicks meant for the original server and sends them to the other server.
To prevent clickjacking, the X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>.
Add the following header in the web.config file:
<add name="X-Frame-Options" value="DENY" />
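The CSP, version-disclosure and X-Frame-Options settings above are all response headers, so one offline check can verify them together. The following added example (not ADSS Web RA code) parses a Content-Security-Policy value into directives, flags permissive sources, reports the headers that disclose the server version, and checks that a framing defence is present. The CSP string is the one shown on this page; the `BEFORE`/`AFTER` header sets and the finding codes are constructed for the example.

```python
# Added example (not from ADSS Web RA): audit of the response headers this page
# configures. Sample header values and finding codes are constructed.

# The CSP value from this page's web.config entry.
PAGE_CSP = (
    "object-src 'none'; default-src 'self' https://client.go-sign-desktop.com:8782/gosign-desktop "
    "https://netdna.bootstrapcdn.com; connect-src 'self' https://client.go-sign-desktop.com:8782 ; "
    "child-src 'self' https://www.google.com/; script-src 'self' 'unsafe-inline' 'unsafe-eval' "
    "https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; style-src 'self' 'unsafe-inline'; "
    "img-src 'self' * data: blob:;"
)

# Headers that reveal the platform or its version (names are real IIS/ASP.NET headers).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Constructed: a response before and after the hardening on this page is applied.
BEFORE = {
    "Server": "Microsoft-IIS/10.0",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "4.0.30319",
    "Content-Type": "text/html",
}
AFTER = {
    "Server": "",  # blanked by the outbound rewrite rule shown on this page
    "Content-Security-Policy": PAGE_CSP,
    "X-Frame-Options": "DENY",
    "Content-Type": "text/html",
}


def parse_csp(value: str) -> dict:
    """Split a CSP header into {directive: [source, ...]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(value: str) -> list:
    """Flag sources that weaken the policy: inline/eval and wildcard or http: origins."""
    findings = []
    for name, sources in parse_csp(value).items():
        for src in sources:
            if src in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append((f"csp-{src.strip(chr(39))}", name))
            if src == "*" or src.startswith("http:"):
                findings.append(("csp-wildcard-or-http", f"{name} {src}"))
    return findings


def audit_headers(headers: dict) -> list:
    """Return (code, detail) findings for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in DISCLOSURE_HEADERS:
        if h.get(name, "").strip():
            findings.append(("version-disclosure", f"{name}: {h[name]}"))
    csp = h.get("content-security-policy")
    csp_directives = {}
    if csp is None:
        findings.append(("csp-missing", ""))
    else:
        findings.extend(audit_csp(csp))
        csp_directives = parse_csp(csp)
    xfo = h.get("x-frame-options", "").strip().upper()
    # Either X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive is needed.
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp_directives:
        findings.append(("clickjacking-unprotected", xfo or "<absent>"))
    return findings


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(hdrs))
```

Run against the page's own CSP, the audit still reports `'unsafe-inline'` and `'unsafe-eval'` on `script-src` and the `*` source on `img-src`, which is the expected residual risk of that policy rather than a misconfiguration of the check.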
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is an attack in which a malicious site sends a request to a vulnerable site where the user is currently logged in.
To protect ADSS Web RA from this attack, HttpOnly cookies have been implemented. HttpOnly cookies cannot be read by client-side scripts, so marking a cookie as HttpOnly provides an additional layer of protection against cross-site scripting attacks. During a cross-site scripting attack, an attacker might otherwise easily access cookies and hijack the victim's session.
To help prevent CSRF attacks, ASP.NET MVC also uses anti-forgery tokens, also called request verification tokens. All cookies in the ADSS Web RA application are marked as Secure except the cookie used in anti-forgery token validation. To understand anti-forgery token validation, click here.
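ASP.NET MVC's anti-forgery scheme pairs a cookie token with a form token and accepts a state-changing request only when the two match for the current user. The following added example (not ADSS Web RA or ASP.NET code) implements a simplified version of that pairing with an HMAC bound to the session, and builds a Set-Cookie header so the HttpOnly and Secure flags discussed above can be checked. The server secret, session id and cookie name are constructed for the example.

```python
# Added example (not from ADSS Web RA or ASP.NET): simplified cookie-token plus
# form-token anti-forgery check, and Set-Cookie construction with flags.
import hashlib
import hmac
import secrets

# Constructed: in production this is a server-held secret, not a literal.
SERVER_SECRET = b"constructed-example-secret-replace-in-production"


def issue_cookie_token() -> str:
    """Random per-user token sent as a cookie; it carries no meaning by itself."""
    return secrets.token_urlsafe(32)


def issue_form_token(session_id: str, cookie_token: str) -> str:
    """Form token = HMAC over the session and cookie token, so it is valid only
    for that user and that cookie; embedded as a hidden field in the form."""
    msg = f"{session_id}|{cookie_token}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_request(session_id: str, cookie_token: str, form_token: str) -> bool:
    """Accept a POST only if the submitted form token matches the cookie token
    for this session. A cross-site page cannot read the cookie, so it cannot
    produce a matching form token."""
    if not cookie_token or not form_token:
        return False
    expected = issue_form_token(session_id, cookie_token)
    return hmac.compare_digest(expected, form_token)


def set_cookie_header(name: str, value: str, http_only: bool = True,
                      secure: bool = True, same_site: str = "Strict") -> str:
    """Build a Set-Cookie header value with the protective attributes."""
    parts = [f"{name}={value}", "Path=/"]
    if http_only:
        parts.append("HttpOnly")
    if secure:
        parts.append("Secure")
    if same_site:
        parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


def cookie_flags(header: str) -> dict:
    """Report whether a Set-Cookie header carries HttpOnly and Secure."""
    attrs = {p.strip().split("=")[0].lower() for p in header.split(";")[1:]}
    return {"httponly": "httponly" in attrs, "secure": "secure" in attrs}


if __name__ == "__main__":
    sid = "sess-123"  # constructed session identifier
    cookie_token = issue_cookie_token()
    form_token = issue_form_token(sid, cookie_token)
    print(set_cookie_header("__RequestVerificationToken", cookie_token))
    print("valid:", verify_request(sid, cookie_token, form_token))
```

The `SameSite` attribute is a further browser-side defence against cross-site requests and complements, rather than replaces, the token check.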