
Security audit

So one of the things we wanted to do during the Release Candidate testing was a security audit. We assessed a number of tools out there (OpenVAS, Nikto and w3af) and settled on w3af. It allowed us to easily scan JAS for a vast number of known security issues and gives a good indication of what issues there are, with pointers on how to resolve them.

Now, since JAS itself is just a framework, there's not a lot to audit using a web security scanner. What can be scanned, however, are websites implemented using JAS. So first up was a "full audit" (CSRF, SQLi, XSS, brute force, clickjacking, etc.) on this website to see whether it would hold up. The only things that came out of this were that it was susceptible to clickjacking, plus a number of trivial findings around the underlying infrastructure (i.e. the web server), which is not surprising as it was a stock Apache installation without any security hardening. Other than that, no significant security issues were found.

Round 2: let's knock on the door of the JAS backend and see whether we may enter. As the JAS backend requires reasonably strict passwords, the standard brute force didn't have any effect. Moreover, since the backend doesn't show anything other than a login box to anonymous users, there wasn't anything to break. So as long as you're not leaving your credentials lying around, there doesn't seem to be a way into the backend.

OK, so what if you are logged in to the backend and someone tricks you? By far the most elaborate scan we did was of the JAS backend with the root user logged in. As on the website, it found the backend was susceptible to clickjacking, but it also had 2 XSS issues. The latter is rather serious, as XSS could potentially be used to hijack someone's session, effectively giving direct access to the backend. Obviously these issues were resolved, and rerunning the full audit showed that both the backend and this website were now almost free of issues.

The only serious issue left is Cross-Site Request Forgery (CSRF), which could allow an attacker to submit content to the JAS backend. That said, this would only be possible if you're logged into the JAS backend and you click on a forged link in another tab that was specifically crafted for your website. Since fixing this issue would affect almost every form in JAS, it was decided to push the fix to JAS 1.1.
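As an added illustration (not code from the JAS project), this is the shape of the per-form fix described above: a synchronizer token bound to the user's session via an HMAC, which a page on another site cannot read and therefore cannot include in a forged submission. The server secret, session ids, form fields and handler are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    """Token to embed as a hidden field in every backend form.

    nonce + HMAC(secret, session_id:nonce): valid only for the session it was
    issued to, so a token obtained in the attacker's own session is useless
    against the victim's session.
    """
    nonce = secrets.token_hex(16)
    msg = f"{session_id}:{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Check the submitted hidden field against the current session."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    msg = f"{session_id}:{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(expected, mac)


def handle_form_post(session_id: str, form: dict) -> tuple:
    """Hypothetical backend form handler: validate the token before acting."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, f"saved title={form.get('title')!r}"


if __name__ == "__main__":
    victim = "sess-victim-1234"
    # Legitimate post: the backend rendered the form with a token for this session.
    print(handle_form_post(victim, {"title": "Hello",
                                    "csrf_token": issue_csrf_token(victim)}))
    # Forged cross-site post: the attacker's page cannot read the victim's token,
    # so the field is absent or carries a token from a different session.
    print(handle_form_post(victim, {"title": "spam"}))
    print(handle_form_post(victim, {"title": "spam",
                                    "csrf_token": issue_csrf_token("sess-other")}))
```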