Support #5186

[SCP ID :##2578##] : VAPT Findings for Year 2014 (Internet Banking Segment) Web Application Penetration Testing.

Added by Zahir Abd Latif over 9 years ago. Updated almost 9 years ago.

Status: Closed - End of life cycle
Priority: Normal
Assignee: Zahir Abd Latif
Category: MY RIB
Target version: -
Start date: February 11, 2015
Due date:
% Done: 100%
Spent time: -

Description

Hi,
Kindly attend below request:

IT security has conducted the web application penetration testing and attached the summary of the findings.
We kindly need your help and expertise to review and revert on the findings.

VAPT2014-Internal VA for IB segment (IT Apps).xls (499 KB) Zahir Abd Latif, February 11, 2015 17:58

VAPT2014.7z - documentation (492 KB) William Gozali Tan, May 28, 2015 15:09

web.xml - Sample setting (703 Bytes) Aditya Prathama, June 01, 2015 16:16

before.png - before implementation (9.26 KB) Aditya Prathama, June 01, 2015 16:16

after.png - after implementation (11.2 KB) Aditya Prathama, June 01, 2015 16:16

History

#1 Updated by Zahir Abd Latif over 9 years ago

  • Assignee changed from William Gozali Tan to Ahmad Hazri

Dear Hazri,

Kindly assist to update the current status in Redmine.

Thanks.

#2 Updated by Zahir Abd Latif over 9 years ago

Dear Ateh,

Any updates on this case?
Kindly assist to update the current status in Redmine.

Thanks.

#3 Updated by Ahmad Hazri over 9 years ago

  • Status changed from New - Begin Life Cycle to Pending Customer Feedback

Hi Zahir

Put SCP under 'Customer Working' since we are awaiting their response to proceed with the resolution.

#4 Updated by William Gozali Tan over 9 years ago

  • Assignee changed from Ahmad Hazri to Aditya Prathama

#5 Updated by William Gozali Tan over 9 years ago

Need Aditya to apply the fix for WEB-IB002: HTML Comments Sensitive Information Disclosure.
For more details about the issue, kindly refer to the attachment.

#6 Updated by Aditya Prathama over 9 years ago

I successfully blocked HTTP requests for OPTIONS, TRACE and HEAD and allow only POST and GET. This may be a problem where an anonymous user can get App Server information in our Web Application.

For the setting, just add to web.xml under the <web-app> tag two <security-constraint> tags, which are attached to this issue.
For your reference there are screenshots before and after the security implementation.
Thanks
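As an added illustration of the web.xml change described in the comment above (this is not the sample web.xml attached to the issue, whose contents are not shown on this page), the following fragment restricts an application to GET and POST on a Servlet 3.0 or later container. The url-pattern /* and the two resource names are assumptions for the illustration; adjust them to the application's actual paths.

```xml
<!-- Illustrative fragment added to this page; not the attached web.xml sample.
     Both <security-constraint> elements go directly under <web-app>.
     Assumes a Servlet 3.0+ container, which is required for <http-method-omission>. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Constraint 1: GET and POST to every path (assumed /*) are allowed to everyone.
       Omitting <auth-constraint> entirely means "no authorization required". -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Allowed methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>

  <!-- Constraint 2: every method other than GET and POST (HEAD, OPTIONS, TRACE,
       PUT, DELETE and any custom verb) is denied.
       An EMPTY <auth-constraint/> means "no role is permitted", i.e. the container
       answers 403 for all callers. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Denied methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

</web-app>
```

The second constraint uses http-method-omission rather than listing the methods to block, because a constraint that names only TRACE, OPTIONS and HEAD leaves any method it does not mention uncovered, and uncovered methods are permitted by default. On a Servlet 3.1 container the same intent can also be stated with <deny-uncovered-http-methods/> under <web-app>. Two caveats a practitioner would check before deploying: HttpServlet serves HEAD by calling doGet, so blocking HEAD will break monitoring probes and clients that rely on it; and the change should be verified from outside with something like `curl -i -X TRACE https://host/app/` and `curl -i -X OPTIONS https://host/app/`, expecting 403 after the change where the before screenshot showed a 200 or a server-identifying Allow header.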

#7 Updated by Zahir Abd Latif almost 9 years ago

  • Status changed from Pending Customer Feedback to Closed - End of life cycle
  • Assignee changed from William Gozali Tan to Zahir Abd Latif
  • % Done changed from 0 to 100

Issue closed in SCP.
