Defense Information Systems Agency - Security Technical Implementation Guide Report

 Scan Name: Webscantest-includeAPIs-reactjs
 Date: 8/24/2016 11:24:23 PM
 Authenticated User: testuser
 Total Links / Attackable Links: 416 / 416
 Target URL: http://webscantest.com

Important Compliance Information and Limit of Liability

This information has been gathered during a scan of your web application. By checking your online properties for issues such as insecure data collection forms, cookie presence, third-party links, cross-site-scripting vulnerabilities, and SQL-injection vulnerabilities, the scan generates an automatic checklist of potential compliance issues. By taking advantage of this information, you can then proactively filter and prioritize identified issues to ensure faster remediation of your organization's most critical regulatory compliance concerns.

It is important to note that while this automatically-generated information is intended to greatly enhance the efficiency with which you may remediate compliance issues, it does not presume to represent the full scope of compliance with DISA-STIG regulations. These results represent a subset of the requirements that can be gathered automatically from your web application. Further, as regulations are subject to change, this report may have been generated with a version of the application that has not been updated to reflect those changes. It is therefore the sole responsibility of the user to know the regulations and comply with them.

The issues presented in this report correspond to the Defense Information Systems Agency - Security Technical Implementation Guide (DISA-STIG).

The information presented here is not to be regarded as legal advice. It does not express or imply any guarantee of compliance with any law or regulation. It is the sole responsibility of the user of this report to seek competent legal counsel for advice on compliance with any laws and regulatory requirements and to otherwise take whatever measures are necessary for such compliance. Rapid 7 Inc. assumes no responsibility for any use or misuse of any information presented in this report.


DISA-STIG Compliance Results

The results of this report do not cover the full set of requirements for DISA-STIG compliance. This information has been gathered during a scan of your web application, and will only cover the following requirements to the extent that they can be tested by a "black-box" analysis.
For access to the Defense Information Systems Agency - Security Technical Implementation Guide, visit their website: http://iase.disa.mil/stigs/

Pass or Fail for a requirement is based only on the sub-requirements we are able to test for in an automated Web Application Assessment. All other sub-requirements are not factored in. Where a parent requirement has several sub-requirements, the overall result for the parent follows its sub-requirements.

Best Practices

Requirement 3.5: Best Practices - The establishment of various best practices is an important aspect of a secure development environment. These best practices will provide consistent, quality code when developing custom applications.
Requirement 3.5.1: Secure Defaults (APP3110: CAT II) - The Designer will ensure the application installs with unnecessary functionality disabled by default.
Result: Failed
Requirement 3.5.2: Error Handling (APP3120: CAT II) - The Designer will ensure the application is not subject to error handling vulnerabilities.
Result: N/A
Requirement 3.5.3: Secure Failure (APP3130: CAT I) - The Designer will ensure the application follows the secure failure design principle.
Result: Passed
Requirement 3.5 (overall): Failed

Data

Requirement 3.7: Data - Improper data handling, storage, and transmission can lead to information disclosure or malicious modification.
Requirement 3.7.4: Data Transmission (APP3250.1: CAT I) - The Designer will ensure unclassified, sensitive data transmitted through a commercial or wireless network is protected using NIST-certified cryptography.
Result: Failed
Requirement 3.7 (overall): Failed

Authentication

Requirement 3.8: Authentication - Authentication is a security mechanism designed to verify the identity of a user or other service wishing to access the application. Authentication safeguards against unauthorized access and use, and establishes a trust mechanism between the user or other service and the application.
Requirement 3.8.4.2: Password Complexity and Maintenance (APP3320.1: CAT II) - The Designer will ensure the application has the capability to require account passwords having a minimum of 15 alphanumeric characters in length.
Result: Failed
Requirement 3.8.4.3: Password Transmission (APP3330: CAT I) - The Designer will ensure the application transmits account passwords in an approved encrypted format.
Result: Passed
Requirement 3.8.5: Authentication Credentials Protection (APP3350: CAT I) - The Designer will ensure the application does not contain embedded authentication data.
Result: Failed
Requirement 3.8.6: User Accounts (APP3390: CAT I) - The Designer will ensure users' accounts are locked after three consecutive unsuccessful logon attempts within one hour.
Result: N/A
Requirement 3.8.7: Sessions (APP3405: CAT I) - The Designer will ensure the application supports detection and/or prevention of communication session hijacking.
Result: Failed
Requirement 3.8 (overall): Failed

Access Control

Requirement 3.9: Access Control - An access control flaw exists if users or processes can view or modify data to which they should not be permitted. This could result in situations ranging from information disclosure to system compromise, and could potentially lead to the compromise of other systems on the network.
Requirement 3.9.2: Access Control Mechanisms (APP3480.1: CAT I) - The Designer will ensure access control mechanisms exist to ensure data is accessed and changed only by authorized personnel.
Result: Failed
Requirement 3.9.3: Excessive Privileges (APP3500: CAT II) - The Designer will ensure the application executes with no more privileges than necessary for proper operation.
Result: Passed
Requirement 3.9 (overall): Failed

Input Validation

Requirement 3.10: Input Validation (APP3510: CAT I) - The Designer will ensure the application validates all input.
Requirement 3.10.1: SQL Injection Vulnerabilities (APP3540.1: CAT I) - The Designer will ensure the application is not vulnerable to SQL injection.
Result: Failed
Requirement 3.10.2: Integer Vulnerabilities (APP3550: CAT I) - The Designer will ensure the application is not vulnerable to integer arithmetic issues.
Result: Passed
Requirement 3.10.4: Command Injection Vulnerabilities (APP3570: CAT I) - The Designer will ensure the application does not allow command injection.
Result: Failed
Requirement 3.10.5: Cross Site Scripting (XSS) Vulnerabilities (APP3580: CAT I) - The Designer will ensure the application does not have XSS vulnerabilities.
Result: Failed
Requirement 3.10.6: Cross Site Request Forgery (CSRF) Vulnerabilities (APP3585: CAT II) - The Designer will ensure the application does not have CSRF vulnerabilities.
Result: Failed
Requirement 3.10.7: Buffer Overflow Vulnerabilities (APP3590.1: CAT I) - The Designer will ensure the application does not have buffer overflows.
Result: Failed
Requirement 3.10 (overall): Failed

Application Information Disclosure

Requirement 3.12: Hidden Fields in Web Pages (APP3610: CAT I) - The Designer will ensure the application does not use hidden fields to control user access privileges or as a part of a security mechanism.
Result: Passed
Requirement 3.13: Application Information Disclosure (APP3620: CAT II) - Information disclosure vulnerabilities are leaks of information from an application which an attacker uses to perform a malicious attack against the application. This information itself may be the target of an attacker, or the information could provide an attacker with data needed to compromise the application or system in a subsequent attack. The Designer will ensure the application does not disclose unnecessary information to users.
Result: Failed

Mobile Code

Requirement 3.16: Mobile Code
Requirement 3.16.21: Category 2 Mobile Code in Constrained Environment (APP3720: CAT II) - The Designer will ensure unsigned Category 2 mobile code executing in a constrained environment has no access to local system and network resources.
Result: Passed
Requirement 3.16 (overall): Passed

Web Services

Requirement 3.17: Service Oriented Architecture (SOA)
Requirement 3.17.1.1: Web Service Availability (APP3760: CAT II) - The Designer will ensure web services are designed and implemented to recognize and react to the attack patterns associated with application-level DoS.
Result: Passed
Requirement 3.17.1.3: Extensible Markup Language (XML) Injection (APP3810: CAT I) - The Designer will ensure the application is not vulnerable to XML injection.
Result: N/A
Requirement 3.17 (overall): Passed

Deployment

Requirement 6.5: Unnecessary Services (APP6030: CAT II) - The Information Assurance Officer (IAO) will ensure unnecessary services are disabled or removed.
Result: Passed