2015-11-07

Companies in the physical security world often seem to have awful virtual security.

This site – “Apprentices for Fire & Security” – is a prime example of absolutely awful virtual security. And once again, these are not subtle issues – they are indicative of incompetent developers working on the security aspects of a website. Stop entrusting your security to people who do not know what they are doing.

Let us go through the obvious issues:

No HTTPS anywhere

The site handles passwords, emails, addresses, names, CVs, job postings. This is confidential information.

None of this is protected by HTTPS. It is all sent in the plain.

This is not forgivable in 2015. It is embarrassing that anyone can deploy a site handling logins and CVs without it.

Update: as of mid-morning 9/11, HTTPS has been turned on for apprentices4fs.com and some other domains. You have to ask, why was this not done in the first place?

Passwords are emailed to users

When you set up your account, you choose a password. This password is immediately emailed to you.

This means that your password has now been sent in the plain across the Internet.

This is not good practice for very obvious reasons.

Passwords are stored in the plain

When you fill in the password reminder, your original password is emailed to you. This means the passwords are not hashed.

This means that if the database were to leak, it would reveal all the passwords.

This is terrible practice and it is widely known that it is terrible practice.

Passwords are truncated

Enter a 100 character password, and send a password reminder. The plain text password is now only 20 characters long.

This is a side effect of plain text password storage. If you store the password in the plain, you have to limit the password length to something. If you hash the password, the password could be “War & Peace” and the hash would still be of a fixed length.

This is terrible practice.

Passwords are not case sensitive

If you set your password to AAAAAA, you can login to the system with aaaaaa.

Even if you are using plain text storage, you don’t need to do this.

This massively reduces the number of different passwords available.

This is terrible practice.
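The three storage problems above (plain text, truncation, case folding) all disappear once the password is run through a salted, slow hash. The following is an added example, not code from the site or the original post; the function names and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor; an assumption for this example
SALT_LEN, KEY_LEN = 16, 32

def _derive(password: str, salt: bytes) -> bytes:
    # No lower-casing and no truncation: every character of the input counts.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=KEY_LEN)

def hash_password(password: str) -> bytes:
    """Return salt || derived key. The record is always SALT_LEN + KEY_LEN bytes."""
    salt = os.urandom(SALT_LEN)
    return salt + _derive(password, salt)

def verify_password(password: str, record: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, expected = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(_derive(password, salt), expected)

if __name__ == "__main__":
    long_pw = "correct horse battery staple " * 4    # constructed sample, over 100 characters
    record = hash_password(long_pw)
    print(len(record), len(hash_password("AAAAAA")))  # record size does not depend on password length
    print(verify_password(long_pw, record))           # full password
    print(verify_password(long_pw[:20], record))      # first 20 characters only
    print(verify_password(long_pw.upper(), record))   # same letters, different case
```

With storage like this a reminder email cannot contain the original password, so account recovery has to be a reset rather than a reminder.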

Detailed error logging is turned on

If an error occurs, you are given a detailed error log.

This leaks information such as the directory structure, what attack mitigation rules are in place and so on. Sometimes these error logs can even leak things like usernames and passwords.

They should be turned off on a production server. This is web admin 101.

Open redirect on login form

Often when you access a page that requires authentication, a site will pass a referrer (i.e. the page you were on) to the login page. This is so you are seamlessly returned to the page you wanted to access, after logging in.

It’s absolutely vital that this referrer URL is not a free choice.

Why? Picture this attack.

The attacker sends this URL to the victim:

The victim logs in to the real site, and is redirected to the attacker’s fake login page. This fake page says that the victim has entered their password incorrectly.

The victim logs in again. His credentials are stored by the attacker, and he is returned to the genuine site.

This is a glaringly obvious issue and very serious.
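A sketch of the check the login form needs before it redirects, as an added example that is not from the original post or the site's code. The function name, the default landing page and the sample values are hypothetical; the rule it implements is "only a path on this site is accepted, anything else falls back to a fixed page".

```python
from urllib.parse import urlsplit

DEFAULT_AFTER_LOGIN = "/"  # hypothetical landing page

def safe_return_path(target, default=DEFAULT_AFTER_LOGIN):
    """Return target only if it is a local path; otherwise return the default."""
    if not target:
        return default
    # Browsers treat "\" like "/" and silently drop tabs/newlines, so a value
    # such as "/\host" can still leave the site. Reject those outright.
    if "\\" in target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:          # malformed authority, e.g. an unclosed "["
        return default
    if parts.scheme or parts.netloc:
        return default          # absolute URL or scheme-relative "//host/..."
    if not target.startswith("/") or target.startswith("//"):
        return default          # must be a single-slash path on this site
    return target

if __name__ == "__main__":
    # Constructed sample values for the return parameter.
    for value in ["/candidate/cv?id=7",
                  "https://login.attacker.example/",
                  "//login.attacker.example/",
                  "/\\login.attacker.example"]:
        print(repr(value), "->", safe_return_path(value))
```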

No protection against cross-site request forgery

There is no evidence of any protection against cross-site request forgery (CSRF). This includes pages used to change passwords and other details.

Cross-site request forgery means I can send a crafted link to a user (e.g. by email), and if they click on the link, the action will be carried out as the user.

A very simple example would be something like:

And the logged in user would have their password changed to ABCDEF.

The actual mechanics are more complex than this. Regardless, you cannot deploy a public facing website dealing with logins or confidential information without CSRF protection.
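One way to add the missing protection, as an added example that is not from the original post or the site's code: a token tied to the user's session is embedded in each form and checked before any state change, and state changes are refused over GET. The handler, the `csrf_token` field name and the status codes returned are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (generated at start-up here)
NONCE_HEX_LEN = 32

def _mac(session_id: str, nonce: str) -> str:
    # Fixed-length nonce first, so the nonce/session boundary is unambiguous.
    msg = nonce.encode() + b"|" + session_id.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_csrf_token(session_id: str) -> str:
    """Token placed in a hidden form field when the page is rendered."""
    nonce = secrets.token_hex(NONCE_HEX_LEN // 2)
    return f"{nonce}.{_mac(session_id, nonce)}"

def check_csrf_token(session_id: str, token) -> bool:
    """True only for a token issued for this session by this server."""
    if not token or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    if len(nonce) != NONCE_HEX_LEN:
        return False
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())

def handle_change_password(method: str, session_id: str, form: dict) -> int:
    """Hypothetical handler: returns the HTTP status it would send."""
    if method != "POST":
        return 405   # a clicked link is a GET, so it can never change state
    if not check_csrf_token(session_id, form.get("csrf_token")):
        return 403   # forged cross-site form: no token, or one from another session
    return 200       # the password change would happen here

if __name__ == "__main__":
    token = issue_csrf_token("session-A")   # constructed session identifier
    print(handle_change_password("GET", "session-A", {"password": "ABCDEF"}))
    print(handle_change_password("POST", "session-A", {"password": "ABCDEF"}))
    print(handle_change_password("POST", "session-A",
                                 {"password": "ABCDEF", "csrf_token": token}))
```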

Cookies don’t have HTTPOnly flag set.

Cookies are used to remember that you are logged into a site using something called a session token. If you get hold of someone else’s session token, you can act as if you were logged in as them.

A common attack is to steal a cookie by making the browser run malicious JavaScript (exploiting a vulnerability called XSS) that sends the cookie to an attacker.

The HTTPOnly flag prevents JavaScript from reading the cookie. It makes stealing the cookie much harder. Above all, nearly all of the time, there is no penalty to setting it. It has no downsides.

Again, this is basic stuff.

An arsehole security warning

Do anything they don’t like, and you get this (which has since been made a 403).

There’s a strong correlation, in my experience, between OTT warnings like this and incompetence.

Overzealous XSS filters

It’s vital you protect your site from an attack called XSS, where an attacker tries to inject their own JavaScript into your pages.

There are a number of ways of doing this. You can detect basic attempts and warn a user that there is an issue, probably logging the issue and alerting admins. If there is a persistent and realistic threat, start banning IPs.

Immediately locking the IP out and issuing them with a ridiculous warning is not how to do XSS protection.

Visit the search page and search for <script>. Or just click here to do it for you. Be warned you will be banned from the site.

This has since been hidden, but someone had kindly screenshotted it:



In my experience of looking at over 100 sites, the ones that react to XSS like this tend to have wholly ineffective XSS filters – they only deal with the very obvious, and can be subverted. It’s like putting up a “Warning – Guard Dogs” sign, without the guard dogs.

Totally ineffective banning

If you trigger the overzealous XSS filters, you are banned. Or so it says.

That is, unless you use another browser. Or just manually change the user agent.

I suspect they have done this because otherwise you could easily perform a denial-of-service attack by blocking from many IPs.

This banning is token at best, and provides no extra security.

No security contact

Well, no contact at all. What do you have to do to get these people to respond to a security issue?

Conclusion

The security of this site is about as bad as it can get without just leaving everything in the open. There has been little to no regard to the security of the data or users. This is to the level that it is either extreme incompetence or negligence.

What is more worrying is that the people who developed this sell it as a product.

And, of course, who is behind this particular site? CSL Dualcom.

Update

99 other sites running software by the same company.

They have 99 problems, but their HTTPS configuration isn’t one, because they don’t use it.
