Skip to main content

Deployment & Management

Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.

Announcements
QlikWorld 2023, a live, in-person thrill ride. Save $300 before February 6: REGISTER NOW!
cancel
Showing results for 
Search instead for 
Did you mean: 
kanalavs
Contributor
Contributor

pulse secure to perform an IT security assessment on secure code review and got back the vulnarabili

Hi,

Our Customer engaged pulse secure to perform an IT security assessment on secure code review and got back the reports ( attached). Reports say that there are some security vulnerabilities as follows:

  1. Dynamic code evaluation: Code Injection
  2. HTML5: Overly permissive Message Posting Policy
  3. Password Management: Empty Password
  4. Key Management: Hardcoded Encryption Key

Summary for Item1   :Many modern programming languages allow dynamic interpretation of source instructions. This capability allows programmers to perform dynamic instructions based on input received from the user. Code injection vulnerabilities occur when the programmer incorrectly assumes that instructions supplied directly from the user will perform only innocent operations, such as performing simple calculations on active user objects or otherwise modifying the user's state. However, without proper validation, a user might specify operations the programmer does not intend.

Recommendation:

Avoid dynamic code interpretation whenever possible. If your program's functionality requires code to be interpreted dynamically, the likelihood of attack can be minimized by constraining the code your program will execute dynamically as much as possible, limiting it to an application- and context-specific subset of the base programming language.

If dynamic code execution is required, unvalidated user input should never be directly executed and interpreted by the application. Instead, use a level of indirection: create a list of legitimate operations and data objects that users are allowed to specify, and only allow users to select from the list. With this approach, input provided by users is never executed directly.

Summary for Item2  :

File:qsSimpleList/qsSimpleList.js One of the new features of HTML5 is cross-document messaging. The feature allows scripts to post messages to other windows. The corresponding API allows the user to specify the origin of the target window. However, caution should be taken when specifying the target origin because an overly permissive target origin will allow a malicious script to communicate with the victim window in an inappropriate way, leading to spoofing, data theft, relay and other attacks.

Recommendation:

Do not use the * as the value of the target origin. Instead, provide a specific target origin.

 

Summary for Item3  :

File:Qlik Sense_files/client_002.js 

It is never a good idea to have an empty password. It also makes fixing the problem extremely difficult once the code is in production. The password cannot be changed without patching the software. If the account protected by the empty password is compromised, the owners of the system will be forced to choose between security and availability.

Recommendation:

Passwords should never be empty and should generally be obfuscated and managed in an external source. Storing passwords in plaintext anywhere on the web site allows anyone with sufficient permissions to read and potentially misuse the password. For JavaScript calls that require passwords, it is better to prompt the user for the password at connection time.

Summary for Item4  :

qsSimpleKPI/vendors/react.min.js

cl-horizontalselectionbar/screenshots/Abonnemang - Subscriptions _ Sheets - Qlik Sense_files/client_002.js

cl-horizontalselectionbar/screenshots/Abonnemang - Subscriptions _ Sheets - Qlik Sense_files/client_002.js

cl-horizontalselectionbar/screenshots/Abonnemang - Subscriptions _ Sheets - Qlik Sense_files/require.js

cl-horizontalselectionbar/screenshots/Abonnemang - Subscriptions _ Sheets - Qlik Sense_files/require.js

cl-kpi/external/lodash/lodash.js

 An attacker may be able to exploit known vulnerabilities against other users.

Recommendation:

Review if the application uses functions that are affected by the reported issues. Where possible, test and install latest security patches.

If not already in place, ensure that a patch management process is adhered to. Such a process should consist at least the following:

  • Inventory of supporting software components, build numbers, patched date and product EOL
  • Regular checks on (or subscription to) product vendor security advisories

Regular process to test and deploy security updates

Any suggestions on this.

Thanks,

Sarojinidevi

3 Replies
Zareh_T
Support
Support

Qlik support is handling this case offline.

swiftsafe
Contributor
Contributor

IoT is a platform to connect the things which have an internet. A connected device is a complex solution, with various potential entry doors for an attacker. A connected device pentest IoT includes tests on the entire object ecosystem. That is electronic layer, embedded softwares, communications protocol, servers, web and mobile interface. The pentest on the electrical side,embedded softwares, and communication protocol concern vulnerabilities more specifically the IoT.
There are three types of attacks on connected objects and embedded systems. Software attack, non-invasive and invasive hardware attacks. The first take advantage of software vulnerabilities, the second recover information from the hardware without damaging it while the third involve opening the components and therefore destroying them in order to be able to extract secrets. While the first two types of attacks do not require many resources, this is not thecase for invasive attacks, for which very expensive equipment is requires.

1. Increase Visibility Across Siloed Business Functions to Improve Business Maturity.
2. Drive Innovation with Data Analytics.
3. Improve Efficiency with Fleet Monitoring
4. Gain Real-time Insights from Connected Assets.
5. Increase Production with Data Analytics.
6. Monitor Workers to Mitigate Risk.

<IMG src="x-javascript&colon;alert('https://swiftsafe.com/');">
<IMG src=x-javascript&colon;alert('https://swiftsafe.com/')>
<IMG src=x-javascript&colon;alert('https://swiftsafe.com/')>
<IMG src=x-javascript&colon;alert("https://swiftsafe.com/")>

kateronhur
Contributor
Contributor

Cybersecurity has never been as important as it is now. As we spend more time online, we often create and share more of our personal data. And if this data falls into the wrong hands, personal and financial information may be at risk. Thus, for both businesses and individuals, the protection of confidential data is crucial. Therefore, I have protected myself thanks to jealouscomputers.com  and it really helped me! Due to the fact that in the modern world a lot depends on the stability of the operation of computerized systems, great attention is paid to cybersecurit