Vulnerability Issues

    Question

  • Hi Team,

    Current setup:

    There are 5 reports generated and displayed via URL to the end users. I have used the default configuration to generate SSRS web service URL and this is called by NETIQ SSO server. After VAPT was performed the below 6 issues were highlighted. Please let me know how it can be closed.

    Vulnerability 1: Weak Cipher Suites

    The remote host supports the use of MD5.

    The MD5 cipher is flawed in its generation of a pseudo-random stream of bytes, so that a wide variety of small biases are introduced into the stream, decreasing its randomness.

    Vulnerability 2: Sensitive Information disclosed

    The HTTP responses returned by this web application include a header named Server. The value of this header includes the version of Server, Asp.Net & Mysql.

    Vulnerability 3: Strict transport security not enforced

    The HTTP Strict Transport Security policy defines a timeframe where a browser must connect to the web server via HTTPS.

    Vulnerability 4: Cacheable HTTP response

    Browsers may store a local cached copy of content received from web servers.

    If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

    Vulnerability 5: Click-jacking

    No X-Frame-Options header found in response.

    Vulnerability 6: View state Parameter Not Encrypted

    The __VIEWSTATE parameter is not encrypted. To reduce the chance of someone intercepting the information stored in the View State, it is good design to encrypt the View State. To do this, set the machine Key validation type to AES. This instructs ASP.NET to encrypt the View State value using the Advanced Encryption Standard. View State, which by default is Base64 encoded can be easily decoded.

    Below each vulnerability, the description is provided. Please assist me in closing this issue.

    Friday, March 15, 2019 5:54 AM
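As an added check that is not part of this thread, the Python below audits a single HTTP response against findings 2 to 6 from the post; finding 1 (cipher suites) is a TLS handshake property and is not visible in HTTP headers, so it is not covered. The response and ViewState are constructed samples, not captures from the SSRS server, and the ViewState check assumes the 0xFF 0x01 format marker that ASP.NET's ObjectStateFormatter writes in front of an unencrypted state graph.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample response, modelled on the findings in the post (not a real SSRS capture).
SAMPLE_HEADERS = {
    "Server": "Microsoft-IIS/10.0",
    "X-Powered-By": "ASP.NET",
    "Cache-Control": "private",
    "Content-Type": "text/html; charset=utf-8",
}
# ObjectStateFormatter prefixes an unencrypted state graph with the bytes 0xFF 0x01;
# ciphertext from an encrypted ViewState has no such fixed prefix (assumption noted above).
SAMPLE_VIEWSTATE = base64.b64encode(b"\xff\x01\x0f\x05\x01\x00\x00\x00\x00").decode()
SAMPLE_BODY = f'<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="{SAMPLE_VIEWSTATE}" />'


def hsts_max_age(value: str) -> int:
    """max-age from a Strict-Transport-Security value; 0 if absent or unparsable."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def extract_viewstate(body: str) -> Optional[str]:
    """Pull the base64 __VIEWSTATE value out of an HTML form, if present."""
    m = re.search(r'name="__VIEWSTATE"[^>]*value="([^"]*)"', body)
    return m.group(1) if m else None


def viewstate_looks_encrypted(viewstate_b64: str) -> bool:
    """False when the decoded bytes start with the plaintext ObjectStateFormatter marker."""
    raw = base64.b64decode(viewstate_b64)
    return not raw.startswith(b"\xff\x01")


def audit_response(headers: Dict[str, str], body: str) -> List[int]:
    """Return the numbers (2-6, as in the post) of findings this response still exhibits."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[int] = []
    if re.search(r"\d", h.get("server", "")) or "x-powered-by" in h:
        findings.append(2)  # version string or technology banner disclosed
    if hsts_max_age(h.get("strict-transport-security", "")) <= 0:
        findings.append(3)  # HSTS header missing or max-age=0
    if "no-store" not in h.get("cache-control", "").lower():
        findings.append(4)  # response may be written to the browser cache
    csp = h.get("content-security-policy", "").lower()
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append(5)  # nothing stops the page from being framed
    vs = extract_viewstate(body)
    if vs is not None and not viewstate_looks_encrypted(vs):
        findings.append(6)  # plaintext ObjectStateFormatter marker visible after base64 decode
    return findings
```

Run it against the headers and body of one report URL; an empty list means findings 2 to 6 are closed for that response, and finding 1 still needs a TLS-level scan of the server's cipher suites.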

All replies

  • Hi DICGC_IN

    According to your description, it seems that you want to find methods to avoid these vulnerabilities in SSRS.

    If so, it seems this is more related to the development side. It seems most of the aspects you referred to could not be fixed just by configuring the settings.

    I suggest you could try to post the thread at: https://feedback.azure.com/forums/908035-sql-server.

    If the requirement is mentioned by customers many times, the product team may consider adding this feature in the next SQL Server version. Your feedback is valuable for us to improve our products and increase the level of service provided.

    Thanks for your support and understanding.

    Best Regards,

    Eric Liu


    18 hours 59 minutes ago