04-05-2013 08:21 AM
Since this upgrade was purchased last year our agency has been trying to move it into our production environment. The issue that we are having is that before any of our web based applications can be moved into the production environment they must be scanned using Cenzic Hailstorm. We are currently at Version 22.214.171.124 and the score that the application has received is a very high score of 4151. We have tried to work with the company to no avail, so we decided to try and come over to the user community to see if anyone else had this issue. The issues that Cenzic has identified are:
Non-SSL Form / Non-SSL Password - These are only issues if the site being scanned (in test mode) was supposed to be in SSL but failed for whatever reason. Since this was a scan of a test location, SSL was probably not set up, so this isn't a concern.
Form Caching / Cross-Frame Scripting - Adding the following code to the <HEAD> section of the html on your pages / include file / master page:
This should eliminate all of the Form Caching and Cross-Frame scripting issues.
Cookie Vulnerabilities - Add this code to your web.config file:
<httpCookies httpOnlyCookies="true" requireSSL="true" />
This should resolve this issue.
Web Server Vulnerabilities - This isn't something that we need to be concerned about from an application perspective as this vulnerability simply identifies the type of web server the application is running on and lists its potential vulnerabilities.
Thank you for any help that you may be able to provide.
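As an added example (not part of the original post and not Cenzic's own rules), here is a small checker that re-tests one captured HTTP response for the finding classes listed above, so the fixes can be confirmed before the next Hailstorm scan. The heuristics, the header names used for the caching and framing checks, and the sample response are assumptions.

```python
# Added example: audit one captured HTTP response for the five Hailstorm
# finding classes discussed in the post. Thresholds and header choices are
# assumptions, not the scanner's actual logic.
import re


def audit_response(url, headers, body):
    """Return the finding names that apply to this response, in post order.

    headers: dict of header name -> value; Set-Cookie may be a list.
    """
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    lower = body.lower()
    has_form = "<form" in lower

    # Non-SSL Form / Non-SSL Password: a form (with a password field)
    # delivered over plain HTTP rather than HTTPS.
    if has_form and url.lower().startswith("http://"):
        findings.append("Non-SSL Form")
        if 'type="password"' in lower:
            findings.append("Non-SSL Password")

    # Form Caching: a page carrying a form should forbid caching entirely.
    if has_form and "no-store" not in h.get("cache-control", "").lower():
        findings.append("Form Caching")

    # Cross-Frame Scripting: no anti-framing header on the response.
    csp = h.get("content-security-policy", "").lower()
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("Cross-Frame Scripting")

    # Cookie Vulnerabilities: every cookie needs both HttpOnly and Secure,
    # which is what httpOnlyCookies="true" requireSSL="true" enforces.
    raw_cookies = h.get("set-cookie", [])
    if isinstance(raw_cookies, str):
        raw_cookies = [raw_cookies]
    for raw in raw_cookies:
        attrs = {part.strip().lower() for part in raw.split(";")[1:]}
        if "httponly" not in attrs or "secure" not in attrs:
            findings.append("Cookie Vulnerabilities")
            break

    # Web Server Vulnerabilities: a Server banner that leaks a version.
    if re.search(r"/\d", h.get("server", "")):
        findings.append("Web Server Vulnerabilities")
    return findings
```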