WAPT DataHub - Final

The technical report details a Web Application Penetration Test conducted on Generali IAWM's DataHub application in a QA environment, identifying 12 vulnerabilities with varying severity levels. The assessment revealed 1 high impact, 7 medium impact, and 4 low impact vulnerabilities, posing risks to the application's confidentiality, integrity, and availability. The report includes a comprehensive analysis of vulnerabilities, methodologies used, and the tools employed during the testing process.


GENERALI IAWM

DATAHUB

Web Application Penetration Testing


Technical Report

Doc. type: Technical Report Issue date: October 4, 2024 Version: 1.0
Classification: For Generali IAWM only

REPLY
C.so Francia, 110 - 10143 Torino - Italia
tel +39 011 7711594 - fax +39 011 7495416
[email protected]

www.reply.com
Generali IAWM: DataHub
Web Application Penetration Testing - Technical Report

STATE OF THE DOCUMENT

Review  Date        Changes        Approved by
1.0     04/10/2024  First release  Reply

ATTACHMENTS

▪ 20240923 - Generali IAWM - DataHub - Vulnerabilities - v1.0.xlsx

Version: 1.0 Issue date: October 4, 2024 Page: 2/35



INDEX

1 INTRODUCTION 4
1.1 Description of the activity 4
1.2 Scope of the activity 4
1.3 Tools used 4
1.4 Methodology 5

2 EXECUTIVE SUMMARY 6

3 SEVERITY AND CLASSIFICATION 7


3.1 CVSSv3.1 score 7
3.1.1 Base metric 7
3.1.2 Temporal metric 7
3.1.3 Environmental metric 7
3.2 Severity levels 7
3.3 References 8

4 TECHNICAL DETAILS 9
4.1 Application vulnerabilities 9
4.1.1 Improper Isolation or Compartmentalization 9
4.1.2 Sensitive Data Exposure 14
4.1.3 Unencrypted communications 17
4.1.4 Session token in URL 18
4.1.5 User enumeration 19
4.1.6 Broken session management: session fixation 21
4.1.7 SSL cookie without Secure flag set 23
4.1.8 Formula Injection 24
4.1.9 Information disclosure: path discovery 27
4.1.10 Information disclosure: software version 28
4.1.11 Frameable response (Clickjacking) 29
4.1.12 Missing HTTP Security headers 32

LIST OF FIGURES 34

LIST OF TABLES 35


1 INTRODUCTION

This document describes the activity carried out by Reply in September 2024 to assess the security of the DataHub
web application, by Generali IAWM, in the QA environment.

1.1 Description of the activity


The activity presented here is what is commonly referred to as a Web Application Penetration Test (WAPT), which
can be summarized as a series of attacks carried out against a target web application by the penetration tester,
impersonating a hypothetical aggressor. More precisely, the aggressor acts here in a gray box scenario: he therefore
has partial knowledge of the internal workings of the web application, such as a subset of credentials (e.g., test
accounts with different privileges) or high-level architectural information and network diagrams. The goal is to
simulate an attack scenario where the tester has acquired some level of insider knowledge about the web application.
This approach aims to provide a more realistic assessment of the security posture of the web application, as it
strikes a balance between the realism of black box testing (where the tester has no prior knowledge) and the depth of
analysis possible in white box testing (where the tester has full access to internal details). It can also help
identify vulnerabilities that may be challenging to discover in a purely black box scenario: the tester can leverage
the provided information to simulate more sophisticated attack scenarios.
The techniques used by Reply during the tests aim to cover a range of methodologies and scenarios as broad as
possible, in order to identify all the plausible attack surfaces exposed by the targets. For this purpose, both
automated scanning tools and manual techniques were used.
This activity excludes any attacks aimed at exhausting the physical resources of the network under attack, causing
outages (Denial of Service), as well as attacks based on Social Engineering techniques.

1.2 Scope of the activity


The scope of the analysis is given in the following Table.

Application  Name                   Environment  URL
DataHub      NeoXam DataHub Client  QA           http://datahubqa.corp.generali.net:8080/sw/visage

Table 1: Scope of the analysis - web application

The following users were provided by Generali IAWM for the activity.

Username Role
e3acapp4 Admin

Table 2: Scope of the analysis - users

1.3 Tools used


During the assessment phase, both automatic scanners and other tools (publicly available and/or owned by Reply)
were used.
The tools used include, among others:
▪ PortSwigger Burpsuite
▪ Tenable Nessus Professional
▪ Nmap


1.4 Methodology
This activity was performed using notebooks equipped with GNU/Linux or Windows 10 operating systems.

Tests were performed in accordance with the Open Source Security Testing Methodology available at
http://www.osstmm.org/, and thereby fall within best practices for security testing.


2 EXECUTIVE SUMMARY

The activity presented here aimed at assessing the security level of the DataHub web application in the QA environment.
Tests were conducted from Reply offices in Milan, reaching targets by using a dedicated environment provided by
Generali IAWM (e.g., VPN, Citrix and VMs).
Overall, the assessment led to the identification of 12 vulnerabilities, which are distributed as follows:

Figure 1: Vulnerabilities distribution by severity

The assessment of the application highlighted the following weaknesses:

▪ 1 vulnerability with High impact
▪ 7 vulnerabilities with Medium impact
▪ 4 vulnerabilities with Low impact
Leveraging the most severe vulnerabilities, an attacker could execute arbitrary code on the server machine by
escaping the Citrix environment, and obtain sensitive data. This set of issues represents a threat to the
Confidentiality, Integrity and Availability of the application.
The overall risk highlighted by the here presented Web Application Penetration Testing is summarized in the table
below:

Target   Application Side
DataHub  High

Table 3: Global severity status of the analysis target


3 SEVERITY AND CLASSIFICATION

This Section presents the metric used by Reply to associate a specific level of severity with each vulnerability
discovered during this activity.

3.1 CVSSv3.1 score


The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the
characteristics and impacts of IT vulnerabilities. CVSS consists of three groups: Base, Temporal and
Environmental. Each group produces a numeric score ranging from 0 to 10, and a Vector, a compressed textual
representation that reflects the values used to derive the score.
For a complete reference of the scoring based on the framework CVSS refer to NVD Common Vulnerability Scoring
System Support v3.1 and FIRST CVSS 3.1 Guide.

3.1.1 Base metric


The Base metric group represents the intrinsic characteristics of a vulnerability that are constant over time and
across user environments. It is composed of two sets of metrics: the Exploitability metrics and the Impact metrics.
The Exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited; that is,
they represent characteristics of the vulnerable component. On the other hand, the Impact metrics reflect the direct
consequence of a successful exploit to the impacted component, which could be different from the vulnerable one.

3.1.2 Temporal metric


The Temporal metric group reflects the characteristics of a vulnerability that may change over time but not across
user environments. More specifically, the Temporal metrics measure the current state of exploit techniques or code
availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability. For
example, the presence of a simple-to-use exploit kit would increase the CVSS score, while the creation of an
official patch would decrease it.

3.1.3 Environmental metric


These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT
asset to a user’s organization, measured in terms of complementary/alternative security controls in place,
Confidentiality, Integrity, and Availability. The metrics are the modified equivalent of Base metrics and are assigned
values based on the component placement within organizational infrastructure.

3.2 Severity levels


The score introduced above is used in the present document to assign a level of severity to each security issue.
The table below summarizes the possible values of criticality with a brief description of their meaning.

Severity Level  Description

Critical        The vulnerability allows the attacker to completely compromise the target application.
                (CVSS score: 9.0-10.0)
High            The vulnerability allows executing malicious code, gaining unauthorized access to administrative
                sections of the application, or accessing data stored in databases. (CVSS score: 7.0-8.9)
Medium          The vulnerability allows acquiring sensitive, or at least important, information that can be used in
                subsequent attacks. The vulnerability could allow an attacker to modify the normal operation of the
                application. (CVSS score: 4.0-6.9)
Low             The vulnerability allows acquiring information on the configuration, or at least permits an attack
                with limited impact on the business of the client. (CVSS score: 0.0-3.9; 0.1-3.9 in case the
                Informational level is used)
Informational   Depending on the context and client needs, this further severity level can be used to represent
                findings that do not represent a security risk but still deserve formal notification in the report.
                (CVSS score: 0.0)

Table 4: Severity levels

3.3 References
For each detected vulnerability, a reference to one or more vulnerability databases that are easily accessible on the
Internet is provided. These references allow the reader to retrieve additional information on the reported
vulnerability at the sites listed below.

Reference Description URL
CVE Common Vulnerabilities and Exposures http://www.cve.mitre.org/
CAN CVE Candidate Name http://www.cve.mitre.org/
BID Bugtraq ID http://www.securityfocus.com/bid
XF ISS XForce Database http://xforce.iss.net/
SECUNIA Secunia Bulletin http://secunia.com
OSVDB Open Source Vulnerability Data Base http://www.ovsdb.org
OWASP Open Web Application Security Project http://www.owasp.org
RHSA Red Hat Security Advisory http://www.redhat.com
CIAC Computer Incident Advisory Capability http://ciac.llnl.gov/ciac/index.html
MS Microsoft Security Bulletin http://security.microsoft.com
CERT CERT Vulnerability Database http://www.cert.org/kb/
NESSUS Nessus ID http://www.nessus.org

Table 5: References


4 TECHNICAL DETAILS

This Section offers an in-depth analysis of the security issues discovered during this activity. An overview can be
found in the following Table: for each vulnerability, the related severity level, as well as an ID for future
reference, is provided.

ID Name Severity
Web
REPLY_IT_DATAHUB_202409_01 Improper Isolation or Compartmentalization High
REPLY_IT_DATAHUB_202409_02 Sensitive Data Exposure Medium
REPLY_IT_DATAHUB_202409_03 Unencrypted communications Medium
REPLY_IT_DATAHUB_202409_04 Session token in URL Medium
REPLY_IT_DATAHUB_202409_05 User enumeration Medium
REPLY_IT_DATAHUB_202409_06 Broken session management: session fixation Medium
REPLY_IT_DATAHUB_202409_07 SSL cookie without Secure flag set Medium
REPLY_IT_DATAHUB_202409_08 Formula Injection Medium
REPLY_IT_DATAHUB_202409_09 Information disclosure: path discovery Low
REPLY_IT_DATAHUB_202409_10 Information disclosure: software version Low
REPLY_IT_DATAHUB_202409_11 Frameable response (Clickjacking) Low
REPLY_IT_DATAHUB_202409_12 Missing HTTP Security headers Low

Table 6: Vulnerabilities overview

4.1 Application vulnerabilities

4.1.1 Improper Isolation or Compartmentalization


ID OWASP category
REPLY_IT_DATAHUB_202409_01 2021-A4-Insecure Design
Description
One of the commonly overlooked virtualization security issues is environment or application jailbreaking. Jailbreaking is the
ability to abuse an application running in the virtualized or physical environment to launch other applications, spawn command
shells, execute scripts and perform other unintended actions prohibited by administrators. Application jailbreaking can provide
an attacker with an initial foothold into the environment and domain. It is common for attackers to leverage this initial foothold
to gain access to the internal network, escalate privileges, move laterally, and compromise the entire enterprise environment.

Details
With the provided Citrix configuration it is possible to escape from the application and execute arbitrary commands on
the host machine.

Starting from the NeoXam DataHub Client it is possible to escape from its context by following a few simple steps:

▪ Open any screen (e.g. Users), and then select "File → Print" (Figure 2)
▪ In the Print screen select "Microsoft Print to PDF" and hit OK (Figure 3)
▪ Once Windows Explorer is started, in the path bar enter the powershell command and hit enter (Figure 4)


Figure 2: Context escape procedure - Abusing the File Print feature

Figure 3: Context escape procedure - Saving the file as PDF


Figure 4: Context escape procedure - Entering the command in Windows Explorer

The payload launches an instance of PowerShell, from which any command can be executed on the host machine.

Figure 5: Context escape procedure - Payload execution

It is possible to navigate within the system freely in search of useful information. For example, it is possible to navigate within
the installation path of the client itself, as shown in the figure below.


Figure 6: NeoXam DataHub Client installation path

Furthermore, it is possible to access and surf the internet, as shown in the figure below.

Figure 7: Accessing the Internet

Note that a blacklist approach (e.g., disabling CMD or a single application) will not work, because an attacker could
find a different way to execute commands on the server.

Note that the vulnerability is exploitable with all the tested users; it is recommended to check the whole application.

Severity CVSSv3.1 score
High 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)
Remediation
Restricting what a user can do is an especially challenging task where a full Desktop Environment is available to that
user. Operating Systems are designed by default to be feature-rich and as user friendly as possible; unfortunately,
these two attributes are not synonymous with security. We recommend that any remote environment be configured in a
pragmatic fashion, offering users the bare minimum of functionality they need to carry out their tasks. This reduces
the overall attack surface that is available. All default configurations should be tweaked and hardened to minimize
any possible routes that an attacker may use to “break out” or escalate their privileges. For more information, please
have a look at:

▪ https://www.citrix.com/about/legal/security-compliance/


▪ https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/system-hardening-for-xenapp-and-xendesktop.pdf

Findings
▪ NeoXam DataHub Client


4.1.2 Sensitive Data Exposure


ID OWASP category
REPLY_IT_DATAHUB_202409_02 2021-A1-Broken Access Control
Description
Sensitive data has been found hardcoded inside the application code or its default files/resources, which could impact the
security of the application itself and the other data therein contained.

Sensitive data, such as encryption keys or default credentials, are sometimes incorporated in the source code by application
programmers for ease of development, and erroneously left in production stage. Any attacker, even with little reverse
engineering skills, could be able to find such data and use it for further attacks.

Details
An attacker, abusing the vulnerability described in Section 4.1.1, is able to access the Windows Explorer screen which
exposes a shared directory, as shown in the figure below.

Figure 8: Access to shared directory via powershell

Several files were found inside the shared directory, including log files of all client users, and other files containing sensitive
data, such as clear-text login credentials.

Below is a list of files and paths that expose sensitive data:

▪ \\corp.generali.net\fscitrixapp\XDPROFILES\XDHOMES\e3gdrigo\Documents\Shortcuts\Password.txt
▪ \\corp.generali.net\FSNASCIFS\NAS_SMARTCO_HIPERF\Log\QA\*


Figure 9: Clear-text credentials

Figure 10: NeoXam DataHub log files

Please note that not all paths are accessible, as demonstrated by the following error shown in the figure below.


Figure 11: Access denied

We strongly recommend implementing the suggested remediation on the indicated endpoints, but also to review the whole
application.

Severity CVSSv3.1 score
Medium 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Remediation
Sensitive data should not be hardcoded in application binaries or default files; instead, the application should
implement a secure mechanism to gather it at runtime, and store it in a secure way (e.g., using encryption) only if
necessary.

Findings
▪ \\corp.generali.net\FSNASCIFS\NAS_SMARTCO_HIPERF\Log\*
▪ \\corp.generali.net\fscitrixapp\*


4.1.3 Unencrypted communications


ID OWASP category
REPLY_IT_DATAHUB_202409_03 2021-A2-Cryptographic Failures
Description
The application allows users to connect to it over unencrypted connections. An attacker suitably positioned to view a legitimate
user's network traffic could record and monitor their interactions with the application and obtain any information the user
supplies. Furthermore, an attacker able to modify traffic could use the application as a platform for attacks against its users
and third-party websites. Unencrypted connections have been exploited by ISPs and governments to track users, and to inject
adverts and malicious JavaScript. Due to these concerns, web browser vendors are planning to visually flag unencrypted
connections as hazardous.

To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. This scenario
typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate
or home network that is shared with a compromised computer. Common defenses such as switched networks are not
sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this
attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.

Please note that using a mixture of encrypted and unencrypted communications is an ineffective defense against active
attackers, because they can easily remove references to encrypted resources when these references are transmitted over an
unencrypted connection.

Details
Please note that without proper encryption, sensitive information is vulnerable to interception by man-in-the-middle attackers.

Severity CVSSv3.1 score
Medium 5.3 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
Remediation
Applications should use transport-level encryption (SSL/TLS) to protect all communications passing between the client and the
server. The Strict-Transport-Security HTTP header should be used to ensure that clients refuse to access the server
over an insecure connection.

Findings
▪ http://datahubqa.corp.generali.net:8080


4.1.4 Session token in URL


ID OWASP category
REPLY_IT_DATAHUB_202409_04 2021-A7-Identification and Authentication Failures
Description
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any
forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed
around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed.

Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Details
The application exposes the session token in URLs. This is shown in Figure 12, where the JSESSIONID token is
highlighted in the URL.

Figure 12: Session token in URL

Severity CVSSv3.1 score
Medium 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Remediation
Applications should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in
forms that are submitted using the POST method.

Findings
▪ http://datahubqa.corp.generali.net:8080/sw/zkau [POST JSESSIONID]


4.1.5 User enumeration


ID OWASP category
REPLY_IT_DATAHUB_202409_05 2021-A7-Identification and Authentication Failures
Description
An attacker having access to the shared directory used by NeoXam DataHub Client would be able to obtain valid usernames
by navigating inside specific paths.

Details
In fact, as shown in the figures below, simply navigating to the following paths:

▪ \\corp.generali.net\fscitrixapp\CTXHOMES\
▪ \\corp.generali.net\FSNASCIFS\NAS_SMARTCO_HIPERF\Log\QA\
it is possible to view a series of folders/files named after the usernames of NeoXam DataHub Client users.

Figure 13: Path 1 - Retrieving NeoXam DataHub Client usernames


Figure 14: Path 2 - Retrieving NeoXam DataHub Client usernames

Severity CVSSv3.1 score
Medium 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Remediation
The NeoXam DataHub Client should not name folders/files after the usernames of NeoXam DataHub users, but should
instead use, for example, identifiers that cannot be traced back to the usernames.

Findings
▪ \\corp.generali.net\FSNASCIFS\NAS_SMARTCO_HIPERF\Log\QA\*
▪ \\corp.generali.net\fscitrixapp\CTXHOMES\*


4.1.6 Broken session management: session fixation


ID OWASP category
REPLY_IT_DATAHUB_202409_06 2021-A7-Identification and Authentication Failures
Description
Session Fixation is an attack that permits an attacker to hijack a valid user session; it leverages an error in the way some web
applications manage session IDs: when authenticating a user, they do not assign a new session ID, thus making it possible to
use an existing one. The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing a user
to authenticate himself with that session ID, and then hijacking the user-validated session by the knowledge of the used
session ID. The attacker has to provide a legitimate Web application session ID and try to make the victim's browser use it.

Session Fixation is a class of Session Hijacking. Classic hijacking steals the session established between the client
and the Web Server after the user logs in; Session Fixation instead fixes a known session on the victim's browser, so
the attack starts before the user logs in.

Details
As shown in Figure 15, the application assigns a JSESSIONID as soon as the Login page is accessed. Once the user performs
the login operation, the application does not assign a different JSESSIONID from the previous one (Figure 16).

Figure 15: JSESSIONID before login

Figure 16: JSESSIONID after login

Severity CVSSv3.1 score
Medium 4.2 (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)
Remediation
The session ID must be renewed or regenerated by the web application after any privilege level change within the
associated user session (e.g., authentication, password modification, etc.).

For further information, please refer to the following URL:

▪ https://www.owasp.org/index.php/Session_Management_Cheat_Sheet

Findings
▪ http://datahubqa.corp.generali.net:8080/sw/visage/
▪ http://datahubqa.corp.generali.net:8080/sw/zkau
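The following toy session store, added here as an illustration and not taken from the application, contrasts the observed behaviour (the JSESSIONID issued with the login page survives authentication) with the remediation above (a fresh identifier is issued at authentication and the pre-login one stops resolving). The Servlet API reference in the comment is the standard one; the usernames and store are constructed.

```python
"""Toy session store contrasting the behaviour reported in 4.1.6 (the session ID
issued with the login page survives authentication) with the remediation (a fresh
identifier is issued on authentication and the pre-login one stops resolving).
Added example, not the application's code."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None                # None until the user authenticates
    data: dict = field(default_factory=dict)  # harmless pre-login state, e.g. UI language


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        """Issue an anonymous session, as the application does when the login page is loaded."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login_vulnerable(self, sid: str, user: str) -> str:
        """Authenticate in place (the observed behaviour): the pre-login identifier keeps
        working, so whoever planted it in the victim's browser now holds an authenticated
        session."""
        self._sessions[sid].user = user
        return sid

    def login_fixed(self, sid: str, user: str) -> str:
        """Rotate the identifier on privilege change (the remediation). In a Servlet 3.1+
        container the same effect is obtained with HttpServletRequest.changeSessionId()."""
        old = self._sessions.pop(sid)          # the pre-login identifier stops resolving
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = Session(user=user, data=old.data)
        return new_sid


def demonstrate() -> dict:
    """Run both flows once with a constructed user and report whether the ID rotated."""
    store = SessionStore()
    pre = store.create()
    post = store.login_vulnerable(pre, "test.user")
    vulnerable_rotated = pre != post

    store = SessionStore()
    pre = store.create()
    post = store.login_fixed(pre, "test.user")
    fixed_rotated = pre != post and store.get(pre) is None
    return {"vulnerable_rotates_id": vulnerable_rotated, "fixed_rotates_id": fixed_rotated}


if __name__ == "__main__":
    print(demonstrate())
```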


4.1.7 SSL cookie without Secure flag set


ID OWASP category
REPLY_IT_DATAHUB_202409_07 2021-A5-Security Misconfiguration
Description
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP
connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the
secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's
scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.
Even if the domain that issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to
use links of the form http://example.com:443/ to perform the same attack.

To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. This scenario
typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate
or home network that is shared with a compromised computer. Common defenses such as switched networks are not
sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this
attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.

Details
Some cookies were transmitted by the application without the Secure flag. It is necessary to enable the Secure flag at
least for session-related tokens, such as:

▪ JSESSIONID
To demonstrate the problem, the figure below shows the value of the session cookie set after the login phase.

Figure 17: Secure flag not set

Severity CVSSv3.1 score
Medium 4.2 (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)
Remediation
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS.
If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ
their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted
communications.

Findings
▪ http://datahubqa.corp.generali.net:8080/*
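The check below, added here as an example and not part of the report or the application, audits one request URL and its Set-Cookie headers for the three transport and session-handling issues in 4.1.3, 4.1.4 and 4.1.7: a clear-text http:// scheme, a session token carried in the URL path or query string, and a session cookie issued without the Secure flag (a missing HttpOnly attribute is reported as well). The cookie values and the sample exchange in the main block are constructed; the host name is the in-scope one from Table 1.

```python
"""Audit an HTTP exchange for clear-text transport, a session token in the URL and a
session cookie without the Secure (or HttpOnly) attribute. Added example; the sample
exchange below is constructed."""
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Cookie/parameter names treated as session tokens (JSESSIONID is the one seen in this report).
SESSION_TOKEN_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid"}


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # flag-only attrs map to True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def session_tokens_in_url(url: str) -> List[str]:
    """Return session-token names found in the URL path (;jsessionid=...) or query string."""
    parts = urlsplit(url)
    found = []
    # Servlet containers may rewrite the path as /app/;jsessionid=<token> when cookies are off.
    for segment in parts.path.split(";")[1:]:
        key, _, _ = segment.partition("=")
        if key.lower() in SESSION_TOKEN_NAMES:
            found.append(key)
    for key in parse_qs(parts.query, keep_blank_values=True):
        if key.lower() in SESSION_TOKEN_NAMES:
            found.append(key)
    return found


def audit(url: str, set_cookie_headers: List[str]) -> List[str]:
    """Return human-readable findings for one request URL and the Set-Cookie headers of
    its response; an empty list means none of the three issues was observed."""
    findings = []
    if urlsplit(url).scheme.lower() == "http":
        findings.append("unencrypted transport: application served over http://")
    for token in session_tokens_in_url(url):
        findings.append(f"session token in URL: {token}")
    for raw in set_cookie_headers:
        cookie = parse_set_cookie(raw)
        if str(cookie["name"]).lower() not in SESSION_TOKEN_NAMES:
            continue
        attrs = cookie["attrs"]
        if "secure" not in attrs:
            findings.append(f"session cookie {cookie['name']} set without Secure flag")
        if "httponly" not in attrs:
            findings.append(f"session cookie {cookie['name']} set without HttpOnly flag")
    return findings


if __name__ == "__main__":
    # Constructed exchange: in-scope host, made-up token value.
    observed = audit(
        "http://datahubqa.corp.generali.net:8080/sw/visage/;jsessionid=SAMPLE0000",
        ["JSESSIONID=SAMPLE0000; Path=/sw; HttpOnly"],
    )
    hardened = audit(
        "https://datahubqa.corp.generali.net/sw/visage/",
        ["JSESSIONID=SAMPLE0000; Path=/sw; Secure; HttpOnly; SameSite=Lax"],
    )
    print("observed:", observed)
    print("hardened:", hardened)
```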


4.1.8 Formula Injection


ID OWASP category
REPLY_IT_DATAHUB_202409_08 2021-A3-Injection
Description
The web application allows users to download content to a CSV/XLSX file without properly validating the exported data.
If a user opens the downloaded CSV/XLSX file in Excel, LibreOffice or OpenOffice, this could lead to the execution of
arbitrary OS commands.

Details
The formula =cmd|' /C calc'!A0 can be injected into the highlighted exportable fields through the following request:

Request: [Update request - injection]

POST /sw/zkau HTTP/1.1
Host: datahubqa.corp.generali.net:8080
Content-Length: 302
ZK-SID: 889
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Origin: http://datahubqa.corp.generali.net:8080
Referer: http://datahubqa.corp.generali.net:8080/sw/visage/
Accept-Encoding: gzip, deflate, br
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=6ED007287A65FB83D3994FFCF54DBDB9
Connection: keep-alive

dtid=z_0yg&cmd_0=onBindCommand$message&uuid_0=vI8P0&data_0=%7B%22cmd%22%3A%22message%22%2C%22args%22%3A%7B%22message_type%22%3A%22update%22%2C%22args%22%3A%7B%22reference%22%3A%7B%22holder_id%22%3A2%2C%22row_id%22%3Anull%2C%22col_id%22%3A0%7D%2C%22value%22%3A%22%3Dcmd%7C'%20%2FC%20calc'!A0%22%7D%7D%7D

As mentioned, the values of the POST parameters highlighted above are included in an XLSX/CSV file, which can be
downloaded as below.

Figure 18: Export requests to a CSV/XLSX file

When the exported table is opened, the formula is still present and an inexperienced user could activate it by accident by selecting and confirming the cell that contains it, executing a command that, in this case, launches the calculator, as shown in the figure below.

Figure 19: Execution of the injected command that opens the calculator

Note that this vulnerability is partly mitigated by the software typically used to open this kind of file: users are warned by a pop-up about the danger, as shown in the figure below.

Figure 20: Warning pop-up

We strongly recommend implementing the suggested remediation on the indicated endpoints, and also reviewing the whole application code for the same pattern.

Severity: Medium
CVSSv3.1 score: 4.1 (AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N)
Remediation
When generating spreadsheets, fields that begin with any of the following symbols:

▪ Equals ("=")
▪ Plus ("+")
▪ Minus ("-")
▪ At ("@")

should be stripped, or sanitized by prepending a single quote (') character. This ensures that the cell is not interpreted as a formula. Furthermore, MS Excel preserves data integrity by hiding the single quote character when rendering the spreadsheet. As a best security practice, we suggest limiting all exported data to alphanumeric characters when possible.
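The following Python code, added here and not taken from the report or from the DataHub product, implements the remediation above for a CSV export: a cell whose first character is one of the listed triggers is prefixed with a single quote. It goes slightly beyond the list by also treating a leading tab or carriage return as a trigger (the OWASP CSV Injection guidance lists these too) and by leaving strings that are plain numbers, such as "-1250.50", untouched so that numeric columns stay numeric; both choices are assumptions of this example. The rows are constructed sample data.

```python
"""Added example (not from the report): neutralise formula injection in CSV exports."""

import csv
import io
from typing import Any, Iterable, List

# Leading characters that make Excel, LibreOffice and OpenOffice evaluate a cell as a
# formula: '=', '+', '-', '@' from the report's remediation, plus tab and carriage
# return, which OWASP's CSV Injection guidance also lists (an addition of this example).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def _looks_numeric(text: str) -> bool:
    try:
        float(text)
    except ValueError:
        return False
    return True


def sanitize_cell(value: Any, escape_numbers: bool = False) -> Any:
    """Prefix a cell that starts with a formula trigger with a single quote.

    Spreadsheet software then stores the cell as text and (in Excel) hides the
    quote when rendering. Non-string values pass through unchanged. By default a
    string that is simply a number, such as "-1250.50", is also left unchanged so
    that numeric columns are not turned into text; pass escape_numbers=True to
    apply the report's rule literally.
    """
    if not isinstance(value, str) or not value:
        return value
    if value[0] not in FORMULA_TRIGGERS:
        return value
    if not escape_numbers and _looks_numeric(value):
        return value
    return "'" + value


def export_csv(rows: Iterable[Iterable[Any]], header: List[str]) -> str:
    """Write header and rows to CSV text, sanitising every cell on the way out."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([sanitize_cell(h) for h in header])
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample rows: the "name" and "note" columns hold user-controlled text,
# and the first row's note is a harmless spreadsheet formula used to show the escaping.
SAMPLE_HEADER = ["holder_id", "name", "balance", "note"]
SAMPLE_ROWS = [
    [2, "ACME Holdings", "-1250.50", "=SUM(A1:A2)"],
    [3, "@Globex", "+42", "plain note"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS, SAMPLE_HEADER), end="")
```

Apply the same `sanitize_cell` to every string written into an XLSX export as well; the single quote is what the spreadsheet honours, so the file format does not change the rule. If the exporter keeps numeric columns as numbers rather than strings, the numeric exemption is never needed and `escape_numbers=True` is the safer default.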

Findings

▪ http://datahubqa.corp.generali.net:8080/sw/zkau [POST data_0]

4.1.9 Information disclosure: path discovery

ID: REPLY_IT_DATAHUB_202409_09
OWASP category: 2021-A4-Insecure Design

Description
The application unintentionally reveals to its users information that is sensitive, reserved, or unnecessary for the purpose of the application itself.

Even when apparently of limited use (e.g., the version of a remote piece of software), any leakage could reveal additional attack surface.

Details
As shown in the figure below, some absolute paths are disclosed during NeoXam DataHub Client startup.

Figure 21: Absolute paths disclosure

Severity: Low
CVSSv3.1 score: 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Remediation
Review the application code and remove any unnecessary disclosure of sensitive or reserved data from the server's responses.

Findings
▪ NeoXam DataHub Client

4.1.10 Information disclosure: software version

ID: REPLY_IT_DATAHUB_202409_10
OWASP category: 2021-A4-Insecure Design

Description
The application unintentionally reveals to its users information that is sensitive, reserved, or unnecessary for the purpose of the application itself.

Even when apparently of limited use (e.g., the version of a remote piece of software), any leakage could reveal additional attack surface.

Details
As shown in the figure below, the application discloses information about the web server in use. Specifically, navigating to the root path shows the default Apache Tomcat page.

Figure 22: Apache Tomcat default page

Severity: Low
CVSSv3.1 score: 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Remediation
Review the application and server configuration and remove any unnecessary disclosure of sensitive or reserved data from the server's responses.

Findings
▪ http://datahubqa.corp.generali.net:8080/

4.1.11 Frameable response (Clickjacking)

ID: REPLY_IT_DATAHUB_202409_11
OWASP category: 2021-A5-Security Misconfiguration
Description
If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it might be possible for a page
controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page
overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform
actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the
application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery,
and may result in unauthorized actions.

Note that some applications attempt to prevent these attacks from within the HTML page itself, using "framebusting" code.
However, this type of defense is normally ineffective and can usually be circumvented by a skilled attacker.

Details
The application is vulnerable to clickjacking attacks. The following images serve as proof of concept.
Figure 23 shows the HTML code used to perform a clickjacking attack. Figure 24 shows the forged page, where a button is overlaid on the target interface. When a victim clicks the button, he/she is redirected to a "malicious" site.

Figure 23: Login page - HTML code

Figure 24: Login page - Forged page

Severity: Low
CVSSv3.1 score: 3.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)
Remediation
Server-side protection against clickjacking is provided by defining and communicating constraints over the use of components
such as iframes. However, implementation of protection depends upon browser compliance and enforcement of these
constraints. Two mechanisms for server-side clickjacking protection are X-Frame-Options and Content Security Policy.

X-Frame-Options was originally introduced as an unofficial response header in Internet Explorer 8 and it was rapidly adopted
within other browsers. The header provides the website owner with control over the use of iframes or objects so that inclusion
of a web page within a frame can be:

▪ prohibited (deny directive)
▪ restricted to the same origin as the website (sameorigin directive)
▪ restricted to a named website (allow-from directive)

X-Frame-Options: deny
X-Frame-Options: sameorigin
X-Frame-Options: allow-from https://normal-website.com

X-Frame-Options is not implemented consistently across browsers (the allow-from directive is not supported in Chrome
version 76 or Safari 12 for example). However, when properly applied in conjunction with Content Security Policy as part of a
multi-layer defense strategy it can provide effective protection against clickjacking attacks.

Content Security Policy (CSP) is a detection and prevention mechanism that provides mitigation against attacks such as XSS
and clickjacking. CSP is usually implemented in the web server as a return header of the form:

Content-Security-Policy: policy

where policy is a string of policy directives separated by semicolons. The CSP provides the client browser with information
about permitted sources of web resources that the browser can apply to the detection and interception of malicious behaviors.

The recommended clickjacking protection is to incorporate the frame-ancestors directive in the application's Content Security
Policy. The frame-ancestors 'none' directive is similar in behavior to the X-Frame-Options deny directive. The frame-ancestors
'self' directive is broadly equivalent to the X-Frame-Options sameorigin directive. The following CSP whitelists frames to the
same domain only:

Content-Security-Policy: frame-ancestors 'self';

Alternatively, framing can be restricted to named sites:

Content-Security-Policy: frame-ancestors normal-website.com;

To be effective against clickjacking and XSS, CSPs need careful development, implementation and testing and should be used
as part of a multi-layer defense strategy.

Further information is provided in the following URL:

▪ https://owasp.org/www-community/attacks/Clickjacking

Findings
▪ http://datahubqa.corp.generali.net:8080/sw/visage/

4.1.12 Missing HTTP Security headers

ID: REPLY_IT_DATAHUB_202409_12
OWASP category: 2021-A5-Security Misconfiguration
Description
When an HTTP request is performed by a client, the server responds with the content along with HTTP response headers.
These headers contain content metadata such as content-encoding, cache-control and also "security" information that tells the
browsers how to handle the web content.

Multiple misconfigurations were found in the response headers. They concern:

Strict-Transport-Security HTTP header: the HTTP Strict Transport Security policy defines a period during which a browser must connect to the web server only via HTTPS. Without a Strict Transport Security policy, the web application may be vulnerable to several attacks:

▪ If the web application mixes HTTP and HTTPS, an attacker can manipulate pages in the unsecured area of the application or change redirection targets so that the switch to the secured page is not performed, or is performed in such a way that the attacker remains between client and server.
▪ If there is no HTTP server, an attacker on the same network could simulate an HTTP server and persuade the user, through social engineering, to click on a prepared URL.

The protection is effective only for the given amount of time. Multiple occurrences of this header could cause undefined behavior in browsers and should be avoided.

X-Frame-Options HTTP header: provides clickjacking protection by not allowing the site to be loaded in iframes.

Referrer-Policy HTTP header: controls how much referrer information (sent via the Referer header) should be included with requests.

Content-Security-Policy HTTP header: CSP is a browser security mechanism that aims to mitigate XSS and some other attacks. It works by restricting the resources that a page can load and whether a page can be framed by other pages. To enable CSP, a response needs to include an HTTP response header called Content-Security-Policy whose value contains the policy. The policy itself consists of one or more directives, separated by semicolons.

X-Content-Type-Options HTTP header: no X-Content-Type-Options header with the value nosniff was set in the response. Without this header, certain browsers try to determine the content type and encoding of the response themselves, even when these properties are defined correctly. This can make the web application vulnerable to Cross-Site Scripting (XSS) attacks; e.g. Internet Explorer and Safari treat responses with the content type text/plain as HTML if they contain HTML tags.

X-XSS-Protection HTTP header: cross-site scripting (XSS) filters in browsers check whether the URL contains potentially harmful XSS payloads and whether they are reflected in the response page. If such a condition is recognized, the injected code is altered so that it is no longer executed, preventing a successful XSS attack.

For current browsers, a strong CSP is enough. However, many minor or older browsers (e.g. IE 11, end of support 15th June 2022) still do not support CSP, so it is still recommended to keep the X-XSS-Protection header.

Details
The figure below shows the analysis of the target's response headers.

Figure 25: Missing HTTP security headers

Severity: Low
CVSSv3.1 score: 3.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)
Remediation
Properly configure and include HTTP security headers in server responses. Some sample configurations follow:

▪ Enable the Strict-Transport-Security header set to "max-age=<seconds>";
▪ Enable the X-XSS-Protection header set to "1; mode=block";
▪ Enable the X-Frame-Options header set to "DENY" or "SAMEORIGIN" according to requirements;
▪ Define X-Content-Type-Options with the nosniff value;
▪ Define a Content-Security-Policy following the principle of least privilege;
▪ Define a Referrer-Policy following the principle of least privilege.
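As an added example (not part of the report), the following Python function audits a response's headers for the clickjacking and missing-header issues of findings 4.1.11 and 4.1.12, using the header names and values the two remediation sections recommend. The two response header sets are constructed samples, not captures from the target; the `https` parameter is an assumption of this example that tells the audit whether the response was served over TLS, since browsers only honour Strict-Transport-Security on HTTPS responses.

```python
"""Added example (not from the report): audit HTTP response headers for the
clickjacking and missing-security-header issues (findings 4.1.11 and 4.1.12)."""

from typing import Dict, List, Optional


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def csp_directives(csp: str) -> Dict[str, str]:
    """Split a Content-Security-Policy value into {directive: value}."""
    directives: Dict[str, str] = {}
    for part in csp.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition(" ")
            directives[name.lower()] = value.strip()
    return directives


def audit_security_headers(headers: Dict[str, str], https: bool = True) -> List[str]:
    """Return one message per problem found; an empty list means every check passed."""
    issues: List[str] = []

    # Strict-Transport-Security: only meaningful on an HTTPS response; needs max-age.
    if https:
        hsts = _get(headers, "Strict-Transport-Security")
        if hsts is None:
            issues.append("Strict-Transport-Security missing")
        elif "max-age=" not in hsts.lower():
            issues.append("Strict-Transport-Security has no max-age")

    # Framing: CSP frame-ancestors is the recommended control, X-Frame-Options the
    # legacy one; the response is frameable when neither is effective.
    csp = _get(headers, "Content-Security-Policy")
    frame_ancestors = csp_directives(csp).get("frame-ancestors") if csp else None
    xfo = _get(headers, "X-Frame-Options")
    xfo_effective = xfo is not None and xfo.strip().upper() in ("DENY", "SAMEORIGIN")
    if csp is None:
        issues.append("Content-Security-Policy missing")
    elif not frame_ancestors:
        issues.append("Content-Security-Policy has no frame-ancestors directive")
    if xfo is None:
        issues.append("X-Frame-Options missing")
    elif not xfo_effective:
        # allow-from is not honoured by current browsers, so it does not count.
        issues.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")
    if not frame_ancestors and not xfo_effective:
        issues.append("response is frameable (clickjacking)")

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        issues.append("X-Content-Type-Options is not 'nosniff'")

    if _get(headers, "Referrer-Policy") is None:
        issues.append("Referrer-Policy missing")

    xxp = _get(headers, "X-XSS-Protection")
    if xxp is None or not xxp.strip().startswith("1"):
        issues.append("X-XSS-Protection is not '1; mode=block'")

    return issues


# Constructed samples (not captured from the target). WEAK_RESPONSE has the shape
# the finding describes: content headers only, no security headers at all.
WEAK_RESPONSE = {"Content-Type": "text/html;charset=UTF-8"}

HARDENED_RESPONSE = {
    "Content-Type": "text/html;charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_security_headers(response) or ["ok"])
```

Because a dict holds one value per name, the audit cannot see the duplicate Strict-Transport-Security headers that the description warns about; run that particular check over the raw header list before collapsing it. Note also that current browsers no longer implement the X-XSS-Protection filter, so the check for it only matters for the older browsers the report has in mind.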

For further details, see also:

▪ https://geekflare.com/http-header-implementation/
▪ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
▪ https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Findings
▪ http://datahubqa.corp.generali.net:8080/sw/visage/

LIST OF FIGURES

Figure 1: Vulnerabilities distribution by severity ........................................................................................................... 6


Figure 2: Context escape procedure - Abusing the File Print feature ........................................................................ 10
Figure 3: Context escape procedure - Saving the file as PDF ................................................................................... 10
Figure 4: Context escape procedure - Entering the command in Windows Explorer................................................. 11
Figure 5: Context escape procedure - Payload execution ......................................................................................... 11
Figure 6: NeoXam DataHub Client installation path ................................................................................................... 12
Figure 7: Accessing the Internet ................................................................................................................................. 12
Figure 8: Access to shared directory via powershell .................................................................................................. 14
Figure 9: Clear-text credentials ................................................................................................................................... 15
Figure 10: NeoXam DataHub log files ........................................................................................................................ 15
Figure 11: Access denied ........................................................................................................................................... 16
Figure 12: Session token in URL ................................................................................................................................ 18
Figure 13: Path 1 - Retrieving NeoXam DataHub Client usernames ......................................................................... 19
Figure 14: Path 2 - Retrieving NeoXam DataHub Client usernames ......................................................................... 20
Figure 15: JSESSIONID before login ......................................................................................................................... 21
Figure 16: JSESSIONID after login ............................................................................................................................ 21
Figure 17: Secure flag not set..................................................................................................................................... 23
Figure 18: Export requests to a CSV/XLSX file .......................................................................................................... 24
Figure 19: Execution of the injected command that opens the calculator .................................................................. 25
Figure 20: Warning pop-up ......................................................................................................................................... 25
Figure 21: Absolute paths disclosure ......................................................................................................................... 27
Figure 22: Apache Tomcat default page .................................................................................................................... 28
Figure 23: Login page - HTML code ........................................................................................................................... 29
Figure 24: Login page - Forged page ......................................................................................................................... 30
Figure 25: Missing HTTP security headers ................................................................................................................ 33

LIST OF TABLES

Table 1: Scope of the analysis - web application ......................................................................................................... 4


Table 2: Scope of the analysis - users ......................................................................................................................... 4
Table 3: Global severity status of the analysis target ................................................................................................... 6
Table 4: Severity levels ................................................................................................................................................. 8
Table 5: References ..................................................................................................................................................... 8
Table 6: Vulnerabilities overview .................................................................................................................................. 9
