Security Testing with ZAProxy
Genesys performs security testing with OWASP Zed Attack Proxy (ZAProxy) to make sure the Genesys Co-browse solution is invincible to known attacks.
The ZAProxy is an easy-to-use, integrated penetration testing tool for finding vulnerabilities in websites and web applications.
Among others, ZAProxy supports the follow methods for penetration security testing:
Genesys uses both methods.
Passive Scan Overview
ZAP is an Intercepting Proxy. It allows you to see all of the requests made to a website/web app and all of the responses received from it. For example, you can see AJAX calls that might not otherwise be obvious.
Once set up, ZAP automatically passively scans all of the requests to and responses from the web application being tested.
While mandatory use cases for the application that is being tested are followed (either manually or automatically), ZAProxy analyzes the requests to verify the usual operations are safe.
Active Scan Overview
Active scanning attempts to find potential vulnerabilities by using known web attacks against the selected targets. Active scanning is an attack on those targets. ZAProxy emulates known attacks when active mode is used.
Through active scanning, Genesys Co-browse is verified against the following types of attacks:
- Spider attack — Automatically discovers all URL links found on a web resource, sends requests, and analyzes results (including src attributes, comments, low-level information disclosure, and so on).
- Brute browsing (based on the Brute Force technique) — Systematically makes requests to find secure resources based on known (commonly used) rules. For example, backup, configuration files, temporary directories, and so on.
- Active scan — Attempts to perform a predefined set of attacks on all resources available for the web resource. You can find the default set of rules here.
- Ajax spider — Automatically discovers web resources based on presumed rules of AJAX control (JS scripts investigation, page events, common rules, dynamic DOM, and so on).
Some issues reported by ZAProxy security testing are not actual vulnerabilities:
- High risk security alert "Remote file inclusion".
To allow certain types of dynamic content synchronization, Co-browse may proxy some of the website's static assets (for example, CSS files). The response content is only interpreted by browsers as a corresponding asset (like CSS), because it is retrieved through according means (for example, in case of CSS through stylesheet links). Illegible assets are skipped. The source for a proxied asset is always the web site page itself, which is by definition a legitimate resource. To limit access to Co-browse resource proxy mechanism, use the allowedExternalDomains option.
Medium risk security alert "Secure page browser cache" and Low risk security alert "Incomplete or no cache-control and pragma HTTPHeader set".
As mentioned above, Co-browse may proxy some of the website's static assets (like CSS). Browser side caching of such resources is determined by original servers that own those resources and are responsible for proper caching. In other words, Co-browse will just serve the same headers that the original website serves. In most cases, such static assets do not contain any sensitive information and can be safely cached. However, if you decide to disable all caching for these resources, you can do this on Co-browse side using the dislabeCaching option, without the need to modify headers on your website's side. Note that this may increase traffic load for both end users (if they opt to Co-browse), and agents.
Medium level security alert "X-Frame-Options header not set".
Low risk security alert "Cookie set without HttpOnly flag".