Hi,
We are in the process of implementing Microsoft Dynamics 365 BC v15 W1 on-premises for a customer. Before moving to production, the customer's internal rules require that any application must pass penetration testing. The customer has carried out penetration testing of the BC web application, and the results they have shared with us indicate three vulnerabilities related to BC. The identified vulnerabilities and the remediation steps suggested by the customer are listed below. Since our experience is in NAV/BC functional areas, we are not sure whether there is any way to address these vulnerabilities in BC.
- Session Fixation Vulnerability
Remediation/Suggestions: In order to prevent session fixation attacks, any data that will be used as a cookie value by the application should not be allowed to be changed by the user, and these values should not be used in the next stages. In addition, session cookie values must be changed after login, and a different session key must be used for post-login transactions.
- Session Cookie Doesn’t Change After Login
Remediation/Suggestions:
In ASP.NET-based applications, a code fragment like the following can be used to force the session key to change after the login process.
Session.Abandon(); // discard the current server-side session state
Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")); // blank the session cookie so the next request is issued a fresh session ID
- Autocomplete Not Disabled for Sensitive Form Fields
Remediation/Suggestions: The autocomplete attribute should be disabled for sensitive form fields containing information such as usernames, passwords, or credit card details. Please refer to the link below for further information.
Any help or suggestion would be highly appreciated.
Thanks and regards,
Luli
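The following is an added, self-contained illustration of the first two findings in the post above (session fixation, and the session cookie not changing after login). It is not part of Luli's post, the pentest report, or any Business Central code: it is a toy in-memory web application with a `rotate_on_login` switch, plus the two checks a tester would run against it. The cookie name is taken from the report; the credentials, the `WebApp` class, the check functions and the sample form are all constructed for this example. The third function audits a constructed HTML form for sensitive inputs lacking `autocomplete="off"` (or `new-password`), which is how the third finding is typically verified.

```python
"""Session fixation demo and checks. Constructed example; not Business Central code."""
import secrets
from html.parser import HTMLParser
from typing import Dict, List, Optional

SESSION_COOKIE = "ASP.NET_SessionId"   # cookie name cited in the pentest report
VALID_PASSWORD = "correct horse"        # constructed credential for the demo


class Session:
    def __init__(self) -> None:
        self.user: Optional[str] = None  # None until the session is authenticated


class WebApp:
    """Toy server holding sessions in memory.

    rotate_on_login=False reproduces the finding: the pre-login session ID is
    kept after authentication. rotate_on_login=True applies the remediation:
    the pre-login ID is invalidated and a fresh one is issued on login.
    """

    def __init__(self, rotate_on_login: bool) -> None:
        self.rotate_on_login = rotate_on_login
        self.sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = Session()
        return sid

    def get_page(self, cookies: Dict[str, str]) -> str:
        """Any request: reuse a presented, known session ID; otherwise mint one."""
        sid = cookies.get(SESSION_COOKIE)
        if sid not in self.sessions:
            sid = self.new_session()
        return sid

    def login(self, cookies: Dict[str, str], user: str, password: str) -> str:
        """Returns the session ID the client should hold after the login request."""
        sid = self.get_page(cookies)
        if password != VALID_PASSWORD:
            return sid
        if self.rotate_on_login:
            self.sessions.pop(sid, None)   # analogue of Session.Abandon(): drop the old ID
            sid = self.new_session()       # fresh ID issued for the authenticated session
        self.sessions[sid].user = user
        return sid

    def whoami(self, cookies: Dict[str, str]) -> Optional[str]:
        s = self.sessions.get(cookies.get(SESSION_COOKIE, ""))
        return s.user if s else None


def fixation_attack_succeeds(app: WebApp) -> bool:
    """Attacker obtains an ID, plants it on the victim, victim logs in; does the
    attacker's copy of the ID now act as the victim?"""
    attacker_sid = app.get_page({})
    victim_cookies = {SESSION_COOKIE: attacker_sid}   # ID fixed in the victim's browser
    app.login(victim_cookies, "victim", VALID_PASSWORD)
    return app.whoami({SESSION_COOKIE: attacker_sid}) == "victim"


def session_id_changes_after_login(app: WebApp) -> bool:
    """The check behind the 'Session Cookie Doesn't Change After Login' finding."""
    before = app.get_page({})
    after = app.login({SESSION_COOKIE: before}, "victim", VALID_PASSWORD)
    return before != after


SENSITIVE_NAMES = {"username", "user", "password", "cardnumber", "creditcard"}


class _AutocompleteAudit(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        name = (a.get("name") or a.get("id") or "").lower()
        sensitive = a.get("type", "").lower() == "password" or name in SENSITIVE_NAMES
        if sensitive and a.get("autocomplete", "").lower() not in {"off", "new-password"}:
            self.findings.append(name or "<unnamed>")


def fields_missing_autocomplete_off(html: str) -> List[str]:
    """Names of sensitive inputs that still allow browser autocomplete."""
    p = _AutocompleteAudit()
    p.feed(html)
    return p.findings


# Constructed sample form: two fields should be flagged, two should not.
SAMPLE_FORM = """<form method="post">
<input type="text" name="UserName">
<input type="password" name="Password">
<input type="password" name="Confirm" autocomplete="new-password">
<input type="text" name="Search">
</form>"""

if __name__ == "__main__":
    for rotate in (False, True):
        app = WebApp(rotate_on_login=rotate)
        print(f"rotate_on_login={rotate}: fixation works={fixation_attack_succeeds(app)}, "
              f"id changes={session_id_changes_after_login(WebApp(rotate))}")
    print("fields missing autocomplete=off:", fields_missing_autocomplete_off(SAMPLE_FORM))
```

Against a real deployment the same two session checks are run over HTTP: record the session cookie set on the first unauthenticated response, authenticate, and compare the cookie value after login; if it is unchanged, a pre-planted ID would survive authentication exactly as the `rotate_on_login=False` case shows.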