
RE: [WEB SECURITY] Cross-Site Scripting PCI Question




Raymond,

I currently hold both QSA and PA-QSA certificates and am actively
involved in assessments. I agree completely with Trey's comments... As
we all know "the devil's in the details" but in general the answer to
your question lies in how the underlying network architecture has been
designed. Scope definition within PCI follows closely in line with the
controls placed around Layers 2 & 3 of the OSI model. Proper network
segmentation and technical controls can remove the other domains/systems
from the scope of a PCI Assessment. Start with where you are storing the
CC data and work your way outward. Create a data flow diagram that
documents how CC data flows in/out of the environment and what systems
store and process the data internally. This should give you a better
idea what systems should be in scope for the assessment.


Hope this helps!


Thanks,

Greg Sparrow


________________________________

From: Raymond Forbes [mailto:rforbes@e-stalkers.net]
Sent: Wednesday, March 04, 2009 7:34 PM
To: Trey Ford
Cc: websecurity@webappsec.org
Subject: Re: [WEB SECURITY] Cross-Site Scripting PCI Question


I agree taking a currently running ecommerce solution and trying to
adapt it for isolation, and prove that it is separated, would not be a
good idea.  However, I believe developing good isolation methods from
higher risk environments from lower risk goes a long way to increasing
your security posture.  If you are developing a new ecommerce solution,
absolutely develop it in such a way that the main environment has as
little impact on your ecommerce infrastructure as possible.  This can
happen by establishing separate session management strategies, locking
down cookies, or even having a separate domain.  Not only does this
reduce your compliance footprint, it keeps you from going to the guy who
writes the daily blog and saying "ok, now the security of our ecommerce
relies on you."

-Raymond


On 3/4/09 4:04 PM, "Trey Ford" <ford.trey@gmail.com> wrote:

Raymond,

Most organizations will consider their infrastructure as a 'special
case'... but I totally agree that isolation will drastically reduce the
network and systems scope of a PCI audit.  I think we are treading on
thin ice when doing this with websites.

When working to determine the scope of the PCI audit, and attempting to
minimize the number of system components included, remember that the QSA
(Qualified Security Assessor) ultimately makes that decision.  Involving
the QSA in your segmentation efforts earlier can save you time and
money in debating your methods later.

FWIW, when I went through QSA training years ago (I am no longer an
'active' QSA performing on site audits), about 25% of the training time
was devoted to SCOPING.  They take it pretty seriously.  You want to get
this right.  You probably do not want to get this wrong.  Leverage a
QSA.  (reference the scoping flow chart on page 72 of the PCI-DSS
version 1.2)

The QSA will probably be open to input and guidance, but they are
ultimately responsible for measuring how your organization has applied
the standard.

~trey
http://treyford.wordpress.com

On Wed, Mar 4, 2009 at 3:09 PM, Raymond Forbes <rforbes@e-stalkers.net>
wrote:

That is not necessarily true for PCI.  It completely depends on your
organization.  If your ecommerce is completely separate from the rest of
your infrastructure and the cookies are defined for those sub-domains
then PCI is not involved.  Remember, PCI only applies to PCI
systems.  So they need to process, transmit or store PCI data.  If you
can prove the systems with the vulns do not, they are not in scope.

-Raymond
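The cookie point above and Joe's four-subdomain question below come down to where a cookie's Domain attribute lets it travel. The following is an added example, not code from anyone on this thread: a simplified model of RFC 6265 domain matching and cookie retrieval, run over two constructed cookies (a host-only, Secure session cookie on payment.example.com and a site-wide preference cookie set with Domain=example.com) to show which of them each subdomain can see.

```javascript
// Simplified model of RFC 6265 cookie scoping (section 5.1.3 domain matching,
// section 5.4 cookie retrieval). Added example for this thread; cookies below
// are constructed, not taken from any real site.

// A request host matches a cookie Domain when it is identical to it or is a
// subdomain of it. Note that "evilexample.com" does NOT match "example.com":
// the match must fall on a dot boundary.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Would the browser attach this cookie to a request for the given URL?
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  // Host-only cookies (no Domain attribute) go only to the exact host that
  // set them; cookies with Domain=example.com go to every subdomain.
  const hostOk = cookie.hostOnly
    ? u.hostname === cookie.domain
    : domainMatches(u.hostname, cookie.domain);
  const schemeOk = !cookie.secure || u.protocol === "https:";
  const pathOk = u.pathname.startsWith(cookie.path || "/");
  return hostOk && schemeOk && pathOk;
}

// Constructed sample cookie jar: the payment site's session cookie is
// host-only and Secure; the preference cookie was set with Domain=example.com.
const COOKIES = [
  { name: "PAYSESSION", domain: "payment.example.com", hostOnly: true, secure: true, path: "/" },
  { name: "SITEPREF", domain: "example.com", hostOnly: false, secure: false, path: "/" },
];

// Names of the cookies a page at this URL (and any script running on it)
// would receive, in jar order.
function cookiesVisibleFrom(url) {
  return COOKIES.filter((c) => cookieSentTo(c, url)).map((c) => c.name);
}

// Cookies whose scope spans more than one subdomain: anything the payment
// site depends on must not be in this list, or it is shared with the blog.
function sharedAcrossSubdomains() {
  return COOKIES.filter((c) => !c.hostOnly).map((c) => c.name);
}

console.log("payment (https):", cookiesVisibleFrom("https://payment.example.com/checkout"));
console.log("blogs (http):   ", cookiesVisibleFrom("http://blogs.example.com/post/1"));
console.log("shared:         ", sharedAcrossSubdomains());
```

The host-only, Secure session cookie never reaches blogs.example.com, while the Domain=example.com cookie is delivered to every subdomain, which is exactly the separation Raymond's "cookies defined for those sub-domains" condition depends on.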



On 3/4/09 2:21 PM, "Cook, Geoffrey" <gcook@expesite.com> wrote:

I would be inclined to say yes as the existence of those vulnerabilities
imply deficiencies in either their development processes and/or their
vulnerability management processes.  You are certifying the operation of
the company as a whole and not just the details of one URL in
particular.  I believe it is requirement 6.5 that states all web
applications have to be developed in a manner that is consistent with
secure coding best practices.
Geoff

From: Joe Hargrove [mailto:ae31337@gmail.com]
Sent: Wednesday, March 04, 2009 2:50 PM
To: websecurity@webappsec.org
Subject: [WEB SECURITY] Cross-Site Scripting PCI Question

Let's say that we have a website that consists of many different
subdomains, like this:
http://www.example.com
http://blogs.example.com
http://shopping.example.com
https://payment.example.com
All of the pages that take credit card information as input are hosted
under the payment.example.com subdomain. Would XSS vulnerabilities on
pages within the first 3 subdomains be issues that would/should cause
the company to fail a PCI compliance audit?

Brought to you by http://www.webappsec.org