QuickBooks Intuit Anywhere App - Security Review

From ConsoliBYTE Wiki

When you go to publish an Intuit Anywhere app, you have to go through a technical check. Intuit works with a 3rd-party vendor to ensure that your application isn't doing "bad things".

The 3rd-party vendor is going to run an automated vulnerability scanner against your server (IBM Rational AppScan, http://www-142.ibm.com/software/products/us/en/subcategory/rational/SWI50), checking for thousands of known vulnerabilities. It will submit all of your forms, log in to your application and poke around, send junk data through the URL and query string, probe for commonly vulnerable URLs, and so on.

In addition to the automated scan, you're going to be asked to submit your code so that they can review it. An actual person is going to look over your code (especially your SAML gateway) and see if they find anything wrong with it.


General Requirements

See Intuit's list here:


Code Review

Intuit is going to ask you to submit your code to them/the 3rd-party security company they use. They're going to want any code which:

  • Deals with SAML (if applicable, not all apps will use SAML)
  • Deals with OAuth
  • Deals with OpenID (if applicable, not all apps will use OpenID)
  • Touches any IPP APIs
  • Touches any IDS APIs

If you're using one of the provided DevKits (PHP, .NET, Java, etc.) that Intuit or another third-party (e.g. ConsoliBYTE) provides, *make sure you tell Intuit this* as the DevKits have already been reviewed and it will speed up the review process.


Commonly Vulnerable URLs

The automated scanning tool tests for common URLs which may provide access to sensitive data. Things like:

  • /phpMyAdmin/
  • /cgi-bin/test.cgi


XSS Attacks

Any input you accept from the user (via GET, POST, COOKIE, or otherwise) should be checked for nasty things like:

"><script>alert('Do something bad!');</script>

Input Filters

Make sure you check that user input is valid before you use it. If it should be an integer, make sure it's an integer; if it should be a float, make sure it's a float; if it should be one of a fixed set of values, check it against that set. Reject anything that doesn't validate rather than trying to "clean" it.

Output Filters

Any output you display should be run through an HTML entity filter to convert characters like < and > to &lt; and &gt; (and quotes to &quot; and &#039; if the value ends up inside an HTML attribute).
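The following is an added example, not code from this page or from any of the DevKits, covering both the XSS payload above and the input/output filter advice: inputs are validated by expected type and rejected if they don't match, and every value that reaches the page goes through an HTML entity filter. The function names and the sample request are made up for the example.

```php
<?php
// Added example (not from the ConsoliBYTE page or any Intuit DevKit).
// validate_input() and h() are hypothetical helper names.

// Validate a GET/POST/COOKIE value against the type the application expects.
// Returns the coerced value, or null if it does not validate.
function validate_input(array $source, string $key, string $type)
{
    if (!array_key_exists($key, $source)) {
        return null;
    }
    $raw = $source[$key];
    switch ($type) {
        case 'int':
            $v = filter_var($raw, FILTER_VALIDATE_INT);
            return $v === false ? null : $v;
        case 'float':
            $v = filter_var($raw, FILTER_VALIDATE_FLOAT);
            return $v === false ? null : $v;
        case 'email':
            $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
            return $v === false ? null : $v;
        case 'slug':
            // Whitelist, not blacklist: only a-z, 0-9, '-' and '_', max 64 chars.
            return preg_match('/^[a-z0-9_-]{1,64}$/', (string) $raw) ? $raw : null;
        default:
            throw new InvalidArgumentException("unknown type: $type");
    }
}

// Escape a string for an HTML body or attribute. ENT_QUOTES also converts
// single and double quotes, which is what stops the "> breakout below.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request, standing in for $_GET on a real server.
$get = [
    'customer_id' => '42',
    'amount'      => '19.99',
    'quantity'    => '3abc',   // junk the scanner would send; must be rejected
    'name'        => '"><script>alert(\'Do something bad!\');</script>',
];

var_dump(validate_input($get, 'customer_id', 'int'));  // int(42)
var_dump(validate_input($get, 'amount', 'float'));     // float(19.99)
var_dump(validate_input($get, 'quantity', 'int'));     // NULL -> reject the request
var_dump(validate_input($get, 'missing', 'int'));      // NULL -> absent is not valid

if (validate_input($get, 'quantity', 'int') === null) {
    http_response_code(400);
    echo "Invalid quantity\n";   // a real handler would stop here
}

$name = (string) $get['name'];

// Vulnerable: the payload closes the value="" attribute and runs the script.
//   echo '<input name="name" value="' . $name . '">';
// Safe: the same string is rendered as inert text.
echo '<input name="name" value="' . h($name) . '">' . "\n";
```

Note that validation and escaping are two separate steps: validating a name field cannot make it safe to print (names legitimately contain quotes), so the escape happens at output time, in every template, regardless of what validation did.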


HTML Forms

Unique tokens or "nonce"

Any HTML form you display should embed a one-time use token generated by the server. The token should be tied to that specific user's session and checked on form submission to ensure that it is valid and belongs to the user submitting the form. Invalidate the token after a reasonable time (a couple of hours, for example) or as soon as it has been used. More details here:

http://en.wikipedia.org/wiki/Cross-site_request_forgery
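An added example of the nonce scheme described above, not code from this page or from any DevKit: the token comes from the CSPRNG, lives in the user's session (which is what ties it to that user), expires after a lifetime, and is deleted when it is accepted, so a replay fails. The function names, the two-hour lifetime and the fake session are assumptions for the example.

```php
<?php
// Added example (not from the ConsoliBYTE page or any Intuit DevKit).
// csrf_token(), csrf_check(), csrf_field() and CSRF_TTL are hypothetical names.

const CSRF_TTL = 7200;   // seconds; assumed lifetime, tokens older than this are rejected

// Create a one-time token bound to this session and this form name.
function csrf_token(string $form): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['csrf'][$form][$token] = time();   // remember when it was issued
    return $token;
}

// Validate and consume a submitted token. Returns true at most once per token.
function csrf_check(string $form, ?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf'][$form])) {
        return false;
    }
    // Purge expired tokens first so an old one can never be accepted.
    foreach ($_SESSION['csrf'][$form] as $tok => $issued) {
        if (time() - $issued > CSRF_TTL) {
            unset($_SESSION['csrf'][$form][$tok]);
        }
    }
    foreach ($_SESSION['csrf'][$form] as $tok => $issued) {
        // hash_equals() is constant-time, so the comparison leaks nothing through timing.
        if (hash_equals($tok, $submitted)) {
            unset($_SESSION['csrf'][$form][$tok]);   // one-time use
            return true;
        }
    }
    return false;
}

// Emit the hidden field for a form. The value is hex-only, but escape it anyway.
function csrf_field(string $form): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($form), ENT_QUOTES, 'UTF-8') . '">';
}

// --- Demonstration with a constructed session. A real app calls session_start()
// --- and the token arrives in $_POST['csrf_token'].
$_SESSION = [];
$form = 'connect_quickbooks';

$html = csrf_field($form);                       // rendered into the form
preg_match('/value="([0-9a-f]{64})"/', $html, $m);
$posted = $m[1];                                 // what the browser sends back

var_dump(csrf_check($form, $posted));            // bool(true)   first submission
var_dump(csrf_check($form, $posted));            // bool(false)  replay of the same token
var_dump(csrf_check($form, str_repeat('0', 64))); // bool(false)  forged token
var_dump(csrf_check($form, null));               // bool(false)  field missing
```

Keeping the tokens keyed by form name means a user with two tabs open gets one valid token per form rather than a shared one that the first submission silently invalidates for the other.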


Server Configuration

Make sure you have a valid SSL certificate signed by a third-party CA (not self-signed); the scanner will flag certificate errors.

Turn your server signature *off*. In Apache, you can do this:

ServerSignature Off
ServerTokens Prod

Disable TRACE/TRACK support. In Apache, you can do this:

TraceEnable off

Disable LOW/MEDIUM strength SSL ciphers and old protocols. In Apache, the configuration originally recommended on this page was (note that SSLv3 and RC4 have since been shown to be broken, so a scan run today will flag both of these lines):

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
SSLProtocol -ALL +SSLv3 +TLSv1
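As an added example, not configuration from this page or from Intuit, here is the Server Configuration section's advice collected into one Apache 2.4 vhost, with the page's original TLS directives shown next to a current replacement. Certificate paths are placeholders; the cipher list and protocol line assume Apache 2.4 built against OpenSSL 1.1.1 or later (needed for TLSv1.3).

```apache
# Added example (not from the ConsoliBYTE page). Paths are placeholders.

# Hide version information in the Server header and on error pages
ServerSignature Off
ServerTokens Prod

# TRACE is only useful to an attacker (cross-site tracing); TRACK is an
# IIS-only method, so with TRACE disabled Apache answers neither.
TraceEnable off

<VirtualHost *:443>
    SSLEngine on
    # Placeholder paths: use your CA-signed certificate, key and chain
    SSLCertificateFile      /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/example.com.key
    SSLCertificateChainFile /etc/ssl/certs/ca-chain.crt

    # Weak (as originally recommended on this page): enables SSLv3 and RC4,
    # both of which are now broken and will be flagged by a scanner.
    #   SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
    #   SSLProtocol -ALL +SSLv3 +TLSv1

    # Corrected: TLS 1.2/1.3 only, forward-secret AEAD suites, server picks order
    SSLProtocol -ALL +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
</VirtualHost>
```

To check the result the way the scanner will, run `curl -sI -X TRACE https://example.com/` (expect a 405 with no echoed headers) and `openssl s_client -connect example.com:443 -ssl3` and `... -tls1` (both handshakes should fail), and confirm the Server header no longer reports a version.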