The security concept is separated into two parts: the vulnerabilities of the Flarecast infrastructure and the protection of confidential resources.
The first part concerns attacks against the infrastructure from external or internal sources. This includes any kind of vectors including data manipulation as well as service disruption.
Security vulnerabilities affects two aspects of the infrastructure:
An attack on the internal infrastructure is very unlikely due the secure connection and the insensitive nature of space weather data. To reduce the vulnerability on the public interfaces we only provide a seperate database with read-only access which is periodically synchronized with the internal Flarecast database. Hereby, only attacks involving a service disruption are possible.
The following table gives a summary of possible attack vectors, there risk and impact level as well as possible countermeasures.
| Attack Vector | Description | Risk Level (1 - 5) | Impact Level (1 - 5) | Countermeasure |
|---|---|---|---|---|
| Attacks concerning general web applications | ||||
| Session hijacking | Attacker uses a man-in-the-middle attack while victim has an open connection to the internal infrastructure. Requires the attacker to break the given encryption of the SSH connection which is very unlikely. | 1 | 5 | Keep informed about issues concerning secure connections (e.g. OpenSSL vulnerability CVE-2016-6304) |
| Cross-site request forgery (XSRF, CSRF) | Victim has an open VPN session and runs a malicious script downloaded from an attacker's server. | 1 | 4 | Nonce tokens |
| Session fixation | Attacker provides a URL with a pre-defined session ID to the Victim. As soon as the Victim logs into the system the attacker can use the same session ID for his own requests. Very unlikely as the internal infrastructure is only accessible by a secure connection. | 1 | 3 | Inform end-users about the risk. |
| Cross-site scripting (XSS) | Victim/Docker container uploads malicious script which is executed while visualizing data by a web service. | 1 | 2 | HTML escaping |
| Open redirection | Victim/Attacker sends a request with a manipulated URL provided as query parameter, e.g. forcing a redirection. This may be a problem with oAuth2 and the 'Token' response type. Not trivial as oAuth2 validates the redirection URL. | 1 | 2 | HTML escaping |
| Cross-site script inclusion (XSSI) | Victim has an open VPN session and forwards JSON responses due a malicious script downloaded from an attacker's server. Possible but harmless, as all available resources are non-confidential. | 0 | 0 | - |
| Header injection (response splitting) | Victim/Attacker sends a request with a manipulated header field provided as query parameter which is then used within the response header. There is no route which allows to set the sesponse's header information | 0 | 0 | - |
| Mixed content | Due the mix of resources partly available by HTTP and partly by HTTPS e.g. a man-in-the-middle attack is possible. Harmless, due the secured connection to the internal infrastructure. | 0 | 0 | - |
| Referer leakage | Victim calls an external link from a sensitive URL which is then published within the 'referer' header field of the request to the external site. There is no link to an external site. (anyway harmless) | 0 | 0 | - |
| Specific to the design of web applications | ||||
| Cache poisoning | Victim's browser cache gets poisoned with a malicious version of the targed web application, e.g. due 'header injection'. | 3 | 1 | |
| Clickjacking | Attacker missuses the Flarecast service interfaces. | 2 | ||
| Content and character set sniffing | Possible in combination with XSS. | 1 | ||
| Cookie forcing (cookie injection) | Possible; harmless due VPN encryption | 0 | ||
| Denial-of-service (DoS) attacks | 4 | 4 | ||
| Framebusting | No frames available | 0 | 0 | |
| HTTP downgrade | Possible; harmless due VPN encryption | 0 | 0 | |
| Network fenceposts | Possible in combination with XSRF | 1 | ||
To cover
The above attack vectors are barely addressed at the moment due the following reasons: