Security - hardening

System-administrator
Installation

User: System administrator

Prerequisites

- not applicable

Introduction

Hardening recommendations when using Futurama.

Description

Futurama is a development platform for calculation and communication applications. It can be used to create three different kinds of applications:

  1. Website applications: interactive web applications (edition Futurama Website)
  2. Webservice applications: webservices that return the result of a calculation made in Futurama (edition Futurama Webservice)
  3. Export applications: exports of personalized data, such as PDF files containing personal financial information (edition Futurama Export)

In many applications Futurama will be used to communicate about personal financial information, so it is important to secure access to this sensitive data. This page gives a number of tips that can be used to harden the server where the data is installed. Most of these hardening tips are not Futurama specific, but apply industry wide.

Subjects

Several security subjects are listed below. Depending on the Futurama edition that is used, some subjects are more applicable than others. The following table shows, for each subject, whether it applies to each of the three Futurama editions. The subjects are treated in more detail in the next paragraph.

Subject                                    Website   Webservice   Export
Disable trace                              X
Disable system diagnostics                           X
Logging                                    X         X            X
Secure webservice communication            X         X            X
Encryption data                            X         X            X
Encryption web.config                      X         X            X
HTTPS                                      X         X
Use cookies                                X
Security Management Site                   X         X            X
Identity application pool                  X
Firewall                                   X         X            X
Network Intrusion Detection                X         X            X
HSTS policy                                X
Securing cookies                           X
Maximizing number of sessions              X
Verify session on every request            X
Document/Folder restriction                X         X
Disable download of XML files              X
Remove comments in files                   X
Don't use a version number                 X         X
Use customErrors                           X
Use robots.txt                             X
Disable header options                     X
Set X-Frame-Options Header                 X
Remove X-AspNet-Version response header    X
Change value server response header        X
Add rel property to hyperlinks             X
Upgrade jQuery version                     X
Disable version.aspx                       X

Subjects - more detailed

The paragraph above lists the hardening subjects. In this paragraph each of these subjects is treated in more detail, and for each subject a risk profile (low, medium, high) is given.

Disable trace

Risk

High

Explanation

When developing websites, the trace setting in the web.config can be used for debugging purposes. The trace information can be retrieved by visiting the trace.axd page of your application. In general you should not enable trace in a production situation, because it can display sensitive configuration information to anyone who views the website. So enable trace only for debugging purposes and disable it as soon as your website moves to a (pre)production server.

Solution

Within the <system.web> section disable the trace:

<trace enabled="false" />

Disable system diagnostics

Risk

Low

Explanation

It is possible to log every message that is sent to or received by a webservice. See the paragraph 'Logging webservice messages' on the Configuration - Log page for more information. This webservice logging can contain sensitive information. As the logging information is stored in a secured server location, this is not a high security risk.

Solution

Disable/remove the <system.diagnostics> section in the configuration file.

Logging

Risk

Low

Explanation

It is possible to log errors, warnings, information messages and debug messages while developing with Futurama. This information can be used during the development process to troubleshoot. In production this logging can also be used to monitor error messages. The logging information can contain sensitive data. As it is stored in a secured server location, this is not a high security risk. However, it is recommended to disable the information and debug logging messages. The warning and error messages can remain enabled in order to monitor and solve errors that occur during sessions of your web application.

Solution

See the Configuration - Log page for the logging configuration. Set <messages value="false"/> and <debug value="false"/>.

Secure webservice communication

Risk

Medium

Explanation

Part of the Futurama functionality is the communication with webservices. There are several situations:

Frequently sensitive data is sent to and from these webservices. It is recommended to secure this communication.

Solution

Futurama supports WCF webservices. This enables you to choose among a wide variety of security options, such as wsHttp-binding with transport or message encryption, wsHttp-binding with a certificate as a credential for the service, basicHttp-binding with authentication, and REST services with an authorization header. See the applicable support pages for more information about the configuration of these WCF webservices.

Encryption data

Risk

Medium

Explanation

Futurama Vision can be used to store your data. This data is usually private. Although your Futurama Vision Database will be securely installed and not publicly available, you can take extra action to protect your data by encrypting it.

Solution

It is possible to import encrypted data into Futurama Vision. See 'Importing data into Futurama Vision', paragraph 'Encryption', for more information. All sensitive data except the unique identifier of your persons can be encrypted. The passwords to decrypt this information are stored in the configuration file of the Futurama Vision Management Site. To give this configuration file extra protection, encrypt the section that contains the password. See also 'Encryption web.config' on this page for how to encrypt a web.config.

Encryption web.config

Risk

Low

Explanation

Part of the installation of Futurama HTML and of the Futurama Management Site is the configuration of the web.config. The web.config is a special ASP.NET file used in all kinds of ASP.NET web applications. It is possible to encrypt (sections of) this web.config, which makes sense when the web.config contains sensitive information. Although the web.config is a standard ASP.NET file that is already protected from being viewed by others, encrypting this file is an extra protection against malicious use. When the Futurama Management Site is used and the XML data is saved encrypted in the Futurama Vision Database (see paragraph 'Settings for encryption/decryption'), the web.config of the Management Site contains the passwords to encrypt (and decrypt) the data. In this situation encrypting the web.config makes sense.

Solution

Encryption of the web.config can be done with the Aspnet_regiis.exe tool. Decryption of an encrypted config is only possible on the same server where the file was encrypted, which is an extra protection against malicious use. The command for the encryption of (for example) the appSettings section of the config is:

%WINDIR%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pef "appSettings" "location_config"

where location_config is the location (directory) where the web.config is saved. To decrypt the web.config use the following command:

%WINDIR%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pdf "appSettings" "location_config"

HTTPS

Risk

High

Explanation

When visiting a website, the traffic exchanged between your browser and the web server is sent in clear text. Therefore if a malicious third party intercepts the traffic exchanged between the two parties, he or she can read what is being exchanged, such as authentication details or other sensitive personal information. So make sure to encrypt the connection between the browser and the server where your Futurama (web)application is installed.

Solution

Use the HTTPS protocol for your application instead of HTTP.

Use cookies

Risk

High

Explanation

Futurama supports sessions with and without cookies. When cookies are used, the session ID is stored in a cookie on the user's client. This session ID is used to recognize an individual visitor across all requests. The alternative is to use cookieless sessions. In that situation the page link contains the session ID string (for example https://myapplication/(22b5c4zyybphaw2mt3hjni2n)/default.aspx). The main security problem when working with sessions is the possibility that a malicious user finds out another user's session ID. If two users share the same session ID, they share the same session variables too, and the website considers them to be one visitor. This is a security risk if the session is used for any private or sensitive data, or to allow access to restricted areas of the website. When cookies are used, the session ID can be protected using SSL and by marking the cookie as secure. In the case of a cookieless session, however, the session ID is part of the URL and is much more vulnerable. An attacker could use a network monitoring tool to see the requested URLs, and because the session ID is part of the URL, knowing the requested URL means knowing the session ID too. Also, if a malicious user gets access to the web server's recent logs, it is possible to read the recently requested URLs and visit the website with a still active session.

So it is strongly recommended to use cookies.

Solution

Within the <system.web> section enable cookies:

<sessionState cookieless="false" />
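As an added example (not from the Futurama documentation), the following Python script scans web server log lines for the cookieless session segment described above, reports session IDs that were requested from more than one client, and redacts the IDs before the log is stored or shipped. The log lines are constructed in IIS W3C extended format and the column layout is read from the '#Fields:' header, so the sample's field order is an assumption.

```python
"""Find ASP.NET cookieless session IDs in web server logs and redact them.

Added example, not part of the Futurama documentation. The log lines below are
constructed in IIS W3C extended format; the field layout is taken from the
'#Fields:' header, so the column order is an assumption of the sample only.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Cookieless session segment in a URL path: the legacy "/(id)/" form shown on
# the support page and the later "/(S(id))/" form. IDs are 24 lowercase
# alphanumeric characters.
COOKIELESS_RE = re.compile(r"/\((?:S\()?([a-z0-9]{24})\)?\)/")

# Constructed sample log; the last line repeats the first session ID from another client.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-10 09:12:01 10.0.0.5 GET /(22b5c4zyybphaw2mt3hjni2n)/default.aspx - 200
2024-01-10 09:12:05 10.0.0.5 POST /(22b5c4zyybphaw2mt3hjni2n)/default.aspx - 200
2024-01-10 09:13:44 10.0.0.9 GET /default.aspx - 200
2024-01-10 09:14:02 10.0.0.7 GET /(S(4f3bz0pqr1st2uv3wx4yz5ab))/report.aspx id=7 200
2024-01-10 09:20:30 10.0.0.11 GET /(22b5c4zyybphaw2mt3hjni2n)/default.aspx - 200
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    session_id: str
    uri_stem: str


def parse_w3c(log_text):
    """Yield (line_no, record) for data lines, mapping columns via '#Fields:'."""
    columns = None
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            columns = line.split()[1:]
            continue
        if not line or line.startswith("#") or columns is None:
            continue
        values = line.split()
        if len(values) != len(columns):
            continue  # malformed line: skip instead of guessing field positions
        yield line_no, dict(zip(columns, values))


def find_cookieless_sessions(log_text):
    """One Finding per request whose URL path carries a session ID."""
    findings = []
    for line_no, rec in parse_w3c(log_text):
        m = COOKIELESS_RE.search(rec.get("cs-uri-stem", ""))
        if m:
            findings.append(Finding(line_no, rec.get("c-ip", "?"), m.group(1), rec["cs-uri-stem"]))
    return findings


def sessions_with_multiple_clients(findings):
    """Session IDs requested from more than one client IP: a sharing/hijack signal."""
    clients = defaultdict(set)
    for f in findings:
        clients[f.session_id].add(f.client_ip)
    return {sid: ips for sid, ips in clients.items() if len(ips) > 1}


def redact(log_text):
    """Replace embedded session IDs so stored or shipped logs no longer reveal them."""
    return COOKIELESS_RE.sub(lambda m: m.group(0).replace(m.group(1), "[REDACTED]"), log_text)


if __name__ == "__main__":
    found = find_cookieless_sessions(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: session {f.session_id} from {f.client_ip}")
    print("shared:", sessions_with_multiple_clients(found))
    print(redact(SAMPLE_LOG))
```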

Security Management Site

Risk

Low

Explanation

When using the Futurama Management Site to import and analyze data, and to monitor the use of your Futurama applications it is important to give users of the Management Site only access to pages that are relevant for them. It is possible to define which users can access which pages of the Management Site.

Solution

Use the security section of the Futurama Management Site to set up the advanced security.

Identity application pool

Risk

Medium

Explanation

An Internet Information Services (IIS) application pool is a grouping of URLs that is routed to one or more worker processes. Because application pools define a set of web applications that share one or more worker processes, they provide a convenient way to administer a set of websites and applications and their corresponding worker processes. During the installation of your Futurama web application in IIS a new application has to be created including an application pool.

Solution

Pending.

Firewall

Risk

High

Explanation

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall can be used to secure the server with your (sensitive) data.

Solution

Use a firewall and allow only incoming and outgoing traffic that is necessary for the use of your application.

Network Intrusion Detection

Risk

High

Explanation

Network Intrusion Detection monitors a network or systems for malicious activity or policy violations.

Solution

Use Network Intrusion Detection to monitor whether malicious activity at your server occurs.

HSTS policy

Risk

Medium

Explanation

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that protects secure HTTPS websites against downgrade attacks. It allows web servers to declare that web browsers should only interact with them using secure HTTPS connections, and never via the insecure HTTP protocol. Even when your web application is only accessible via HTTPS, without HSTS it is possible for hackers to downgrade the connection to insecure HTTP.

Solution

In order to use the HSTS policy, add the following configuration to the web.config of your application, within the <system.webServer> section:

<httpProtocol>
	<customHeaders>
		<add name="Strict-Transport-Security" value="max-age=31536000"/>
	</customHeaders>
</httpProtocol>

Securing cookies

Risk

Low

Explanation

It is possible to set a secure flag on an ASP.NET session cookie, so that it will only be transmitted over HTTPS and never over plain HTTP.

Solution

Within the <system.web> section the following configuration has to be made:

<httpCookies httpOnlyCookies="true" requireSSL="true"/>

Furthermore, in case forms authentication is used, the forms element overrides the httpCookies setting and resets it to the default 'false'. In order to avoid this, the requireSSL attribute has to be added to the forms element as well:

<forms requireSSL="true" />

Maximizing number of sessions

Risk

Medium

Explanation

When hosting a web application, the maximum number of parallel sessions can usually be estimated. Exceeding this maximum number of parallel sessions can be an indication of an attack on your website. To avoid this, the allowed number of parallel sessions can be defined.

Solution

This setting can be configured in the Futurama specific security section of the web.config. See this page for information on how to set the maximum number of parallel sessions.

Verify session on every request

Risk

Medium

Explanation

During a session within your web application, subsequent requests are made after each user action. To be sure that each of these requests is made by the user who started the session (and who is authenticated to see the personal data), it is possible to verify the session on every request. This prevents the session from being hijacked and cloned on a different machine.

Solution

This setting can be configured in the Futurama specific security section of the web.config. See this page for information on how to enable verifying the session on every request. It is possible to include or exclude a verification of the IP address.

Document/Folder restriction

Risk

Medium

Explanation

In the configuration mapping section of Futurama it is possible to define which default folder and which default document Futurama should use. It is possible to override these default settings by setting these parameters in the URL (see, for example, the previously mentioned configuration mapping section). This implies that it might be possible for a user to open a different document by guessing possible values of the document and folder parameters.

Solution

From Futurama 16.11 onwards this can be prevented by specifying a list of allowed folder and document names in the mapping setting. Whenever a user enters a value that is not in this list, a security error is shown. For more information, visit this page.

Disable download of XML files

Risk

Medium

Explanation

When a user can download XML files, the user can also see the contents of the Futurama models. These models can contain sensitive information, such as the version number and the location where the document has last been edited.

Solution

You can prevent downloading of XML files by adding the following code to the web.config:

<system.webServer>
    <security>
        <requestFiltering>
            <fileExtensions>
                <add fileExtension=".xml" allowed="false" />
            </fileExtensions>
        </requestFiltering>
    </security>
</system.webServer>
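The web.config items treated above (Disable trace, Use cookies, HSTS policy, Securing cookies and Disable download of XML files) can be verified in one pass. The following Python script is an added example, not part of the Futurama documentation or product: it audits a web.config with xml.etree and reports every setting that does not match this page's recommendations, using two constructed configs (a weak one and its hardened equivalent). Where an element is absent it assumes the documented ASP.NET defaults (trace off, cookies used).

```python
"""Audit a web.config for the hardening settings discussed on this page.

Added example, not part of the Futurama documentation or product. It checks the
web.config items treated above: trace, cookieless sessions, secure cookies and
forms requireSSL, the HSTS header, and .xml request filtering. Where an element
is absent, the ASP.NET defaults (trace off, cookies used) are assumed.
"""
import xml.etree.ElementTree as ET


def _attr(elem, name, default=""):
    """Attribute value of elem, or default when elem or the attribute is missing."""
    return elem.get(name, default).strip() if elem is not None else default


def _is_true(value):
    return value.lower() == "true"


def parse_max_age(header_value):
    """max-age directive of an HSTS header value; 0 when absent or malformed."""
    for directive in header_value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            return int(val)
    return 0


def audit_web_config(xml_text):
    """Return human-readable findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    sysweb = root.find("system.web")
    server = root.find("system.webServer")
    findings = []

    def web(path):
        return sysweb.find(path) if sysweb is not None else None

    # Disable trace: trace.axd would expose request and configuration details.
    if _is_true(_attr(web("trace"), "enabled")):
        findings.append('trace is enabled: set <trace enabled="false" />')

    # Use cookies: every cookieless mode places the session ID in the URL.
    mode = _attr(web("sessionState"), "cookieless", "UseCookies").lower()
    if mode not in ("false", "usecookies"):
        findings.append(f'sessionState cookieless="{mode}": set cookieless="false"')

    # Securing cookies: HttpOnly and HTTPS-only session cookie.
    cookies = web("httpCookies")
    if not (_is_true(_attr(cookies, "requireSSL")) and _is_true(_attr(cookies, "httpOnlyCookies"))):
        findings.append('httpCookies must set requireSSL="true" and httpOnlyCookies="true"')

    # Forms authentication overrides httpCookies/@requireSSL, so it needs its own flag.
    forms = web("authentication/forms")
    if forms is not None and not _is_true(_attr(forms, "requireSSL")):
        findings.append('forms authentication present without requireSSL="true"')

    hsts_value = ""
    xml_blocked = False
    if server is not None:
        # HSTS policy: header present with a positive max-age.
        for add in server.findall("httpProtocol/customHeaders/add"):
            if _attr(add, "name").lower() == "strict-transport-security":
                hsts_value = _attr(add, "value")
        # Disable download of XML files: Futurama models must not be served.
        for add in server.findall("security/requestFiltering/fileExtensions/add"):
            if _attr(add, "fileExtension").lower() == ".xml" and not _is_true(_attr(add, "allowed", "true")):
                xml_blocked = True
    if parse_max_age(hsts_value) <= 0:
        findings.append("Strict-Transport-Security header missing or max-age not positive")
    if not xml_blocked:
        findings.append('requestFiltering does not block .xml: add fileExtension=".xml" allowed="false"')
    return findings


# Constructed sample configs: a weak one and the hardened equivalent.
WEAK_CONFIG = """<configuration>
  <system.web>
    <trace enabled="true" />
    <sessionState cookieless="true" />
    <authentication mode="Forms"><forms loginUrl="login.aspx" /></authentication>
  </system.web>
  <system.webServer />
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <trace enabled="false" />
    <sessionState cookieless="false" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <authentication mode="Forms"><forms loginUrl="login.aspx" requireSSL="true" /></authentication>
  </system.web>
  <system.webServer>
    <httpProtocol><customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000" />
    </customHeaders></httpProtocol>
    <security><requestFiltering><fileExtensions>
      <add fileExtension=".xml" allowed="false" />
    </fileExtensions></requestFiltering></security>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_web_config(cfg) or ["all checks passed"])
```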

Remove comments in files

Risk

Low

Explanation

A Futurama application consists of files of different types. The Futurama models are stored in XML files, but CSS files, XSLT files, HTML files and JavaScript files can also be used, for example. In these files it is possible to add comments. These comments can be useful to explain the code in these files. However, they can also give hackers potential information.

Solution

Remove the comments from your files.

Don't use a version number

Risk

Low

Explanation

In your Futurama models version numbers can be used to identify the successive releases of your application. However, this information can also be used by potential hackers, so it is recommended not to show the version number of your application.

Solution

Don't show the version number of your application. If you do want to use a version number, it is recommended to show it only on the private pages of your application (so not on the login page, which may be accessible to everyone).

Use customErrors

Risk

Medium

Explanation

When browsing your Futurama Web application errors can occur, for instance when a page cannot be found (404 error) or when access to your site is not allowed (403 error). When errors occur it is recommended to redirect the user to an error page.

Solution

Use the customErrors element in the web.config. See https://support.futurama.eu/docs/all/page/305 for more information.

Use robots.txt

Risk

Low

Explanation

Search engines crawl the internet looking for files. This generates traffic to your application that you may not want.

Solution

Use the robots.txt file to avoid this. This file is a simple text file placed in the root folder of your application. Search engine spiders check this robots.txt to decide whether they may access a file. To block all access use the following robots.txt file:

User-agent: *
Disallow: /
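How a crawler that honours robots.txt evaluates the file above, as an added example in Python that is not part of the Futurama documentation. It uses the standard-library parser (urllib.robotparser) and constructed file contents; the /public/ folder in the third file is hypothetical. The second file shows a formatting pitfall: a blank line between the User-agent line and the Disallow line ends the record, so the rule is dropped and the site is treated as fully crawlable.

```python
# Added example, not part of the Futurama documentation: evaluating a robots.txt
# the way a well-behaved crawler does, with Python's standard-library parser.
# The file contents below are constructed for the example.
from urllib.robotparser import RobotFileParser

# The block-everything file from the text above.
BLOCK_ALL = "User-agent: *\nDisallow: /\n"

# The same file with a blank line between the two lines. A blank line ends a
# record in robots.txt, so the Disallow line no longer belongs to the
# "User-agent: *" record and the parser treats the site as fully crawlable.
BLOCK_ALL_BROKEN = "User-agent: *\n\nDisallow: /\n"

# Constructed variant that exposes only a hypothetical /public/ folder. Python's
# parser applies the first matching rule, so the Allow line comes first.
PUBLIC_ONLY = "User-agent: *\nAllow: /public/\nDisallow: /\n"


def can_crawl(robots_txt: str, path: str, user_agent: str = "Googlebot") -> bool:
    """Return True if robots_txt permits user_agent to fetch path."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, path)


def crawl_report(robots_txt: str, paths) -> dict:
    """Map each path to whether a crawler honouring robots_txt may fetch it."""
    return {path: can_crawl(robots_txt, path) for path in paths}
```

robots.txt is advisory: it reduces traffic from crawlers that choose to respect it, but it does not restrict what a user or a non-compliant crawler can request, so it complements the access controls on this page rather than replacing them.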

Disable header options

Risk

Low

Explanation

By default your web server supports HTTP methods (verbs) such as OPTIONS, GET, POST, TRACE and HEAD. For Futurama web applications in general only POST and GET are relevant. Disable the other methods.

Solution

In the web.config the verbs TRACE, OPTIONS and HEAD can be disabled with the following configuration, to be placed within <system.webServer>:

<security>
	<requestFiltering>
		<verbs allowUnlisted="true">
			<add verb="OPTIONS" allowed="false" />
			<add verb="HEAD" allowed="false" />
			<add verb="TRACE" allowed="false" />
		</verbs>
	</requestFiltering>
</security>

Set X-Frame-Options Header

Risk

Low

Explanation

Clickjacking is an attack that tricks a web user into clicking on something different from what the user perceives they are clicking on.

Solution

It is possible to protect your website against clickjacking attacks by including an X-Frame-Options header in the HTTP response. See this page for the possible directives for X-Frame-Options. The SAMEORIGIN value is recommended, because in some situations the DENY option will not work correctly.

Remove X-AspNet-Version response header

Risk

Low

Explanation

By default the server includes the X-AspNet-Version header in its response. This is information that can be used by hackers.

Solution

It is possible to remove the X-AspNet-Version response header. This can be configured within the <system.web> section of the web.config:

<httpRuntime enableVersionHeader="false" />

Change value server response header

Risk

Low

Explanation

By default the server includes its version in the Server response header. This is information that can be used by hackers.

Solution

It is possible to change the value of the Server header, for example to an empty string. This can be done in IIS using the URL Rewrite module. Once installed, follow these steps:

  1. open the IIS Manager, select your site, then URL Rewrite;
  2. select Server Variables and add a new server variable called RESPONSE_SERVER;
  3. once you have your new server variable, go back to the rules page, add a new rule and select a blank outbound rule;
  4. give the rule a name, set the Matching Scope to Server Variable, set the Variable name to RESPONSE_SERVER and set the Pattern to .* to match any content. Hit Apply to create your new rule.

These changes will now remove the content of the Server response header.
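A way to verify the three header changes from the sections "Set X-Frame-Options Header", "Remove X-AspNet-Version response header" and this one, as an added Python example that is not part of the Futurama documentation. It parses a captured HTTP response and reports a finding for a non-empty Server header, a present X-AspNet-Version header and a missing or invalid X-Frame-Options value. Both responses are constructed for the example; the first one deliberately carries the misspelt value SAME-ORIGIN to show that the check catches it, since browsers ignore an unknown directive.

```python
# Added example, not from the Futurama documentation: auditing a captured HTTP
# response for the three headers discussed on this page. The response texts are
# constructed for the example.
from typing import Dict, List

# Constructed response from a site before hardening. Note that the
# X-Frame-Options value is misspelt: only DENY and SAMEORIGIN are valid.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Frame-Options: SAME-ORIGIN
Content-Length: 0
"""

# Constructed response after applying the solutions above.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server:
X-Frame-Options: SAMEORIGIN
Content-Length: 0
"""

# ALLOW-FROM is obsolete and ignored by current browsers, so it is not accepted.
VALID_X_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Parse the header block of an HTTP response into a dict keyed by
    lower-cased header name (header names are case-insensitive)."""
    headers: Dict[str, str] = {}
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if not line.strip():                     # a blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_response(raw_response: str) -> List[str]:
    """Return findings for the Server, X-AspNet-Version and X-Frame-Options
    headers; an empty list means the response passes all three checks."""
    headers = parse_headers(raw_response)
    findings: List[str] = []
    if headers.get("server"):
        findings.append(f"Server header reveals {headers['server']!r}")
    if "x-aspnet-version" in headers:
        findings.append(
            f"X-AspNet-Version header present: {headers['x-aspnet-version']!r}")
    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options header missing")
    elif xfo.upper() not in VALID_X_FRAME_OPTIONS:
        findings.append(f"X-Frame-Options value {xfo!r} is invalid and will be ignored")
    return findings
```

Run audit_response on the raw response captured from your site after applying the settings; an empty list confirms the Server value is blank, X-AspNet-Version is gone and X-Frame-Options carries a directive browsers will act on.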

Add rel property to hyperlinks

Risk

Low

Explanation

When a hyperlink opens a new window by using

target="_blank"

it is vulnerable to phishing attacks, because the newly opened page receives a reference to the opening window and can navigate it to another page.

Solution

Within the extension (XSL) all hyperlinks that have the target="_blank" attribute are given the following attribute:

rel="noopener noreferrer"
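The same rewrite as an added Python example, which is not the Futurama extension's XSL: a parser-based check that lists every target="_blank" link whose rel attribute lacks noopener or noreferrer, and a rewrite that adds the missing tokens while keeping any rel tokens already present (such as nofollow). The HTML fragment and its URLs are constructed for the example.

```python
# Added example, not the Futurama extension's XSL: find hyperlinks that open a
# new window without rel="noopener noreferrer", and add the attribute to them.
# The HTML fragment is constructed for the example.
import re
from html.parser import HTMLParser
from typing import List

SAMPLE_HTML = """\
<p><a href="https://example.invalid/terms" target="_blank">Terms</a></p>
<p><a href="/help" target="_self">Help</a></p>
<p><a href="https://example.invalid/faq" target="_blank" rel="noopener noreferrer">FAQ</a></p>
<p><a href="https://example.invalid/news" target="_BLANK" rel="nofollow">News</a></p>
"""

REQUIRED_REL = ("noopener", "noreferrer")


class UnsafeBlankLinkFinder(HTMLParser):
    """Collect the href of every <a target="_blank"> whose rel attribute does
    not contain both noopener and noreferrer."""

    def __init__(self) -> None:
        super().__init__()
        self.unsafe: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attributes = dict(attrs)          # attribute names arrive lower-cased
        if (attributes.get("target") or "").lower() != "_blank":
            return
        rel_tokens = (attributes.get("rel") or "").lower().split()
        if any(token not in rel_tokens for token in REQUIRED_REL):
            self.unsafe.append(attributes.get("href") or "")


def find_unsafe_links(html: str) -> List[str]:
    """Return the hrefs of links that still need rel="noopener noreferrer"."""
    finder = UnsafeBlankLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.unsafe


_ANCHOR_TAG = re.compile(r"<a\b[^>]*>", re.IGNORECASE)
_TARGET_BLANK = re.compile(r"""\btarget\s*=\s*["']?_blank["']?""", re.IGNORECASE)
_REL_ATTR = re.compile(r"""\brel\s*=\s*(["'])(.*?)\1""", re.IGNORECASE | re.DOTALL)


def _harden_anchor(match) -> str:
    """Rewrite one <a ...> start tag so that target="_blank" is accompanied by
    rel="noopener noreferrer", keeping any rel tokens already present."""
    tag = match.group(0)
    if not _TARGET_BLANK.search(tag):
        return tag
    rel = _REL_ATTR.search(tag)
    if rel is None:
        return tag[:-1] + ' rel="noopener noreferrer">'
    tokens = rel.group(2).split()
    lowered = [token.lower() for token in tokens]
    missing = [token for token in REQUIRED_REL if token not in lowered]
    if not missing:
        return tag
    new_rel = 'rel="' + " ".join(tokens + missing) + '"'
    return tag[:rel.start()] + new_rel + tag[rel.end():]


def add_noopener(html: str) -> str:
    """Apply _harden_anchor to every anchor start tag in html."""
    return _ANCHOR_TAG.sub(_harden_anchor, html)
```

The parser-based finder is the authoritative check; the regular-expression rewrite assumes conventionally quoted attributes, so run find_unsafe_links on the rewritten output to confirm nothing was missed.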

Upgrade jQuery version

Risk

Low

Explanation

Using a jQuery version that is not up to date is a security risk; update it to a current version.

Solution

Within the extension file the jQuery version is updated to version 1.12.1. From Futurama version 17.02 on, a jQuery file is included within the Futurama modules folder. When upgrading, make sure the jQuery file within the 1702 folder of the Futurama modules folder is used.

Disable version.aspx

Risk

Low

Explanation

The version.aspx page gives information about the Futurama documents used by the application, including the version number, the save date and the user that last saved each document. This information can potentially be used by hackers.

Solution

Disable the version.aspx page in the web.config of your application. This can be done by including the following configuration within the <configuration> element:

<location path="version.aspx">
	<system.web>
		<authorization>
			<deny users="*"/>
		</authorization>
	</system.web>
</location>
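An added Python script, not part of Futurama or its documentation, that reads a web.config and checks for the settings from the sections "Disable download of XML files", "Use customErrors", "Disable header options", "Remove X-AspNet-Version response header" and "Disable version.aspx" in one pass. The two web.config texts are constructed for the example (the first combines the snippets from this page; the ~/Error.aspx redirect is a placeholder), and the lookups assume the web.config uses no XML namespace, which is the usual case.

```python
# Added example, not part of the Futurama documentation: parsing a web.config
# and checking for the hardening settings described on this page.
import xml.etree.ElementTree as ET
from typing import List

# Constructed web.config combining the snippets from this page. The
# ~/Error.aspx redirect is a placeholder.
HARDENED_WEB_CONFIG = """\
<configuration>
  <location path="version.aspx">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions>
          <add fileExtension=".xml" allowed="false" />
        </fileExtensions>
        <verbs allowUnlisted="true">
          <add verb="OPTIONS" allowed="false" />
          <add verb="HEAD" allowed="false" />
          <add verb="TRACE" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed un-hardened web.config for comparison: customErrors switched
# off, nothing else configured.
DEFAULT_WEB_CONFIG = """\
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
  <system.webServer />
</configuration>
"""

FILTERING = "./system.webServer/security/requestFiltering"


def _is_false(value) -> bool:
    return (value or "").strip().lower() == "false"


def audit_web_config(xml_text: str) -> List[str]:
    """Return one finding per missing hardening setting; empty means all present."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    # Disable download of XML files.
    if root.find(FILTERING + "/fileExtensions/add[@fileExtension='.xml'][@allowed='false']") is None:
        findings.append("XML download not blocked (requestFiltering/fileExtensions)")

    # Disable header options: the three verbs the page lists must be denied.
    verbs = root.find(FILTERING + "/verbs")
    for verb in ("OPTIONS", "HEAD", "TRACE"):
        if verbs is None or verbs.find(f"./add[@verb='{verb}'][@allowed='false']") is None:
            findings.append(f"verb {verb} not disabled")

    # Remove X-AspNet-Version response header.
    runtime = root.find("./system.web/httpRuntime")
    if runtime is None or not _is_false(runtime.get("enableVersionHeader")):
        findings.append("httpRuntime enableVersionHeader is not false")

    # Use customErrors: the element must exist and not be switched off.
    errors = root.find("./system.web/customErrors")
    if errors is None or (errors.get("mode") or "").lower() == "off":
        findings.append("customErrors not enabled")

    # Disable version.aspx: a deny-all authorization rule scoped to the page.
    if root.find("./location[@path='version.aspx']/system.web/authorization/deny[@users='*']") is None:
        findings.append("version.aspx not denied for all users")
    return findings
```

Feed the script the web.config of a deployed site (ET.parse(path).getroot() instead of fromstring) to get a checklist of the settings from this page that are still missing.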


Updated: 2018-04-30

