Security Made Simple Series

About This Presentation

Title:

Security Made Simple Series

Description:

Malware/spyware. TCP wrappers/personal firewall. Time synchronization. Security Checklists ... Free and Economical Security and Performance Monitoring Tools ... – PowerPoint PPT presentation

Number of Views:357

Avg rating:5.0/5.0

Slides: 73

Provided by: michaele66

Category:

more less

Transcript and Presenter's Notes

Title: Security Made Simple Series

1
Security Made Simple Series

Web Application Testing
A Primer in Web Application Testing
and Securing your Web Servers

2
Web Testing Objective

Not to find fault
To work together, with the developers, to create
a better application

3
Outline

Audience
Prerequisites
Physical Security/Architecture
OS and web server configuration
Web application testing

4
Audience

Web developers - help developers understand what
security professionals look for
Network Administrators ability to perform some
basic security testing - good before you call in
a professional - you don't want to make their job
too easy

5
Pre-test Information Gathering

IP address/URL
2-3 accounts populated w/ different data
Network architecture diagram
User/Admin application documentation
Corporate security policy
Web server type (header retrieval)
Vulnerability listings
Web root listing
Application process flow diagram
URL / Role mapping
Configuration files (urlscan.ini, httpd.conf,
ssl.conf)

6
Header Retrieval

C\gtstunnel c r website443 d 80
C\gttelnet 127.0.0.1 80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date Thu, 30 Mar 2006 154638 GMT
Server Apache/2.0.54 (Unix) mod_ssl/2.0.54
OpenSSL/0.9.6g mod_jk/1.2.14 mod_perl/2.0.0
Perl/v5.8.0
Connection close
Content-Type text/plain

7
Where to Find Web Server Vulnerabilities

Security Focus
Bug Traq
Vendor info
Hacker web sites
Internet searches
Hacker tools

8
Web Root Listing

The purpose of obtaining the web root listing is
to determine if
default web content, test pages, old data are
present on the system
other files (databases, scripts, admin
interfaces) are available
ACLs can be bypassed by direct URL manipulation
During web testing, these files may go unnoticed
if the web root is not provided. This may lead
to a future compromise of the system by
someone who stumbles upon the web page
an attacker or user who has familiarity with
this system or a similar system
Unix find . -print gt webroot.txt
Windows dir /b /s gt webroot.txt
Make sure to also get listings for virtual
directories!!!

9
URL / Role Mapping
10
Pre-test Requirements

Signed contract
Backed up / Development system
Admin contact (lockout, etc.)

11
Administrative Security Policy

Network architecture
OS configuration
Web server configuration and components
FrontPage permitted
HTML admin interface
Ports permitted
Operational readiness procedures
Remote administration procedures
Change control and update procedures
Security / log monitoring procedures
Performance monitoring procedures

12
Attack Points
13
Common Network Architecture
14
Recommended Network Architecture
15
Network Architecture

Port usage
TCP any 102465535 ltgt web server 80
TCP any 102465535 ltgt web server 443
DNS
NTP
Updates (OS/Web server/AV)
Security Monitoring (syslog or proprietary)
Performance Monitoring
Baseline (MD5-like)
Remote Administration
Access to web app and/or database
Load Balancer
Ensure that individual IPs cannot be accessed
from Internet
IDS
Dumb down web attack rules
Use connection-based rules
ARP spoofing

16
OS Configuration

Patches
Lockdown procedures/local security policy
Remove all non-essential programs
Remove all source code
Antivirus
Malware/spyware
TCP wrappers/personal firewall
Time synchronization

17
Security Checklists

www.nsa.gov/snac/

18
OS Testing

nmap
nmap 3.93 scan initiated Sun Apr 16 223045
2006 as nmap -O -P0 -v -oN nmap_ess.txt
www.enterprisesecuritysolutions.net
Interesting ports on c-68-46-38-72.hsd1.nj.comcas
t.net (68.46.38.72)
(The 1662 ports scanned but not shown below are
in state filtered)
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp closed ftp
25/tcp closed smtp
80/tcp open http
110/tcp closed pop3
143/tcp closed imap
Device type general purpose
Running Microsoft Windows NT/2K/XP
OS details Microsoft Windows 2000 SP3
TCP Sequence Prediction Classtruly random
Difficulty9999999
(Good luck!)
IPID Sequence Generation Incremental

19
Some Common Web Servers

Microsoft IIS
Apache
Lotus Domino
IBM WebSphere
Netscape/iPlanet/Sun One
Mainframe

20
Web Server Configuration

Patches
Lockdown procedures
Admin Security Policy
run as non-privileged user
restrict files from web user/service
Apache httpd.conf and ssl.conf
IIS lockdown and URLScan
Run Nikto and sslthing.sh

21
Apache httpd.conf

Set the directives "ServerSignature Off" and
ServerTokens Prod to limit the information
emanating from the server in its response headers
To disable TRACK and TRACE on Apache, add the
following lines for each virtual host in
httpd.conf
ltIfModule mod_rewrite.cgt RewriteEngine
on RewriteCond REQUEST_METHOD
(TRACETRACK) RewriteRule . - Flt/IfModulegt
On 2.0.55
RewriteEngine on
TraceEnable off

22
Apache httpd.conf

Enumeration of users may be possible by
requesting username (responds with Forbidden for
real users, not found for non-existent users).
The first method is to comment out the following
line in httpd.conf
LoadModule userdir_module libexec/apache/mod_
userdir.so
The second method is to disable it through
IfModule
ltIfModule mod_userdir.cgt
UserDir disabled
UserDir public_html
lt/IfModulegt
Note If you must allow some users to have
UserDir directories, use the following
ltIfModule mod_userdir.cgt
UserDir disabled
UserDir enabled user1 user2
UserDir public_html
lt/IfModulegt

23
Apache httpd.conf

To disable directory indexing, comment out the
following in httpd.conf
LoadModule autoindex_module libexec/apache2/mod_
autoindex.so
NOTE Numerous additional configuration lines
which depend on this module will need to be
commented out.
To disable access to manual pages, Comment out
the following in httpd.conf
AliasMatch /manual(?/(?deenesfrjakoru))
?(/.)? "/usr/local/share/doc/apache21"
ltDirectory "/usr/local/share/doc/apache2"gt
Options Indexes
AllowOverride None
Order allow,deny
Allow from all
ltFiles .htmlgt
SetHandler type-map
lt/Filesgt
SetEnvIf Request_URI /manual/(deenesfrj
akoru)/ prefer-language1
RedirectMatch 301 /manual(?/(deenesfrj
akoru))2,(/.)? /manual/12

24
IIS Lockdown
Before
After
25
URLScan What does it do?

Controls allow/deny verbs
Add TRACK and TRACE to list
Controls allow/deny extensions
Limits URL lengths
Normalizes http pre-processor
A must with IIS 5.0 and earlier
Using URLScan w/ IIS 6.0
RemoveServerHeader
DenyUrlSequences
Can be used to remove SQL tick()
RejectResponseUrl/ Default is
/ltRejected-by-UrlScangt

26
Additional IIS Config Tip

Remove Custom ASP.NET headers
Put in a Warning Banner

27
Nikto

- Nikto v1.35/1.36
--------------------------------------------------
-------------------------
Target IP 68.46.38.72
Target Hostname www.enterprisesecuritysolutions
.net
Target Port 80
Start Time Sun Apr 16 222514 2006
--------------------------------------------------
-------------------------
- Scan is dependent on "Server" string which can
be faked, use -g to override
Server Apache/2.0.54 (Unix) mod_ssl/2.0.54
OpenSSL/0.9.7f
Apache/2.0.54 appears to be outdated (current
is at least Apache/2.0.55). Apache 1.3.33 is
still maintained and considered secure.
mod_ssl/2.0.54 appears to be outdated (current
is at least 2.8.25) (may depend on server
version)
OpenSSL/0.9.7f appears to be outdated (current
is at least 0.9.8a) (may depend on server
version)
mod_ssl/2.0.54 OpenSSL/0.9.7f - mod_ssl 2.8.7
and lower are vulnerable to a remote buffer
overflow which may allow a remote shell
(difficult to exploit). http//cve.mitre.org/cgi-b
in/cvename.cgi?nameCAN-2002-0082.
/cgi.cgi/.htaccess - Contains authorization
information (GET)
.
.
.
/cgi.cgi/auth_data/auth_user_file.txt - The
DCShop installation allows credit card numbers to
be viewed remotely. See dcscripts.com for fix
information. (GET)

28
sslthing.sh

linux/ ./sslthing.sh www.website.net443 -v
Default request
TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
3DES(168)
Testing SSL2...
DES-CBC3-MD5 - 168 bits
RC2-CBC-MD5 - 128 bits
RC4-MD5 - 128 bits
RC4-64-MD5 - 64 bits (!)
DES-CBC-MD5 - 56 bits (!)
EXP-RC2-CBC-MD5 - 40 bits (!)
EXP-RC4-MD5 - 40 bits (!)
Testing TLS1...
EDH-RSA-DES-CBC3-SHA - 168 bits
DES-CBC3-SHA - 168 bits
RC4-SHA - 128 bits
RC4-MD5 - 128 bits

29
Apache SSL

Disable SSLv2
SSLCipherSuite ALL!ADH!EXPORT56RC4RSA!kEDH!aN
ULL!ADHHIGH!MEDIUM!LOW!SSLv2!EXP
Disable Medium and Weak Ciphers
SSLCipherSuite ALL!ADH!EXPORT56RC4RSA!kEDH!aN
ULL!ADHHIGH!MEDIUM!LOW!SSLv2!EXP
For detailed information about configuring the
ssl.conf file
http//httpd.apache.org/docs-2.0/mod/mod_ssl.html

30
IIS SSL

How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS
1.0 in Internet Information Services
http//support.microsoft.com/default.aspx?scidkb
en-us187498

31
IIS SSL

Configure IIS to require 128-bit encryption

32
Application Testing

Information Accessibility
Client Vulnerability Checks
Application Programming Checks
Various Server-Specific Vulnerabilities
User Account/Login Security Issues

33
Information Accessibility

Indexing
Access outside root
../../
Hidden information
Configuration and/or Application Structure
Information

34
Indexing
35
Hidden Information

An array with client ID numbers was identified in
the HTML code
var locationList new Array("0800??","1801??","1
801??","1804??")
URL encrypted with crypto function, unencrypted
URL found hidden in HTML code
List of account names
Admin screen with list of account names and
passwords

36
Application Structure Info
37
Client Vulnerability Checks

Account info in history file
Disk cache

38
Application Programming Checks

Known Vulnerable CGI Programs
Ability to Exploit Custom CGI Scripts
Buffer Overflow/Underflow
URL Manipulation
SQL Injection
Cross-Site Scripting
Persistent Cookie Manipulation
Session and Variable Manipulation
Secure Cookies
Application Logging

39
Buffer Overflow
40
Proper Error Message
41
URL Manipulation Case 1

Original URL
http//www.website.com/JSP/Welcome.jsp?CustomerNu
mber1UserNameguest1BaseURLhttp3A2F2Fwww.we
bsite.com2Ftest2FServletURLhttp3A2F2Fwww.we
bsite.com2Ftest2FJSP2FAccessLevel011001RealN
ameGuest28App.User29TextFileLocationc3A5C
trashReportFileLocationc3A5Ctrash5Creports5C
SelfVerifyfalseDSNameWebRemoteDSUserNameadmi
nistratorDSUserPasswordabc123
Changed URL
http//www.website.com/JSP/Welcome.jsp?CustomerNu
mber1UserNameguest1BaseURLhttp3A2F2Fwww.we
bsite.com2Ftest2FServletURLhttp3A2F2Fwww.we
bsite.com2Ftest2FJSP2FAccessLevel111011RealN
ameGuest28App.User29TextFileLocationc3A5C
trashReportFileLocationc3A5Ctrash5Creports5C
SelfVerifyfalseDSNameWebRemoteDSUserNameadmi
nistratorDSUserPasswordabc123

42
URL Manipulation Case 1
43
URL Manipulation Case 2

wget http//www.website.com/account/999000 gt
999000.txt
wget http//www.website.com/account/999001 gt
999001.txt
wget http//www.website.com/account/999002 gt
999002.txt
.
.
.
wget http//www.website.com/account/999998 gt
999998.txt
wget http//www.website.com/account/999999 gt
999999.txt

44
SQL Injection
45
Cross-Site Scripting (XSS)

ltSCRIPT Language"Javascript"gtalert("Hello")lt/SCR
IPTgt

46
Persistent Cookie Manipulation
47
Variable Manipulation Case 1

By changing the UserID from 17 to 18, the
user assumes the privileges of another

48
Variable Manipulation Case 2

I used Achilles to intercept the web pages coming
back from the web server

lt!-- Only what they have access to... --gt
lttdgtlta href"JavaScript SystemAdmin()"gtltimg
src"https//website.com/TEST/Images/Main_SystemAd
min.gif" width"93" height"100" alt"Admin"
border"0"gtlt/agtlt/tdgt
lttdgtlta href"JavaScriptFileControl()"gtltimg
src"https//website.com/TEST/Images/Main_FileCont
rol.gif" width"93" height"100" alt"File
Control" border"0"gtlt/agtlt/tdgt
lttdgtlta href"JavaScriptApplications()"gtltimg
src"https//website.com/TEST/Images/Main_Applicat
ions.gif" width"93" height"100"
alt"Applications" border"0"gtlt/agtlt/tdgt
lttdgtlta href"JavaScriptReports()"gtltimg
src"https//website.com/TEST/Images/Main_Verifica
tion.gif" width"93" height"100"
alt"Verification" border"0"gtlt/agtlt/tdgt
lttdgtlta href"JavaScriptReports()"gtltimg
src"https//website.com/TEST/Images/Main_Reports.
gif" width"93" height"100" alt"Reports"
border"0"gtlt/agtlt/tdgt
lt/trgt
lttrgt
lt!-- Only what they have access to... --gt
lttd valign"baseline" align"center"gt lta
href"JavaScriptSystemAdmin()"gtSystemAdminlt/agt
lt/tdgt
lttd valign"baseline" align"center"gt lta
href"JavaScriptFileControl()"gtFile Controllt/agt
lt/tdgt
lttd valign"baseline" align"center"gt lta
href"JavaScriptApplications()"gtApplicationslt/agt
lt/tdgt
lttd valign"baseline" align"center"gt lta
href"JavaScriptVerification()"gtVerificationlt/agt
lt/tdgt
lttd valign"baseline" align"center"gt lta
href"JavaScriptReports()"gtReportslt/agt lt/tdgt

49
Variable Manipulation Case 2
50
Variable Manipulation Case 3
51
Variable Manipulation Case 3
52
Variable Manipulation Case 3
53
Variable Manipulation Case 3
54
Use of Secure Cookies

The session cookies that are passed to the client
do not indicate that the cookies should be passed
within an SSL connection (secure). Cached data
can be used to perform replay attacks or extract
information that can be used to narrow an attack.
The following cookie is issued by the server
Set-cookie UIDa9digiek3 PATH/
The following example provides the Secure
indicator
Set-cookie UIDa9digiek3 PATH/ Secure

55
Application Logging

Recommendations
1. Standard syslog format is preferred for flat
file logs (RFC 3164)
2. A session can be traced and parsed on IP
address or session cookie
3. Log events are associated to one another by
the IP address and/or session cookie, exception
code, event code, and sequence code
4. Important data from GET/POST (URL and data)
are recorded in log
5. Ensure that regular expression characters are
not used in the log
Desired Results
A. Log can be parsed by IP address and/or session
ID.
B. Log can be parsed based upon facility. (See
RFC 3164)
C. Log can be parsed based upon error level (See
RFC 3164)
d. All log entries are time stamped. Application
input (both URL POST and POST data) can be
associated with the error message.

56
Various Server-Specific Vulnerabilities

Client certificates
Ability to Add or Modify Data on the Web Server
Ability to view configuration files

57
Lotus Domino Files to Protect

setup.nsf
catalog.nsf
admin4.nsf
webadmin.nsf
certlog.nsf
log.nsf
names.nsf
domcfg.nsf
domlog.nsf

58
User Account/Login Security Issues

Login credential check
Login timeout
Report last good/failed login
Account lockout
Concurrent logins
Warning banner
Ability to logout
Password rules
Default usernames/passwords in use

59
Poor Logon Credential Check
Valid account Invalid password
Invalid account Invalid password
A web site should not differentiate between a
non-existent account and an invalid
username/password combination. Ensure that the
responses for an invalid account or a valid
account with an incorrect password are the same.
60
Use SSL for User Credentials/Data

Use of Basic Authentication Base64 decode
root_at_localhost /tools ./websniff -v
192.168.1.70 2234 gt 172.16.31.45
GET /acid/acid_main.php HTTP/1.1
Accept image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword,
/
Accept-Language en-us
Accept-Encoding gzip, deflate
User-Agent Mozilla/4.0 (compatible MSIE 6.0
Windows NT 5.0)
Host 172.16.31.45
Connection Keep-Alive
Cookie PHPSESSID531d9931581ac33d69d1ca917f206d5d
Authorization Basic c25vcnQ6dGVzdA
---------- USER snort PASS test
----------

61
Report Last Good/Failed Login
Web sites should report previous login
information and failed login attempts back to the
client (ISO19977 Section 9.5.2).
62
Concurrent Logins

Principle of one user per account
Shared accounts should not be allowed
Log off the first session.
Send the first session a notice that a second
session was logged into with the same account.
The first session should be instructed to contact
the system administrator if this may be the
result of a compromised account.
The second user would be permitted to log in, but
would receive a message indicating that the
account was in use elsewhere and also be
instructed to contact the system administrator if
this is the result of a compromised account.

63
Concurrent Logins
Message appearing at new session
Message appearing at old session
64
Account Lockout
An attacker attempting a brute force attack
should receive a Login Failed message for all
accounts, even after account lockout. If the
correct password is input after the account is
locked out, then an account lockout message
should appear
An account lockout mechanism should be enabled
65
Sample Warning Banner

This system is for the use of authorized users
only. These systems and equipment are subject to
monitoring to ensure proper functioning, to
protect against improper or unauthorized use or
access, and to verify the presence or performance
of applicable security features or procedures,
and for other like purposes. Such monitoring may
result in the acquisition, recording, and
analysis of all data being communicated,
transmitted, processed or stored in this system
by a user. If monitoring reveals evidence of
possible criminal activity, such evidence may be
provided to law enforcement personnel. Use of
this system constitutes consent to such
monitoring.

http//www.ciac.org/ciac/bulletins/j-043.shtml
ISO17799 Section 9.5.2
66
Ability to Logout

Ensure that using Back button on browser does
not bring you back into a valid session
Reset session cookies upon logout
Timeout result in logout
Consider logging out the user out if the user
navigates to a different web site

67
Sample Password Rules

The password shall contain a combination of at
least six alphanumeric characters, including at
least one alphabetic, one numeric, and one
special (e.g. punctuation) character.
The password shall not contain the associated
user ID.
As an option, dictionary words can be restricted.
No more than two repeating characters.
No sequencing of characters and/or numbers.
Password aging (min/max) and history should be
maintained.
Refer to NIST for additional recommendations
(http//www.itl.nist.gov/fipspubs/fip112.htm)

68
Brutus
Brute force password checker
69
Report Findings Classification

Each finding should be categorized as an
exposure, a concern, an observation, or an
informational finding
Exposures are the most critical findings, posing
an immediate risk to the security of the system,
and need to be addressed in as timely a manner as
possible.
Concerns are findings that pose some risk to the
system, but need not be addressed with the same
priority as exposures.
Observations are security issues that need to be
noted, but do not pose a significant risk to the
system.
Informational findings and Notes do not identify
any security risk but are noted as items of
interest.

70
Report Findings

3.5.3 Report Last Good/Failed Login Concern
It is a standard security practice to report the
last login date, time, and any failed login
attempts since the last successful login to alert
users (ISO17799 Section 9.5.2) if someone has
been trying to access their account. The
location logins originate from should also be
logged in the web log and be made accessible to
the administrator.
No last login date or number of failed logins
since last successful login are provided to the
user.
Figure 3-18 No last login date or number of
failed logins since last successful login
Figure 3-19 EXAMPLE Page showing last
successful/failed login
RECOMMENDATION Web sites should report previous
login information and failed login attempts back
to the client.