Software testing
A much broader set of procedures than website security assessments
In many cases, includes an assessment of website security as a subset of the overall testing process
Software testing often includes, at a minimum, the following checks of the application:
Meets the initial design requirements provided by the party requesting the application; referred to as verification and validation
Operates as expected and without any errors
Can be implemented so that it does not cause issues with other applications it may integrate with; referred to as compatibility
Websites typically consist of four elements:
Web server software, such as Microsoft’s Internet Information Services or Apache HTTP Server
A hardware server and operating system that the web server runs on
A software application that uses the web server to collect or distribute information
A database that stores the information being used by the application and/or web server
Performing an Initial Discovery on the Targeted Website
First step in a website assessment is to identify the components that make up the website and that will be tested
Discovery activity is also referred to as fingerprinting and enumeration
Identifying and listing various components of a website platform that need to be tested or attacked
Information sought during discovery:
Internet Protocol (IP) addresses associated with the website platform
Services and/or applications that are running on the servers in the website platform, for example, Hypertext Transfer Protocol (HTTP), Domain Name System (DNS), File Transfer Protocol (FTP), Telnet, and Simple Mail Transfer Protocol (SMTP)
The operating systems on all hardware servers supporting the website platform
Any known (published) vulnerabilities with the services, applications, or operating systems
Ping
A utility designed to send a packet to an IP address to determine if it is active
Ping command is typically executed against a single IP address; a ping sweep is the act of running the utility across a range of IP addresses
Ping sweep also called host discovery
Nmap
Nmap is short for Network Mapper
Nmap’s core functionality: ping sweeping, port scanning, and operating system (OS) detection
“Standard” Nmap scan performs nonintrusive activities; those unlikely to impact the server or appear to security systems as an attack:
Basic ping operations, such as whether the IP address is alive/up or down/nonresponsive or total time for the ping packet to travel round-trip
The Media Access Control (MAC) address of the network card using the IP address that was scanned
Open/active or closed/inactive status of the 1000 most commonly used Transmission Control Protocol (TCP) ports
Operating system (OS) fingerprinting
Identifying the OS running on hardware systems that support the web server, application, and database components
Two of the most popular OS fingerprinting tools are Nmap and Nessus.
Nmap returns the OS fingerprint as part of a “regular scan” profile selected in Zenmap, or it can be specifically requested by executing the following command:
nmap -O <ip address>
The result will be a line in the output resembling the following:
OS details: Linux 2.6.19 - 2.6.31
Nessus Vulnerability and Port Scan
Although a few features overlap, Nessus is considered complementary to Nmap
Composed of two components: a scanning engine and thousands of plug-ins that associate vulnerabilities with items such as services, operating systems, applications, and so on
To scan a system, user first creates a policy (chooses options and plug-ins) and then runs the scan
Has the ability to perform both authenticated and unauthenticated scans
Authenticated scan requires permission to log onto target system to scan
Unauthenticated is the default
A typical single-server website consists of the following:
A web server OS: The operating system of the hardware server that the components reside on
A web server application: The actual application that is collecting, using, and/or providing data
A web server front-end: The web server software that presents the application to users in the form of HTTP pages
Website forms: The input fields, or forms, that are used to gather data from users
An assessment of the web server OS should involve the following:
Identifying the OS type and version
Identifying major service packs and patches that have been installed
Identifying the active services or ports being supported by the OS
Identifying any known vulnerabilities associated with the previously identified components
Typical enumeration and assessment of the web server OS might be as follows:
If the IP address of the web server is unknown, or if multiple web servers are suspected to be present on the network, run an Nmap scan with the “Quick” profile selected against the entire IP address range.
Any IP addresses reported as having ports 80 and/or 443 open should indicate they are web servers.
Run a vulnerability scan against those IP addresses. If using Nessus, a scan with the default plug-ins enabled would suffice.
This will produce a report that includes information about the OS and any vulnerabilities associated with the OS and other running services.
If privileged credentials are available for the OS, such as a Windows administrator-equivalent logon or a UNIX root-equivalent ID, it is recommended to run an authenticated vulnerability scan.
Depending on the scanner being used, this could help identify vulnerabilities with weak password policies, domain relationships, and so on.
Manually review the available services that are enabled at the web server OS level and determine if they are necessary.
Unnecessary services, even if found to have no vulnerabilities, can present a future risk to the system.
Additional items to look for when scanning the web server OS include the following:
Insecure Simple Network Management Protocol (SNMP) configurations that use default names or strings and may allow an attacker to intercept server monitoring traffic.
Weak passwords or password policies. Testing actual passwords typically requires using a separate password auditing/hacking utility.
Services that allow remote connectivity to the web server OS such as Telnet, SSH, rlogin, and so on.
If present, use SANS Institute (https://www.sans.org/) or the Carnegie Mellon University Computer Emergency Readiness Team (https://www.sei.cmu.edu/about/divisions/cert/index.cfm) websites to research vulnerabilities and attacks related to those services.
Web Server Application
Web server application can be anything from a grouping of scripts to a fully custom-coded program
In many cases, assessing web server applications consists of scanning the application for known vulnerabilities as well as performing more specific testing of the code itself
Tools like Nessus or Metasploit may be useful in finding and testing vulnerabilities in application
Recommended that the code be reviewed by a commercial source code assessment tool such as WebInspect or IBM Rational Appscan
Source code tools examine various programming languages and find poorly designed or insecure coding
Techniques that could present risks:
Ability to circumvent the application’s authentication process
Code or command injection that forces the application to perform in a certain manner
Manipulating uniform resource locators (URLs) or data input fields to traverse data directories or the application itself
Typical steps of a basic web application security assessment:
Identify the type of application that is running on the web server, such as Microsoft SharePoint, an email system, or a form-based front-end for a database.
Research the application to determine the types of code or scripting languages being used, such as C++ or Java.
Select an appropriate utility to run against the web application or scripts, such as N-Stalker. (See http://www.nstalker.com/alliance/.)
Common activities performed when assessing website front-end software:
Identify the type of website front-end software in use, such as Microsoft Internet Information Services (IIS) or Apache.
Determine the functions that the front-end software is supposed to provide—simple presentation of Hypertext Markup Language (HTML) pages, data input/output, access to sensitive files/data, and so on.
Run a web server security utility such as Nessus, N-Stalker, or Acunetix Web Vulnerability Scanner. In addition to looking for basic vulnerabilities, the scanners should be configured to test for cross-site scripting.
Use a utility such as HTTrack Website Copier to crawl, or scan, the website’s pages for hidden fields. Hidden fields are sometimes used to track the activities or actions of the website user.
HTTrack can also provide information about the website’s directory structure. This can be useful in performing a directory traversal attack in which the user attempts to access hidden directories by simply changing the URL in the web browser address bar.
Use resources such as Google’s advanced search commands to search the website for potentially sensitive files or information. Some examples of useful Google search commands that can be entered directly into the Google search field include:
ssn site:acme.com: Searches the site Acme.com for any webpages that include the text “ssn”
acme.com -filetype:doc: Searches the Acme.com site and returns all files with .doc extensions stored on the website
May have problems if a user enters bad or improperly formatted text
Example: Entering a very large number of characters into a field that expects only a few
Properly configured or well-written website application would require the correct number of characters to be entered or check for incorrect data and not process it
Improperly formatted data involves entering special commands into fields; often known as code injection or cross-site scripting (XSS)
Most vulnerability scanners can perform a basic scan for XSS and code injection vulnerabilities
Websites that store, transmit, or process credit card numbers must comply with the Payment Card Industry Data Security Standard (PCI DSS)
Failure to comply can result in losing the right to process credit card transactions as well as in fines for the website owner
The following PCI DSS requirements are most related to performing vulnerability and security assessments:
Requirement 2, vendor-supplied defaults
If a website must be PCI compliant, it is recommended that a security assessment tool be used that can check for vendor default accounts and passwords.
Requirement 6, secure systems and applications
Some controls in this requirement require tests for specific types of issues, such as input validation, cross-site scripting, data injection flaws, malicious code execution, and error handling.
Requirement 11, testing systems and processes
This requirement contains the mandate that web applications and systems be regularly scanned for vulnerabilities, from both inside the network where the server sits and from the internet.
Planned attacks also called penetration testing, or pen testing for short
General process consists of:
Developing a plan of attack
Identifying the security gaps and holes
Attempting to escalate privilege
Attack plan for web front-end systems often centers on:
Application’s user interface
How a website visitor, legitimate or not, could gain unauthorized access to data through the web server or application
Basic planned attack on a website front-end might include the following:
Strategy: Attacking input fields and forms in an attempt to gain unauthorized access
Systems: Website Acme.com
Techniques: Input invalid data into fields, attack authentication form, and attempt buffer overflow
Earlier scans with vulnerability programs should have produced information on the:
OS version
Type of web software running
Patch levels
Configuration settings (possibly)
Those pieces of information provide insight into possible security gaps.
Review the HTML source code for hidden fields.
Privilege escalation
Exploiting a vulnerability or flaw in a system to gain access to resources not otherwise available to the attacker or tester
Applies to gaining a higher role in the system (vertical privilege escalation) and gaining access to files or data that normally are restricted to peer users (horizontal privilege escalation)
Vulnerabilities in Back-End Systems and Structured Query Language (SQL) Databases
Back-end systems are also subject to risk if not properly secured.
Because the back-end databases of a web application solution typically do not offer the same variety of services that a front-end system does, planned attacks may be easier.
The strategy for attempting to compromise back-end systems is relatively the same, though.
The intention is to gain access to data, either through compromising a database or escalating a privilege level.
Back-End: Develop an Attack Plan
Developing attack plan for a back-end system or database is similar to developing one for web front-end system
Many attack methods can be performed through the same web application or forms
Difference in planning an attack on a database is that additional discovery tools need to be used to identify database type
Once database type is identified, general plan of attack on a database might attempt the following:
Access or retrieve data by injecting data into fields or forms
Access or retrieve data by gaining privileged access
Crash the database to gain privileged access to other portions of the system
Probing database applications for gaps and holes is common using penetration testing software like
Metasploit
Freeware tool, adept at exploit testing
Has modules or preconfigured test scripts for numerous database types and their vulnerabilities
Not very user friendly
Back-End: Escalate the Privilege Level
Attempting to escalate privileges for back-end databases is similar to strategy used for web server applications.
Metasploit is a good utility for attempting various strategies for escalating privileges.
Caution: Many scripts and techniques used to gain escalated privilege level involve strategies to crash either the application or the database itself.
Perform an SQL Injection for Data Extraction
Most scanning and pen test utilities now have built-in SQL injection testing capabilities.
However, SQL injection is a fairly simple activity that an attacker can attempt manually by manipulating URLs in a browser.
SQL injection is the act of inserting various SQL commands into a URL, or sometimes into a form field, so that the command will be run against the back-end database.
To conduct a basic SQL injection attempt:
Look for webpages that contain data entry fields for entering data such as a username or password. Webpages for that purpose are typically not static HTML but written using a language like ASP or PHP. These webpages will contain extensions such as .asp, .php, or .jsp somewhere in the string of characters.
For example, http://mydatabase.com/index.asp?user= might correspond to a text box asking for a logon ID.
Upon typing the name Sam into the logon ID field on the webpage, the string would look like: http://mydatabase.com/index.asp?user=Sam. The database might then start a query to look for the name Sam in its tables, and the actual database query might look like: SELECT * FROM customers WHERE User = 'Sam'
By either manipulating the URL or entering data into the field, you can now try some characters that have special meaning in SQL queries, such as a single quote ' or two dashes --.
The single quote tells SQL to escape from the search criteria and back to the SQL statement. Knowing this, you can enter data into the webpage’s field to be injected as part of the SQL statement. For example, entering the characters ' OR 1 = 1 tells the statement to return data whenever the condition evaluates to true. Because 1 always equals 1, the condition is always true, and all data are returned.
More advanced knowledge of SQL query formatting or SQL server commands is necessary to get creative with SQL injection. Basically, though, any type of SQL command can now be inserted into the text box or URL and, if properly formatted, cause the SQL server to execute the command as if the attacker were sitting at the SQL console. For example, the following text would cause SQL to stop its normal query and execute anything after the semicolon, such as a privileged SQL server exec command: '; exec
The general structure for an assessment report includes the following:
Executive summary
Summary of findings
Details of the vulnerability assessment
Details of the security assessment
Recommended remediations
Best Practices for Website Vulnerability and Security Assessments
Choose the right tools.
Test inside and out.
Think outside the box.
Be on the lookout for new techniques.
Research, Research, Research
Tools and techniques are a start.
Knowing things like the technology behind the attacks, how attacks are evolving, which industries the attacks are happening in, and so on will prove invaluable in truly securing an application or website.
Perform a web search for the server’s name occasionally to see if any attackers or online tools are targeting the system or application.