IDENTIFYING SECURITY ISSUES IN A HIGHER INSTITUTE CMS LAB SITE Panagiotis Loumpardias Konstantinos Chimos

Upload: chrystal-greene

Post on 16-Jan-2016

213 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: IDENTIFYING SECURITY ISSUES IN A HIGHER INSTITUTE CMS LAB SITE Panagiotis Loumpardias Konstantinos Chimos

IDENTIFYING SECURITY ISSUES

IN A HIGHER INSTITUTE CMS LAB SITE

Panagiotis Loumpardias

Konstantinos Chimos

Page 2

INTRODUCTION

The number of websites rises constantly
Websites are easy to build
There are step-by-step guides for everything
Many users are turning to CMSs (Drupal, Joomla, etc.)
Universities also use them

Page 3

ARE WEBSITES SAFE?

The answer should be “No one can really tell for sure!”
Searching for “Hack a website” returns 74 million results in Google
Website attacks in 2013 were 75% higher than in 2012

Page 4

SECURING A WEBSITE

1. Design and deploy on a test server

2. Look for known vulnerabilities of the software you use

3. Check your site with security auditing tools

4. Fix vulnerabilities

5. Check again

Page 5

AUDITING TOOLS

Lots of options:
Commercial / Open source
Windows / Linux
With GUI / Command line

Page 6

TOOL 1 - ARACHNI

Open source
Runs on Mac and Linux
Scalable resource usage, combining more than one machine
User-collaboration friendly
Can run on a remote computer and be accessed from a web browser

Page 7

ARACHNI RESULTS

Title | Findings | Severity
Cross-Site Request Forgery | 85 | High
A backdoor file exists on the server | 32 | High
Unencrypted password form | 2 | Medium
Backup file | 81 | Medium
Common sensitive file | 14 | Low
Password field with auto-complete | 41 | Low
Interesting response | 50 | Informational
E-mail address disclosure | 2 | Informational

Page 8

RESULTS EVALUATION

Cross-Site Request Forgery could only be exploited when posting full HTML as administrator
Server backdoors were false positives
Unencrypted password forms can lead to password interception
Backup files were also false positives
Some common sensitive files existed, but without sensitive information
Auto-completed password fields could lead to password loss, especially when there is physical access to the user’s computer
Interesting responses were mostly the server denying access
E-mail addresses were public

Page 9

TOOL 2 – OWASP ZAP

Open source
Cross-platform (Windows, Linux)
Proposes a solution for most results
Users can rate and comment on results to help with troubleshooting

Page 10

OWASP ZED RESULTS

Title | Findings | Severity
Cross-domain JavaScript source file inclusion | 366 | Low
Password Autocomplete in browser | 364 | Low
X-Content-Type-Options header missing | 417 | Low
X-Frame-Options header not set | 394 | Informational

Page 11

RESULTS EVALUATION

Cross-domain JavaScript source file inclusion is true, but all the files come from trusted sources
Password autocomplete in the browser can lead to password theft
The X-Content-Type-Options header is missing, so specific browsers can be tricked into executing malicious but cleverly named files
The X-Frame-Options header is not set, which can result in clickjacking attacks
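As an added example (not part of the slides and not code from any of the scanners named here), a small Python check that reproduces the finding classes evaluated on the Arachni and OWASP ZAP slides over one page: missing X-Content-Type-Options and X-Frame-Options headers, cross-domain script includes, a password form submitted without HTTPS, password fields with autocomplete left on, and the DELETE method advertised in Allow. The URL, headers and HTML are constructed for illustration; in a real audit they come from the scanner's own HTTP responses.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample response (not taken from the audited lab site): a CMS
# login page served over plain HTTP showing the weaknesses the scanners flagged.
SAMPLE_URL = "http://cms-lab.example.edu/user/login"
SAMPLE_HEADERS = {"Content-Type": "text/html", "Allow": "GET, POST, DELETE"}
SAMPLE_BODY = """
<script src="https://cdn.example.net/jquery.js"></script>
<form action="/user/login" method="post">
  <input type="text" name="name">
  <input type="password" name="pass">
</form>
"""

def audit_page(url, headers, body):
    """Return the set of finding names raised for one page, mirroring the scanners."""
    found = set()
    hdr = {k.lower(): v.strip() for k, v in headers.items()}
    page_host = urlsplit(url).hostname
    # Without nosniff, some browsers content-sniff a disguised file and execute it.
    if hdr.get("x-content-type-options", "").lower() != "nosniff":
        found.add("X-Content-Type-Options header missing")
    # No framing restriction: the page can be loaded in a hostile iframe (clickjacking).
    if hdr.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        found.add("X-Frame-Options header not set")
    # DELETE advertised in Allow is what JSKY and w3af report as an allowed method.
    if "DELETE" in {m.strip().upper() for m in hdr.get("allow", "").split(",")}:
        found.add("DELETE Method enabled")
    # Script sources on another host (ZAP's cross-domain inclusion finding).
    for src in re.findall(r'<script[^>]+src="([^"]+)"', body, re.I):
        if urlsplit(urljoin(url, src)).hostname != page_host:
            found.add("Cross-domain JavaScript source file inclusion")
    # Every form carrying a password field: check the transport and autocomplete.
    off = re.compile(r'autocomplete="off"', re.I)
    for form_tag, inner in re.findall(r"(<form[^>]*>)(.*?)</form>", body, re.I | re.S):
        pw_inputs = [t for t in re.findall(r"<input[^>]*>", inner, re.I)
                     if re.search(r'type="password"', t, re.I)]
        if not pw_inputs:
            continue
        action = re.search(r'action="([^"]*)"', form_tag, re.I)
        target = urljoin(url, action.group(1) if action else "")
        if urlsplit(target).scheme != "https":
            found.add("Unencrypted password form")
        # Autocomplete stays on unless the form or every password field turns it off.
        if not (off.search(form_tag) or all(off.search(t) for t in pw_inputs)):
            found.add("Password field with auto-complete")
    return found
```

Running audit_page on the constructed sample raises all six findings; the same page served over HTTPS with nosniff, SAMEORIGIN, DELETE removed from Allow, same-host scripts and autocomplete="off" on the form raises none.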

Page 12

TOOL 3 - W3AF

Open source
Runs best on Linux
Can directly exploit some of the vulnerabilities it discovers
Does not display the same result multiple times if it is found on all pages
Only exports the results in various formats; it does not save the program session

Page 13

W3AF – RESULTS

Title | Findings | Severity
Server-header | 2 | Informational
Php_eggs | 2 | Informational
Dns_wildcard | 1 | Informational
Strange_http_codes | 1 | Informational
Click_jacking | 1 | High
Allowed_methods | 2 | Informational
Find_vhosts | 1 | Medium
hmap | 1 | Informational

Page 14

RESULTS EVALUATION

Clickjacking was the only valid result
Discovery of virtual hosts may prove problematic if they are vulnerable

Page 15

JSKY

Commercial
Runs on Windows
The only commercial program with a fully working, unrestricted trial
Describes the impact of the vulnerabilities found
Gives recommendations for troubleshooting

Page 16

JSKY - RESULTS

Vulnerability | Total found | Severity
DELETE Method enabled | 1 | Informational
Instal.php | 1 | Low
Robots text file found | 1 | Informational
Possible sensitive directories | 6 | Informational

Page 17

RESULTS EVALUATION

None of them proved threatening in our case

Page 18

CONCLUSION

Auditing with only one program may not be enough
If on a budget, open source tools seem to give decent results
Using SSL should be the first thing to do, if possible
Choose a CMS with strong community support for more help in troubleshooting
Run your own audit and try to find even more results, if possible