IDENTIFYING SECURITY ISSUES
IN A HIGHER INSTITUTE CMS LAB SITE
Panagiotis Loumpardias
Konstantinos Chimos
INTRODUCTION
The number of websites rises constantly
Websites are easy to build
There are step-by-step guides for everything
Many users are turning to CMSs (Drupal, Joomla, etc.)
Universities also use them
ARE WEBSITES SAFE?
The answer should be “No one can really tell for sure!”
Searching for “Hack a website” returns 74 million results in Google
Website attacks in 2013 were 75% more than in 2012
SECURING A WEBSITE
1. Design and deploy on a test server
2. Look for known vulnerabilities of the software you use
3. Check your site with security auditing tools
4. Fix vulnerabilities
5. Check again
AUDITING TOOLS
Lots of options
Commercial or Open Source
Windows or Linux
With GUI or command line
TOOL 1 - ARACHNI
Open Source
Runs on Mac & Linux
Scalable resource usage, combining more than one machine
User-collaboration friendly
Can run on a remote computer and be accessed from the web with a browser
ARACHNI RESULTS
Title | Findings | Severity
Cross-Site Request Forgery | 85 | High
A backdoor file exists on the server | 32 | High
Unencrypted password form | 2 | Medium
Backup file | 81 | Medium
Common sensitive file | 14 | Low
Password field with auto-complete | 41 | Low
Interesting response | 50 | Informational
E-mail address disclosure | 2 | Informational
RESULTS EVALUATION
Cross-Site Request Forgery could only be exploited when posting full HTML as administrator
Server backdoors were false results
Unencrypted password forms can lead to password interception
Backup files were also false results
Some common sensitive files existed, but without sensitive information
Auto-completed password fields could lead to password loss, especially when there is physical access to the user's computer
Interesting responses were mostly the server denying access
E-mail addresses were public
TOOL 2 – OWASP ZAP
Open Source
Cross-platform (Windows, Linux)
Proposes a solution for most results
Users can rate and comment on results to help with troubleshooting
OWASP ZED RESULTS
Title | Findings | Severity
Cross-domain JavaScript source file inclusion | 366 | Low
Password Autocomplete in browser | 364 | Low
X-Content-Type-Options header missing | 417 | Low
X-Frame-Options header not set | 394 | Informational
RESULTS EVALUATION
Cross-domain JavaScript source file inclusion is true, but all the files come from trusted sources
Password Autocomplete in browser can lead to password theft
X-Content-Type-Options header is missing, so some browsers can be tricked into sniffing the content type and executing malicious but cleverly named files
X-Frame-Options header is not set, which can result in clickjacking attacks
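The four ZAP findings above, reproduced as an added example (not code from the presentation or from ZAP itself) that runs the equivalent passive checks offline over a constructed sample response; the URL, headers and markup are assumptions standing in for one page of the lab site.

```python
import re
from urllib.parse import urlparse

# Constructed sample response, standing in for one page of the lab site
# (assumed URL and markup, not the actual site's output).
SAMPLE_URL = "https://cms-lab.example.edu/user/login"
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "Apache"}
SAMPLE_BODY = """<html><head>
<script src="https://cms-lab.example.edu/misc/drupal.js"></script>
<script src="https://cdn.example.net/jquery.min.js"></script>
</head><body>
<form action="/user/login" method="post">
  <input type="text" name="name">
  <input type="password" name="pass">
</form></body></html>"""


def passive_checks(url, headers, body):
    """Return (title, severity, evidence) tuples for the four ZAP findings."""
    findings = []
    site_host = urlparse(url).hostname
    # HTTP header names are case-insensitive, so normalise before lookup.
    lower = {k.lower(): v.strip() for k, v in headers.items()}

    # 1. Cross-domain JavaScript source file inclusion: <script src> on another host.
    for src in re.findall(r'<script[^>]+src=["\']([^"\']+)["\']', body, re.I):
        host = urlparse(src).hostname
        if host and host != site_host:
            findings.append(("Cross-domain JavaScript source file inclusion", "Low", src))

    # 2. Password field that does not opt out of browser autocomplete
    #    (form-level autocomplete="off" is not considered here).
    for tag in re.findall(r"<input[^>]+>", body, re.I):
        if re.search(r'type=["\']password["\']', tag, re.I) and \
                not re.search(r'autocomplete=["\']off["\']', tag, re.I):
            findings.append(("Password Autocomplete in browser", "Low", tag))

    # 3. X-Content-Type-Options must be "nosniff" to stop MIME sniffing.
    if lower.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options header missing", "Low",
                         "header absent or not 'nosniff'"))

    # 4. X-Frame-Options DENY/SAMEORIGIN stops the page being framed (clickjacking).
    if lower.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options header not set", "Informational",
                         "header absent or not DENY/SAMEORIGIN"))
    return findings
```

Calling `passive_checks` with the sample input returns all four findings; with `X-Content-Type-Options: nosniff` and `X-Frame-Options: SAMEORIGIN` added, the two header findings disappear.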
TOOL 3 - W3AF
Open Source
Runs best on Linux
Can directly exploit some of the vulnerabilities it discovers
Does not display a result multiple times if it is found on all pages
Only exports the results in various formats; does not save the program session
W3AF - RESULTS
Title | Findings | Severity
Server-header | 2 | Informational
Php_eggs | 2 | Informational
Dns_wildcard | 1 | Informational
Strange_http_codes | 1 | Informational
Click_jacking | 1 | High
Allowed_methods | 2 | Informational
Find_vhosts | 1 | Medium
hmap | 1 | Informational
RESULTS EVALUATION
Clickjacking was the only valid result
Discovery of virtual hosts may prove problematic if they are vulnerable
JSKY
Commercial
Runs on Windows
The only commercial program with a fully working, unlimited trial
Describes the impact of the vulnerabilities found
Gives recommendations for troubleshooting
JSKY - RESULTS
Vulnerability | Total found | Severity
DELETE Method enabled | 1 | Informational
Instal.php | 1 | Low
Robots text file found | 1 | Informational
Possible sensitive directories | 6 | Informational
RESULTS EVALUATION
None of them proved to be threatening in our case
CONCLUSION
Auditing with only one program may not be enough
If on a budget, open source tools seem to give decent results
Using SSL should be the first thing to do if possible
Choose a CMS with strong community support for more help in troubleshooting
Run your own audits and try to find even more results if possible