Information Security Systems

Upload: eyad-mhanna

Post on 26-Jul-2015

Page 1: Information Security Systems

ISS

Page 2: Information Security Systems

Overview

• MySQL Misconfigurations
• DoS Attack
• DDoS Attack
• Session Hijacking
• Session Management

Page 3: Information Security Systems

MySQL RDBMS

• The world's second most widely used RDBMS
• Open-source relational database management system (RDBMS)
• Owned by Oracle Corporation
• Used in many applications, e.g. WordPress, Joomla, ...
• Used by many large-scale websites, e.g. Facebook, Flickr, ...

Page 4: Information Security Systems

MySQL Misconfiguration Threats

• Default password for the "root" account
• Using the "root" account in web applications
• Listening on TCP/IP without any constraints
• Web server and database server on the same system/device
• Default user accounts and databases
• LOAD_FILE function enabled

Page 5: Information Security Systems

MySQL Misconfiguration Solutions

• Set a new password for the "root" account
• Remove all default user accounts and databases
• Disable the LOAD_FILE function
• Disable listening for TCP/IP connections from anonymous sources
• Set a maximum number of connections and a timeout
• Apply critical patch update fixes without delay
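The threats and fixes on these two slides turned into a small audit routine (an added example, not the slides' own material): it scans constructed rows shaped like `mysql.user` output for anonymous accounts, password-less accounts, root reachable from any host, the FILE privilege that LOAD_FILE depends on, the default `test` database and an empty `secure_file_priv`. The column names and the `secure_file_priv` semantics are assumptions about MySQL 5.7+/8.0.

```python
# Added example, not from the slides: audit MySQL account data for the
# misconfigurations listed above. Rows are constructed to look like the
# output of "SELECT User, Host, authentication_string, File_priv FROM
# mysql.user" on MySQL 5.7+/8.0 (column names assumed); in a real audit
# they would come from a live query.
from typing import List, Optional, Sequence, Tuple

Row = Tuple[str, str, str, str]   # (User, Host, authentication_string, File_priv)

# Constructed sample rows; real hashes replaced by a placeholder.
SAMPLE_USERS: List[Row] = [
    ("root", "localhost", "", "Y"),                    # no password, FILE privilege
    ("root", "%", "*CONSTRUCTED_HASH", "N"),           # root reachable from any host
    ("", "localhost", "", "N"),                        # anonymous default account
    ("webapp", "localhost", "*CONSTRUCTED_HASH", "N"),
]
SAMPLE_DATABASES = ["mysql", "test", "shop"]           # constructed SHOW DATABASES output
SAMPLE_SECURE_FILE_PRIV: Optional[str] = ""            # "" = LOAD_FILE may read any file

def audit(rows: Sequence[Row], databases: Sequence[str],
          secure_file_priv: Optional[str]) -> List[str]:
    """Return one finding per misconfiguration; an empty list means clean."""
    findings: List[str] = []
    for user, host, auth, file_priv in rows:
        who = f"'{user}'@'{host}'"
        if user == "":
            findings.append(f"anonymous account {who}: drop it")
        if auth == "":
            findings.append(f"{who} has no password: set one")
        if user == "root" and host == "%":
            findings.append(f"{who} allows root login from any host")
        if file_priv == "Y":
            findings.append(f"{who} holds FILE privilege (LOAD_FILE / INTO OUTFILE)")
    if "test" in databases:
        findings.append("default 'test' database present: drop it")
    # secure_file_priv=NULL (None here) disables server-side file access entirely.
    if secure_file_priv == "":
        findings.append("secure_file_priv is empty: LOAD_FILE is unrestricted")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_USERS, SAMPLE_DATABASES, SAMPLE_SECURE_FILE_PRIV):
        print("FINDING:", line)
```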

Page 6: Information Security Systems

DoS Attack

• Denial of Service is an action that prevents or impairs the authorized use of networks, systems or applications by exhausting resources such as CPU, bandwidth, disk space, ...
• Categories of resources which can be attacked: network bandwidth, system resources, application resources
• Typical aims of DoS attacks:
  • consuming bandwidth with large traffic volumes
  • overloading or crashing the network-handling software
  • sending specific types of packets to consume limited available resources

Page 7: Information Security Systems

Layer 4 DDoS Attack

• Sends thousands of packets per second from the attacker directly to the target
• Like throwing a brick through a window
• Takes thousands of participants to bring down a large site
• LOIC (Low Orbit Ion Cannon) is a commonly used tool for the job
• Easily tracked, easy to block, high bandwidth

Page 8: Information Security Systems

Layer 7 DDoS Attack

• Subtle, concealable attack
• Can be routed through proxies
• Low bandwidth
• Not easily detected, harder to trace
• Can be very difficult to distinguish from normal traffic

Page 9: Information Security Systems

Slowloris

Page 10: Information Security Systems

Apache Recommendations

Key directives: MaxClients, Timeout, MaxKeepAliveRequests, KeepAlive and KeepAliveTimeout

Traffic shaping:
• mod_throttle - limit the frequency of requests allowed from a single client within a window of time
• mod_bwshare - bandwidth throttling by HTTP client IP address
• mod_limitipconn - limit the number of simultaneous downloads permitted from a single IP address
• mod_dosevasive - detects too many connections and temporarily blocks the offending IP address
• mod_security - WAF, filtering, monitoring, logging

Load/stress testing: http_load, JMeter, Slowloris + DoS tools

Page 11: Information Security Systems

SQL Wildcard Attacks

• Affect MS SQL and other databases (MySQL, PostgreSQL, Access)
• The query should return few or no results, so it must go through the entire data in the database
• The OR combinations should differ, otherwise the DB's performance algorithms may optimise the query
• The longer the query, the longer it takes to execute
• Avoids caching in the database, since every query would be different

Page 12: Information Security Systems

Recommendations

• Perform input validation and filtering based on a whitelist
  • Discard wildcards and other potentially dangerous characters
  • Limit the number of characters in the query
  • Strict input type validation (e.g. a number must be a number)
• Implement CAPTCHA for advanced searches/queries
• Search/query limits
  • Set a limit of searches/queries per user per day
  • Only authenticated users can run expensive searches/queries
  • Limit SQL query execution time
  • Limit the number of records/rows returned by the database
• Memcached: high-performance memory object caching system
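A defensive implementation of the whitelist, length and row-limit recommendations above for a LIKE-based search (an added example, not from the slides). sqlite3 stands in for the real DBMS, and the `products` table and its rows are constructed.

```python
# Added example, not from the slides: whitelist validation of a search term
# before it reaches a LIKE query, escaping of any remaining wildcards so
# they match literally, and a hard row limit. sqlite3 (stdlib) stands in
# for the real DBMS; % and _ have the same LIKE meaning in MySQL and MS SQL.
import re
import sqlite3
from typing import List

MAX_TERM_LEN = 40
# Whitelist: letters, digits, space, underscore, hyphen. No % [ ] ^ etc.
TERM_RE = re.compile(rf"^[A-Za-z0-9 _-]{{1,{MAX_TERM_LEN}}}$")

def validate_term(term: str) -> str:
    """Reject anything outside the whitelist or over the length limit."""
    term = term.strip()
    if not TERM_RE.fullmatch(term):
        raise ValueError("search term has disallowed characters or is too long")
    return term

def escape_like(term: str) -> str:
    """Make backslash, % and _ literal for use with LIKE ... ESCAPE '\\'."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def search_products(conn: sqlite3.Connection, term: str, limit: int = 50) -> List[str]:
    """Parameterised prefix search: validated, escaped, row-limited."""
    safe = escape_like(validate_term(term))
    cur = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\' LIMIT ?",
        (safe + "%", limit),
    )
    return [row[0] for row in cur.fetchall()]

def make_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)",
                     [("SKU_12",), ("SKUX12",), ("Widget",)])
    return conn

if __name__ == "__main__":
    db = make_demo_db()
    print(search_products(db, "SKU_1"))      # underscore is literal: ['SKU_12']
    try:
        search_products(db, "%a%b%c%d%")     # wildcard-heavy term is rejected
    except ValueError as exc:
        print("rejected:", exc)
```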

Page 13: Information Security Systems

Session

• A session can be defined as server-side storage of information.
• A visitor accessing the web site is assigned a unique ID, the so-called session ID.
• This is either stored in a cookie on the user side or propagated in the URL.
• The rest of the information and variables are stored on the server.
• Session variables hold information about one single user and are available to all pages in one application.

Page 14: Information Security Systems

Session Hijacking

• Session hijacking is when an attacker gets access to the session state of a legitimate user.
• The attacker steals a valid session ID, which is then used to get into the system and retrieve data.

Page 15: Information Security Systems

Session Hijacking Types

• Predictable session token
• Session sniffing
• Client-side attacks (XSS, malicious JS code, Trojans, etc.)
• Blind hijack
• Man-in-the-middle (MITM)

Page 16: Information Security Systems

Session Management

• Session identifiers should be sufficiently randomized.
• Sessions should time out after a period of inactivity.
• Use HTTPS.
• Regenerate the session ID when moving between HTTP and HTTPS.
• Validate session ID values coming from clients.
• Associate session information with SSL information.
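The session model from the Session slide and the management rules above, implemented as a small server-side store (an added example, not from the slides). The TLS binding value is assumed to be something the web server supplies per request, e.g. a client-certificate fingerprint, and the clock is injectable so the timeout can be exercised.

```python
# Added example, not from the slides: a minimal server-side session store
# applying the rules above: unguessable IDs from the CSPRNG, idle timeout,
# ID regeneration on an HTTP->HTTPS or login transition, shape validation
# of the client-supplied ID before any lookup, and binding to TLS information.
import re
import secrets
import time
from typing import Callable, Dict, Optional

SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")  # shape of secrets.token_urlsafe(32)

class SessionStore:
    def __init__(self, idle_timeout: float = 900,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, dict] = {}
        self.idle_timeout = idle_timeout
        self.clock = clock                    # injectable for testing (assumption)

    def create(self, user: str, tls_binding: Optional[str] = None) -> str:
        sid = secrets.token_urlsafe(32)       # 256 random bits, not predictable
        self._sessions[sid] = {"user": user, "tls": tls_binding,
                               "last_seen": self.clock()}
        return sid

    def lookup(self, sid: object, tls_binding: Optional[str] = None) -> Optional[dict]:
        """Shape-check the ID, then enforce idle timeout and TLS binding."""
        if not isinstance(sid, str) or not SESSION_ID_RE.fullmatch(sid):
            return None                       # junk from the client: no store access
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self.clock() - sess["last_seen"] > self.idle_timeout:
            del self._sessions[sid]           # expired: destroy, never extend
            return None
        if sess["tls"] is not None and sess["tls"] != tls_binding:
            return None                       # presented over a different TLS identity
        sess["last_seen"] = self.clock()
        return sess

    def regenerate(self, sid: str, tls_binding: Optional[str] = None) -> Optional[str]:
        """Swap in a fresh ID for the same state (HTTP->HTTPS switch, login)."""
        sess = self.lookup(sid, tls_binding)
        if sess is None:
            return None
        del self._sessions[sid]               # the old ID must stop working at once
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = sess
        return new_sid
```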