IDENTIFYING SECURITY ISSUES IN A HIGHER INSTITUTE CMS LAB SITE Panagiotis Loumpardias Konstantinos Chimos
INTRODUCTION Websites number rises constantly Websites are easy to build There are step by step guides for everything Many users are turning to CMSs like (Drupal, Joomla, etc.) Universities also use them
ARE WEBSITES SAFE? The answer should be “No one can really tell for sure!” Searching for “Hack a website” returns 74 million results in Google Website attacks in 2013 were 75% more than 2012
SECURING A WEBSITE 1. Design and deploy on a test server 2. Look for known vulnerabilities of the software you use 3. Check your site with security auditing tools 4. Fix vulnerabilities 5. Check again
AUDITING TOOLS Lots of options Commercial Open Source Windows Linux With GUI Command line
TOOL 1 - ARACHNI Open Source Runs on Mac & Linux Scalable resource usage combining more than one machines User collaboration friendly Can run on remote computer and access it from web with browser
ARACHNI RESULTS TitleFindingsSeverity Cross-Site Request Forgery85High A backdoor file exists on the server32High Unencrypted password form2Medium Backup file81Medium Common sensitive file14Low Password field with auto-complete41Low Interesting response50Informational address disclosure2Informational
RESULTS EVALUATION Cross Site Request Forgery could only be exploited when posting full HTML as administrator Server backdoors where false results Unencrypted password forms can lead to password interception Backup files were also false results Some common sensitive files existed but without sensitive information Auto completed password fields could lead to password loss especially when there is physical access to user’s computer Interesting responses were mostly the server denying access addresses were public
TOOL 2 – OWASP ZAP Open Source Cross Platform (Windows – Linux) Proposes solution for most results User can rate and comment on results for help in troubleshooting
OWASP ZED RESULTS TitleFindingsSeverity Cross-domain JavaScript source file inclusion 366Low Password Autocomplete in browser 364Low X-Content-Type-Options header missing 417Low X-Frame-Options header not set394Informational
RESULTS EVALUATION Cross-domain JavaScript source file inclusion is true but all the files are coming from trusted sources Password Autocomplete in browser can lead to password theft X-Content-Type-Options header is missing and specific browsers can be tricked into treating malicious but cleverly named files to be executed X-Frame-Options header is not set and can result to click jacking attacks
TOOL 3 - W3AF Open Source Runs Best on Linux Can directly exploit some of the vulnerabilities it discovers Does not display the result multiple times if found in all pages It only exports the results in various formats but does not save the program session
W3AF – RESULTS TitleFindingsSeverity Server-header2Informational Php_eggs2Informational Dns_wildcard1Informational Strange_http_codes1Informational Click_jacking1High Allowed_methods2Informational Find_vhosts1Medium hmap1Informational
RESULTS EVALUATION Click Jacking was the only valid result Discovery of virtual hosts may prove to be problematic if they are vulnerable
JSKY Commercial Runs on Windows The only commercial program with a fully working and not limited trial Describes the impact of vulnerabilities found Gives recommendations for troubleshooting
JSKY - RESULTS VulnerabilityTotal foundSeverity DELETE Method enabled1Informational Instal.php1Low Robots text file found1Informational Possible sensitive directiories6Informational
RESULTS EVALUATION None of them proved to be threatening in our case
CONCLUSION Auditing with only one program may not be enough If on a budget, open source tools seem to give decent results Using SSL should be the first thing to do if possible Chose a CMS with strong community support for more help in troubleshooting Run your own and try to find even more results if possible