
1 IDENTIFYING SECURITY ISSUES IN A HIGHER INSTITUTE CMS LAB SITE
Panagiotis Loumpardias, Konstantinos Chimos

2 INTRODUCTION
- The number of websites rises constantly
- Websites are easy to build
- There are step-by-step guides for everything
- Many users are turning to CMSs (Drupal, Joomla, etc.)
- Universities also use them

3 ARE WEBSITES SAFE?
- The answer should be "No one can really tell for sure!"
- Searching for "Hack a website" returns 74 million results in Google
- Website attacks in 2013 were 75% more than in 2012

4 SECURING A WEBSITE
1. Design and deploy on a test server
2. Look for known vulnerabilities in the software you use
3. Check your site with security auditing tools
4. Fix vulnerabilities
5. Check again

5 AUDITING TOOLS
- Lots of options
- Commercial
- Open source
- Windows
- Linux
- With GUI
- Command line

6 TOOL 1 - ARACHNI
- Open source
- Runs on Mac & Linux
- Scalable resource usage, combining more than one machine
- User-collaboration friendly
- Can run on a remote computer and be accessed from the web with a browser

7 ARACHNI RESULTS

Title                                   Findings   Severity
Cross-Site Request Forgery              85         High
A backdoor file exists on the server    32         High
Unencrypted password form               2          Medium
Backup file                             81         Medium
Common sensitive file                   14         Low
Password field with auto-complete       41         Low
Interesting response                    50         Informational
E-mail address disclosure               2          Informational

8 RESULTS EVALUATION
- Cross-Site Request Forgery could only be exploited when posting full HTML as administrator
- Server backdoors were false positives
- Unencrypted password forms can lead to password interception
- Backup files were also false positives
- Some common sensitive files existed, but without sensitive information
- Auto-completed password fields could lead to password loss, especially when there is physical access to the user's computer
- Interesting responses were mostly the server denying access
- E-mail addresses were public

9 TOOL 2 - OWASP ZAP
- Open source
- Cross-platform (Windows, Linux)
- Proposes a solution for most results
- Users can rate and comment on results to help with troubleshooting

10 OWASP ZED RESULTS

Title                                             Findings   Severity
Cross-domain JavaScript source file inclusion     366        Low
Password Autocomplete in browser                  364        Low
X-Content-Type-Options header missing             417        Low
X-Frame-Options header not set                    394        Informational

11 RESULTS EVALUATION
- Cross-domain JavaScript source file inclusion is a true finding, but all the files come from trusted sources
- Password autocomplete in the browser can lead to password theft
- The X-Content-Type-Options header is missing, so specific browsers can be tricked into treating malicious but cleverly named files as executable content
- The X-Frame-Options header is not set, which can result in clickjacking attacks
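The four ZAP findings above (and the w3af clickjacking result later in the deck) are all things a reviewer can re-check offline from a saved response before deciding whether a scanner hit is real. The script below is an added example, not code from the presentation or from OWASP ZAP: it re-implements the four checks over a constructed sample response and a constructed hardened variant of the same page. The site host "lab.example.edu", the CDN name and the HTML bodies are made up; the finding titles and severities are the ones the slide lists.

```python
# Added example (not the presentation's own code): an offline re-check of the
# four OWASP ZAP findings from the slides, run against constructed sample
# responses. The site host, CDN host and page bodies below are made up.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _PageCollector(HTMLParser):
    """Collects external script sources and password fields (together with
    the autocomplete setting of the enclosing form) from an HTML body."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.password_fields = []      # (input attrs, enclosing form's autocomplete)
        self._form_autocomplete = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "form":
            self._form_autocomplete = a.get("autocomplete")
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields.append((a, self._form_autocomplete))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_autocomplete = None


def audit_response(headers, body, site_host):
    """Return [(finding title, severity)] for one HTML response.
    headers: dict of response headers; body: HTML text;
    site_host: hostname the page was served from."""
    findings = []
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # "X-Content-Type-Options header missing": without nosniff some browsers
    # MIME-sniff a cleverly named file and treat it as script or markup.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options header missing", "Low"))

    # "X-Frame-Options header not set": the clickjacking finding. A CSP
    # frame-ancestors directive is the modern equivalent, so accept either.
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append(("X-Frame-Options header not set", "Informational"))

    page = _PageCollector()
    page.feed(body)

    # "Cross-domain JavaScript source file inclusion": any script whose host
    # differs from the site's own. Relative URLs have no hostname and are skipped.
    for src in page.script_srcs:
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            findings.append((f"Cross-domain JavaScript source file inclusion ({host})", "Low"))

    # "Password Autocomplete in browser": neither the input nor its enclosing
    # form turns autocomplete off.
    for attrs, form_ac in page.password_fields:
        field_ac = attrs.get("autocomplete", form_ac or "")
        if field_ac.lower() != "off":
            findings.append(("Password Autocomplete in browser", "Low"))

    return findings


# Constructed sample: the kind of response that triggers all four findings.
SITE_HOST = "lab.example.edu"
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "Apache"}
SAMPLE_BODY = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/jquery.js"></script>
</head><body>
<form action="/login" method="post">
<input name="user"><input type="password" name="pass">
</form></body></html>"""

# Constructed hardened variant of the same page: headers set, script served
# locally, autocomplete disabled on the login form.
HARDENED_HEADERS = {"Content-Type": "text/html; charset=utf-8",
                    "X-Content-Type-Options": "nosniff",
                    "X-Frame-Options": "SAMEORIGIN"}
HARDENED_BODY = """<html><head><script src="/js/app.js"></script></head><body>
<form action="/login" method="post" autocomplete="off">
<input name="user"><input type="password" name="pass">
</form></body></html>"""

if __name__ == "__main__":
    for label, hdrs, body in (("sample", SAMPLE_HEADERS, SAMPLE_BODY),
                              ("hardened", HARDENED_HEADERS, HARDENED_BODY)):
        print(f"== {label} ==")
        for title, severity in audit_response(hdrs, body, SITE_HOST):
            print(f"[{severity}] {title}")
```

The cross-domain check only tells you that a script is third-party, not whether that third party is trusted; that judgement (made on the slide for this site) still has to be done per host. Note also that current browsers largely ignore autocomplete="off" on password fields, so the autocomplete finding is more of a policy signal than a fix you can rely on.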

12 TOOL 3 - W3AF
- Open source
- Runs best on Linux
- Can directly exploit some of the vulnerabilities it discovers
- Does not display a result multiple times if it is found on all pages
- Only exports the results in various formats; it does not save the program session

13 W3AF - RESULTS

Title                  Findings   Severity
Server-header          2          Informational
Php_eggs               2          Informational
Dns_wildcard           1          Informational
Strange_http_codes     1          Informational
Click_jacking          1          High
Allowed_methods        2          Informational
Find_vhosts            1          Medium
hmap                   1          Informational

14 RESULTS EVALUATION
- Clickjacking was the only valid result
- Discovery of virtual hosts may prove problematic if they are vulnerable

15 JSKY
- Commercial
- Runs on Windows
- The only commercial program with a fully working, unrestricted trial
- Describes the impact of the vulnerabilities found
- Gives recommendations for troubleshooting

16 JSKY - RESULTS

Vulnerability                    Total found   Severity
DELETE Method enabled            1             Informational
Instal.php                       1             Low
Robots text file found           1             Informational
Possible sensitive directories   6             Informational

17 RESULTS EVALUATION
- None of them proved to be threatening in our case

18 CONCLUSION
- Auditing with only one program may not be enough
- If on a budget, open source tools seem to give decent results
- Using SSL should be the first thing to do if possible
- Choose a CMS with strong community support for more help in troubleshooting
- Run your own scans and try to find even more results if possible

