
Security Risk Analysis for the Extreme Insecure Website

Tyler Lovell, Kennetha Anderson, Eugene Steslicki, Justin Kurdila, Daniel Clark
Team Unconquered, Florida State University

Part A

Abstract

This term paper is designed to provide information and analysis of the vulnerabilities of the website we created. We decided to do a risk analysis of varying parts of the website as well as covering the vulnerabilities of it. This term paper is designed to define the security objectives, find the vulnerabilities and report on those vulnerabilities. We will be using different programs to go through different parts of the code in the website, finding what its security vulnerabilities are. After finding out what they are we will report on them and explain what can be done to fix these security vulnerabilities.

Keywords: Vulnerabilities, Risk, Security, Virtual Machine, PHP, DoS, DDoS, Virtual Private Network

Introduction

Since the beginning of the Internet, security has been an issue. The Internet has changed the world as we know it. Not only has the Internet revolutionized the world and the way we communicate, but it is also an example of “sustained investment and commitment to research and development of an information infrastructure” (Daniel C. Lynch). Websites have evolved dramatically over the years, going from static pages with few icons and links to dynamic web pages that can move with the scroll of your wheel. The majority of websites nowadays can accept user input data and can translate that into another form of information, allowing users to log in to that particular company's website.

Hackers are finding new ways to break into websites and steal people’s information. There are many ways hackers can get in, and many ways they can get information simply from what people enter into a text box. Hackers can exploit software vulnerabilities through malformed Uniform Resource Locators (URLs) or POST headers. They can enact attacks such as Remote Code Execution (RCE), Remote/Local File Inclusion (R/LFI), and SQL Injection (SQLI) (Tony Perez). These attacks can exploit all sorts of vulnerabilities of web sites and web servers. These are just a few of the attacks that can happen. There are many more attacks than this, but these are the most common ones.

This paper will look at how to prevent hackers from entering our hypothetical website used in a previous lab during class. We will be using scanners to find the vulnerabilities in this website and later find ways to prevent hackers from accessing these vulnerabilities. A few of the tools we will be using are a Web server scanner, a DoS vulnerability scanner, and a PHP scanner. These will scan each of the separate parts of the code in the website and look for holes in the code where a potential hacker could get in and access people’s data.

The tools we will be using to scan the website will look for vulnerabilities in specific parts of the code. Each scanner is used for a particular part; it scans each line and goes into the directories of the files. One in particular that we will be using is the Web server scanner. This scanner performs tests against the web server’s items, such as files and programs, and makes sure they are not vulnerable to any attacks. The PHP scanner looks into the PHP code on the website. Hackers can upload code to the site, and simply by doing that they could gain access to that site. The scanner will sniff out that code and return values saying that the code was not right.

The overall goal of this is to exploit the vulnerabilities of the extreme insecure website and conclude a solution as to how to fix these issues. We are using these particular tools and scanners to help us better show an example of what needs to be done.

Literature Review

Scanning for PHP vulnerabilities also serves as a very important part of a secure web site. Sensitive sinks, command execution vulnerabilities and much more can lead to a possible loss of server security. Vulnerabilities in PHP code can also lead to unauthorized access. Having unauthorized access can lead to unwanted users committing malicious commands against the user’s program. Here are the countermeasures against sensitive sinks and unauthorized access:

--“Configure IIS to reject URLs with “../” to prevent path traversal”
--“Lock down system command and utilities with restricted ACLs”
--“Stay current with patches and updates to ensure that newly discovered buffer overflows are speedily patched” (Meier et al, 2003)
--“Common vulnerabilities include weak IIS configuration and unpatched servers that allow path traversal and buffer overflow attacks, both of which can lead to arbitrary code execution” (Meier et al, 2003)
--Sufficient countermeasures against possible unauthorized access include:
    Constructing secure and safe web permissions
    Securing files and folders with restricted NTFS permissions
    “Use .NET Framework access control mechanisms within your ASP.NET applications, including URL authorization and principal permission demands” (Meier et al, 2003)

Denial-of-Service (DoS) attacks are one of the most powerful attacks performed by hackers that can impact a business or organization.  DoS attacks are an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.  A DDoS or Distributed Denial of Service attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually with one or more web servers. Many different network protocols can be used to launch these types of attacks.

In January 2014, DoS hackers took down the major gaming sites League of Legends, EA.com and other well-known gaming sites. This was accomplished by abusing the Network Time Protocol (NTP) (Goodin, 2014). Prior to this attack, NTP attacks were almost unheard of because their impact was so small it did not show up on major reports. However, as DoS attacks continue to increase in popularity, hackers are using different protocols to reduce the availability of services. “69% percent of all DDoS attack traffic by bit volume in the first week of January 2014 was the result of NTP reflection” (Goodin, 2014).

In March of 2015, the Maine.gov state website was targeted by a DDoS attack that attempted to overwhelm the state’s web portal service with artificial web traffic. Maine.gov released a statement on the attack. Part of the statement mentioned, “The site remains online at this time, but users may experience slowness or notice other performance issues as the attack continues” (Drinkwater, 2015). The group who took credit for the attack was ‘Vikingdom2015’. This same group is also credited with the attack on Amazon Twitch and claims that it tried but failed to take down the official website of the National Security Agency (NSA) (Drinkwater, 2015).

There are certain recommended preventive measures against DoS and DDoS attacks such as:

Firewalls


In the case of a simple attack, a firewall could have a simple rule added to deny all incoming traffic from the attackers, based on protocols, ports or the originating IP addresses. More complex attacks will however be hard to block with simple rules: for example, if there is an ongoing attack on port 80 (web service), it is not possible to drop all incoming traffic on this port because doing so will prevent the server from serving legitimate traffic.

Switches

Most switches have some rate-limiting and ACL capability. These would have to be manually set. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection, and spoofed IP address filtering to detect and remediate denial-of-service attacks through automatic rate filtering and WAN Link failover and balancing. These schemes will work as long as the DoS attacks can be prevented by using them.

Routers

Similar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under a DoS attack.

Risk Evaluation Process

In order to accurately assess the security vulnerabilities of the Extreme Insecure website we have decided to create a step by step evaluation process. We modeled our process after Microsoft's threat modeling process which can be seen in Figure 1. While Microsoft's model can be applied to nearly any application, we have decided to break it down into a simplified version that anyone can understand. Figure 2 shows exactly how we have done this by breaking it down into three steps where step three is a loop that can be repeated until all security objectives and goals are met.


Step 1: Understanding the Hosting Environment and Website Breakdown

In order to fix any security problems in the Extreme Insecure website it is important to understand what the server and website architecture look like. The first thing we need to look at is the source code and layout of the website. The website consists of five listed pages that are available for navigation as well as several sub navigation pages that provide an updateable list of products and services that are offered. A full listing of the pages includes:

Primary Navigation
o Index.htm – consists of information regarding the company and acts as the landing page
o Toc.htm – contains the links to services.htm and products.htm as well as information regarding content
o Feedback.htm – provides a location to offer feedback and contact the company
o News.htm – provides updates as to changes of the Extreme Insecure website
o Search.htm – allows users to search the web site but currently directs the user to the search_results.htm page

Sub Navigation
o Services.htm – gives a list of the services that are provided
o Products.htm – displays a listing and description of the products that are offered.
o Search_results.htm – search.htm redirects the users here and displays the results of any search
o Feedback_successful.htm – displayed after a successful feedback.htm submission

Worth Mentioning
o Process.php – PHP script that processes form and search submissions and then outputs the results.

Upon investigation, it can be found that the website was created using a tool offered by Microsoft known as Microsoft FrontPage. This software was originally offered as part of the Microsoft Office software package and was a “what you see is what you get” editing tool containing a graphics interface that allowed for easy website design. There are several problems with this that should be noted. The first is that Microsoft FrontPage was discontinued in 2006 when it was replaced by Microsoft Expression Web and SharePoint Designer (Wikipedia, 2015). This leads to the website being outdated and containing compatibility issues with new improvements to web scripting and design. The second problem is that Microsoft FrontPage requires the use of server-side extensions that must be added to the server that the website is hosted on. The combination of these two problems leads to the server-side extensions being extremely vulnerable to new forms of malicious attacks.

Next we need to examine the hosting environment that our website is built on. The infrastructure for the website is hosted on the LIS 4774L assigned virtual machine (VM) and is accessed through the Hyper-V Server Management software. A VM is a virtual computer system that is “a tightly isolated software container with an operating system and application inside. . . A thin layer of software called a hypervisor decouples the virtual machines from the host and dynamically allocates computing resources to each virtual machine as needed” (VMware, 2015). The VM operates on a virtual private network (VPN) located inside Florida State University’s network. This allows the VM to operate as though it is connected to the global internet while only being accessible to those inside of Florida State University’s network.

We created the structure for the web server on the VM through the installation of the LAMP server open-source software components. These components include the Ubuntu 12.04 Linux operating system, Apache 2.2 web server, MySQL database management system, and lastly PHP 5 scripting language.  The Apache 2.2 web server is what will manage the sending and receiving of data from and to the website over the internet. It will allow for the Extreme Insecure website to be accessible through the use of a browser once it is stored on the server.

Step 2: Security Goals and Objectives

The next step in the process of securing the website from threats that seek to compromise its confidentiality, integrity, and availability is to set out firm objectives and goals. We have chosen to follow a simple and modified version of the SANS Securing Web Application Technologies checklist that we feel is appropriate for our application. This checklist consists of the following criteria:

Error Handling and Logging
o Display Generic Error Messages
o Log any and all data access and activity
o Store logs securely

Data Protection
o Limit the usage and storage of sensitive information
o Disable data caching using cache control headers and autocomplete

Configuration and Operation
o Harden the Infrastructure
o Define an Incident handling plan
o Update existing code with the latest standards

Authentication
o Do not disclose too much information in error messages

Input and Output handling
o Set the encoding for the application
o Validate the source of input

Access Control
o Apply the principle of least privilege
o Do not use invalid forwards or redirects

This list is subject to change as we progress through the steps of securing our website and new issues may come to our attention and take precedence. Once the majority of these have been accomplished we will feel more secure about the risks involved with hosting the Extreme Insecurity website.


Step 3: Identify Threats and Implement Countermeasures

Identifying Vulnerabilities with PHP                                               

Figure 1: Process.php

For the Extreme Insecure Web Site, there are multiple HTML files that are responsible for the site’s content and navigation. These files handle languages such as HTML, CSS, and JavaScript. For identifying vulnerabilities in the web site, we focused on the single file that processed the PHP for the web site: process.php. The process.php file is responsible for printing the results of the user input in the products page. When the user enters an input such as ‘; cat Pointshere/points.htm’, the process.php page uses the $_POST superglobal variable to navigate through the file structure. The PHP file then returns the content that the user queried. Figure 1 shows the content of process.php.

To scan for the vulnerabilities in our process page, our group decided to use the RIPS PHP Vulnerability Scanner. When researching an appropriate scanner to test the PHP file for vulnerabilities, we began with the National Institute of Standards and Technology (NIST) website. The RIPS Scanner is a tool written by Johannes Dahse and is used to detect sensitive sinks (potentially vulnerable functions) that can be corrupted by a malicious user. Figure 2 shows the landing page for the RIPS scanner.

When researching the RIPS software, we learned that the scanner had to be installed on a local web server. So to use this scanner on my own machine, we would have to install a local web host to run PHP files on my computer. In order to use the RIPS software, we installed Apache, MySQL, MongoDB, PHP, Perl & Python for Windows (AMPPS) on my computer. To access the scanner once we had AMPPS running, we navigated to localhost\rips\. From here, we were able to input the correct local file path for the process.php page and execute the scan. Figure 3 shows the RIPS scan complete with the results returned.

 Figure 2: RIPS opening in \\localhost\rips\\             


 Figure 3: RIPS scan complete with vulnerabilities

Results

When reviewing the results from the scanner, we found that the security issue with the code was a command execution vulnerability. While the command execution vulnerability is the security risk that was returned, the RIPS Scanner checks for various vulnerabilities. Figure 4 shows the list of the vulnerabilities that the RIPS scanner checks. This vulnerability is known as a sensitive sink and the scanner found two in the process.php code. This vulnerability means that an attacker could potentially execute malicious commands which could be executed on the operating system. This vulnerability could lead to a full server compromise.

Countermeasures for PHP Vulnerabilities

The RIPS software offers a patch for the vulnerabilities it discovers. The scanner suggests to “limit the code to a very strict character subset or build a whitelist of allowed commands” and “avoid the usage of system command executing functions if possible” (Dahse, 2011). While conducting further research regarding countermeasures for command execution vulnerabilities, we found a very reliable and detailed resource for threats and countermeasures. Microsoft offers ‘Improving Web Application Security: Threats and Countermeasures’, authored by J.D. Meier et al in 2003. This resource offers several countermeasures for arbitrary code execution or command execution vulnerabilities.

--“Configure IIS to reject URLs with “../” to prevent path traversal”
--“Lock down system command and utilities with restricted ACLs”
--“Stay current with patches and updates to ensure that newly discovered buffer overflows are speedily patched” (Meier et al, 2003)
--“Common vulnerabilities include weak IIS configuration and unpatched servers that allow path traversal and buffer overflow attacks, both of which can lead to arbitrary code execution” (Meier et al, 2003)
--Sufficient countermeasures against possible unauthorized access include:
    Constructing secure and safe web permissions
    Securing files and folders with restricted NTFS permissions
    “Use .NET Framework access control mechanisms within your ASP.NET applications, including URL authorization and principal permission demands” (Meier et al, 2003)
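
The two RIPS recommendations quoted in this section (a strict character subset or whitelist, and no system command executing functions), applied to a search handler. This is an added example, not the project's process.php, which the page does not reproduce; the form field name search, the page list and all function names are assumptions, and the code assumes PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a search handler like process.php.
// Field name, page list and function names are assumptions.
//
// BEFORE (vulnerable pattern, shown as a comment only): the POST value is
// pasted into a shell command line, so the shell interprets any
// metacharacters in it and the call becomes a command execution sink.
//
//   $term = $_POST['search'];
//   system("grep -i " . $term . " products.htm");
//
// AFTER: no system command executing function at all, a strict character
// subset for the input, and a whitelist of files that may be read.

const SEARCHABLE_PAGES = ['products.htm', 'services.htm', 'news.htm'];

// Accept only letters, digits, spaces and hyphens, 1 to 64 characters.
// Returns the trimmed term, or null when the input is rejected.
function validate_term($raw): ?string
{
    if (!is_string($raw)) {              // e.g. search[]=x arrives as an array
        return null;
    }
    $term = trim($raw);
    return preg_match('/\A[A-Za-z0-9 \-]{1,64}\z/', $term) === 1 ? $term : null;
}

// Search only the whitelisted pages, using PHP string functions.
function search_pages(string $term, string $docRoot): array
{
    $hits = [];
    foreach (SEARCHABLE_PAGES as $page) {
        $path = $docRoot . DIRECTORY_SEPARATOR . $page;
        if (!is_file($path) || !is_readable($path)) {
            continue;                    // page not deployed: skip it
        }
        $lines = file($path, FILE_IGNORE_NEW_LINES);
        if ($lines === false) {
            continue;
        }
        foreach ($lines as $n => $line) {
            $text = trim(strip_tags($line));
            if ($text !== '' && stripos($text, $term) !== false) {
                $hits[] = ['page' => $page, 'line' => $n + 1, 'text' => $text];
            }
        }
    }
    return $hits;
}

// Entry point: takes the POST array and returns the text to send back.
function handle_search(array $post, string $docRoot): string
{
    $term = validate_term($post['search'] ?? null);
    if ($term === null) {
        // Generic error message; the rejected input is not echoed back.
        return "Invalid search term.\n";
    }
    $out = '';
    foreach (search_pages($term, $docRoot) as $hit) {
        $out .= sprintf(
            "%s:%d: %s\n",
            $hit['page'],
            $hit['line'],
            htmlspecialchars($hit['text'], ENT_QUOTES, 'UTF-8')
        );
    }
    return $out === '' ? "No results.\n" : $out;
}

// Constructed demo data so the script runs offline from the command line.
if (PHP_SAPI === 'cli') {
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ei_demo_' . getmypid();
    mkdir($root);
    file_put_contents(
        $root . DIRECTORY_SEPARATOR . 'products.htm',
        "<li>Firewall appliance</li>\n<li>Log server</li>\n"
    );

    // An ordinary search term passes validation and is matched in PHP.
    echo handle_search(['search' => 'firewall'], $root);
    // The input quoted in the paper contains ';', '/' and '.', so it is
    // rejected before any file is touched.
    echo handle_search(['search' => '; cat Pointshere/points.htm'], $root);

    unlink($root . DIRECTORY_SEPARATOR . 'products.htm');
    rmdir($root);
}
```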

Identifying Denial of Service Vulnerabilities

Denial of Service (DoS) attacks are an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. A DDoS or Distributed Denial of Service attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually with one or more web servers.

DDoSPing v2.0

In researching a way to test our Extreme Insecurity website for DoS/DDoS vulnerabilities, we found a free utility offered by McAfee called DDoSPing v2.0. DDoSPing v2.0 is a network admin utility for remotely detecting the most common Distributed Denial of Service programs (often called Zombies by the press). These were the programs responsible for the recent rash of attacks on high profile web sites. This tool will detect Trinoo, Stacheldraht and Tribe Flood Network programs running with their default settings, although setup of each program type is possible from the configuration screen. Scanning is performed by sending the appropriate UDP and ICMP messages at a controllable rate to a user-defined range of addresses.

The software was downloaded and installed on a Windows VM on the classroom’s internal network and configured to scan the IP Address of the Linux VM running the Extreme Insecurity, Inc. website. This utility is also capable of scanning every IP Address on the 192.168.1 subnet. There were no Zombie (compromised) servers detected. See Figure 4.

Figure 4: DDoSPing v2.0 output

OWASP (Open Web Application Security Project) Switchblade v4.0

OWASP Switchblade is a denial-of-service tool used for testing the availability, performance and capacity of a web application in order to be proactive about this type of risk condition. The tool was created in 2010 by ProactiveRISK to educate the OWASP community about the denial-of-service conditions that can exist at OSI Layer 7 (the application layer). OWASP Switchblade is free to use and licensed under the Creative Commons Attribution-ShareAlike 3.0 license (http://creativecommons.org/licenses/by-sa/3.0).

We downloaded and ran the OWASP Switchblade Tool from a Windows VM and used it as the “attacker”. The Windows VM was used to “attack” the Linux VM running the Extreme Insecurity website.

Figure 4: DDoSPing v2.0 scan complete with no detected Zombies

We used the OWASP Switchblade tool on our Extreme Insecurity web server to test for three different denial-of-service conditions:

· Slow Headers

· Slow POST

· SSL renegotiation


Figure 5: OWASP SwitchBlade V4.0 - Testing Options

Connections – Field Definitions:

Target – Total number of connections spawned

Active – Number of connections currently created. A connection in this state may be created but not yet connected

Connected – Number of connections successfully connected to the server

Error/disconnected – Number of connections which have disconnected or failed to connect

Results


Figure 6: HTTP Attack Information – Slow headers


Figure 7: HTTP Attack Information – Slow POST


Figure 8: HTTP Attack Information – SSL renegotiation

Figure 9: Extreme Insecure Website being unresponsive


In each of the attack scenarios, the Extreme Insecure Website became unavailable/unresponsive for a period of 15 – 25 seconds.  These attacks successfully resulted in reducing the availability of the website.

Countermeasures

Firewalls

In the case of a simple attack, a firewall could have a simple rule added to deny all incoming traffic from the attackers, based on protocols, ports or the originating IP addresses. More complex attacks will however be hard to block with simple rules: for example, if there is an ongoing attack on port 80 (web service), it is not possible to drop all incoming traffic on this port because doing so will prevent the server from serving legitimate traffic.

Switches

Most switches have some rate-limiting and ACL capability. These would have to be manually set. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection, and spoofed IP address filtering to detect and remediate denial-of-service attacks through automatic rate filtering and WAN Link failover and balancing. These schemes will work as long as the DoS attacks can be prevented by using them.

Routers

Similar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under a DoS attack.

Identifying Web Server Vulnerabilities with Nikto  

Nikto2 is a vulnerability scanner that checks for possible vulnerabilities that may arise concerning the relationship that the hosted site has with its corresponding web server. It is an easy to use, concise, and open source tool that can be installed from the command line using sudo apt-get install nikto. Nikto has many different add-ons such as output formatting and port modulation. All such options can be referenced using the nikto -help command. After installing the application, all you need is a target IP address and page location to scan.

After entering the command nikto -host http://xxx.xxx.x.xx/~path, nikto displays host information in the header of the report. The body of the report starts with the server type and permitted HTTP methods, and then lists every security vulnerability that the scanner has found with a corresponding OSVDB reference number and file location. Each OSVDB reference number can be searched on http://osvdb.org/ where more detailed information is provided about the particular vulnerability. The osvdb.org website provides a comprehensive review of every vulnerability including solutions that may help in resolving each security issue.


Results

From the nikto scan we were able to identify four separate vulnerability cases each in multiple different locations on the site. There were 14 vulnerabilities in total with the majority of the errors being minor errors involved with files that may contain sensitive information that could easily be hidden from the global perspective. Another aspect of the osvdb site is the reporting of Common Vulnerability Scoring System (CVSSv2) rating which is a factoring of three different parameters: access vector, access complexity, and authentication. The site also shows which of the three key factors of security (availability, confidentiality, and integrity) have been compromised.


Countermeasures

OSVDB-3092 - This accounted for the first two error codes that the nikto scan gave me to look over. It deals with a file that has unnecessarily granted read permission to the world. This problem isn’t necessarily a security risk, but can be if there is any sensitive information about the server in the files. The vulnerabilities database suggested removing the files from the web server and password protecting them


Conclusion

This paper was a comprehensive overview of the potential vulnerabilities that our website contained and gave some insight as to how to fortify the site against a number of different attacks. It doesn’t take much for an experienced hacker to threaten one of the three tenets of computer security, and knowing how to diagnose and fix almost all of the possible types of attacks is a necessity as a security professional.

Over the course of this paper, some of the issues discussed dealt with the application code, such as the PHP vulnerabilities, while others dealt with problems regarding the site’s configuration on the network, such as the possible DDoS vulnerabilities.

Understanding the ever-changing nature of computer security while sticking to a methodical auditing method is key to keeping your site safe from any attacker looking to find loopholes. At the same time, having the security of the site set up for success from the onset of its use can help prevent a lot of common problems that hackers may find and help to keep sensitive information in the hands of those who need it most.

Appendix

Figure 1 -

Figure 2 -

Figure 3 - Process.php

Figure 4 - RIPS opening in \\localhost\rips\\

Figure 5 -  RIPS scan complete with vulnerabilities

Figure 6 -

Figure 7 - DDoSPING v2.0

Figure 8 - OWASP SwitchBlade V4.0 - Testing Options

Figure 9 - HTTP Attack Information – Slow headers

Figure 10 - HTTP Attack Information – Slow POST

Figure 11 - HTTP Attack Information – SSL renegotiation

Figure 12 - Extreme Insecure Website being unresponsive

Figure 13 - Nikto Vulnerabilities

Figure 14 -

Figure 15 -

References

Dahse, J. (2011). RIPS - free PHP security scanner using static code analysis. Retrieved from SourceForge: http://rips-scanner.sourceforge.net/

Drinkwater, D. (2015, March 27). New hacking group DDoS attacks Amazon’s Twitch, US state websites. Retrieved October 21, 2015, from http://www.scmagazineuk.com/new-hacking-group-ddos-attacks-amazons-twitch-us-state-websites/article/405796/

Goodin, D. (2014, January 8). DoS attacks that took down big game sites abused Web’s time-sync protocol. Retrieved October 21, 2015, from http://arstechnica.com/security/2014/01/dos-attacks-that-took-down-big-game-sites-abused-webs-time-synch-protocol/

Leiner, B., Cerf, V., Clark, D., Kahn, R., Kleinrock, L., Lynch, D., Postel, J., Roberts, L., Wolff, S. (2015, June 1). Brief History of the Internet. Retrieved October 21, 2015.

Meier, J., Mackman, A., & Dunner, M. (2003, June 1). Improving Web Application Security: Threats and Countermeasures. Retrieved October 20, 2015, from https://msdn.microsoft.com/en-us/library/ff649432.aspx

Microsoft FrontPage. (2015, September 6). In Wikipedia, The Free Encyclopedia. Retrieved 13:31, October 21, 2015, from https://en.wikipedia.org/w/index.php?title=Microsoft_FrontPage&oldid=679763549

National Institute of Standards and Technology. (n.d.). Retrieved October 20, 2015, from http://www.nist.gov/

VMware. (2015). What is virtualization? Virtualization 101. Retrieved from https://www.vmware.com/virtualization/how-it-works

SANS. (n.d.). Securing Web Application Technologies [SWAT] Checklist. Retrieved from SANS Securing the Human: http://www.securingthehuman.org/developer/swat

OWASP. (2010, September 29). Threat Risk Modeling - OWASP. Retrieved from The Open Web Application Security Project: https://www.owasp.org/index.php/Threat_Risk_Modeling

Website Security: How Do Websites Get Hacked? - Sucuri Blog. (2015, May 18). Retrieved October 21, 2015.