Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2009, McAfee, Inc. Presented By Mike Andrews Configuration WebSec 101 Intro Music by DoKashiteru.

Similar presentations

Presentation on theme: "Copyright © 2009, McAfee, Inc. Presented By Mike Andrews Configuration WebSec 101 Intro Music by DoKashiteru."— Presentation transcript:

1 Copyright © 2009, McAfee, Inc. Presented By Mike Andrews Configuration WebSec 101 Intro Music by DoKashiteru via CCMixter

2 Nothing in isolation Network Operating System Libraries Application

3 Attack Surface ► Attack surface is the total number of possible attack vectors ► Think of a house, with doors and windows as the attack vectors ► Minimize surface area - want to make sure all doors and windows are locked and secure

4 From the bottom ► Each running network service is a door or window ► Generally on a WebApp only want external users to access ports 80 and 443 ● Turn off services like Telnet, FTP, SMTP, etc ● Some may be necessary - filter at firewall ► Some servers can be administered via web pages on administrative ports ● http://servername:5842

5 nMap ► nMap – “Network Mapper” ► Look for high-level TCP ports ► Connect to them and send HTTP request ● HEAD / HTTP/1.0


7 Checking for known vulnerabilities ► Need to know the type and version of the software ● From an internal/white-box point of view this is easy! ► Can be done for both OS and webserver ● nmap -O ● HEAD request --> Server Header

8 They Lie! ► Sometimes no SERVER: header, sometimes it lies! ● Fingerprint on response differences

9 How does HTTPrint work out the server type?

10 Join the dots ► Given a webserver type/version, sometimes the OS can be determined ● IIS/6.0  Windows box ● Sun ONE  Solaris ● Apache  ???

11 With information comes power! ► What to do with this info? ● Lookup known vulnerabilities for the platform

12 Changing the SERVER header ► Smells of “security by obscurity” ► I believe that … Apache/1.3.0 (Unix) PHP/3.0 SomeMod/9.3 … …is too much info ► Apache (>1.3) ● ServerTokens Prod[uctOnly] ► IIS ● IISLockdown/URLScan + RemoveServerHeader ● Remember the X-POWERED-BY header as well!

13 Scanning products ► Various products available to scan machines/networks to look for known vulns ► Network scanning vs Application scanning

14 Rest of the stack ► What about vulns in the rest of the stack? ● Issues with the app, framework and libraries will be addressed in future webcasts ● In terms of configuration, we want to remove unnecessary features/components and secure the ones that are left ► Left over files, samples, demos, etc ► Weak server configuration

15 Reviewing the web root ► Much easier to do if you have local access ► Look for all the places that are mapped ● Apache - httpd.conf  DocumentRoot ● IIS - IIS Manager  Web Sites + Virtual Directories ► Review files and directories - remove those that are not necessary to running the application ● If in doubt, move the file/directory out of the web root(s) and see if the application functions normally (VM clones?) ► Also look for installed applications - does anyone really need MSOffice on the web server? Games? CS Server?

16 Nikto/Wikto ► Example of a (free) tool which scans for potentially vulnerable files/settings ► Can generate a lot of false positives ● HTTP Codes (404’s etc) ● 200 OK problem ► Not necessarily security problems, but should be verified ● Left-over installation files / example scripts ● Known vulnerabilities / old versions ● Use –update to get most current signatures − Can also add your own custom ones

17 Identifying resources Request “bad” resource Does it exist? Positive vulnerability Custom response? Recognize? No vulnerability False Positive [y]


19 WebDAV ► WebDAV is a CVS system for web servers ● Allows for editing/modification/creation of web pages without have access to files on the server ● Uses normal HTTP auth – Basic, Digest, NTLM, etc ► Generally users do not need WebDAV for production servers, so turn it off (or secure it) ► Connect to the server and use the HTTP OPTIONS method to see if it’s enabled ● Test with tools like DAVExplorer, DAVE, PerlDAV, (FrontPage?) ● Turn off methods other than GET, POST, and HEAD

20 HTTP Options

21 Turning off HTTP verbs ► Apache ● Uninstall/disable Mod_DAV (or variants) − Look for DAV On in webconf file(s) ● Mod_Rewrite + RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|…|…) RewriteRule.* - [F] ► IIS ● Web Service Extensions Manager (in IIS Manager MMC) ● (4.0 + 5.0) URLScan + DenyVerbs

22 HTTPS ► HTTPS (HTTP over SSL) is a requirements on a lot of websites ● Provides Confidentially − Not only for PII or credit card info, but also for session tokens (more later) ● Provides Integrity − MITM attacks ● Authentication as well, but leave that for another time ► Strength of the SSL cipher used is important depending on the information being protected ● “weak” ciphers can be broken in as little as 4 hours

23 SSL Negotiation ► SSL selects the best cipher to use by negotiation between the server and browser ● Select the highest common available cipher ► SSLv2 Downgrade Attack ● Force a weaker cipher than is available ● Only allow “strong” ciphers ► Use SSLDigger and OpenSSL to check ciphers and versions



26 Removing SSL Ciphers ► Apache ● Mod_SSL + − SSLCipherSuite HIGH:+MEDIUM:!LOW:!SSLv2 − ‘+’ adds a cipher, ‘!’ removes a cipher − Can select specific ciphers instead of aliases − SSLCipherSuite !AES256-SHA:+RC2-CBC-MD5 ► IIS ● Site Properties  Directory Security  Require 128 Bits ● Can remove ciphers via RegEdit

27 Conclusion/wrap-up ► Ensure that machine is as “clean” as possible ● Stop unnecessary services and close the ports ● Remove all unnecessary pages / scripts / interfaces ► Disable HTTP methods ► Use SSLv3/TLS ► Remove all SSL ciphers other than “strong” or above ► See… ● LAMP - ● WISA - us/library/ms994921.aspx

28 Next Up: Authentication

29 Credits/references ► NetCat ● ● (also available in Cygwin - ►,, ► HTTPrint ● ► nMap ●

30 ► Apache documentation ● ● ► IISLockdown ● FC0-BB30-47EB-9A61-FD755D23CDEC ► URLScan ● ► Brute force weak SSL ciphers ●

31 ► IIS SSL Ciphers registry hack ● ●

Download ppt "Copyright © 2009, McAfee, Inc. Presented By Mike Andrews Configuration WebSec 101 Intro Music by DoKashiteru."

Similar presentations

Ads by Google