
Copyright © 2009, McAfee, Inc. Presented By Mike Andrews Configuration WebSec 101 Intro Music by DoKashiteru.



Presentation on theme: "Copyright © 2009, McAfee, Inc. Presented By Mike Andrews Configuration WebSec 101 Intro Music by DoKashiteru."— Presentation transcript:

1 Copyright © 2009, McAfee, Inc. Presented By Mike Andrews Configuration WebSec 101 mike.andrews@foundstone.com mike@mikeandrews.com Intro Music by DoKashiteru via CCMixter

2 Nothing in isolation (stack diagram): Network / Operating System / Libraries / Application

3 Attack Surface
► Attack surface is the total number of possible attack vectors
► Think of a house, with doors and windows as the attack vectors
► Minimize surface area - want to make sure all doors and windows are locked and secure

4 From the bottom
► Each running network service is a door or window
► Generally on a WebApp only want external users to access ports 80 and 443
  ● Turn off services like Telnet, FTP, SMTP, etc
  ● Some may be necessary - filter at firewall
► Some servers can be administered via web pages on administrative ports
  ● http://servername:5842

5 nMap
► nMap – “Network Mapper”
► Look for high-level TCP ports
► Connect to them and send HTTP request
  ● HEAD / HTTP/1.0

6

7 Checking for known vulnerabilities
► Need to know the type and version of the software
  ● From an internal/white-box point of view this is easy!
► Can be done for both OS and webserver
  ● nmap -O
  ● HEAD request --> Server Header

8 They Lie!
► Sometimes no SERVER: header, sometimes it lies!
  ● Fingerprint on response differences

9 How does HTTPrint work out the server type?

10 Join the dots
► Given a webserver type/version, sometimes the OS can be determined
  ● IIS/6.0 → Windows box
  ● Sun ONE → Solaris
  ● Apache → ???

11 With information comes power!
► What to do with this info?
  ● Lookup known vulnerabilities for the platform

12 Changing the SERVER header
► Smells of “security by obscurity”
► I believe that … Apache/1.3.0 (Unix) PHP/3.0 SomeMod/9.3 … …is too much info
► Apache (>1.3)
  ● ServerTokens Prod[uctOnly]
► IIS
  ● IISLockdown/URLScan + RemoveServerHeader
  ● Remember the X-POWERED-BY header as well!
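The HEAD-request check from slides 5 and 7 and the "too much info" judgement from slide 12, as an added example that is not part of the original deck: it sends HEAD / HTTP/1.0, parses the response and flags Server and X-Powered-By headers that disclose versions or platform details. The response text is constructed, and the function names (parse_headers, disclosure_findings, fetch_head) are this example's own.

```python
import re
import socket

# Constructed sample HEAD response (not captured from any real host), in the
# verbose form a server without "ServerTokens Prod" might return.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2009 00:00:00 GMT\r\n"
    "Server: Apache/1.3.0 (Unix) PHP/3.0 SomeMod/9.3\r\n"
    "X-Powered-By: PHP/3.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# A "/<digit>" after a product name is a version; parentheses usually wrap
# the platform ("(Unix)"). Either is more than an external user needs to see.
VERSION_RE = re.compile(r"/\d")


def parse_headers(raw):
    """Split a raw HTTP response into (status_line, {lower-cased name: value})."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def disclosure_findings(raw):
    """List (header, value, reason) for headers that leak version or platform details."""
    _status, headers = parse_headers(raw)
    findings = []
    server = headers.get("server")
    # A missing Server header is not a finding; it only means fingerprinting
    # has to fall back to response differences (slide 8).
    if server and (VERSION_RE.search(server) or "(" in server):
        findings.append(("Server", server, "version/platform details disclosed"))
    powered = headers.get("x-powered-by")
    if powered:
        findings.append(("X-Powered-By", powered, "framework header should be removed"))
    return findings


def fetch_head(host, port=80, timeout=5.0):
    """Send 'HEAD / HTTP/1.0' to a server you administer and return the raw response."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")
```

Run disclosure_findings(fetch_head("servername")) against your own host before and after setting ServerTokens Prod (or RemoveServerHeader on IIS); an empty list means the banner no longer reveals more than the product name.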

13 Scanning products
► Various products available to scan machines/networks to look for known vulns
► Network scanning vs Application scanning

14 Rest of the stack
► What about vulns in the rest of the stack?
  ● Issues with the app, framework and libraries will be addressed in future webcasts
  ● In terms of configuration, we want to remove unnecessary features/components and secure the ones that are left
► Left over files, samples, demos, etc
► Weak server configuration

15 Reviewing the web root
► Much easier to do if you have local access
► Look for all the places that are mapped
  ● Apache - httpd.conf → DocumentRoot
  ● IIS - IIS Manager → Web Sites + Virtual Directories
► Review files and directories - remove those that are not necessary to running the application
  ● If in doubt, move the file/directory out of the web root(s) and see if the application functions normally (VM clones?)
► Also look for installed applications - does anyone really need MSOffice on the web server? Games? CS Server?

16 Nikto/Wikto
► Example of a (free) tool which scans for potentially vulnerable files/settings
► Can generate a lot of false positives
  ● HTTP Codes (404’s etc)
  ● 200 OK problem
► Not necessarily security problems, but should be verified
  ● Left-over installation files / example scripts
  ● Known vulnerabilities / old versions
  ● Use -update to get most current signatures
    − Can also add your own custom ones

17 Identifying resources (flowchart)
Request “bad” resource → Does it exist? → Custom response? → Recognize?
Outcomes: Positive vulnerability / No vulnerability / False Positive [y]

18

19 WebDAV
► WebDAV is a CVS system for web servers
  ● Allows for editing/modification/creation of web pages without having access to files on the server
  ● Uses normal HTTP auth – Basic, Digest, NTLM, etc
► Generally users do not need WebDAV for production servers, so turn it off (or secure it)
► Connect to the server and use the HTTP OPTIONS method to see if it’s enabled
  ● Test with tools like DAVExplorer, DAVE, PerlDAV, (FrontPage?)
  ● Turn off methods other than GET, POST, and HEAD

20 HTTP Options

21 Turning off HTTP verbs
► Apache
  ● Uninstall/disable Mod_DAV (or variants)
    − Look for DAV On in webconf file(s)
  ● Mod_Rewrite +
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|…|…)
    RewriteRule .* - [F]
► IIS
  ● Web Service Extensions Manager (in IIS Manager MMC)
  ● (4.0 + 5.0) URLScan + DenyVerbs
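The OPTIONS check from slide 19 and the mod_rewrite block from slide 21, as an added example that is not part of the original deck: it reads the Allow and DAV headers of an OPTIONS response, reports every method beyond GET/POST/HEAD, and emits the matching Apache deny rules. The OPTIONS response is constructed, and the function names are this example's own.

```python
# Methods the slides allow on a production web app; anything else advertised
# (TRACE, PUT, DELETE, the WebDAV verbs, ...) is a candidate for blocking.
ALLOWED = {"GET", "POST", "HEAD"}

# Constructed OPTIONS response from a server with WebDAV left on (not a real capture).
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "DAV: 1,2\r\n"
    "Allow: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND, "
    "PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def _header_lines(raw):
    """Header lines of a raw HTTP response, status line excluded."""
    return raw.partition("\r\n\r\n")[0].split("\r\n")[1:]


def advertised_methods(raw):
    """Set of methods listed in the Allow header (empty if the header is absent)."""
    for line in _header_lines(raw):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            return {m.strip().upper() for m in value.split(",") if m.strip()}
    return set()


def dav_enabled(raw):
    """True if the response carries a DAV: header, i.e. WebDAV is switched on."""
    return any(line.lower().startswith("dav:") for line in _header_lines(raw))


def unwanted_methods(raw):
    """Advertised methods beyond GET/POST/HEAD, sorted; OPTIONS is listed too so the reviewer decides on it."""
    return sorted(advertised_methods(raw) - ALLOWED)


def apache_deny_rules(methods):
    """mod_rewrite lines (the slide's pattern) that answer 403 Forbidden for the given methods."""
    pattern = "|".join(sorted(m.upper() for m in methods))
    return "\n".join([
        "RewriteEngine On",
        "RewriteCond %{REQUEST_METHOD} ^(" + pattern + ")$ [NC]",
        "RewriteRule .* - [F]",
    ])
```

After applying the generated rules, re-run the OPTIONS check: the Allow header should shrink to the allowed set and the DAV header should disappear once mod_dav is disabled.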

22 HTTPS
► HTTPS (HTTP over SSL) is a requirement on a lot of websites
  ● Provides Confidentiality
    − Not only for PII or credit card info, but also for session tokens (more later)
  ● Provides Integrity
    − MITM attacks
  ● Authentication as well, but leave that for another time
► Strength of the SSL cipher used is important depending on the information being protected
  ● “weak” ciphers can be broken in as little as 4 hours

23 SSL Negotiation
► SSL selects the best cipher to use by negotiation between the server and browser
  ● Select the highest common available cipher
► SSLv2 Downgrade Attack
  ● Force a weaker cipher than is available
  ● Only allow “strong” ciphers
► Use SSLDigger and OpenSSL to check ciphers and versions

24

25

26 Removing SSL Ciphers
► Apache
  ● Mod_SSL +
    − SSLCipherSuite HIGH:+MEDIUM:!LOW:!SSLv2
    − ‘+’ adds a cipher, ‘!’ removes a cipher
    − Can select specific ciphers instead of aliases
    − SSLCipherSuite !AES256-SHA:+RC2-CBC-MD5
► IIS
  ● Site Properties → Directory Security → Require 128 Bits
  ● Can remove ciphers via RegEdit

27 Conclusion/wrap-up
► Ensure that machine is as “clean” as possible
  ● Stop unnecessary services and close the ports
  ● Remove all unnecessary pages / scripts / interfaces
► Disable HTTP methods
► Use SSLv3/TLS
► Remove all SSL ciphers other than “strong” or above
► See…
  ● LAMP - http://www.apachesecurity.net/
  ● WISA - http://msdn2.microsoft.com/en-us/library/ms994921.aspx

28 Next Up: Authentication

29 Credits/references
► NetCat
  ● http://netcat.sourceforge.net/
  ● (also available in Cygwin - http://www.cygwin.com/)
► SecurityFocus.com, Secunia.com, OSVDB.org
► HTTPrint
  ● http://net-square.com/httprint/
► nMap
  ● http://insecure.org/nmap/

30
► Apache documentation
  ● http://httpd.apache.org/docs/1.3/mod/core.html#servertokens
  ● http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
► IISLockdown
  ● http://www.microsoft.com/downloads/details.aspx?FamilyID=DDE9EFC0-BB30-47EB-9A61-FD755D23CDEC
► URLScan
  ● http://www.microsoft.com/technet/security/tools/urlscan.mspx
► Brute force weak SSL ciphers
  ● http://www.cl.cam.ac.uk/~rnc1/brute.html

31
► IIS SSL Ciphers registry hack
  ● http://support.microsoft.com/kb/216482
  ● http://support.microsoft.com/kb/187498

