Published by Maurice Tope. Modified over 9 years ago.
1
Copyright © 2009, McAfee, Inc.
WebSec 101: Configuration
Presented by Mike Andrews (mike.andrews@foundstone.com, mike@mikeandrews.com)
Intro music by DoKashiteru via CCMixter
2
Nothing in isolation ► A web application runs on a stack, and it is only as secure as the layers beneath it: ● Network ● Operating System ● Libraries ● Application
3
Attack Surface ► The attack surface is the sum of all the points at which an attacker can reach the system (the attack vectors) ► Think of a house, with doors and windows as the attack vectors ► Minimize the surface area: remove the doors and windows you do not need, and make sure the rest are locked and secure
4
From the bottom ► Each running network service is a door or window ► On a web server, external users generally only need ports 80 and 443 ● Turn off services like Telnet, FTP, SMTP, etc. ● Some may be necessary (e.g. for administration); filter them at the firewall so only management hosts can reach them ► Some servers can also be administered via web pages on separate administrative ports ● e.g. http://servername:5842 ; such ports need the same filtering as any other service
5
nMap ► nMap – “Network Mapper” ► Find the open (listening) TCP ports on the host ► Connect to each of them and send an HTTP request; anything that answers is a web server, whatever port it is on ● HEAD / HTTP/1.0
7
Checking for known vulnerabilities ► Need to know the type and version of the software ● From an internal/white-box point of view this is easy! ► Can be done for both the OS and the web server ● nmap -O (OS fingerprint) ● HEAD request → Server: header
8
They Lie! ► Sometimes there is no Server: header, and sometimes it lies ● Fingerprint the server from differences in how it responds (header order and casing, error pages, handling of malformed requests) rather than from what it claims
9
How does HTTPrint work out the server type?
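An added example, not from the deck: the HEAD probe from the nMap slide plus the kind of check the “They Lie!” slide calls for, guessing the server family from the order in which it emits response headers and comparing that with what Server: claims. The two signature orderings and the two sample responses are constructed for this example; a real fingerprinter such as HTTPrint uses several probes and a much larger signature database, so treat the orderings as illustrative only.

```python
import socket

# Constructed for this example: the order in which two server families emit
# headers in reply to "HEAD / HTTP/1.0". HTTPrint keeps a much larger learned
# database; these two orderings are illustrative, not authoritative.
SIGNATURES = {
    "apache": ["date", "server", "last-modified", "etag",
               "accept-ranges", "content-length", "connection", "content-type"],
    "iis": ["content-length", "content-type", "last-modified", "accept-ranges",
            "etag", "server", "x-powered-by", "date"],
}

# Constructed sample responses. The second claims to be Apache but is laid out
# like IIS (and leaks X-Powered-By).
APACHE_SAMPLE = (b"HTTP/1.1 200 OK\r\n"
                 b"Date: Tue, 03 Mar 2009 10:00:00 GMT\r\n"
                 b"Server: Apache/1.3.0 (Unix) PHP/3.0\r\n"
                 b"Last-Modified: Mon, 02 Mar 2009 09:00:00 GMT\r\n"
                 b"ETag: \"1a2b-3c4d\"\r\n"
                 b"Accept-Ranges: bytes\r\n"
                 b"Content-Length: 1234\r\n"
                 b"Connection: close\r\n"
                 b"Content-Type: text/html\r\n\r\n")
LYING_SAMPLE = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Length: 1234\r\n"
                b"Content-Type: text/html\r\n"
                b"Last-Modified: Mon, 02 Mar 2009 09:00:00 GMT\r\n"
                b"Accept-Ranges: bytes\r\n"
                b"ETag: \"1a2b-3c4d\"\r\n"
                b"Server: Apache\r\n"
                b"X-Powered-By: ASP.NET\r\n"
                b"Date: Tue, 03 Mar 2009 10:00:00 GMT\r\n\r\n")


def head_request(host, port=80, timeout=5):
    """Live probe: connect and send the deck's request. Returns raw bytes."""
    req = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_response(raw):
    """Return (status_line, [(name, value), ...]), keeping header order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def claimed_family(headers):
    """What Server: says, mapped to a signature key; None if the header is absent."""
    for name, value in headers:
        if name.lower() == "server":
            v = value.lower()
            if "microsoft-iis" in v:
                return "iis"
            if "apache" in v:
                return "apache"
            return "other"
    return None


def _lcs(a, b):
    """Length of the longest common subsequence of two sequences."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b):
            cur.append(prev[j] + 1 if x == y else max(prev[j + 1], cur[j]))
        prev = cur
    return prev[-1]


def guess_family(headers):
    """Best-matching signature by header-order similarity (0..1)."""
    order = [n.lower() for n, _ in headers]
    best, best_score = None, -1.0
    for family, sig in SIGNATURES.items():
        common = [n for n in order if n in sig]   # headers the signature covers
        if not common:
            continue
        score = _lcs(common, sig) / len(common)
        if score > best_score:
            best, best_score = family, score
    return best, best_score


def analyze(raw):
    status, headers = parse_response(raw)
    lowered = {n.lower(): v for n, v in headers}
    claimed = claimed_family(headers)
    guess, score = guess_family(headers)
    return {
        "status": status,
        "server": lowered.get("server"),
        "x_powered_by": lowered.get("x-powered-by"),
        "claimed": claimed,
        "guess": guess,
        "score": score,
        # No Server: header, or an unknown product, is not a contradiction.
        "consistent": claimed in (None, "other") or claimed == guess,
    }


if __name__ == "__main__":
    import sys
    raw = head_request(sys.argv[1]) if len(sys.argv) > 1 else LYING_SAMPLE
    print(analyze(raw))
```

Run it with a hostname to probe a live server, or without arguments to see the constructed “lying” response flagged: the claimed family is apache but the header layout scores as iis, and the X-Powered-By: ASP.NET leak is reported alongside.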
10
Join the dots ► Given a web server type/version, sometimes the OS can be determined ● IIS/6.0 → Windows box ● Sun ONE → Solaris ● Apache → ??? (runs on almost anything)
11
With information comes power! ► What to do with this info? ● Look up known vulnerabilities for that platform and version (SecurityFocus, Secunia, OSVDB; see the credits)
12
Changing the Server header ► Smells of “security by obscurity”, but there is no reason to hand out a version list either ► I believe that … Apache/1.3.0 (Unix) PHP/3.0 SomeMod/9.3 … …is too much info ► Apache (1.3 and later) ● ServerTokens Prod[uctOnly] reduces the header to “Apache”; also set ServerSignature Off so generated error pages stop printing the version ► IIS ● IISLockdown/URLScan + RemoveServerHeader ● Remember the X-Powered-By header as well! (ASP.NET and PHP add it, and it is removed separately from Server)
13
Scanning products ► Various products are available to scan machines/networks for known vulns ► Network scanning (hosts, open ports, service versions, missing patches) vs application scanning (crawls and tests the web application itself); they find different things, so both are needed
14
Rest of the stack ► What about vulns in the rest of the stack? ● Issues with the app, framework and libraries will be addressed in future webcasts ● In terms of configuration, we want to remove unnecessary features/components and secure the ones that are left ► Left-over files, samples, demos, etc. ► Weak server configuration
15
Reviewing the web root ► Much easier to do if you have local access ► Look for all the places that are mapped into the URL space ● Apache – DocumentRoot in httpd.conf (and any Alias / ScriptAlias mappings) ● IIS – IIS Manager → Web Sites + Virtual Directories ► Review files and directories and remove those that are not necessary to running the application ● If in doubt, move the file/directory out of the web root(s) and see if the application still functions normally (do this on a VM clone, not on production) ► Also look for installed applications: does anyone really need MS Office on the web server? Games? CS Server?
16
Nikto/Wikto ► Example of a (free) tool which scans for potentially vulnerable files/settings ► Can generate a lot of false positives ● It decides from HTTP status codes (404 etc.), so a server that answers every request with 200 OK (custom “not found” page) makes every guessed file look present: the “200 OK problem” ► Hits are not necessarily security problems, but each should be verified ● Left-over installation files / example scripts ● Known vulnerabilities / old versions ● Use -update to get the most current signatures − Can also add your own custom ones
17
Identifying resources (how a scanner decides) ► Request a “bad” resource (one that should not exist) ► Does the server say it exists? ● No → no vulnerability ● Yes → is this a custom “not found” response that the scanner recognizes? − Recognized → false positive − Not recognized → positive; verify the finding
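Added example (not part of the deck) of the decision above applied to the “200 OK problem”: request a path that cannot exist to learn how this server says “not found”, then compare each candidate response with that baseline instead of trusting the status code. The error page template, the candidate paths and the responses are constructed for the example; fetch() is a live helper that the classification itself does not need.

```python
import difflib
import http.client
import secrets
from dataclasses import dataclass


@dataclass
class Response:
    path: str
    status: int
    body: str
    location: str = ""


def fetch(host, path, port=80, timeout=5):
    """Live GET (not exercised offline)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return Response(path, resp.status, body, resp.getheader("Location") or "")
    finally:
        conn.close()


def baseline_path():
    """A path that cannot exist: its response shows how this server says 'not found'."""
    return "/" + secrets.token_hex(8) + ".html"


def _normalize(resp):
    # Custom error pages usually echo the requested path; blank it so two
    # not-found pages for different paths compare as equal.
    return resp.body.replace(resp.path, "{PATH}")


def classify(baseline, candidate, threshold=0.9):
    """Return (verdict, detail); verdict is absent, false_positive, verify or positive."""
    if candidate.status == 404:
        return "absent", "server returned 404"
    redirects = (301, 302, 303, 307, 308)
    if candidate.status in redirects:
        if baseline.status in redirects and baseline.location == candidate.location:
            return "false_positive", "catch-all redirect to " + candidate.location
        return "verify", "redirect to " + candidate.location
    if candidate.status == 200 and baseline.status == 200:
        ratio = difflib.SequenceMatcher(None, _normalize(baseline),
                                        _normalize(candidate)).ratio()
        if ratio >= threshold:
            return "false_positive", "body %.0f%% similar to the not-found baseline" % (ratio * 100)
        return "positive", "200 OK and body differs from baseline (%.0f%% similar)" % (ratio * 100)
    return "verify", "status %d (baseline %d)" % (candidate.status, baseline.status)


def scan(host, paths, port=80):
    """Fetch the baseline once, then classify each candidate path (live)."""
    base = fetch(host, baseline_path(), port)
    return {p: classify(base, fetch(host, p, port)) for p in paths}


# Constructed samples: a site whose custom error page answers 200 OK.
CUSTOM_404 = ("<html><head><title>Not found</title></head><body>"
              "<h1>Sorry, {path} is not on this site</h1>"
              "<p>Try the home page instead.</p></body></html>")
BASELINE = Response("/9f3a7c1e5b2d4680.html", 200,
                    CUSTOM_404.format(path="/9f3a7c1e5b2d4680.html"))
SOFT_404 = Response("/phpinfo.php", 200, CUSTOM_404.format(path="/phpinfo.php"))
REAL_HIT = Response("/install.php", 200,
                    "<html><body><h1>Installer: step 1</h1><form>Database host: "
                    "<input name=dbhost> Admin password: <input name=pw></form>"
                    "</body></html>")
HARD_404 = Response("/cgi-bin/test-cgi", 404, "<h1>Not Found</h1>")

if __name__ == "__main__":
    for cand in (SOFT_404, REAL_HIT, HARD_404):
        print(cand.path, classify(BASELINE, cand))
```

The threshold is deliberately high: a left-over script that merely resembles the site template still differs in most of its body, while a custom error page differs only in the echoed path, which _normalize() removes before comparing.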
19
WebDAV ► WebDAV (Distributed Authoring and Versioning) extends HTTP with methods such as PUT, DELETE, PROPFIND, MKCOL, COPY and MOVE for editing content on a web server ● Allows for editing/modification/creation of web pages without having file access to the server ● Uses normal HTTP auth – Basic, Digest, NTLM, etc. ► Production servers generally do not need WebDAV, so turn it off (or secure it: authentication required, and only on the paths that need it) ► Connect to the server and use the HTTP OPTIONS method to see if it is enabled (look at the Allow: and DAV: headers in the reply) ● Test with tools like DAVExplorer, DAVE, PerlDAV, (FrontPage?) ● Turn off methods other than GET, POST and HEAD
20
HTTP OPTIONS
21
Turning off HTTP verbs ► Apache ● Uninstall/disable mod_dav (or variants) − Look for “DAV On” in the config file(s) ● mod_rewrite can reject unwanted methods with a rule such as
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|…|…)
RewriteRule .* - [F]
● Apache 2.0.55 and later also have a TraceEnable directive, which is the cleaner way to disable TRACE ► IIS ● Web Service Extensions Manager (in the IIS Manager MMC) ● (4.0 + 5.0) URLScan + DenyVerbs
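Added example (not from the deck) covering both the WebDAV slide and this one: ask the server what it allows with OPTIONS, flag WebDAV verbs and anything outside GET/HEAD/POST, and probe TRACE directly, because a server may not list TRACE in Allow: even when it answers it. The Allow: strings used as samples are constructed; the two probe functions need a live host and are not needed for the assessment logic.

```python
import http.client
import secrets

SAFE = {"GET", "HEAD", "POST"}          # what the deck says to keep
WEBDAV = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
          "PUT", "DELETE", "SEARCH"}


def parse_allow(value):
    """'OPTIONS, GET, HEAD' -> ['OPTIONS', 'GET', 'HEAD']"""
    return [m.strip().upper() for m in value.split(",") if m.strip()]


def assess(allowed):
    """Summarise an Allow: list against the deck's rule (only GET/HEAD/POST)."""
    allowed = set(allowed)
    return {
        "webdav": sorted(allowed & WEBDAV),
        "trace": "TRACE" in allowed,
        "unexpected": sorted(allowed - SAFE - {"OPTIONS"}),
    }


def options_probe(host, port=80, path="/"):
    """Live: return (status, methods advertised, DAV header or None)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("OPTIONS", path, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()
        allow = resp.getheader("Allow") or resp.getheader("Public") or ""
        return resp.status, parse_allow(allow), resp.getheader("DAV")
    finally:
        conn.close()


def trace_echoed(body, marker):
    """TRACE is live if the server echoes our request, marker header included."""
    return marker in body


def trace_probe(host, port=80):
    """Live: send TRACE with a random marker header and look for it in the reply."""
    name, value = "X-Probe", secrets.token_hex(8)
    marker = name + ": " + value
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"Host": host, name: value})
        resp = conn.getresponse()
        return resp.status, trace_echoed(resp.read().decode("latin-1"), marker)
    finally:
        conn.close()


# Constructed samples: an out-of-the-box server and a locked-down one.
OPEN_ALLOW = "OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PUT, DELETE"
HARDENED_ALLOW = "GET, HEAD, POST"

if __name__ == "__main__":
    for sample in (OPEN_ALLOW, HARDENED_ALLOW):
        print(sample, "->", assess(parse_allow(sample)))
```

Allow: reflects the path you asked about, so probe the application's real paths (and a directory that allows WebDAV may be different from the root); the TRACE probe is the check to trust, since it exercises the method rather than reading the server's description of itself.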
22
HTTPS ► HTTPS (HTTP over SSL) is a requirement on a lot of websites ● Provides confidentiality − Not only for PII or credit card info, but also for session tokens (more later) ● Provides integrity − Tampering by a man-in-the-middle is detected ● Authentication as well (the server certificate), but leave that for another time ► The strength of the SSL cipher used matters, depending on the information being protected ● “weak” ciphers can be broken in as little as 4 hours (see the brute-force reference in the credits)
23
SSL Negotiation ► The cipher is chosen by negotiation between the server and the browser ● The client lists what it supports and the server picks from that list (normally the strongest one both sides share, but it is the server's choice) ► SSLv2 downgrade attack ● SSLv2's handshake is not integrity-protected, so an active attacker can strip the stronger ciphers from the client's list and force a weaker one than both sides actually support ● Defence: only allow “strong” ciphers, and disable SSLv2 entirely ► Use SSLDigger and OpenSSL to check which ciphers and protocol versions a server accepts
26
Removing SSL Ciphers ► Apache ● mod_ssl + − SSLCipherSuite HIGH:+MEDIUM:!LOW:!SSLv2 − Operators (OpenSSL cipher-list syntax): no prefix adds ciphers; ‘+’ moves ciphers already in the list to the end (lowers their preference, it does not add them); ‘-’ removes ciphers but a later entry can add them back; ‘!’ removes them permanently − So the example above ends up offering only the HIGH set; to really include MEDIUM, list it without the ‘+’ − Can select specific ciphers instead of aliases − SSLCipherSuite !AES256-SHA:+RC2-CBC-MD5 − (with these semantics that second example selects no ciphers at all, since nothing is ever added; check any string with openssl ciphers -v before deploying it) ► IIS ● Site Properties → Directory Security → Require 128-bit encryption ● Can remove ciphers via RegEdit (SCHANNEL keys; see the KB articles in the references)
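Added example, not from the deck, for the checks on the two SSL slides: expand a cipher string with the local OpenSSL exactly as mod_ssl would (which shows that the deck's HIGH:+MEDIUM:!LOW:!SSLv2 never adds MEDIUM, and that a plain HIGH list can still admit anonymous-DH suites unless aNULL is excluded), flag anything a reviewer would reject, and probe a live server one suite at a time the way SSLDigger does. HARDENED_SPEC is this example's suggestion, not the deck's; the weak-cipher rules are an assumption encoded here, not an OpenSSL classification. Modern Python/OpenSSL cannot speak SSLv2 or SSLv3, so those protocol versions have to be tested with an older client.

```python
import socket
import ssl

SLIDE_SPEC = "HIGH:+MEDIUM:!LOW:!SSLv2"               # the deck's Apache example
HARDENED_SPEC = "HIGH:!aNULL:!eNULL:!3DES:!RC4:!MD5"  # this example's suggestion


def ciphers_for(spec):
    """Expand an SSLCipherSuite value with the local OpenSSL and return the
    suites it would offer, in preference order (list of dicts)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)            # ssl.SSLError if nothing at all matches
    return ctx.get_ciphers()


def weak_ciphers(spec):
    """Suites in the expansion that a reviewer would reject, with the reason.
    The rules are this example's assumptions about what counts as weak."""
    weak = []
    for c in ciphers_for(spec):
        name, reasons = c["name"], []
        if name.startswith(("ADH-", "AECDH-")):
            reasons.append("anonymous key exchange: no server authentication")
        if "NULL" in name:
            reasons.append("NULL cipher: no encryption")
        if name.startswith("EXP"):
            reasons.append("export grade")
        if "RC4" in name:
            reasons.append("RC4")
        if "DES" in name:                 # also catches 3DES (DES-CBC3-SHA)
            reasons.append("DES/3DES")
        if name.endswith("-MD5"):
            reasons.append("MD5 MAC")
        if c["strength_bits"] < 128:
            reasons.append("%d-bit key" % c["strength_bits"])
        if reasons:
            weak.append((name, "; ".join(reasons)))
    return weak


def probe(host, port=443, cipher="RC4-SHA", timeout=5):
    """SSLDigger-style server check: does the server complete a handshake when
    the client offers only this one suite? Returns (name, protocol, bits) or None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # testing ciphers, not the certificate
    # TLS 1.3 suites are not governed by set_ciphers; cap the version so a
    # TLS 1.3 handshake cannot masquerade as acceptance of the probed suite.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        raise ValueError("local OpenSSL cannot offer %s; test it with another client" % cipher)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()
    except (ssl.SSLError, ConnectionError, socket.timeout):
        return None


if __name__ == "__main__":
    for spec in (SLIDE_SPEC, HARDENED_SPEC):
        suites = ciphers_for(spec)
        print("%-40s %3d suites, weak: %s" % (spec, len(suites), weak_ciphers(spec)))
```

Run the script to see both expansions side by side on your OpenSSL build; then point probe() at a server with each suite you want to be sure is refused (a None result means the handshake failed, which is what you want for RC4 or 3DES).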
27
Conclusion/wrap-up ► Ensure that the machine is as “clean” as possible ● Stop unnecessary services and close the ports ● Remove all unnecessary pages / scripts / interfaces ► Disable HTTP methods the application does not use ► Use SSLv3/TLS (today: TLS only; SSLv3 is obsolete) ► Remove all SSL ciphers below “strong” ► See… ● LAMP - http://www.apachesecurity.net/ ● WISA - http://msdn2.microsoft.com/en-us/library/ms994921.aspx
28
Next Up: Authentication
29
Credits/references ► NetCat ● http://netcat.sourceforge.net/ ● (also available in Cygwin - http://www.cygwin.com/) ► Vulnerability databases: SecurityFocus.com, Secunia.com, OSVDB.org ► HTTPrint ● http://net-square.com/httprint/ ► nMap ● http://insecure.org/nmap/
30
► Apache documentation ● http://httpd.apache.org/docs/1.3/mod/core.html#servertokens ● http://httpd.apache.org/docs/2.0/mod/mod_ssl.html ► IISLockdown ● http://www.microsoft.com/downloads/details.aspx?FamilyID=DDE9EFC0-BB30-47EB-9A61-FD755D23CDEC ► URLScan ● http://www.microsoft.com/technet/security/tools/urlscan.mspx ► Brute force weak SSL ciphers ● http://www.cl.cam.ac.uk/~rnc1/brute.html
31
► IIS SSL ciphers registry keys ● http://support.microsoft.com/kb/216482 ● http://support.microsoft.com/kb/187498