Copyright © 2009, McAfee, Inc.
Presented By Mike Andrews
Configuration
WebSec 101
[email protected]@mikeandrews.com
Intro Music by DoKashiteru via CCMixter
Nothing in isolation
Network
Operating System
Libraries
Web server
Framework / App Server
Application
Attack Surface
► Attack surface is the total number of possible attack vectors
► Think of a house, with doors and windows as the attack vectors
► Minimize surface area - want to make sure all doors and windows are locked and secure
From the bottom
► Each running network service is a door or window
► Generally on a WebApp only want external users to access ports 80 and 443
● Turn off services like Telnet, FTP, SMTP, etc
● Some may be necessary - filter at firewall
► Some servers can be administered via web pages on administrative ports
● http://servername:5842
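The "every listening service is a door or window" point can be checked from inside the box before anyone port-scans it from outside. The following is an added example (not from the original deck): it parses the output of `ss -tln` (a constructed sample is embedded; the host, ports and administrative port 5842 are made up) and reports every listener that is bound to a non-loopback address and is not on the expected web-server allow-list of 80 and 443. Loopback-only listeners are reported separately, since they are not part of the external attack surface but are still worth knowing about.

```python
"""Audit a host's listening TCP sockets against a web-server allow-list.

Added example, not part of the original deck. The sample `ss -tln`
output below is constructed for illustration.
"""
import ipaddress
import re

# Constructed sample output of `ss -tln` on a hypothetical web server.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*
LISTEN  0       5       0.0.0.0:21           0.0.0.0:*
LISTEN  0       511     [::]:80              [::]:*
LISTEN  0       128     [::1]:5842           [::]:*
"""

# For a plain web server, only these ports should be reachable from outside.
WEB_ALLOWLIST = {80, 443}

# "Local Address:Port" is either "[v6addr]:port" or "v4addr:port" (or "*:port").
_LOCAL_RE = re.compile(r"^(?:\[(?P<v6>[^\]]*)\]|(?P<v4>[^:\s]+)):(?P<port>\d+)$")


def parse_listeners(ss_output):
    """Return (address, port) tuples for every LISTEN line in `ss -tln` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening state
        m = _LOCAL_RE.match(fields[3])
        if not m:
            continue
        addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
        listeners.append((addr, int(m.group("port"))))
    return listeners


def is_external(addr):
    """True when a bind address accepts connections from other hosts."""
    if addr in ("*", ""):
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unknown form: treat as exposed rather than hide it
    return ip.is_unspecified or not ip.is_loopback


def audit_listeners(ss_output, allowlist=WEB_ALLOWLIST):
    """Split listeners into unexpected-external, allowed-external and local-only ports."""
    unexpected, allowed, local_only = set(), set(), set()
    for addr, port in parse_listeners(ss_output):
        if not is_external(addr):
            local_only.add(port)
        elif port in allowlist:
            allowed.add(port)
        else:
            unexpected.add(port)
    return {
        "unexpected": sorted(unexpected),  # doors that should be closed or firewalled
        "allowed": sorted(allowed),
        "local_only": sorted(local_only),
    }


if __name__ == "__main__":
    for key, ports in audit_listeners(SAMPLE_SS_OUTPUT).items():
        print(f"{key:>10}: {ports}")
```

On the constructed sample the audit flags 21 (FTP) and 22 (SSH) as unexpected external listeners, accepts 80 and 443, and lists 25 and 5842 as loopback-only. The "unexpected" list is the input to the "turn it off or filter at the firewall" decision; a management port such as 5842 bound to loopback is the safer shape if it cannot be removed.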
nMap
► nMap – “Network Mapper”
► Look for high-level TCP ports
► Connect to them and send HTTP request
● HEAD / HTTP/1.0
Checking for known vulnerabilities
► Need to know the type and version of the software
● From an internal/white-box point of view this is easy!
► Can be done for both OS and webserver
● nmap -O
● HEAD request --> Server Header
They Lie!
► Sometimes no SERVER: header, sometimes it lies!
● Fingerprint on response differences
How does HTTPrint work out the server type?
Join the dots
► Given a webserver type/version, sometimes the OS can be determined
● IIS/6.0 - Windows box
● Sun ONE - Solaris
● Apache - ???
With information comes power!
► What to do with this info?
● Lookup known vulnerabilities for the platform
Changing the SERVER header
► Smells of “security by obscurity”
► I believe that “…Apache/1.3.0 (Unix) PHP/3.0 SomeMod/9.3…” is too much info
► Apache (>1.3)
● ServerTokens Prod[uctOnly]
► IIS
● IISLockdown/URLScan + RemoveServerHeader
● Remember the X-POWERED-BY header as well!
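A quick way to audit what a server is disclosing is to map the observed Server header back to the ServerTokens level it could have come from. The code below is an added example, not from the original deck: Apache's ServerTokens directive produces a predictable family of header values (Prod, Major, Minor, Min, OS, Full), and the function recognises each shape, then flags an X-POWERED-BY header as well. The sample headers are constructed. Since the slide before this one points out that the header can be absent or lie, treat the result as a configuration-review aid for hosts you own, not as a fingerprint.

```python
"""Classify how much a Server header reveals, and flag X-Powered-By.

Added example, not part of the original deck. The sample header sets at
the bottom are constructed.
"""
import re

# Most detailed -> least detailed, following the Apache ServerTokens docs:
#   Full  : Apache/2.4.41 (Unix) PHP/7.4 ...   (version, OS, loaded modules)
#   OS    : Apache/2.4.41 (Unix)
#   Min   : Apache/2.4.41
#   Minor : Apache/2.4
#   Major : Apache/2
#   Prod  : Apache
_APACHE_LEVELS = [
    ("Full",  re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\) \S+")),
    ("OS",    re.compile(r"^Apache/\d+\.\d+\.\d+ \([^)]+\)$")),
    ("Min",   re.compile(r"^Apache/\d+\.\d+\.\d+$")),
    ("Minor", re.compile(r"^Apache/\d+\.\d+$")),
    ("Major", re.compile(r"^Apache/\d+$")),
    ("Prod",  re.compile(r"^Apache$")),
]


def apache_tokens_level(server_value):
    """Return the ServerTokens level matching a Server header, or None if not Apache-shaped."""
    value = server_value.strip()
    for level, pattern in _APACHE_LEVELS:
        if pattern.match(value):
            return level
    return None


def assess_disclosure(headers):
    """List disclosure findings for a dict of response headers.

    An empty list means the server exposes only a product name, or no
    Server header at all, and no X-Powered-By header.
    """
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    server = lower.get("server")
    if server:
        level = apache_tokens_level(server)
        if level is None:
            # Non-Apache or unrecognised shape: any "/<digit>" token is a version leak.
            if re.search(r"/\d", server):
                findings.append(f"Server header discloses a version: {server!r}")
        elif level != "Prod":
            findings.append(f"Server header is at ServerTokens {level} level: {server!r}")
    powered = lower.get("x-powered-by")
    if powered:
        findings.append(f"X-Powered-By header present: {powered!r}")
    return findings


# Constructed sample header sets.
SAMPLES = {
    "verbose":  {"Server": "Apache/1.3.0 (Unix) PHP/3.0 SomeMod/9.3", "X-Powered-By": "PHP/3.0"},
    "hardened": {"Server": "Apache"},
    "iis":      {"Server": "Microsoft-IIS/6.0", "X-Powered-By": "ASP.NET"},
    "silent":   {},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", assess_disclosure(hdrs) or ["no disclosure findings"])
```

Run against the constructed samples, only the "hardened" and "silent" sets come back clean; the verbose Apache set is reported as ServerTokens Full plus an X-Powered-By leak, and the IIS set as a version leak plus X-Powered-By, which is exactly the pair of headers the slide says to strip with RemoveServerHeader.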
Scanning products
► Various products available to scan machines/networks to look for known vulns
► Network scanning vs Application scanning
Rest of the stack
► What about vulns in the rest of the stack?
● Issues with the app, framework and libraries will be addressed in future webcasts
● In terms of configuration, we want to remove unnecessary features/components and secure the ones that are left
► Left over files, samples, demos, etc
► Weak server configuration
Reviewing the web root
► Much easier to do if you have local access
► Look for all the places that are mapped
● Apache - httpd.conf DocumentRoot
● IIS - IIS Manager Web Sites + Virtual Directories
► Review files and directories - remove those that are not necessary to running the application
● If in doubt, move the file/directory out of the web root(s) and see if the application functions normally (VM clones?)
► Also look for installed applications - does anyone really need MSOffice on the web server? Games? CS Server?
Nikto/Wikto
► Example of a (free) tool which scans for potentially vulnerable files/settings
► Can generate a lot of false positives
● HTTP Codes (404’s etc)
● 200 OK problem
► Not necessarily security problems, but should be verified
● Left-over installation files / example scripts
● Known vulnerabilities / old versions
● Use –update to get most current signatures
− Can also add your own custom ones
Identifying resources
[Flowchart: Request “bad” resource → Does it exist? → Custom response? → Recognize? Outcomes: Positive vulnerability, No vulnerability, False Positive; decision edges labelled [y]]
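The flowchart above is a triage procedure for scanner output, and it can be written down as a small function. What follows is an added example, not from the original deck or from Nikto: it first records what this server returns for a path that cannot exist (the "custom response" baseline), then classifies each scanner hit as not present (a real 404), a false positive (a 200 whose body is essentially the baseline page, the "200 OK problem") or a candidate that a human verifies. All responses and paths below are constructed.

```python
"""Triage scanner hits: real file, genuine 404, or a custom error page?

Added example, not part of the original deck. Every response below is
constructed; the baseline stands in for a request to a random,
guaranteed-missing path.
"""
import difflib
import re

# Constructed baseline: the server's answer for a path that cannot exist.
# Status is 200, not 404 - the custom-error-page case that fools scanners.
BASELINE = (200, "<html><title>Oops</title><body>Page /zz9pluralzalpha not found. "
                 "Try our <a href='/'>home page</a>.</body></html>")

# Constructed scanner hits to triage.
HITS = {
    "/admin/":      (404, "<html><body>Not Found</body></html>"),
    "/test.php":    (200, "<html><title>Oops</title><body>Page /test.php not found. "
                          "Try our <a href='/'>home page</a>.</body></html>"),
    "/phpinfo.php": (200, "<html><body><h1>PHP Version 5.2.0</h1><table>...</table></body></html>"),
}

NOT_PRESENT, FALSE_POSITIVE, CANDIDATE = "not present", "false positive", "candidate - verify"


def normalise(body):
    """Strip the part of a body that legitimately varies per request (the echoed path)."""
    body = re.sub(r"/[\w./-]*", "/", body)  # collapse any path-like token
    return re.sub(r"\s+", " ", body).strip()


def similarity(a, b):
    """0.0..1.0 ratio between two normalised bodies."""
    return difflib.SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def classify(hit, baseline, threshold=0.9):
    """Apply the slide's flow: does it exist? custom response? do we recognise it?"""
    status, body = hit
    base_status, base_body = baseline
    if status == 404:
        return NOT_PRESENT        # the server said no; nothing to verify
    if status == base_status and similarity(body, base_body) >= threshold:
        return FALSE_POSITIVE     # same "not found" page we already know, just with a 200
    return CANDIDATE              # something different came back: a human checks it


def triage(hits, baseline=BASELINE):
    """Classify every scanner hit against the baseline response."""
    return {path: classify(resp, baseline) for path, resp in hits.items()}


if __name__ == "__main__":
    for path, verdict in triage(HITS).items():
        print(f"{path:<14} {verdict}")
```

The threshold is the "Recognize?" box made explicit: the echoed path is normalised away so that the baseline and a hit for a different name compare equal, and anything that still differs substantially (here the constructed phpinfo page) is left for manual verification rather than silently trusted or discarded.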
WebDAV
► WebDAV is a CVS system for web servers
● Allows for editing/modification/creation of web pages without having access to files on the server
● Uses normal HTTP auth – Basic, Digest, NTLM, etc
► Generally users do not need WebDAV for production servers, so turn it off (or secure it)
► Connect to the server and use the HTTP OPTIONS method to see if it’s enabled
● Test with tools like DAVExplorer, DAVE, PerlDAV, (FrontPage?)
● Turn off methods other than GET, POST, and HEAD
HTTP Options
Turning off HTTP verbs
► Apache
● Uninstall/disable Mod_DAV (or variants)
− Look for DAV On in webconf file(s)
● Mod_Rewrite +
− RewriteEngine On
− RewriteCond %{REQUEST_METHOD} ^(TRACE|…|…)
− RewriteRule .* - [F]
► IIS
● Web Service Extensions Manager (in IIS Manager MMC)
● (4.0 + 5.0) URLScan + DenyVerbs
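Both the WebDAV slide and this one come down to one check: send OPTIONS, read what the server advertises, and make sure nothing beyond GET, POST and HEAD is left on. The code below is an added example, not from the deck: it parses a raw OPTIONS response (two constructed samples are embedded, one with DAV on and one locked down), collects the Allow and Public method lists and the DAV header, and reports methods outside the policy. OPTIONS reports what the server claims; a method can still be handled even if it is not listed, so this is a review aid to run after the configuration change, not proof on its own. For TRACE specifically, Apache 1.3.34/2.0.55 and later also provide the TraceEnable Off directive, which applies before mod_rewrite sees the request.

```python
"""Check an HTTP OPTIONS response against the allowed-method policy.

Added example, not part of the original deck. The two raw responses
below are constructed.
"""

ALLOWED_METHODS = {"GET", "POST", "HEAD"}
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed OPTIONS response from a server with WebDAV and TRACE still on.
DAV_ENABLED = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jun 2009 10:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "DAV: 1,2\r\n"
    "MS-Author-Via: DAV\r\n"
    "Allow: OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,LOCK,UNLOCK\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed OPTIONS response after lock-down.
LOCKED_DOWN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Allow: GET,HEAD,POST,OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response_headers(raw):
    """Return (status_code, headers) from a raw HTTP response; names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        # Repeated list-valued fields are folded with a comma, as HTTP permits.
        headers[key] = (headers[key] + "," + value.strip()) if key in headers else value.strip()
    return status, headers


def advertised_methods(headers):
    """Methods announced in Allow (RFC 7231) or the older Public header."""
    methods = set()
    for field in ("allow", "public"):
        if field in headers:
            methods.update(m.strip().upper() for m in headers[field].split(",") if m.strip())
    return methods


def review_options(raw, allowed=ALLOWED_METHODS):
    """Summarise an OPTIONS response: WebDAV announced, and methods outside policy."""
    status, headers = parse_response_headers(raw)
    methods = advertised_methods(headers)
    # OPTIONS itself is what made this check possible, so it is tolerated, not required.
    unexpected = sorted(methods - allowed - {"OPTIONS"})
    return {
        "status": status,
        "webdav": "dav" in headers or bool(methods & DAV_METHODS),
        "unexpected_methods": unexpected,
        "trace_enabled": "TRACE" in methods,
    }


if __name__ == "__main__":
    for label, raw in (("before", DAV_ENABLED), ("after", LOCKED_DOWN)):
        print(label, review_options(raw))
```

On the first constructed response the review reports WebDAV on, TRACE on, and eight methods outside policy; on the second it comes back empty, which is the state the slide's "turn off methods other than GET, POST, and HEAD" aims for.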
HTTPS
► HTTPS (HTTP over SSL) is a requirement on a lot of websites
● Provides Confidentiality
− Not only for PII or credit card info, but also for session tokens (more later)
● Provides Integrity
− MITM attacks
● Authentication as well, but leave that for another time
► Strength of the SSL cipher used is important depending on the information being protected
● “weak” ciphers can be broken in as little as 4 hours
SSL Negotiation
► SSL selects the best cipher to use by negotiation between the server and browser
● Select the highest common available cipher
► SSLv2 Downgrade Attack
● Force a weaker cipher than is available
● Only allow “strong” ciphers
► Use SSLDigger and OpenSSL to check ciphers and versions
Removing SSL Ciphers
► Apache
● Mod_SSL +
− SSLCipherSuite HIGH:+MEDIUM:!LOW:!SSLv2
− ‘+’ adds a cipher, ‘!’ removes a cipher
− Can select specific ciphers instead of aliases
− SSLCipherSuite !AES256-SHA:+RC2-CBC-MD5
► IIS
● Site Properties > Directory Security > Require 128 Bits
● Can remove ciphers via RegEdit
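SSLCipherSuite takes the same cipher-string syntax that OpenSSL's `ciphers` command and Python's `ssl` module understand, so a string from an Apache config can be expanded locally into the concrete list of suites the server would offer, without touching the server. The code below is an added example, not from the deck: it resolves a cipher string, reports any suite weaker than a minimum key strength, and demonstrates the operator semantics as OpenSSL defines them, namely that `!` removes a suite permanently while `-` removes it in a way a later token can undo, and that `+` only moves suites already selected to the end of the list rather than adding new ones (so `HIGH:+MEDIUM` offers the same set as `HIGH`). Which suite names appear depends on the OpenSSL build Python is linked against.

```python
"""Resolve an OpenSSL cipher string and audit what actually survives.

Added example, not part of the original deck. Uses only the standard
library; the suite list reflects the local OpenSSL build.
"""
import ssl


def resolve(cipher_string):
    """Expand a cipher string into the suites OpenSSL would actually enable.

    TLS 1.3 suites are governed by a separate setting (SSLCipherSuite TLSv1.3 ...
    in httpd, set_ciphersuites() in OpenSSL) and are reported by get_ciphers()
    regardless of the string, so they are filtered out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing at all matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def suite_names(cipher_string):
    """Ordered suite names for a cipher string (server preference order)."""
    return [c["name"] for c in resolve(cipher_string)]


def audit(cipher_string, min_bits=128):
    """Return (name, strength_bits) for every suite weaker than min_bits; empty means clean."""
    return [(c["name"], c["strength_bits"]) for c in resolve(cipher_string)
            if c["strength_bits"] < min_bits]


def bang_is_permanent():
    """Show the slide's '!' against '-' using the first suite HIGH selects."""
    name = suite_names("HIGH")[0]
    removed_for_good = name not in suite_names(f"HIGH:!{name}:{name}")  # '!' wins over re-add
    re_addable = name in suite_names(f"HIGH:-{name}:{name}")            # '-' can be undone
    return removed_for_good, re_addable


def plus_only_reorders():
    """'+MEDIUM' after HIGH moves nothing new in: the offered set is unchanged."""
    return set(suite_names("HIGH:+MEDIUM")) == set(suite_names("HIGH"))


if __name__ == "__main__":
    deck_string = "HIGH:+MEDIUM:!LOW:!SSLv2"   # the string from the slide
    suites = suite_names(deck_string)
    print(f"{deck_string!r} resolves to {len(suites)} suites, first: {suites[:3]}")
    print("weaker than 128 bits:", audit(deck_string) or "none")
    print("'!' permanent, '-' re-addable:", bang_is_permanent())
    print("'+MEDIUM' changes the set:", not plus_only_reorders())
```

A practical use is to run `audit()` over the exact SSLCipherSuite value from httpd.conf before deploying it; an empty result for the strength you require, plus a look at the resolved order, is a cheaper first check than probing the live server with SSLDigger or `openssl s_client`.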
Conclusion/wrap-up
► Ensure that machine is as “clean” as possible
● Stop unnecessary services and close the ports
● Remove all unnecessary pages / scripts / interfaces
► Disable HTTP methods
► Use SSLv3/TLS
► Remove all SSL ciphers other than “strong” or above
► See…
● LAMP - http://www.apachesecurity.net/
● WISA - http://msdn2.microsoft.com/en-us/library/ms994921.aspx
Next Up: Authentication
Credits/references
► NetCat
● http://netcat.sourceforge.net/
● (also available in Cygwin - http://www.cygwin.com/)
► SecurityFocus.com, Secunia.com, OSVDB.org
► HTTPrint
● http://net-square.com/httprint/
► nMap
● http://insecure.org/nmap/
► Apache documentation
● http://httpd.apache.org/docs/1.3/mod/core.html#servertokens
● http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
► IISLockdown
● http://www.microsoft.com/downloads/details.aspx?FamilyID=DDE9EFC0-BB30-47EB-9A61-FD755D23CDEC
► URLScan
● http://www.microsoft.com/technet/security/tools/urlscan.mspx
► Brute force weak SSL ciphers
● http://www.cl.cam.ac.uk/~rnc1/brute.html
► IIS SSL Ciphers registry hack
● http://support.microsoft.com/kb/216482
● http://support.microsoft.com/kb/187498