Copyright © 2009, McAfee, Inc. Presented By Mike Andrews Configuration WebSec 101 [email protected] [email protected] Intro Music by DoKashiteru via CCMixter


Copyright © 2009, McAfee, Inc.

Presented By Mike Andrews

Configuration

WebSec 101

mike.andrews@foundstone.com mike@mikeandrews.com

Intro Music by DoKashiteru via CCMixter


Nothing in isolation

Network

Operating System

Libraries

Web server

Framework / App Server

Application


Attack Surface

► Attack surface is the total number of possible attack vectors

► Think of a house, with doors and windows as the attack vectors

► Minimize surface area - want to make sure all doors and windows are locked and secure


From the bottom

► Each running network service is a door or window

► Generally on a WebApp only want external users to access ports 80 and 443
● Turn off services like Telnet, FTP, SMTP, etc
● Some may be necessary - filter at firewall

► Some servers can be administered via web pages on administrative ports
● http://servername:5842
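As an added illustration of this slide (not from the original deck), the script below reads listening sockets in the layout of Linux `ss -ltn` output and flags anything reachable from other hosts that is not on port 80 or 443. The sample output is constructed, and both the allow-list and the loopback exemption are assumptions made for the example.

```python
import re

# Ports an internet-facing web server is expected to expose (the slide: 80 and 443).
ALLOWED_PORTS = {80, 443}
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample in the layout of Linux `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       511     *:443                *:*
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*
LISTEN  0       128     [::]:5842            [::]:*
LISTEN  0       5       0.0.0.0:21           0.0.0.0:*
"""

# Greedy match on the address so the last ':' is taken as the port separator
# (works for 0.0.0.0:22, *:80 and [::]:5842 alike).
LOCAL_ADDR = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")


def parse_listeners(ss_output):
    """Return (local address, port) for every LISTEN row; handles '*' and [ipv6] forms."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        match = LOCAL_ADDR.match(fields[3])
        if match:
            listeners.append((match.group("addr"), int(match.group("port"))))
    return listeners


def unexpected_listeners(ss_output, allowed=ALLOWED_PORTS):
    """Listeners reachable from other hosts that are not on an allowed port.
    Loopback-only sockets are skipped here (assumption: they are not a door
    to the outside), but they still belong on the review list."""
    return [
        (addr, port)
        for addr, port in parse_listeners(ss_output)
        if port not in allowed and addr not in LOOPBACK
    ]


if __name__ == "__main__":
    for addr, port in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"review: {addr}:{port} is listening but is not 80/443")
```

Run it against real `ss -ltn` output piped into the function (or the equivalent `netstat -an` on Windows after adjusting the parser) and each line it prints is a door to either close, move behind the firewall, or document as intentionally open.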


nMap

► nMap – “Network Mapper”

► Look for high-level TCP ports
► Connect to them and send HTTP request

● HEAD / HTTP/1.0


Checking for known vulnerabilities

► Need to know the type and version of the software
● From an internal/white-box point of view this is easy!
► Can be done for both OS and webserver
● nmap -O
● HEAD request --> Server Header


They Lie!

► Sometimes no SERVER: header, sometimes it lies!
● Fingerprint on response differences


How does HTTPrint work out the server type?


Join the dots

► Given a webserver type/version, sometimes the OS can be determined
● IIS/6.0 -> Windows box
● Sun ONE -> Solaris
● Apache -> ???


With information comes power!

► What to do with this info?
● Lookup known vulnerabilities for the platform


Changing the SERVER header

► Smells of “security by obscurity”

► I believe that …Apache/1.3.0 (Unix) PHP/3.0 SomeMod/9.3… is too much info

► Apache (>1.3)
● ServerTokens Prod[uctOnly]

► IIS
● IISLockdown/URLScan + RemoveServerHeader
● Remember the X-POWERED-BY header as well!


Scanning products

► Various products available to scan machines/networks to look for known vulns

► Network scanning vs Application scanning


Rest of the stack

► What about vulns in the rest of the stack?
● Issues with the app, framework and libraries will be addressed in future webcasts
● In terms of configuration, we want to remove unnecessary features/components and secure the ones that are left

► Left over files, samples, demos, etc

► Weak server configuration


Reviewing the web root

► Much easier to do if you have local access

► Look for all the places that are mapped
● Apache - httpd.conf DocumentRoot
● IIS - IIS Manager Web Sites + Virtual Directories

► Review files and directories - remove those that are not necessary to running the application
● If in doubt, move the file/directory out of the web root(s) and see if the application functions normally (VM clones?)

► Also look for installed applications - does anyone really need MSOffice on the web server? Games? CS Server?


Nikto/Wikto

► Example of a (free) tool which scans for potentially vulnerable files/settings

► Can generate a lot of false positives
● HTTP Codes (404’s etc)
● 200 OK problem

► Not necessarily security problems, but should be verified
● Left-over installation files / example scripts
● Known vulnerabilities / old versions
● Use -update to get most current signatures

− Can also add your own custom ones


Identifying resources

[Flowchart: Request “bad” resource -> Does it exist? -> Custom response? -> Recognize?; each [y] branch continues to the next question, and the outcomes are Positive vulnerability, No vulnerability, and False Positive]
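The triage flow above, together with the “200 OK problem” from the Nikto/Wikto slide, can be automated. The code below is an added example and not part of the original deck: it first records how the server answers a path that certainly does not exist (the baseline), then classifies each scanner hit against it, treating a body that matches the baseline’s template as the server’s custom “not found” page. The responses are constructed; the 0.9 similarity threshold and the normalisation rules are assumptions for the example.

```python
import difflib
import re

# Assumption for this example: bodies this similar (after normalisation) are
# the same template, i.e. the server's custom "not found" page.
SIMILARITY_THRESHOLD = 0.9


def normalize(body, requested_path):
    """Remove the parts of an error page that legitimately differ between
    requests: the echoed path, numbers (ids, timestamps) and whitespace runs."""
    body = body.replace(requested_path, "")
    body = re.sub(r"\d+", "", body)
    return re.sub(r"\s+", " ", body).strip()


def similarity(baseline, candidate):
    """Ratio in [0, 1] of how alike two normalised response bodies are."""
    b_path, _, b_body = baseline
    c_path, _, c_body = candidate
    matcher = difflib.SequenceMatcher(None, normalize(b_body, b_path), normalize(c_body, c_path))
    return matcher.ratio()


def classify(baseline, candidate):
    """Apply the triage flow to one scanner hit.

    baseline  = (path, status, body) for a path known not to exist
    candidate = (path, status, body) for the resource the scanner flagged
    Returns 'no vulnerability', 'false positive' or 'positive vulnerability'.
    """
    _, b_status, _ = baseline
    _, c_status, _ = candidate
    if c_status == 404:
        return "no vulnerability"          # server says it does not exist
    if b_status != 200:
        return "positive vulnerability"    # server uses real 404s, so this 200 is real content
    # The server answers 200 even for nonsense paths (the "200 OK problem"):
    # only content that differs from that template deserves a closer look.
    if similarity(baseline, candidate) >= SIMILARITY_THRESHOLD:
        return "false positive"            # recognised the custom "not found" page
    return "positive vulnerability"        # different content; verify by hand


def triage(baseline, hits):
    """Classify every scanner hit against the baseline."""
    return {path: classify(baseline, (path, status, body)) for path, status, body in hits}


# Constructed responses from a server that serves a custom error page with status 200.
BASELINE = ("/zz-does-not-exist-4127", 200,
            "<html><head><title>Page not found</title></head><body>"
            "<p>Sorry, the page /zz-does-not-exist-4127 does not exist. Ref 4127</p>"
            "</body></html>")
HITS = [
    ("/admin.php", 200,
     "<html><head><title>Page not found</title></head><body>"
     "<p>Sorry, the page /admin.php does not exist. Ref 9981</p></body></html>"),
    ("/phpinfo.php", 200,
     "<html><head><title>phpinfo()</title></head><body>"
     "<h1>PHP Version 5.2.9</h1><table><tr><td>System</td></tr></table></body></html>"),
    ("/backup.zip", 404, "Not Found"),
]

if __name__ == "__main__":
    for path, verdict in triage(BASELINE, HITS).items():
        print(f"{path:15} {verdict}")
```

The baseline path should be random per run so that it cannot collide with a real resource; once the template is known, the same comparison can be fed Nikto’s raw output to cut the false-positive list before anyone verifies hits by hand.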


WebDAV

► WebDAV is a CVS system for web servers
● Allows for editing/modification/creation of web pages without having access to files on the server
● Uses normal HTTP auth – Basic, Digest, NTLM, etc

► Generally users do not need WebDAV for production servers, so turn it off (or secure it)

► Connect to the server and use the HTTP OPTIONS method to see if it’s enabled
● Test with tools like DAVExplorer, DAVE, PerlDAV, (FrontPage?)
● Turn off methods other than GET, POST, and HEAD


HTTP Options


Turning off HTTP verbs

► Apache
● Uninstall/disable Mod_DAV (or variants)
− Look for DAV On in webconf file(s)
● Mod_Rewrite +
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|…|…)
    RewriteRule .* - [F]

► IIS
● Web Service Extensions Manager (in IIS Manager MMC)
● (4.0 + 5.0) URLScan + DenyVerbs
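An added example (not the deck’s own tooling) that covers the SERVER/X-POWERED-BY header slide and the OPTIONS and verb slides together: it parses a raw HTTP response and reports version disclosure in the Server header, any X-Powered-By header, and methods in the Allow header beyond GET, HEAD and POST. The two responses are constructed; `fetch_raw` is this example’s own helper that sends the HTTP/1.0 request the nMap slide shows, and tolerating OPTIONS itself (the verb used to ask) is an assumption.

```python
import re
import socket

VERSION_TOKEN = re.compile(r"\d+\.\d+")
# Assumption for this example: OPTIONS is tolerated because it is the verb used
# to ask; the slide's own list is GET, POST and HEAD.
EXPECTED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}


def parse_response(raw):
    """Split a raw HTTP response into (status line, {lower-cased header: value})."""
    if isinstance(raw, bytes):
        raw = raw.decode("iso-8859-1")
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_headers(raw):
    """Return human-readable findings: version disclosure in Server,
    any X-Powered-By header, and methods in Allow beyond EXPECTED_METHODS."""
    _, headers = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    if VERSION_TOKEN.search(server):
        findings.append("Server header discloses versions: " + server)
    if "x-powered-by" in headers:
        findings.append("X-Powered-By header present: " + headers["x-powered-by"])
    if "allow" in headers:
        allowed = {m.strip().upper() for m in headers["allow"].split(",") if m.strip()}
        extra = sorted(allowed - EXPECTED_METHODS)
        if extra:
            findings.append("Methods enabled beyond GET/HEAD/POST: " + ", ".join(extra))
    return findings


def fetch_raw(host, port=80, method="OPTIONS", path="/", timeout=5):
    """Send the one-line HTTP/1.0 request the nMap slide describes and return
    the raw reply (plain HTTP only; not used by the offline checks below)."""
    request = f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed responses: a chatty server before hardening, and the same server
# after ServerTokens Prod / RemoveServerHeader and verb restrictions.
VERBOSE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.0 (Unix) PHP/3.0 SomeMod/9.3\r\n"
    b"X-Powered-By: PHP/3.0\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS, TRACE, PROPFIND, PUT\r\n"
    b"Content-Length: 0\r\n\r\n"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("before", VERBOSE_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(label, audit_headers(raw) or ["no findings"])
```

Against your own server, `audit_headers(fetch_raw("servername"))` after changing ServerTokens or applying URLScan is a quick way to confirm the configuration actually took effect; remember that a server can omit or falsify the header, as the “They Lie!” slide says, so an empty finding list means only that nothing is advertised.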


HTTPS

► HTTPS (HTTP over SSL) is a requirement on a lot of websites
● Provides Confidentiality
− Not only for PII or credit card info, but also for session tokens (more later)
● Provides Integrity
− MITM attacks
● Authentication as well, but leave that for another time

► Strength of the SSL cipher used is important depending on the information being protected
● “weak” ciphers can be broken in as little as 4 hours


SSL Negotiation

► SSL selects the best cipher to use by negotiation between the server and browser
● Select the highest common available cipher

► SSLv2 Downgrade Attack
● Force a weaker cipher than is available
● Only allow “strong” ciphers

► Use SSLDigger and OpenSSL to check ciphers and versions


Removing SSL Ciphers

► Apache
● Mod_SSL +
− SSLCipherSuite HIGH:+MEDIUM:!LOW:!SSLv2
− ‘+’ adds a cipher, ‘!’ removes a cipher
− Can select specific ciphers instead of aliases
− SSLCipherSuite !AES256-SHA:+RC2-CBC-MD5

► IIS
● Site Properties -> Directory Security -> Require 128 Bits
● Can remove ciphers via RegEdit
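As an added example, not from the deck: the helper below takes cipher descriptions in the form Python’s `ssl` module returns for a context (the same OpenSSL cipher-string syntax that mod_ssl’s SSLCipherSuite uses) and lists what a “strong only” policy should reject, so a proposed SSLCipherSuite value can be checked before it goes on the server. The weak-algorithm marker list and the 128-bit floor are assumptions; the sample list is constructed, and `audit_cipher_string` needs a local OpenSSL, so it is only called under `__main__`.

```python
import ssl

# Assumption for this example: algorithms a "strong only" policy rejects outright,
# whatever bit-length OpenSSL reports for them.
WEAK_MARKERS = ("NULL", "EXPORT", "EXP-", "RC4", "RC2", "DES", "MD5")
MIN_BITS = 128  # assumption: the same floor as the slide's IIS "Require 128 Bits"


def weak_ciphers(ciphers):
    """Return the names in a list of cipher descriptions (dicts with at least
    'name' and 'strength_bits', as SSLContext.get_ciphers() produces) that
    fall below MIN_BITS or use one of the WEAK_MARKERS algorithms."""
    flagged = []
    for cipher in ciphers:
        name = cipher["name"].upper()
        too_short = cipher.get("strength_bits", 0) < MIN_BITS
        bad_alg = any(marker in name for marker in WEAK_MARKERS)
        if too_short or bad_alg:
            flagged.append(cipher["name"])
    return flagged


def audit_cipher_string(spec):
    """Apply an OpenSSL cipher string to a local context and return
    (enabled cipher names, names that weak_ciphers() would reject).
    Raises ssl.SSLError if the string selects nothing at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    enabled = ctx.get_ciphers()
    return [c["name"] for c in enabled], weak_ciphers(enabled)


# Constructed sample, roughly what an old server's enabled list might contain.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},
    {"name": "AES128-SHA", "strength_bits": 128},
    {"name": "RC4-MD5", "strength_bits": 128},
    {"name": "EXP-DES-CBC-SHA", "strength_bits": 40},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
]

if __name__ == "__main__":
    print("rejected from sample:", weak_ciphers(SAMPLE_CIPHERS))
    # The slide's Apache example without its SSLv2 token, which is left out here
    # because this example only assumes support for the HIGH/MEDIUM/LOW aliases.
    enabled, rejected = audit_cipher_string("HIGH:+MEDIUM:!LOW")
    print(len(enabled), "ciphers enabled; would reject:", rejected)
```

One caveat on the cipher-string syntax itself: in OpenSSL a leading ‘!’ deletes the matching ciphers for good, a leading ‘-’ removes them but lets a later token bring them back, and a leading ‘+’ does not add ciphers but moves ones already in the list to that position, so a value such as `!AES256-SHA:+RC2-CBC-MD5` should always be checked with a tool like this rather than assumed to do what the operators suggest.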


Conclusion/wrap-up

► Ensure that machine is as “clean” as possible
● Stop unnecessary services and close the ports
● Remove all unnecessary pages / scripts / interfaces

► Disable HTTP methods

► Use SSLv3/TLS

► Remove all SSL ciphers other than “strong” or above

► See…
● LAMP - http://www.apachesecurity.net/
● WISA - http://msdn2.microsoft.com/en-us/library/ms994921.aspx


Next Up: Authentication


Credits/references

► NetCat
● http://netcat.sourceforge.net/
● (also available in Cygwin - http://www.cygwin.com/)

► SecurityFocus.com, Secunia.com, OSVDB.org

► HTTPrint
● http://net-square.com/httprint/

► nMap
● http://insecure.org/nmap/


► Apache documentation
● http://httpd.apache.org/docs/1.3/mod/core.html#servertokens
● http://httpd.apache.org/docs/2.0/mod/mod_ssl.html

► IISLockdown
● http://www.microsoft.com/downloads/details.aspx?FamilyID=DDE9EFC0-BB30-47EB-9A61-FD755D23CDEC

► URLScan
● http://www.microsoft.com/technet/security/tools/urlscan.mspx

► Brute force weak SSL ciphers
● http://www.cl.cam.ac.uk/~rnc1/brute.html


► IIS SSL Ciphers registry hack
● http://support.microsoft.com/kb/216482
● http://support.microsoft.com/kb/187498