Security testing of study information system

Internet and Web Applications, 13 Dec 2013

Security team: Matis Alliksoo, Alo Konno, Urmo Lihten, Taavi Podzuks, Sander Saarm


Current situation

Our study information system is developed in-house.

It is used by 10 applied universities.

There are more than 14 000 active users, and more than 28 000 can log in.

Current situation (2)

Technical information:

PHP 5, Zend Framework

MySQL database

Linux operating system

There are 3 servers:

Live system web frontend

Live system database

Development server (web frontend and database)





Problem

The study information system's security has been tested only by its developers, which is not good practice.

This should be done by external testers.






Goals

1. Study what web vulnerabilities are and how to use them, because we did not have any experience in pen-testing.

2. Learn about web testing framework environments and how to use them.

3. Find out the best tools to work with and test them on Damn Vulnerable Web Application and later on the study information system.

4. Find vulnerabilities in the study information system.

5. Document our work.

Top 10 Web Vulnerabilities

A1: Injection (SQL, PHP, ...)

A2: Cross-Site Scripting (XSS)

A3: Broken Authentication and Session Management

A4: Insecure Direct Object References

A5: Cross-Site Request Forgery (CSRF)

A6: Security Misconfiguration

A7: Insecure Cryptographic Storage

A8: Failure to Restrict URL Access

A9: Insufficient Transport Layer Protection

A10: Unvalidated Redirects and Forwards


Used/tested web testing frameworks

Samurai Web Testing Framework

1. BurpSuite

2. Fireforce

3. Cookie editor

4. DVWA (redirected to BackTrack 5 R2)

BackTrack 5 R2

1. BurpSuite

2. Subgraph Vega

3. Wapiti

4. W3af

5. Nessus

6. OWASP ZAP

Windows tools

Acunetix Web Vulnerability Scanner

Cross Site Request Forgery

We started by generating an HTML POST request that changes the authenticated user's language.

Cross Site Request Forgery (2)

Next we made an HTML POST request that uses USER_ID to change the authenticated user's password.




Changing Administrator password

1. Found out the USER_ID of the administrator by checking the administrator's picture URL in the study information system.

2. We created an HTML request and uploaded it to a trusted web server as a .jpg, to fool the administrator.

3. Tricked the administrator into logging into the study information system by telling him something was wrong in the study information system.

4. As an explanation of the problem we told him to check the fake screenshot (sent him the infected URL).

5. As he opened it his password changed automatically and he was kicked out of the system.

6. The issue was obviously fixed very quickly.
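The password-change flaw above combines two weaknesses: the handler accepts a cross-site POST because it checks only the session cookie, and it takes the target account from a USER_ID field in the form. The Python sketch below is an added example written for this page, not code from the security team or from the study information system; the session store, the user table, the `ois.example` origin and the handler names are all constructed placeholders. It shows the weak handler next to a hardened one that requires a per-session synchronizer token, checks the Origin header when present, takes the account from the session rather than the form, and re-authenticates with the current password.

```python
import hashlib
import hmac
import secrets

# Assumed site origin (placeholder, not the real system's hostname).
ALLOWED_ORIGIN = "https://ois.example"


def hash_pw(password, salt):
    """Salted PBKDF2 hash; stands in for whatever the real system stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_state():
    """Fresh in-memory sessions and users (constructed; stands in for the DB)."""
    salt = secrets.token_bytes(16)
    return {
        "sessions": {
            # The CSRF token lives only server-side and in the rendered form,
            # never in a cookie, so a cross-site page cannot obtain it.
            "sess-admin": {"user_id": 1, "csrf_token": secrets.token_hex(16)},
        },
        "users": {
            1: {"name": "admin", "salt": salt, "pw": hash_pw("correct horse", salt)},
        },
    }


def csrf_token_for(state, session_id):
    """Token the password form embeds as a hidden field."""
    return state["sessions"][session_id]["csrf_token"]


def change_password_vulnerable(state, cookies, form):
    """Weak handler: the only check is a valid session cookie, and the target
    account is whatever USER_ID the form says. A forged cross-site POST is
    sent with the victim's cookie by the browser, so it passes."""
    if cookies.get("session") not in state["sessions"]:
        return 401
    uid = int(form["USER_ID"])          # attacker-controlled
    user = state["users"][uid]
    user["pw"] = hash_pw(form["new_password"], user["salt"])
    return 200


def change_password_hardened(state, cookies, form, headers):
    """Hardened handler: synchronizer token, Origin check, account taken from
    the session, and re-authentication before a sensitive change."""
    session = state["sessions"].get(cookies.get("session"))
    if session is None:
        return 401
    # 1. Synchronizer token: a forged form cannot know the victim's token.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return 403
    # 2. Origin header as defence in depth; some clients omit it, so it is
    #    only enforced when present.
    origin = headers.get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403
    # 3. The target account comes from the session, never from a USER_ID field.
    user = state["users"][session["user_id"]]
    # 4. Require the current password before replacing it.
    supplied = hash_pw(form.get("current_password", ""), user["salt"])
    if not hmac.compare_digest(supplied, user["pw"]):
        return 403
    user["pw"] = hash_pw(form["new_password"], user["salt"])
    return 200


def password_is(state, uid, password):
    """Helper for checks: does the stored hash match this password?"""
    user = state["users"][uid]
    return hmac.compare_digest(hash_pw(password, user["salt"]), user["pw"])
```

In a Zend Framework application the same token check is what `Zend_Form_Element_Hash` provides; the point of the sketch is that the token check alone is not enough, the handler must also stop trusting USER_ID from the request.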


Failure to Restrict URL Access

Found a vulnerability in a URL where students can see other students' grades just by changing the USER_ID in the PDF download URL.

This failure was found by knowing the vulnerabilities and by randomly testing all pages.

This data is very sensitive and it was fixed immediately.
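The grade PDF flaw is a missing object-level authorization check: being logged in was treated as permission to read any USER_ID. The Python below is an added example for this page, not the system's code; the sessions, grade records, `/grades/pdf` path and the role model (a student sees only their own grades, a teacher sees their own students') are constructed assumptions. It shows the weak download handler beside a hardened one, and a small log check that flags a session fetching PDFs for many distinct USER_IDs, which is the pattern "randomly testing all pages" would leave in the access log.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sessions and grade records (not the real system's data model).
SESSIONS = {
    "sess-student-7": {"user_id": 7, "role": "student"},
    "sess-student-8": {"user_id": 8, "role": "student"},
    "sess-teacher-3": {"user_id": 3, "role": "teacher", "students": {7, 8}},
}
GRADE_PDFS = {
    7: b"%PDF-1.4 grades of student 7",
    8: b"%PDF-1.4 grades of student 8",
}


def user_id_from_url(url):
    """Extract the USER_ID query parameter, or None if absent or non-numeric."""
    value = parse_qs(urlparse(url).query).get("USER_ID", [None])[0]
    return int(value) if value is not None and value.isdigit() else None


def download_grades_vulnerable(session_id, url):
    """Weak handler: a valid session is the only check, so any USER_ID is served."""
    if session_id not in SESSIONS:
        return 401, None
    uid = user_id_from_url(url)
    if uid not in GRADE_PDFS:
        return 404, None
    return 200, GRADE_PDFS[uid]


def may_view_grades(session, target_uid):
    """Object-level authorization: the owner, or a teacher of that student."""
    if session["user_id"] == target_uid:
        return True
    return session.get("role") == "teacher" and target_uid in session.get("students", ())


def download_grades_hardened(session_id, url):
    """Hardened handler: authorization is decided per requested object."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, None
    uid = user_id_from_url(url)
    if uid is None:
        return 400, None
    # Authorize before the existence check so a 403 does not reveal which ids exist.
    if not may_view_grades(session, uid):
        return 403, None
    if uid not in GRADE_PDFS:
        return 404, None
    return 200, GRADE_PDFS[uid]


# Constructed access-log lines in the form "session_id status URL".
ACCESS_LOG = """\
sess-student-7 200 /grades/pdf?USER_ID=7
sess-student-7 200 /grades/pdf?USER_ID=8
sess-student-7 200 /grades/pdf?USER_ID=9
sess-student-7 200 /grades/pdf?USER_ID=10
sess-student-8 200 /grades/pdf?USER_ID=8
sess-teacher-3 200 /grades/pdf?USER_ID=7
sess-teacher-3 200 /grades/pdf?USER_ID=8
"""


def sessions_enumerating_ids(log_text, threshold=3):
    """Return sessions that fetched grade PDFs for more than `threshold`
    distinct USER_IDs; a student normally needs exactly one."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        session_id, _status, url = line.split(" ", 2)
        if urlparse(url).path != "/grades/pdf":
            continue
        uid = user_id_from_url(url)
        if uid is not None:
            seen[session_id].add(uid)
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)
```

The threshold is deliberately low for the constructed log; on a real system it would be tuned per role, since a teacher legitimately downloads many students' PDFs.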


Results

Got an overview of the most commonly used vulnerabilities and how to use them in testing.

Learned how to use different pen-testing tools and web test environments.

The study information system is now free of a couple of critical bugs.

Documentation: https://wiki.itcollege.ee/index.php/Security_team

Thank you for listening!

Questions?