Powerpoint Slides - McAfee

makeshiftklip, Internet and Web Applications

31 Oct 2013 (4 years and 13 days ago)


Copyright © 2009, McAfee, Inc.

WebSec 101: Configuration

Presented by Mike Andrews
mike.andrews@foundstone.com
mike@mikeandrews.com


Intro music by DoKashiteru via CCMixter

Nothing in isolation

- Network
- Operating System
- Libraries
- Application

Attack Surface

- Attack surface is the total number of possible attack vectors
- Think of a house, with doors and windows as the attack vectors
- Minimize surface area - want to make sure all doors and windows are locked and secure

From the bottom

- Each running network service is a door or window
- Generally on a WebApp, only want external users to access ports 80 and 443
  - Turn off services like Telnet, FTP, SMTP, etc
  - Some may be necessary - filter at firewall
- Some servers can be administered via web pages on administrative ports
  - http://servername:5842

nMap

- nMap - "Network Mapper"
- Look for high-numbered TCP ports
- Connect to them and send an HTTP request
  - HEAD / HTTP/1.0

Checking for known vulnerabilities

- Need to know the type and version of the software
- From an internal/white-box point of view this is easy!
- Can be done for both OS and webserver
  - nmap -O
  - HEAD request --> Server header

They Lie!

- Sometimes no SERVER: header, sometimes it lies!
- Fingerprint on response differences

How does HTTPrint work out the server type?

Join the dots

- Given a webserver type/version, sometimes the OS can be determined
  - IIS/6.0 --> Windows box
  - Sun ONE --> Solaris
  - Apache --> ???
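Added example, not from the slides: parse the reply to the HEAD request from the earlier slide and apply the "join the dots" table to the Server header. The responses are constructed, and the banner prefixes in BANNER_TO_OS are assumed strings for the products named above.

```python
# Added example, not from the slides: parse the reply to "HEAD / HTTP/1.0"
# and apply the slide's "join the dots" table to the Server header.
# All responses below are constructed; BANNER_TO_OS holds assumed banner prefixes.
import re

# Assumed banner prefix -> OS guess, following the slide (Apache stays unknown).
BANNER_TO_OS = {
    "Microsoft-IIS/6.0": "Windows",
    "Sun-ONE-Web-Server": "Solaris",
    "Apache": "unknown (Apache runs on many platforms)",
}

def headers(raw: str) -> dict:
    """Header name (lowercased) -> value, from a raw HTTP response."""
    head = raw.partition("\r\n\r\n")[0].split("\r\n")[1:]
    return {k.strip().lower(): v.strip() for k, sep, v in
            (line.partition(":") for line in head) if sep}

def fingerprint(raw: str) -> dict:
    """What the banner headers give away; 'unknown' means nothing (or a lie)."""
    hdrs = headers(raw)
    server = hdrs.get("server")
    os_guess = "unknown (no Server header)"
    version = None
    if server:
        os_guess = next((os_name for prefix, os_name in BANNER_TO_OS.items()
                         if server.startswith(prefix)), "unknown")
        # The text after '/' is what a vulnerability lookup is keyed on;
        # "ServerTokens Prod" leaves it out entirely.
        m = re.match(r"[^/\s]+/([\d.]+)", server)
        version = m.group(1) if m else None
    return {"server": server, "version": version,
            "x_powered_by": hdrs.get("x-powered-by"), "os_guess": os_guess}

# Constructed responses: a chatty IIS box, an Apache with ServerTokens Prod,
# and a server that sends no Server header at all.
IIS_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
                "X-Powered-By: ASP.NET\r\nContent-Length: 0\r\n\r\n")
APACHE_PROD = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"
NO_SERVER = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for raw in (IIS_RESPONSE, APACHE_PROD, NO_SERVER):
        print(fingerprint(raw))
```

Run it against your own server's HEAD reply to see exactly what the banner discloses before and after changing ServerTokens or adding RemoveServerHeader.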

With information comes power!

- What to do with this info?
- Lookup known vulnerabilities for the platform

Changing the SERVER header

- Smells of "security by obscurity"
- I believe that ...
      Apache/1.3.0 (Unix) PHP/3.0 SomeMod/9.3 ...
  ...is too much info
- Apache (>1.3)
  - ServerTokens Prod[uctOnly]
- IIS
  - IISLockdown / URLScan + RemoveServerHeader
- Remember the X-POWERED-BY header as well!


Scanning products

- Various products available to scan machines/networks to look for known vulns
- Network scanning vs Application scanning

Rest of the stack

- What about vulns in the rest of the stack?
- Issues with the app, framework and libraries will be addressed in future webcasts
- In terms of configuration, we want to remove unnecessary features/components and secure the ones that are left
  - Left over files, samples, demos, etc
  - Weak server configuration


Reviewing the web root

- Much easier to do if you have local access
- Look for all the places that are mapped
  - Apache - httpd.conf
    - DocumentRoot
  - IIS - IIS Manager
    - Web Sites + Virtual Directories
- Review files and directories - remove those that are not necessary to running the application
  - If in doubt, move the file/directory out of the web root(s) and see if the application functions normally (VM clones?)
- Also look for installed applications - does anyone really need MSOffice on the web server? Games? CS Server?


Nikto / Wikto

- Example of a (free) tool which scans for potentially vulnerable files/settings
- Can generate a lot of false positives
  - HTTP Codes (404's etc)
  - 200 OK problem
- Not necessarily security problems, but should be verified
  - Left-over installation files / example scripts
  - Known vulnerabilities / old versions
- Use the update option to get the most current signatures
- Can also add your own custom ones

Identifying resources (flowchart)

Request "bad" resource -> Does it exist?
  no  -> No vulnerability
  [y] -> Custom response?
    no  -> Positive vulnerability
    [y] -> Recognize?
      [y] -> No vulnerability
      no  -> False Positive
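Added example, not from the slides: triage one scanner hit with the flowchart above. A baseline request for a path that cannot exist shows whether the server answers everything with a custom "200 OK" page (the 200 OK problem); all paths and responses here are constructed.

```python
# Added example, not from the slides: apply the "Identifying resources"
# flowchart to a Nikto-style hit. The baseline is a request for a path that
# cannot exist, used to detect a catch-all custom response.
# All paths and responses are constructed.
import difflib

def status_code(raw: str) -> int:
    return int(raw.split("\r\n", 1)[0].split()[1])

def body(raw: str) -> str:
    return raw.partition("\r\n\r\n")[2]

def classify(probe_path, probe, baseline_path, baseline, threshold=0.9):
    """Return the flowchart outcome for one scanner hit."""
    # Does it exist?  A real 404 settles it.
    if status_code(probe) == 404:
        return "no vulnerability"
    # Custom response?  If the impossible path also gets 200, every path does.
    if status_code(baseline) != 200:
        return "positive vulnerability"
    # Recognize?  Custom error pages usually echo the requested path, so strip
    # it before comparing; near-identical bodies mean the hit is the error page.
    a = body(probe).replace(probe_path, "")
    b = body(baseline).replace(baseline_path, "")
    if difflib.SequenceMatcher(None, a, b).ratio() >= threshold:
        return "false positive (custom error page)"
    return "positive vulnerability"

def custom_404(path: str) -> str:
    """Constructed catch-all page: HTTP 200 but really a 'not found'."""
    page = f"<html><body><h1>Oops</h1><p>{path} is not on this site.</p></body></html>"
    return f"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n{page}"

BASELINE_PATH = "/zz9-plural-z-alpha.html"   # constructed, cannot exist
PROBE_PATH = "/leftover-sample.html"          # constructed scanner hit
REAL_404 = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<h1>Not Found</h1>"
SAMPLE_SCRIPT = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 "<html><body><pre>SAMPLE SCRIPT OUTPUT</pre></body></html>")

if __name__ == "__main__":
    print(classify(PROBE_PATH, custom_404(PROBE_PATH),
                   BASELINE_PATH, custom_404(BASELINE_PATH)))
```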

WebDAV

- WebDAV is a CVS system for web servers
  - Allows for editing/modification/creation of web pages without having access to files on the server
  - Uses normal HTTP auth
    - Basic, Digest, NTLM, etc
- Generally users do not need WebDAV for production servers, so turn it off (or secure it)
- Connect to the server and use the HTTP OPTIONS method to see if it's enabled
  - Test with tools like DAVExplorer, DAVE, PerlDAV, (FrontPage?)
- Turn off methods other than GET, POST, and HEAD
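Added example, not from the slides: read the reply to an OPTIONS request and report what is still enabled beyond the allow-list of GET, POST and HEAD, so the same check can be re-run after lockdown. The responses are constructed; Allow and DAV are the header names a WebDAV-capable server actually answers with.

```python
# Added example, not from the slides: audit an OPTIONS reply against the
# slide's allow-list. Responses are constructed; "Allow" and "DAV" are the
# real header names a WebDAV-enabled server answers with.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}

def headers(raw: str) -> dict:
    """Header name (lowercased) -> value, from a raw HTTP response."""
    head = raw.partition("\r\n\r\n")[0].split("\r\n")[1:]
    return {k.strip().lower(): v.strip() for k, sep, v in
            (line.partition(":") for line in head) if sep}

def audit_options(raw: str) -> dict:
    """Flag WebDAV (DAV header present) and any method outside the allow-list."""
    hdrs = headers(raw)
    allow = {m.strip().upper() for m in hdrs.get("allow", "").split(",") if m.strip()}
    extra = sorted(allow - ALLOWED_METHODS)
    webdav = "dav" in hdrs   # e.g. "DAV: 1,2" means mod_dav (or a variant) is on
    return {"webdav_enabled": webdav, "extra_methods": extra,
            "locked_down": not webdav and not extra}

# Constructed replies: before lockdown (mod_dav and TRACE on) and after.
BEFORE = ("HTTP/1.1 200 OK\r\nDAV: 1,2\r\n"
          "Allow: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND, "
          "PROPPATCH, COPY, MOVE, LOCK, UNLOCK\r\nContent-Length: 0\r\n\r\n")
AFTER = "HTTP/1.1 200 OK\r\nAllow: GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print("before:", audit_options(BEFORE))
    print("after: ", audit_options(AFTER))
```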

HTTP Options

Turning off HTTP verbs

- Apache
  - Uninstall/disable Mod_DAV (or variants)
    - Look for DAV On in webconf file(s)
  - Mod_Rewrite +
      RewriteEngine On
      RewriteCond %{REQUEST_METHOD} ^(TRACE|…|…)
      RewriteRule .* - [F]
- IIS
  - Web Service Extensions Manager (in IIS Manager MMC)
  - (4.0 + 5.0) URLScan + DenyVerbs

HTTPS

- HTTPS (HTTP over SSL) is a requirement on a lot of websites
- Provides Confidentiality
  - Not only for PII or credit card info, but also for session tokens (more later)
- Provides Integrity
  - MITM attacks
- Authentication as well, but leave that for another time
- Strength of the SSL cipher used is important depending on the information being protected
  - "weak" ciphers can be broken in as little as 4 hours

SSL Negotiation

- SSL selects the best cipher to use by negotiation between the server and browser
  - Select the highest common available cipher
- SSLv2 Downgrade Attack
  - Force a weaker cipher than is available
  - Only allow "strong" ciphers
- Use SSLDigger and OpenSSL to check ciphers and versions


Removing SSL Ciphers

- Apache
  - Mod_SSL +
      SSLCipherSuite HIGH:+MEDIUM:!LOW:!SSLv2
  - '+' adds a cipher, '!' removes a cipher
  - Can select specific ciphers instead of aliases
      SSLCipherSuite !AES256-SHA:+RC2-CBC-MD5
- IIS
  - Site Properties, Directory Security
    - Require 128 Bits
  - Can remove ciphers via RegEdit



Conclusion/wrap-up

- Ensure that the machine is as "clean" as possible
  - Stop unnecessary services and close the ports
  - Remove all unnecessary pages / scripts / interfaces
- Disable unneeded HTTP methods
- Use SSLv3/TLS
- Remove all SSL ciphers other than "strong" or above
- See...
  - LAMP - http://www.apachesecurity.net/
  - WISA - http://msdn2.microsoft.com/en-us/library/ms994921.aspx

Next Up: Authentication

Credits/references

- NetCat - http://netcat.sourceforge.net/ (also available in Cygwin - http://www.cygwin.com/)
- SecurityFocus.com, Secunia.com, OSVDB.org
- HTTPrint - http://net-square.com/httprint/
- nMap - http://insecure.org/nmap/
- Apache documentation
  - http://httpd.apache.org/docs/1.3/mod/core.html#servertokens
  - http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
- IISLockdown - http://www.microsoft.com/downloads/details.aspx?FamilyID=DDE9EFC0-BB30-47EB-9A61-FD755D23CDEC
- URLScan - http://www.microsoft.com/technet/security/tools/urlscan.mspx
- Brute force weak SSL ciphers - http://www.cl.cam.ac.uk/~rnc1/brute.html
- IIS SSL Ciphers registry hack
  - http://support.microsoft.com/kb/216482
  - http://support.microsoft.com/kb/187498