WebSec 101: Configuration
Presented By
Mike Andrews
[email protected]
Copyright © 2009, McAfee, Inc.
Intro Music by DoKashiteru via CCMixter
Nothing in isolation
(stack diagram; bottom layer: Operating System)
Attack Surface
► Attack surface is the total set of points (attack vectors) through which an attacker can get at a system
► Think of a house, with doors and windows as the attack vectors
► Minimize the surface area - the fewer doors and windows there are, the fewer you have to keep locked and secure
From the bottom
► Each running network service is a door or window
► Generally, on a WebApp you only want external users to reach ports 80 and 443
● Turn off services like Telnet, FTP, SMTP, etc.
● Some may be necessary - filter them at the firewall so only the hosts that need them can connect
► Some servers can also be administered via web pages on administrative ports; those pages are attack surface too
● e.g. http://servername:5842
nMap – “Network Mapper”
► Look for high-numbered TCP ports that are open, not just 80 and 443
► Connect to each of them and send an HTTP request to see whether something web-like answers
● HEAD / HTTP/1.0
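A worked version of the two steps above, added here as an example (it is not code from the original slides): it takes nmap's grepable output, lists the open TCP ports, flags the ones a web server has no business exposing, and builds the HEAD probe. The host 192.0.2.10, the hostname web1 and the port list are constructed sample data, not a real scan.

```shell
#!/bin/sh
# Added example, not from the original slides. Enumerate open TCP ports from
# nmap's grepable (-oG) output and build the HEAD probe described on the slide.

# One line of `nmap -oG - -p- 192.0.2.10` output, constructed for this example
# (nmap separates the Host/Ports/Ignored sections with tabs).
SAMPLE_NMAP=$(printf 'Host: 192.0.2.10 (web1)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/filtered/tcp//mysql///, 5842/open/tcp//unknown///\tIgnored State: closed (65531)')

# open_tcp_ports: read grepable nmap output on stdin, print the open TCP ports
# space-separated on one line. Each port entry is port/state/proto/owner/service/rpc/version,
# so after splitting on "," the port number is the last word before the first "/".
open_tcp_ports() {
  tr ',' '\n' | awk -F'/' '
    $2 == "open" && $3 == "tcp" {
      n = split($1, a, " ")
      printf "%s%s", (c++ ? " " : ""), a[n]
    }
    END { printf "\n" }'
}

# unexpected_ports: drop the ports a public web server is expected to expose;
# whatever is left needs a justification or a firewall rule.
unexpected_ports() {
  out=""
  for p in $(open_tcp_ports); do
    case "$p" in
      80|443) ;;
      *) out="$out $p" ;;
    esac
  done
  printf '%s\n' "${out# }"
}

# head_request: the probe bytes. HTTP/1.0 keeps it to one request/response
# with no keep-alive or chunked encoding to worry about.
head_request() {
  printf 'HEAD / HTTP/1.0\r\n\r\n'
}

# probe_port HOST PORT: send the HEAD request with netcat (-w 3 = 3 s timeout)
# and show the status line, if the thing on that port speaks HTTP at all.
# Needs network access, so it is not exercised offline.
probe_port() {
  head_request | nc -w 3 "$1" "$2" 2>/dev/null | head -n 1
}

# Typical use against a live host:
#   nmap -oG - -p- 192.0.2.10 | unexpected_ports
#   for p in $(nmap -oG - -p- 192.0.2.10 | open_tcp_ports); do probe_port 192.0.2.10 "$p"; done
```

The filtered 3306 is deliberately left out of the list: a filtered port is a firewall rule doing its job, which is exactly the "some may be necessary - filter at firewall" case from the slide.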
Checking for known vulnerabilities
► Need to know the type and version of the OS and webserver
● From an internal/white-box point of view this is
► Can be done for both OS and webserver
● nmap -O
● HEAD request --> Server header
They Lie!
► Sometimes there is no Server: header, and sometimes it lies (admins edit or strip the banner)
● Fingerprint on response differences instead: header order and wording, and how the server reacts to unusual or malformed requests, differ between implementations and are much harder to fake than a banner
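The "no banner, or a lying banner" point as an added example (not code from the original slides): it pulls Server and X-Powered-By out of a HEAD response, reports when they are missing, and applies one httprint-style heuristic that the banner cannot influence, namely where the Date header sits. Both responses are constructed samples, and the header-order rule (Apache sends Date first, IIS sends it last) is an illustrative assumption for this example, not httprint's actual signature database.

```shell
#!/bin/sh
# Added example, not from the original slides. Banner extraction plus one
# banner-independent fingerprinting heuristic for HEAD responses.

# Constructed Apache-style response: Date is the first header, banner present.
RESP_A=$(printf 'HTTP/1.1 200 OK\r\nDate: Mon, 02 Mar 2009 10:00:00 GMT\r\nServer: Apache/1.3.0 (Unix) PHP/3.0\r\nX-Powered-By: PHP/3.0\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n')

# Constructed response with the Server header removed entirely, Date last
# (the layout IIS uses). The banner says nothing; the layout still talks.
RESP_B=$(printf 'HTTP/1.1 200 OK\r\nContent-Length: 1433\r\nContent-Type: text/html\r\nDate: Mon, 02 Mar 2009 10:00:00 GMT\r\n\r\n')

# header_value NAME RESPONSE: value of the first header called NAME
# (case-insensitive), or "(none)" when the response does not carry it.
header_value() {
  printf '%s\n' "$2" | tr -d '\r' | awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    NR == 1 { next }                   # status line
    /^$/    { exit }                   # blank line ends the headers
    {
      name = $0; sub(/:.*/, "", name)
      if (tolower(name) == want) {
        val = $0; sub(/^[^:]*:[ \t]*/, "", val)
        print val; found = 1; exit
      }
    }
    END { if (!found) print "(none)" }'
}

# header_order_guess RESPONSE: assumed heuristic for this example - Apache
# emits Date as the first header, IIS emits it as the last one.
header_order_guess() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    NR == 1 { next }
    /^$/    { exit }
    { n++; name = $0; sub(/:.*/, "", name); if (tolower(name) == "date") pos = n }
    END {
      if (pos == 1)               print "apache-like (Date is the first header)"
      else if (n > 0 && pos == n) print "iis-like (Date is the last header)"
      else                        print "unknown"
    }'
}

# fingerprint RESPONSE: everything one HEAD response tells an attacker.
fingerprint() {
  printf 'server=%s; powered-by=%s; order=%s\n' \
    "$(header_value Server "$1")" \
    "$(header_value X-Powered-By "$1")" \
    "$(header_order_guess "$1")"
}

# banner_probe HOST PORT: live version (needs network, not run offline):
#   fingerprint "$(banner_probe www.example.com 80)"
banner_probe() {
  printf 'HEAD / HTTP/1.0\r\n\r\n' | nc -w 3 "$1" "$2" 2>/dev/null
}
```

Note that RESP_B yields server=(none) but still gets classified: removing the banner (next slide) defeats the lazy version lookup, not the fingerprinting.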
How does HTTPrint work out the server type?
Join the dots
► Given a webserver type/version, sometimes the OS can be determined
● IIS/6.0 → Windows box
● Sun ONE → Solaris
● Apache → ??? (it runs on almost anything; combine with nmap -O)
With information comes power!
► What to do with this info?
● Look up known vulnerabilities for the platform and version (SecurityFocus, Secunia, OSVDB - see references)
Changing the SERVER header
► Smells of “security by obscurity” - it removes the easy version lookup, it does not remove the vulnerability
► I believe that …
Apache/1.3.0 (Unix) PHP/3.0 SomeMod/9.3 …
…is too much info
► Apache (>1.3)
● ServerTokens Prod[uctOnly]
► IIS
● IISLockdown/URLScan + RemoveServerHeader
● Remember the X-POWERED-BY header as well!
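The Apache side of that, as an added configuration example (not from the slides). The directives are real Apache 1.3/2.x directives; the comments show what each one changes in the banner above.

```apacheconf
# Added example, not from the original slides: trimming what the
# Server header gives away. httpd.conf, Apache 1.3 or 2.x.

# "Apache/1.3.0 (Unix) PHP/3.0 SomeMod/9.3" becomes just "Apache"
ServerTokens Prod

# Error pages and directory listings otherwise print version and vhost name
ServerSignature Off

# PHP adds its own "X-Powered-By: PHP/x.y" unless expose_php=Off in php.ini.
# Belt and braces: strip it at the server as well (needs mod_headers).
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>
```

On IIS the equivalent is `RemoveServerHeader=1` in the `[Options]` section of urlscan.ini (or `AlternateServerName=` to send something bland), and ASP.NET's `X-Powered-By` is a custom header configured under HTTP Headers in IIS Manager. Verify with the same HEAD request used for discovery, and remember from the previous slide that hiding the banner does not stop behavioural fingerprinting.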
Scanning products
► Various products are available to scan machines/networks for known vulns
► Network scanning vs Application scanning - network scanners identify services and versions and match them against known issues, application scanners exercise the web application itself
Rest of the stack
► What about vulns in the rest of the stack?
● Issues with the app, framework and libraries will be addressed in future webcasts
● In terms of configuration, we want to remove unnecessary features/components and secure the ones that are left
► Left over files, samples, demos, etc.
► Weak server configuration
Reviewing the web root
► Much easier to do if you have local access
► Look for all the places that are mapped into the web server's URL space (there is usually more than one)
● Apache - httpd.conf → DocumentRoot, plus any Alias / ScriptAlias and per-VirtualHost DocumentRoot entries
● IIS - IIS Manager → Web Sites + Virtual Directories
► Review files and directories - remove those that are not necessary to running the application
● If in doubt, move the file/directory out of the web root(s) and see if the application still functions normally (try it on a VM clone first)
► Also look for installed applications - does anyone really need MSOffice on the web server? Games? CS Server?
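Two helpers for that review, added here as an example (not code from the original slides): `mapped_paths` reads an httpd.conf and lists every directory the server exposes, and `leftover_files` walks a root looking for the kind of debris the next slides describe (editor backups, sample CGIs, bundled manuals, installer leftovers). The config fragment and the directory tree it is run against are constructed here so the example runs offline; the file-name patterns are the usual suspects, not an exhaustive signature list.

```shell
#!/bin/sh
# Added example, not from the original slides: enumerate what Apache maps
# into URL space, then hunt for leftovers under those directories.

# Constructed httpd.conf fragment for this example.
SAMPLE_CONF=$(cat <<'EOF'
# constructed httpd.conf fragment
DocumentRoot "/var/www/html"
Alias /icons/ "/usr/share/httpd/icons/"
Alias /manual "/usr/share/httpd/manual"
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<VirtualHost *:80>
    ServerName admin.example.com
    DocumentRoot /var/www/admin
</VirtualHost>
EOF
)

# mapped_paths: read httpd.conf on stdin, print "url-prefix filesystem-path"
# for every DocumentRoot (reported as "/"), Alias and ScriptAlias.
# Comments are dropped and quotes stripped first.
mapped_paths() {
  sed 's/#.*//; s/"//g' | awk '
    $1 == "DocumentRoot"                 { print "/", $2 }
    $1 == "Alias" || $1 == "ScriptAlias" { print $2, $3 }'
}

# leftover_files ROOT...: files under each root that match the usual debris:
# backup/editor copies, sample and test scripts, bundled manuals, installers.
# Paths are printed relative to the root, sorted. (-iname/-ipath are GNU and
# BSD find extensions.)
leftover_files() {
  for root in "$@"; do
    [ -d "$root" ] || continue
    ( cd "$root" && find . \( -name '*.bak' -o -name '*.old' -o -name '*.orig' -o -name '*~' \
        -o -name '*.swp' -o -iname 'printenv*' -o -iname 'test-cgi*' -o -iname 'phpinfo*' \
        -o -iname 'install*' -o -ipath '*/sample*' -o -ipath '*/manual/*' \) -type f -print )
  done | sort
}

# make_sample_root: build a throw-away tree that looks like a neglected web
# root and print its path. Constructed data; remove it when done.
make_sample_root() {
  d=$(mktemp -d)
  mkdir -p "$d/samples" "$d/manual" "$d/cgi-bin" "$d/admin"
  : > "$d/index.html"
  : > "$d/index.html.bak"
  : > "$d/admin/login.php~"
  : > "$d/samples/hello.php"
  : > "$d/manual/index.html"
  : > "$d/cgi-bin/printenv"
  : > "$d/cgi-bin/search.cgi"
  printf '%s\n' "$d"
}

# Real use: mapped_paths < /etc/httpd/conf/httpd.conf
#           leftover_files /var/www/html /var/www/cgi-bin /usr/share/httpd/manual
```

For the "does anyone need MSOffice on the web server" question the same idea applies one layer down: diff `rpm -qa` or `dpkg -l` against the package list of a minimal install and justify every extra line.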
► Example of a (free) tool which scans for potentially vulnerable files/settings
► Can generate a lot of false positives
● HTTP codes (404s etc.) - the scanner decides “found” from the status code
● The “200 OK problem” - servers that answer 200 for every URL (custom error pages, catch-all handlers) make every signature look like a hit
► Not necessarily security problems, but should be verified
● Left-over installation files / example scripts
● Known vulnerabilities / old versions
● Use -update to get the most current signatures
− Can also add your own custom ones
[Flowchart: Identifying resources - “Does it …?” with branches ending in “No vulnerability” and “False Positive”]
WebDAV
► WebDAV is an HTTP extension for remote authoring - think of it as a version control system (like CVS) built into the web server
● Allows for editing/modification/creation of web pages without having file access to the server
● Uses normal HTTP auth – Basic, Digest, NTLM, etc.
► Generally users do not need WebDAV on production servers, so turn it off (or secure it)
► Connect to the server and use the HTTP OPTIONS method to see if it’s enabled
● Test with tools like DAVExplorer, DAVE, PerlDAV, (FrontPage?)
● Turn off methods other than GET, POST, and HEAD
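The OPTIONS check in script form, added here as an example (not code from the original slides): it builds the probe, parses the Allow and DAV headers out of the reply, and lists the methods a read-only web application should not be accepting. The response is a constructed sample in the style of an IIS 6 box with WebDAV switched on.

```shell
#!/bin/sh
# Added example, not from the original slides: OPTIONS probe and triage.

# Constructed OPTIONS response, IIS-with-WebDAV style.
OPTIONS_RESP=$(printf 'HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nAllow: OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK\r\nDAV: 1, 2\r\nMS-Author-Via: DAV\r\nContent-Length: 0\r\nDate: Mon, 02 Mar 2009 10:00:00 GMT\r\n\r\n')

# What a read-only application needs. OPTIONS itself is harmless; everything
# else is a finding until somebody explains why it is there.
SAFE_METHODS="GET POST HEAD OPTIONS"

# options_request: the probe bytes (OPTIONS against the site root)
options_request() {
  printf 'OPTIONS / HTTP/1.0\r\n\r\n'
}

# options_probe HOST PORT: live version, needs network, not run offline:
#   risky_methods "$(options_probe www.example.com 80)"
options_probe() {
  options_request | nc -w 3 "$1" "$2" 2>/dev/null
}

# allowed_methods RESPONSE: the Allow header as a space-separated list
allowed_methods() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    NR == 1 { next }
    /^$/    { exit }
    tolower($1) == "allow:" { sub(/^[^:]*:[ \t]*/, ""); gsub(/,[ \t]*/, " "); print; exit }'
}

# dav_enabled RESPONSE: "yes" if the server advertises WebDAV compliance
# classes in a DAV: header, otherwise "no"
dav_enabled() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    NR == 1 { next }
    /^$/    { exit }
    tolower($1) == "dav:" { found = 1 }
    END { print (found ? "yes" : "no") }'
}

# risky_methods RESPONSE: allowed methods that are not in SAFE_METHODS
risky_methods() {
  out=""
  for m in $(allowed_methods "$1"); do
    case " $SAFE_METHODS " in
      *" $m "*) ;;
      *) out="$out $m" ;;
    esac
  done
  printf '%s\n' "${out# }"
}
```

Allow is what the server claims, not what it does: a filter such as URLScan can block PUT without changing the header, and some servers accept methods they do not advertise. Confirm a finding with a real PROPFIND or a PUT to a test path before reporting it, and re-run the probe after turning methods off.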
HTTP Options
Turning off HTTP verbs
► Apache
● Uninstall/disable mod_dav (or variants)
− Look for DAV On in the web config file(s)
● mod_rewrite +
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|…|…)
RewriteRule .* - [F]
− Any request whose method matches the RewriteCond gets a 403 Forbidden
► IIS
● Web Service Extensions Manager (in IIS Manager MMC)
● (4.0 + 5.0) URLScan + DenyVerbs
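A fuller Apache configuration for the same job, added here as an example (not from the slides). The slide's rewrite rule denies a list of known-bad verbs; this version allow-lists the three the application needs and refuses everything else, which also covers verbs nobody thought to put in the deny list. The directives are real Apache 2.2 directives.

```apacheconf
# Added example, not from the original slides: allow-listing HTTP methods.

# TRACE is answered by the core before most modules see the request, so use
# the dedicated switch (Apache 1.3.34+ / 2.0.55+) rather than relying on rewrites.
TraceEnable Off

<Location />
    # WebDAV off everywhere, even if mod_dav stays loaded (grep configs for "DAV On")
    <IfModule mod_dav.c>
        DAV Off
    </IfModule>

    # Refuse every method except GET, POST and HEAD.
    # (2.2 access-control syntax; Apache 2.4 uses "Require all denied" instead)
    <LimitExcept GET POST HEAD>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Location>

# Belt and braces with mod_rewrite, the slide's rule inverted:
# anything not on the allow-list gets a 403.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [F]
```

The URLScan equivalent on IIS is `UseAllowVerbs=1` in `[Options]` with GET, HEAD and POST listed under `[AllowVerbs]`, which is the same allow-list idea. Either way, check with an OPTIONS probe afterwards and then try a PUT: a 403 on the PUT is the result you want, the Allow header alone is not proof.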
► HTTPS (HTTP over SSL) is a requirement on a lot of websites
● Provides Confidentiality
− Not only for PII or credit card info, but also for session tokens (more later)
● Provides Integrity
− Defends against MITM tampering with requests and responses
● Authentication as well, but leave that for another webcast
► Strength of the SSL cipher used is important, depending on the information being protected
● “weak” ciphers can be broken in as little as 4 hours
SSL Negotiation
► SSL selects the cipher to use by negotiation between the server and browser
● Each side offers the ciphers it supports; the strongest one both have in common should be selected
► SSLv2 Downgrade Attack
● Force a weaker cipher than is available - the SSLv2 handshake is not integrity-protected, so a man-in-the-middle can strip the stronger ciphers from the offered list without either side noticing
● Only allow “strong” ciphers, and disable SSLv2 altogether
► Use SSLDigger and OpenSSL to check ciphers and versions
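The OpenSSL side of that check, added here as an example (not code from the original slides): `classify_cipher` grades one line of `openssl ciphers -v` output by the criteria the slides use for "weak" (export grade, no encryption, SSLv2-only, under 128 key bits), `weak_cipher_names` turns a whole list into the set worth probing, and `probe_cipher` is the `s_client` handshake that tells you whether a server actually accepts one of them. The six cipher lines are constructed in the OpenSSL 0.9.8 output format; run the real command to get your build's list.

```shell
#!/bin/sh
# Added example, not from the original slides: grade ciphers from
# `openssl ciphers -v` output and probe a server for the weak ones.

# Constructed sample of `openssl ciphers -v ALL` output (0.9.8 format):
# name protocol Kx= Au= Enc=alg(bits) Mac= [export]
CIPHER_LIST=$(cat <<'EOF'
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
EOF
)

# classify_cipher LINE: print "WEAK name (reasons)" or "OK   name".
# Weak means export grade, null encryption, SSLv2-only, or fewer than 128 key
# bits - the ones brute force reaches in the timeframe the slide quotes.
classify_cipher() {
  set -- $1                        # split into: name proto Kx Au Enc Mac [export]
  name=$1; proto=$2
  enc=""; bits=""; reasons=""
  for w in "$@"; do
    case "$w" in Enc=*) enc=${w#Enc=} ;; esac
  done
  case "$enc" in *"("*")") bits=${enc#*"("}; bits=${bits%")"} ;; esac
  case "$*" in *export*) reasons="export" ;; esac
  if [ "$enc" = "None" ]; then reasons="${reasons:+$reasons,}null-encryption"; fi
  if [ "$proto" = "SSLv2" ]; then reasons="${reasons:+$reasons,}sslv2"; fi
  if [ -n "$bits" ] && [ "$bits" -lt 128 ]; then reasons="${reasons:+$reasons,}${bits}-bit"; fi
  if [ -n "$reasons" ]; then
    printf 'WEAK %s (%s)\n' "$name" "$reasons"
  else
    printf 'OK   %s\n' "$name"
  fi
}

# weak_cipher_names: read `openssl ciphers -v` output on stdin, print the weak
# cipher names space-separated (the list to feed to probe_cipher).
weak_cipher_names() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    classify_cipher "$line"
  done | awk '$1 == "WEAK" { printf "%s%s", (c++ ? " " : ""), $2 } END { printf "\n" }'
}

# probe_cipher HOST PORT CIPHER: attempt a handshake restricted to one cipher
# and report whether the server took it. Needs network, so not run offline.
# Add -ssl2 (on OpenSSL builds that still include SSLv2) to test the protocol
# downgrade itself rather than a single cipher.
probe_cipher() {
  if printf 'HEAD / HTTP/1.0\r\n\r\n' | openssl s_client -connect "$1:$2" -cipher "$3" 2>/dev/null \
       | grep -q "Cipher *: $3"; then
    echo accepted
  else
    echo rejected
  fi
}

# Real use:
#   for c in $(openssl ciphers -v ALL | weak_cipher_names); do
#     printf '%s: %s\n' "$c" "$(probe_cipher www.example.com 443 "$c")"
#   done
```

RC4-MD5 passes the 2009 criteria used here on key length alone; treat the thresholds as the floor the slides set, not as a statement that everything marked OK is still acceptable.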
Removing SSL Ciphers
► Apache
● mod_ssl + SSLCipherSuite
− ‘!’ kills a cipher so nothing later in the list can re-add it, ‘-’ removes it but allows a later entry to re-add it, ‘+’ moves matching ciphers that are already in the list (it adds nothing new)
− Can select specific ciphers instead of aliases
− SSLCipherSuite !AES256-SHA:+RC2-CBC-MD5 (syntax illustration only - you would not want to drop AES and promote RC2)
► IIS
● Site Properties → Directory Security → Require 128 Bits
● Can remove ciphers via RegEdit (SCHANNEL keys - see the KB articles in the references)
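A production-shaped mod_ssl configuration next to the slide's syntax-only example, added here (not from the slides). The directives are real Apache 2.x mod_ssl directives; the cipher specification is one reasonable reading of "strong only" for the era the slides describe.

```apacheconf
# Added example, not from the original slides: restricting mod_ssl to
# strong ciphers. httpd.conf / ssl.conf, Apache 2.x.

# From the slide, for the syntax only: kills AES256-SHA for good and moves
# RC2-CBC-MD5 up the list. Do not use this one.
#   SSLCipherSuite !AES256-SHA:+RC2-CBC-MD5

# 1. No SSLv2 at all: its handshake is not integrity-protected, which is what
#    makes the cipher-rollback (downgrade) attack work.
SSLProtocol all -SSLv2

# 2. Start from the HIGH alias (128-bit and up) and kill whole classes:
#    anonymous key exchange, NULL encryption, export grade, LOW, SSLv2-only
#    suites and MD5 MACs. "!" means "and never let a later entry re-add it".
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2:!MD5

# 3. Let the server's order win over the browser's (Apache 2.2 and later),
#    so a client that lists a weaker common cipher first does not get it.
SSLHonorCipherOrder on
```

Preview what the specification expands to with `openssl ciphers -v 'HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2:!MD5'` before restarting, then confirm with `openssl s_client -connect host:443 -cipher EXP` (should fail) and `-cipher AES256-SHA` (should succeed). On IIS the registry route is a DWORD `Enabled` = 0 under each unwanted cipher and protocol key beneath `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL`, as described in the KB articles in the references.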
► Ensure that the machine is as “clean” as possible
● Stop unnecessary services and close the ports
● Remove all unnecessary pages / scripts / interfaces
► Disable HTTP methods the application does not use
► Remove all SSL ciphers other than “strong” or above
► Further reading
● LAMP - http://www.apachesecurity.net/
● WISA - http://msdn2.microsoft.com/en-us/library/ms994921.aspx
Next Up: Authentication
References
► Netcat
● http://netcat.sourceforge.net/
● (also available in Cygwin - http://www.cygwin.com/)
► Vulnerability databases
● SecurityFocus.com, Secunia.com, OSVDB.org
► HTTPrint
● http://net-square.com/httprint/
► nmap
● http://insecure.org/nmap/
► Apache documentation
● http://httpd.apache.org/docs/1.3/mod/core.html#servertokens
● http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
► IISLockdown / URLScan
● http://www.microsoft.com/downloads/details.aspx?FamilyID=DDE9E
● http://www.microsoft.com/technet/security/tools/urlscan.mspx
► Brute force weak SSL ciphers
● http://www.cl.cam.ac.uk/~rnc1/brute.html
► SSL Ciphers registry hack
● http://support.microsoft.com/kb/216482
● http://support.microsoft.com/kb/187498