LESSON 10

WEB SECURITY AND PRIVACY

"License for Use" Information

The following lessons and workbooks are open and publicly available under the following terms and conditions of ISECOM:

All works in the Hacker Highschool project are provided for non-commercial use with elementary school students, junior high school students, and high school students whether in a public institution, private institution, or a part of home-schooling. These materials may not be reproduced for sale in any form. The provision of any class, course, training, or camp with these materials for which a fee is charged is expressly forbidden without a license including college classes, university classes, trade-school classes, summer or computer camps, and similar. To purchase a license, visit the LICENSE section of the Hacker Highschool web page at www.hackerhighschool.org/license.

The HHS Project is a learning tool and as with any learning tool, the instruction is the influence of the instructor and not the tool. ISECOM cannot accept responsibility for how any information herein is applied or abused.

The HHS Project is an open community effort and if you find value in this project, we do ask you support us through the purchase of a license, a donation, or sponsorship.

All works copyright ISECOM, 2004.
LESSON 10 - WEB SECURITY AND PRIVACY

Table of Contents

"License for Use" Information
Contributors
10.1 Fundamentals of Web Security
10.1.1 How the web really works
10.1.2 Rattling the Locks
10.1.3 Looking through Tinted Windows - SSL
10.1.4 Having someone else do it for you - Proxies
10.2 Web Vulnerabilities
10.2.1 Scripting Languages
10.2.2 Common Web Application Problems
10.2.3 Guidelines for Building Secure Web Applications
10.3 HTML Basics - A brief introduction
10.3.1 Reading HTML
10.3.2 Viewing HTML at its Source
10.3.3 Links
10.3.4 Proxy methods for Web Application Manipulation
10.4 Protecting your server
10.4.1 Firewall
10.4.2 Intrusion Detection System (IDS)
10.5 Secure Communications
10.5.1 Privacy and Confidentiality
10.5.2 Knowing if you are communicating securely
10.6 Methods of Verification
10.6.1 OSSTMM
Exercises
Further Reading
Contributors

Simon Biles
Pete Herzog, ISECOM
Bill Matthews
Hernán Marcelo Racciatti
Chris Ramirez
P. Shreekanth
Kim Truett, ISECOM
Marta Barceló, ISECOM
Dario Riquelme Zornow
10.1 Fundamentals of Web Security

What you do on the World Wide Web is your business. Or so you would think. But it's just not true. What you do on the web is about as private and anonymous as where you go when you leave the house. Again, you would think that it's your business and many, including ISECOM, would agree with you. However, consider a private investigator following you around town, writing down what you saw and who you spoke with.

The focus of this lesson is to get you to learn how to protect yourself on the web and to do that, you will have to learn where the dangers are.

The World Wide Web works in a very straightforward manner. Once connected to the Internet through your ISP, you open a browser, tell it a website, and you get that website on your screen. However, the truth is in the details. How does the web really work?

A quick trip to the World Wide Web Consortium (W3C), those fine folks who make standards for the web, will teach you all you want to know about the web: http://www.w3.org. Even the history of the web: http://www.w3.org/History.html. The problem is, will definitions and standards teach you how to be safe? Apparently not. The people who want to hurt you do not necessarily follow the standards.
10.1.1 How the web really works

The steps involved in connecting to the Internet and then to the web are very detailed even if it does seem to be smooth from the user end.

So what happens for real when you just want to get to the ISECOM website? Assuming you are already connected to the internet, here are the steps that occur in order:

1. You open your browser.
2. You type in the URL (website name).
3. The website name is saved in the History cache on the hard disk.
4. Your computer looks up the name of the address with your default DNS server to find the IP address.
5. Your computer connects to the server at the IP address provided, at the default web port of 80 TCP if you used "HTTP://" or 443 TCP if you used "HTTPS://" at the front of the web server name (by the way, if you used HTTPS then there are other steps involved using server certificates which we will not follow in this example).
6. Your computer requests the page or directory you specified, with the default often being "index.htm" if you don't specify anything. But the server decides its default and not your browser.
7. The pages are stored in a cache on your hard disk. Even if you tell it to store the information in memory (RAM), there is a good chance it will end up somewhere on your disk either in a PAGEFILE or in a SWAPFILE.
8. The browser nearly instantaneously shows you what it has stored. Again, there is a difference between "perceived speed" and "actual speed" of your web surfing, which is actually the difference between how fast something is downloaded (actual) and how fast your browser and graphics card can render the page and graphics and show them to you (perceived). Just because you didn't see it doesn't mean it didn't end up in your browser cache.
The history of the World Wide Web (just "web" from now on) started at CERN (Conseil Européen pour la Recherche Nucléaire, the European Council for Nuclear Research) in 1989. It was conceived by Tim Berners-Lee and Robert Cailliau who built a basic hypertext based system for sharing information. Over the next few years Tim Berners-Lee continued to develop the system until in 1993 CERN announced that the web was free for anyone to use, and the web as we know it now exploded onto the scene.

The Web is a client and server based concept, with clients such as Internet Explorer, Firefox, Mozilla, Opera, Netscape and others connecting to web servers such as IIS and Apache which supply them with content in the form of HTML (Hyper Text Markup Language) pages. Many companies, organizations and individuals have collections of pages hosted on servers delivering a large amount of information to the world at large.

So why do we care about web security then? Web servers often are the equivalent to the shop window of a company. It is a place where you advertise and exhibit information, but this is supposed to be under your control. What you don't want to do is leave the window open so that any passer-by can reach in and take what they want for free, and you ideally want to make sure that if someone throws a brick, the window doesn't shatter! Unfortunately web servers are complex programs, and as such have a high probability of containing a number of bugs, and these are exploited by the less scrupulous members of society to get access to data that they shouldn't be seeing.

And the reverse is true as well. There are risks also associated with the client side of the equation, like your browser. There are a number of vulnerabilities which have been discovered in the last year which allow a malicious web site to compromise the security of a client machine making a connection to it.
10.1.2 Rattling the Locks

Standard HTML pages are transferred using HTTP (Hyper Text Transfer Protocol). This standard TCP based protocol is plain text based and this means that we can make connections to a server easily using tools such as "telnet" or "netcat". We can use this facility to gain a great deal of information about what software is running on a specific server. For example:

simon@exceat:~> netcat www.computersecurityonline.com 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 07 Jan 2005 10:24:30 GMT
Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) PHP/4.2.3
Last-Modified: Mon, 27 Sep 2004 13:17:54 GMT
ETag: "1f81d-32a-41581302"
Accept-Ranges: bytes
Content-Length: 810
Connection: close
Content-Type: text/html

By entering "HEAD / HTTP/1.0" followed by hitting the "Return" key twice, I can gain all of the information above about the HTTP server. Each version and make of HTTP server will return different information at this request - an IIS server will return the following:
simon@exceat:~> netcat www.microsoft.com 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Connection: close
Date: Fri, 07 Jan 2005 11:00:45 GMT
Server: Microsoft-IIS/6.0
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: public, max-age=9057
Expires: Fri, 07 Jan 2005 13:31:43 GMT
Last-Modified: Fri, 07 Jan 2005 10:45:03 GMT
Content-Type: text/html
Content-Length: 12934

You can take this further and obtain more information by using the "OPTIONS" request in the HTTP request as follows:

simon@exceat:~> netcat www.computersecurityonline.com 80
OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 07 Jan 2005 10:32:38 GMT
Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) PHP/4.2.3
Content-Length: 0
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
Connection: close

This will give you all of the HTTP methods that the server says it will respond to. Keep in mind that both the Server header and the Allow list are whatever the server chooses to send: an administrator can strip or fake either one, so treat them as hints to be confirmed rather than as facts.
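As an added example (not code from the lesson), here is the HEAD and OPTIONS probe above written in Python against a raw socket, with the response parsed and the methods worth a second look flagged. It is also the working version of the connect-and-request steps listed in 10.1.1. The target is a stub server constructed inside the script that replays the Apache banner and Allow list quoted above, so the example runs offline; point fingerprint() at a real host and port to use it against a server you are authorized to test.

```python
"""Added example (not from the Hacker Highschool lesson): the HEAD / OPTIONS
fingerprinting shown above, done with a raw socket instead of netcat, plus a
parser that flags the HTTP methods a tester cares about.  The 'target' is a
local stub server, constructed here so the example runs offline; its banner
and Allow list are copied from the Apache responses quoted in the lesson."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods that deserve a closer look when a server advertises them.
RISKY_METHODS = {
    "PUT": "clients may be able to upload files",
    "DELETE": "clients may be able to remove files",
    "TRACE": "debug method, enables cross-site tracing (XST)",
    "TRACK": "TRACE alias on IIS",
    "CONNECT": "server may act as a proxy",
    "PROPFIND": "WebDAV present, may leak directory listings",
    "PROPPATCH": "WebDAV present",
    "MKCOL": "WebDAV present, collections can be created",
}

# Banner and Allow list as quoted in the lesson; the stub replays them.
STUB_SERVER_HEADER = "Apache/1.3.27 Ben-SSL/1.48 (Unix) PHP/4.2.3"
STUB_ALLOW = ("GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, "
              "PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE")


class _StubHandler(BaseHTTPRequestHandler):
    """Constructed target: answers HEAD and OPTIONS like the quoted Apache box."""
    server_version = STUB_SERVER_HEADER
    sys_version = ""          # suppress the 'Python/x.y' suffix

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", "810")
        self.end_headers()

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", STUB_ALLOW)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):   # keep the demo quiet
        pass


def start_stub_server():
    """Start the constructed target on an ephemeral port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def raw_request(host, port, method, path="/", timeout=5.0):
    """Send one HTTP/1.0 request over a plain TCP socket, exactly as you would
    type it into netcat, and return (status_line, headers_dict)."""
    req = f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:                      # HTTP/1.0: server closes when done
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    head = b"".join(chunks).split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def fingerprint(host, port):
    """HEAD for the banner, OPTIONS for the Allow list; flag risky methods."""
    status, head_hdrs = raw_request(host, port, "HEAD")
    _, opt_hdrs = raw_request(host, port, "OPTIONS")
    allowed = [m.strip().upper() for m in opt_hdrs.get("allow", "").split(",") if m.strip()]
    return {
        "status": status,
        "server": head_hdrs.get("server", "<not disclosed>"),
        "allowed": allowed,
        "risky": {m: RISKY_METHODS[m] for m in allowed if m in RISKY_METHODS},
    }


if __name__ == "__main__":
    srv, port = start_stub_server()
    info = fingerprint("127.0.0.1", port)
    print("Server:", info["server"])
    for m, why in info["risky"].items():
        print(f"  {m:<10} {why}")
    srv.shutdown()
```

The request is HTTP/1.0 with a Host header so that name-based virtual hosts answer for the right site. The Server value is whatever the far end sends: a blank or vendor-neutral banner is a finding in its own right, not proof that nothing is there.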
Doing all of this by hand is rather tedious, and matching it manually against a database of known signatures and vulnerabilities is more than anyone would want to do. Fortunately for us, some very enterprising people have come up with an automated solution called "nikto". "Nikto" is a Perl script which carries out various tests automagically! The options are as follows:

-Cgidirs+   Scan these CGI dirs: 'none', 'all', or a value like '/cgi/'
-cookies    print cookies found
-evasion+   ids evasion technique (1-9, see below)
-findonly   find http(s) ports only, don't perform a full scan
-Format     save file (-o) Format: htm, csv or txt (assumed)
-generic    force full (generic) scan
-host+      target host
-id+        host authentication to use, format is userid:password
-mutate+    mutate checks (see below)
-nolookup   skip name lookup
-output+    write output to this file
-port+      port to use (default 80)
-root+      prepend root value to all requests, format is /directory
-ssl        force ssl mode on port
-timeout    timeout (default 10 seconds)
-useproxy   use the proxy defined in config.txt
-Version    print plugin and database versions
-vhost+     virtual host (for Host header)
 (+ means it requires a value)

These options cannot be abbreviated:
-debug      debug mode
-dbcheck    syntax check scan_database.db and user_scan_database.db
-update     update databases and plugins from cirt.net
-verbose    verbose mode

IDS Evasion Techniques:
1 Random URI encoding (non-UTF8)
2 Directory self-reference (/./)
3 Premature URL ending
4 Prepend long random string
5 Fake parameter
6 TAB as request spacer
7 Random case sensitivity
8 Use Windows directory separator (\)
9 Session splicing

Mutation Techniques:
1 Test all files with all root directories
2 Guess for password file names
3 Enumerate user names via Apache (/~user type requests)
4 Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)

"Nikto" is quite comprehensive in its reporting, as you can see from the following scan:
exceat:/> ./nikto.pl -host www.computersecurityonline.com
---------------------------------------------------------------------------
- Nikto 1.34/1.29 - www.cirt.net
+ Target IP: 20.30.4.2
+ Target Hostname: www.computersecurityonline.com
+ Target Port: 80
+ Start Time: Fri Jan 7 12:23:56 2005
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) PHP/4.2.3
- Server did not understand HTTP 1.1, switching to HTTP 1.0
+ Server does not respond with '404' for error messages (uses '400').
+ This may increase false-positives.
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
+ HTTP method 'PUT' method may allow clients to save files on the web server.
+ HTTP method 'CONNECT' may allow server to proxy client requests.
+ HTTP method 'DELETE' may allow clients to remove files on the web server.
+ HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allowed but a default page exists.
+ HTTP method 'PROPPATCH' may indicate DAV/WebDAV is installed.
+ HTTP method 'TRACE' is typically only used for debugging. It should be disabled.
+ Apache/1.3.27 appears to be outdated (current is at least Apache/2.0.50). Apache 1.3.33 is still maintained and considered secure.
+ Ben-SSL/1.48 appears to be outdated (current is at least 1.55)
+ PHP/4.2.3 appears to be outdated (current is at least 5.0.1)
+ PHP/4.2.3 - PHP below 4.3.3 may allow local attackers to bypass safe mode and gain access to unauthorized files. BID-8203.
+ Apache/1.3.27 - Windows and OS/2 version vulnerable to remote exploit. CAN-2003-0460
+ Apache/1.3.27 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ /~root - Enumeration of users is possible by requesting ~username (responds with Forbidden for real users, not found for non-existent users) (GET).
+ /icons/ - Directory indexing is enabled, it should only be enabled for specific directories (if required). If indexing is not used at all, the /icons directory should be removed. (GET)
+ / - TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
+ / - TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACK)
+ /CVS/Entries - CVS Entries file may contain directory listing information. (GET)
+ /images/ - index of image directory available (GET)
+ /manual/ - Web server manual? tsk tsk. (GET)
+ /cgi-bin/cgiwrap - Some versions of cgiwrap allow anyone to execute commands remotely. (GET)
+ /cgi-bin/cgiwrap/~adm - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap with the '--with-quiet-errors' option to stop user enumeration. (GET)
+ /cgi-bin/cgiwrap/~bin - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap with the '--with-quiet-errors' option to stop user enumeration. (GET)
+ /cgi-bin/cgiwrap/~daemon - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap with the '--with-quiet-errors' option to stop user enumeration. (GET)
+ /cgi-bin/cgiwrap/~lp - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap with the '--with-quiet-errors' option to stop user enumeration. (GET)
+ /cgi-bin/cgiwrap/~root - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap with the '--with-quiet-errors' option to stop user enumeration. (GET)
+ /cgi-bin/cgiwrap/~xxxxx - Based on error message, cgiwrap can likely be used to find valid user accounts. Recompile cgiwrap with the '--with-quiet-errors' option to stop user enumeration. (GET)
+ /cgi-bin/cgiwrap/~root - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap with the '--with-quiet-errors' option to stop user enumeration. (GET)
+ /css - Redirects to http://www.computer-security-online.com/css/ , This might be interesting...
+ 2449 items checked - 15 item(s) found on remote host(s)
+ End Time: Fri Jan 7 12:25:36 2005 (100 seconds)
---------------------------------------------------------------------------
1 host(s) tested

Using the other options you can fine tune Nikto to do exactly what you need to achieve, including stealth, mutation and cookie detection. Note that the "current" versions quoted in this report reflect the scan date (January 2005) and the 1.29 database; Nikto only knows what its database knows, so run it with -update before relying on its version checks.
10.1.3 Looking through Tinted Windows - SSL

It wasn't too long before everyone realized that HTTP in plain text wasn't much good for security. So the next variation was to apply encryption to it. This comes in the form of SSL (Secure Sockets Layer), since superseded by its successor TLS. Public key cryptography is used during the handshake to authenticate the server and agree on a session key; the traffic itself is then encrypted with a symmetric cipher, and it is the length of that symmetric key, historically 40 or 128 bits, that a browser's "40 bit" or "128 bit" label refers to. Using a 40 bit key is a lot less secure than the 128 bit one and, with specialized hardware, may well be brute-force breakable within a period of minutes, whereas the 128 bit key will still take longer than the age of the Universe to break by brute force. There are however more complex technical attacks on the cipher itself, such as known-plaintext and ciphertext-only attacks, which try to recover key material by analyzing a large number of messages (more than a million) rather than by guessing. In any case, you aren't going to be rushing to try and crack 128 bit encryption - so what can we learn about SSL HTTP servers?

Quite a lot actually. As SSL merely encrypts the standard HTTP traffic, if we set up an SSL tunnel, we can query the server as we did in section 10.1.2. Creating an SSL tunnel is quite straightforward, and there is a utility called "stunnel" purely for this purpose. Enter the following into a file called stunnel.conf (replacing ssl.enabled.host with the name of the SSL server that you want to connect to):

client = yes
verify = 0
[pseudo-https]
accept = 80
connect = ssl.enabled.host:443
TIMEOUTclose = 0

Stunnel will then map the local port 80 to the remote SSL port 443 and will pass out plain text, so you can connect to it using any of the methods listed above. Be aware that verify = 0 tells stunnel not to check the server's certificate at all; that is fine for fingerprinting, but it means anyone who can intercept the connection can impersonate the server, so never pass real traffic through such a tunnel.

simon@exceat:~> netcat 127.0.0.1 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: Fri, 07 Jan 2005 10:32:38 GMT
Content-type: text/html
Last-modified: Fri, 07 Jan 2005 05:32:38 GMT
Content-length: 5437
Accept-ranges: bytes
Connection: close
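The verify = 0 line in the stunnel.conf above accepts whatever certificate the far end presents, so a man-in-the-middle can terminate the tunnel and read everything in the clear. This added fragment (not from the lesson) shows the same client section with verification switched on: verify level 2 makes stunnel reject the connection unless the server certificate chains to a CA in CAfile, and checkHost ties the certificate to the name you meant to reach. The CA bundle path is a placeholder for whatever your system uses; ssl.enabled.host is the lesson's own placeholder.

```ini
; Added example, not from the lesson.  Same pseudo-https client as above,
; with certificate verification switched on.  Adjust the CAfile path for
; your system; ssl.enabled.host stands for the server you want to reach.
client = yes

; verify = 0 (as in the lesson) accepts any certificate: acceptable for a
; quick fingerprinting session, unsafe for anything else.
; verify = 2 rejects the connection unless the server certificate chains
; to a CA listed in CAfile.
verify = 2
; placeholder path, use your distribution's CA bundle
CAfile = /etc/ssl/certs/ca-certificates.crt

[pseudo-https]
accept = 80
connect = ssl.enabled.host:443
; checkHost (stunnel 5.06 and later) additionally requires the certificate
; to be issued for this name, not merely signed by some trusted CA.
checkHost = ssl.enabled.host
TIMEOUTclose = 0
```

With this in place the netcat session above works unchanged, but a forged or mis-issued certificate makes stunnel drop the connection instead of silently relaying through it.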
10.1.4 Having someone else do it for you - Proxies

Proxies are middlemen in the HTTP transaction process. The client requests the proxy, the proxy requests the server, the server responds to the proxy and then the proxy finally passes the response back to the client, completing the transaction. Proxy servers are vulnerable to attacks in themselves, and are also capable of being a jumping-off point for launching attacks onto other web servers (an open CONNECT method, as flagged in the Nikto output above, turns an ordinary web server into exactly that). They can however increase security by filtering connections, both to and from servers.
10.2 Web Vulnerabilities

The simplicity of giving someone something that they ask for is made much more complex when you're in the business of selling. Web sites that sell to you, companies selling products, bloggers selling ideas and personality, or newspapers selling news, require more than just HTML-encoded text and pictures. Dynamic web pages that help you decide what to ask for, show you alternatives, recommend other options, upsell add-ons, and only give you what you pay for require complex software. When we say goodbye to websites and hello to web applications we are in a whole new world of security problems.
10.2.1 Scripting Languages

Many scripting languages have been used to develop applications that allow businesses to bring their products or services to the web. Though this is great for the proliferation of businesses, it also creates a new avenue of attack for hackers. The majority of web application vulnerabilities come not from bugs in the chosen language but from the methods and procedures used to develop the web application, as well as how the web server was configured. For example, if a form requests a zip code and the user enters "abcde", the application may fail if the developer did not properly validate incoming form data. Several languages can be used for creating web applications, including CGIs, PHP and ASP.

Common Gateway Interface (CGI): Whatis.com defines a CGI as "A standard way for a web server to pass a web user's request to an application program and to receive data back to forward to the user." CGI is a convention for how the web server hands an HTTP request to an external program and returns that program's output; the program itself can be written in almost any language. The most popular languages for CGI applications are C, C++, Java and PERL.

PHP - Hypertext Preprocessor (PHP): PHP is an open-source server-side scripting language where the script is embedded within a web page along with its HTML. Before a page is sent to a user, the web server calls PHP to interpret and perform any operations called for in the PHP script. Whereas HTML displays static content, PHP allows the developer to build pages that present the user with dynamic, customized content based on user input. HTML pages that contain PHP scripting are usually given a file name with the suffix ".php".

Active Server Pages (ASP): Web pages that have an .asp extension, Active Server Pages (ASP), are dynamically created, often database-driven, web pages. They utilize ActiveX scripting, usually VBScript or JScript code. When a browser requests an ASP, the web server runs the script, generates a page with HTML code and immediately sends it back to the browser. In this way they allow web users to view real-time data, but that same server-side code, driven by user input, is where the security problems appear.
10.2.2 Common Web Application Problems

Web applications do not necessarily have their own special types of problems but they do have some of their own terms for problems as they appear on the web. As web application testing has grown, a specific security following has grown too and with that, a specific classification of web vulnerabilities. Common web application problems are classified below according to the OSSTMM Risk Assessment Values (http://www.isecom.org/securitymetrics.shtml), a specific way to measure security by how it affects how things work.
RAV: Authentication
What it means: These are the identification and authorization mechanisms used to be certain that the person or computer using the web application is the correct person to be using it.
Web examples: Every time you log in to a web page that has your personal data then you are authenticating. Authentication often means just giving a login and password. Sometimes it means giving an identification number or even just coming from an acceptable IP address (white-listing).

RAV: Non-Repudiation
What it means: A record that proves that the data sent to or from the web application was really sent and where.
Web examples: Although you may not see it, most web applications keep track of purchases you make from a particular IP address using a particular browser on a particular operating system as a record that it was most likely someone on your computer who made that purchase. Without specific "authentication" they can't guarantee 100% it was you though.

RAV: Confidentiality
What it means: A way to assure that communication with the web application cannot be listened in on by another person.
Web examples: The HTTPS part of interaction with a web application provides pretty good confidentiality. It does a decent job of keeping your web traffic with the web app from being publicly readable.

RAV: Privacy
What it means: A way to assure that the way you contact and communicate with the web application cannot be pre-determined by another person.
Web examples: While it is very rare, it is not unimaginable that a web application that contains very private information would not even show you it is there unless you come from the right place and know the right secret combination to get the web app to be accessible. One way is to have to click a picture in 5 different places in a specific order to get to the login screen. Another manner is called port-knocking and it means that the server requires a specific sequence of interactions before it opens a port, such as the HTTP port, to the user.

RAV: Indemnification
What it means: These are ways to assure that the web application has legal protection or at the least, can be financially protected with insurance.
Web examples: Some web sites clearly print on the login screen that it's for authorized personnel only. If someone steals a login and password or even brute-forces it open, the attacker, if caught, cannot say he didn't know it was private.

RAV: Integrity
What it means: This is a record of the validity of the communication with the web application to assure that what is sent and then received by the other is the same thing and, if it changed, both the web application and the user have a record of the change.
Web examples: Some web apps provide a "HASH" with files to be downloaded. This HASH is a number generated from that specific file. When you download the file, you can check the HASH you generate from the file against the one they post. This is to assure that some attacker is not trying to trick you with a different file, either replaced or through deception such as in Cross Site Scripting. It only helps if the posted hash comes over a channel the attacker cannot also tamper with; a hash published next to the file on the same compromised server proves nothing.

RAV: Safety
What it means: This is how we protect the web application from its own security devices. If security fails, we need to make sure that it does not affect the operation of the web application as a whole.
Web examples: It is very possible to have an application use a daemon that can re-initialize itself or even prevent an attack from crashing any part of itself by presenting itself only virtually. You can also find scenarios where a web app uses an intrusion detection mechanism that "stops" attacks by blocking the attacker by IP address. In this case, we can't say Safety exists if the security device is not configured to prevent an attacker from spoofing the web app's own resources and causing this defense to block important traffic. Instead, it is considered either a misconfiguration of the defense or in some cases a weakness of design. Don't confuse a poorly made or "accidental" defense with a designed loss control.

RAV: Usability
What it means: A way to prevent the user from having to make security decisions about interacting with the web application. This means that proper security is built in and the user doesn't have to choose which or what security mechanisms to turn on or off.
Web examples: When a web app requires use of HTTP over SSL (HTTPS) then we can say that it is using Usability as part of security. However, if it lets you choose to interact with it less securely, for example, to send your credit card number by insecure e-mail rather than post it via a form by way of HTTPS, then it is NOT exercising Usability.

RAV: Continuity
What it means: This is how we keep a service based on a web application from failing to work no matter what problem or disaster occurs.
Web examples: Often a web app that receives a lot of traffic will have a reverse proxy in front of it which directs the traffic to one of many mirrored web servers. This way, if one goes down, service is not interrupted. Another example is a web application that caches its website to many different servers over the internet so when you visit one, you are not actually going to the originating web server. If a cache goes down or gets corrupted, then the traffic will get redirected to another cache or the originating website.

RAV: Alarm
What it means: Notification, either immediate or delayed, regarding a problem with any of these mechanisms.
Web examples: A basic form of alarm is the log file generated by the web server. The bad thing about an alarm is that you can choose to ignore it. This is especially true if it sounds all the time (think of the story of the boy who cried "wolf"). Or in the case of a log file, it may not sound at all. Alarm is only as good as your reaction time to it.
Exercises:

1. Open up Google and type in "inurl:search.asp" or "inurl:search.php". With any of the websites which come up, attempt to type the following into the search field: <script>alert('hello')</script>. What happens? Try this for several sites.

2. In Google, type in "inurl:login.asp" and "inurl:login.php". With any of the websites which come up, attempt to type in special characters (@#$%&) for both the username and password. What happens? Try this for several sites.

3. Knowing the types of security mechanisms a web application may have, open your favorite, interactive website and try to identify if it has security mechanisms which conform to any of the RAV classifications.

4. Commonly discussed web vulnerabilities are Cross Site Scripting (XSS) and SQL injection. What are they and how does an attacker use them to steal data or information from a web application?
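Added example, not from the lesson: the two behaviours that Exercises 1 and 2 probe for, reproduced locally so you can watch the mechanism instead of poking at somebody else's site. The search page reflects its input straight into HTML (cross-site scripting) and the login builds its SQL by string concatenation (SQL injection); each is shown next to its fix. The account, password and salt are made up, and the user table lives in an in-memory SQLite database.

```python
"""Added example, not part of the Hacker Highschool lesson: what Exercises 1
and 2 above actually exercise.  A search page that echoes the query back into
HTML (reflected cross-site scripting) and a login that pastes user input into
SQL (SQL injection), each shown vulnerable and fixed.  The user table is
constructed in memory so the code runs offline; the account, password and
salt are made up."""
import hashlib
import html
import sqlite3

SALT = "demo-salt"   # constructed; a real app uses a random per-user salt


def _pw_hash(password):
    return hashlib.sha256((SALT + password).encode()).hexdigest()


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", _pw_hash("correct horse")))
    db.commit()
    return db


# --- Exercise 1: reflected XSS in a search page ---------------------------

def search_page_vulnerable(query):
    """Echoes the query straight into the page, so a <script> tag in it runs
    in every visitor's browser that follows the crafted link."""
    return f"<p>Results for: {query}</p>"


def search_page_fixed(query):
    """HTML-encodes the query so the browser shows it as text, never as markup."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


# --- Exercise 2: SQL injection in a login form ----------------------------

def login_vulnerable(db, username, password):
    """Builds the query by string concatenation: a quote in the input ends the
    string literal and the rest of the input becomes SQL.  A lone quote
    breaks the statement (the 'application may fail' case from 10.2.1);
    a quote followed by a comment marker bypasses the password check."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND pwhash = '" + _pw_hash(password) + "'")
    return db.execute(sql).fetchone() is not None


def login_fixed(db, username, password):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so a quote in the input is just a quote."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND pwhash = ?",
        (username, _pw_hash(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "<script>alert('hello')</script>"
    print(search_page_vulnerable(payload))   # script tag survives intact
    print(search_page_fixed(payload))        # shown as &lt;script&gt;... text
    inject = "alice' --"                     # comments out the password check
    print("vulnerable login:", login_vulnerable(db, inject, "wrong"))
    print("fixed login:     ", login_fixed(db, inject, "wrong"))
    try:
        login_vulnerable(db, "alice'", "wrong")
    except sqlite3.OperationalError as e:
        print("lone quote broke the query:", e)
```

The special characters Exercise 2 suggests (@#$%&) are harmless to this query; the single quote is the one that matters, which is why a crash on a lone quote is the tell-tale sign that the login is built the vulnerable way.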
10.2.3 Guidelines for Building Secure Web Applications

While there are many opinions, and most of the details of building with security in mind come from the logic of the programmer and their skill with the programming language, these basic guidelines are also derived from materials available from the OSSTMM (http://www.osstmm.org).

1. Assure security does not require user decisions.
2. Assure business justifications for all inputs and outputs in the application.
3. Quarantine and validate all inputs including app content.
4. Limit trusts (to systems and users).
5. Encrypt data.
6. Hash the components.
7. Assure all interactions occur on the server side.
8. Layer the security.
9. Invisible is best - show only the service itself.
10. Trigger it to alarm.
11. Security awareness is required for users and helpdesks.

Exercises:

1. Give examples for any three of the above guidelines.
2. Give three types of technologies that one could apply to a web application as an alarm.
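Added example, not from the lesson or the OSSTMM: one reading of guidelines 3, 6, 7 and 10 in code, as a checkout handler. Every field is checked against a strict pattern before use and unexpected fields are dropped (3); a component the application loads is hashed and compared with its recorded digest before it is trusted (6); the price comes from the server's catalogue even though the form carries a price field (7); every rejection goes to an alarm log (10). The catalogue, the rules blob and its digest are constructed for the example.

```python
"""Added example (not from the lesson or the OSSTMM): a checkout handler that
puts several of the guidelines above into code.  Guideline 3: every field is
validated against an allow-list pattern before use; guideline 6: a component
the app loads is hashed and compared with a known digest before it is
trusted; guideline 7: the price comes from the server's catalogue, never from
the form; guideline 10: every rejection is written to an alarm log.  The
catalogue, the rules blob and its digest are constructed for this demo."""
import hashlib
import hmac
import logging
import re

alarm = logging.getLogger("webapp.alarm")

# Server-side catalogue: the only source of truth for prices (guideline 7).
CATALOGUE = {"hhs-tshirt": 1500, "hhs-sticker": 200}   # prices in cents

# A component loaded at start-up (e.g. a discount-rules file) and the digest
# recorded at deploy time (guideline 6).  Both constructed for the demo.
RULES_BLOB = b"discount:sticker:10\n"
RULES_SHA256 = hashlib.sha256(RULES_BLOB).hexdigest()

# Allow-list patterns (guideline 3).  Anything that does not match is
# rejected, so the "abcde" zip code from 10.2.1 never reaches the logic.
FIELD_PATTERNS = {
    "sku": re.compile(r"[a-z0-9-]{1,32}"),
    "qty": re.compile(r"[1-9][0-9]{0,2}"),
    "zip": re.compile(r"[0-9]{5}"),
}


class RejectedInput(ValueError):
    """Raised for any field that fails validation; the name says which."""


def verify_component(blob, expected_hex):
    """Constant-time comparison of a component's digest with the known one."""
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), expected_hex)


def validate(form):
    """Quarantine: copy only the expected fields, each checked against its
    pattern; extra fields (such as a client-supplied price) are dropped."""
    clean = {}
    for name, pattern in FIELD_PATTERNS.items():
        value = str(form.get(name, ""))
        if not pattern.fullmatch(value):
            alarm.warning("rejected field %s=%r", name, value)   # guideline 10
            raise RejectedInput(name)
        clean[name] = value
    ignored = set(form) - set(FIELD_PATTERNS)
    if ignored:
        alarm.warning("ignored unexpected fields %s", sorted(ignored))
    return clean


def price_order(form):
    """Return the order total in cents, computed only from server-side data."""
    if not verify_component(RULES_BLOB, RULES_SHA256):
        alarm.critical("rules component digest mismatch, refusing to serve")
        raise RuntimeError("component integrity failure")
    clean = validate(form)
    if clean["sku"] not in CATALOGUE:
        alarm.warning("unknown sku %r", clean["sku"])
        raise RejectedInput("sku")
    unit = CATALOGUE[clean["sku"]]        # never form["price"], whatever it says
    return unit * int(clean["qty"])


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="ALARM %(message)s")
    # Client-supplied "price" is ignored; the total comes from CATALOGUE.
    print(price_order({"sku": "hhs-tshirt", "qty": "2", "zip": "10001", "price": "1"}))
    try:
        price_order({"sku": "hhs-tshirt", "qty": "1", "zip": "abcde"})
    except RejectedInput as e:
        print("rejected:", e)
```

The patterns are allow-lists with fullmatch(), not deny-lists of "bad" characters: the question asked of every field is "does this look exactly like what we expect", which is the only question that stays correct as attackers find new characters to abuse.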
10.3 HTML Basics - A brief introduction

HTML is a set of instructions that explains how information is to be presented from a web server (Apache, Internet Information Server) to a browser (Firefox, Opera). It is the heart of the World Wide Web.

HTML can do much more than just display data on a web page. It can also provide data entry forms, where data can be entered for processing by a higher level language (Perl, PHP, etc). In a business setting this is where HTML is at its most useful, but in a hacker setting this is where HTML is at its most vulnerable.
10($(1 Re4in0 )TAL
!TM' is communicated with a series of tags or markups% Each opening tag$ _h1T$ for instance$
must have a closing tag$ _)h1T% This tells the browser to stop the markup described by the
preceding tag% Opening and closing tags are a part of well#formed !TM'%
Take$ for e&ample$ the code:
_htmlT
_headT_titleT!ello 3orld_)titleT_)headT
_bodyT
_h1T!ello 3orldL_)h1T
_)bodyT
1'
LESSON 10 # WEB SECURITY AND PRIVACY
_)htmlT
2igure 1: !TM' Code
3e are telling the browser this is an !TM' document with the tag _htmlT and we have a title
of E!ello 3orldE with the _titleT tag% The _bodyT tag tells our browser .here is where the
information you will be displaying goes%0 2inally$ the _h1T tags tells the browser to display the
information in .!eading 10 style% The tags that are preceded with a E)E are merely the closing
tag$ this tells the browser to stop displaying the contents described by the opening tag%
E&ercise 1: Cut and paste the code in figure one and paste it into a te&t file called hello%html%
Open that file in your browser of choice and you should see something similar to this:
1/
LESSON 10 # WEB SECURITY AND PRIVACY
10.3.2 Viewing HTML at its Source
All modern browsers contain a way to view the underlying HTML code that generated the web page you are looking at. In most cases, this is the "view source" option under the "view" menu in your browser.
Exercise 2: Choose View --> View Source in your browser while surfing your favorite web page.
Illustration 1: View Menu
The results should be something pretty similar to this:
Illustration 2: Source viewed in text editor
HTML code is visible to anyone with a web browser. This is why it is very important when coding web pages to not try to hide passwords or important information in the HTML source code. As you can see, it's not very secret.
10.3.3 Links
Links (or hyper-links) are really the heart of HTML page building. The biggest strength of HTML is the ability to link to other documents. A link, in the context of HTML, is denoted as <a href="www.yahoo.com">www.yahoo.com</a>. The link will appear as www.yahoo.com on your website. This will take visitors of your site to Yahoo.
Links can be checked and followed by so-called link checker programs. These programs search HTML source code for the <a href=""></a> tags and then create a file or index of the found links. Spammers will often use this technique to find email addresses or contact forms they can use to spread their mass emails. Link checkers can also be used to check your website for "broken" links, or links that don't go anywhere. This can happen a lot even in relatively small sites.
Exercise 1: Create a link
Create a link to www.hackerhighschool.org that displays as Hacker High School on your web page.
Bonus exercise: Use the tool
1. Find and download a link checking program.
2. Run that program against www.hackerhighschool.org and document how many broken links you find.
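The two ideas above, well-formed HTML from 10.3.1 and the link checker from 10.3.3, can both be shown with one small reader of the HTML format. The code below is an added example for this lesson, not a program from the lesson or a real link checker: it walks the tags with Python's standard html.parser, keeps a stack of open tags to report any that are never closed, collects every <a href>, resolves each one against the page's address the way a browser would, and then flags the ones that do not exist. Because it runs offline, "exists" is simulated by a constructed set of known pages instead of an HTTP request; the sample page, the base URL and that set are all made up for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Tags that never get a closing tag (a subset, enough for the demo).
VOID_TAGS = {"br", "hr", "img", "meta", "link", "input"}


class PageReader(HTMLParser):
    """Tracks open tags like a stack and collects every <a href>."""

    def __init__(self):
        super().__init__()
        self.open_tags = []   # tags still waiting for their closing tag
        self.problems = []    # descriptions of unbalanced tags
        self.links = []       # hrefs in document order

    def _note_link(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href is not None:
                self.links.append(href)

    def handle_starttag(self, tag, attrs):
        self._note_link(tag, attrs)
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        # "<tag/>" form: nothing to balance, but it may still carry a link
        self._note_link(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # pop back to the matching opener; anything above it was never closed
            while True:
                top = self.open_tags.pop()
                if top == tag:
                    break
                self.problems.append(f"<{top}> never closed")
        else:
            self.problems.append(f"unexpected </{tag}>")

    def finish(self):
        self.close()
        for tag in reversed(self.open_tags):
            self.problems.append(f"<{tag}> never closed")
        self.open_tags = []


def check_html(source):
    """Return (list of balance problems, list of hrefs found)."""
    reader = PageReader()
    reader.feed(source)
    reader.finish()
    return reader.problems, reader.links


def resolve_links(links, base_url):
    """Absolute URL for each href, as a browser computes it.  Note that a bare
    'www.yahoo.com' (no scheme) is a relative path on the same site."""
    return [urljoin(base_url, href) for href in links]


def find_broken(absolute_links, known_pages):
    """Offline stand-in for the HTTP check a real link checker makes."""
    return [url for url in absolute_links if url not in known_pages]


# Constructed sample page: one heading left open, three kinds of link.
SAMPLE = """<html><head><title>Demo</title></head>
<body><h1>Links
<a href="http://www.hackerhighschool.org/">Hacker High School</a>
<a href="www.yahoo.com">www.yahoo.com</a>
<a href="/lessons/old.html">old lesson</a>
</body></html>"""

# Constructed "what exists" set standing in for live HTTP responses.
KNOWN = {"http://www.hackerhighschool.org/", "http://example.test/index.html"}

if __name__ == "__main__":
    problems, links = check_html(SAMPLE)
    absolute = resolve_links(links, "http://example.test/index.html")
    print("problems:", problems)
    print("links:   ", absolute)
    print("broken:  ", find_broken(absolute, KNOWN))
```

Running it reports the unclosed <h1> and two broken links. One of them is the lesson's own href="www.yahoo.com" form: without a scheme the browser treats it as a page on your site, so use the full http://www.yahoo.com when you mean an external site.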
10.3.4 Proxy methods for Web Application Manipulation
An HTTP proxy server serves as a middle man between a web server and a web client (browser). It intercepts and logs all connections between them and in some cases can manipulate that data request to test how the server will respond. This can be useful for testing applications for various cross-site scripting attacks, SQL Injection attacks and any other direct request style attack. A proxy testing utility (SpikeProxy, WebProxy, etc) will assist with most of these tests for you. While some have an automation feature, you will quickly learn that it is actually a weak substitute for a real person behind the wheel of such tools.
Exercise 1: Choose your software
1. Download a proxy utility.
2. Install the software according to the README file.
3. Change your browser setting to point to the new proxy. This is usually port 8080 on localhost for these tools, but read the instructions to be sure.
Once the proxy server is installed and your browser is pointed at it, surf around the site you're testing. Remember, be sure to use a website that you have permission to test. Once you have surfed around, point your browser to the proxy's admin page (for SpikeProxy, see http://www.immunitysec.com/resources-freesoftware.shtml) and begin testing the site. From the admin interface you can have the tool brute force the site's authentication methods or test for cross-site scripting. (Actually, we recommend using Mozilla or Firefox and http://livehttpheaders.mozdev.org/ and http://addneditcookies.mozdev.org/ together to modify headers and cookies on the fly without the need for a separate proxy port. Not only does it really simplify things, it's a much more powerful tool set as we teach it in ISECOM's OSSTMM Professional Security Tester class (OPST). But since you will need to know about setting up proxies for other things, like ad and spam filters, privacy filters, etc., we thought you should actually set one up for real, and Spike is a good one to try.)
A proxy server can be a powerful tool in helping you determine how solid a web application is. For penetration tests or vulnerability assessments, you must have a good proxy tool in your toolbox. There are detailed tutorials available on using SpikeProxy at http://www.immunitysec.com/resources-papers.shtml.
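What a proxy or a header-editing add-on lets a tester change is exactly what a server must never rely on, which is guideline 7 ("assure all interactions occur on the server side") in practice. The following is an added example for this lesson, not code from the lesson, SpikeProxy or any of the add-ons named above: it parses one captured HTTP request as a proxy sees it, rewrites a cookie the way a tester would, and then contrasts a server that reads the user's role out of the cookie with one that looks the role up in its own session table. The request, the cookie names and the session table are constructed for the demo.

```python
# Constructed capture of a browser request, as an intercepting proxy sees it.
RAW_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: session=abc123; role=user\r\n"
    "\r\n"
)

# Constructed server-side session store: the only place a role should come from.
SESSIONS = {"abc123": {"user": "alice", "role": "user"}}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into its request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def serialize(request):
    """Rebuild the bytes-on-the-wire form so the proxy can forward it."""
    lines = [f"{request['method']} {request['path']} {request['version']}"]
    lines += [f"{name.title()}: {value}" for name, value in request["headers"].items()]
    return "\r\n".join(lines) + "\r\n\r\n" + request["body"]


def parse_cookies(header_value):
    cookies = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def set_cookie(request, name, value):
    """What 'modify cookies on the fly' means: the client owns this header."""
    cookies = parse_cookies(request["headers"].get("cookie", ""))
    cookies[name] = value
    request["headers"]["cookie"] = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return request


def role_from_cookie_unsafe(request):
    """Trusts the client: whatever the cookie claims is believed."""
    return parse_cookies(request["headers"].get("cookie", "")).get("role")


def role_from_session(request):
    """Server-side decision: the cookie only identifies the session; the role
    is read from the server's own table, so a rewritten cookie changes nothing."""
    session_id = parse_cookies(request["headers"].get("cookie", "")).get("session", "")
    session = SESSIONS.get(session_id)
    return session["role"] if session else None


if __name__ == "__main__":
    original = parse_request(RAW_REQUEST)
    tampered = set_cookie(parse_request(RAW_REQUEST), "role", "admin")
    print(serialize(tampered))
    print("cookie says:", role_from_cookie_unsafe(tampered))
    print("server says:", role_from_session(tampered))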
10.4 Protecting your server
There are several steps that can be taken to protect your server. These include ensuring that your software is always updated and patched with any security updates that are available from the manufacturer. This includes ensuring that your OS and web servers are updated as well. In addition, firewalls and intrusion detection systems can help protect your server, as discussed below.
10.4.1 Firewall
Firewalls originally were fireproof walls used as barriers to prevent fire from spreading, such as between apartment units within a building. The same term is used for systems (hardware and software) that seek to prevent unauthorized access to an organization's information. Firewalls are like security guards that, based on certain rules, allow or deny traffic that enters or leaves an organization's (or home's) system. They are important system safeguards that seek to prevent an organization's system from being attacked by internal or external users. It is the first and most important security gate between external and internal systems.
Firewalls are generally placed between the Internet and an organization's information system. The firewall administrator configures the firewall with rules allowing or denying information packets from entering into or leaving the organization.
The rules are made using a combination of Internet Protocol (IP) address and Ports; such rules are made depending on the organization's needs, e.g. in a school, students are allowed in based on an identity card.
The rule to the security guard in a school would be to allow all persons that carry a valid identity card and deny everyone else. However, the security guard would have another rule for exiting from the school; the rule would be to allow everyone to exit except small children unless accompanied by adults. A similar system is followed for firewall configuration depending on the nature of the organization, the criticality of the information assets, the cost of security, the security policy and the risk assessment.
The firewall, just like a security guard, cannot judge the contents of the information packet; just like the guard allows all persons with a valid identity card irrespective of the nature of the person, the firewall allows entry or exit based mainly on IP address and Port numbers. Hence an entry or exit is possible by masking the IP address or Port. To mitigate this risk, organizations use an Intrusion Detection System, which is explained in the next section.
There are various kinds of firewall depending on the features it has, viz. packet filter (operates on IP packets), stateful firewall (operates based on connection state) or application firewall (using a proxy).
An example of a firewall rule could be: Block inbound TCP from address 200.224.54.253 port 135. (An imaginary example.) Such a rule would tell a computer connected to the Internet to block any traffic originating from the computer with the IP address 200.224.54.253 using Port 135.
Important activities relating to firewalls are initial configuration (creating initial rules), system maintenance (additions or changes in the environment), review of audit logs, acting on alarms and configuration testing.
10.4.2 Intrusion Detection System (IDS)
Imagine a school that has proper security guards; how will the authorities detect the entry of unauthorized persons? The authorities would install a burglar alarm that will ring on entry of unauthorized persons. This is exactly the function of an intrusion detection system in computer parlance. The firewall (security guard or fence) and the IDS (burglar alarm or patrolling guard) work together; while the firewall regulates entries and exits, the IDS alerts on or denies unauthorized access.
So how does an IDS help? Just like a burglar alarm, an IDS alerts the authorized person (the alarm rings) that an unauthorized packet has entered or left. Further, an IDS can also instantly stop such access, or stop a user from entering or exiting the system, by disabling the user or the access. It can also activate some other script; an IDS can, for example, prevent or reduce the impact of a denial of service by blocking all access from a computer or group of computers.
An IDS can be host based or network based; host based IDS are used on individual computers while network IDS are used between computers. A host based IDS can be used to detect, alert on or regulate abnormal activity on critical computers; a network IDS is similarly used in respect of traffic between computers. An IDS can thus also be used to detect abnormal activity.
An IDS, like a patrolling guard, regularly monitors network traffic to detect any abnormality, e.g. high traffic from some computers or unusual activity on a server, such as a user logged onto an application and involved in malicious activity. The IDS compares any event with historical data to detect any deviation. On detection of a deviation, the IDS acts depending on the rule created by the IDS administrator, such as alerting, storing the intrusion in audit logs, stopping the user from doing any activity or running a script that starts a string of activities. An IDS can also detect deviations based on its database of signatures - any match against a signature is detected and acted upon; this action is similar to anti-virus software. An IDS is also used for detection of any activity on a critical resource, or for forensics, by quietly watching the suspect.
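The two detection styles just described, matching known signatures and spotting deviation from a historical baseline, can be tried on a web server's own access log. The following is an added example for this lesson, not code from the lesson or from any IDS product: a toy detector in Python that parses constructed log lines, raises a signature alert when a request carries a known bad pattern, raises a deviation alert when one client sends far more requests than the baseline, and flags a run of failed logins. The log format, the addresses, the signatures and the thresholds are all constructed for the demo; a real deployment would take the baseline from its own history.

```python
import re
from collections import Counter

# Constructed access-log lines: client address, request line, status code.
# The last client repeats a failed login thirty times.
LOG = (
    '198.51.100.7 "GET /index.html HTTP/1.1" 200\n'
    '198.51.100.7 "GET /search.php?q=hacker HTTP/1.1" 200\n'
    '203.0.113.5 "GET /search.php?q=<script>alert(1)</script> HTTP/1.1" 200\n'
    '203.0.113.9 "GET /login.php HTTP/1.1" 200\n'
    + '203.0.113.9 "POST /login.php HTTP/1.1" 401\n' * 30
)

LINE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3})$')

# Signature database (constructed): patterns that should never appear in a path.
SIGNATURES = {
    "xss-script-tag": re.compile(r"<script", re.IGNORECASE),
    "sql-union": re.compile(r"union\s+select", re.IGNORECASE),
}


def parse_log(text):
    """Turn each well-formed line into an event dict; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append({"client": m.group(1), "method": m.group(2),
                           "path": m.group(3), "status": int(m.group(4))})
    return events


def signature_alerts(events):
    """Signature detection: a known bad pattern in the request path."""
    return [(e["client"], name)
            for e in events
            for name, pattern in SIGNATURES.items()
            if pattern.search(e["path"])]


def deviation_alerts(events, baseline_per_client=5, factor=3):
    """Deviation detection: a client far above the historical request count."""
    counts = Counter(e["client"] for e in events)
    return [(client, "traffic-above-baseline", n)
            for client, n in sorted(counts.items())
            if n > baseline_per_client * factor]


def failed_login_alerts(events, limit=10):
    """A specific deviation: repeated 401s on the login page from one client."""
    fails = Counter(e["client"] for e in events
                    if e["path"].startswith("/login") and e["status"] == 401)
    return [(client, "repeated-failed-logins", n)
            for client, n in sorted(fails.items()) if n >= limit]


if __name__ == "__main__":
    events = parse_log(LOG)
    for alert in (signature_alerts(events) + deviation_alerts(events)
                  + failed_login_alerts(events)):
        print("ALERT", alert)
```

Each alert names the client and the rule that fired, which is what the administrator's response rules (alert, log, block) key on. Note that the signature check would never have caught the thirty failed logins, and the traffic baseline would never have caught the single script-tag request; the lesson's point that both styles are needed shows up directly in the output.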
Exercises:
1. Are both a firewall and an Intrusion Detection System required in an organization for securing its information system? If yes, why? If not, why not?
2. Think of an example of a specific use of firewall rules that is applicable to the front desk person in a school; does she need to access the Internet? If not, how will the rule be enforced?
3. Can a student access the school score database that contains complete information on the examination scores of all students? How will this be controlled? How will this be detected in case an external party using the Internet accesses it without authorization?
10.5 Secure Communications
Generally, the concepts associated with secure communications are the processes of computer systems that create confidence and reduce risks. For electronic communications, three requirements are necessary to ensure security: a) Authenticity, b) Integrity, c) Non repudiation.
Authenticity: This concept has to do with ensuring that the source of a communication is who it claims to be. It is not difficult to falsify electronic mail, or to slightly vary the name of a web page and thus redirect users; for example http://www.diisney.com appears to be the Disney web page, but it has 2 letters "i" and can be confusing. In this case, you are actually transferred to a gambling site and the communications are not safe.
Integrity: That a communication has Integrity means that what was sent is exactly what arrives, and has not undergone alterations (voluntary or involuntary) in the passage.
Non repudiation: If the conditions of authenticity and Integrity are fulfilled, non-repudiation means that the emitter cannot deny the sending of the electronic communication.
For example, if a Web site grants a prize to me, and I can prove it - that is to say, if a Web site sends a discount coupon, and I verify that the Web site is authentic, and that nobody manipulated the information on the way - the site cannot deny that the coupon was sent.
The form used to assure these conditions from a Web site is called an electronic certificate.
Maintaining the conditions of security gives us tranquillity in our electronic communications, and allows us to assure the principle of privacy in cyberspace.
10.5.1 Privacy and Confidentiality
Most web sites receive some information from those who browse them - either by explicit means like forms, or more covert methods like cookies or even navigation registries. This information can be helpful and reasonable - like remembering your book preferences on Amazon.com - and, therefore, in order to ensure security to the person who browses, many sites have established declarations of Privacy and Confidentiality.
Privacy refers to keeping your information as yours - or limiting it to close family or your friends, or your contacts, but at the most, those who you have agreed to share the information with. No one wants their information shared everywhere without control; for that reason, there are subjects declared as private, that is to say, of restricted distribution.
On the other hand, confidentiality means that a subject's information will stay secret, but this time from the perspective of the person receiving that information.
For example, if you desire a prize, but you do not want your information distributed, you declare that this information is private, authorize the information to a few people, and they maintain confidentiality. If for some reason, in some survey, they ask you specifically about that prize, and you respond that you have it, you would hope that that information stays confidential, that is to say, whoever receives the information keeps it in reserve.
We could generalize the definition of confidentiality as "the information received under a condition of privacy, I will maintain as if it was my own private information". It is necessary to declare the conditions of the privacy of information handling, to give basic assurances of security.
Also, it is recommended that you read the conditions established by the web site you visit in their privacy policy.
Exercise:
1. Review the conditions of privacy of world-wide suppliers of WebMail, Google and Hotmail, and of a manufacturer like General Motors, http://www.gm.com/privacy/index.html. Are they equal? Of those, who will share the information that I give? What measures will I be able to take if they do not observe these rules?
10.5.2 Knowing if you are communicating securely
Even with conditions of Privacy and Confidentiality, somebody can still intercept the communications. In order to provide the conditions discussed at the beginning of this section, a layer of security called SSL is used, which uses digital certificates to establish a safe connection (that is to say, one that fulfills authenticity, integrity and non repudiation) and provides a level of encryption in communications (this is to hide information so that if somebody captures part of it, they cannot read it, because the message is encrypted so that only the sender that sends it and the receiver, with the correct certificates, are able to understand it). This layer is called Secure Sockets Layer, SSL, and is visible through two elements within the web browser.
The communication is considered to be safe when the web address (URL) changes from http to https; this change even modifies the port of the communication, from 80 to 443. Also, in the lower bar of the browser, a closed padlock appears, which indicates conditions of security in the communications.
If you put the mouse on this padlock, a message will appear detailing the number of bits that are used to protect the communications (the encryption level); as of today, 128 bits is the recommended encryption level. This means that a number that can be represented in 128 bits is used as the basis of the communications.
A type of trick called phishing exists (http://www.antiphishing.org/) in which a Web page mimics the page of a bank (they copy the graphics, so that the clients enter their data, trusting that it is the bank, although it is not). In order to avoid these situations, the authenticity of the site should be verified, you should check that the communications are safe (https and the closed padlock), and, to the best of your knowledge, you should verify the certificate.
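The three signals this section and the Authenticity paragraph in 10.5 ask you to look at (https and its port, the encryption level, and a site name that imitates another) can each be checked in code. The following is an added example for this lesson, not from the lesson or any browser: it reads the scheme and port out of a URL the way the browser does, reports cipher suites below the 128-bit level using the table the Python ssl module keeps for its own default context, and detects a look-alike hostname such as the diisney.com case by its edit distance from a trusted name. The trusted-name set and the distance threshold are constructed for the demo; a real check would also verify the certificate chain, which needs a live connection.

```python
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def connection_info(url):
    """Return (secure?, port) for a URL as the browser interprets it:
    https implies 443 and http implies 80 unless the URL names a port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme == "https", port


def weak_ciphers(ciphers, min_bits=128):
    """Names of suites below the recommended strength.  'ciphers' is a list of
    dicts shaped like ssl.SSLContext.get_ciphers() output ('name', 'strength_bits')."""
    return [c["name"] for c in ciphers if c["strength_bits"] < min_bits]


def default_context_weak_ciphers(min_bits=128):
    """Ask this machine's TLS library which of its default suites fall short."""
    context = ssl.create_default_context()
    return weak_ciphers(context.get_ciphers(), min_bits)


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(hostname, trusted, max_distance=2):
    """Return the trusted host this name imitates, or None if it is itself
    trusted or not close to any trusted name."""
    host = hostname.lower()
    if host in trusted:
        return None
    for name in trusted:
        if edit_distance(host, name) <= max_distance:
            return name
    return None


if __name__ == "__main__":
    # Constructed trusted set and sample addresses.
    trusted = {"www.disney.com", "www.hackerhighschool.org"}
    for url in ["http://www.diisney.com/", "https://www.disney.com/"]:
        host = urlsplit(url).hostname
        print(url, connection_info(url), "imitates:", lookalike_of(host, trusted))
    print("weak suites in default context:", default_context_weak_ciphers())
```

An https URL is only part of the picture: a phishing site can serve https too, so the hostname check and, above all, checking who the certificate was issued to matter as much as the padlock.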
10.6 Methods of Verification
At this point, you have had the opportunity to learn the foundations of security in the Web, the main aspects related to some of the vulnerabilities commonly found in the web servers used to host the different sites with which we routinely interact when browsing the Internet, and the way in which different defects in the development of web applications affect the security and/or the privacy of users in general.
On the other hand, you have learned some of the technologies on which we rely to protect our servers and also our privacy. However, probably at this moment, you are asking questions such as: Am I safe, now that I have taken the corresponding actions? Is my system safe? The developers that have programmed some of the functionalities that I have used in my Web site, have they taken care of the security aspects? How can I verify these aspects?
As you have probably thought, it is not enough to apply manufacturer updates or trust the good intentions of the developer when your security or privacy is concerned. In the past, there have been several cases in which a manufacturer's patch corrected one vulnerability but caused another problem in the system, or a new vulnerability was discovered once the system was patched. Due to this and other reasons, you will have to consider that it is absolutely necessary to verify the implemented systems frequently, in order that the system "remains" safe.
Luckily, many people have developed in their own time some "Methods of Verification", most of which are available free, so that we all may take advantage of the benefits of their use. These are based on the experience of hundreds of professionals, and include numerous "good practices" regarding implementing technology in a safe form. Therefore, it is recommended that you adopt these methodologies when carrying out your tasks of verification.
An example of these, the OSSTMM, is discussed briefly below.
10.6.1 OSSTMM
The OSSTMM, which is an abbreviation for "Open Source Security Testing Methodology Manual", is one of the most widely used methodologies for testing security. As described in its introduction, although certain individual tests are mentioned, these are not particularly revolutionary; the methodology as a whole represents a standard of essential reference for anyone wanting to carry out a security test in an ordered format and with professional quality. The OSSTMM is divided into several sections. In the same way, it is possible to identify within it a series of specific testing modules, through which each dimension of security is tested and integrated with the tasks needed to ensure security.
These sections include: Personnel Security, Data Network Security, Telecommunications Security, Wireless Communications Security, and Physical Security, and the sections of this methodology detail security from the point of view of WHICH test to do, WHY to do it and WHEN to do it.
The OSSTMM by itself details the technical scope and traditional operation of security, but - and this is perhaps one of the most important aspects - not the exact tests; rather it presents what should be tested, the form in which the test results must be presented, the rules for testers to follow to assure the best results, and also incorporates the concept of security metrics with RAVs (Risk Assessment Values) to put a factual number on how much security you have. The OSSTMM is a document for professionals, but it is never too early to try to understand it and learn how it works. The concepts are very thorough and it's written in an easy-to-comprehend style.
Exercises
1. Patching is a common problem today, where web administrators are constantly needing to patch code as new vulnerabilities are discovered. Research a case in which a new problem occurred when installing a new security patch. Discuss the possibilities and consequences when an administrator, who has a new patch to install, realizes that it will reopen a breach in the system that was already resolved. Should the patch still be installed? In relation to this subject, would it matter whether you have the source code or not?
2. Go to http://cve.mitre.org and search for CVEs. Enter the name of a web server (i.e. Apache) into the search field. When was the latest vulnerability released? How often have vulnerabilities come out (weekly, monthly, etc.)? In reference to question number one, is patching a realistic solution to security? Why or why not? What other security measures can be used if you decide not to play the cat and mouse game of patching?
3. Download a copy of the OSSTMM and review the methodology concepts. What aspects would you emphasize from this methodology? How do you think this methodology can integrate with your verifications of security?
4. What can you find out about the RAVs?
Further Reading
http://www.osstmm.org
http://www.oreilly.com/catalog/websec2/chapter/ch08.html
http://www.w3.org/Security/Faq/
http://www.privacyalliance.org/
http://www.perl.com/pub/a/2002/02/20/css.html
http://www.oreilly.com/catalog/webprivp3p/chapter/ch01.pdf
http://www.defenselink.mil/specials/websecurity/
http://www.epic.org/
http://www.cgisecurity.com/
http://www.eff.org/privnow/
Here are some sites to check out if you want more information on creating your own web pages or HTML in general.
http://www.htmlgoodies.com/
http://www.htmlhelp.com/
http://www.w3schools.com/