Masters in Information Systems Security Management, Concordia University of Edmonton, spatel3@student.concordia.ab.ca

Abstract - Security vulnerabilities occur in most websites. The quick, typical ways to build a website are prone to SQL injection attacks, cross-site scripting attacks, brute force attacks and other, less well-known bugs. Many tools have been created for detecting or minimizing the vulnerabilities of popular websites. Existing strategies either involve the construction of the web application or are vulnerable to false positives. This report provides a fully automated way of identifying website weaknesses. It hardens the website by using WordPress plugins, and hardens the web server by installing an SSL certificate, shifting from Hypertext Transfer Protocol (HTTP) to Hypertext Transfer Protocol Secure (HTTPS), and disabling directory listings.

Keywords—SQL injection, cross-site scripting, brute force, vulnerabilities, SSL certificate.

I. INTRODUCTION

This report provides information on how I hardened my eCommerce website. I used the WordPress CMS for my website; WordPress runs millions of websites on the internet. We hosted our website on an Ubuntu web server provided by Cybera. Hardening the website means adding various layers of protection to reduce the potential attack surface. Hardening also requires manual configuration steps or software adjustments. There are six common security flaws in most e-commerce sites: SQL injection, buffer overflows, remote command execution, price manipulation, cross-site scripting and DDoS attacks. Customers are less likely to use a website with weaknesses or bad security, irrespective of the product: a customer wants to feel comfortable, does not want their information compromised or hacked, and will not trust the website with their card details. In this report, I ran a security scan and then started hardening my site by using plugins, migrating from HTTP to HTTPS (SSL certification) and hardening from the server side. Such layers are essential for understanding the effect of each security measure and for hardening the site.

II. METHODOLOGY

A. Analysis of Weakness of the Ecommerce Website

Nessus: Nessus tests cover a wide range of technology, from operating systems, network devices and high-speed control machines to repositories and web servers. The types of exposure and vulnerabilities Nessus will search for:
• Vulnerabilities that could allow unauthorized access to sensitive data on a network.
• Configuration flaws, for example open mail relays, missing patches, etc.
• Default passwords, common passwords and blank/lost passwords for some system accounts.
• Nessus can run a dictionary attack by calling Hydra, a password-cracking tool (alongside Medusa and John the Ripper).
• Denial of service.
The Nessus scanner allows predetermined tests (for example, host discovery and malware detection) to be used. For legitimate testing, the Nessus scanner itself is open source and free to use.

1) System requirements for Nessus:
a) Windows 10
b) Nessus Vulnerability Scanner, version 8.9.0-x64 for Windows 10; link: https://www.tenable.com/downloads/nessus

2) Configuration of Nessus and scanning:
After installation, I started with the configuration of Nessus. First, it lets us select the product: Essentials, Professional or Nessus Manager. I selected Nessus Essentials to start. I had to give my email address to receive the activation code by mail; after activation, I had to set a login name and password for Nessus. It took nearly half an hour to install all plugins and components completely. Next, I ran a Basic scan against my website by adding its IPv6 address (2605:fd00:4:1001:f816:3eff:fe45:b015) as the target. The next phase was scanning the website for vulnerabilities in Advanced Scan mode. In the Advanced Scan, I changed the configuration to find vulnerabilities; the changes are as follows:
a) In the Discovery subsection, I selected 'Host Discovery' to begin a network discovery search to see what hosts are on the network, with IP, FQDN, operating system and open ports, if applicable.
b) Turn on Remote Host Ping. This option allows Nessus to decide whether remote hosts are alive on several ports. General configuration and ping methods are shown when it is set to On. I ensured "Test the local Nessus host" and "Use fast network discovery" were enabled; these are used in the absence of a proxy or load balancer to validate a server's response when Nessus receives a ping reply, to avoid false positives. Fast network discovery bypasses these further tests.
c) Select all ping methods (ARP, TCP, ICMP (Assume ...), UDP).
d) Confirm the boot wait period of five minutes under "Wake-on-LAN."
e) Click on Port Scanning. Choose all options under "Local Port Enumerators."
f) Ensure that both "SYN" and "UDP" are chosen under "Network Port Scanners."
g) In Service Discovery, under General Settings, make sure all the options are selected.
h) In the "Assessment" section, under the subheading "General," confirm the "Perform thorough tests" and "Override Normal Accuracy" choices. Confirm that the "antivirus definition grace period" is 0 days.
i) Under Brute Force, make sure all options are selected.
j) Confirm that the "Malware" assessment category is disabled while keeping the current category settings.
k) Continue with the Report subsection, ensuring all three choices are selected under "Processing." Confirm "Report as much information as possible" under "Override normal verbosity."
After all this configuration, I saved the settings, started scanning and found flaws on the website.
Fig 1. Shows the Advanced Scan of vulnerabilities using Nessus.

B. Plugins to harden the WordPress website

All in One WP Security plugin: The All in One WP Security plugin is a free download and has many features, including an advanced firewall and brute force authentication defense. It has a security scoring system. It is provided as a dedicated security module by Tips and Tricks HQ. It is a complete solution for your security concerns with WordPress and a great way to protect your current WordPress installations, eliminating security risk through vulnerability detection and the introduction of the newly suggested WordPress security practices and techniques. All In One WP Security also uses a unique grading system for protection points to determine how well the protection features you have installed secure your website.

After installing and activating the plugin, we harden the site. First, we change the username to something other than "admin", because admin is the default username, which is typical and expected. Second, we make sure that our password is strong enough that it would take several years to crack by any attack. Third, we configure the "Login Lockdown Options": set Maximum Login Attempts to 3-4 tries for failed username or password attempts and the Login Retry Time Period to 5. Under User Registration, I enabled manual approval of new registrations, added a CAPTCHA (Completely Automated Public Turing test) and added a honeypot on the registration page to add a layer of protection to my site. Next, I configured the Database Security settings to change the WordPress table prefix from "wp_" to something more robust so that SQL injection can be avoided.

Fig 2. Shows the CAPTCHA asked for during login to the admin account.

Further, I set up automatic backup with a time interval of 1 week and the number of backup files kept to one. In the Filesystem Security settings, I disabled PHP file editing. Next, I configured the Blacklist Manager so that it can lock out IPs from unauthorized access. Further, I enabled Basic Firewall Protection and disabled TRACE and TRACK.

C. Enable firewall and allow trusted services through the firewall

Ubuntu's primary firewall tool is ufw. ufw is a user-friendly way to create an IPv4 or IPv6 firewall, designed to simplify iptables firewall setup. ufw is not meant to deliver the full functionality of the firewall through its control interface, but instead provides a convenient way of adding or deleting simple rules. It is used mainly as a host-based firewall.

D. Migration of the web from HTTP to HTTPS

HTML is a markup language designed specifically for displaying applications as websites in web browsers; like other markup languages, it describes the structure, syntax and layout of a document. HTTP stands for Hypertext Transfer Protocol, while HTTPS stands for Hypertext Transfer Protocol Secure. If data transmitted over HTTP is stolen, it is easily readable by the attacker, while over HTTPS it is encrypted and secured with the help of an SSL certificate (SSL stands for Secure Sockets Layer).

Often, certificate providers such as DigiCert provide a validated and trusted SSL certificate for a fee. I applied the SSL features but not certificate authentication for this lab. So I created a self-signed certificate that is not signed by any of the trusted certification authorities included in the web browser, which means I cannot use this certificate to confirm the identity of our application.

Fig 3. Shows the DigiCert certificate types with their prices.

TLS/SSL works using a public certificate and a private key. SSL is the process that converts plaintext to ciphertext. An attacker who intercepts it sees only junk text and would need the private key to decrypt it. In SSL certification, a public key is issued to encrypt the text and the private key decrypts it. I created a self-signed key and certificate pair with OpenSSL in a single command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

a) Configuring Apache to use SSL: As we created the key and certificate under the /etc/ssl directory, I needed to modify Apache to take advantage of the SSL certificate. First I configured a snippet with secure SSL settings: I created a new snippet named ssl-params.conf under the /etc/apache2/conf-available folder and disabled HSTS.

b) Changing the default Apache SSL virtual host file: Today, both plain HTTP and encrypted HTTPS traffic are supported by the site and browsers. For greater security, HTTP should be automatically redirected to HTTPS. This is easily done by adding the following line to the default "/etc/apache2/sites-available/000-default.conf" file:
✓ Redirect permanent "/" "https://[ipaddress of ur website]/"
On my site I added the following to redirect to my site:
✓ redirect permanent "/" "http://[2605:fd00:4:1001:f816:3eff:fe45:b015]/"

c) Adjusting the firewall: Now, as I used the ufw firewall, to allow SSL traffic I needed to adjust its settings, as Apache adds some application profiles during installation. To see the profiles, I used the "ufw app list" command. After seeing the list, I added the Apache service to the firewall using the command "ufw allow 'Apache Full'". To see the status of ufw, I used the "ufw status" command.

d) Enabling the changes in Apache: Having altered the ufw settings, I now enable the SSL and header modules in Apache, enable my SSL-ready virtual host and restart Apache with the following commands:
✓ a2enmod ssl
✓ a2enmod header
✓ a2enmod default-ssl
✓ a2enmod ssl-params
a2enmod is a script that enables Apache services or modules. After all this was done, I needed to check that I had not made any syntax error; to make sure, I used the "apache2ctl configtest" command. Once the syntax was OK, I restarted Apache.

e) Testing encryption and the SSL certificate: To see whether the certificate is served, I tried accessing my site using https:// instead of http://. The browser asks whether to proceed to an unsafe site; this is because the SSL certificate we created is not issued by one of my browser's trusted certificate authorities.

Next, I tried accessing my site with http:// to see whether it redirects to https, as I had added a redirect command in my configuration. To check whether the certificate is served, I checked it with the Qualys SSL test; for that check I needed a proper DNS name and the IPv6 address, which I got from Cybera under the metadata section of the instance. After I got the DNS name, I opened the following site in a web browser: https://www.ssllabs.com/ssltest/index.html, started the scan and got the report.

Fig 4. Shows the scan of the SSL certificate.

E. Disable directory listing

Directory listing is a web server feature that shows a collection of all the files in a directory that has no index file (such as index.php or default.asp). For instance, if you create a folder called "incoming" and type "http://www.example.com/incoming/" in your browser, you can see everything in that directory; you don't need a password or anything. To prevent the files from being accessed from the browser, Apache has a function to disable it by running the command "a2dismod autoindex".

F. Upgrade PHP 7.0 to PHP 7.4 and remove info.php

The reason behind upgrading PHP is to fix the bugs that were found in the older version of PHP; rather, I would say, to make it security-focused. I also removed info.php by running the "rm info.php" command.

G. Ecommerce web application vulnerability test

I must reassess the differences by direct comparison of the scans before and after hardening and correction of the vulnerabilities of the e-commerce application. After the post-assessment, specific learning targets will be accomplished because a clear safety benchmark is reached. I analyze the Nessus Essentials vulnerability assessment report after restarting the device.

III. CONCLUSION

My aim was to find the weaknesses in my website with Nessus and to harden it with plugins and a self-signed certificate. I used the "All in One WP Security" plugin for hardening WordPress and implemented a self-signed certificate by changing the configuration of the Apache files. Comparing the scan results of the website taken before and after hardening, hardening my website increased its security and found fewer vulnerabilities compared to its initial scan. By doing so, I accomplished the objectives of my lab 2.

IV. APPENDIX
Fig 5. Shows the updated version of PHP.
Fig 6. Shows the firewall updates/configuration.
Fig 9. Shows the change of admin username.
Fig 10. Shows the final scan results of web vulnerabilities.