WebSec 101: Configuration
Presented By
Mike Andrews
mike.andrews@foundstone.com
mike@mikeandrews.com
Copyright © 2009, McAfee, Inc.
Intro Music by DoKashiteru via CCMixter
Nothing in isolation
► A web application runs on a stack, and every layer of it is part of the security picture:
● Application
● Libraries
● Operating System
● Network
Attack Surface
► The attack surface is the sum of all the points (attack vectors) through which an attacker can interact with the system
► Think of a house, with doors and windows as the attack vectors
► Minimize the surface area: remove the doors and windows that are not needed, and make sure the ones that remain are locked and secure
From the bottom
► Each running network service is a door or window
► Generally a web application only needs external users to reach ports 80 and 443
● Turn off services like Telnet, FTP, SMTP, etc.
● Some may be necessary (administration, backups); restrict those to trusted addresses at the firewall
► Some servers can also be administered via web pages on a separate administrative port
● e.g. http://servername:5842
nMap
► nMap – “Network Mapper”: lists which ports are listening on a host
► Look for open TCP ports, especially high-numbered ones that may be carrying an administrative web interface
► Connect to them and send an HTTP request to see whether a web server answers
● HEAD / HTTP/1.0
Checking for known vulnerabilities
► Need to know the type and version of the software
● From an internal/white-box point of view this is easy!
► Can be done for both OS and webserver
● nmap -O (guesses the OS from the behaviour of its TCP/IP stack)
● HEAD request --> Server header
They Lie!
► Sometimes there is no Server: header, and sometimes it lies!
● Fingerprint on response differences instead: header order, status-line wording and error-page layout vary between server types even when the banner has been removed or faked
How does HTTPrint work out the server type?
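The manual probe from the nMap slide (HEAD / HTTP/1.0 against each open port) plus a small header-order fingerprint, as an added example for this page; it is not code from the original slides or from HTTPrint. The SIGNATURES table and the two sample responses are constructed to illustrate how header order differs between servers and are not real HTTPrint signatures; the hostname and port are whatever nmap reported.

```python
"""Banner grab plus a response-shape fingerprint.  Added example for this
page; it is not code from the original slides or from HTTPrint.  The
SIGNATURES table and the two sample responses are constructed illustrations
of how header order differs between servers, not real HTTPrint signatures."""
import socket


def fetch_head(host, port=80, timeout=5.0):
    """Send HEAD / HTTP/1.0 over a raw socket (the slide's manual probe) and
    return the response headers as bytes.  Use the open ports nmap found."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data


def parse_response(raw):
    """Return (status line, ordered list of (header name, value))."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def banner(headers):
    """The version information the server volunteers (Server, X-Powered-By)."""
    return {n.lower(): v for n, v in headers if n.lower() in ("server", "x-powered-by")}


# Constructed: the order in which each server type emits common headers.
SIGNATURES = {
    "Apache": ["Date", "Server", "Last-Modified", "ETag", "Content-Type"],
    "IIS": ["Content-Length", "Content-Type", "Last-Modified", "ETag", "Server", "Date"],
}


def fingerprint(headers):
    """Guess the server from header order alone, ignoring the Server value.
    Only headers present in both the response and the signature are compared,
    so a removed Server header does not break the match."""
    names = [n for n, _ in headers]
    best, best_score = "unknown", 0
    for server, order in SIGNATURES.items():
        present = [n for n in names if n in order]
        expected = [n for n in order if n in names]
        score = sum(1 for a, b in zip(present, expected) if a == b)
        if score > best_score:
            best, best_score = server, score
    return best


def assess(raw):
    """Combine banner and fingerprint; 'consistent' is False when they disagree."""
    status, headers = parse_response(raw)
    claimed = banner(headers)
    guess = fingerprint(headers)
    server = claimed.get("server")
    return {
        "status": status,
        "claimed": server,
        "powered_by": claimed.get("x-powered-by"),
        "fingerprint": guess,
        "consistent": server is None or guess.lower() in server.lower(),
    }


# Constructed samples: an Apache-shaped response whose Server header has been
# edited to claim IIS, and an IIS-shaped response with the banner removed.
LYING_APACHE = (b"HTTP/1.1 200 OK\r\nDate: Mon, 05 Jan 2009 10:00:00 GMT\r\n"
                b"Server: Microsoft-IIS/6.0\r\nLast-Modified: Sun, 04 Jan 2009 09:00:00 GMT\r\n"
                b"ETag: \"1a2b-3c4d\"\r\nContent-Type: text/html\r\n\r\n")
SILENT_IIS = (b"HTTP/1.1 200 OK\r\nContent-Length: 1433\r\nContent-Type: text/html\r\n"
              b"Last-Modified: Sun, 04 Jan 2009 09:00:00 GMT\r\nETag: \"0c5e6\"\r\n"
              b"X-Powered-By: ASP.NET\r\nDate: Mon, 05 Jan 2009 10:00:00 GMT\r\n\r\n")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # python banner.py host [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(assess(fetch_head(sys.argv[1], port)))
    else:
        print(assess(LYING_APACHE))
        print(assess(SILENT_IIS))
```

Run it against a host and port to see the banner next to the fingerprint; when `consistent` is False the Server header has been changed (the "they lie" case), and when `claimed` is None the order-based guess is all you have. Real tools use far larger signature sets and also compare error pages, but the principle is the same.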
Join the dots
► Given a webserver type/version, sometimes the OS can be determined
● IIS/6.0 → Windows box (Server 2003)
● Sun ONE → Solaris
● Apache → ??? (runs on almost anything)
With information comes power!
► What to do with this info?
● Look up known vulnerabilities for that platform and version (SecurityFocus, Secunia, OSVDB; see references)
Changing the SERVER header
► Smells of “security by obscurity”
► I believe that …
Apache/1.3.0 (Unix) PHP/3.0 SomeMod/9.3 …
…is too much info
► Apache (>1.3)
● ServerTokens Prod[uctOnly] (and ServerSignature Off, so error pages stop repeating the version)
► IIS
● IISLockdown/URLScan + RemoveServerHeader=1
● Remember the X-POWERED-BY header as well!
Scanning products
► Various products are available to scan machines/networks for known vulns
► Network scanning vs application scanning: a network scanner checks the services and versions exposed on each port, an application scanner walks the web application itself
Rest of the stack
► What about vulns in the rest of the stack?
● Issues with the app, framework and libraries will be addressed in future webcasts
● In terms of configuration, we want to remove unnecessary features/components and secure the ones that are left
► Left-over files, samples, demos, etc.
► Weak server configuration
Reviewing the web root
► Much easier to do if you have local access
► Look for all the places that are mapped
● Apache - httpd.conf → DocumentRoot (plus Alias, ScriptAlias and any VirtualHost entries)
● IIS - IIS Manager → Web Sites + Virtual Directories
► Review files and directories - remove those that are not necessary to running the application
● If in doubt, move the file/directory out of the web root(s) and see if the application functions normally (do this on a VM clone, not on production)
► Also look for installed applications - does anyone really need MSOffice on the web server? Games? CS Server?
Nikto/Wikto
► Example of a (free) tool which scans for potentially vulnerable files/settings
► Can generate a lot of false positives
● It relies on HTTP status codes (404s etc.) to decide whether a file exists
● The "200 OK" problem: a server that answers every request with 200 (custom error page, catch-all handler) makes every probe look like a hit
► Not necessarily security problems, but should be verified
● Left-over installation files / example scripts
● Known vulnerabilities / old versions
● Use -update to get the most current signatures
− Can also add your own custom ones
Identifying resources (verifying a scanner hit)
► Request a "bad" resource, one that cannot exist, to learn how the server says "not found"
► Does the probed resource exist? [n] → no vulnerability
► [y] Is it a custom response (e.g. an error page served with 200 OK)? [n] → positive vulnerability
► [y] Do we recognize it as that same custom error page? [y] → false positive, no vulnerability; [n] → positive vulnerability
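The decision flow above, as an added example for this page (not Nikto's own logic and not code from the slides): request a resource that cannot exist, record how the server answers, then treat any probe that gets the same answer as a false positive. The three sample responses are constructed; `fetch` and `triage_live` are the same logic pointed at a real host.

```python
"""Separating a real find from the "200 OK problem".  Added example for
this page; it is not Nikto's own logic.  The sample pages below are
constructed.  Idea: first request a resource that cannot exist, record how
the server answers, then treat any probe that gets the same answer as a
false positive."""
import hashlib
import random
import re
import string
import urllib.error
import urllib.request


def random_path():
    """A name no site will have, so the reply shows the server's not-found behaviour."""
    name = "".join(random.choice(string.ascii_lowercase) for _ in range(16))
    return "/" + name + ".html"


def fetch(base_url, path, timeout=5.0):
    """GET base_url + path; returns (status, body) even for error statuses.
    Only used against a live server, not by the offline demo."""
    try:
        with urllib.request.urlopen(base_url + path, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def page_shape(body):
    """Hash the body with request-specific parts (paths, numbers, dates) masked,
    so two instances of the same custom error page compare equal."""
    text = body.decode("latin-1", "replace").lower()
    text = re.sub(r"/[a-z0-9_./-]+", "/PATH", text)   # the echoed request path
    text = re.sub(r"\d+", "N", text)                   # dates, sizes, request ids
    return hashlib.sha256(text.encode()).hexdigest()


def baseline(status, body):
    return {"status": status, "shape": page_shape(body)}


def classify(base, status, body):
    """'absent': a real not-found; 'false-positive': the same answer the random
    probe got (custom error page, catch-all redirect); 'found': something else."""
    if status in (404, 410):
        return "absent"
    if status == base["status"] and page_shape(body) == base["shape"]:
        return "false-positive"
    return "found"


# Constructed responses for the offline demo.
NOT_FOUND_PAGE = (b"<html><body><h1>Oops</h1><p>The page /qzvyx.html was not found"
                  b" on 2009-01-05 (request 4412).</p></body></html>")
PROBES = {
    "/admin/": (200, b"<html><body><h1>Oops</h1><p>The page /admin/ was not found"
                     b" on 2009-01-05 (request 4413).</p></body></html>"),
    "/server-status": (200, b"<html><head><title>Apache Status</title></head>"
                            b"<body><h1>Apache Server Status</h1></body></html>"),
    "/setup.php": (404, b"Not Found"),
}


def triage(probes=PROBES, not_found=(200, NOT_FOUND_PAGE)):
    """Classify each probe against the baseline; returns {path: verdict}."""
    base = baseline(*not_found)
    return {path: classify(base, status, body) for path, (status, body) in probes.items()}


def triage_live(base_url, paths):
    """Same logic against a real host: python this.py http://host /admin/ /setup.php"""
    base = baseline(*fetch(base_url, random_path()))
    return {p: classify(base, *fetch(base_url, p)) for p in paths}


if __name__ == "__main__":
    import sys
    print(triage_live(sys.argv[1], sys.argv[2:]) if len(sys.argv) > 2 else triage())
```

The masking in `page_shape` is what makes the "recognize?" step work: the custom error page echoes the requested path and a timestamp, so a plain byte comparison would never match. Anything classified as `found` still needs a human look; this only removes the noise.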
WebDAV
► WebDAV (Web Distributed Authoring and Versioning) extends HTTP with extra methods (PUT and DELETE plus PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK) so that content can be managed over HTTP
● Allows for editing/modification/creation of web pages without having file-level access to the server
● Uses normal HTTP auth – Basic, Digest, NTLM, etc.
► Generally users do not need WebDAV on production servers, so turn it off (or secure it)
► Connect to the server and use the HTTP OPTIONS method to see if it's enabled (the Allow: header in the reply lists the verbs on offer)
● Test with tools like DAVExplorer, DAVE, PerlDAV, (FrontPage?)
● Turn off methods other than GET, POST, and HEAD
HTTP Options
Turning off HTTP verbs
► Apache
● Uninstall/disable mod_dav (or variants such as mod_dav_svn)
− Look for DAV On in the web config file(s)
● mod_rewrite +
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|…|…)
    RewriteRule .* - [F]
● TRACE itself is better switched off with TraceEnable off (Apache 1.3.34 / 2.0.55 and later), since mod_rewrite does not see TRACE on every configuration
► IIS
● Web Service Extensions manager (in the IIS Manager MMC; IIS 6.0)
● (4.0 + 5.0) URLScan + DenyVerbs
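An OPTIONS probe with a follow-up check, as an added example for this page (not the slides' own procedure and not any DAV client): it reads the Allow: header, splits what is on offer into WebDAV verbs, TRACE and the rest, and then confirms whether the verbs a config change was supposed to block actually return 403/405/501. SAMPLE_HEADERS is a constructed OPTIONS reply in the style of an IIS 5 box with WebDAV left on.

```python
"""Probe which HTTP methods a server advertises (OPTIONS) and confirm whether
the unwanted ones really are blocked.  Added example for this page; it is not
the slides' own procedure or any DAV client.  SAMPLE_HEADERS is a constructed
OPTIONS reply."""
import http.client

WANTED = {"GET", "POST", "HEAD"}
WEBDAV = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
# Verbs whose probe cannot change anything on the server; PUT/DELETE/MKCOL are
# deliberately left out of the live confirmation step.
SAFE_TO_SEND = {"OPTIONS", "TRACE", "PROPFIND", "SEARCH"}


def send(host, port, method, path="/", timeout=5.0):
    """One request, returning (status, list of (header, value))."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


def advertised_methods(headers):
    """Verbs listed in Allow: (and Public:, which some IIS versions send)."""
    methods = set()
    for name, value in headers:
        if name.lower() in ("allow", "public"):
            methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return methods


def review(methods):
    """Everything beyond GET/POST/HEAD, split into WebDAV verbs, TRACE and the rest."""
    extra = methods - WANTED
    return {
        "webdav": sorted(extra & WEBDAV),
        "trace": "TRACE" in extra,
        "other": sorted(extra - WEBDAV - {"TRACE"}),
    }


def blocked(status):
    """405/501 mean the verb is refused; 403 means URLScan or a rewrite rule stepped in."""
    return status in (403, 405, 501)


def confirm_blocked(host, port, methods, path="/"):
    """Allow: only says what the server claims; send each safe verb and look at
    the status code.  Live check only."""
    return {m: blocked(send(host, port, m, path)[0]) for m in methods & SAFE_TO_SEND}


# Constructed reply in the style of an IIS 5 box with WebDAV left switched on.
SAMPLE_HEADERS = [
    ("Server", "Microsoft-IIS/5.0"),
    ("Public", "OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE, COPY, MOVE, PROPFIND,"
               " PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK"),
    ("Allow", "OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE, COPY, MOVE, PROPFIND,"
              " PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK"),
    ("DAV", "1, 2"),
    ("Content-Length", "0"),
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:       # python methods.py host [port]
        host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 80
        found = advertised_methods(send(host, port, "OPTIONS", "*")[1])
        print(review(found))
        print(confirm_blocked(host, port, found - WANTED))
    else:
        print(review(advertised_methods(SAMPLE_HEADERS)))
```

Run the live mode after applying the mod_rewrite rule or URLScan DenyVerbs: an empty `review` result is not proof, because a server can omit Allow: entirely, which is why `confirm_blocked` sends the verbs and reads the status. A TRACE that comes back 200 is worth fixing on its own (cross-site tracing), independent of WebDAV.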
HTTPS
► HTTPS (HTTP over SSL/TLS) is a requirement on a lot of websites
● Provides confidentiality
− Not only for PII or credit card info, but also for session tokens (more later)
● Provides integrity
− Protects the traffic against tampering by a man in the middle (MITM)
● Authentication as well, but leave that for another time
► The strength of the SSL cipher used matters, depending on the information being protected
● “Weak” (export-grade, 40-bit) ciphers can be brute-forced in as little as 4 hours (see references)
SSL Negotiation
► SSL selects the cipher to use by negotiation between the server and browser
● The client offers the ciphers it supports and the highest common available cipher is selected
► SSLv2 downgrade attack
● SSLv2 does not protect the handshake, so a MITM can rewrite the offered list and force a weaker cipher than both sides actually support
● Only allow “strong” ciphers, and disable SSLv2 altogether
► Use SSLDigger and OpenSSL to check which ciphers and protocol versions the server accepts
Removing SSL Ciphers
► Apache
● mod_ssl +
− SSLCipherSuite HIGH:+MEDIUM:!LOW:!SSLv2
− The string is handed straight to OpenSSL: a bare name or alias adds ciphers, ‘+’ moves ciphers already in the list to the current position (it does not add any), ‘-’ removes, and ‘!’ removes permanently
− Can select specific ciphers instead of aliases
− SSLCipherSuite !AES256-SHA:+RC2-CBC-MD5
− Because ‘+’ only reorders, a string like the one above that never adds anything leaves an empty list; start from an alias such as HIGH or ALL and check what the string expands to with the openssl ciphers command before deploying it
► IIS
● Site Properties → Directory Security → Secure communications → Require 128-bit encryption
● Can remove individual ciphers and protocols via the registry (SCHANNEL keys, see references)
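Cipher negotiation with a permissive list beside a restricted one, and a live probe that asks a real server which ciphers it accepts, as an added example for this page (not code from the slides or from SSLDigger). CIPHERS is a constructed subset of OpenSSL cipher names with their protocol and key size; the negotiation function models the "highest common cipher" rule from the SSL Negotiation slide, and `downgrade_demo` shows why removing weak ciphers on the server is what defeats a forced downgrade.

```python
"""Why the server's cipher list matters: the same downgraded client offer
against a permissive and a restricted server, plus a live probe that asks a
real server which ciphers it accepts.  Added example for this page, not from
the slides or from SSLDigger.  CIPHERS is a constructed subset of OpenSSL
names; check a real SSLCipherSuite string with `openssl ciphers -v`."""
import socket
import ssl

# name -> (protocol it belongs to, key bits); constructed illustration
CIPHERS = {
    "AES256-SHA": ("TLSv1", 256),
    "AES128-SHA": ("TLSv1", 128),
    "RC4-SHA": ("SSLv3", 128),
    "DES-CBC-SHA": ("SSLv3", 56),
    "EXP-RC4-MD5": ("SSLv3", 40),
    "RC2-CBC-MD5": ("SSLv2", 128),
}


def is_weak(name):
    """Below 128 bits, export grade, SSLv2-only, or RC4 (weak by today's standards)."""
    proto, bits = CIPHERS[name]
    return bits < 128 or proto == "SSLv2" or name.startswith("EXP") or "RC4" in name


def weak_in(cipher_list):
    return [c for c in cipher_list if is_weak(c)]


def negotiate(server_list, client_offer, honor_server_order=True):
    """First cipher both sides support.  With honor_server_order the server's
    list decides (Apache: SSLHonorCipherOrder on); otherwise the client's."""
    first, second = (server_list, client_offer) if honor_server_order else (client_offer, server_list)
    for cipher in first:
        if cipher in second:
            return cipher
    return None


# Weak setting beside the corrected one: an everything-on list, and the same
# list with the weak entries removed (what HIGH:!LOW:!SSLv2 is aiming at).
PERMISSIVE = ["AES256-SHA", "AES128-SHA", "RC4-SHA", "DES-CBC-SHA", "EXP-RC4-MD5", "RC2-CBC-MD5"]
HARDENED = [c for c in PERMISSIVE if not is_weak(c)]


def downgrade_demo():
    """A man in the middle rewrites the ClientHello so only weak ciphers are
    offered.  The permissive server agrees; the hardened one has nothing in
    common and the handshake fails, which is the outcome we want."""
    forced_offer = ["EXP-RC4-MD5", "DES-CBC-SHA"]
    return {
        "permissive": negotiate(PERMISSIVE, forced_offer),
        "hardened": negotiate(HARDENED, forced_offer),
    }


def probe_server_ciphers(host, port=443, timeout=5.0):
    """Live check: offer one cipher at a time and record what the server accepts.
    Capped at TLS 1.2 so the answer reflects the cipher we offered; TLS 1.3
    suites cannot be selected with set_ciphers and are skipped."""
    accepted = []
    for entry in ssl.create_default_context().get_ciphers():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE      # testing ciphers, not the certificate
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(entry["name"])
        except ssl.SSLError:
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    accepted.append((tls.cipher()[0], tls.version()))
        except (ssl.SSLError, OSError):
            continue
    return accepted


if __name__ == "__main__":
    import sys
    print("weak ciphers in permissive list:", weak_in(PERMISSIVE))
    print("forced weak offer:", downgrade_demo())
    if len(sys.argv) > 1:
        print(probe_server_ciphers(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

The live probe is limited by what the local OpenSSL build still ships: a modern library no longer contains SSLv2 or export suites at all, so absence from `accepted` proves nothing about those; for that part use the registry settings or a dedicated scanner. What the probe does show is whether the server would still agree to RC4, 3DES or other entries you intended `!LOW`-style exclusions to remove.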
Conclusion/wrap-up
► Ensure that the machine is as “clean” as possible
● Stop unnecessary services and close the ports
● Remove all unnecessary pages / scripts / interfaces
► Disable the HTTP methods the application does not use
► Use SSLv3/TLS, never SSLv2 (today that means TLS only: SSLv3 has since been broken as well)
► Remove all SSL ciphers other than “strong” or above
► See…
● LAMP - http://www.apachesecurity.net/
● WISA - http://msdn2.microsoft.com/enus/library/ms994921.aspx
Next Up: Authentication
Credits/references
► NetCat
● http://netcat.sourceforge.net/
● (also available in Cygwin - http://www.cygwin.com/)
► SecurityFocus.com, Secunia.com, OSVDB.org
► HTTPrint
● http://net-square.com/httprint/
► nMap
● http://insecure.org/nmap/
► Apache documentation
● http://httpd.apache.org/docs/1.3/mod/core.html#servertokens
● http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
► IISLockdown
● http://www.microsoft.com/downloads/details.aspx?FamilyID=DDE9EFC0-BB30-47EB-9A61-FD755D23CDEC
► URLScan
● http://www.microsoft.com/technet/security/tools/urlscan.mspx
► Brute force weak SSL ciphers
● http://www.cl.cam.ac.uk/~rnc1/brute.html
► IIS SSL ciphers registry hack
● http://support.microsoft.com/kb/216482
● http://support.microsoft.com/kb/187498