
Page 1: Kingston University Thesis - Design and Implementation of a Secure Web Application

DESIGN AND IMPLEMENTATION OF A SECURE WEB APPLICATION

GEORGIOS DELAPORTAS

Master of Science in Networking and Data Communications

THESIS

Kingston University London

Kingston University London

Thesis Title: Design and Implementation of a Secure Web Application

Dissertation submitted for the Degree of Master of Science in Networking and Data Communications

By GEORGIOS DELAPORTAS

SUPERVISOR: DR. PANAGIOTIS KOTZANIKOLAOU

KINGSTON UNIVERSITY, SCHOOL OF COMPUTING AND INFORMATION SYSTEMS

TEI OF PIRAEUS, DEPARTMENTS OF ELECTRONICS AND AUTOMATION

JANUARY 2011

TABLE OF CONTENTS

1. Introduction ... 5
2. Setting up and test environment ... 8
   2.1. The virtual machine ... 8
   2.2. The Windows 2003 server ... 10
   2.3. The Apache web server ... 12
   2.4. The PHP interpreter and Smarty engine ... 13
   2.5. The MySQL RDBMS ... 14
   2.6. Other configurations and options ... 16
   2.7. Design and development of a demo web application ... 17
      2.7.1. Design concepts ... 17
      2.7.2. Development concepts ... 19
3. Vulnerability assessment ... 22
   3.1. Vulnerability scanners ... 22
   3.2. Port scanners ... 28
   3.3. Packet sniffers and analyzers ... 31
   3.4. Intrusion detection systems ... 32
   3.5. Password strength tests ... 33
   3.6. Exploits of the web application ... 35
   3.7. Comments on results ... 36
4. Proposed solutions, security measures and configurations ... 38
   4.1. General solutions ... 38
   4.2. Firewalls ... 43
   4.3. SSL ... 44
   4.4. Advanced configurations ... 45
   4.5. Quality Assurance of the web application ... 46
5. Conclusions ... 48
References ... 49
Appendix A – Source code ... 52
Appendix B – Detailed security reports ... 61

1. Introduction

The Internet nowadays offers many applications on the web. Web applications can handle and manage today what, only a few years ago, would have been difficult if not totally impossible. It is globally accepted that the Internet has tremendously evolved. The World Wide Web offers companies penetration into the worldwide market in more intelligent, efficient and instant ways. The new trends in e-commerce over the last decade, and the need for instant advertising in many fashions all over the world at the same time, mark the Internet as the most suitable tool in comparison to classic TV or radio broadcasts. As soon as companies and organizations realized this, and that the Internet can host applications already presented as individual programs for PCs, a new era began [3].

Web applications are today very popular indeed. They offer services all over the globe simultaneously, based on the web. This is critical due to consumers' needs and the speed of e-marketing. These are the main reasons that web applications have so quickly been accepted and adopted. Some of these web applications are more complex systems that are preferably called platforms or e-platforms and host other applications that rely on them. Well known examples of global web applications are social network applications such as Facebook and MySpace. Other big categories of popular web applications are Enterprise Resource Planning (ERP), Customer Relationship Management (CRM) and Content Management Systems (CMS). Especially for Content Management Systems, development over the last 4 years has been growing rapidly. Projects such as Joomla! [15], Drupal [16], osCommerce [17], Zen Cart [18] and other CMS have given the ability to set up mini platforms not only to companies but also to end users, in order to develop personal web pages or even large-scale e-shops. An e-shop sells through the web what a salesman would sell to you at your door; well, not actually the same product, since the price does not include the cost of the salesman, the time taken for him to come and find you and your house, the precious time lost discovering your needs, and it certainly does not ring your bell. This may sound funny, but it isn't. It's the reality. The Internet minimizes costs, risks, time and human resources, and automates even the billing procedures. The most usual way of payment is by credit card, either through an e-banking system utilizing SSL-based encryption and server certification or by integrating a special purpose payment service such as PayPal [3].

At first glance it seems that web applications are capable of offering many services to clients at a low cost and with low risk. But is this true? Well, this is not entirely true, and that is what this research is going to show through a series of tests on a demo web server running a typical web application. Due to hackers and the countless deceptions that have become publicly known over the last years, it is now common sense that the underlying technologies of every web application or e-platform must rely on secure infrastructures and technologies and must be based on secure computing techniques, in order to protect all critical information. Furthermore, as new exploits and vulnerabilities continuously arise, the infrastructures need to be continuously and extensively tested and verified [3], [4].

In the next chapters we will discuss and analyze a scenario where a demo web application that acts as a profile manager is assessed from a security point of view. We will design and develop the test web application and we will perform a vulnerability assessment across all the technologies applied, in order to identify possible security weaknesses and exploits.

The rest of this thesis is organized as follows:

In the second chapter, we will discuss and choose all the underlying technologies and features that will support our application. In section 2.1, we will present possible alternatives for setting up the virtual machine that will host our web application. We will explore possible technologies for the web server, the application server and the database server. In section 2.2, after explaining and describing the configuration, we will set up a typical Windows 2003 Server Enterprise Edition. After the setup we will explain and configure basic subjects and move on to setting up the Apache web server (section 2.3), the PHP interpreter (section 2.4) and the MySQL database management system (section 2.5). In section 2.6, we will describe the basic configurations and finalize the setup. In section 2.7, we will discuss the engineering behind the web application. In this chapter we will develop the web application mainly in PHP and JavaScript. The web application will be based on a custom made CMS, called ALPHA CMS [11], developed by the author. More specifically, we will discuss the design and the development concepts and software architecture in sections 2.7.1 and 2.7.2 respectively.

In the third chapter, we will assess the web server for possible vulnerabilities and we will discuss and analyze the system based on the results of the produced reports. In section 3.1, a few vulnerability scanners such as Nessus [19] will be used. In section 3.2, a few port scanners such as Nmap [20] and SuperScan [21] will scan the server for unsafe ports. In section 3.3, packet sniffers and analyzers such as Wireshark [22] will check the integrity and security of the information that flows through the system. In section 3.4, Snort [23], an intrusion detection system, will be set up in order to protect the server from intruders and will be tested through simulated attacks against the system. In section 3.5, we will test the strength of the passwords that are used in the Windows system. In section 3.6, we will try to discover any exploits and we will inject the exploits to investigate existing bugs that may crash the application. In section 3.7, we will analyze and discuss the results.

The fourth chapter will propose security measures and provide solutions for each corresponding layer of the Internet stack model, based on the vulnerabilities indicated in the previous chapter. More specifically, the solutions will be divided into the IP layer, the TCP/UDP layer and the application layer. In section 4.1, we will propose firewall solutions. In section 4.2, we will discuss a solution based on Secure Sockets Layer. In section 4.3, we will propose some advanced hardening configurations, in order to make the system more secure by following well known security best practices. In section 4.4, we will analyze and assess the web application. More specifically, our analysis will target the software architecture, the interconnections with the database and the database itself [1].

Finally, the fifth chapter will conclude this thesis by summarizing the findings and the lessons learned throughout the development and security assessment of the test web application.

2. Setting up and test environment

In this chapter we will present the procedure for setting up the test environment and will explicitly analyze the choices and the reasoning behind our selection of specific technologies. The second chapter is divided into seven parts. Each part discusses a vital part of the infrastructure that will host our web application. Part 2.7 is further divided into two subparts in order to separate the design from the development, or in other words the view from the actual code and the inner architecture. Each part will also include some useful terminology and a typical technical analysis of the corresponding software.

2.1. The virtual machine

This part discusses the concepts behind choosing a virtual machine to host the web server and analyzes the pros and cons in contrast to a physical system. First of all we need to define what a virtual machine is.

A virtual machine (VM) is a software implementation of a physical machine, a computer, which executes programs as if it were the real machine. Today VMs are used everywhere because they cut down costs and provide easier disaster recovery. Popular VMs are Microsoft Virtual PC [24], VMware Workstation [25], Xen [26], Oracle VirtualBox [5] and Parallels Workstation [27]. With virtualization a server can host more than one operating system (O/S) at the same time. In our scenario the host machine is running a Linux O/S that has a VM that hosts our virtual web server. We have selected Linux for the physical machine because it offers advanced administration and flexibility. Also, Linux systems are usually more efficient and faster than a system running a typical Windows O/S. We have chosen Oracle VirtualBox as the VM because it is free (Oracle offers support, though), it supports Linux and Windows either as host or guest operating systems, it is reliable and it has very good performance that reaches almost 99% of the real system's utilization when it uses the Intel VT-x or AMD-V extensions.

The procedure for the installation is pretty simple. First of all we open a terminal and make sure that our setup executable has the executable permission bit enabled. To do so, we use the command: "chmod +x vm_setup_name.bin". Then we just run it through the following command: "./vm_setup_name.bin". The rest of the installation is wizard based with on-screen instructions. A restart may be required if our Linux distribution requests it. Otherwise we can immediately start the virtual machine by typing: "./virtualbox". We are now ready to configure the options in order to run our guest operating systems.

Our VM has the following options:

- Dynamically use the real machine's CPU
- Consume 256 MB of RAM from the host O/S
- Consume 32 MB from Super VGA for graphics
- Use 10.0 GB of space as a virtual hard disk
- Use the real machine's DVD drive
- Use a virtual NIC to enable network support for the guest O/S, using a Host-Only virtual interface to interconnect the host and the guest O/S (Intel PRO/1000 T Server 82543GC)
- Enable VRDP for remote administration
- VM name: MyWebServer

The VM has been optimized to host a Windows Server 2003 Enterprise Edition (x86) with NTFS (32 bit) as file system.

Figure 1. The virtual machine interface

2.2. The Windows 2003 server

This part discusses the concepts behind choosing the guest O/S that will be hosted in the virtual machine. For the purposes of our web application we had countless choices. We could choose among many O/S such as Linux [28], IBM AIX [29], Solaris [30], BSD [31] or any Windows [32] version. However, according to the market and statistics we have seen that the operating system that is most popular as a web server is Windows Server 2003 [6]. This means that such a popular O/S is being continuously threatened by hackers and certainly has exploits, vulnerabilities and bugs. So this is the most productive and suitable O/S on which to run a demo web application and assess it. The setup of the Windows 2003 server will not have extra features or advanced configurations. The purpose is to assess a typical standardized installation, which unfortunately is commonly applied by unskilled web administrators or web developers.

The procedure for a Windows 2003 installation is more or less well known and all we have to do is follow the installation wizard. When finished we may install the VM Tools, which will provide us with a better interface experience. The VM Tools will install drivers for mouse acceleration, display drivers and a few disk acceleration drivers that will enable better hard disk caching and speed optimizations. Finally we will configure a few options.

The actual configuration of the Windows 2003 Server setup is as follows:

- Server name: "MYWEBSERVER"
- SP1
- R2 Add-ons
- DHCP assigned IP address
- NTFS file system (32 bit)
- No updates
- No firewall
- No antivirus
- No optimizations enabled
- No extra features
- No advanced configurations

Detailed information on the credentials used can be found in Table 1.

Figure 2. The server desktop

2.3. The Apache web server

This part discusses the installation and configuration of the web server. A web server is a piece of software that serves web data to web clients through an HTTP stream. The web server has to be installed on a physical machine that hosts a web page. Every time a user (web client) requests a page on the Internet, the web server replies to the request by forwarding the web page data to the client. The user must have a typical web client (e.g. Internet Explorer [33], Mozilla Firefox [34], Google Chrome [35]) in order to render the data into something meaningful.

For our purposes we have chosen the Apache web server [7]. Apache is the most popular web server software; it offers many features and supports all the cutting edge technologies on the web. Apache is stable, reliable and fast. It can handle many simultaneous connections and offers many useful features for web administrators. It runs on Linux, UNIX or Windows. In comparison to Microsoft IIS [36], Apache is more extensible, with lots of modules, and that is the basic reason that the Apache web server will be the base for our web application.

In order to install Apache we just double click the executable and follow the instructions of the setup wizard. It is important to note that we had better install all the features and modules included in the installation, plus SSL support. Apache is smart software, so even if we install all features we will not be forced to use them at the same time. Instead we will be able to configure and enable each and every option separately.

Figure 3. The Apache web server

2.4. The PHP interpreter and Smarty engine

This part discusses the installation and configuration of the PHP interpreter [8]. PHP is an acronym for Hypertext Preprocessor. PHP is a widely used general purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is the de facto scripting language for dynamic web pages. PHP runs on the server side, and that offers safety and speed to web applications. PHP offers object oriented programming, a rich suite of instructions, helper functions and a smart caching engine that speeds up web page rendering.

Smarty [9] is a template engine and a scripting language written in PHP. Smarty is used to design web sites programmatically. It offers fine tuned operators and is useful for web designers. It also supports an advanced caching engine that extends the PHP caching capabilities.

PHP and Smarty together result in a strong tool that separates design from code. Using Smarty to design the layout of the web page and PHP to program it, we enable a smart and convenient architecture for easy manageability and extensibility.

To install the PHP interpreter we double click the executable and follow the on-screen instructions of the wizard. We have to install most of the supported modules, and among them the most important ones are MySQL, MySQLi and PECL.

Finally we will install ALPHA CMS, which will be the base of our web application. To install it we just copy the "alpha_cms" folder extracted from the "ALPHA_CMS.zip" file and change the permissions of the following folders to 777:

1. /smarty/templates_c
2. /smarty/cache
3. /conf
4. /admin/ewcfg.php

ALPHA CMS supports a combination of AJAX and Model-View-Controller (MVC) architecture [2].

2.5. The MySQL RDBMS

This part discusses the installation and configuration of the MySQL DB Server [10]. An SQL server is a piece of software that serves user queries that ask for data formatted in various ways. The SQL server also hosts the actual data in a database. A database, in simple words, is a system that organizes data in structures that offer either hierarchical or semantic ways of combining the data.

For our purposes we have used Oracle's MySQL [10]. We install the MySQL server by simply double clicking the executable and following the wizard screens. The most important step is when the wizard asks us to choose the best usage type for the database. Among the options we will choose a general usage database, and MyISAM as the database type.

Oracle's MySQL Relational Database Management System is a very popular, fast and reliable RDBMS that is supported by the vast majority of scripting languages on the web, including PHP. MySQL supports ANSI SQL 99 and many useful features such as SSL support for encrypted remote connections, query caching and two fast storage engines, MyISAM and InnoDB, plus Falcon, which is still in a beta phase.

Detailed information on the credentials used can be found in Table 1.

Figure 4. The MySQL server

2.6. Other configurations and options

We can have advanced configurations that affect more than one part of our system. The following configuration affects the way that Apache and PHP manage the URLs and handle them internally.

The Apache web server offers numerous configurations to optimize and secure the infrastructure. One of the most useful Apache modules is the Rewrite Engine. A rewrite engine is software that modifies a web URL's appearance. Rewritten URLs are used to provide shorter and more relevant-looking links to web pages. The technique adds a degree of separation between the files used to generate a web page and the URL that is presented to the world [7].

A rewrite engine can be used in conjunction with a hypertext access file (.htaccess) that configures the web server on demand, only for the local directory. Hypertext access files can be used for:

- Authorization and authentication. Apache provides a framework and a set of modules for authorization and authentication. The administrator can enable these modules and configure specific options in the .htaccess file.
- Customized error responses. Apache provides a way to customize the error responses. The administrator can enable, disable, redirect or even choose what the error pages look like through the .htaccess file.
- Rewriting URLs. Apache provides a framework and a set of modules for URL rewriting through the .htaccess file. The administrator can enable these modules and define how any URL looks in the web client's address bar.
- Cache control. Apache provides directives for simple cache configuration through the .htaccess file. An administrator can set the expiration dates or the amount of RAM that the web server will use for cache.

By configuring the web server this way, PHP "sees" the URLs in a more human readable way, and this is the way we should use them from now on. A good example would be "/index.php?page=test", which would be transformed to "/test". It is important to note that the usage of a hypertext access file is not always the best choice, because we can make our server inconsistent and act differently for different directories. The best scenario, though, is to configure the web server globally with httpd.conf and add any extra options to .htaccess.
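As an added illustration (not the thesis's own configuration nor part of ALPHA CMS), the following fragments show the "/test" to "/index.php?page=test" rewrite described above, with the global settings in httpd.conf and only the extra options in .htaccess. The document root path, the directory name and the rewrite pattern are assumptions.

```apache
# --- httpd.conf (global, loaded once for the whole server) ---
# Document root path and directory name are assumptions for this example.
LoadModule rewrite_module modules/mod_rewrite.so

<Directory "C:/webroot/alpha_cms">
    # Per-directory RewriteRule needs FollowSymLinks; directory listings
    # are switched off so a missing index never exposes the file tree.
    Options +FollowSymLinks -Indexes
    # Permit only the overrides the .htaccess below actually uses
    # (rewrite rules, ErrorDocument). "AllowOverride All" would let any
    # subdirectory change authentication, options and handlers, which is
    # the inconsistency across directories the text warns about.
    AllowOverride FileInfo
</Directory>

# --- .htaccess inside the alpha_cms directory (extra options only) ---
RewriteEngine On
# Assumes the application is served from the site root.
RewriteBase /

# Never rewrite requests for real files or directories (CSS, images,
# the /admin panel), otherwise they would be fed to index.php as pages.
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# /test  ->  /index.php?page=test
# The capture is limited to a short name of letters, digits, '_' and '-',
# so the rewritten "page" value can never contain '/', '.' or '?'.
# [L] stops further rules, [QSA] keeps any original query string.
RewriteRule ^([A-Za-z0-9_-]{1,32})/?$ index.php?page=$1 [L,QSA]

# index.php must still validate "page" itself: the query string form
# /index.php?page=... remains directly reachable and bypasses this pattern.
```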

2.7. Design and development of a demo web application

This part discusses general concepts of the demo web application. We will implement this demo web application using the technologies that were referred to in the previous parts, and we will design it based on a clean-cut architecture. The base of our web application will be ALPHA CMS 3.8, an advanced API-free open source CMS written in PHP and Smarty by the author. The web application we are going to implement is a demo of a Customer Relationship Management (CRM) system. Our web application implements only the profile manager for the contacts. The subparts that follow discuss all the design concepts and the development concepts.

2.7.1. Design concepts

In this part we will discuss the web application design concepts. The web application needs to be straightforward and easy to use and understand. The main screen will provide a simple login form with two text inputs and a submit button. The home page should give users the ability to alter basic information, plus extra features for categorization based on the company's needs. To do so, the home page should offer a simple environment including text boxes, text areas, option boxes and two buttons for saving or cancelling. The back-end is going to be the ALPHA CMS administration panel, which will enable us to add dynamic HTML, labels, boxes etc.

Figure 5. The demo web application (Login screen)

Figure 6. The demo web application (Home screen)

2.7.2. Development concepts

In this part we will discuss the web application development concepts. The web application will be based on ALPHA CMS 3.8 and will be developed mainly in PHP, Smarty and MySQL. Some JavaScript and AJAX code may be needed too. The code architecture will follow that of ALPHA CMS, since the web application will be based on that platform. The Model-View-Controller (MVC) architecture separates the design from the coding and thus helps us to focus on the development of functions rather than on the design concepts [2].

Our web application needs to be fast, reliable, easily extensible, offering smart and easy deployment, easily maintainable, dependable and of course error free. To be able to provide all the above characteristics, the MVC architecture is the most suitable choice. MVC enables the views (the web pages and their functionality) to be completely separated from what the code does and how the real model (the database) is designed. The controller is actually one or more files that act as the interface between the views, i.e. the dynamically generated web pages, and the actual database [2].

It is important now to explain a few things about the code and the usage of its language in our web application. First of all, PHP is the body of the application. PHP is a very useful server side technology for dynamic web content.

PHP has the following important features, which make it useful and very easy for server side development:

- PHP can run either autonomously or embedded in HTML.
- PHP code always runs only inside the "<?php" and "?>" delimiters.
- PHP has no explicit data type declarations. Each variable is assigned a data type automatically according to the data it is going to store. Also there is no declaration of variables. Each variable is self declared upon its first usage.
- PHP offers hundreds of functions, and thousands through extensions.
- PHP has an automatic garbage collector which keeps memory clean.
- PHP is both functional and object oriented.
- PHP is secure.
- PHP is very fast.
- PHP is a scripting language and thus very easy to learn and use.

JavaScript is useful too for client side options, such as the system that changes the locale. The Smarty template engine gives us a fine grade of control to alter the design, and MySQL offers great SQL support to interact with the database through PHP. The MySQL database name that we will use is: ALPHA. A detailed description of the most significant segments of the PHP, JavaScript and MySQL code developed for the project can be found in Appendix A. For the full source code please see the directories "/WebApp" and "WebApp - Optimized".

Finally, the back-end will be the tool that will enable us to administer all the HTML entities in the front-end at design time. The back-end will be secured and will need a username and password. For information on the credentials see Table 1.

The above will be the core and the basis for a solid implementation.

Figure 7. The demo web application back-end (Administration panel)

System/Application/User | Credentials
Windows Server 2003 | Username: Administrator, Password: 1234567890
MySQL | Username: root, Password: 1234567890
ALPHA CMS - Admin panel | Username: admin, Password: admin
George Delaportas | Username: test1, Password: test12345678
Other user | Username: test2, Password: test23456789

Table 1. System, applications and users credentials

3. Vulnerability assessment

In this chapter we will discuss the vulnerability assessment process, refer to the most well known vulnerability detection tools, and run tests and produce reports.

In general, vulnerability assessment is a process that identifies, quantifies and ranks the security vulnerabilities in a system. Vulnerability assessment has many things in common with risk assessment. Vulnerability assessment performs the following steps:

1. Cataloging assets and resources in a system.
2. Assigning importance to those resources.
3. Identifying the vulnerabilities or potential threats to each resource.
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources.

So, in the next parts we will use tools that identify risks and threats, discuss their causes and produce reports for them. We will open these reports with Notepad++ [37]. Notepad++ is a universal editor that can handle various file types. We are going to use Notepad++ because each report has been produced by a different tool and thus has a different structure.

Finally we will discuss and comment on the results in order to be able to propose solutions in the next chapter.

3.1. Vulnerability scanners

Vulnerability scanners are tools that scan for problems on a host machine. They also check for common misconfigurations and security risks.

In this part we will scan our test web server with a very well known and proven vulnerability scanner, the Nessus scanner [19]. There are numerous vulnerability scanners on the Internet and on the market, but Nessus has a huge and updated database of the most recent and risky threats. We will also use the Microsoft Baseline Security Analyzer (MBSA) [38] to investigate Microsoft specific vulnerabilities and security issues.

Figure 8. Nessus

Figure 9. MBSA

First of all we need to install Nessus. The procedure is very simple and mostly automated. We just double click the setup program and all we have to do is follow the instructions of the setup wizard. After the installation it is important to update the vulnerability database. After the update we ran Nessus and got back a very long report on many vulnerabilities. As you may notice, Nessus categorizes the vulnerabilities into groups of low, medium and high risk. The full report is in HTML format in the folder "Reports\VM Simple\Tenable", and the configuration used is in the folder "Reports\VM Simple\Tenable\Nessus Client".

Then we will install MBSA. The installation of MBSA is even simpler. We run the installer and it automatically downloads all the current updates. Then we run the executable and wait till the scan stops. To see the MBSA report, go to the folder "Reports\VM Simple\MBSA".

Table 2 summarizes the most common vulnerabilities and risks found by both Nessus and MBSA. More detailed reports from Nessus and MBSA can be found in Appendix B.

Page 25: Kingston University Thesis - Design and Implementation of a Secure Web Application

According to the reports we have:

1. 5 open ports

2. 35 low severity risks

3. 8 medium severity risks

4. 30 high severity risks

System | Risk | Severity

Windows Server 2003 | The remote host listens on TCP port 445 and replies to SMB requests. By sending an NTLMSSP authentication request it is possible to obtain the name of the remote system and the name of its domain. | LOW

Windows Server 2003 | The remote host is running one of the Microsoft Windows operating systems. It is possible to log into it using one of the following accounts: NULL session, Guest account, Given Credentials. | LOW

Windows Server 2003 | The remote version of Windows contains a version of the RPC library protocol which is vulnerable to a Denial of Service attack in the NTLM authentication field. An attacker may exploit this flaw to crash the remote RPC server and the remote system. | HIGH

Windows Server 2003 | The remote host contains a version of the Win32 API which is vulnerable to a security flaw which may allow a local user to elevate his privileges and might allow a remote attacker to execute arbitrary code on this host. To exploit this flaw, an attacker would need to find a way to misuse the Win32 API. One way of doing so would be to lure a user on the remote host into visiting a specially crafted web page. | HIGH

Windows Server 2003 | The remote version of Windows contains a version of the TCP/IP protocol which does not properly parse IGMPv3, MLDv2 and ICMP structure. An attacker may exploit these flaws to execute code on the remote host. | HIGH

Apache web server | The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials. | MEDIUM

Apache web server | Attempted to determine the presence of various common dirs on the remote web server. The following directories were discovered: /cgi-bin, /config, /doc, and /mysql | LOW

PHP | According to the change log of http://www.php.net the PHP 5.2.9-1 has several security flaws. The most important have to do with the intercommunication of PHP and MySQL subsystem and the OpenSSL library. | HIGH

MySQL | No vulnerabilities found. Just a slight decrease of performance. | LOW

Table 2. Common vulnerabilities for the test web application

We are not going to analyze all the risks – though we should in a real scenario – but we will choose among them the most important ones that directly affect our web application. So, first of all we need to search for vulnerabilities that affect our test web server. Then we need to see what causes problems and security risks for the Apache web server, the PHP interpreter and the MySQL database, and look for security holes in their intercommunication.

Lastly, among the open ports, two TCP ports, 80 and 443, are the most important and should remain open in order to be able to communicate with the web server. Port 443 (HTTPS) is not used in the default configuration but it is going to be used in the optimized one later on.

3.2. Port scanners

In this part we will scan our test web server with a port scanner. A port scanner, simply put, is a piece of software that probes a network host for open ports. There are thousands of port scanners, but we will use two very good and informative scanners called SuperScan [21] and ZenMap [39] (Nmap’s GUI).

Port scanners in general categorize the found ports in groups. Such groups most frequently are:

- Open or Accepted ports

- Closed or Denied ports

- Filtered or Blocked ports

There are many port scanning types but among them, the most widely used are:

- TCP scanning

- UDP scanning

- SYN scanning

- ACK scanning

- FIN scanning

- Window scanning

Figure 10. SuperScan

Figure 11. ZenMap


The next table shows a subset of the scanned ports and their services. We have scanned the web server with ZenMap in intense mode. The intense mode scans both the most common and the best known vulnerable ports and performs O/S detection. The issued command is:

“nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 192.168.56.101”

where -PE, -PS and -PA scan for ports that are enabled, that have a session open and that are alive, respectively.

Then we have scanned the web server with SuperScan with all the options enabled. These options enable a common port scan together with enumeration of NetBIOS information, user and group accounts, network shares, trusted domains and Windows services.

The full report of SuperScan is in the directory: “Reports\VM Simple\SuperScan”

and the full report of ZenMap is in the directory: “Reports\VM Simple\ZenMap”.

Service | State | Description (port)

Apache2.2 | Running | Apache2.2 (80)

MySQL | Running | MySQL (3306)

LmHosts | Running | TCP/IP NetBIOS Helper (139)

RemoteRegistry | Running | Remote Registry (445)

RpcSs | Running | Remote Procedure Call (135)

Table 3. Port scanner report (subset)

At first glance the report does not show anything suspicious. For an experienced administrator though, this subset of the report should raise an alarm. First of all, the MySQL service should not be reachable from the outside world but only from inside the web server, since any attacker could connect through the Internet and destroy the database. This is a very serious mistake that most administrators underestimate. Also the RPC and Remote Registry services should not be open, because they would allow an intruder to exploit a possible vulnerability and connect remotely to the system or, even worse, to erase critical information such as the registry. Finally, the “LmHosts” service should be filtered with a firewall because an attacker can fetch the NTLM hashes and crack them locally.

3.3. Packet sniffers and analyzers

In this part we will use a packet sniffer and analyzer to analyze the traffic, requests and responses of our web application. A packet sniffer/analyzer is a software program that intercepts and logs traffic passing over a digital network. The most widely used packet analyzer is WireShark.

Packet analyzers are most commonly used for:

- Analyzing network problems

- Detecting network intrusion attempts

- Monitoring traffic

- Gathering and reporting network statistics

- Filtering suspect content from network traffic

Figure 12. WireShark


As we can see in figure 12, the packet analyzer has captured our web application user credentials in clear text. This is a very critical vulnerability and requires further security measures to be taken!

A full inspection of the captured packets can be found on the directory:

“Reports\VM Simple\WireShark”.
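The clear-text credential exposure shown in figure 12 can be turned into a detection rule. The following is an added example, not code from the thesis or from WireShark: it parses a constructed HTTP login request as it would be captured on port 80 and reports which form fields carry a secret, masking the values so the alert itself does not leak them again. The field names in SECRET_FIELDS and the sample request are assumptions.

```python
"""Added example (not from the thesis or WireShark): flag credentials that a
login form submits in clear text, as captured from plain HTTP on port 80."""
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Constructed sample capture: the test user of Table 5 logging in over HTTP.
SAMPLE_CAPTURE = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: 192.168.56.101\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n"
    b"username=test1&password=test12345678"
)

# Assumed field names that usually carry a secret; extend per application.
SECRET_FIELDS = ("password", "passwd", "pwd", "secret", "token")


def parse_http_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw request into (request line, lower-cased header map, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_cleartext_credentials(raw: bytes) -> List[Tuple[str, str]]:
    """Return (field, masked value) for every secret-looking form field.

    The value is replaced by a mask of the same length so the finding can be
    logged without copying the secret into yet another clear-text location.
    """
    _, headers, body = parse_http_request(raw)
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []                     # only form posts are inspected here
    form = parse_qs(body.decode("iso-8859-1"), keep_blank_values=True)
    findings = []
    for field, values in form.items():
        if any(key in field.lower() for key in SECRET_FIELDS):
            findings.extend((field, "*" * len(v)) for v in values)
    return findings


def alert_lines(raw: bytes) -> List[str]:
    """One alert line per exposed field, in the form an IDS log would carry."""
    request_line, headers, _ = parse_http_request(raw)
    return [f"CLEARTEXT-CREDENTIAL host={headers.get('host', '?')} "
            f"request={request_line!r} field={field} value={masked}"
            for field, masked in find_cleartext_credentials(raw)]


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_CAPTURE):
        print(line)
```

The same check, run over traffic on port 443 after the SSL configuration of section 4.3, should find nothing, because the form body is no longer visible to the capture; that is the before/after comparison a defender would keep in the report directory.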

3.4. Intrusion detection systems

In this part we will configure an intrusion detection system (IDS). Intrusion detection systems are hardware or software applications that monitor system and network activity for malicious activities or policy violations according to a predefined set of rules. They also produce reports and log each action. The next generation of intrusion detection systems is known as intrusion prevention systems (IPS). An IPS is also able to block or deny any unauthorized actions.

The IDS/IPS we are going to use is Snort. Snort IDS [23] is one of the best known open-source IDS/IPS. In order to install and configure Snort we followed the on-screen instructions of the setup wizard. Then we ran Snort from the Windows command line.

Figure 13. Snort IDS/IPS

We have scanned our web server with ZenMap, in intense scan mode, and Snort caught all the packets on all ports according to a rule set we have downloaded from its web site. The full report of Snort is in the directory “Reports\VM Simple\Snort”.

3.5. Passwords strength tests

Password auditors/crackers are software tools that can test and verify the strength of a given password. In this part we will apply a password auditor and a password cracker in order to verify the passwords used in the test system. For the purpose of our tests we are going to use Cain and Abel [40], a password cracking suite which is the de facto tool for password auditing, cracking and recovery.

Figure 14. Cain and Abel

As we can see from figure 14, Cain and Abel cracked the Windows Server 2003 Administrator password. In order to crack it instantly we have used two methods supported by the Cain and Abel suite. The first method we used is the dictionary attack: the suite tried thousands of candidates from a sample dictionary and found a match. The cracking time was a few minutes. The second method we used is a far more advanced and faster technique, known as the rainbow table attack, which is based on rainbow tables. Rainbow tables are tables of gigabytes of data containing the hash values of candidate passwords, produced by a generator. The generator we have used is called WinRTGen [41] and is shown in figure 15.


Figure 15. WinRTGen

The cracking time with the rainbow table was just a few seconds. Unfortunately,

the Cain and Abel suite does not export any reports or logs but you may test it

again in the VM.

3.6. Exploits of the web application

In this part we will use special software to exploit our web application. The

software is Wikto [42]. Wikto is one of the best auditing and exploitation open

source platforms and offers numerous capabilities.

Figure 16. Wikto


Wikto has scanned our web application and found many exploitable issues. The most significant of them is the fact that many configuration directories and files are exposed to the public. Also, the password files are readable by anyone, and the sessions are not encrypted, so each time a user logs in the credentials are transferred as clear text over the Internet. The full report of Wikto is in the directory “Reports\VM Simple\Wikto”.

3.7. Comments on results

In this part we will review and comment on the security assessment results. According to our plan, we shall design and set up a secure web application. The application currently seems to be working, though it suffers from various vulnerabilities, risks, threats and exploits. Table 4 shows a list of the most important security vulnerabilities identified in all steps of our assessment.

# | Vulnerability | Description | Security Level | Tool

1 | Multiple vulnerabilities that enable attackers to penetrate into the system. | Multiple security updates were not installed. Also a very important malicious software removal tool is missing. | Critical | MBSA

2 | Telnet and time server attacks. | Some potentially unnecessary services are installed. | High | MBSA

3 | Possible O/S detection. | An attacker may be able to detect the exact O/S version and exploit certain services. | Medium | ZenMap

4 | Windows RPC port is open. | An attacker may exploit the Windows RPC and gain full access to the remote system. | Critical | Nessus

5 | MySQL port 3306 is open. | An attacker may connect to the remote MySQL server and destroy the database. | Critical | Nessus

6 | Users' password never expires. | It is possible to retrieve users whose password never expires using the supplied credentials. | Medium | Nessus

7 | Vulnerabilities in Windows TCP/IP could allow remote code execution. | The remote version of Windows contains a version of the TCP/IP protocol which does not properly parse IGMPv3, MLDv2 and ICMP structure. An attacker may exploit these flaws to execute code on the remote host. | High | Nessus

8 | Remote Registry is on. | An attacker may connect to the remote system and delete the registry or change critical information. | High | SuperScan

9 | The time synchronization service is running. | This could allow a remote attacker to penetrate the system by exploiting flaws of this service. | Medium | SuperScan

Table 4. Summary of the most important vulnerabilities identified.

According to the previous reports our web application is mostly vulnerable to external network attacks rather than to internal ones. This is a critical point, since web applications need to be accessible from the Internet and thus the potential attacks could be hundreds per second.

We would rather secure our web server in a bottom-up process covering all the interaction layers. First of all we need to secure the TCP and IP layers by employing a firewall, then we need to eliminate the web application exploits by optimizing the code and possibly by enabling SSL. Finally we could fine-tune the system with a few extra configurations.

Our goal is to be as protected as possible from an unexpected external attacker that is continuously scanning the system. In the next chapter we will analyze the identified vulnerabilities and propose effective security solutions to counter them.

4. Proposed solutions, security measures and configurations

In this chapter we will first discuss general solutions to deal with the vulnerabilities identified in the previous chapter. These solutions are mostly security related. We will also reconfigure the system in order to optimize the application for supporting high load and truly fast responses. Then we will propose more specific solutions and countermeasures, mainly for the firewall and the SSL configuration. There will also be a more advanced configuration overview, which might be considered as extreme measures for a critical scenario. Finally, we will go through a Quality Assurance (QA) of the source code and the user interface of the web application. This is the last part of our analysis. After that we should have a fully featured, optimized web server that will be able to support our web application under high loads with no obvious security risks.

4.1. General solutions

In this part we will discuss general security solutions. According to the results of chapter 3 we need to focus on external access while closing the identified exploits. Before this, as a first step we should seek solutions in the O/S layer of the server that hosts our web application. Then we will focus on the external threats.

The examined server runs a quite large set of programs, applications and services that interact with each other, many of which are not required. Obviously, flaws and occasional instability issues might arise. So we have to make sure that only the necessary programs are running.

The list that follows describes the basic O/S security hardening actions:

Password Policy: First of all we need to set up a password policy and reset the credentials to a new and more secure combination according to the chosen policy. This can be applied by configuring the local security policy: “Control Panel > Administrative Tools > Local Security Policy”. From there we can set the minimum accepted password length, the accepted vocabulary, size limits and finally a policy for expiration. Then we have to reset the old password and enter a new and stronger one. The policy we have set requires at least 10 characters for the user password, at least 1 number, and does not let you use the username as a password. See Table 5 below for details.

System/Application/User | Username | Password

Windows Server 2003 | Administrator | #4dm1n@myw3b53rver!

MySQL | root | my5ql

ALPHA CMS - Admin panel | admin | 4dm1n@b4ckp4n3l#!

George Delaportas | test1 | test12345678

Other user | test2 | test23456789

Table 5. Optimized credentials

As you may have noticed from table 4, the user passwords were left unchanged, since the users themselves have to protect their sensitive information. The MySQL password remains less secure but still more complex than the initial one. This is because the database is only accessed internally and there is no need for a stricter policy. Finally, the ALPHA CMS – Administration panel password is changed to something more scrambled in order to remain secure, since the panel is reachable by anyone with Internet access.

Figure 17. Cain and Abel – Optimized

Windows Services Optimization: The second action is to deactivate all the Windows services that we will not need for our web application. To do so we need to go to “Control Panel > Administrative Tools > Services”. The list that follows shows the services that can and should be deactivated:

o Application Experience Lookup Service

o Help and Support

o Print Spooler

o Remote Registry

o Telephony

o Windows Audio

o Windows Time

o Wireless Configuration


Remove Irrelevant Applications: After that, we need to make sure that any applications that are irrelevant to our web application are removed. Once we are ready we should install all security related and critical updates of Windows Server 2003. Finally, it would be a good idea to install a lightweight antivirus such as AVG Free [12].

Cleanup Caches and Disks: Finally, we have cleared all the previous caches, cleaned up the disk from any junk – temporary data or unneeded files – and defragmented the hard disk for maximum performance.
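The password policy of the Password Policy item above (at least 10 characters, at least one digit, not the username), together with the dictionary attack of section 3.5, can be enforced before a credential is accepted rather than discovered afterwards with Cain and Abel. The code below is an added example, not part of the thesis or of the Windows Local Security Policy; the common-word list and the leetspeak normalization are assumptions, and the audit runs over the credentials of Table 5.

```python
"""Added example (not from the thesis): validate a credential against the
policy of section 4.1 and reject words a dictionary attack (section 3.5)
would try first."""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed mini word list standing in for a cracker's dictionary.
COMMON_WORDS = {"password", "admin", "administrator", "root", "mysql", "test"}

# Assumed leetspeak normalization so that e.g. "my5ql" is still caught as "mysql".
_LEET = str.maketrans("01345@$", "oieasas")


def normalize(password: str) -> str:
    """Lower-case, undo common digit/symbol substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(_LEET))


def check_password_policy(username: str, password: str,
                          min_length: int = 10, min_digits: int = 1) -> List[str]:
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(re.findall(r"\d", password)) < min_digits:
        problems.append(f"fewer than {min_digits} digit(s)")
    if password.lower() == username.lower():
        problems.append("equals the username")
    if normalize(password) in COMMON_WORDS:
        problems.append("appears in the common-word list")
    return problems


# Credentials from Table 5 of the thesis, audited as (system, username, password).
TABLE_5 = [
    ("Windows Server 2003", "Administrator", "#4dm1n@myw3b53rver!"),
    ("MySQL", "root", "my5ql"),
    ("ALPHA CMS - Admin panel", "admin", "4dm1n@b4ckp4n3l#!"),
    ("George Delaportas", "test1", "test12345678"),
    ("Other user", "test2", "test23456789"),
]


def audit_credentials(entries: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map each system that fails the policy to its violations."""
    report: Dict[str, List[str]] = {}
    for system, username, password in entries:
        problems = check_password_policy(username, password)
        if problems:
            report[system] = problems
    return report


if __name__ == "__main__":
    for system, problems in audit_credentials(TABLE_5).items():
        print(f"{system}: {', '.join(problems)}")
```

Run against Table 5 the audit flags only the MySQL credential, which matches the text: it is short and, once the digit substitution is undone, it is the product name itself, exactly the kind of entry a dictionary pass finds in seconds. The thesis accepts it because the port is reachable only internally; the check makes that exception an explicit, reviewable decision.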

We ran the MBSA again after the optimizations and the report is now clean. We have managed to eliminate the most critical security vulnerabilities. Among other things, we have updated the Windows 2003 server. The full report of MBSA is in the directory “Reports\VM Optimized\MBSA”.

Figure 18. MBSA – Optimized


4.2. Firewalls

This part is dedicated to firewalls. If all the general configurations were successfully applied, then we should configure an external and dedicated firewall in order to protect our server from XSS and DoS attacks.

The vast majority of dedicated firewalls today offer a long list of ready-made configurations for different scenarios. Our approach is to use a very basic but widely adopted configuration methodology that will protect the web server and won’t push the firewall to its limits.

There is one golden rule, among others, for the minimum basic configuration of a good firewall, and this is to deny access on all inbound and outbound ports by default.

Proposed steps:

1. The first step is to deny any inbound and outbound connections by default.

2. Secondly, we should decide which ports should be allowed through the firewall according to the web services and the server services we use. In our case we should only leave port 80 (HTTP) and port 443 (HTTPS) open. To be more specific, we should filter the data that come through port 80 and redirect all traffic to port 443 in order to offer secure transfers between clients and the server.

3. Then we may add a few options for IP packets, such as fragmentation limits, in order to avoid IP fragmentation attacks.
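Sections 3.2 and 4.2 together describe a verification loop: classify each port as open, closed or filtered, then confirm that nothing besides 80 and 443 is exposed once the deny-by-default rule is in place. The following added example (not code from the thesis, Nmap or SuperScan) implements both with a plain TCP connect probe. The port list comes from Table 3 and the allow-list from step 2 above; the self-check against a local listener is an assumption added so that the code runs offline.

```python
"""Added example (not from the thesis, Nmap or SuperScan): classify TCP port
states the way a port scanner reports them and compare the open ones with
the firewall allow-list of section 4.2."""
import socket
from typing import Dict, Iterable, Set

OPEN, CLOSED, FILTERED, UNREACHABLE = "open", "closed", "filtered", "unreachable"

# Ports from Table 3 plus the two the firewall must leave open (section 4.2).
PORTS_FROM_THESIS = [80, 135, 139, 443, 445, 3306]
FIREWALL_ALLOW_LIST = {80, 443}


def probe_tcp_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port with a full connect() probe.

    open        - handshake completed, a service is listening
    closed      - host answered with RST (nothing listening, not filtered)
    filtered    - no answer before the timeout (typical of a firewall DROP rule)
    unreachable - no route or other network error, the host itself is not reachable
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return OPEN
        except ConnectionRefusedError:
            return CLOSED
        except socket.timeout:
            return FILTERED
        except OSError:
            return UNREACHABLE


def scan_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Probe each port and return {port: state}."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def unexpected_exposure(results: Dict[int, str], allowed: Set[int]) -> Set[int]:
    """Open ports that the firewall policy does not allow.

    With the thesis allow-list {80, 443}, MySQL (3306), RPC (135), NetBIOS (139)
    or SMB (445) showing up here means the deny-by-default rule is not in place.
    """
    return {port for port, state in results.items()
            if state == OPEN and port not in allowed}


def self_check() -> bool:
    """Assumption for offline use: a local listener must classify as open and,
    once it is closed, the same port must classify as closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))          # ephemeral port chosen by the OS
        srv.listen(1)
        port = srv.getsockname()[1]
        while_listening = probe_tcp_port("127.0.0.1", port)
    after_close = probe_tcp_port("127.0.0.1", port)
    return while_listening == OPEN and after_close == CLOSED


if __name__ == "__main__":
    print("self-check:", "ok" if self_check() else "FAILED")
    results = scan_ports("127.0.0.1", PORTS_FROM_THESIS)
    for port, state in sorted(results.items()):
        print(f"{port:>5} {state}")
    print("unexpected open ports:",
          unexpected_exposure(results, FIREWALL_ALLOW_LIST) or "none")
```

A connect probe only reports what the probing host can see, so the check has to run from outside the firewall (the attacker's vantage point of section 3.7) to confirm the result the Nessus re-scan reports; run from the server itself it will still show 3306 and 445 open even when the firewall is correct.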

We ran the Nessus scanner again and the report now only shows low and medium security risks, of which only one is significant. The full report of Nessus is in the directory “Reports\VM Optimized\Nessus”.


Figure 19. Nessus – Optimized

4.3. SSL

This part discusses the need for SSL and its importance to our web application. Secure Sockets Layer (SSL) is a cryptographic protocol which provides secure connections between entities over the Internet. SSL uses symmetric cryptography to protect data being transferred over the Internet.

A good way to protect our users, so that their usernames and passwords or their personal data will never be available to the public, is to connect them to the server through an encrypted connection. In order to do so we will set up an SSL certificate on the web server and enable SSL functionality and HTTP over SSL (HTTPS). After this configuration all the data being transferred between the server and the client will be encrypted and integrity protected.

In order to use SSL we generate a certificate with PuTTYGen [43]. Then we put this certificate in the Apache configuration and enable the SSL support through the “httpd.conf” file. If we call the server with the https protocol then our connection will be encrypted with SSL.

4.4. Advanced configurations

This part is dedicated to a set of more advanced configurations that will automate a few procedures and will give users and administrators a more secure and consistent environment.

We may optionally do the three following steps:

1. Make sure that users who reach port 80 (HTTP) will automatically be redirected to port 443 (HTTPS). We can easily do that by editing the .htaccess file, which can be found in the root directory of our web application, and adding the following lines:

Options +FollowSymLinks
IndexIgnore *
DirectorySlash on
DirectoryIndex index.php
RewriteEngine On
RewriteBase /
RewriteCond %{SERVER_PORT} ^80$
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

2. Also, we can protect the file that has the configurations inside by writing:

# Prevent viewing of .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>

3. Finally, we may enable compression of the HTTP headers so that HTTP requests will get to the server more quickly. This can be done by adding:

<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE application/javascript application/x-javascript text/css text/javascript text/html text/x-js
</IfModule>

For all the other reports see the directory: “Reports\VM Optimized”.

4.5. Quality Assurance of the web application

In this part we will discuss the web application design and a few issues of the source code. Then we will analyze it and try to assure its quality by applying various criteria to the logic and functioning behind the application.

The quality assurance can be divided into two subsections. The first subsection is the web interface (user interface) and the second subsection is the source code performance, stability and effectiveness.


See the subsections below.

1. Web Interface

The user interface is lightweight, simple and straightforward. The point is to enable users to edit their profiles in seconds with almost no effort. The interface of this sample demo is pretty small, so we do not have to do an extensive analysis, but in a real case scenario we should consult a team of usability experts.

2. Code performance

The code is optimized in order to support many simultaneous connections, and this is supported by the ALPHA Framework and the ALPHA CMS A.P.I. ALPHA CMS provides consistent, stable and fast connections. To be more specific, we can check our test site with the internationally accepted W3C HTML and CSS validators [13], [14].

According to the results the web interface and the code are sufficient and work well.


5. Conclusions

In this thesis we have conducted an extensive vulnerability analysis of a test web application. We have analyzed its components and all its parameters. We have run vulnerability assessments and proposed solutions. We have optimized the initial web application and its setup environment and tried to make it as fast and secure as possible. We have used tools to verify and validate the web application against international protocols and logged all of our actions for any future needs.

More specifically, we have analyzed the most common security vulnerabilities for web applications. The most important of them are related to remote attacks and were critical. Among them, the most significant were the ports that might be left open and the server-side services that administrators usually forget to shut down. Thus, we showed that the human factor is a high risk too. We have also used a set of tools for auditing and were able to investigate vulnerabilities from many aspects. We have seen that vulnerability scanners are categorized and can detect different types of vulnerabilities. There were numerous options and many exploits that we had to check for, so we have evaluated the web application with a bottom-up philosophy, starting from the IP layer and going up to the application layer. We have used WireShark to capture Ethernet frames, IP packets and TCP segments. We have scanned for security vulnerabilities in the application layer with Nessus, SuperScan and MBSA. Finally, we have investigated the web services and their interconnections. After that, we proposed solutions and optimized the system based on the reports. We ran the tests again and found that our actions and configurations had a significant impact on the final results. We also showed that a system needs to be checked periodically for new vulnerabilities.

In conclusion, we have seen that a web application, in order to be considered secure, needs an extensive analysis, and advanced configurations need to be applied. No system can be considered secure forever but only for a short period of time. Thus, regular tests at fixed time intervals would minimize the risk.


References

[1] Douglas E. Comer (2004), “Networks and Internetworks”, Prentice Hall.

[2] Trygve Reenskaug (1979), MVC architecture, “MODELS – VIEWS – CONTROLLERS”, Technical note, Xerox PARC.

[3] Security Focus, http://www.securityfocus.net/ (Accessed: 11-26-2010).

[4] Insecure, http://www.insecure.org/ (Accessed: 11-26-2010).

[5] VirtualBox, http://www.virtualbox.org/ (Accessed: 11-26-2010).

[6] Microsoft – Windows Server 2003, http://www.microsoft.com/windowsserver2003/default.mspx (Accessed: 11-26-2010).

[7] Apache foundation – HTTP server, http://www.apache.org/ (Accessed: 11-26-2010).

[8] PHP.net, http://www.php.net/ (Accessed: 11-26-2010).

[9] Smarty.net, http://www.smarty.net/ (Accessed: 11-26-2010).

[10] Oracle – MySQL, http://www.mysql.org/ (Accessed: 11-26-2010).

[11] ALPHA CMS, http://www.sourceforge.net/projects/alpha-cms/ (Accessed: 11-26-2010).

[12] AVG Free Edition, http://free.avg.com/ww-en/homepage/ (Accessed: 11-28-2010).

[13] W3C HTML Validator, http://validator.w3.org/ (Accessed: 11-29-2010).

[14] W3C CSS Validator, http://jigsaw.w3.org/css-validator/ (Accessed: 11-29-2010).

[15] Joomla! CMS, http://www.joomla.org/ (Accessed: 01-05-2011).

[16] Drupal CMS, http://www.drupal.org/ (Accessed: 01-05-2011).

[17] OS Commerce, http://www.ocommerce.com/ (Accessed: 01-05-2011).

[18] Zen Cart, http://www.zen-cart.com/ (Accessed: 01-05-2011).

[19] Nessus vulnerability scanner, http://www.nessus.org/ (Accessed: 01-05-2011).

[20] NMap security scanner, http://www.nmap.org/ (Accessed: 01-05-2011).

[21] SuperScan 4.0, http://www.mcafee.com/us/downloads/free-tools/superscan.aspx (Accessed: 01-05-2011).

[22] WireShark, http://www.wireshark.org/ (Accessed: 01-05-2011).

[23] Snort IDS/IPS, http://www.snort.org/ (Accessed: 01-05-2011).

[24] Virtual PC, http://www.microsoft.com/windows/virtual-pc/ (Accessed: 01-05-2011).

[25] VMware Workstation, http://www.vmware.com/products/workstation/ (Accessed: 01-05-2011).

[26] Xen, http://www.xen.org/ (Accessed: 01-05-2011).

[27] Parallels Workstation, http://www.parallels.com/eu/products/desktop/pd4wl/ (Accessed: 01-05-2011).

[28] Linux, http://www.linux.org/ (Accessed: 01-05-2011).

[29] IBM AIX, http://www-03.ibm.com/systems/power/software/aix/index.html (Accessed: 01-05-2011).

[30] Solaris, http://www.oracle.com/us/products/servers-storage/solaris/index.html (Accessed: 01-05-2011).

[31] BSD, http://www.freebsd.org/ (Accessed: 01-05-2011).

[32] Windows, http://www.microsoft.com/windows/ (Accessed: 01-05-2011).

[33] Internet Explorer, http://windows.microsoft.com/en-US/internet-explorer/products/ie-9/home (Accessed: 01-05-2011).

[34] Mozilla Firefox, http://www.mozilla.com/en-US/firefox/ (Accessed: 01-05-2011).

[35] Google Chrome, http://www.google.com/chrome/intl/en/landing_chrome.html?hl=en (Accessed: 01-05-2011).

[36] Microsoft IIS, http://www.iis.net/overview (Accessed: 01-05-2011).

[37] Notepad++, http://notepad-plus-plus.org/ (Accessed: 01-05-2011).

[38] MBSA, http://technet.microsoft.com/en-us/security/cc184924 (Accessed: 01-05-2011).

[39] ZenMap, http://nmap.org/ZenMap/ (Accessed: 01-05-2011).

[40] Cain and Abel, http://www.oxid.it/cain.html (Accessed: 01-05-2011).

[41] WinRTGen, http://www.oxid.it/projects.html (Accessed: 01-05-2011).

[42] Wikto, http://www.sensepost.com/labs/tools/pentest/wikto (Accessed: 01-05-2011).

[43] PuTTYGen, http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html (Accessed: 01-05-2011).


Appendix A – Source code

In this appendix we present a few important code segments. The appendix is separated into two sections. The first one shows the vulnerable code and the second one the optimized code.
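The “Home” segment below builds every SQL statement by concatenating $_SESSION['OMEGA_UID'] into the query text. Here the value comes from the server-side session, but the same pattern applied to any request-derived value is SQL injection, and it is the pattern the optimized code has to remove. The following is an added example, not code from the thesis or from ALPHA CMS: it reproduces that query with Python's sqlite3 beside a hardened version that validates the identifier and binds it as a parameter. The in-memory table and its rows are constructed.

```python
"""Added example (not from the thesis or ALPHA CMS): the concatenated query of
the Home segment rebuilt with sqlite3, beside a parameterized version."""
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the omega_users_data table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE omega_users_data (user_id INTEGER, name TEXT, surname TEXT)")
    con.executemany("INSERT INTO omega_users_data VALUES (?, ?, ?)",
                    [(1, "George", "Delaportas"), (2, "Other", "User")])
    return con


def load_name_vulnerable(con: sqlite3.Connection, uid) -> List[Tuple[str]]:
    """Mirrors the original PHP: the session value becomes part of the SQL text,
    so whatever it contains is parsed as SQL rather than treated as a number."""
    sql = "SELECT name FROM omega_users_data WHERE (user_id = " + str(uid) + ")"
    return con.execute(sql).fetchall()


def _require_user_id(uid) -> int:
    """Reject anything that is not a positive integer before it reaches the database."""
    if isinstance(uid, bool) or not isinstance(uid, int) or uid <= 0:
        raise ValueError("user_id must be a positive integer")
    return uid


def load_name_hardened(con: sqlite3.Connection, uid) -> List[Tuple[str]]:
    """Check the type first, then bind the value; the SQL text never changes."""
    uid = _require_user_id(uid)
    sql = "SELECT name FROM omega_users_data WHERE user_id = ?"
    return con.execute(sql, (uid,)).fetchall()


def load_profile_hardened(con: sqlite3.Connection, uid) -> Dict[str, str]:
    """Fetch all profile columns in one bound query instead of one query per column."""
    uid = _require_user_id(uid)
    columns = ("name", "surname")
    row = con.execute(f"SELECT {', '.join(columns)} FROM omega_users_data WHERE user_id = ?",
                      (uid,)).fetchone()
    return dict(zip(columns, row)) if row else {}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, uid=1      :", load_name_vulnerable(db, 1))
    print("vulnerable, uid tampered:", load_name_vulnerable(db, "1 OR 1=1"))  # every row
    print("hardened, uid=1        :", load_name_hardened(db, 1))
    try:
        load_name_hardened(db, "1 OR 1=1")
    except ValueError as exc:
        print("hardened, uid tampered :", exc)
    print("profile, uid=2         :", load_profile_hardened(db, 2))
```

The second line of output returns both users, which is the whole point: the vulnerable function cannot tell a user id from a SQL fragment. In PHP the equivalent of the hardened version is a prepared statement (mysqli or PDO with bound parameters) after casting the session value to int; the single-query profile load also removes the one-query-per-column pattern of the original segment.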

1. Code segments of initial vulnerable code for the test web application

Dynamic HTML:

if (!defined('ALPHA'))
    die('ERROR: Unable to load ALPHA CMS!');

// Current language
$this_lang = $new_alpha->Get_Language();

echo '<center>';
echo '<div id="logo">OMEGA Web-CRM</div>';

// Create a Smarty instance
$new_smarty = $new_alpha->Smarty_Object();

// Languages
echo '<div id="all_langs">';
$languages = $new_alpha->Load_Language('*');
$new_smarty->assign('languages', $languages);
$new_smarty->display('lang.tpl');
echo '</div>';

// Load the login form extension (a PHP extension, so the type is the string 'php')
$new_alpha->Load_Extension('login_form', 'php');

echo '</center>';

Home:

if (!defined('ALPHA'))
    die('ERROR: Unable to load ALPHA CMS!');

// Current language
$this_lang = $new_alpha->Get_Language();

echo '<center>';
echo '<div id="logo">OMEGA Web-CRM <br/>Home</div>';

// Create a Smarty instance
$new_smarty = $new_alpha->Smarty_Object();

// Languages
echo '<div id="all_langs">';
$languages = $new_alpha->Load_Language('*');
$new_smarty->assign('languages', $languages);
$new_smarty->display('lang.tpl');
echo '</div>';

session_start();

// Localized labels for the profile form
$save = $new_alpha->Load_Content('save', 'content', $this_lang);
$reset = $new_alpha->Load_Content('reset', 'content', $this_lang);
$logout = $new_alpha->Load_Content('logout', 'content', $this_lang);
$name = $new_alpha->Load_Content('name', 'content', $this_lang);
$surname = $new_alpha->Load_Content('surname', 'content', $this_lang);
$company = $new_alpha->Load_Content('company', 'content', $this_lang);
$rel_type = $new_alpha->Load_Content('relation_type', 'content', $this_lang);
$imm = $new_alpha->Load_Content('immediate', 'content', $this_lang);
$aff = $new_alpha->Load_Content('affiliate', 'content', $this_lang);
$status = $new_alpha->Load_Content('status', 'content', $this_lang);
$active = $new_alpha->Load_Content('active', 'content', $this_lang);
$descr = $new_alpha->Load_Content('description', 'content', $this_lang);

// Open a connection to the DB
$db_con = $new_alpha->Use_DB();

// One query per column; the session value is concatenated straight into the
// SQL text, which is the vulnerable pattern of this initial version
$sql_com = 'SELECT `name` FROM omega_users_data WHERE (`user_id` = ' . $_SESSION['OMEGA_UID'] . ')';
$result = $new_alpha->Exec_SQL($sql_com, 'name');
$name_data = $result;

$sql_com = 'SELECT `surname` FROM omega_users_data WHERE (`user_id` = ' . $_SESSION['OMEGA_UID'] . ')';
$result = $new_alpha->Exec_SQL($sql_com, 'surname');
$surname_data = $result;

$sql_com = 'SELECT `company` FROM omega_users_data WHERE (`user_id` = ' . $_SESSION['OMEGA_UID'] . ')';
$result = $new_alpha->Exec_SQL($sql_com, 'company');
$company_data = $result;

$sql_com = 'SELECT `relation_type` FROM omega_users_data WHERE (`user_id` = ' . $_SESSION['OMEGA_UID'] . ')';
$result = $new_alpha->Exec_SQL($sql_com, 'relation_type');
$rel_data = $result;

$sql_com = 'SELECT `status` FROM omega_users_data

WHERE (`user_id` = ' . $_SESSION['OMEGA_UID'] . ')';

$result = $new_alpha->Exec_SQL($sql_com, 'status');

$status_data = $result;

$sql_com = 'SELECT `description` FROM omega_users_data

WHERE (`user_id` = ' . $_SESSION['OMEGA_UID'] . ')';

$result = $new_alpha->Exec_SQL($sql_com, 'description');

$desc_data = $result;

echo '<div id="logout">';

echo '<a href="javascript:void(0);" onmousedown="AJAX_Log_Out(' . $_SESSION['OMEGA_UID'] . ');

window.location=' . '\'' . '\'' . '">';

echo $logout;

echo '</a>';

echo '</div>';

Page 54: Kingston University Thesis - Design and Implementation of a Secure Web Application

echo '<div id="user_data" style="clear: both; margin-top: 50px; border-style: solid; width: 300px; height: 208px;

padding: 5px;">

<div style="float: left;">';

echo $name;

echo '</div> <input id="text_name" type="text" value="'; echo $name_data; echo '" style="float: left; margin-

left:60px;"/>

<div style="float: left; clear: both;">';

echo $surname;

echo '</div> <input id="text_surname" type="text" value="'; echo $surname_data; echo '" style="float: left; margin-

left:39px;"/>

<div style="float: left; clear: both;">';

echo $company;

echo '</div> <input id="text_company" type="text" value="'; echo $company_data; echo '" style="float: left; margin-

left:35px;"/>

<div style="float: left; clear: both;">';

echo $rel_type;

echo '</div>

<div style="float: left; margin-left: 7px;">';

echo $imm;

echo '</div>';

if ($rel_data == 1)

{

echo '<input id="radio_1" style="float: left; margin-left: 7px;" type="radio" name="rel_choice" checked="true"

value="1" />

<div style="float: left; margin-left: 7px;">';

echo $aff;

echo '</div>

<input id="radio_2" style="float: left; margin-left: 7px;" type="radio" name="rel_choice" value="0" />';

}

if ($rel_data == 2)

{

echo '<input id="radio_1" style="float: left; margin-left: 7px;" type="radio" name="rel_choice" value="0" />

<div style="float: left; margin-left: 7px;">';

echo $aff;

echo '</div>

<input id="radio_2" style="float: left; margin-left: 7px;" type="radio" name="rel_choice" checked="true"

value="1" />';

}

Login form:

<?php
// Create a new ALPHA CMS object
$new_login = new ALPHA;

// Current language
$this_lang = $new_login->Get_Language();

$login_username = $new_login->Load_Content('login_username', 'content', $this_lang);
$login_password = $new_login->Load_Content('login_password', 'content', $this_lang);
$login          = $new_login->Load_Content('login', 'content', $this_lang);

$new_login->Load_Extension('forms_manager', 'ajax');
?>
<script type="text/javascript" src="extensions/ajax/forms_manager/input_controler.js"></script>
<script type="text/javascript" src="extensions/ajax/forms_manager/form_validator.js"></script>
<script type="text/javascript">
    var login_form_elements = new Array();
    login_form_elements[0] = 'login_username_text';
    login_form_elements[1] = 'login_password_text';
</script>
<div id="login_controls">
    <div id="login_username">
        <div id="login_username_label">
            <?php echo $login_username; ?>&nbsp;
        </div>
        <input id="login_username_text" type="text" maxlength="16" onkeypress="Input_Controler(this);" onkeyup="Input_Controler(this);" />
    </div>
    <div id="login_password">
        <div id="login_password_label">
            <?php echo $login_password; ?>&nbsp;
        </div>
        <input id="login_password_text" type="password" maxlength="16" onkeypress="Input_Controler(this);" onkeyup="Input_Controler(this);" />
    </div>
    <div id="login_button" style="margin-top: 10px" >
        <a id="login" class="class_buttons_white_links" href="JavaScript:void(0);" onclick="Form_Validator('login_form', login_form_elements);">
            <?php echo $login; ?>
        </a>
    </div>
    <div id="login_error" class="class_errors"></div>
</div>

2. Code segments of the optimized code for the test web application

Dynamic HTML:

<?php
if (!defined('ALPHA'))
    die('ERROR: Unable to load ALPHA CMS!');

// Current language
$this_lang = $new_alpha->Get_Language();

echo '<center>';
echo '<div id="logo">OMEGA Web-CRM</div>';

// Create a Smarty instance
$new_smarty = $new_alpha->Smarty_Object();

// Languages
echo '<div id="all_langs">';
$languages = $new_alpha->Load_Language('*');
$new_smarty->assign('languages', $languages);
$new_smarty->display('lang.tpl');
echo '</div>';

// Load the login form extension (the extension type is passed as a string)
$new_alpha->Load_Extension('login_form', 'php');

echo '</center>';

Home:

<?php
if (!defined('ALPHA'))
    die('ERROR: Unable to load ALPHA CMS!');

// Current language
$this_lang = $new_alpha->Get_Language();

echo '<center>';
echo '<div id="logo">OMEGA Web-CRM <br/>Home</div>';

// Create a Smarty instance
$new_smarty = $new_alpha->Smarty_Object();

// Languages
echo '<div id="all_langs">';
$languages = $new_alpha->Load_Language('*');
$new_smarty->assign('languages', $languages);
$new_smarty->display('lang.tpl');
echo '</div>';

session_start();

// Localised labels
$save     = $new_alpha->Load_Content('save', 'content', $this_lang);
$reset    = $new_alpha->Load_Content('reset', 'content', $this_lang);
$logout   = $new_alpha->Load_Content('logout', 'content', $this_lang);
$name     = $new_alpha->Load_Content('name', 'content', $this_lang);
$surname  = $new_alpha->Load_Content('surname', 'content', $this_lang);
$company  = $new_alpha->Load_Content('company', 'content', $this_lang);
$rel_type = $new_alpha->Load_Content('relation_type', 'content', $this_lang);
$imm      = $new_alpha->Load_Content('immediate', 'content', $this_lang);
$aff      = $new_alpha->Load_Content('affiliate', 'content', $this_lang);
$status   = $new_alpha->Load_Content('status', 'content', $this_lang);
$active   = $new_alpha->Load_Content('active', 'content', $this_lang);
$descr    = $new_alpha->Load_Content('description', 'content', $this_lang);

// Open a connection to the DB
$db_con = $new_alpha->Use_DB();

// One query per column; the session user id is concatenated into the SQL text
$sql_com = 'SELECT `name` FROM omega_users_data WHERE (`user_id` = ' . $_SESSION['OMEGA_UID'] . ')';
$result = $new_alpha->Exec_SQL($sql_com, 'name');
$name_data = $result;

$sql_com = 'SELECT `surname` FROM omega_users_data WHERE (`user_id` = ' . $_SESSION['OMEGA_UID'] . ')';
$result = $new_alpha->Exec_SQL($sql_com, 'surname');
$surname_data = $result;

$sql_com = 'SELECT `company` FROM omega_users_data WHERE (`user_id` = ' . $_SESSION['OMEGA_UID'] . ')';
$result = $new_alpha->Exec_SQL($sql_com, 'company');
$company_data = $result;

$sql_com = 'SELECT `relation_type` FROM omega_users_data WHERE (`user_id` = ' . $_SESSION['OMEGA_UID'] . ')';
$result = $new_alpha->Exec_SQL($sql_com, 'relation_type');
$rel_data = $result;

$sql_com = 'SELECT `status` FROM omega_users_data WHERE (`user_id` = ' . $_SESSION['OMEGA_UID'] . ')';
$result = $new_alpha->Exec_SQL($sql_com, 'status');
$status_data = $result;

$sql_com = 'SELECT `description` FROM omega_users_data WHERE (`user_id` = ' . $_SESSION['OMEGA_UID'] . ')';
$result = $new_alpha->Exec_SQL($sql_com, 'description');
$desc_data = $result;

// Logout link
echo '<div id="logout">';
echo '<a href="javascript:void(0);" onmousedown="AJAX_Log_Out(' . $_SESSION['OMEGA_UID'] . '); window.location=' . '\'' . '\'' . '">';
echo $logout;
echo '</a>';
echo '</div>';

// User data form; the DB values are written straight into the value attributes
echo '<div id="user_data" style="clear: both; margin-top: 50px; border-style: solid; width: 300px; height: auto; padding: 5px;">
      <div style="float: left;">';
echo $name;
echo '</div> <input id="text_name" type="text" value="'; echo $name_data; echo '" style="float: left; margin-left:60px;"/>
      <div style="float: left; clear: both;">';
echo $surname;
echo '</div> <input id="text_surname" type="text" value="'; echo $surname_data; echo '" style="float: left; margin-left:39px;"/>
      <div style="float: left; clear: both;">';
echo $company;
echo '</div> <input id="text_company" type="text" value="'; echo $company_data; echo '" style="float: left; margin-left:35px;"/>
      <div style="float: left; clear: both;">';
echo $rel_type;
echo '</div>
      <div style="float: left; margin-left: 7px;">';
echo $imm;
echo '</div>';

if ($rel_data == 1)
{
    echo '<input id="radio_1" style="float: left; margin-left: 7px;" type="radio" name="rel_choice" checked="true" value="1" />
          <div style="float: left; margin-left: 7px;">';
    echo $aff;
    echo '</div>
          <input id="radio_2" style="float: left; margin-left: 7px;" type="radio" name="rel_choice" value="0" />';
}

if ($rel_data == 2)
{
    echo '<input id="radio_1" style="float: left; margin-left: 7px;" type="radio" name="rel_choice" value="0" />
          <div style="float: left; margin-left: 7px;">';
    echo $aff;
    echo '</div>
          <input id="radio_2" style="float: left; margin-left: 7px;" type="radio" name="rel_choice" checked="true" value="1" />';
}
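The Home segment above (the queries and the value echoes are the same in the initial and the optimized listings) builds each SELECT by concatenating $_SESSION['OMEGA_UID'] into the SQL text and prints $name_data, $surname_data and $company_data straight into value="..." attributes. As an added example, not the thesis's ALPHA/OMEGA code, the following fetches the same six columns with one parameterised PDO query and escapes every value on output. The DSN, credentials and label strings are placeholders (the page loads labels through Load_Content()), and the radio values are assumed to mirror relation_type 1 and 2.

```php
<?php
// Added example (not the thesis's ALPHA/OMEGA code). Hardened form of the Home
// segment: one prepared statement instead of six concatenated SELECTs, and HTML
// escaping on every value written into the page.
declare(strict_types=1);

/** Escape a value for use inside an HTML attribute or text node (null becomes ""). */
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Fetch the profile row for the logged-in user. The id is bound as an integer
 * parameter, so the server receives it as data, never as part of the SQL text.
 * Returns null when no row exists for that id.
 */
function load_user_data(PDO $pdo, int $user_id): ?array
{
    $stmt = $pdo->prepare(
        'SELECT `name`, `surname`, `company`, `relation_type`, `status`, `description`
           FROM omega_users_data
          WHERE `user_id` = :uid'
    );
    $stmt->bindValue(':uid', $user_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Labelled text input, the counterpart of text_name / text_surname / text_company. */
function render_text_field(string $id, string $label, $value): string
{
    return '<div style="float: left; clear: both;">' . h($label) . '</div>'
         . '<input id="' . h($id) . '" type="text" value="' . h($value) . '" style="float: left;" />';
}

/** Immediate/affiliate radio pair; only the stored relation_type (assumed 1 or 2) is checked. */
function render_relation(string $imm_label, string $aff_label, int $rel): string
{
    $checked = static fn(int $v): string => ($rel === $v) ? ' checked="checked"' : '';
    return '<div style="float: left; margin-left: 7px;">' . h($imm_label) . '</div>'
         . '<input id="radio_1" type="radio" name="rel_choice" value="1"' . $checked(1) . ' />'
         . '<div style="float: left; margin-left: 7px;">' . h($aff_label) . '</div>'
         . '<input id="radio_2" type="radio" name="rel_choice" value="2"' . $checked(2) . ' />';
}

// The session is started before any output; the uid must be present and numeric.
session_start();
if (!isset($_SESSION['OMEGA_UID']) || !ctype_digit((string) $_SESSION['OMEGA_UID'])) {
    http_response_code(403);
    exit('Not logged in.');
}
$uid = (int) $_SESSION['OMEGA_UID'];

// Placeholder connection details (assumption); server-side prepares, exceptions on error.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=omega;charset=utf8mb4', 'omega_ro', 'CHANGE_ME',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// Constructed labels; the page loads these per language through Load_Content().
$labels = ['name' => 'Name', 'surname' => 'Surname', 'company' => 'Company',
           'immediate' => 'Immediate', 'affiliate' => 'Affiliate'];

$data = load_user_data($pdo, $uid);
if ($data === null) {
    http_response_code(404);
    exit('No profile for this user.');
}

echo '<div id="user_data" style="clear: both; margin-top: 50px; border-style: solid; width: 300px; padding: 5px;">';
echo render_text_field('text_name', $labels['name'], $data['name']);
echo render_text_field('text_surname', $labels['surname'], $data['surname']);
echo render_text_field('text_company', $labels['company'], $data['company']);
echo render_relation($labels['immediate'], $labels['affiliate'], (int) $data['relation_type']);
echo '</div>';
```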

Login form:

<?php
// Create a new ALPHA CMS object
$new_login = new ALPHA;

// Current language
$this_lang = $new_login->Get_Language();

$login_username = $new_login->Load_Content('login_username', 'content', $this_lang);
$login_password = $new_login->Load_Content('login_password', 'content', $this_lang);
$login          = $new_login->Load_Content('login', 'content', $this_lang);

$new_login->Load_Extension('forms_manager', 'ajax');
?>
<script type="text/javascript" src="extensions/ajax/forms_manager/input_controler.js"></script>
<script type="text/javascript" src="extensions/ajax/forms_manager/form_validator.js"></script>
<script type="text/javascript">
    var login_form_elements = new Array();
    login_form_elements[0] = 'login_username_text';
    login_form_elements[1] = 'login_password_text';
</script>
<div id="login_controls">
    <div id="login_username">
        <div id="login_username_label">
            <?php echo $login_username; ?>&nbsp;
        </div>
        <input id="login_username_text" type="text" maxlength="16" onkeypress="Input_Controler(this);" onkeyup="Input_Controler(this);" />
    </div>
    <div id="login_password">
        <div id="login_password_label">
            <?php echo $login_password; ?>&nbsp;
        </div>
        <input id="login_password_text" type="password" maxlength="16" onkeypress="Input_Controler(this);" onkeyup="Input_Controler(this);" />
    </div>
    <div id="login_button" style="margin-top: 10px" >
        <a id="login" class="class_buttons_white_links" href="JavaScript:void(0);" onclick="Form_Validator('login_form', login_form_elements);">
            <?php echo $login; ?>
        </a>
    </div>
    <div id="login_error" class="class_errors"></div>
</div>


Appendix B – Detailed security reports

This appendix presents the most significant reports. It is divided into two sections: the first shows the reports for the initial vulnerable application and the second the reports for the optimized one.

1. Reports of the initial test web application

MBSA:

Security assessment: Severe Risk
Computer name: MYNET\MYWEBSERVER
IP address: 10.0.2.15
Security report name: MYNET - MYWEBSERVER (24-8-2010 5-35 μμ)
Scan date: 24/8/2010 5:35 μμ
Scanned with MBSA version: 2.2.2170.0
Catalog synchronization date:
Security update catalog: Microsoft Update

Security Updates Scan Results

Issue: Developer Tools, Runtimes, and Redistributables Security Updates
Score: Check failed (critical)
Result: 1 security updates are missing.

Security Updates
| Bulletin | Status | Title | Severity |
| MS09-035 | Missing | Security Update for Microsoft Visual C++ 2008 Redistributable Package (KB973924) | Moderate |

Issue: Windows Security Updates
Score: Check failed (critical)
Result: 81 security updates are missing. 4 service packs or update rollups are missing.

Security Updates
| Bulletin | Status | Title | Severity |
| MS08-022 | Missing | Security Update for Windows Server 2003 (KB944338) | Critical |
| MS09-071 | Missing | Security Update for Windows Server 2003 (KB974318) | Important |
| MS10-007 | Missing | Security Update for Windows Server 2003 (KB975713) | Critical |
| MS09-037 | Missing | Security Update for Windows Server 2003 (KB973869) | Critical |
| MS09-073 | Missing | Security Update for Windows Server 2003 (KB973904) | Important |
| MS07-050 | Missing | Security Update for Windows Server 2003 (KB938127) | Critical |
| MS10-033 | Missing | Security Update for Windows Server 2003 (KB979482) | Critical |
| MS08-076 | Missing | Security Update for Windows Server 2003 (KB952069) | Important |
| MS09-044 | Missing | Security Update for Windows Server 2003 (KB958469) | Critical |
| MS10-019 | Missing | Security Update for Windows Server 2003 (KB978601) | Critical |
| MS10-020 | Missing | Security Update for Windows Server 2003 (KB980232) | Critical |
| MS10-026 | Missing | Security Update for Windows Server 2003 (KB977816) | Critical |
| MS07-068 | Missing | Security Update for Windows Server 2003 (KB941569) | Critical |

Operating System Scan Results

Administrative Vulnerabilities

Issue: Local Account Password Test
Score: Check passed
Result: Some user accounts (1 of 5) have blank or simple passwords, or could not be analyzed.
Detail:
| User | Weak Password | Locked Out | Disabled |
| Guest | Weak | - | Disabled |
| SUPPORT_388945a0 | - | - | Disabled |
| Administrator | - | - | - |
| boinc_master | - | - | - |
| boinc_project | - | - | - |

Issue: File System
Score: Check passed
Result: All hard drives (1) are using the NTFS file system.
Detail:
| Drive Letter | File System |
| C: | NTFS |

Issue: Password Expiration
Score: Check failed (non-critical)
Result: Some user accounts (4 of 5) have non-expiring passwords.
Detail:
| User |
| Administrator |
| Guest |
| boinc_master |
| boinc_project |
| SUPPORT_388945a0 |

Issue: Guest Account
Score: Check passed
Result: The Guest account is disabled on this computer.

Issue: Autologon
Score: Check passed
Result: Autologon is not configured on this computer.

Issue: Restrict Anonymous
Score: Check passed
Result: Computer is properly restricting anonymous access.

Snort:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/07-14:39:12.966819 8:0:27:0:4:91 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x5C
192.168.56.1:137 -> 192.168.56.255:137 UDP TTL:128 TOS:0x0 ID:1258 IpLen:20 DgmLen:78
Len: 50

FE 78 01 10 00 01 00 00 00 00 00 00 20 46 48 46 .x.......... FHF

41 45 42 45 45 43 41 43 41 43 41 43 41 43 41 43 AEBEECACACACACAC

41 43 41 43 41 43 41 43 41 43 41 41 41 00 00 20 ACACACACACAAA..

00 01 ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


09/07-14:41:24.668805 8:0:27:8A:8:9C -> FF:FF:FF:FF:FF:FF type:0x800 len:0xFE
192.168.56.101:138 -> 192.168.56.255:138 UDP TTL:128 TOS:0x0 ID:2001 IpLen:20 DgmLen:240
Len: 212


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

SuperScan:

| Service | State | Display name |
| Apache2.2 | Running | Apache2.2 |
| BITS | Running | Background Intelligent Transfer Service |
| Browser | Running | Computer Browser |
| CiSvc | Stopped | Indexing Service |
| CryptSvc | Running | Cryptographic Services |
| DcomLaunch | Running | DCOM Server Process Launcher |
| Dfs | Stopped | Distributed File System |
| Dhcp | Running | DHCP Client |
| dmadmin | Stopped | Logical Disk Manager Administrative Service |
| dmserver | Running | Logical Disk Manager |
| Dnscache | Running | DNS Client |
| ERSvc | Running | Error Reporting Service |
| Eventlog | Running | Event Log |
| EventSystem | Running | COM+ Event System |
| HidServ | Stopped | Human Interface Device Access |
| HTTPFilter | Stopped | HTTP SSL |
| ImapiService | Stopped | IMAPI CD-Burning COM Service |
| IsmServ | Stopped | Intersite Messaging |
| JavaQuickStarterService | Running | Java Quick Starter |
| kdc | Stopped | Kerberos Key Distribution Center |
| lanmanserver | Running | Server |
| lanmanworkstation | Running | Workstation |
| LicenseService | Stopped | License Logging |
| LmHosts | Running | TCP/IP NetBIOS Helper |
| Messenger | Stopped | Messenger |
| mnmsrvc | Stopped | NetMeeting Remote Desktop Sharing |
| MSDTC | Running | Distributed Transaction Coordinator |
| MSIServer | Stopped | Windows Installer |
| MySQL | Running | MySQL |
| NetDDE | Stopped | Network DDE |
| NetDDEdsdm | Stopped | Network DDE DSDM |
| Netlogon | Stopped | Net Logon |
| Netman | Running | Network Connections |
| Nla | Running | Network Location Awareness (NLA) |
| NtFrs | Stopped | File Replication |
| NtLmSsp | Stopped | NT LM Security Support Provider |
| NtmsSvc | Stopped | Removable Storage |
| PlugPlay | Running | Plug and Play |
| PolicyAgent | Running | IPSEC Services |
| ProtectedStorage | Running | Protected Storage |
| RasAuto | Stopped | Remote Access Auto Connection Manager |
| RasMan | Running | Remote Access Connection Manager |
| RDSessMgr | Stopped | Remote Desktop Help Session Manager |
| RemoteAccess | Stopped | Routing and Remote Access |
| RemoteRegistry | Running | Remote Registry |
| rpcapd | Stopped | Remote Packet Capture Protocol v.0 (experimental) |
| RpcLocator | Stopped | Remote Procedure Call (RPC) Locator |
| RpcSs | Running | Remote Procedure Call (RPC) |
| RSoPProv | Stopped | Resultant Set of Policy Provider |
| sacsvr | Stopped | Special Administration Console Helper |
| SamSs | Running | Security Accounts Manager |
| SCardSvr | Stopped | Smart Card |
| Schedule | Running | Task Scheduler |
| seclogon | Running | Secondary Logon |
| Tenable Nessus | Running | Tenable Nessus |
| TermService | Running | Terminal Services |
| Themes | Stopped | Themes |
| TlntSvr | Stopped | Telnet |
| TrkSvr | Stopped | Distributed Link Tracking Server |
| TrkWks | Running | Distributed Link Tracking Client |
| Tssdis | Stopped | Terminal Services Session Directory |
| W32Time | Running | Windows Time |
| WebClient | Stopped | WebClient |
| WinHttpAutoProxySvc | Stopped | WinHTTP Web Proxy Auto-Discovery Service |
| winmgmt | Running | Windows Management Instrumentation |
| WmdmPmSN | Stopped | Portable Media Serial Number Service |
| Wmi | Stopped | Windows Management Instrumentation Driver Extensions |

Nessus:

List of hosts
localhost    High Severity problem(s) found

localhost
Scan time :
    Start time : Mon Sep 06 14:52:47 2010
    End time : Mon Sep 06 15:05:29 2010
Number of vulnerabilities :
    Open ports : 5
    Low : 35
    Medium : 8
    High : 30
Information about the remote host :
    Operating system : Microsoft Windows Server 2003, Enterprise Edition (English)
    NetBIOS name : MYWEBSERVER
    DNS name : localhost.

Cumulative Security Update for Internet Explorer (942615)
Synopsis : Arbitrary code can be executed on the remote host through the web client.
Description : The remote host is missing the IE cumulative security update 942615. The remote version of IE is vulnerable to several flaws which may allow an attacker to execute arbitrary code on the remote host.
Solution : Microsoft has released a set of patches for Windows 2000, XP, 2003 and Vista : http://www.microsoft.com/technet/security/Bulletin/MS07-069.mspx
Risk factor : High / CVSS Base Score : 9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
Plugin output : - C:\WINDOWS\system32\Mshtml.dll has not been patched
    Remote version : 6.0.3790.3959
    Should be : 6.0.3790.4186
CVE : CVE-2007-0322, CVE-2007-3902, CVE-2007-3903, CVE-2007-4471, CVE-2007-5344, CVE-2007-5347, CVE-2007-6387
BID : 25544, 26427, 26506, 26815, 26816, 26817, 26819
Nessus ID : 29313

Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275)
Synopsis : Arbitrary code can be executed on the remote host through the Media File Format.
Description : The remote host is running Windows Media Player/Service. There is a vulnerability in the remote version of this software which may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, one attacker would need to set up a rogue ASF file and send it to a victim on the remote host.
Solution : Microsoft has released a set of patches for Windows 2000, XP, 2003 and Vista: http://www.microsoft.com/technet/security/bulletin/ms07-068.mspx
Risk factor : High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Plugin output : - C:\WINDOWS\system32\wmasf.dll has not been patched
    Remote version : 10.0.0.3997
    Should be : 10.0.0.4000
CVE : CVE-2007-0064
BID : 26776
Other references : OSVDB:39122
Nessus ID : 29312

Vulnerability in RPC Could Allow Denial of Service (933729)
Synopsis : It is possible to crash the remote server.
Description : The remote version of Windows contains a version of the RPC library protocol which is vulnerable to a Denial of Service attack in the NTLM authentication field. An attacker may exploit this flaw to crash the remote RPC server (and the remote system).
Solution : Microsoft has released a set of patches for Windows 2000, XP, 2003 and Vista : http://www.microsoft.com/technet/security/bulletin/ms07-058.mspx
Risk factor : High / CVSS Base Score : 7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
Plugin output : - C:\WINDOWS\system32\Rpcrt4.dll has not been patched
    Remote version : 5.2.3790.3959
    Should be : 5.2.3790.4115
CVE : CVE-2007-2228
BID : 25974
Nessus ID : 26964


Wikto:

localhost,/,TRACE / HTTP/1.,generic,TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
localhost,/config/,Index of ,generic,This might be interesting...
localhost,/pix/,200,generic,This might be interesting...
localhost,/admin/login.php?action=insert&username=test&password=test,200,generic,php. Auction may allow user admin accounts to be inserted without proper authentication. Attempt to log in with user 'test' password 'test' to verify.
localhost,/config/,200,generic,Configuration information may be available remotely.
localhost,/doc/,200,generic,The /doc directory is browsable. This may be /usr/doc.
localhost,/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000,200,generic,PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings. OSVDB-12184.
localhost,/index.php?module=My_eGallery,200,generic,My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.
localhost,/perl/-e%20print%20Hello,200,novell,The PERL interpreter on the novell system may allow any command to be executed. See BID-5520. Installing Perl 5.6 might fix this issue.
localhost,@CGIDIRSscripts/*%0a.pl,200,generic,This might be interesting... has been seen in web logs from a scanner.


#Directories

localhost,ListViewItem: { / }

localhost,ListViewItem: { /admin/ }

localhost,ListViewItem: { /cgi-bin/ }

localhost,ListViewItem: { /config/ }


localhost,ListViewItem: { /doc/ }

localhost,ListViewItem: { /admin/images/ }

localhost,ListViewItem: { /admin/js/ }

#Indexable

localhost,ListViewItem: { /config/ }

localhost,ListViewItem: { /doc/ }

localhost,ListViewItem: { /admin/images/ }

localhost,ListViewItem: { /admin/js/ }

#Files

localhost,ListViewItem: { /index.php }

localhost,ListViewItem: { /main.php }

localhost,ListViewItem: { /admin/index.php }

localhost,ListViewItem: { /admin/login.php }

ZenMap:

<?xml-stylesheet href="file:///C:/Program Files/Nmap/nmap.xsl" type="text/xsl"?>
<nmaprun start="1283859237" profile_name="Intense scan" xmloutputversion="1.03" scanner="nmap" version="5.21" startstr="Tue Sep 07 14:33:57 2010" args="nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 192.168.56.101">
<verbose level="1"/>
<debugging level="0"/>
<output type="interactive">
Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-07 14:33 GTB Daylight Time
NSE: Loaded 36 scripts for scanning.
Initiating ARP Ping Scan at 14:33
Scanning 192.168.56.101 [1 port]
Completed ARP Ping Scan at 14:34, 0.41s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:34
Completed Parallel DNS resolution of 1 host. at 14:34, 0.03s elapsed
Initiating SYN Stealth Scan at 14:34
Scanning 192.168.56.101 [1000 ports]
Discovered open port 1025/tcp on 192.168.56.101
Discovered open port 139/tcp on 192.168.56.101
Discovered open port 135/tcp on 192.168.56.101
Discovered open port 80/tcp on 192.168.56.101
Discovered open port 3306/tcp on 192.168.56.101
Discovered open port 445/tcp on 192.168.56.101
Completed SYN Stealth Scan at 14:34, 1.18s elapsed (1000 total ports)
Initiating Service scan at 14:34
Scanning 6 services on 192.168.56.101
Completed Service scan at 14:34, 9.19s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.101
NSE: Script scanning 192.168.56.101.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 14:34
Completed NSE at 14:34, 32.14s elapsed
NSE: Script Scanning completed.
Nmap scan report for 192.168.56.101
Host is up (0.017s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.2.11 ((Win32) PHP/5.2.9-1)
|_html-title: OMEGA CRM
|_http-favicon: Unknown favicon MD5: E7D1FD0921C450F8FFD638F578D1D043
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
1025/tcp open  msrpc        Microsoft Windows RPC
3306/tcp open  mysql        MySQL 5.1.35-community
| mysql-info: Protocol: 10
| Version: 5.1.35-community
| Thread ID: 9
| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection
| Status: Autocommit
|_Salt: oS/3Pw+l`zemt}8=j|Tl
MAC Address: 08:00:27:8A:08:9C (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows

Host script results:
| nbstat:
|   NetBIOS name: MYWEBSERVER, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:8a:08:9c
|   Names
|     MYWEBSERVER<00>              Flags: <unique><active>
|     MYNET<00>                    Flags: <group><active>
|     MYWEBSERVER<20>              Flags: <unique><active>
|     MYNET<1e>                    Flags: <group><active>
|     MYNET<1d>                    Flags: <unique><active>
|_    \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| smb-os-discovery:
|   OS: Windows Server 2003 R2 3790 Service Pack 2 (Windows Server 2003 R2 5.2)
|   Name: MYNET\MYWEBSERVER
|_  System time: 2010-09-07 14:34:12 UTC+3
|_smbv2-enabled: Server doesn't support SMBv2 protocol

HOP RTT      ADDRESS
1   17.02 ms 192.168.56.101

Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.85 seconds
           Raw packets sent: 1038 (46.384KB) | Rcvd: 1017 (41.260KB)
</output>
<host comment="">
<status state="up"/>
<address addrtype="ipv4" vendor="" addr="192.168.56.101"/>
<address addrtype="mac" vendor="Cadmus Computer Systems" addr="08:00:27:8A:08:9C"/>
<hostnames/>
<ports>
<extraports count="994" state="closed"/>
<port protocol="tcp" portid="80">
<state reason="syn-ack" state="open" reason_ttl="128"/>
<service product="Apache httpd" name="http" extrainfo="(Win32) PHP/5.2.9-1" version="2.2.11" conf="10" method="probed"/>
</port>
<port protocol="tcp" portid="135">
<state reason="syn-ack" state="open" reason_ttl="128"/>
<service product="Microsoft Windows RPC" method="probed" conf="10" name="msrpc"/>
</port>
<port protocol="tcp" portid="139">
<state reason="syn-ack" state="open" reason_ttl="128"/>
<service method="probed" conf="10" name="netbios-ssn"/>
</port>
<port protocol="tcp" portid="445">
<state reason="syn-ack" state="open" reason_ttl="128"/>
<service product="Microsoft Windows 2003 or 2008 microsoft-ds" method="probed" conf="10" name="microsoft-ds"/>
</port>
<port protocol="tcp" portid="1025">
<state reason="syn-ack" state="open" reason_ttl="128"/>
<service product="Microsoft Windows RPC" method="probed" conf="10" name="msrpc"/>
</port>
<port protocol="tcp" portid="3306">
<state reason="syn-ack" state="open" reason_ttl="128"/>
<service product="MySQL" version="5.1.35-community" method="probed" conf="10" name="mysql"/>
</port>
</ports>
<os>
<portused state="open" portid="80" proto="tcp"/>
<portused state="closed" portid="1" proto="tcp"/>
<portused state="closed" portid="42061" proto="udp"/>
<osclass type="general purpose" osfamily="Windows" vendor="Microsoft" osgen="2003" accuracy="100"/>
<osmatch line="27651" name="Microsoft Windows Server 2003 SP1 or SP2" accuracy="100"/>
</os>

2. Reports of the optimized test web application

MBSA:


Report Details for MYNET - MYWEBSERVER (2010-09-08 14:05:25) Security assessment:

Severe Risk (One or more critical checks failed.)

--------------------------------------------------------------------------------

Computer name: MYNET\MYWEBSERVER

IP address: 192.168.56.101

Security report name: MYNET - MYWEBSERVER (8-9-2010 2-05 μμ)

Scan date: 8/9/2010 2:05 μμ *** This report is 3 days old. ***

Scanned with MBSA version: 2.2.2170.0

Catalog synchronization date: 2010-08-09T22:13:59Z

Security update catalog: Microsoft Update (offline)

--------------------------------------------------------------------------------

Sort Order: Issue name Score (worst first) Score (best first)

Security Update Scan Results

Score Issue Result

Developer Tools, Runtimes, and Redistributables Security Updates

No security updates are missing.

What was scanned Result details

SQL Server Security Updates

No security updates are missing.

What was scanned Result details

Silverlight Security Updates


No security updates are missing.

What was scanned Result details

Windows Security Updates

No security updates are missing.

What was scanned Result details

Windows Scan Results

Administrative Vulnerabilities

Score Issue Result

Incomplete Updates

No incomplete software update installations were found.

What was scanned

Windows Firewall

Windows Firewall is enabled and has exceptions configured. Windows Firewall is enabled on all network connections.

What was scanned Result details How to correct this

Local Account Password Test

Some user accounts (1 of 4) have blank or simple passwords, or could not be analyzed.

What was scanned Result details

Automatic Updates

Updates are automatically downloaded and installed on this computer.

What was scanned


File System

All hard drives (1) are using the NTFS file system.

What was scanned Result details

Autologon

Autologon is not configured on this computer.

What was scanned

Guest Account

The Guest account is disabled on this computer.

Windows Version

Computer is running Microsoft Windows Server 2003.

What was scanned

Internet Information Services (IIS) Scan Results

Score Issue Result

IIS Status

IIS is not running on this computer.

SQL Server Scan Results

Score Issue Result

SQL Server/MSDE Status

SQL Server and/or MSDE is not installed on this computer.


Desktop Application Scan Results

Administrative Vulnerabilities

Score Issue Result

IE Zones

Internet Explorer zones do not have secure settings for some users.

What was scanned Result details How to correct this

IE Enhanced Security Configuration for Administrators

The use of Internet Explorer is restricted for administrators on this server.

What was scanned

IE Enhanced Security Configuration for Non-Administrators

The use of Internet Explorer is restricted for non-administrators on this server.

What was scanned

Macro Security

No supported Microsoft Office products are installed.

Snort:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/11-16:26:46.822854 8:0:27:8A:8:9C -> 8:0:27:0:4:91 type:0x800 len:0x1A0

192.168.56.101:443 -> 192.168.56.1:7251 TCP TTL:128 TOS:0x0 ID:11838 IpLen:20 DgmLen:402 DF

***AP*** Seq: 0xA79A1524 Ack: 0x6EEE6BB5 Win: 0xF7C6 TcpLen: 20


SuperScan:

NetBIOS information on 127.0.0.1


Attempting a NULL session connection on 127.0.0.1

NULL session successful to \\127.0.0.1\IPC$

MAC addresses on 127.0.0.1

Trusted Domains on 127.0.0.1

Account Domain: MYWEBSERVER

Primary Domain: MYNET

Remote services on 127.0.0.1

Apache2.2 Running Apache2.2

AppMgmt Stopped Application Management

aspnet_state Stopped ASP.NET State Service

AudioSrv Running Windows Audio

BITS Stopped Background Intelligent Transfer Service

Browser Stopped Computer Browser

CiSvc Stopped Indexing Service

ClipSrv Stopped ClipBook

clr_optimization_v2.0.50727_32 Stopped .NET Runtime Optimization Service v2.0.50727_X86

clr_optimization_v4.0.30319_32 Stopped Microsoft .NET Framework NGEN v4.0.30319_X86

COMSysApp Stopped COM+ System Application

CryptSvc Running Cryptographic Services

DcomLaunch Running DCOM Server Process Launcher

Dfs Stopped Distributed File System

HidServ Stopped Human Interface Device Access

HTTPFilter Running HTTP SSL

idsvc Stopped Windows CardSpace

ImapiService Stopped IMAPI CD-Burning COM Service

IsmServ Stopped Intersite Messaging

JavaQuickStarterService Running Java Quick Starter


kdc Stopped Kerberos Key Distribution Center

lanmanserver Running Server

lanmanworkstation Running Workstation

LicenseService Stopped License Logging

LmHosts Running TCP/IP NetBIOS Helper

mnmsrvc Stopped NetMeeting Remote Desktop Sharing

MSDTC Running Distributed Transaction Coordinator

MSIServer Stopped Windows Installer

MySQL Running MySQL

NetDDE Stopped Network DDE

NetDDEdsdm Stopped Network DDE DSDM

Netlogon Stopped Net Logon

Netman Running Network Connections

NetTcpPortSharing Stopped Net.Tcp Port Sharing Service

Nla Running Network Location Awareness (NLA)

NtFrs Stopped File Replication

NtLmSsp Stopped NT LM Security Support Provider

NtmsSvc Stopped Removable Storage

PlugPlay Running Plug and Play

PolicyAgent Running IPSEC Services

ProtectedStorage Running Protected Storage

RasAuto Stopped Remote Access Auto Connection Manager

RasMan Running Remote Access Connection Manager

RDSessMgr Stopped Remote Desktop Help Session Manager

RemoteAccess Stopped Routing and Remote Access

rpcapd Stopped Remote Packet Capture Protocol v.0 (experimental)

RpcLocator Stopped Remote Procedure Call (RPC) Locator

SamSs Running Security Accounts Manager


Schedule Running Task Scheduler

seclogon Running Secondary Logon

SharedAccess Running Windows Firewall/Internet Connection Sharing (ICS)

stisvc Stopped Windows Image Acquisition (WIA)

swprv Stopped Microsoft Software Shadow Copy Provider

SysmonLog Stopped Performance Logs and Alerts

Tenable Nessus Running Tenable Nessus

TermService Running Terminal Services

Nessus:

List of hosts

localhost Medium Severity problem(s) found

localhost

Scan time :

Start time : Mon Sep 06 21:26:00 2010

End time : Mon Sep 06 21:42:23 2010

Number of vulnerabilities :

Open ports : 8

Low : 45

Medium : 9


High : 0

Information about the remote host :

Operating system : Microsoft Windows Server 2003, Enterprise Edition (English)

NetBIOS name : MYWEBSERVER

DNS name : localhost.

HTTP TRACE / TRACK Methods

Synopsis :
Debugging functions are enabled on the remote web server.

Description :
The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.

See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593

Solution :
Disable these methods.

Risk factor :
Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Solution :
Add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.


Plugin output :
The server response from a TRACE request is :

TRACE /Nessus3210.html HTTP/1.1
Connection: Close
Host: localhost
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

CVE : CVE-2004-2320
BID : 9506, 9561, 11604
Other references : OSVDB:877, OSVDB:3726
Nessus ID : 11213

/doc directory browsable ?

The /doc directory is browsable. /doc shows the content of the /usr/doc directory and therefore it shows which programs and - important! - the version of the installed programs.

Solution :
Use access restrictions for the /doc directory. If you use Apache you might use this in your access.conf:

<Directory /usr/doc>
AllowOverride None
order deny,allow
deny from all
allow from localhost
</Directory>

Risk factor : High
CVE : CVE-1999-0678
BID : 318
Nessus ID : 10056

Wikto:

localhost,/_vti_inf.html,200,iis,FrontPage may be installed.

localhost,/stats.html,200,generic,Just found this log file...

localhost,/wwwstats.html,200,generic,Just found this log file...

localhost,/index.php?base=test%20,200,generic,This might be interesting... has been seen in web logs from an unknown scanner.

localhost,/index.php?IDAdmin=test,200,generic,This might be interesting... has been seen in web logs from an unknown scanner.

localhost,/index.php?pymembs=admin,200,generic,This might be interesting... has been seen in web logs from an unknown scanner.

localhost,/index.php?SqlQuery=test%20,200,generic,This might be interesting... has been seen in web logs from an unknown scanner.

localhost,/index.php?tampon=test%20,200,generic,This might be interesting... has been seen in web logs from an unknown scanner.

localhost,/mlog.html,200,generic,This might be interesting... has been seen in web logs from an unknown scanner.

#Directories

localhost,ListViewItem: { / }

localhost,ListViewItem: { /admin/ }

localhost,ListViewItem: { /doc/ }

localhost,ListViewItem: { /pix/ }

#Indexable

0

#Files

0

ZenMap:

<?xml-stylesheet href="file:///C:/Program Files/Nmap/nmap.xsl" type="text/xsl"?>

<nmaprun start="1284213324" profile_name="Intense scan" xmloutputversion="1.03" scanner="nmap" version="5.21"

startstr="Sat Sep 11 16:55:24 2010" args="nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 192.168.56.101">

<verbose level="1"/>

<debugging level="0"/>

<output type="interactive">

Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-11 16:55 GTB Daylight Time
NSE: Loaded 36 scripts for scanning.
Initiating ARP Ping Scan at 16:55
Scanning 192.168.56.101 [1 port]
Completed ARP Ping Scan at 16:55, 0.72s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:55
Completed Parallel DNS resolution of 1 host. at 16:55, 0.04s elapsed
Initiating SYN Stealth Scan at 16:55
Scanning 192.168.56.101 [1000 ports]
Discovered open port 80/tcp on 192.168.56.101
Discovered open port 443/tcp on 192.168.56.101
Discovered open port 3306/tcp on 192.168.56.101
Completed SYN Stealth Scan at 16:55, 4.76s elapsed (1000 total ports)
Initiating Service scan at 16:55
Scanning 3 services on 192.168.56.101
Completed Service scan at 16:55, 14.23s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.101
NSE: Script scanning 192.168.56.101.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 16:55
Completed NSE at 16:55, 6.58s elapsed
NSE: Script Scanning completed.
Nmap scan report for 192.168.56.101
Host is up (0.0043s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.16 ((Win32) mod_ssl/2.2.16 OpenSSL/0.9.8o PHP/5.3.3)
| html-title: OMEGA CRM
|_Did not follow redirect to https://localhost/
443/tcp open ssl/http Apache httpd 2.2.16 ((Win32) mod_ssl/2.2.16 OpenSSL/0.9.8o PHP/5.3.3)
|_sslv2: server still supports SSLv2
|_html-title: OMEGA CRM
MAC Address: 08:00:27:8A:08:9C (Cadmus Computer Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2, Microsoft Windows Server 2003 SP2
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class

HOP RTT ADDRESS
1 4.27 ms 192.168.56.101

Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.57 seconds
Raw packets sent: 2040 (92.278KB) | Rcvd: 17 (862B)

</output>

<host comment="">

<status state="up"/>

<address addrtype="ipv4" vendor="" addr="192.168.56.101"/>

<address addrtype="mac" vendor="Cadmus Computer Systems" addr="08:00:27:8A:08:9C"/>

<hostnames/>

<ports>

<extraports count="997" state="filtered"/>

<port protocol="tcp" portid="80">

<state reason="syn-ack" state="open" reason_ttl="128"/>

<service product="Apache httpd" name="http" extrainfo="(Win32) mod_ssl/2.2.16 OpenSSL/0.9.8o PHP/5.3.3"

version="2.2.16" conf="10" method="probed"/>

</port>

<port protocol="tcp" portid="443">

<state reason="syn-ack" state="open" reason_ttl="128"/>

<service product="Apache httpd" name="http" extrainfo="(Win32) mod_ssl/2.2.16 OpenSSL/0.9.8o PHP/5.3.3"

version="2.2.16" conf="10" method="probed"/>

</port>

</ports>

<os>

<portused state="open" portid="80" proto="tcp"/>


<osclass type="general purpose" osfamily="Windows" vendor="Microsoft" osgen="2003" accuracy="100"/>

<osmatch line="27672" name="Microsoft Windows Server 2003 SP1 or SP2" accuracy="100"/>

<osmatch line="27741" name="Microsoft Windows Server 2003 SP2" accuracy="100"/>

</os>