security testing of study information system security team: matis alliksoo alo konno urmo lihten...
TRANSCRIPT
Security testing of study information system
Security team:Matis Alliksoo
Alo Konno
Urmo Lihten
Taavi Podzuks
Sander Saarm
Current situation
Our study information system is developed inhouse.
This is used by 10 applied universities.
There are more than14 000 active users and more than 28000 can log in.
Current situation (2)
Technical information
Php5 zend framework
Mysql batabase
Linux operating system
There are 3 servers
Live system Web frontend
Live system database
Development server (Web frontend and database)
Problem
Study information systems security has been tested only by developers , this is not a good practice. This should be done by external testers.
Goals
1. Study what web vulnerabilitis are and how to use them, because we did not have any experience in pen-testing.
2. Learn about web tesing framework environments and how to use them.
3. Find out best tools to work with and test on Damn Vulnerable Web Application and later on the study information system.
4. Finding vulnerabilities in the study infromation system.
5. Document our work.
Top 10 Web Vulnerabilities
A1: Injection (SQL, PHP, ….)
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Used/tested web testing frameworks
Samurai Web Testing Framework
1.BurpSuite
2.Fireforce
3.Cookie editor
4.Dvwa (redirected to BackTrack 5 R2)
Backtrack 5 R2
1.BurpSuite
2.Subgraph Vega
3.Wapiti
4.W3af
5.Nessus
6.Owasp-zap
Windows tools
Acunetix Web Vulnerability Scanner
Cross Site Request Forgery
We started with generating html POST request to change authenticated user language.
Cross Site Request Forgery (2)
Next we made a html POST request what uses USER_ID to change authenticated users password.
Changing Administator password
1. Found out USER_ID of the administator by checking administators picture URL in study information system.
2. We created html request and uploaded it to a trusted webserver as .jpg, to fool the administator.
3. Tricked administrator to log into the study information system by telling something is wrong in study information system.
4. For explanation of the problem we told him to check the fake screenshot (sent him the infected URL)
5. As he opened it his password changed automatically and he was kicked out of the system.
6. Issue was obviously very quickly fixed.
Failure to Restrict URL Access
Found vulnerability in URL, where students can see other students’ grades just by changing USER_ID in PDF download URL.
This failure was found knowing the vulnerabilitys and by randomly testing all pages.
This data is very sensitive and it was fixed immidiately.
Results
Got overview of most commonly used vulnerabilities and how to use them in testing.
Learned how to use different pen-testing tools and web test environments.
Study information system is now free of couple critical bugs.
Documentation: https://wiki.itcollege.ee/index.php/Security_team
Thank you for listening!
Questions?