WebSec 101 Configuration Presented By Mike Andrews [email protected] [email protected] Copyright © 2009, McAfee, Inc. Intro Music by DoKashiteru via CCMixter Nothing in isolation Application Libraries Operating System Network Attack Surface ► Attack surface is the total number of possible attack vectors ► Think of a house, with doors and windows as the attack vectors ► Minimize surface area - want to make sure all doors and windows are locked and secure From the bottom ► Each running network service is a door or window ► Generally on a WebApp only want external users to access ports 80 and 443 ● Turn off services like Telnet, FTP, SMTP, etc ● Some may be necessary - filter at firewall ► Some servers can be administered via web pages on administrative ports ● http://servername:5842 nMap ► nMap – “Network Mapper” ► Look for high-level TCP ports Connect to them and send HTTP request ► ● HEAD / HTTP/1.0 Checking for known vulnerabilities ► Need to know the type and version of the software ● From an internal/white-box point of view this is easy! ► Can be done for both OS and webserver ● nmap -O ● HEAD request --> Server Header They Lie! ► Sometimes no SERVER: header, sometimes it lies! ● Fingerprint on response differences How does HTTPrint work out the server type? Join the dots ► Given a webserver type/version, sometimes the OS can be determined ● IIS/6.0  Windows box ● Sun ONE  Solaris ● Apache  ??? With information comes power! ► What to do with this info? ● Lookup known vulnerabilities for the platform Changing the SERVER header ► Smells of “security by obscurity” ► I believe that … Apache/1.3.0 (Unix) PHP/3.0 SomeMod/9.3 … …is too much info ► Apache (>1.3) ● ServerTokens Prod[uctOnly] ► IIS ● IISLockdown/URLScan + RemoveServerHeader ● Remember the X-POWERED-BY header as well! Scanning products ► Various products available to scan machines/networks to look for known vulns ► Network scanning vs Application scanning Rest of the stack ► What about vulns in the rest of the stack? ● Issues with the app, framework and libraries will be addressed in future webcasts ● In terms of configuration, we want to remove unnecessary features/components and secure the ones that are left ► Left over files, samples, demos, etc ► Weak server configuration Reviewing the web root ► Much easier to do if you have local access ► Look for all the places that are mapped ● Apache - httpd.conf  DocumentRoot ● IIS - IIS Manager  Web Sites + Virtual Directories ► Review files and directories - remove those that are not necessary to running the application ● If in doubt, move the file/directory out of the web root(s) and see if the application functions normally (VM clones?) ► Also look for installed applications - does anyone really need MSOffice on the web server? Games? CS Server? Nikto/Wikto ► Example of a (free) tool which scans for potentially vulnerable files/settings ► Can generate a lot of false positives ● HTTP Codes (404’s etc) ● 200 OK problem ► Not necessarily security problems, but should be verified ● Left-over installation files / example scripts ● Known vulnerabilities / old versions ● Use –update to get most current signatures − Can also add your own custom ones Identifying resources Request “bad” resource Does it exist? Custom response? No vulnerability [y] [y] Positive vulnerability Recognize? False Positive [y] No vulnerability WebDAV ► WebDAV is a CVS system for web servers ● Allows for editing/modification/creation of web pages without have access to files on the server ● Uses normal HTTP auth – Basic, Digest, NTLM, etc ► Generally users do not need WebDAV for production servers, so turn it off (or secure it) ► Connect to the server and use the HTTP OPTIONS method to see if it’s enabled ● Test with tools like DAVExplorer, DAVE, PerlDAV, (FrontPage?) ● Turn off methods other than GET, POST, and HEAD HTTP Options Turning off HTTP verbs ► Apache ● Uninstall/disable Mod_DAV (or variants) − Look for DAV On in webconf file(s) ● Mod_Rewrite + RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|…|…) RewriteRule .* - [F] ► IIS ● Web Service Extensions Manager (in IIS Manager MMC) ● (4.0 + 5.0) URLScan + DenyVerbs HTTPS ► HTTPS (HTTP over SSL) is a requirements on a lot of websites ● Provides Confidentially − Not only for PII or credit card info, but also for session tokens (more later) ● Provides Integrity − MITM attacks ● Authentication as well, but leave that for another time ► Strength of the SSL cipher used is important depending on the information being protected ● “weak” ciphers can be broken in as little as 4 hours SSL Negotiation ► SSL selects the best cipher to use by negotiation between the server and browser ● Select the highest common available cipher ► SSLv2 Downgrade Attack ● Force a weaker cipher than is available ● Only allow “strong” ciphers ► Use SSLDigger and OpenSSL to check ciphers and versions Removing SSL Ciphers ► Apache ● Mod_SSL + − SSLCipherSuite HIGH:+MEDIUM:!LOW:!SSLv2 − ‘+’ adds a cipher, ‘!’ removes a cipher − Can select specific ciphers instead of aliases − SSLCipherSuite !AES256-SHA:+RC2-CBC-MD5 ► IIS ● Site PropertiesDirectory Security Require 128 Bits ● Can remove ciphers via RegEdit Conclusion/wrap-up ► Ensure that machine is as “clean” as possible ● Stop unnecessary services and close the ports ● Remove all unnecessary pages / scripts / interfaces ► Disable HTTP methods ► Use SSLv3/TLS ► Remove all SSL ciphers other than “strong” or above ► See… ● LAMP - http://www.apachesecurity.net/ ● WISA - http://msdn2.microsoft.com/enus/library/ms994921.aspx Next Up: Authentication Credits/references ► NetCat ● http://netcat.sourceforge.net/ ● (also available in Cygwin - http://www.cygwin.com/) ► SecurityFocus.com, Secunia.com, OSVDB.org ► HTTPrint ● http://net-square.com/httprint/ ► nMap ● http://insecure.org/nmap/ ► Apache documentation ● http://httpd.apache.org/docs/1.3/mod/core.html#servertokens ● http://httpd.apache.org/docs/2.0/mod/mod_ssl.html ► IISLockdown ● http://www.microsoft.com/downloads/details.aspx?FamilyID=DDE9E FC0-BB30-47EB-9A61-FD755D23CDEC ► URLScan ● http://www.microsoft.com/technet/security/tools/urlscan.mspx ► Brute force weak SSL ciphers ● http://www.cl.cam.ac.uk/~rnc1/brute.html ► IIS SSL Ciphers registry hack ● http://support.microsoft.com/kb/216482 ● http://support.microsoft.com/kb/187498