Software security vulnerability analysis

    Software security vulnerability analysis by use case

    You are hired as a penetration tester for a company with many branches. Their web application allows their potential customers to do online search,upload information. The application stores personal information for the customers. Users credentials are stored in the database. 
    Questions and answers based on the use case 
    A- Information gathering – Social engineering and nmap  
    (1) Identify the ports you found running on the server machine and briefly explain what threats those open ports bring to your scenario. 
    Response   -Below are the ports with numbers and the risks involved, 
    FTP – 21 - Since FTP is unencrypted, man-in-the-middle attacks can and have been used to inject malware into software downloaded using FTP. FTP servers carry numerous vulnerabilities such as anonymous authentication capabilities, directory traversals, and cross-site scripting, making port 21 an ideal target. 
    TELNET – 23 - Telnet sends data completely unmasked in clear text. Attackers can listen in, watch for credentials, inject commands via man-in-the-middle attacks, and ultimately perform Remote Code Executions. 
     HTTP – 80 - attacks on web clients that travel over port 80 include SQL injections, cross-site     request forgeries, cross-site scripting, and buffer overruns. The daemon that is listing on a port, could be vulnerable to a buffer overflow, or another remotely exploitable vulnerability. 
    DNS -  53 – Brings attack such as amplification, reflection etc. If a DNS service goes down, network attached devices stop working. A company loses connectivity to the internet and hence cannot conduct business online. This leads to loss of revenue, customer defection and negative brand impact.

    (2) Identify two services running on the server machine that should be priority to protect. Document your security concerns if you have any and justify your answers 
    Response -  a) Cryptographic Service -  Provider (CSP) is a software library that implements the           Microsoft CryptoAPI (CAPI). CSPs implement encoding and decoding functions, which computer application programs may use, for example, to implement strong user authentication or for secure email. Cryptography protects your login passwords to your system as well. They are stored in an encrypted form as hashes and, if you can break the encryption, well, you’re in. 
    b) Security Service - Security Service handles unified device protection and health information. It can expose information like when your device was last scanned for threats, when was your definitions were last updated, when was the Device performance and health scan was run. This scan ensures your device is operating efficiently. 

    (3) Once you identify the services on your machine, research three internet vulnerabilities related to those services. (look for versions, number of users, etc..) 
    Response -  below are the three internet vulnerabilities, 
    a) SQL Injection - Attackers can use SQL Injection vulnerabilities to bypass application security measures. They can go around authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. They can also use SQL Injection to add, modify, and delete records in the database. An SQL Injection vulnerability may affect any website or web application that uses an SQL database such as MySQL, Oracle, SQL Server, or others. Criminals may use it to gain unauthorized access to your sensitive data: customer information, personal data, trade secrets, intellectual property, and more. 
    b) Broken Authentication - Broken authentication and session management has the potential to steal a user's login data, or forge session data, such as cookies, to gain unauthorized access to websites. 
    c) Server-Side Request Forgery - In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed. 

    (4) Pick the four least secure services running on the server machine and explain the danger posed by each of them. Document your security concerns if you have any. 
    a) Remote Desktop Services - Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service.  To prevent remote use of this computer, clear the checkboxes on the Remote tab of the System properties control panel item. 
    b) Geolocation Service - This service monitors the current location of the system and manages geofences (a geographical location with associated events).  If you turn off this service, applications will be unable to use or receive notifications for geolocation or geofences. 
    c) Network Setup Service - The Network Setup Service manages the installation of network drivers and permits the configuration of low-level network settings.  If this service is stopped, any driver installations that are inprogress may be cancelled. 
    d) Device Association Service  - Enables pairing between the system and wired or wireless devices. 
    B- Finding and exploiting vulnerabilities  
    (1) Identify if the application is vulnerable to data tampering and exploit it if possible.  
    Response -  
    Data tampering is that act of deliberately modifying, manipulating, or editing data through unauthorized channels. Data exists in two states: in transit or at rest. In both instances, data could be intercepted and tampered with. Digital Communications are all about data transmission. 
    Below is how it can be exploited , 
    Save the below python script as "custom_caesar.py" and place it inside SQLMAP's "tamper" directory. Then pass the name of the script to the -tamper argument. 
    python sqlmap.py -u "https://www.somewebsite.com

    QnnyBZ4_ZB6qvm=xxxTcTc&k3mK4_ZQ6v=6V9A&UQK4_ZQ6v=qVllgrr" -tamper=custom_caesar.py -dump 
     A few lines of custom Python code took this vulnerability from "an unexploitable false positive" to a significant vulnerability that requires immediate attention. After using the tamper script, we can access everything in the database with SQLMAP. 

    (2) Identify if the application is vulnerable to SQL injection and exploit it if possible  
    Response - Attackers can use SQL Injections to find the credentials of users in the database. They can then impersonate these users. The impersonated user may be a database administrator with all database privileges. 
    Below is how it can be exploited, 
    It is a simple example of authenticating with a username and a password. The example database has a table named users with the following columns: username and password. 
    # Define POST variables 
    uname = request.POST['username'] 
    passwd = request.POST['password'] 
    # SQL query vulnerable to SQLi 
    sql = “SELECT id FROM users WHERE username=’” + uname + “’ AND password=’” + passwd + “’” 
    # Execute the SQL statement 
    use a trick involving a single quote and set the passwd field to: 
    password' OR 1=1 
    database server runs the following SQL query now, 
    SELECT id FROM users WHERE username='username' AND password='password' OR 1=1' 
    Because of the OR 1=1 statement, the WHERE clause returns the first id from the users table no matter what the username and password are. The first user id in a database is very often the administrator. In this way, the attacker not only bypasses authentication but also gains administrator privileges. 
    (3) Identify if the application is vulnerable to XSS vulnerability and exploit it if possible.  
    Response -  
    Cross-Site Scripting (also known as XSS) is one of the most common application-layer web attacks. XSS vulnerabilities target scripts embedded in a page that are executed on the client-side (in the user’s web browser) rather than on the server-side. XSS in itself is a threat that is brought about by the internet security weaknesses of client-side scripting languages, such as HTML and JavaScript. The concept of XSS is to manipulate client-side scripts of a web application to execute in the manner desired by the malicious user. Such a manipulation can embed a script in a page that can be executed every time the page is loaded, or whenever an associated event is performed. 
    Below is how it can be exploited ,  
    Through the vulnerable website’s field, the hacker injects the appropriate code. 
    <script type=”text/javascript”> 
    var test=’../example.php?cookie_data=’+escape(document.cookie); 

    (4) Can you identify any other vulnerability?  
    Response -  
    In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed. 
    How it can be exploited , 
          // Compliant Code 
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { 
    String urlWhiteListed = "https://example.com/"; 
    String str = req.getParameter("url"); 
    if (!str.startsWith(urlWhiteListed)) 
    throw new IOException(); 
    URL url2 = new URL(str); 
    HttpURLConnection conn2 = (HttpURLConnection) url2.openConnection(); 

    // Modify the code as below for a Noncompliant Script 
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { 
       URL url = new URL(req.getParameter("url")); 
       HttpURLConnection conn = (HttpURLConnection) url.openConnection();  
    C- Man in the middle attacks and social engineering  
    (1) If a client is connected to the server while you are testing the environment, identify what are the information that can be obtained from a packet capture of their communication.   
    Response - The full packet includes two things: a payload and a header. The payload is the actual contents of the packet, while the header contains extra information, including the packet's source and destination address. The information obtained can be some or all of the following: 
    a) Security Related: Data capturing is used to identify security flaws and breaches by determining the point of intrusion. 
    b) Data Leakage Related: Content analysis and monitoring helps to ascertain the leakage point and its sources. 
    c) Troubleshooting Related: Managed through data capturing, troubleshooting detects the occurrence of undesired events over a network and helps solve them. 
    d) Data/Packet Loss Related: When data is stolen, we can retrieve the stolen or lost information easily using data capturing techniques. 
    e) Forensics Related: Whenever viruses, worms or other intrusions are detected in computers, we can determine the extent of the problem. After initial analysis, we may block some segments and network traffic in order to save historical information and network data. 
    (2) Identify a method that lure a normal user of the server to your computer instead of the server machine. What information you can get from this?  
    Response – We can use honeypot method. A honeypot is a computer in a system that is set with vulnerabilities and is posed as the target for cyberattacks. Luring a hacker into your system is a high-risk game but if done right, it can produce results by catching your hacker. Honeypot is one of the oldest tricks used for luring out a hacker in the system where he/she interacts with the trap and one can gain important information about him/her. 
    3) If the server is protected, what can you do to penetrate the system from the client side?  
    Response – a ) One way to penetrate the system from client side is add a malware file from the upload option of the website and make sure it gets uploaded if the site is not properly whitelisted with file types.  
     b) Another way to penetrate a server for smtp related information are below, 
    telnet [server_ip] , use auxiliary/scanner/smtp/smtp_enum , perl smtp-user-enum , nmap –script smtp-enumusers.nse [server_ip] 
    D - Protecting your server: Now you have completed a first assessment of the network, what are your recommendation?  
    (1) Based on your results, you have identified that “Port knocking” method is important to implement on your server. Explain.  
    Response - The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because unless the attacker sends the correct knock sequence, the protected ports will appear closed. Defeating port knocking protection requires large-scale brute force attacks in order to discover even simple sequences. An anonymous brute force attack against a threeknock TCP sequence would require an attacker to test every three port combination in the 1–65535 range and then scan each port between attacks to uncover any changes in port access on the target system. 
    (2) Hackers will attempt to scan a machine looking for suitable vulnerabilities to exploit. In your own words explain what false positives and false negatives are in relation to a Network Intrusion Detection System (NIDS). 
    Response –  
    A false positive occurs when an IDS reports as an intrusion an event that is in fact legitimate network activity. A false negative occurs when the IDS fails to detect malicious network activity. 
    Below are the false positives, 
    a) An IDS will only notify on the false positive and will not impact business functions while the security professional verifies the validity of the alert.For example ,if a customer of the real estate agency forgets his password to the portal and makes multiple attempts to login. 
    b)  About 91% of FP alerts, equal to about 85% of false cases, are not related to security issues, but to management policy 
    And the false negatives are , 
    Buffer overflow, SQL server attack and worm slammer attacks account for 93% of False Negatives, even though they are aged attacks.  
    (3) Explain the difference between Intrusion Detection System IDS and Intrusion prevention System IPS. Suggest a recommendation for the scenario you have in hand.   
    Response - The difference between a NIDS and a network intrusion prevention system (NIPS) is that the NIPS alters the flow of network traffic. The goal of a network intrusion detection system is to discover unauthorized access to a computer network by analyzing traffic on the network for signs of malicious activity. The intrusion detection task is to build a predictive model capable of distinguishing between intrusions or attacks, and normal network connections. 
    Recommendation - It is recommended for the Real estate company networks to use both a NIDS and a NIPS.NIPS provides defense-in-depth protection in addition to a firewall; it is not typically used as a replacement. Also, a false positive by a NIPS is more damaging than one by a NIDS: Legitimate traffic is denied, which may cause production problems. A NIPS usually has a smaller set of rules compared to a NIDS for this reason; only the most trustworthy rules are used. A NIPS is not a replacement for a NIDS for this reason.  

    (4) Evaluate the effectiveness of the following tools and specify which you will use. justify you answer. • Firewall • Snort • iptable  
    Response –  
    a) Firewall - When it comes to securing your business, firewall solutions are a great foundation to protect your network. However, they are no longer enough to mitigate bigger and more complex threats. Fighting off these risks require a considerable amount of skills, time, and resources. 
    b) Snort - Snort performs protocol analysis, content searching and matching. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, semantic URL attacks, buffer overflows, server message block probes, and stealth port scans. 
    c) Iptable - Iptables is a command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. If it does not find one, it resorts to the default action. 
    Based on the above analysis , looking at the multiple functions that Snort supports , we will use this tool and that is also recommended.  
    (5) Based on your findings, document any other recommendation based on vulnerabilities and weaknesses. Your recommendations should be based on the scenario you are working on and the type of data and services they do.  
    Response –  Recommendations and Conclusions for the web application are as below, 
    Step #1: Install security plugins – As this web application has lot of searchable content and is built on content management system (CMS), we can enhance our website with security plugins that actively prevent website hacking attempts.  
    Step #2: Use HTTPS  - As a consumer, you may already know to always look for the green lock image and https in your browser bar any time you provide sensitive information to a website. They signal that it’s safe to provide financial information on that particular webpage. 
    Step #3: Keep your website platform and software up-to-date - Always make sure your content management system, plugins, apps, and any scripts you’ve installed are up-to-date. 
    Step #4: Make sure your passwords are secure - It’s tempting to go with a password you know will always be easy for you to remember. That’s why the most common password is still 123456. Recommend users to use complicated password using at least one letter with CAPS, one small and a special character. 
    Step #5: Invest in automatic backups - While a data breach will be stressful no matter what, when you have a current backup, recovering is much easier.  
    Step #6: Take precautions when accepting file uploads through your site - Create a whitelist of allowed file extensions. By specifying which types of files you’ll accept, you keep suspicious file types out. 
    Step #7: Use parameterized queries - Using parameterized queries ensures your code has specific enough parameters so that there’s no room for a hacker to mess with them. 
    Step #8: Use CSP - CSP allows you to specify which domains a browser should consider valid sources of executable scripts when on your page. The browser will then know not to pay attention to any malicious script or malware that might infect your site visitor’s computer. 
    Step #9: Lock down your directory and file permissions - All websites can be boiled down to a series of files and folders that are stored on your web hosting account. Make sure all these files and directories are assigned correct permissions. 
    #10 Keep your error messages simple - Detailed error messages can be helpful internally to help you identify what’s going wrong so you know how to fix it. But when those error messages are displayed to outside visitors, they can reveal sensitive information.

    Author - Aniruddha biswas [https://www.linkedin.com/in/aniruddha-biswas-122838182/]



    John Karlsson says (Oct 19, 2020):

    Nice read

Post Comments