
DOCUMENT INFORMATION

Basic information

Title: LAB 5 Identify Threats and Vulnerabilities in an IT Infrastructure
Author: Nguyen Ly Phuong Uyen
School: University of Information Technology
Major: Risk Management in Information Systems
Type: Lab Report
Year published: 2024
City: Ho Chi Minh City
Format:
Pages: 21
Size: 1.12 MB

Contents


Nguyen Ly Phuong Uyen

CE140422

LAB 5 Identify Threats and Vulnerabilities in an IT Infrastructure

1 Required Setup and Tools

Students will need access to the Internet to correlate software vulnerabilities found on the IT infrastructure with the Common Vulnerabilities and Exposures (CVE) online listing located at: http://cve.mitre.org/

Using an online tool to find OWASP vulnerabilities.

2 Part 1: Using an online tool

In this part, students will use an online scanner tool to scan a website for vulnerabilities:

- Group 4: http://testasp.vulnweb.com

After scanning, students must fill the results into the tables below.

Item | Potential Risk | Exposure

1 | X-Frame-Options Header Not Set | Medium

1. Send the content as an HTTP Header – the directive is ignored if specified in a META tag.
2. Use X-Frame-Options on critical configuration pages or other pages that require an “authentic user click”.
3. Don’t use “sameorigin” if you have any page on your domain which accepts an arbitrary URL to frame.

Medium. Most modern web browsers support the X-Frame-Options HTTP header. Ensure it’s set on all web pages returned by your site (if you expect the page to be framed only by pages on your server then you’ll want to use SAMEORIGIN; otherwise, if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Medium. Refer to your data classification standard for proper handling of data and use of TCP/IP applications. Never use TCP/IP applications for confidential data.

Phase: Implementation. Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.

Phase: Architecture and Design. Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). Note that this can be bypassed using XSS.

Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. Note that this can be bypassed using XSS.

Use the ESAPI Session Management control. This control includes a component for CSRF.

Do not use the GET method for any request that triggers a state change.

Phase: Implementation. Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.

[...] encryption. Create a network management VLAN and isolate TFTP and SNMP traffic used for network management.
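The anti-CSRF rows above ask for a per-form nonce that is unpredictable (CWE-330), verified on receipt, and never accepted over GET for a state change. The block below is an added example written for this report; it is not code from the lab or from the scanner output the table quotes. It assumes a hypothetical in-memory session store and a hypothetical /transfer form; a real application would keep the nonces in its session backend.

```python
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple


class CsrfTokenStore:
    """Per-session store of outstanding form nonces.

    In-memory stand-in for a real session store (an assumption of this example).
    """

    def __init__(self) -> None:
        self._issued: Dict[str, Set[str]] = {}

    def issue(self, session_id: str) -> str:
        """Mint an unpredictable nonce for one form render (avoids CWE-330) and remember it."""
        nonce = secrets.token_urlsafe(32)  # CSPRNG-backed, 256 bits of entropy
        self._issued.setdefault(session_id, set()).add(nonce)
        return nonce

    def verify(self, session_id: str, submitted: Optional[str]) -> bool:
        """Accept a submission only if it carries a nonce issued to *this* session.

        Each nonce is consumed on first use, so a captured form cannot be replayed.
        """
        if not submitted:
            return False
        outstanding = self._issued.get(session_id, set())
        for nonce in list(outstanding):
            # constant-time comparison: a timing side channel must not reveal partial matches
            if hmac.compare_digest(nonce, submitted):
                outstanding.discard(nonce)
                return True
        return False


def render_transfer_form(store: CsrfTokenStore, session_id: str) -> str:
    """Embed the nonce in the form as a hidden field; the browser sends it back on submit."""
    nonce = store.issue(session_id)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{nonce}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(
    store: CsrfTokenStore, method: str, session_id: str, form: Dict[str, str]
) -> Tuple[int, str]:
    """Server side of the state-changing request.

    Two of the table's rules are enforced here: state changes never ride on GET,
    and the form must carry a valid, unconsumed anti-CSRF nonce.
    """
    if method != "POST":
        return 405, "state change must use POST"
    if not store.verify(session_id, form.get("csrf_token")):
        return 403, "missing or invalid anti-CSRF token"
    return 200, f"transferred {form.get('amount', '0')}"


if __name__ == "__main__":
    store = CsrfTokenStore()
    html = render_transfer_form(store, "session-A")
    token = html.split('value="')[1].split('"')[0]
    print(handle_transfer(store, "POST", "session-A", {"csrf_token": token, "amount": "10"}))
    print(handle_transfer(store, "POST", "session-A", {"csrf_token": token, "amount": "10"}))  # replay rejected
    print(handle_transfer(store, "POST", "session-A", {"amount": "10"}))  # cross-site form without a token
```

The nonce is bound to the session that rendered the form, so a token minted for one victim's session is useless in another, and the single-use rule means a page that leaked through XSS cannot be replayed indefinitely (the table's own caveat still holds: script running in the victim's origin can fetch a fresh token, which is why XSS must be fixed first).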

Cookie No HttpOnly Flag | Low

- A server could help mitigate this issue by setting the HttpOnly flag, indicating the cookie should not be accessible on the client.

Low. Ensure that the HttpOnly flag is set for all cookies.

- Using Java to set HttpOnly
- Using .NET to set HttpOnly
- Using PHP to set HttpOnly

4 | Cookie Without SameSite Attribute | Low

Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.

Low. Install and turn on SameSite to allow user agents to mitigate the risk of cross-origin information leakage, and provide some protection against cross-site request forgery attacks.

[...] headers | Medium

Implementers SHOULD make the Server header field a configurable option. It’s about mitigating risk at each opportunity, and in the case of these headers it’s dead easy to remove them, thus providing one small but tangible advantage.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Low. In the October Cumulative update, a change was made to CSS handling in IE6, IE7, and IE8 to block all cross-origin stylesheets unless they have been delivered with the proper HTTP response header: Content-Type: text/css. This protection helps ensure that LINK and @IMPORT cannot be used as a vector to steal content from another site. Internet Explorer 9 Beta already included this protection. Additionally, [...] shows the following warning message when a cross-origin stylesheet with an incorrect MIME-type is encountered:
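The header rows of the findings table (X-Frame-Options, HttpOnly and SameSite cookie flags, the Server header, X-Content-Type-Options) can all be checked from one HTTP response. The block below is an added example for this report, not the scanner's code, that re-derives those rows from raw response headers and shows the hardened header set beside the weak one. Both responses are constructed samples; the server name, cookie name and version string are invented and do not come from the lab's target.

```python
import re
from typing import List, Tuple

# Constructed sample responses (not captured from the lab's target): one with the
# weaknesses the findings table reports, one with the recommended headers in place.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: ExampleServer/1.2.3
Content-Type: text/html; charset=utf-8
Set-Cookie: sessionid=abc123; path=/

<html><body>hello</body></html>"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: ExampleServer
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Set-Cookie: sessionid=abc123; path=/; HttpOnly; Secure; SameSite=Strict

<html><body>hello</body></html>"""

Finding = Tuple[str, str]  # (alert name, risk rating as used in the findings table)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response head into (lower-cased name, value) pairs; stops at the body."""
    lines = raw.strip().splitlines()[1:]  # drop the status line
    headers = []
    for line in lines:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_headers(raw: str) -> List[Finding]:
    """Re-derive the header-related rows of the findings table from a single response."""
    headers = parse_headers(raw)

    def values(name: str) -> List[str]:
        return [v for k, v in headers if k == name]

    findings: List[Finding] = []

    # Clickjacking: the header must be present and carry DENY / SAMEORIGIN / ALLOW-FROM.
    xfo = [v.upper() for v in values("x-frame-options")]
    if not xfo:
        findings.append(("X-Frame-Options Header Not Set", "Medium"))
    elif not any(v in ("DENY", "SAMEORIGIN") or v.startswith("ALLOW-FROM") for v in xfo):
        findings.append(("X-Frame-Options header has an unrecognised value", "Medium"))

    # MIME sniffing: only the literal 'nosniff' switches it off.
    if [v.lower() for v in values("x-content-type-options")] != ["nosniff"]:
        findings.append(("X-Content-Type-Options Header Missing", "Low"))

    # Cookies: HttpOnly keeps script away from the cookie; SameSite lax/strict limits cross-site sends.
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            findings.append((f"Cookie No HttpOnly Flag ({name})", "Low"))
        samesite = [a.split("=", 1)[1] for a in attrs if a.startswith("samesite=")]
        if samesite[:1] not in (["lax"], ["strict"]):
            findings.append((f"Cookie Without SameSite Attribute ({name})", "Low"))

    # Server banner: any digit in the value is treated as a version disclosure.
    for server in values("server"):
        if re.search(r"\d", server):
            findings.append((f"Server header discloses a version string ({server})", "Medium"))

    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp))
```

The hardened response is the target state the table describes: DENY (or SAMEORIGIN where framing by your own pages is expected), nosniff on every page, and every cookie carrying HttpOnly plus SameSite lax or strict. Running the audit against both shows the weak response producing five rows and the hardened one none.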

Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving your site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems when generating the disclaimer page.

When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap provide this capability.

Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.

High. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

When employees access an unknown URL, the risk of malware being able to access the corporate computer is huge.

[...] programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.

If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

If database Stored Procedures can be used, use them. Do not concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

Do not create dynamic SQL queries using simple string concatenation.

Apply a 'whitelist' of allowed characters, or a 'blacklist' of disallowed characters in user input.

Apply the principle of least privilege by using the least privileged database user possible. In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

Grant the minimum database access that is necessary for the application.

High.

Do not trust client side input, even if there is client side validation in place. In general, type check all data on the server side. Escape all data received from the client.
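The SQL injection rows above contrast "simple string concatenation" with parameterized queries and ask for server-side type checks. The block below is an added example for this report (not code from the lab or from the ASP target it scanned) that shows both login queries side by side against an in-memory SQLite table with constructed rows, plus an integer type check applied before any SQL runs. The table name, columns and rows are invented for the example.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows (not data from the lab's target)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the table warns against: user input spliced into the SQL text.

    The textbook tautology  ' OR '1'='1  supplied as the password rewrites the WHERE
    clause, so the query matches a row without the real password.
    """
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: placeholders keep the input as data; the driver never treats it as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def find_username_by_id(conn: sqlite3.Connection, raw_id: str) -> Optional[str]:
    """Server-side type check: an id is an integer or it is rejected before any SQL runs."""
    try:
        user_id = int(raw_id)
    except ValueError:
        return None
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("concatenated accepts tautology:", login_concatenated(db, "alice", probe))
    print("parameterized accepts tautology:", login_parameterized(db, "alice", probe))
    print("id lookup with non-integer id:", find_username_by_id(db, "2 OR 1=1"))
```

The parameterized version is the portable equivalent of the table's "ADO Command Objects with parameterized queries" advice; the least-privilege rows (no 'sa' or 'db-owner') are a database-account configuration matter and are not something this snippet can demonstrate.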

High. The attacker may be able to specify arbitrary code to be executed from a remote location. Alternatively, it may be possible to use normal program behavior to insert php code into files on the local machine which can then be included and force the code to execute, since php ignores everything in the file except for the content between php specifiers.

[...] IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.

Phases: Architecture and Design; Operation. Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by your software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows you to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

For PHP, the interpreter offers restrictions such as open_basedir or safe mode which can make it more difficult for an attacker to escape out of the application. Also consider Suhosin, a hardened PHP extension, which includes various options that disable some of the more dangerous PHP features.

Phase: Implementation. Use an "accept known good" input validation strategy, i.e. reject any input that does not strictly conform to specifications, or transform it into something that does.

For filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately.

Table 1: Web Application findings table.
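Two rows of Table 1 recommend the same control, an indirect reference map from fixed IDs to real targets: the URL-redirect row (ID 1 to "/login.asp", ID 2 to "http://www.example.com/") and the file-inclusion row (ID 1 to "inbox.txt", ID 2 to "profile.txt"). The inclusion row adds an accept-known-good filename rule: restricted character set, a single ".", no directory separators, and an allow-listed extension. The block below is an added example for this report covering both rows; it is not the ESAPI AccessReferenceMap nor code from the lab. The allowed extensions, the redirect host allow-list and the maps themselves are constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit


class AccessReferenceMap:
    """Indirect object references, in the spirit of the ESAPI AccessReferenceMap the table cites.

    Clients only ever see small fixed IDs; the server maps an ID to the real target
    and rejects any other input, so a path or URL supplied by the client is never used.
    """

    def __init__(self, targets: List[str]) -> None:
        self._by_id: Dict[int, str] = dict(enumerate(targets, start=1))

    def resolve(self, raw_id: Optional[str]) -> Optional[str]:
        try:
            key = int(raw_id)
        except (TypeError, ValueError):
            return None
        return self._by_id.get(key)


# Constructed maps using the ID assignments quoted in the findings table.
REDIRECT_TARGETS = AccessReferenceMap(["/login.asp", "http://www.example.com/"])
INCLUDE_FILES = AccessReferenceMap(["inbox.txt", "profile.txt"])

# Accept-known-good filename rule: restricted character set, exactly one '.',
# no directory separators (CWE-23 / CWE-36), and an allow-listed extension.
ALLOWED_EXTENSIONS = {"txt", "html"}  # constructed allow-list
_FILENAME_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")


def safe_filename(name: str) -> bool:
    """True only for names that fully match the whitelist pattern and extension list."""
    if not _FILENAME_RE.fullmatch(name):
        return False
    return name.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


# Domain allow-list for redirects (constructed host).
ALLOWED_REDIRECT_HOSTS = {"www.example.com"}


def redirect_target(raw_id: str) -> Optional[str]:
    """Resolve a redirect by ID, then re-check the destination against the host allow-list.

    Relative paths stay on our own site; absolute URLs must name an approved host.
    The second check is defence in depth should someone later add an entry to the map.
    """
    target = REDIRECT_TARGETS.resolve(raw_id)
    if target is None:
        return None
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "" and target.startswith("/"):
        return target
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    return None


if __name__ == "__main__":
    for raw in ("1", "2", "3", "../../etc/passwd"):
        print("redirect", repr(raw), "->", redirect_target(raw))
    for name in ("inbox.txt", "../inbox.txt", "a.b.txt", "report.php"):
        print("filename", repr(name), "->", safe_filename(name))
```

The include-guard constant the table mentions (a constant defined by each calling script and checked inside the library file) is a PHP idiom and is not reproduced here; the map plus the filename rule cover the other two recommendations in that row.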

X-Frame-[...] is not included in the HTTP response to protect against 'ClickJacking' attacks.

Send the content as an HTTP Header – the directive is ignored if specified in a META tag. Use X-Frame-Options on critical configuration pages or other pages that require an “authentic user click”. Don’t use “sameorigin” if you have any page on your domain which accepts an arbitrary URL.

[...] in a HTML submission form.

A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as [...]

Phase: Architecture and Design. Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, use anti-CSRF packages such as the OWASP CSRFGuard. Phase: Implementation. Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script. Phase: Architecture and Design. Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). Note that this can be bypassed using XSS. Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. Note that this can be bypassed using XSS.

Impact: Low Medium High | High | Low

[...] riding, confused deputy, and sea surf.

CSRF attacks are effective in a number of situations, including:

* The victim has an active session on the target site
* The victim is authenticated via HTTP auth on the target site
* The victim is on the same local network as the target site

CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.

This control includes a component for CSRF. Do not use the GET method for any request that triggers a state change.

Phase: Implementation. Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.

- A server could help mitigate this issue by setting the HttpOnly flag on a cookie it creates, indicating the cookie should not be accessible on [...]

Impact: Low Medium High | High | Low

[...] JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

- Using Java to set HttpOnly
- Using .NET to set HttpOnly
- Using PHP to set HttpOnly

[...] as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Install and turn on SameSite to allow user agents to mitigate the risk of cross-origin information leakage, and provide some protection against cross-site request forgery attacks.

Impact: Low Medium High | High | Medium

[...] HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.

Implementers SHOULD make the Server header field a configurable option. It’s about mitigating risk at each opportunity, and in the case of these headers it’s dead easy to remove them, thus providing one small but tangible advantage.

Anti-MIME-[...] This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages. If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Impact: Low Medium High | High | Medium

*Low

Impact: Low Medium High | High | Low

[...] an alternate resource. This can be done for a variety of reasons and is often done to allow resources to be moved within the directory structure and to avoid breaking functionality for users that request the resource at its previous location. URL redirectors may also be used to implement load balancing, leveraging abbreviated URLs or recording outgoing links. It is this last implementation which is often used in phishing attacks as described in the example below. URL redirectors do not necessarily represent a direct security vulnerability but can be abused by attackers trying to social engineer victims into believing that they are navigating to a site other than the true destination.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Use a whitelist of approved URLs or domains to be used for redirection. Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving your site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems when generating the disclaimer page.

When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to "/login.asp" and ID 2 could map to

Impact: Low Medium High | Medium | Low

Posted: 09/05/2024, 10:57
