ebook img

IT Audit - Security Beyond the Checklist PDF

57 Pages·2016·0.575 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview IT Audit - Security Beyond the Checklist

IT Audit: Security Beyond the Checklist This paper is from the SANS IT Audit site. Reposting is not permited without express written permission. Copyright SANS Institute Author Retains Full Rights Interested in learning more? Check out the list of upcoming events offering "IT Security Audit and Control Essentials (Audit 410)" at http://it-audit.sans.orghttp://it-audit.sans.org/events/ . s t h g Audit of a Small LAMP (Linux, Apache, MySiQL, and PHP) r Web Application l l u f s n i a t e r SANS GIAC Systems and Networrk Auditor (GSNA) practical o h Version 3.1 —t Option One u A , 4 0 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 0 2 e t u t i t s n I S N A S © Herschel Gelman May 2, 2004 © SANS Institute 2004, As part of GIAC practical repository. Author retains full rights. Herschel Gelman SANS GSNA Practical Assignment Version 3.1 — Option 1 2 ABSTRACT This paper contains an audit of a web application available on the Internet that is run on PHP, MySQL, Apache, and Linux—a combination commonly known as a LAMP system. As a web hosting company hosts the application, the scope of . s the audit encompasses only those components available to the developer: the t h PHP source code and any site configuration options available to the developer. g In the first section, the paper will cover initial research into the system, risks to i r the system, and current practices regarding web application security. Part two l contains the audit checklist, with testing procedures alnd compliance criteria. u Part three gives the results of the audit. Part four contfains the audit report, listing the findings and recommendations. s n i a t e r r o h t u A , 4 0 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 0 2 e t u t i t s n I S N A S © © SANS Institute 2004, As part of GIAC practical repository. Author retains full rights. Herschel Gelman SANS GSNA Practical Assignment Version 3.1 — Option 1 3 TABLE OF CONTENTS ABSTRACT..........................................................................................2 TABLE OF CONTENTS...................................................s.....................3 t h g 1 Research in Audit, Measurement Practice, anid Control .........6 r l 1.1 SYSTEM IDENTIFICATION.....................................u.l................................. 6 f 1.2 MOST SIGNIFICANT RISKS TO THE SYSTEM......s. ...................................... 7 n 1.2.1 Threats to the System...............................................................................7 i a 1.2.2 Information Assets Affected by Audited Device.....................................8 t 1.2.3 Major Vulnerabilities of the Web Apeplication........................................9 r 1.3 CURRENT STATE OF PRACTICE..........r.................................................. 11 o 1.3.1 Articles, Papers, and Mailing Lhists.........................................................11 t 1.3.2 Tools......................................u...................................................................13 A 2 Audit Checklist................. .........................................................16 , 4 0 Ke2y. 1finCgeHrpErCinKt F= OARF 1H9I DFDAE2N7 2CFO9M40 M99E8NDT SF DINB H5 TDME3LD. .F..8..B..5. .0..6..E..4. .A...1.6..9.. 4..E..4..6......... 16 2 2.2 SESSION HIJACKING VeI A COOKIE MANIPULATION................................. 17 t u 2.3 SQL INJECTION................................................................................. 18 t i t 2.4 TEST FOR ADEQsUATE SAFEGUARDS AGAINST BANDWIDTH THEFT ......... 19 n I 2.5 SCAN FOR S AMPLE FILES OR SCRIPTS.................................................. 21 S N 2.6 TEST BACKUP PROCEDURES............................................................... 23 A 2.7 UNSAFSE HIDDEN FORM ELEMENTS...................................................... 24 © 2.8 ENSURE DIRECTORY BROWSING SETTINGS ARE CORRECT.................... 26 2.9 ATTEMPT TO BRUTE FORCE ADMINISTRATIVE ACCOUNT....................... 27 2.10 VERIFY SECURITY OF ANY CLIENT-SIDE JAVASCRIPT.......................... 29 3 Audit Testing, Evidence, and Findings ...................................32 3.1 CHECK FOR HIDDEN COMMENTS IN HTML......................................... 32 3.1.1 Evidence...................................................................................................32 © SANS Institute 2004, As part of GIAC practical repository. Author retains full rights. Herschel Gelman SANS GSNA Practical Assignment Version 3.1 — Option 1 4 3.1.2 Findings....................................................................................................33 3.2 SESSION HIJACKING VIA COOKIE MANIPULATION................................. 33 3.2.1 Evidence...................................................................................................33 3.2.2 Findings....................................................................................................34 3.3 SQL INJECTION................................................................................. 34 3.3.1 Evidence...................................................................................................34 . 3.3.2 Findings............................................................................s........................36 t h 3.4 TEST FOR ADEQUATE SAFEGUARDS AGAINST BANDWIDgTH THEFT ......... 37 i 3.4.1 Evidence..................................................................r.................................37 3.4.2 Findings...............................................................l.....................................38 l u 3.5 SCAN FOR SAMPLE FILES OR SCRIPTS...............f................................... 38 s 3.5.1 Evidence...................................................................................................38 n 3.5.2 Findings....................................................i................................................39 a t 3.6 TEST BACKUP PROCEDURES..................e............................................. 39 r 3.6.1 Evidence......................................... ..........................................................39 r 3.6.2 Findings.......................................o.............................................................40 h 3.7 UNSAFE HIDDEN FORM ELEMENTSt...................................................... 41 u 3.7.1 Evidence.............................A......................................................................41 3.7.2 Findings........................... .........................................................................42 , 4 3.8 ENSURE DIRECTORY BROW0SING SETTINGS ARE CORRECT.................... 42 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 0 3.8.1 Evidence.................2..................................................................................42 3.8.2 Findings...............e. ....................................................................................43 t u 3.9 ATTEMPT TO BRUTE FORCE ADMINISTRATIVE ACCOUNT....................... 43 t 3.9.1 Evidence.....t.i.............................................................................................44 s 3.9.2 Findings...n.................................................................................................44 I 3.10 VERIFY SSE CURITY OF ANY CLIENT-SIDE JAVASCRIPT.......................... 45 3.10.1 EvideNnce...................................................................................................45 3.10.2 FindAings....................................................................................................46 S 4 Audit© Report..............................................................................47 4.1 EXECUTIVE SUMMARY ........................................................................ 47 4.2 AUDIT FINDINGS................................................................................ 47 4.2.1 Check For Hidden Comments in HTML ...............................................47 4.2.2 Session Hijacking Via Cookie Manipulation.........................................48 4.2.3 SQL Injection...........................................................................................48 4.2.4 Test for Adequate Safeguards Against Bandwidth Theft.....................48 4.2.5 Scan for Sample Files or Scripts............................................................48 © SANS Institute 2004, As part of GIAC practical repository. Author retains full rights. Herschel Gelman SANS GSNA Practical Assignment Version 3.1 — Option 1 5 4.2.6 Test Backup Procedures........................................................................49 4.2.7 Unsafe Hidden Form Elements.............................................................49 4.2.8 Ensure Directory Browsing Settings Are Correct..................................49 4.2.9 Attempt to Brute Force Administrative Account..................................49 4.2.10 Verify Security of any Client-Side Javascript.........................................50 4.3 AUDIT RECOMMENDATIONS................................................................ 51 4.3.1 Highly Recommended Actions..............................................................51 . s 4.3.1.1 Protect Against Bandwidth Theft...............................................t................................51 h 4.3.1.1.1 Description..........................................................................................................51 g 4.3.1.1.2 Costs....................................................................................................................51 i 4.3.1.1.3 Compensating Controls............................................r.........................................52 4.3.2 Lower Priority Recommendations...................l.....................................52 l u 4.3.2.1 SQL Injection...............................................................................................................52 f 4.3.2.2 Hidden form elements........................................... .....................................................52 s 4.3.2.3 Future password safety.....................................n.........................................................52 i a References...............................................t........................................54 e r r o h t u A , 4 0 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 0 2 e t u t i t s n I S N A S © © SANS Institute 2004, As part of GIAC practical repository. Author retains full rights. Herschel Gelman SANS GSNA Practical Assignment Version 3.1 — Option 1 6 1 Research in Audit, Measurement Practice, and Control 1.1 System Identification The system to be audited is a database-driven web application .that is available s on the Internet. It allows the public to create free accounts, stearch the review h database, submit new votes and reviews on items in the database, and add new g items to the database. It also has administrative functioniality, so those users r who are granted the appropriate rights can perform admi nistrative tasks through l the same web interface. ul f s For the purposes of this document, we will refer to thne application as AuditApp. i a t The application design and development wase a one-man effort, and therefore r only this single developer has reviewed the system. This is also this developer’s r first time using PHP and SQL, which increases the likelihood that potential secu- o rity holes have made their way into the hcode. The web application was made available to the public via the Internet twith no comprehensive security review. u The goal of this audit is to provide an Aindependent security evaluation of the web application. , 4 0 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 The application is powered by w0hat is known as a “LAMP” system. This acronym 2 refers to the open source combination of Linux as the operating system, Apache e as the web server, MySQL as the backend database server, and PHP, Perl, or t u Python as the scripting language. In this specific case, the system is running t Debian Linux 3.0r2, Apaiche 1.3.29, MySQL 4.0.17, and PHP 4.2.3. A large web t hosting company runs sthe web and database servers. n I The scope of this Saudit encompasses the web application level of this system: N the PHP code itself. It also covers the customer’s workflow and interactions with A the web hosting server, as potential vulnerabilities could be introduced in that S way as well. In addition, it covers any configuration options for the web site that © are available to the developer, but not options that are set by the web hosting company that the customer has no control over. The MySQL database, Apache server, and the operating system itself are outside the scope of this audit. The customer has no control over any of these components, as the web hosting com- pany manages these portions of the system. Ideally, these aspects should also be examined in a separate audit. However, any obvious security issues with the web host’s configurations that are discovered during the course of the audit will be reported, as the choice of a web hosting company is still within the developer’s control. If it turns out that this web © SANS Institute 2004, As part of GIAC practical repository. Author retains full rights. Herschel Gelman SANS GSNA Practical Assignment Version 3.1 — Option 1 7 host uses poor security practices, the developer has the option of switching to a company with tighter security. 1.2 Most Significant Risks to the System 1.2.1 Threats to the System . Because of the single owner and developer of this web site, instentional internal t threats are not an issue; there are no disgruntled employeehs that may be at- g tempting to damage the site. The system administrators at the web hosting i r company are considered external in this case, because our audit scope is focus- l ing on the web application code itself. l u f The data stored on the web server is all drawn frosm a combination of publicly n available sources and input from visitors to the weib site. The only data stored on a the site that may be of possible interest to an outside party would be the collec- t e tion of e-mail address in the database, as all users who sign up on the site are r required to include a valid e-mail address. Those addresses could be sold to r spammers, and therefore might have someo small value to an intruder. h t u The following table details some of the possible threats to this system: A Threat Effect , 4 Accidental program- Web site0 visitors receive error messages or see im- Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 0 ming error by applica- proper site operation. Could divulge sensitive informa- 2 tion developer tion (database table names, directory paths, user- e natmes). Loss of confidence in site by the public, lead- u itng to possible loss in revenue. Could also give admin- i tistrative access to the web application to all visitors. s n Exploit against pro- Attacker could gain access to user-level account on web I gramming error in w eb host, full access to customer’s database on database S application codeN server. That gives full access to all e-mail addresses A stored in the database, plus access to modify or delete S any information in the database. The net effect is a loss of privacy for users of the site, and possible loss in © revenue due to public’s loss in confidence of the site, and/or due to loss of data. Loss of data by web If the web hosting company lost all the data for the web hosting company— site—application code and database contents—then the this could be due to customer would need to fall back to his own backups. If an attack on their sys- there were no backups, or if the backups were not func- tems, environmental tional, the developer would need to build the web site threats, etc. from scratch, including all code and data, and all users would need to register again. This would be a cata © SANS Institute 2004, As part of GIAC practical repository. Author retains full rights. Herschel Gelman SANS GSNA Practical Assignment Version 3.1 — Option 1 8 Threat Effect strophic loss, and it is possible that the site simply would not recover from this, due to the large amount of data that would need to be re-entered. It would also be im- possible to retrieve all user-submitted reviews in this case. . 1.2.2 Information Assets Affected by Audited Device s t h g As this one-person “organization” exists entirely to create and support this web i site, the audited web application directly affects practicallry every aspect of the organization. This includes all data owned by the organllization, and all services u provided by the organization. E-mail is the only function which is used by the site f owner which is unaffected by changes to this applicast ion. n Information Asset Description i a t Source code to the The web application reepresents a significant amount of web application development work, andr may be used as a basis for future r commercial work by the developer. o Disclosure of the hcode to the public could also compro- t mise the securituy of the site, as any security holes in the code would becAome public knowledge. If the code is well- written, thou,g h, this would not be a concern. 4 Public data stored in Most of th0e information stored in the database is publicly Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 0 the database available through the web application, and therefore con- 2 fidentia lity is not a requirement. e t Howuever, AuditApp would be useless without this data, antd therefore its availability is critical to the successful i ftunctioning of the web site. s n The data integrity is also important, arguably as important I as availability. The reason that the public visits the web S N site is to access this data; if the data they were viewing on A the web site was inaccurate, and they realized this, they S would be less likely to return in the future. Private da©ta stored While most of the database stores publicly available in- in the database formation, some data in it is not accessible to the public. This data includes: • Real names of users who have accounts on the site (only usernames are visible to other users, which may or may not have anything to do with the users’ real names.) • MD5 hashes of all users’ passwords • All users’ e-mail addresses © SANS Institute 2004, As part of GIAC practical repository. Author retains full rights. Herschel Gelman SANS GSNA Practical Assignment Version 3.1 — Option 1 9 Information Asset Description • Date that each user registered for their account • Date and time of each users’ last login to the web ap- plication • Access levels of each user on the system: most users have the most basic access levels, but some have ad- ditional rights to perform administrativ.e tasks on the s site. t h Bandwidth The web host limits the bandwidth agvailable to the site. i Usage of bandwidth over that limit—rwhether through le- gitimate web traffic or “theft” of lbandwidth by another l u site—would result in additional costs or the temporary f shutdown of the web site. s n Service provided by The web site provides a vast amount of data to the public. i a web site This information consists of information available at other t web sites in other formeats, as well as large amounts of r unique content contrib uted by visitors to the site as well as r the owner of the sitoe. The value of the web site mostly h relies on this data plus the code that powers the applica- t tion. u A 1.2.3 Major Vulnerabilities of t,he Web Application 4 0 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 0 The major potential vulnerabilities in this web application are listed below. For 2 each vulnerability we will list the likelihood of it being exploited on a scale of one e through five, with one beingt low and five being high. In addition, the impact of a u successful exploitation of the vulnerability on the web site is also listed using the t same rating scale. ti s n Vulnerability Likelihood Impact I (exposure) S N 1. Programming error in application leaves site vul- 3 4 A nerable for an attacker to get administrative access S to the web site, through the application’s own web interface to© the public. 2. Malicious attacker exploits programming error in 3 4 application to get full access to the site’s database. 3. Catastrophic loss of data at web hosting company. 1 5 This could be due to environmental causes, mali- cious attackers, hardware failures, etc. As the cus- tomer has no control over any of these, they are all treated together from this audit’s point of view. 4. Cross-site scripting attack. This could yield ad 3 4 © SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.