Friday, January 23, 2015

Planning for security analysis of web resources

This is a specialised piece and is not intended for a wide audience, since interest in the topic is limited. It may be useful to specialists who regularly review the security of web servers. The methods proposed here should help organise the data collected on the structure and characteristics of a resource and produce something like a checklist of steps to perform during the test.

The procedures and record-keeping were chosen by the author on the basis of personal preference (and are in many ways inspired by the OWASP guidelines (2), among others); any practitioner can (and most likely will want to) use their own set of techniques and their own form of "logbook". Likewise, many of the online tools mentioned here are not unique: one can build equivalents or prefer ready-made ones.

A few words about the OWASP Testing Guide: the official website currently offers version 3 (349 pages), whereas previously OWASP_Testing_Guide_v3.full.pdf (374 pages) was available for download. On the downside, the guide is somewhat redundant, and some of the scenarios it describes seem unlikely or extremely rare.

However, its advice on organising tests and its risk classification system are definitely helpful. Other materials worth mentioning are the Common Criteria for Information Technology Security Evaluation and OSSTMM (Open Source Security Testing Methodology Manual).

For demonstration purposes, the resources of a certain service centre were selected, one whose technicians spoil customers' equipment instead of repairing it.


The analysis procedure.

In my case the data are entered into an Excel table prepared from a template that lists the information collected in the course of the security analysis. The table is organised as follows: each type of data is assigned a symbol that serves as shorthand for which action obtains that specific information. There is a column to mark each action as performed, and a field to record the results (including abbreviations). It looks like this:

______________________________________________
[RDNS] | Reverse DNS | x | Reverse DNS data
----------------------------------------------

One of the first steps is to identify the resource's main identifiers (IP, hosting, web server). The most convenient tool for this, in my view, is the combined service Domain Dossier (3). The Firefox add-on Server Spy (4) also helps identify the server software.

simservice.ru = 213.189.197.165 (axx165.distributed.zenon.net)
samsungremont.ru = 89.111.176.12 (fe16.hc.ru)
Both sites are on shared hosting ("Zenon" and "Hosting Center"), use the nginx web server and the osCommerce shop engine. simservice.ru was found to run PHP/5.2.17. The feedback widget from livetex.ru is used.

For reverse DNS of the above, use the online services Robtex (5) and BGP Looking Glass (6), thereby determining whether it is a dedicated server or shared hosting (in this case, to obtain data on the other resources on the same shared hosting).

Then visit the resource under study with an HTTP/HTTPS sniffer implemented as a Firefox add-on, Foxmeter (7), which gives a general picture of the site's structure, cross-site scripts/widgets, etc. Obtain the list of available HTTP methods with an OPTIONS request (the Poster add-on (8), or curl). In this case neither server answered OPTIONS. You can also look at the details of the SSL certificate, if there is one; an online tool for this, among others, is available at serversniff.net (10). In some cases a search query of the form "victim.com" site:victim.com brings unexpected results: files with incorrectly set permissions, service pages, etc. samsungremont.ru answered a request for .htaccess with a 403 error on behalf of Apache/1.3.42 (masking).

At this stage it is already possible to form an idea of the server and CMS. Additional information can be found in the standard robots.txt and sitemap.xml (sitemap.xml.gz) files. If sitemap.xml is missing, the gap can be filled with an online generator (9) or a client application. The studied resources served the standard osCommerce robots.txt; sitemap.xml had to be generated. In some cases information about the designer (a company or an individual) is valuable: many use typical solutions, and some design studios flatly refuse to recognise .htaccess, with the result that all their products have the same type of vulnerability, directory listing (OWASP-AZ-001). In our case the design was done by the design bureau pella.ru, without such errors (the ugly background image aside).

To form an idea of the hosting and, not least, of the GIS in use, it is worth studying the host's official website. So as not to repeat this step each time, the data are recorded in a separate table of hosters (hardware, OS, address ranges, customer-specific domains). In this case, information about Zenon's modem pool was of interest: test access: demo: demo

745-7171 - Cisco Systems Access Server 5300
251-1030 - USRobotics MP16

After identifying the CMS it is desirable to obtain a copy of it for analysis. In most cases even large companies use free engines such as WordPress/Drupal/Joomla!. Almost all paid engines can also be downloaded as trial versions, which allows studying their structure and possible security problems. Common engines often suffer from errors, such as listing in WordPress or forced registration in Joomla!, which allow abuse of a number of official functions.

When studying the structure of the web resource, special attention is paid to the location of data and administrative interfaces. An accessible administrative login corresponds to OWASP-CM-007 in the risk classification. In this case the administrative entry point is at /admin

Any server error messages can also carry useful information, such as physical file paths and service logins. In some cases it is worth looking at the cookies: they too can disclose information about the server. On the studied sites there were the standard osCommerce and livetex cookies. The presence of an internal search engine also adds information, and any form is a potential attack vector. A search engine was found.
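The logbook table above and the header, OPTIONS, robots.txt and cookie checks described in the last few paragraphs can be fed from material a reviewer already has on disk. The script below is an added example, not the author's own tooling: it takes a constructed raw HTTP response head and a constructed robots.txt body, extracts what they disclose (version strings in Server/X-Powered-By, methods listed in Allow, engine-specific cookie names, disallowed paths and sitemap URLs) and emits rows in the same [SYMBOL] | action | mark | result shape as the table. The symbols SRV, OPT, CKE and ROB and the cookie-name map are assumptions of this example; a site owner can run the same checks over their own server's responses to see what it gives away before anyone else looks.

```python
"""Added example (not the article's own tooling): build logbook rows offline
from a raw HTTP response head and a robots.txt body.  All input is constructed."""
import re
from dataclasses import dataclass

# Constructed HTTP response head, in the form a server writes it on the wire.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.6.2\r\n"
    "X-Powered-By: PHP/5.2.17\r\n"
    "Set-Cookie: osCsid=0123abcd; path=/\r\n"
    "Set-Cookie: PHPSESSID=4567ef01; path=/; HttpOnly\r\n"
    "Allow: GET, HEAD, POST\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed robots.txt body.
SAMPLE_ROBOTS = (
    "User-agent: *\n"
    "Disallow: /admin/\n"
    "Disallow: /includes/\n"
    "Sitemap: http://shop.example/sitemap.xml\n"
)

# Default session cookie names and the engine they belong to (assumed map).
COOKIE_FINGERPRINTS = {
    "osCsid": "osCommerce",
    "wordpress_test_cookie": "WordPress",
    "PHPSESSID": "PHP (generic)",
}


@dataclass
class LogEntry:
    symbol: str   # shorthand for the kind of data, as in the table above
    action: str   # how the data was obtained
    done: bool    # mark that the action was performed
    result: str   # what was recorded

    def row(self) -> str:
        mark = "x" if self.done else " "
        return f"[{self.symbol}] | {self.action} | {mark} | {self.result}"


def parse_head(raw: str) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw response into its status line and (name, value) headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return status, headers


def version_disclosures(headers) -> list[str]:
    """Server/X-Powered-By values that carry a version number (e.g. nginx/1.6.2)."""
    return [f"{n}: {v}" for n, v in headers
            if n.lower() in ("server", "x-powered-by") and re.search(r"\d+\.\d+", v)]


def allowed_methods(headers) -> list[str]:
    """Methods listed in an Allow header (what an OPTIONS request reveals)."""
    methods = []
    for n, v in headers:
        if n.lower() == "allow":
            methods.extend(m.strip() for m in v.split(",") if m.strip())
    return methods


def cookie_fingerprints(headers) -> list[str]:
    """Map Set-Cookie names to the engine whose default cookie they are."""
    found = []
    for n, v in headers:
        if n.lower() == "set-cookie":
            name = v.split("=", 1)[0].strip()
            if name in COOKIE_FINGERPRINTS:
                found.append(f"{name} -> {COOKIE_FINGERPRINTS[name]}")
    return found


def robots_entries(robots: str) -> tuple[list[str], list[str]]:
    """Disallowed paths and Sitemap URLs declared in robots.txt."""
    disallowed, sitemaps = [], []
    for line in robots.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "disallow" and value:
            disallowed.append(value)
        elif key == "sitemap" and value:
            sitemaps.append(value)
    return disallowed, sitemaps


def build_logbook(raw_response: str, robots: str) -> list[LogEntry]:
    """Assemble the rows a reviewer would paste into the table."""
    _, headers = parse_head(raw_response)
    disallowed, sitemaps = robots_entries(robots)
    methods = allowed_methods(headers)
    return [
        LogEntry("SRV", "Server/X-Powered-By headers", True,
                 "; ".join(version_disclosures(headers)) or "no version disclosed"),
        LogEntry("OPT", "OPTIONS request", bool(methods),
                 ", ".join(methods) or "no answer"),
        LogEntry("CKE", "Set-Cookie names", True,
                 "; ".join(cookie_fingerprints(headers)) or "no known engine cookie"),
        LogEntry("ROB", "robots.txt", True,
                 f"disallow={disallowed} sitemap={sitemaps}"),
    ]


if __name__ == "__main__":
    for entry in build_logbook(SAMPLE_RESPONSE, SAMPLE_ROBOTS):
        print(entry.row())
```

The OPT row is marked as performed only when an Allow header was actually present, mirroring the case in the text where both servers ignored OPTIONS; the "done" mark then records that the step was attempted but produced no answer. Every Disallow line in robots.txt is recorded because the paths a site owner hides from crawlers are exactly the ones worth checking for access control.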
