The University of Dodoma
College of Informatics and Virtual Education
Department of Computer Technologies and Applications

Assessment and countermeasures of security vulnerabilities in web-based applications
A case study of Public Higher Learning Institutions in Tanzania

By
MAKAME, MAKAME H (T/UDOM/2010/00410)
SEMKIWA, HARUNA (T/UDOM/2010/00437)
DENNIS, CHIGONA (T/UDOM/2010/00389)
MWOMBEKI, JUDITH (T/UDOM/2010/00428)
TWALIB, MOHAMED A (T/UDOM/2010/00441)

A project report submitted in partial fulfillment of the requirements for B. Sc. in Computer and Information Security
June, 2013
DECLARATION
We, MAKAME, MAKAME H, CHIGONA, DENNIS, SEMKIWA, HARUNA, MWOMBEKI, JUDITH, and TWALIB, MOHAMED A, hereby declare that the project report entitled “Assessment and countermeasures of security vulnerabilities in web-based applications”, submitted in partial fulfillment of the requirements for the course of B. Sc. in Computer and Information Security to the College of Informatics and Virtual Education, is our original work and has not been submitted for the award of any other degree, diploma, fellowship, or any other similar title or prize.
MAKAME, MAKAME H ………………………
SEMKIWA, HARUNA ………………………
CHIGONA, DENNIS ………………………
MWOMBEKI, JUDITH ………………………
TWALIB, MOHAMED A ………………………
Date: ………………………………
CERTIFICATION
Assessment and countermeasures of security vulnerabilities in web-based applications, submitted in partial fulfillment of the requirements for the course of B. Sc. in Computer and Information Security of the College of Informatics and Virtual Education by MAKAME, MAKAME H, CHIGONA, DENNIS, SEMKIWA, HARUNA, MWOMBEKI, JUDITH, and TWALIB, MOHAMED A, has been worked on under my supervision and guidance.
Signature: ………………………
Name: ………………………….. (SUPERVISOR)
Date: …………………………..
EXAMINER’S CERTIFICATION
The project report of MAKAME, MAKAME H, CHIGONA, DENNIS, SEMKIWA, HARUNA, MWOMBEKI, JUDITH, and TWALIB, MOHAMED A, with the project title Assessment and countermeasures of security vulnerabilities in web-based applications, is approved and is acceptable in quality and form.
Internal Examiner
Name: …………………...........
Signature: ……………………
Date: …………………………
External Examiner
Name: …………………………..
Signature: ………………………
Date: …………………………….
ABSTRACT
Web applications are important, as they allow service providers and clients to share and manipulate information in a platform-independent manner through the internet. Recently, web applications have been subjected to different kinds of attacks due to the vulnerabilities existing in them. The purpose of this project is to assess vulnerabilities in the web-based applications of public higher learning institutions in Tanzania. A total of thirty websites were assessed using different tools and techniques, where each website passed through information gathering, vulnerability assessment and, where applicable, penetration testing phases. The results show that low-risk vulnerabilities have the highest occurrence, followed by medium-risk vulnerabilities and lastly high-risk vulnerabilities. Out of these, several types of vulnerabilities were successfully exploited. This project gives an insight into the current threatening situation in web-based application security, raises awareness and suggests appropriate countermeasures to developers, trainers and other stakeholders.
ACKNOWLEDGMENTS
First and foremost we would like to thank Almighty God for keeping all of us healthy throughout the project period. We would like to deeply thank our beloved supervisor Mr. Jabhera Matogoro for his fatherly guidance, help, support and his willingness to spend his valuable time assisting us in all issues raised in our project. Special thanks to Madam Khadija Khamis from the Office of the Chief Government Statistician Zanzibar for her expert guidance on data evaluation and representation with Microsoft Excel. We would also like to thank Mr. Sanga Bahati and other CIVE staff for their direction, encouragement, and contributions to this project. Our sincere acknowledgements go to the BackTrack OS development team for their advanced collection of security tools which simplified our project, and to Offensive Security for funding them to be freely available. Finally we would like to thank all those who in one way or another contributed to our project but are not mentioned by name; we cannot repay the favor but we gratefully say, thank you all.
CONTENTS
DECLARATION, p. ii
CERTIFICATION, p. iii
EXAMINER’S CERTIFICATION, p. iv
ABSTRACT, p. v
ACKNOWLEDGMENTS, p. vi
LIST OF FIGURES, p. ix
LIST OF SYMBOLS AND ABBREVIATIONS, p. x
CHAPTER ONE: INTRODUCTION, p. 1
1.1 Overview, p. 1
1.2 Problem justification, p. 1
1.3 Objectives, p. 2
CHAPTER TWO: LITERATURE REVIEW, p. 3
2.1 Theoretical literature review, p. 3
2.2 Knowledge gap, p. 5
2.3 Conceptual framework, p. 5
CHAPTER THREE: METHODOLOGY, p. 6
3.1 Sample selection, p. 6
3.2 Information gathering, p. 6
3.3 Penetration testing, p. 8
3.4 Result presentation, p. 22
3.5 Suggestions and Countermeasures, p. 26
CHAPTER FOUR: Conclusion and recommendation, p. 29
4.1 Conclusion, p. 29
4.2 Recommendation, p. 30
REFERENCES, p. 31
APPENDICES, p. 32
Appendix A: Selected sample web sites, p. 32
Appendix B: NetCraft results summary, p. 33
Appendix C: WhatWeb result summary, p. 34
Appendix D: W3af configuration commands, p. 35
LIST OF FIGURES
Figure 1. Vulnerability exploitation framework, p. 5
Figure 2. Netcraft site report for Udom, p. 6
Figure 3. WhatWeb results for Udom, p. 7
Figure 4. Owasp main interface, p. 9
Figure 5. Part of Owasp Zap scanning report, p. 12
Figure 6. Owasp Zap in action, p. 12
Figure 7. W3af sample output, p. 13
Figure 8. Vega scan alert summary, p. 14
Figure 9. Owasp Zap results statistics for 20 websites, p. 15
Figure 10. Vega results statistics from 10 websites, p. 16
Figure 11. Joomscan vulnerabilities statistics from 12 websites, p. 17
Figure 12. An illustration of stored Cross Site Scripting attack on DVWA, p. 19
Figure 13. Database fingerprinting with sqlmap, p. 20
Figure 14. Retrieved DBMS users with their password hashes, p. 21
Figure 15. Target sql-shell access with sqlmap, p. 21
Figure 16. Database table dump with sqlmap, p. 22
Figure 17. Vulnerability occurrence per website, p. 23
Figure 18. Top six vulnerabilities by risk level, p. 24
Figure 19. Likelihood of websites having vulnerabilities by risk level, p. 25
LIST OF SYMBOLS AND ABBREVIATIONS
CMS: Content Management System
CRLF: Carriage Return and Line Feed
DBMS: Database Management System
DNS: Domain Name System
DVWA: Damn Vulnerable Web Application
HTTP: Hypertext Transfer Protocol
ID: Identification
IP: Internet Protocol
NIST: National Institute of Standards and Technology
NVD: National Vulnerability Database
OS: Operating System
OWASP: Open Web Application Security Project
PHP: Hypertext Preprocessor
SQL: Structured Query Language
TCU: Tanzania Commission for Universities
UDF: User Defined Functions
XML: Extensible Markup Language
XSS: Cross-Site Scripting
WASC: Web Application Security Consortium
ZAP: Zed Attack Proxy
CHAPTER ONE
INTRODUCTION
1.1 Overview
In Tanzania most organizations have been adopting web applications to expand and ease the provision of services, as well as to increase efficiency and ease of access to services. The use of information and communication technology is an essential part of any contemporary higher-level educational system. Web applications accessed via web browsers over the internet or an intranet are dominant in almost all higher education systems, such as universities, training and research institutions. In particular, web-based systems are used as informative or interactive web pages. Since these web pages contain critical information, securing educational systems is as important as securing any banking system, Mohamed H. Al-Ibrahim (2012). Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser. An increase in the usage of web-based applications is directly related to an increase in the number of security incidents. Web-based application security is finally receiving prominent attention, Simos East Africa (2012). The application space has now become a new playground for attackers. Because web applications in the educational sector hold sensitive information such as passwords and grades that need to be secured from non-authorized users, the mission of securing web applications in the educational sector is of high importance and unfortunately has not received great attention from academicians.
1.2 Problem justification
A number of explanations for the abundance of exploitable web-based applications in Tanzania exist. One of the most arguable is that developing a web-based application is far simpler today than it has ever been, Haroon Meer (2005). With the use of a CMS, one can develop a web-based application with a few mouse clicks and a few lines of code. This has resulted in a large supply of developers with little or no understanding of secure coding practices. This project will enlighten our nation on security as we move to e-government, a transition in which there are a number of security challenges. On the other side, this project will suggest the necessary preventive measures.
1.3 Objectives
The general objective of this project is to perform an assessment of vulnerabilities in web applications belonging to public higher learning institutions in Tanzania.
1.3.1 Specific objectives
1. To conduct information gathering
2. To conduct vulnerability assessment
3. To suggest appropriate countermeasures to overcome the vulnerabilities
CHAPTER TWO
LITERATURE REVIEW
2.1 Theoretical literature review
Insecure software is a threat to our financial, healthcare, defense, education, and other critical infrastructure. As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems like those presented in the OWASP Top 10, OWASP (2010). WASC (2008) released Web Application Security Statistics which include data about 12186 web applications with 97554 detected vulnerabilities of different risk levels. The analysis shows that more than 13% of all reviewed sites can be compromised completely, and about 49% of web applications contain vulnerabilities of high risk level detected during automatic scanning. The vulnerabilities detected by automatic scanning include Brute Force, Buffer Overflow, OS Commanding, Path Traversal, Remote File Inclusion, SSI Injection, Session Fixation, SSL Injection, Insufficient Authentication and Insufficient Authorization. According to Elizabeth Fong et al. (2007), new security vulnerabilities are discovered every day in commonly used applications. In recent years, web applications have become primary targets of attacks. The National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST) had over 18,500 vulnerabilities as of August 18, 2006. Andrey Petukhov and Dmitry Kozlov (2010) observed that the number of reported web application vulnerabilities is increasing dramatically. Most vulnerabilities result from improper input validation. Thus the task of securing web applications is one of the most urgent for now. According to Ulfar Erlingsson et al. (2005), most web applications aim to enforce simple, intuitive security policies, such as, for web-based email, disallowing any scripts in untrusted email messages. Even so, web applications are currently subjected to a plethora of successful attacks such as cross-site scripting, cookie theft, session riding, browser hijacking, and the recent self-propagating worms in web-based email and social networking sites. Indeed, according to surveys, security issues in web applications are the most commonly reported vulnerabilities on the internet. Vulnerability scanning tools search network segments for IP-enabled devices and enumerate systems’ OS and applications. Additionally, vulnerability scanners can identify common security configuration mistakes and test systems and network devices for exposure to common security attacks. Vulnerability scanning software is limited in its ability to detect vulnerabilities at a given point in time. Penetration testing assesses the security model of the organization as a whole. A penetration tester is differentiated from a hacker only by his intent and lack of malice; penetration testing reveals the potential consequences of a real attacker breaking into a network. Arbitrary command execution on the operating system underlying the back-end DBMS can be achieved with Oracle, MSSQL and MySQL database software. The requirements are a high-privileged session user and batched query support on the web application. By exploiting a SQL injection flaw it is possible to upload a shared library which contains two user-defined functions:
sys_eval(cmd) executes an arbitrary command and returns its standard output.
sys_exec(cmd) executes an arbitrary command and returns its exit code.
After uploading the binary file to a path where the back-end DBMS looks for shared libraries, the attacker can create the two user-defined functions from it; this is UDF injection, Bernardo Damele Assumpção Guimarães (2009). Since the internet is an open system, security is a main concern of web applications, especially when the web application is interactive and requires the exchange of sensitive information such as financial, health, government, military, or personal information. Therefore, a great effort in both research and industry is needed to provide secure services to web applications, Mohamed H. Al-Ibrahim (2012).
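Against the two prerequisites the passage names (a high-privileged session user and a writable path the DBMS loads shared libraries from), the following added Python check, which is not part of this report nor of sqlmap, audits a MySQL application account's grants, the server's secure_file_priv setting and the mysql.func UDF registry; the SHOW GRANTS output, my.cnf fragments and mysql.func rows are constructed.

```python
"""Least-privilege audit against the UDF injection prerequisites described above:
a high-privileged DBMS session, file-write ability into the directory the server
loads shared libraries from, and already registered user-defined functions.
Added example with constructed inputs; not the report's or sqlmap's code."""
import re
from typing import Dict, List, Tuple

# Constructed SHOW GRANTS output for a web application's MySQL account.
GRANTS_WEAK = ["GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'localhost'"]
GRANTS_OK = [
    "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `portal`.* TO 'webapp'@'localhost'",
]
# Constructed [mysqld] fragments; an empty secure_file_priv places no limit on
# where SELECT ... INTO DUMPFILE may write, which is how the library gets uploaded.
MYCNF_WEAK = "[mysqld]\nplugin_dir = /usr/lib/mysql/plugin\nsecure_file_priv =\n"
MYCNF_OK = "[mysqld]\nplugin_dir = /usr/lib/mysql/plugin\nsecure_file_priv = /var/lib/mysql-files\n"
# Constructed rows of SELECT name, dl FROM mysql.func (the UDF registry).
FUNC_ROWS_WEAK = [("sys_eval", "lib_mysqludf_sys.so"), ("sys_exec", "lib_mysqludf_sys.so")]
FUNC_ROWS_OK: List[Tuple[str, str]] = []

# Global privileges that let a session write server-side files or load plugins.
DANGEROUS_GLOBAL = {"ALL PRIVILEGES", "FILE", "SUPER"}
GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO ", re.I)


def audit_grants(grants: List[str]) -> List[str]:
    """Flag grants that make the application account a 'high-privileged session user'."""
    findings: List[str] = []
    for line in grants:
        m = GRANT_RE.match(line)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        scope = m.group("scope").replace("`", "")
        if scope == "*.*":
            for p in sorted(privs & DANGEROUS_GLOBAL):
                findings.append(f"global privilege {p} granted: {line}")
        # CREATE FUNCTION ... SONAME registers a UDF by inserting into mysql.func,
        # so write access to the mysql schema is enough to finish the attack.
        if scope.split(".")[0] == "mysql" or (scope == "*.*" and privs & {"ALL PRIVILEGES", "INSERT"}):
            findings.append(f"write access to the mysql system schema: {line}")
    return findings


def parse_mycnf(text: str) -> Dict[str, str]:
    """Minimal key = value parser for a [mysqld] section (no quoting or includes)."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", "#")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip().replace("-", "_")] = value.strip().strip('"')
    return opts


def audit_mycnf(text: str) -> List[str]:
    """Flag a server that lets SELECT ... INTO DUMPFILE write into plugin_dir."""
    opts = parse_mycnf(text)
    # Older 5.x servers default to no restriction when the option is absent.
    if not opts.get("secure_file_priv"):
        return ["secure_file_priv unset or empty: DUMPFILE may write into plugin_dir"]
    return []


def audit_udfs(rows: List[Tuple[str, str]], allowlist=frozenset()) -> List[str]:
    """Report every registered UDF that is not on the site's allowlist."""
    return [f"unexpected UDF {name} loaded from {dl}" for name, dl in rows if name not in allowlist]


def audit_dbms(grants: List[str], mycnf: str, func_rows: List[Tuple[str, str]]) -> List[str]:
    """Combine the three checks; an empty list means the prerequisites are not met."""
    return audit_grants(grants) + audit_mycnf(mycnf) + audit_udfs(func_rows)


if __name__ == "__main__":
    for label, args in (("weak", (GRANTS_WEAK, MYCNF_WEAK, FUNC_ROWS_WEAK)),
                        ("hardened", (GRANTS_OK, MYCNF_OK, FUNC_ROWS_OK))):
        print(label, audit_dbms(*args))
```

Batched (stacked) query support, the other prerequisite, is a property of the application's database client API rather than of the server and is not covered by this check.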
2.2 Knowledge gap
The existing gap is that, in Tanzania, there is a scarcity of published projects related to this field of study. This project will help web application developers and other stakeholders to understand the importance of considering security issues before, during, and after the development of web-based applications in Tanzania.
2.3 Conceptual framework
Figure 1. Vulnerability exploitation framework
Figure 1 above demonstrates the sequence of vulnerability exploitation: a threat agent performs different attacks on the target system using various attack vectors and techniques. The attack vectors exploit weaknesses existing in the system, which then allows the attacker to bypass the security controls of the system. At this stage the attacker gains access to the system’s functions, which when abused may result in business impacts.
CHAPTER THREE
METHODOLOGY
3.1 Sample selection
For the scope of this project we picked as our sample sites those belonging to public higher learning institutions registered with the TCU by the year 2013/2014; this gave a total of 30 websites for our project. The full list of the websites with the names of their respective owning institutions is available in Appendix A.
3.2 Information gathering
This phase included the collection of every piece of information available about the target web applications. The NetCraft, WhatWeb and Dmitry tools were used to perform effective fingerprinting. Netcraft provides web server and web hosting market analysis, including web server and OS detection, see Figure 2. It also provides security testing and publishes news releases about the state of the various networks that make up the Internet. A summarized list of the outputs for each target is to be found in Appendix B.
Figure 2. Netcraft site report for Udom
WhatWeb recognizes web technologies including CMS, blogging platforms, statistics or analysis packages, JavaScript libraries, web servers and embedded devices, as illustrated in Figure 3. WhatWeb also identifies version numbers, email addresses, account IDs and web framework modules. The tabulated results for all targets are to be found in Appendix C.
Figure 3. WhatWeb results for Udom
Dmitry is a tool with the ability to gather as much information as possible about a host. It may be used to perform Whois lookups on internet numbers, and possibly to retrieve system uptime and server data. It also has the ability to perform port scanning, subdomain searches and email searches on the target. Due to the massive output of this tool, the results are not printed within this report and are included on the CD submitted with this report. Among all the gathered information, the following is the information which, based on our needs, was effectively utilized in the penetration phase of the project. Web server types with their versions gave details on the level of security they can achieve, while back-end programming languages with their versions reveal the available functions that can be abused; these two pieces of information together helped in guessing the back-end DBMS used by the target, for example an Apache web server with PHP gives a high probability of the DBMS being MySQL. We were able to find out with high precision the DBMS of the targets with their versions from the collected database banners; these are the requirement of SQL injection attacks. Most importantly, the detected target OS allowed us to know whether we were dealing with shells or command prompts, and also helped in knowing the file system structure of the target. The gathered information was utilized as the primary input of the scanning stage of the penetration testing phase, while some of it reached as far as the exploitation stage.
3.3 Penetration testing
3.3.1 Scanning
Vulnerability assessment is the process of identifying and quantifying vulnerabilities in a web application using scanning and testing methods. In this phase we managed to scan 30 websites for vulnerabilities using the different vulnerability assessment tools and techniques available. The tools include OWASP ZAP, W3af and Vega. All the tools used are open source, which makes them reliable and trustworthy for undertaking this task, and they are available as free software for download.
3.3.1.1 Tools Descriptions
3.3.1.1.1 OWASP ZAP
Our aim was to study, configure and implement Owasp Zap to perform vulnerability assessment. The tool is available for free download from its official website and also comes integrated in the BackTrack 5 OS. The tool consists of three sections, the Sites section, the Request-Response-Break section and the Activity section, as shown in Figure 4 below. The Sites section displays a list of sites accessed through the Owasp Zap proxy, from which a target site can be selected for scanning. The Request-Response-Break section displays the request and response data for a selected activity so that the user can confirm the existence of vulnerabilities by studying the response data, to avoid false negatives. Requests can be monitored and modified on the fly using the Break tab. The Activity section has eleven tabs representing the possible services that the tool can perform and their respective current states. The information about all packets generated by the different activities is available on the History tab, where the requests are labeled with blue, yellow, orange and red colors to indicate information, low vulnerability, medium vulnerability and high vulnerability respectively.
Figure 4. Owasp main interface
Users can search for any request/response using the Search tab. The Spider service allows users to select a site from those listed in the Sites section; the spider scans the site for all the links available on it to obtain the site structure. The spider is limited to the links available on the web site; to discover hidden links such as the one for the administrator login, the Brute Force service is used, which guesses possible links that cannot be reached through the web application interface.
To scan for vulnerabilities in the specified web application, the Active Scan service comes in handy: it scans the application to discover points of injection, then displays the parameters on the Params tab with the respective abused values it used in testing for existing vulnerabilities. To detect open ports, the Port Scan service is used; it scans the website for open ports and lists the results. All the scan services contribute their findings to the Alerts section, which then provides statistics, descriptions, ranking, solutions and references for them.
3.3.1.1.2 W3af
W3af is an open-source web application security scanner. The tool provides a vulnerability scanner and exploitation plugins for web applications. It provides information about security vulnerabilities and aids in penetration testing efforts. This cross-platform tool is available on all of the popular operating systems such as Microsoft Windows, Linux, Mac OS X, FreeBSD and OpenBSD, and is written in the Python programming language. Users have the choice between a graphical user interface and a command-line interface. W3af identifies most web application vulnerabilities using more than 130 plug-ins. After identification, vulnerabilities like blind SQL injection, OS commanding, remote file inclusion, XSS and unsafe file uploads can be exploited in order to gain different types of access to the remote system. The framework has three types of plugins, namely discovery, audit and attack. Discovery plugins have only one responsibility: finding new URLs, forms, and other injection points. A classic example of a discovery plugin is the web spider. This plugin takes a URL as input and returns one or more injection points. Audit plugins take the injection points found by discovery plugins and send specially crafted data to all of them in order to find vulnerabilities. A classic example of an audit plugin is one that searches for SQL injection vulnerabilities. The objective of attack plugins is to exploit the vulnerabilities found by audit plugins. They usually return a shell on the remote server, or a dump of remote tables in the case of SQL injection exploits.
3.3.1.1.3 Vega
Vega is a freeware web application vulnerability scanner. The tool provides some unique scanning capabilities that are usually omitted by most of the tools presented, and these include HTTP PUT detection and XML injection.
3.3.1.1.4 Joomscan
Joomscan is a Perl script that detects file inclusion, SQL injection, command execution, and other vulnerabilities of a target website that uses the Joomla! CMS. The tool was added to the project after findings from the information gathering phase showed that some of the target web applications were developed using the Joomla! CMS.
3.3.1.2 Implementation
3.3.1.2.1 OWASP ZAP
First we configured the browser connection settings to use manual proxy configuration, and then set the HTTP Proxy value to 127.0.0.1 so that the browser directs its requests to our machine, and set the proxy server port number to 8080, which is the default port used by Owasp Zap. We then opened the Owasp Zap application, which listens on port 8080 for all requests generated by, and responses directed to, the browser. We opened the web site to be scanned in the browser and visited all available links, filled forms and logged in where available so that the tool could acquire user access privileges. On the Owasp Zap menu we configured plugins on the scan policy using the Analyse menu strip. We then selected the website on the sites list and right-clicked it to select Spider, Active Scan, Port Scan, or Brute Force. All the listed services were started one at a time or simultaneously depending on the tool configuration and internet speed. As the scan proceeded we focused on the Alerts tab to view the detected vulnerabilities, see Figure 5. Finally, when all services had completed, we generated the report using the Report menu strip and chose the document type of our report. Figure 6 shows a summary part of the HTML report.
Figure 6. Owasp Zap in action
Figure 5. Part of Owasp Zap scanning report
3.3.1.2.2 W3af
Our aim was to study, configure and implement W3af to use it for scanning the targeted web applications. We started by running the application and configuring the necessary plugins for scanning; as mentioned above there are three plugin categories, and for the case of scanning we configured only the Discovery and Audit plugins. Within the discovery plugins we enabled the webSpider so that it discovers all the target's links and points of injection. In the audit plugins we enabled those that were common and might lead to exploitation; a careful selection was made to ensure that a reasonable balance between time constraints and result efficiency was met. We then configured the Output plugin to set the location and the file format of our results; we used the text and HTML formats.
Figure 7. W3af sample output
To minimize the risk of appearing suspicious in the target administrator’s server log, we configured the user agent value of the Http-settings module to a normal browser userAgent string. Finally we set the target; utilizing the information gathered during the information gathering phase, we were able to set the OS and framework of the target. We then started the scan using the Start command. The sample implementation commands can be found in Appendix D, and Figure 7 above illustrates the output of the tool after detecting a vulnerability.
3.3.1.2.3 Vega
Among the tools we used, Vega is a friendly and easy-to-use vulnerability scanning tool. We started by configuring the connection settings of the browser to use manual proxy configuration and then set the HTTP proxy value to 127.0.0.1 so that it directs its requests to the localhost, and set the server port number to 8888, which is the default port used by Vega. In Vega we configured the tool to run as a proxy and set the target URL and cookie values where necessary; we then started the scan. The shortcoming of this version of Vega is that it does not print the report to an external file. The tool provides scan summaries as shown in Figure 8 below.
Figure 8. Vega scan alert summary
3.3.1.2.4 Joomscan
Having a list of sites that were developed using the Joomla! CMS, we studied and configured the tool to scan for existing vulnerabilities. The tool was easily configured using a single command line:
root@bt:/pentest/web/joomscan# ./joomscan -u www.example.ac.tz -ot example.txt
A complete output for Joomscan is available on the supporting CD submitted with this report.
3.3.1.3 Findings
3.3.1.3.1 OWASP ZAP
Owasp Zap is the most efficient among the tools we used in scanning; it works even with low-speed internet connections and has a variety of scanning options. The tool suffers from known false negatives, which it labels as “suspicious”, and has a tendency to multiply vulnerabilities caused by the same injection point by relating them to different back-end platforms, due to zero knowledge of the true back-end platform of the target web application. The tool was able to reveal six types of vulnerability from the targets, which include SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Directory Browsing, Content-Type header missing, Cross-domain JavaScript source file inclusion and X-Content-Type-Options header missing. Figure 9 illustrates the statistics.
Figure 9. Owasp Zap results statistics for 20 websites (chart categories: sqli, xss, xsrf, dirBrows, pathTraversal, pwdAutocomplete)
3.3.1.3.2 W3af
W3af is the most focused among the three tools we used; using its repository of plugins, it scans the target carefully, which renders it time consuming and less efficient for time-limited projects. This made us reduce the use of the tool below what was expected; the tool was instead mostly used to confirm the existence of vulnerabilities and to detect false negatives where necessary.
3.3.1.3.3 Vega
Vega happened to be a stable tool among the three; it has a short list of important vulnerability scanning plugins. This tool went further than the other tools we used in detecting unique vulnerabilities; with this tool we were able to discover six types of vulnerabilities in our target web applications, which include Directory Traversal, SQL Injection, Integer Overflow, Local File System exposure, HTTP PUT file upload, and XML injection. Figure 10 shows a summary of the Vega results statistics.
[Figure 10. Vega results statistics from 10 websites: pie chart over sqli, xss, xmli, dirTraversal, httpPut, intOverflow, sourceCodeDisclosure, localFilePath]
3.3.1.3.4 Joomscan
Using this tool we were able to discover various Joomla!-based vulnerabilities, including an unprotected administrator directory, an admin back-end Cross Site Request Forgery vulnerability, multiple vulnerabilities in the TinyMCE TinyBrowser add-on such as TinyBrowser File Upload Code Execution [CVE-2011-4908], and un-renamed htaccess.txt files.
[Figure 11. Joomscan vulnerabilities statistics from 12 websites: share of Joomla based vulnerabilities by category (HTACCESS, ADMIN DIRBROWS, TINYBROWSER ADDON, ADMIN BACKEND CSRF, BLIND SQL INJECTION, COM_MAILTO TIMEOUT)]
3.3.1.4 Scan summary
The scanning phase revealed 23 types of vulnerabilities among the 30 targets we tested. The number is large; some of the vulnerabilities we were aware of before the project and others were new to us. We carried these vulnerabilities forward to the exploitation stage. A complete vulnerability result summary for each target in the sample has been included with this report.
3.3.2 Exploitation
At this stage of our project we used information from the previous phases, information gathering and scanning, to exploit the detected vulnerabilities. Different vulnerabilities were detected and are presented as exploitation scenarios. The following scenarios were encountered.
3.3.2.1 Exploitation Scenario I
The target provides login services for authorized users only, through a login portal. The portal is well protected from SQL injection and, with zero knowledge of the target's structure, we had no way in; we therefore prepared a list of possible usernames and passwords, stored them in a text file called pwdFile.txt (see the accompanying report CD) and ran the following hydra command:
hydra www.target.ac.tz http-post-form "/directoryPath/authenticate.php:username=^USER^&password=^PASS^&search=Login:Please Login:H=Cookie: cookieValue" -C /root/Documents/FYP/supplimentaries/pwdFile.txt -V -o /root/Desktop/output.txt
We brute-forced the login form and successfully obtained six valid username/password pairs of least-privileged users. At this stage we had authorized user access to the target; we logged in to the site and scanned the target internally, and the scan found directory browsing enabled. We were able to see, but not read, the code files present in the system. We then crafted a URL leading to one of the code files and successfully intruded into the system without a user ID. Later we guessed "01" as a user ID, which gave us administrator privileges on the target. The impact of this exploitation is that we were able to access the administrator page with full privileges over user management, including activating and deactivating users, resetting passwords, and assigning and modifying user roles. As the attack contains security-relevant information, the screenshots of the attack are included on the CD submitted with this report.
3.3.2.2 Exploitation Scenario II
From the scanning phase the target site was reported to have cross site scripting; we then manually injected a script into the target URL and succeeded in reflecting a picture on the target page, as evidenced by Figure 12. Below is the URL that was used for the attack.
www.example.ac.tz/index.php/policies-and-regulations/cartegory/4-downloads?start=1->">'>'<<a href='http://postimage.org/' target='_blank'><img src='http://s1.postimage.org/ihlbw73rf/Screenshort_2.png' border='0' alt="Screenshot 2" /></a>"<vvv00386v921006>
Figure 12. An illustration of stored Cross Site Scripting attack on DVWA
This attack can be further exploited to inject a malicious script into the user's browser which then redirects to the attacker's website through Cross Site Request Forgery.
3.3.2.3 Exploitation Scenario III
An SQL injection vulnerability was detected using the OWASP ZAP vulnerability scanning tool; using w3af we tested the same injection point to confirm the existence of the vulnerability, and the result was positive as shown in Figure 8. Using sqlmap we ran the command below to exploit the vulnerability; the command first requires fingerprinting of the back-end database, as demonstrated in Figure 13 below.
sqlmap -u "http://www.example.ac.tz/main/index.php?page=2" --dbms=mysql --random-agent -o --fingerprint
Figure 13. Database fingerprinting with sqlmap
The vulnerability was further exploited to list the DBMS users and successfully retrieve their password hashes, as shown in Figure 14.
Figure 14. Retrieved DBMS users with their password hashes
Using a dictionary attack we brute-forced the user table to recover the users' passwords from their respective hashes; Figure 16 illustrates this. With these passwords one can then log in as a legitimate user of the system. At this point we had control of the DBMS: we could access the sql-shell as in Figure 15, retrieve any database and its contents, and get and set user privileges, which for ethical reasons we did not tamper with, to avoid any modification of contents.
Figure 15. Target sql-shell access with sqlmap
Figure 16. Database table dump with sqlmap
In conclusion, the exploitation phase expanded our imagination of the possibilities and seriousness of the existing vulnerabilities, from brute force, failure to restrict URL access, XSS and SQL injection to password cracking. Penetration of the systems through to their back-end DBMS was possible.
3.4 Result presentation
Throughout this project we performed rigorous and ongoing vulnerability assessment on 30 public-facing higher learning institutions' web applications. Our work gave us a perspective on website vulnerability trends across public higher learning institutions in Tanzania. Security scans can accurately identify which issues are currently the most prevalent and severe. We hereby present our findings to provide organizations, developers, trainers and other stakeholders with a clear picture of the vulnerability management issues affecting websites in Tanzania.
Our black-box assessment methodology was efficient, thorough and consistent. We used the OWASP Top 10 classification of web application vulnerabilities as our standard. This baseline ensures complete coverage of known types of vulnerabilities.
3.4.1 Top vulnerabilities
The number of instances of individual vulnerability classes varies greatly across web applications. For instance, one site may have some while others have different ones. We calculated the percentage likelihood of each vulnerability occurring in a website, as illustrated in Figure 17.
[Figure 17. Vulnerability occurrence per website: bar chart of the likelihood of vulnerability occurrence in 30 websites (x-axis: vulnerabilities, y-axis: % of occurrence)]
3.4.2 The top six vulnerabilities described
SQL Injection
Occurs when untrusted data is sent to an interpreter as part of a command or query. The vulnerability is ranked high as it can lead to executing unintended commands or accessing unauthorized data. This vulnerability occurred in one of every five websites in our sample.
Cross-Site Scripting
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. The vulnerability is ranked high as it allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites. The vulnerability covers 8.14% of the sample websites.
Directory Browsing
Allows viewing of a directory listing; this may reveal hidden scripts, include files and backup source files which can be accessed to read sensitive information. This is a medium-rank vulnerability which covers 20.69% of our sample sites.
Cross-Site Request Forgery
This is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. This medium-ranked vulnerability existed in 6.9% of the sample sites. Figure 18 below shows the likelihood of occurrence of the top six vulnerabilities.
[Figure 18. Top six vulnerabilities by risk level: bar chart of the likelihood of the top six vulnerabilities (sql injection, xss, directory browsing, cross site request forgery, cookie set without HttpOnly flag, password autocomplete in browser)]
Cookies set without HttpOnly flag
Enables cookies to be accessed by JavaScript; if a malicious script runs on the page then the cookie will be accessible and can be transmitted to another site. Appearing in 19.54% of the total sample space, the vulnerability is ranked low.
Password autocomplete in browser
Occurs when the AUTOCOMPLETE attribute is not disabled in an HTML FORM/INPUT element containing a password-type input. Passwords may be stored in browsers and retrieved. The vulnerability covered 13.79% of the sample targets.
3.4.3 Vulnerabilities by their risk level
Using the OWASP severity system (High, Medium and Low) as a baseline, we ranked vulnerability risk based on the impact if the issue were exploited. The vast majority of websites have at least one high risk vulnerability, with 42.86% having one or more high risk vulnerabilities (Figure 19). Medium level vulnerabilities were frequent, appearing in 89.29% of the scanned sample websites. Low level vulnerabilities were present in 78.57% of the sample websites.
[Figure 19. Likelihood of websites having vulnerabilities by risk level: High 42.86%, Medium 89.29%, Low 78.57%]
3.5 Suggestions and Countermeasures
The result presentation phase revealed a list of the top six vulnerabilities, comprising the leading pair of vulnerabilities from each risk level. Below are the suggested preventive measures with their patch scripts where applicable. The scripts are PHP based since about 93.3% of the websites in the sample were developed with the PHP scripting language.
SQL injection
Impact: May result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover.
Prevention: White-list input validation with appropriate canonicalization is also recommended, but is not a complete defense, as many applications require special characters in their input. To prevent SQL injection add the following lines to your code file.
$data = $_GET['data'];                     // untrusted request parameter
$data = stripslashes($data);               // undo magic_quotes escaping (PHP 5.3 and earlier)
$data = mysql_real_escape_string($data);   // escape quotes for the open mysql_* connection
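As an added example (not from the report), the same kind of lookup written with PDO prepared statements, which keep the parameter out of the SQL text entirely and also cover the numeric case the escaping patch does not; the table name, the SQLite in-memory database and the sample rows are assumptions made so the example runs offline.

```php
<?php
// Added example, not from the report. The escaping patch above only protects a
// value that lands inside a quoted SQL string; a parameter used in a numeric
// context such as index.php?page=2 (WHERE id = $page) gains nothing from
// mysql_real_escape_string(). A prepared statement covers both cases.
// Table "downloads" and the rows below are constructed for the example.

function open_db(): PDO {
    // SQLite in memory so the example runs offline. For MySQL use a DSN such as
    // 'mysql:host=localhost;dbname=app;charset=utf8mb4' and also set
    // PDO::ATTR_EMULATE_PREPARES to false so the server does the binding.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE downloads (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO downloads (id, title) VALUES (:id, :title)');
    foreach ([[1, 'Fee structure'], [2, 'Exam regulations'], [3, "Students' handbook"]] as $row) {
        $ins->execute([':id' => $row[0], ':title' => $row[1]]);
    }
    return $db;
}

// String context: the value is bound as a parameter and never becomes SQL text,
// so quotes inside it are data, not syntax.
function find_by_title(PDO $db, string $title): array {
    $stmt = $db->prepare('SELECT id, title FROM downloads WHERE title = :title');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric context: validate the shape first, then bind as an integer.
function find_by_page(PDO $db, string $page): array {
    if (!ctype_digit($page)) {
        throw new InvalidArgumentException('page must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT id, title FROM downloads WHERE id = :id');
    $stmt->bindValue(':id', (int) $page, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = open_db();
// A title containing an apostrophe still matches exactly its own row.
printf("rows for real title: %d\n", count(find_by_title($db, "Students' handbook")));
// A quote-breaking value is compared literally and matches no row at all.
printf("rows for tautology: %d\n", count(find_by_title($db, "' OR '1'='1")));
// A page value that is not a plain integer is refused before it reaches SQL.
try {
    find_by_page($db, '2 OR 1=1');
} catch (InvalidArgumentException $e) {
    printf("rejected: %s\n", $e->getMessage());
}
printf("page 2: %s\n", find_by_page($db, '2')[0]['title']);
```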
XSS
Impact: Attackers can execute scripts in a victim's browser to hijack user sessions, deface web sites, insert hostile content, redirect users, or hijack the user's browser using malware.
Prevention: Requires keeping untrusted data separate from active browser content. The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) into which the data will be placed. Developers need to include this escaping in their applications unless their UI framework does it for them. To sanitize inputs against XSS the following patch may be used for each parameter.
$data = $_GET['data'];                     // untrusted request parameter
$data = stripslashes($data);               // undo magic_quotes escaping (PHP 5.3 and earlier)
$data = mysql_real_escape_string($data);   // escape quotes for the open mysql_* connection
$data = htmlspecialchars($data);           // encode <, >, & and " before echoing into HTML
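As an added example (not from the report), output escaping chosen per HTML context, written as a small rendering function for a downloads listing of the kind the report's XSS scenario targeted; the function names and all sample values are constructed, and the approach differs from the patch above in that escaping is applied at output time rather than stacked on the input.

```php
<?php
// Added example, not from the report. The patch above applies SQL escaping and
// HTML escaping to one value in sequence; here the two are kept apart, because
// a value escaped for SQL (backslashes added) is not what should reach the
// browser, and HTML escaping belongs at output time, in the context the value
// lands in. All inputs below are constructed.

// HTML body and quoted-attribute context. ENT_QUOTES also escapes single quotes,
// which the report's payload relied on ('>'<); ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string.
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL query-string context: a value placed after "?start=" is percent-encoded,
// so quotes and angle brackets cannot terminate the attribute or the tag.
function esc_url_param(string $s): string {
    return rawurlencode($s);
}

// href context: only http(s) URLs are accepted, so javascript: and data: links
// are refused rather than escaped (escaping does not make a scheme safe).
function safe_href(string $url): string {
    if (!preg_match('#^https?://[^\s"\'<>]+$#i', $url)) {
        return '#';
    }
    return esc_html($url);
}

// Render one row of the listing from untrusted title, link and paging values.
function render_download(string $title, string $url, string $start): string {
    return '<li><a href="' . safe_href($url) . '">' . esc_html($title) . '</a>'
         . ' <a href="?start=' . esc_url_param($start) . '">next</a></li>';
}

// An attribute-breaking value modelled on the report's reflected XSS URL.
$payload = "1->\">'><img src='x'>";

// 1. The payload in the paging parameter ends up percent-encoded inside ?start=.
echo render_download('Exam regulations', 'https://www.example.ac.tz/downloads/2', $payload), PHP_EOL;

// 2. The payload as a title is entity-encoded; the javascript: link is dropped.
echo render_download($payload, 'javascript:alert(1)', '1'), PHP_EOL;

// 3. Ordinary text with an apostrophe renders correctly, not mangled by backslashes.
echo render_download("Students' handbook", 'http://www.example.ac.tz/handbook', '3'), PHP_EOL;
```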
Directory browsing
Impact: A user can view a list of all files in the directory, possibly exposing sensitive information.
Prevention: Make sure the directory does not contain sensitive information, or restrict directory listings in the web server configuration. The easiest way to disable directory listing is to create an index file redirecting to the authorized page. The name of the index file depends on the web server configuration: on Apache it is called index.htm or index.html; on IIS it is named default.asp, default.aspx or default.htm. Alternatively, configure the .htaccess file by adding the line below.
IndexIgnore *
Cross site request forgery
Impact: Can be used to perform an action against a target site using the victim's privileges; furthermore it can be exploited to disclose information by gaining access to the response.
Prevention: The code should check the HTTP Referer header to see whether the request originated from an expected page. Care should be taken, as this could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.
Password autocomplete in browser
Impact: Passwords may be stored in browsers and retrieved.
Prevention: The AUTOCOMPLETE attribute in the form or in individual input elements containing a password should be turned off using AUTOCOMPLETE='OFF', as shown below.
<input type="password" name="foo" id="pwd" autocomplete="off" />
Cookies set without HttpOnly flag
Impact: If a malicious script can be run on the page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.
Prevention: Ensure that the HttpOnly flag is set for all cookies.
Based on the suggested countermeasures and the patches above, websites may be kept secure when these are applied correctly.
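The CSRF, password autocomplete and HttpOnly cookie measures above, combined in one added example that is not the report's code: a synchronizer token verified on an admin password-reset form, the report's Referer check kept as a secondary signal, session cookie flags set before session_start(), and autocomplete turned off on the password field. The form path, host name and function names are placeholders.

```php
<?php
// Added example, not from the report. Covers three countermeasures from this
// section: CSRF (synchronizer token plus the Referer check as a secondary
// signal), HttpOnly/Secure flags on the session cookie, and autocomplete="off"
// on the password input. Paths and host names are placeholders.

function start_hardened_session(): void {
    // HttpOnly keeps document.cookie from reading the session id (the report's
    // "cookie set without HttpOnly flag" finding); Secure restricts it to HTTPS;
    // SameSite=Lax stops the browser attaching it to cross-site POSTs.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'domain' => '',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

function csrf_token(): string {
    // One random token per session, stored server-side and echoed into the form.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals compares in constant time, so the token is not leaked byte by byte.
    return $expected !== '' && hash_equals($expected, $submitted);
}

function referer_matches(?string $referer, string $host): bool {
    // The report's Referer check. A missing header is common (privacy settings,
    // proxies), so callers treat a false result as advisory, not as proof.
    if ($referer === null) {
        return false;
    }
    $refHost = parse_url($referer, PHP_URL_HOST);
    return is_string($refHost) && strcasecmp($refHost, $host) === 0;
}

function render_reset_form(): string {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/admin/reset_password.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="password" name="new_password" autocomplete="off">'
         . '<button type="submit">Reset password</button></form>';
}

function handle_reset(array $post, ?string $referer, string $host): string {
    if (!csrf_check($post['csrf_token'] ?? '')) {
        return 'rejected: missing or invalid CSRF token';
    }
    if (!referer_matches($referer, $host)) {
        // Log only: the token already decided the request; the Referer is context.
        error_log('password reset with foreign or missing Referer');
    }
    return 'accepted';
}

// Demonstration. On the command line there is no cookie exchange, so the session
// array is initialised directly; under a web server call start_hardened_session().
if (PHP_SAPI === 'cli') { $_SESSION = []; } else { start_hardened_session(); }
$host = 'www.example.ac.tz';
echo render_reset_form(), PHP_EOL;
// A cross-site form post carries no token (or a guessed one) and is refused.
echo handle_reset(['new_password' => 'x', 'csrf_token' => 'guess'], 'http://other.example/', $host), PHP_EOL;
// The site's own form round-trips the token and is accepted.
echo handle_reset(['new_password' => 'x', 'csrf_token' => csrf_token()], 'https://' . $host . '/admin/', $host), PHP_EOL;
```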
CHAPTER FOUR
Conclusion and recommendation
4.1 Conclusion
The use of Web technology to manage academics and business as a whole is becoming inescapable. The ever-expanding use of the Internet for educational operations has altered the threat landscape. Attackers are now targeting the application layer, especially the Web application layer, because it is outward facing and a breach in this layer takes attackers directly to the data they want. We believe that organizations must strengthen their Web applications at the application level. Applications must be designed to limit software flaws and vulnerabilities. Our findings showed that in 30 web based applications more than 4678 vulnerabilities were found, consisting of 92 high risk vulnerabilities, 389 medium risk vulnerabilities and 4197 low risk vulnerabilities. The current situation is critical, as these vulnerabilities in combination may result in total penetration of the affected system; in this project we successfully exploited several types of vulnerabilities including SQL injection, XSS, security misconfiguration (brute force), URL crafting and directory browsing. The results also show that 42% of the sample contain high risk level vulnerabilities that allow easy exploitation and 89.29% have medium risk level vulnerabilities which can be used as a stager or in combination to facilitate a high level attack. Despite the fact that some of these web applications host sensitive information such as student results and other human resource information, the security of these web sites has not been implemented to the level we expected; higher learning institutions ought to be exemplary in the implementation of secure web applications. During the implementation of our project we witnessed several sites among our targets hacked, by being seeded with invalid web links to pornography or, worse, defaced. Most of these web applications were developed by trusted vendors in the country, yet they are still not secure.
It is time for our country to shift to secure Web application development, and vendors providing vulnerability assessment and penetration testing services should emerge.
4.2 Recommendation
Based on the findings of our project, we recommend that the security of web based applications should start as early as the development phases; that is, application vulnerability scanning should be included as part of the software development life cycle. Care should be taken with the trust placed in web application developers who vend encrypted code to retain their ownership; a proof of correctness of the code should be carried out before purchase. We further recommend separating different system services onto different machines, as we found that a secure system's database can be exploited just because it exists on the same server as an insecure system's database. Maintaining least privilege for system users is strongly recommended: database users should be granted the least privileges needed at the time of system operation. Some of our attacks failed before our eyes simply because system users did not have enough privileges. There is considerable variety among the CMS products on the market used to build web applications; we recommend that security should not be left to rely on these tools, and that current, updated versions must be used. To be successful in this space, proper scanning and penetration testing must be well integrated into the software development life cycle and, most importantly, done accurately. We believe that the best way to strengthen security is through the use of vulnerability scanning and existing penetration testing techniques throughout the system's life cycle.
APPENDICES
Appendix A: Selected sample web sites
A list of the selected sample web sites from public higher learning institutions registered by TCU for the year 2013/2014.
S/N | Name of Public Higher Learning Institution | URL Address
01 | Ardhi University (ARU) | www.aru.ac.tz
02 | Arusha Technical College | www.atc.ac.tz
03 | College of Business Education (CBE) DSM | www.cbe.ac.tz
04 | College of Business Education (CBE) MWANZA | www.cbemwanza.ac.tz
05 | Community Development Training Institute Tengeru (CDTI) | www.cdti.ac.tz
06 | Dar es salaam Institute of Technology (DIT) | www.dit.ac.tz
07 | Dar es salaam University College of Education (DUCE) | www.duce.ac.tz
08 | Eastern Africa Statistical Training Center (EASTC) | www.eastc.ac.tz
09 | Institute of Accountancy Arusha (IAA) | www.iaa.ac.tz
10 | Institute of Adult Education (IAE) | www.iae.ac.tz
11 | Institute of Finance Management (IFM) | www.ifm.ac.tz
12 | Institute of Rural Development Planning (IRDP) | www.irdp.ac.tz
13 | Institute of Social Work (ISW) | www.isw.ac.tz
14 | Institute of Tax Administration (ITA) | www.ita.ac.tz
15 | Moshi University College of Cooperative and Business Studies (MUCCoBS) | www.muccobs.ac.tz
16 | Muhimbili University of Health and Allied Sciences (MUHAS) | www.muhas.ac.tz
17 | Mbeya University of Science and Technology (MUST) | www.must.ac.tz
18 | Mzumbe University (MU) | www.mzumbe.ac.tz
19 | National Institute of Transport (NIT) | www.nit.ac.tz
20 | Open University of Tanzania (OUT) | www.out.ac.tz
21 | Sokoine University of Agriculture (SUA) | www.suanet.ac.tz
22 | State University of Zanzibar (SUZA) | www.suza.ac.tz
23 | Tanzania Institute of Accountancy (TIA) | www.tia.ac.tz
24 | University of Dar es Salaam (UDSM) | www.udsm.ac.tz
25 | University of Dodoma (UDOM) | www.udom.ac.tz
26 | Water Development Management Institute (WDMI) | www.wdmi.ac.tz
27 | Zanzibar Institute of Financial Administration (ZIFA) | www.zifa.ac.tz
28 | Dar es salaam Maritime Institute (DMI) | www.dmi.ac.tz
29 | Mwalimu Nyerere Memorial Academy (MNMA) DSM | www.mnma.ac.tz
30 | Mzumbe University - Mbeya College (MUMCo) | www.mumco.ac.tz
Appendix B: NetCraft results summary
The table below summarizes the information that was gathered using the NetCraft tool.
URL ADDRESS | IP ADDRESS | OS | WEB SERVER | DNS ADMIN
www.aru.ac.tz | 41.93.30.26 | Linux | Apache/2.2.3 CentOS | hostmaster@tznic.or.tz
www.atc.ac.tz | 41.220.128.13 | - | - | hostmaster@tznic.or.tz
www.cbe.ac.tz | 41.221.41.61 | - | - | hostmaster@tznic.or.tz
www.cbemwanza.ac.tz | 216.246.124.96 | - | - | hostmaster@tznic.or.tz
www.cdti.ac.tz | 41.220.128.3 | - | - | hostmaster@tznic.or.tz
www.dit.ac.tz | 64.118.86.41 | Linux | Apache/1.3.33 Unix | hostmaster@tznic.or.tz
www.dmi.ac.tz | 216.147.64.212 | Linux | Apache/1.3.35 Unix | hostmaster@tznic.or.tz
www.eastc.ac.tz | 174.120.28.254 | - | - | hostmaster@tznic.or.tz
www.iaa.ac.tz | 216.198.246.100 | Linux | Apache/1.3.42 Unix | hostmaster@tznic.or.tz
www.iae.ac.tz | 69.167.143.223 | - | - | hostmaster@tznic.or.tz
www.ifm.ac.tz | 198.154.219.120 | Linux | Apache/2.2.23 Unix | hostmaster@tznic.or.tz
www.irdp.ac.tz | 142.4.4.174 | - | - | hostmaster@tznic.or.tz
www.ita.ac.tz | 66.96.145.103 | - | - | hostmaster@tznic.or.tz
www.must.ac.tz | 142.4.4.174 | - | - | hostmaster@tznic.or.tz
www.nit.ac.tz | 173.201.63.1 | - | - | hostmaster@tznic.or.tz
www.out.ac.tz | 41.93.35.4 | - | - | hostmaster@tznic.or.tz
main.mzumbe.ac.tz | - | - | - | hostmaster@tznic.or.tz
muce.udsm.ac.tz | 41.86.162.27 | - | - | hostmaster@tznic.or.tz
www.duce.ac.tz | 72.167.232.40 | - | - | hostmaster@tznic.or.tz
www.isw.ac.tz | - | - | - | hostmaster@tznic.or.tz
www.muhas.ac.tz | - | - | - | hostmaster@tznic.or.tz
www.mumco.ac.tz | - | - | - | hostmaster@tznic.or.tz
www.suanet.ac.tz | 41.73.194.141 | Linux | Apache/2.2.22 ubuntu | hostmaster@tznic.or.tz
www.ita.ac.tz | 142.4.4.174 | - | - | hostmaster@tznic.or.tz
www.udom.ac.tz | 196.43.67.98 | - | Apache/2.2.17 ubuntu | hostmaster@tznic.or.tz
www.udsm.ac.tz | 142.4.4.174 | Linux | Apache/2.2.15 CentOS | hostmaster@tznic.or.tz
www.wdmi.ac.tz | 174.120.139.34 | - | - | hostmaster@tznic.or.tz
www.zifa.ac.tz | 5.77.48.180 | - | - | hostmaster@tznic.or.tz
www.mnma.ac.tz | - | - | - | -
www.muccobs.ac.tz | - | - | - | -
www.suza.ac.tz | - | - | - | -
Appendix C: WhatWeb result summary
The table below summarizes the information that was gathered using the WhatWeb tool.
S/N | IP Address | Server version | CMS | Language
1 | 41.93.30.26 | Apache v.2.2.3 | Mambo/Joomla | PHP v.5.1.6
2 | 41.220.128.13 | Apache | - | PHP v.5.3.2
3 | 41.221.41.61 | Apache | Joomla | PHP v.5.3.21
4 | 216.246.124.96 | - | - | PHP v5.3.22
5 | 41.220.128.3 | Apache | Joomla | PHP v5.3.24
6 | 64.118.86.41 | Apache 2.2.23 | - | -
7 | 72.167.232.40 | Apache | - | PHP v5.3.22
8 | 174.120.28.254 | Apache | Joomla | PHP v5.3.22
9 | 216.198.246.100 | - | Joomla | -
10 | 69.167.143.223 | - | - | PHP v5.3.22
11 | 198.154.219.120 | Apache 2.2.23 | Joomla | PHP v5.3.23
12 | 142.4.4.174 | Apache 2.2.24 | Joomla | PHP v5.3.22
13 | 142.4.4.174 | Apache 2.2.24 | - | -
14 | 66.96.145.103 | Apache | Joomla | -
15 | 142.4.4.174 | Apache 2.2.24 | Joomla | -
16 | 41.223.231.40 | Apache 2.2.3 | Joomla | -
17 | 142.4.4.174 | Apache 2.2.3 | Joomla | -
18 | 142.4.4.174 | Apache 2.2.3 | - | -
19 | 173.201.63.1 | Apache | Mambo | -
20 | 41.93.35.4 | Apache 2.2.3 | Joomla | PHP v5.1.6
21 | 41.73.194.141 | Apache 2.2.3 | Mambo | -
22 | 41.204.150.67 | Apache 2.2.3 | | PHP v5.1.6
23 | 142.4.4.174 | Apache 2.2.17 | Joomla | -
24 | 196.43.67.98 | Apache 2.2.24 | Joomla | -
25 | 142.4.4.174 | - | - | PHP v5.3.5
26 | 174.120.139.34 | Apache | - | -
27 | 5.77.48.180 | Apache 2.2.24 | - | -
Appendix D: W3af configuration commands
Below are the W3af configuration commands used for performing vulnerability scanning.
w3af>>> plugins
w3af/plugins>>> discovery webSpider
w3af/plugins>>> list discovery enabled
w3af/plugins>>> audit xss,xsrf,sqli,fileUpload,eval,osCommanding
w3af/plugins>>> list audit enabled
w3af/plugins>>> output console,htmlFile
w3af/plugins>>> list output enabled
w3af/plugins>>> output config htmlFile
w3af/plugins/output/config:htmlFile>>> set fileName example.html
w3af/plugins/output/config:htmlFile>>> back
w3af/plugins>>> back
w3af>>> http-settings
w3af/config:http-settings>>> set userAgent Mozilla/5.0 (X11; Linux i686 on x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1
w3af/config:http-settings>>> back
w3af>>> target
w3af/config:target>>> set target www.example.ac.tz
w3af/config:target>>> set targetOS windows
w3af/config:target>>> set targetFramework php
w3af/config:target>>> back
w3af>>> start