IDENTIFYING SECURITY ISSUES IN A HIGHER INSTITUTE CMS LAB SITE
Panagiotis Loumpardias, Konstantinos Chimos
Introduction
• The number of websites rises constantly
• Websites are easy to build
• There are step-by-step guides for everything
• Many users are turning to CMSs (Drupal, Joomla, etc.)
• Universities also use them
Are websites safe?
• The answer should be “No one can really tell for sure!”
• Searching for “Hack a website” returns 74 million results in Google
• Website attacks in 2013 were 75% more than in 2012
Securing a website
• Design and deploy on a test server
• Look for known vulnerabilities of the software you use
• Check your site with security auditing tools
• Fix vulnerabilities
• Check again
Auditing Tools
• Lots of options
• Commercial
• Open Source
• Windows
• Linux
• With GUI
• Command line
Tool 1 - Arachni
• Open Source
• Runs on Mac & Linux
• Scalable resource usage by combining more than one machine
• User-collaboration friendly
• Can run on a remote computer and be accessed from the web with a browser
Results evaluation
• Cross-Site Request Forgery could only be exploited when posting full HTML as administrator
• Server backdoors were false results
• Unencrypted password forms can lead to password interception
• Backup files were also false results
• Some common sensitive files existed but without sensitive information
• Auto-completed password fields could lead to password loss, especially when there is physical access to the user’s computer
• Interesting responses were mostly the server denying access
• E-mail addresses were public
Tool 2 – OWASP ZAP
• Open Source
• Cross-platform (Windows – Linux)
• Proposes a solution for most results
• Users can rate and comment on results to help with troubleshooting
Results evaluation
• Cross-domain JavaScript source file inclusion is a true finding, but all the files come from trusted sources
• Password autocomplete in the browser can lead to password theft
• The X-Content-Type-Options header is missing, so certain browsers can be tricked into executing cleverly named malicious files
• The X-Frame-Options header is not set, which can result in clickjacking attacks
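The findings above (Arachni's unencrypted password forms and auto-completed password fields, ZAP's cross-domain script inclusion and the two missing headers) can all be checked from a single HTTP response without a scanner. The script below is an added example written for this page; it is not code from the presentation or from any of the tools it names. It runs offline over a constructed login page and header set (the `lab.example.edu` and `cdn.example.net` names are made up), reports each of those four issue classes, and shows the hardened header set beside the weak one.

```python
"""Offline audit of one HTTP response for the issue classes the slides list
(added example; constructed sample data, not the lab site's real pages)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Collect forms, their inputs and the hosts of cross-origin <script src>."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.forms = []            # each: {"action": str, "method": str, "fields": [attr dicts]}
        self.script_hosts = set()  # third-party script hosts, reported for review
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(a)
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname  # None for relative src
            if host and host != self.page_host:
                self.script_hosts.add(host)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_response(url, headers, body):
    """Return a list of human-readable findings for one page fetch."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    # ZAP's two header findings: MIME sniffing and framing (clickjacking)
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options header missing or not 'nosniff' (MIME sniffing)")
    if "x-frame-options" not in h:
        findings.append("X-Frame-Options header not set (clickjacking)")

    page = urlparse(url)
    scanner = _FormScanner(page.hostname)
    scanner.feed(body)

    for form in scanner.forms:
        pw_fields = [f for f in form["fields"] if (f.get("type") or "").lower() == "password"]
        if not pw_fields:
            continue  # only password forms matter for the two Arachni findings
        action = urlparse(form["action"])
        scheme = action.scheme or page.scheme  # a relative action inherits the page scheme
        if scheme != "https":
            findings.append(f"password form '{form['action']}' submits over {scheme} (interception)")
        for f in pw_fields:
            if (f.get("autocomplete") or "").lower() != "off":
                findings.append(f"password field '{f.get('name')}' allows browser autocomplete")

    for host in sorted(scanner.script_hosts):
        findings.append(f"cross-domain script included from {host} (verify it is a trusted source)")
    return findings


def harden_headers(headers):
    """Weak header set in, corrected header set out (existing values are kept)."""
    hardened = dict(headers)
    present = {k.lower() for k in hardened}
    if "x-content-type-options" not in present:
        hardened["X-Content-Type-Options"] = "nosniff"
    if "x-frame-options" not in present:
        hardened["X-Frame-Options"] = "SAMEORIGIN"  # or DENY if the site never frames itself
    return hardened


# Constructed sample: a CMS login page served over plain HTTP with no security headers.
SAMPLE_URL = "http://lab.example.edu/user/login"
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "Apache"}
SAMPLE_BODY = """<html><body>
<script src="/misc/site.js"></script>
<script src="http://cdn.example.net/jquery.min.js"></script>
<form action="/user/login" method="post">
  <input type="text" name="name">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
</body></html>"""

if __name__ == "__main__":
    print("weak headers:")
    for line in audit_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print("  -", line)
    print("hardened headers:")
    for line in audit_response(SAMPLE_URL, harden_headers(SAMPLE_HEADERS), SAMPLE_BODY):
        print("  -", line)
```

On the sample page the weak configuration yields five findings; after `harden_headers` only the three page-level ones remain (plain-HTTP submission, autocomplete, third-party script), which is the point the conclusion slide makes about SSL: the header findings are a server-config fix, while the password interception finding needs HTTPS. Note that current browsers largely ignore `autocomplete="off"` on login fields, so that finding is best treated as a policy reminder rather than a technical control.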
Tool 3 - w3af
• Open Source
• Runs best on Linux
• Can directly exploit some of the vulnerabilities it discovers
• Does not display a result multiple times if it is found on all pages
• It only exports the results in various formats but does not save the program session
Results evaluation
• Clickjacking was the only valid result
• Discovery of virtual hosts may prove to be problematic if they are vulnerable
Tool 4 - JSKY
• Commercial
• Runs on Windows
• The only commercial program with a fully working, unrestricted trial
• Describes the impact of the vulnerabilities found
• Gives recommendations for troubleshooting
Results evaluation
• None of the findings proved to be threatening in our case
Conclusion
• Auditing with only one program may not be enough
• If on a budget, open source tools seem to give decent results
• Using SSL should be the first thing to do if possible
• Choose a CMS with strong community support for more help in troubleshooting
• Run your own scans and try to find even more results if possible