Vulnerability scanning project
MISY367 Security Tool Project
Matthew Coyle
Hunter Crozier
Chirag Dhamecha
Joshua Vogel
Vulnerability Scanning: An Introduction
Every night before leaving his store to go home, a business owner makes sure that his
valuable assets are properly secured: money is put away in a safe, all windows and doors are
closed and locked, and the alarm system is turned on. These precautions are put in place to
minimize the threat of a person breaking into the building. If a vandal were to gain access to the
store after hours, the likelihood of him or her being able to steal or damage precious assets is
greatly reduced because of the established safeguards. This business owner is aware of the threats and
vulnerabilities that could be present in his store (e.g. leaving money in an unlocked cash register
overnight) and minimizes them in order to prevent others from taking advantage of them.
Similarly, information security professionals should be aware of the weaknesses
that exist within their organization so that they can fix them and significantly reduce the
possibility of damage being caused to their organizations. One way to find weaknesses in an IT
environment is to use a vulnerability scanner.
A vulnerability scanner is a program that checks computers, networks, applications, and
websites for weaknesses and misconfigurations. It uses a database of known security flaws to find whether
and where a system can be exploited. By uncovering these vulnerabilities, information security
professionals can remediate them before they are exploited by threat sources
(e.g. malware). While typically used to scan systems that are connected in some way to the
Internet, vulnerability scanners can also be used as a tool to audit internal systems that do not
use the Internet (“What Is Vulnerability Scanning?”). Businesses of all sizes should run
vulnerability scans on a regular basis, as all organizations run the risk of being attacked.
Multiple studies have shown that over 75 percent of information security professionals know of
and use vulnerability scanners; however, many organizations are using old scanner programs or
do not make scanning a part of their regular routine (Robinson).
Vulnerability scanners have several benefits and drawbacks. By regularly scanning,
organizations can easily identify security vulnerabilities and find a solution to fix them before
any problems occur. Vulnerability scanners also enable information security professionals to
take inventory of all systems on a network and verify that these systems are properly updated and
configured (“An Overview of Vulnerability Scanners”). On the other hand, vulnerability
scanners can only find and report vulnerabilities that are in their databases, and they cannot
judge whether their own results are accurate: a reported issue may be a false positive, and a real
weakness the scanner has no check for is a false negative, so a person must read and analyze the reports.
Additionally, a scan report only describes the state of a system at the moment it
was scanned (“An Overview of Vulnerability Scanners”). Because systems are
often updated and reconfigured, which can introduce new security weaknesses and holes,
scans must be run often in order for the information to remain accurate and up to
date.
Qualys FreeScan
Qualys is a company based in Redwood City, CA that bills itself as the leading
provider of cloud solutions for compliance and information security. The company attempts to
keep information security simple and available at a low cost by delivering each of its
services on demand. Whereas many other information security
companies require that users download and install software, Qualys offers its
services online. According to its website, Qualys solutions include “continuous monitoring,
vulnerability management, policy compliance, PCI compliance, security assessment
questionnaire, web application scanning, web application firewall, malware detection and
SECURE Seal for security testing of websites” (“Company Overview & About Qualys”).
Qualys FreeScan provides information security professionals with a way to scan their
networks, servers, and websites for security vulnerabilities. It is offered as a free trial of
services that can then be purchased. FreeScan users are given the ability
to scan up to 10 different systems within this trial. The online platform is automated and very
simple for someone to use. All one must do is create an account, provide a URL or IP address to
scan, and choose a type of scan (Vulnerability Scan, OWASP Risk Scan, Patch Tuesday
Authenticated Scan, or SCAP Compliance Scan). During the scan, Qualys works
in three main areas: vulnerability scanning, malware detection, and web application scanning. Once
Qualys FreeScan has completed its scan, it provides the user with a report of the security
vulnerabilities found on the system. The report can be printed, exported, or viewed online within the
interactive platform. Vulnerabilities are grouped by severity as high risk, medium risk, low risk, or
informational items that the user should know about. For each vulnerability, Qualys FreeScan provides detailed information about the
threat, its impact, and the solution that fixes it. Within the scan report, users can also
view available patches and vulnerabilities grouped by OWASP category.
Getting Started with the Program
Qualys FreeScan is a widely used online vulnerability scanning tool.
It helps companies audit and protect their networks and websites against security vulnerabilities
and malware infections. Depending on the scan type chosen, the tool performs network
vulnerability scans of servers and applications, a patch audit of PCs, an OWASP web application audit,
or a SCAP compliance audit.
Learning to use the program is a clear and straightforward process, and the program is very
user friendly; we did not need any prior experience or training to get the hang of it. As broke
students, we chose to make a free account, which allows up to ten free scans. The free trial
version and the subscribed version provide exactly the same results; the only difference is that
the free version limits the user to ten scans. Below are some of the key steps illustrating
how to use the program:
1. Make a free account and log in (IMG 01).
2. Enter the URL or the IP address of the website you’d like to test, and
choose the type of scan you’d like to perform. If you do not choose a scan, it performs all four
types of scans on the website.
3. Once the scan is complete, proceed to “view” under “scan results” to take a look at
the outcomes. The results are categorized by the type of scan: OWASP Report,
Patch Report, or Threat Report.
Common Vulnerabilities Protection on Websites
Many of the popular websites that we scanned, such as LinkedIn and Amazon, had a
significant number of low risks. One of these risks was something Qualys refers to as “Sensitive
form field has not been disabled.” What this finding means is that a form collecting sensitive
data (such as a password) lets the browser offer to save and auto-complete what the user typed, so
someone else who later uses the same browser could submit those saved values without knowing
them. Many websites could
easily block this, but have decided that the convenience to users
outweighs the risk. The following is a direct copy
of what Qualys says about this vulnerability:
Threat:
An HTML form that collects sensitive information (such as a password field) does not prevent
the browser from prompting the user to save the populated values for later reuse. Stored
credentials should not be available to anyone but their owner.
Impact:
If the browser is used in a shared computing environment where more than one person may use
the browser, then "autocomplete" values may be submitted by an unauthorized user. For
example, if a browser saves the login name and password for a form, then anyone with access to
the browser may submit the form and authenticate to the site without having to know the victim's
password.
Solution:
Add the following attribute to the form or input element: autocomplete="off". This attribute
prevents the browser from prompting the user to save the populated form values for later reuse.
Another low risk vulnerability that occurred often was that the “Cookie does not contain
the ‘Secure’ attribute.” What was interesting about this finding was that it cites the
latest release of the PCI DSS requirements, which shows that the hosted tool’s checks are kept
current without the user having to update anything, unlike a downloadable tool that may fall
behind. The following is a copy of what Qualys says about this vulnerability:
Threat:
The cookie does not contain the "secure" attribute.
Based on the latest release of the PCI-DSS, this vulnerability is a PCI Fail.
PCI-DSSv3.1 requirement 6.5.10 is focused on secure session management, and refers to session
cookies needing to have the "secure" attribute set within the Cardholder Data Environment.
Refer to PCI-DSSv3.1 for details.
Impact:
Cookies with the "secure" attribute are only permitted to be sent via HTTPS. Session cookies
sent via HTTP expose an unsuspecting user to sniffing attacks that could lead to user
impersonation or compromise of the application account.
Solution:
If the associated risk of a compromised account is high, apply the "secure" attribute to cookies
and force all sensitive requests to be sent via HTTPS.
The final low level security vulnerability that was common throughout many of the
websites was one labeled “Cookie does not contain the HTTPOnly attribute.” The
consequence is that script running in the page can read the cookie through JavaScript, so a
cross-site scripting (XSS) attack could steal it. The following is a copy from the Qualys site:
Threat:
The cookie does not contain the "HTTPOnly" attribute.
Impact:
Cookies without the "HTTPOnly" attribute are permitted to be accessed via JavaScript. Cross-
site scripting attacks can steal cookies which could lead to user impersonation or compromise of
the application account.
Solution:
If the associated risk of a compromised account is high, apply the "HTTPOnly" attribute to
cookies.
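As an added example (not part of the original report and not Qualys’s code), the following Python script performs the three checks that these low-risk findings correspond to: it parses Set-Cookie header values and reports a missing Secure or HttpOnly attribute, and it parses an HTML form for password fields that neither they nor their enclosing form mark with autocomplete="off". The response headers and login form it examines are constructed for illustration, not captured from any of the sites scanned.

```python
"""Scanner-style checks for three findings on this page:
Set-Cookie without Secure, Set-Cookie without HttpOnly, and a password
field that the browser is allowed to auto-complete.
Added example; headers and form below are constructed, not from a real site."""
from html.parser import HTMLParser

# Constructed Set-Cookie header values, as a login response might send them.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; HttpOnly",                     # missing Secure
    "csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",  # both present
    "prefs=dark; Path=/",                                     # missing both
]

# Constructed login form: the password field can be auto-completed.
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
"""


def audit_set_cookie(header_value: str) -> list:
    """Return one finding string per missing attribute on a Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive; their values (e.g. Path=/) do not matter here.
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"Cookie '{cookie_name}' does not contain the 'Secure' attribute")
    if "httponly" not in attrs:
        findings.append(f"Cookie '{cookie_name}' does not contain the 'HttpOnly' attribute")
    return findings


class _SensitiveFieldScanner(HTMLParser):
    """Flags password inputs unless the input or its enclosing form has autocomplete="off"."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete_off = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_autocomplete_off = a.get("autocomplete", "").lower() == "off"
        elif tag == "input" and a.get("type", "").lower() == "password":
            field_off = a.get("autocomplete", "").lower() == "off"
            if not (self.form_autocomplete_off or field_off):
                self.findings.append(
                    f"Sensitive form field '{a.get('name', '?')}' has not been disabled"
                )

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete_off = False


def audit_sensitive_fields(html_text: str) -> list:
    """Return one finding string per auto-completable password field."""
    scanner = _SensitiveFieldScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


def audit_response(set_cookie_values: list, html_text: str) -> list:
    """Run both checks against one HTTP response (headers plus body)."""
    findings = []
    for value in set_cookie_values:
        findings.extend(audit_set_cookie(value))
    findings.extend(audit_sensitive_fields(html_text))
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_SET_COOKIE, SAMPLE_HTML):
        print(finding)
```

Run on the constructed response, the script reports four findings: sessionid lacks Secure, prefs lacks both attributes, and the pass field can be auto-completed. One caveat a practitioner should keep in mind: current browsers deliberately ignore autocomplete="off" on login fields so that password managers keep working, which is part of why Qualys rates that finding as low; the missing Secure and HttpOnly attributes on a session cookie are the ones worth fixing first.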
One of the less common vulnerabilities was something called a Blind SQL Injection. This
is similar to a standard SQL injection attack, but differs in that detecting it does not
rely on error messages, so it is harder to find. I have included the detailed description
below, example included:
Threat:
Blind SQL injection is a specialized type of SQL injection that enables an attacker to modify the
syntax of a SQL query in order to retrieve, corrupt or delete data. A successful exploit
manipulates query criteria in a manner that affects the query's logic. The typical causes of this
vulnerability are lack of input validation and insecure construction of the SQL query.
Queries created by concatenating strings with SQL syntax and user-supplied data are prone to
this vulnerability. When any part of the string concatenation can be modified, an attacker has the
ability to change the meaning of the query.
Typical detection techniques for SQL injection vulnerabilities use a payload that attempts to
produce an error response from the web application. Detection based on blind SQL injection uses
inference based on the differences among the application's responses to various payloads. Blind
SQL does not rely on error messages, which is beneficial when testing web applications that trap
errors.
How It Works:
The WAS scanning engine uses a well-known methodology called "True and False" inference to
determine if there is a blind SQL injection vulnerability. Basically, it uses two payloads: one
with a "True condition" and another with a "False condition". If there is a blind SQL injection
vulnerability, the query with the "True condition" payload will cause the web application to
return a different response than the "False condition".
A good example of a "True condition" payload would be ' AND 1=1 . Since 1 always equals 1,
the condition is true. An example of a "False condition" payload would be ' AND 1=2 . Since 1
does not equal 2, the condition is false.
For example, let's say there is a web application with a textbox that searches for customer names
and displays the results inside a table. Let's assume that if someone searches for John there is
one result only. When scanning for the blind SQL injection vulnerability, the WAS scanning
engine uses two payloads:
- True condition payload: This injects the string John' AND 1=1 to issue the query "return John
only if 1=1". Since 1 always equals 1 the condition is true. The result is John, which is the same
result as using the string John.
- False condition payload: This injects the string John' AND 1=2 to issue the query "return John
only if 1=2". Since 1 is never equal to 2, the condition is false. The result is nothing or "No
results found".
With the results from the two payloads, the WAS scanning engine draws the conclusion that
there is a blind SQL injection vulnerability. Even though there is no one called "John' AND
1=1" in the database, web application displays information for "John" if a search is done with
that query string.
Example:
These few lines demonstrate an insecure query that is created by appending user-supplied data
(name):
On Error Resume Next ' Page traps errors and does not display them
' oCONv is an already-open ADODB.Connection; the search box value is
' concatenated straight into the SQL text, which is the flaw
Set oRSu = oCONv.Execute("SELECT fname, name FROM customers WHERE name = '" & _
    Request("txtSearch") & "'")
If oRSu.BOF Or Err.Number <> 0 Then
    Response.Write "No results found!"
End If
If no checks are performed against the name parameter, then the query may be arbitrarily
modified and sent to database as shown in these two examples of a completed query:
SELECT fname, name FROM customers WHERE name='John' AND 1=1
SELECT fname, name FROM customers WHERE name= 'John'; SHUTDOWN WITH
NOWAIT
In the first case the database will return "John" since the condition AND 1=1 is always true.
Impact:
The scope of a SQL injection exploit varies greatly. If any SQL statement can be injected into
the query, then the attacker has the equivalent access of a database administrator. This access
could lead to theft of data, malicious corruption of data, or deletion of data.
Solution:
SQL injection vulnerabilities can be addressed in three areas: input validation, query creation,
and database security.
All input received from the web client should be validated for correct content. If a value's type or
content range is known beforehand, then stricter filters should be applied. For example, an email
address should be in a specific format and only contain characters that make it a valid address; or
numeric fields like a USA zip code should be limited to five digit values.
Prepared statements (sometimes referred to as parameterized statements) provide strong
protection from SQL injection. Prepared statements are precompiled SQL queries whose
parameters can be modified when the query is executed. Prepared statements enforce the logic of
the query and will fail if the query cannot be compiled correctly. Programming languages that
support prepared statements provide specific functions for creating queries. These functions are
more secure than string concatenation for assigning user-supplied data to a query.
Stored procedures are precompiled queries that reside in the database. Like prepared statements,
they also enforce separation of query data and logic. SQL statements that call stored procedures
should not be created via string concatenation, otherwise their security benefits are negated.
SQL injection exploits can be mitigated by the use of Access Control Lists or role-based access
within the database. For example, a read-only account would prevent an attacker from modifying
data, but would not prevent the user from viewing unauthorized data. Table and row-based
access controls potentially minimize the scope of a compromise, but they do not prevent exploits.
Example of a secure query created with a prepared statement (conn is an open java.sql.Connection):
PreparedStatement ps = conn.prepareStatement("SELECT name,email FROM users WHERE userid=?");
ps.setInt(1, userid);
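As an added example (not Qualys’s code and not part of the original report), the following Python script reproduces both halves of the Qualys description above: the “True and False” inference the WAS engine uses to detect blind SQL injection, and the prepared-statement fix that defeats it. An in-memory SQLite table stands in for the customers table of the ASP snippet, with constructed rows, and the search functions play the role of the web page. The payloads use the quote-balanced form ' AND '1'='1 / ' AND '1'='2 so that the closing quote the application appends completes the injected literal; the Qualys text writes them as ' AND 1=1 and ' AND 1=2, leaving that detail out. SQLite has no SHUTDOWN statement, so the second (SQL Server) query from the text is not reproduced.

```python
"""Blind SQL injection by True/False inference, and the parameterized fix.
Added example (not Qualys code): an in-memory SQLite table stands in for the
customers table in the ASP snippet above; the rows are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: searching for the name 'John' returns one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (fname TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("Jonathan", "John"), ("Janet", "Jane")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, txt_search: str) -> list:
    """The insecure query from the ASP page: user input concatenated into SQL.
    Errors are swallowed, like On Error Resume Next, so an error-based probe
    such as a lone quote looks exactly like 'No results found!'."""
    sql = "SELECT fname, name FROM customers WHERE name = '" + txt_search + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return []  # the page would render this as "No results found!"


def search_safe(conn: sqlite3.Connection, txt_search: str) -> list:
    """Prepared (parameterized) statement: the input is bound as a value and
    can never change the structure of the query."""
    sql = "SELECT fname, name FROM customers WHERE name = ?"
    return conn.execute(sql, (txt_search,)).fetchall()


def blind_sqli_inference(search, base: str) -> bool:
    """True/False inference as the scanning engine performs it.

    A vulnerable endpoint answers the TRUE payload exactly like the baseline
    search and answers the FALSE payload differently. Against a parameterized
    query both payloads are just unusual names and neither matches the baseline,
    so no conclusion of injection is drawn."""
    baseline = search(base)
    true_resp = search(base + "' AND '1'='1")   # becomes ... name = 'John' AND '1'='1'
    false_resp = search(base + "' AND '1'='2")  # becomes ... name = 'John' AND '1'='2'
    return true_resp == baseline and false_resp != baseline


if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:",
          blind_sqli_inference(lambda q: search_vulnerable(db, q), "John"))
    print("parameterized query injectable:",
          blind_sqli_inference(lambda q: search_safe(db, q), "John"))
```

The inference is only as good as the comparison: real scanners send a unique marker rather than a fixed name and repeat the pair of requests to rule out pages whose content changes between requests, which would otherwise show up as false positives.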
The final high risk vulnerability that was common on the websites with many
findings was “Reflected Cross Site Scripting.” Qualys also reported
Persistent XSS, which differs mainly in delivery. In reflected XSS the payload travels in the
request (usually a crafted URL) and is echoed straight back in the response, so the attacker must
get a victim to follow the link; in persistent XSS the application stores the payload and serves it
to every visitor. In both cases the injected script runs in the victim’s browser and can read what
that user can see, including session cookies and form data. The
information from Qualys on this vulnerability is included below:
Threat:
XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML
response sent to the Web browser. For example, a Web application might include the user's name
as part of a welcome message or display a home address when confirming a shipping destination.
If the user-supplied data contain characters that are interpreted as part of an HTML element
instead of literal text, then an attacker can modify the HTML that is received by the victim's Web
browser.
The XSS payload is echoed in HTML document returned by the request. An XSS payload may
consist of HTML, JavaScript or other content that will be rendered by the browser. In order to
exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL
with the XSS payload.
Impact:
XSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits
target the users of a Web application rather than the Web application itself. An exploit can lead
to theft of the user's credentials and personal or financial information. Complex exploits and
attack scenarios are possible via XSS because it enables an attacker to execute dynamic code.
Consequently, any capability or feature available to the Web browser (for example HTML,
JavaScript, Flash and Java applets) can be used as part of a compromise.
Solution:
Filter all data collected from the client including user-supplied content and browser content such
as Referrer and User-Agent headers.
Any data collected from the client and displayed in a Web page should be HTML-encoded to
ensure the content is rendered as text instead of an HTML element or JavaScript.
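As an added example (not Qualys’s code and not from the original report), the following Python script shows the unencoded echo that the scanner looks for and the HTML-encoding fix the solution calls for, in two rendering contexts: user data written into the HTML body, and user data written into a quoted attribute, where a payload that merely breaks out of the quotes can add an event handler without ever using a < character. The page fragments and payloads are constructed.

```python
"""Reflected XSS: the unencoded echo a scanner looks for, and HTML-encoding as the fix.
Added example (not Qualys code); page fragments and payloads are constructed."""
import html

# Constructed payloads: one for an HTML body context, one for a quoted attribute.
BODY_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def welcome_vulnerable(name: str) -> str:
    """Echoes the user's name straight into the response, as the threat text describes."""
    return f"<p>Welcome, {name}!</p>"


def welcome_safe(name: str) -> str:
    """HTML-encodes the value so <, >, & and quote characters render as text, not markup."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def search_box_vulnerable(query: str) -> str:
    """Reflects the search term inside a quoted attribute without encoding."""
    return f'<input name="q" value="{query}">'


def search_box_safe(query: str) -> str:
    """quote=True also encodes the quote characters, so the value cannot
    close the attribute and smuggle in an event handler."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def is_reflected_unencoded(render, payload: str) -> bool:
    """Scanner-style check: does the response contain the markup payload verbatim?
    If it does, the browser will interpret it instead of displaying it."""
    return payload in render(payload)


if __name__ == "__main__":
    cases = [
        ("welcome (vulnerable)", welcome_vulnerable, BODY_PAYLOAD),
        ("welcome (encoded)", welcome_safe, BODY_PAYLOAD),
        ("search box (vulnerable)", search_box_vulnerable, ATTR_PAYLOAD),
        ("search box (encoded)", search_box_safe, ATTR_PAYLOAD),
    ]
    for label, render, payload in cases:
        print(f"{label}: reflected unencoded = {is_reflected_unencoded(render, payload)}")
        print("    " + render(payload))
```

Encoding is context-specific: html.escape is the right transformation for HTML body text and for quoted attribute values, but data placed inside a script block, a URL, or an unquoted attribute needs the encoding for that context, which is why the Qualys solution says to encode “any data collected from the client and displayed in a Web page” rather than to rely on input filtering alone.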
Websites We Scanned and Breakdown Reports
As a group, we scanned a variety of websites, ranging from Amazon to a small home
security business, to see which sites would be the most vulnerable to attacks from threat agents.
Little did we know that most of the smaller businesses had more secure websites than the
larger e-commerce websites such as Amazon. One reason is
that many smaller businesses’ websites are hosted by larger companies, such as Google and
GoDaddy, which maintain the platform for them. These smaller websites also hold less of the
payment data and goods that attackers are after, because of their smaller customer base. All in all,
we scanned eight websites, and out of those
eight we chose to break down the vulnerability reports of the University of Delaware’s website,
Amazon’s website, the International Association of NLP Institute’s website and Preferred Security
Inc.’s website. Let’s start by analyzing the University of Delaware’s website.
University of Delaware’s Diagnostic Report
After being scanned by Qualys FreeScan, www.udel.edu seems fairly secure and well
maintained. According to the results, there were only
two medium risks and one low risk on the website. The two medium-risk findings report that services
listening on certain ports stopped responding to TCP connection attempts partway through the scan.
This can be problematic because a service that stops accepting connections under scan load may
behave the same way under a deliberate flood of connection requests, i.e. it may be susceptible to a
denial-of-service (DoS/DDoS) attack, in which the flood consumes resources that real users need and
can slow the site down or knock it offline. The remediation steps Qualys lists start by ruling out
scan-side causes: check whether the scanner itself crashed and contact technical support if it did;
if the drop was a bandwidth problem, lower the scanner’s bandwidth setting; and check whether the port
that stopped answering belongs to a dynamic (ephemeral) service rather than a persistent listener. The
low risk finding was scan interference caused by UDel’s IDS and antivirus software. This interference
exists because, while the scanner is probing the website, the IDS and antivirus software can drop or
alter the scanner’s packets, which reduces the accuracy with which the scanner can detect
vulnerabilities. The solution to this problem is to whitelist the Qualys scanner in the IDS and
antivirus software.
Amazon’s Diagnostic Report
After scanning Amazon.com, the group was shocked to see that it was highly vulnerable
compared to the website of Preferred Security Inc. People would assume this larger e-commerce
site would be more secure than a small security business. Amazon had ten high risks, three
medium risks and forty-four low risks on its website. This was shocking to the group because
the highest risk was cross-site scripting, in which an attacker gets script of his or her choosing
to run in a customer’s browser by having the site echo it back into a page unencoded. This style of
attack goes after the customer instead of the web server itself: the script runs with the victim’s
session and can read personal information and card numbers the victim enters. The solution is to
filter all user-supplied data and HTML-encode it before it is written into a page, so that it renders
as text rather than as markup or script. Another
vulnerability was a predictable web server session ID. If session identifiers follow a guessable
pattern, an attacker can predict another shopper’s session token and take over that purchase session
without knowing a password. The
solution to this problem is to generate session IDs from a cryptographically secure random source
with enough entropy that guessing is infeasible.
Preferred Security Inc.’s Diagnostic Report
After scanning Preferred Security Inc.’s website, our group was surprised to see that the
website for such a small mom and pop business is very secure compared to an e-commerce giant
like Amazon.com. Preferred Security Inc. had only one medium security risk and two low risks.
The medium risk, TCP port pass firewall, occurs when connections to certain ports are allowed
through the firewall, in this case ports 20 and 1027. Port 20 is the File Transfer Protocol data
channel, and FTP sends both credentials and files unencrypted over the Internet. The solution to fix
this risk is to close port 20 on the firewall and block all traffic coming to it, unless FTP is
actually required. The other two findings
are the insecure cookie attributes discussed above; the fix is to set the Secure and HttpOnly
attributes on the cookies the web server issues.
International Association of NLP Institute’s Diagnostic Report
After scanning the International Association of NLP Institute’s website, the group was
shocked to see just how vulnerable it was. This website had thirty-one high risk vulnerabilities,
nineteen medium risk vulnerabilities and twenty-nine low risk vulnerabilities. The most
interesting high risk vulnerabilities to the group were blind SQL injection and cross-site scripting.
A blind SQL injection is when an attacker is able to alter the query the website sends to its
database, and so read, modify, or delete records, inferring the result from differences in the
page’s response rather than from error messages. The solution to this issue, as Qualys describes
it, covers three areas: input validation, query creation, and database security. Input validation
means restricting inputs to the length and characters a field legitimately needs; an example
would be limiting a zip code to exactly five digits and rejecting anything else. Query creation
should use prepared (parameterized) statements, in which the SQL text is fixed in advance and user
input is bound as a value, so that input cannot change the meaning of the query. Database security
includes strong credentials and least-privilege accounts, so that the account the website uses cannot
edit or delete more than it needs to. Cross-site scripting, as the group has mentioned before, is
when an attacker targets the user by getting script to run in the user’s browser in order to steal
credit card and personal information.
One way to resolve this issue is to validate user input and HTML-encode it before displaying it,
so that it is rendered as text rather than executed.
Resources (Scanned Sites)
● www.google.com
● http://old.cageprisoners.com/articles.php?id=22926
● http://www.nlp-institutes.net/show.php?id=620
● http://www.tunesoman.com/product.php?id=200
● http://coda.cc/product/product.php?id=4
● http://www.dipintoguitars.com/product.php?id=2
● http://www.ampak.com.tw/product.php?id=21
● http://store7.geomerx.com/mayflower/index.cfm?fuseaction=
● http://www.preferredsecurityinc.com/
Is the Tool Worth the Money?
Based on results from the scans, we would strongly recommend the tool. One of the best aspects
is that it’s web based, so the user does not have to be on site while performing the
scans: you can start a scan, come back later to check on its progress, and view the
results once it has completed. Because the tool is hosted online, the vulnerability checks it runs
are always up to date, and the user does not have to manually
keep checking for new signatures. The “subscription” to Qualys is based on the type of business
and the specific needs the business will primarily be using the tool for. Once you
submit an application for a subscription, the subscription fees are calculated and the
business receives a quote. The tools embedded in Qualys pay for themselves,
since they break each finding down into the threat, its impact, the solution, and the results.
Works Cited
"An Overview of Vulnerability Scanners." GovHK: Information Security. The Government of the
Hong Kong Special Administrative Region, Feb. 2008. Web. 8 May 2016.
<http://www.infosec.gov.hk/english/technical/files/vulnerability.pdf>.
"Company Overview & About Qualys." Qualys. Qualys, Inc., 2016. Web. 8 May 2016.
<https://www.qualys.com/company/>.
Robinson, Brian. "Vulnerability Scanning for Business." IT Security. PCMag Digital Group, 2016.
Web. 8 May 2016. <http://www.itsecurity.com/interviews/amer-deeba-interview-qualsys-040507/>.
"What Is Vulnerability Scanning?" Webopedia. QuinStreet Inc., 2016. Web. 8 May 2016.
<http://www.webopedia.com/TERM/V/vulnerability_scanning.html>.