Security testing of the ÕIS development version


Security testing of the study information system
Security team:
Matis Alliksoo
Alo Konno
Urmo Lihten
Taavi Podzuks
Sander Saarm
Current situation
- Our study information system is developed in-house.
- It is used by 10 applied universities.
- There are more than 14 000 active users, and more than 28 000 can log in.
Current situation (2)
- Technical information
  - PHP 5, Zend Framework
  - MySQL database
  - Linux operating system
- There are 3 servers
  - Live system web frontend
  - Live system database
  - Development server (web frontend and database)
Problem
- The study information system's security has been tested only by its developers, which is not good practice. This should be done by external testers.
Goals
1. Study what web vulnerabilities are and how to use them, because we did not have any experience in pen-testing.
2. Learn about web testing framework environments and how to use them.
3. Find out the best tools to work with and test them on Damn Vulnerable Web Application and later on the study information system.
4. Find vulnerabilities in the study information system.
5. Document our work.
Top 10 Web Vulnerabilities
- A1: Injection (SQL, PHP, ...)
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards
Used/tested web testing frameworks
Samurai Web Testing Framework
1. BurpSuite
2. Fireforce
3. Cookie editor
4. DVWA (redirected to BackTrack 5 R2)
BackTrack 5 R2
1. BurpSuite
2. Subgraph Vega
3. Wapiti
4. W3af
5. Nessus
6. OWASP ZAP
Windows tools
- Acunetix Web Vulnerability Scanner
Cross Site Request Forgery
We started by generating an HTML POST request that changes the authenticated user's language.
Cross Site Request Forgery (2)
Next we made an HTML POST request that uses USER_ID to change the authenticated user's password.
Changing Administrator password
1. Found out the USER_ID of the administrator by checking the administrator's picture URL in the study information system.
2. We created an HTML request and uploaded it to a trusted web server as a .jpg, to fool the administrator.
3. Tricked the administrator into logging into the study information system by telling him something was wrong in the study information system.
4. To explain the problem, we told him to check the fake screenshot (sent him the infected URL).
5. As he opened it, his password was changed automatically and he was kicked out of the system.
6. The issue was obviously fixed very quickly.
Failure to Restrict URL Access
- Found a vulnerability in a URL where students can see other students' grades just by changing the USER_ID in the PDF download URL.
- This failure was found by knowing the vulnerabilities and by randomly testing all pages.
- This data is very sensitive and it was fixed immediately.
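Both findings above (the forged password-change POST and the grade PDF reachable by changing USER_ID) come down to missing server-side checks. The following is an added PHP example, not code from the ÕIS project or its Zend Framework code base: a per-session anti-CSRF token and an ownership check on the requested USER_ID, where $session, $users and the handler names are assumed stand-ins for the real session and database layer.

```php
<?php
// Added example (not ÕIS code). Assumes $session is the logged-in user's PHP
// session data and that handlers get the request arrays explicitly; PHP 5.3.7+.
// One random anti-CSRF token per session, embedded as a hidden field in every
// state-changing form; a forged form on another site cannot know it.
function csrf_token(array &$session) {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
    }
    return $session['csrf_token'];
}
// Constant-time comparison; hash_equals() only appeared in PHP 5.6.
function csrf_token_valid(array &$session, $submitted) {
    $expected = csrf_token($session);
    if (!is_string($submitted) || strlen($submitted) !== strlen($expected)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($expected); $i++) {
        $diff |= ord($expected[$i]) ^ ord($submitted[$i]);
    }
    return $diff === 0;
}
// Password change. The vulnerable form took USER_ID from the POST body and had
// no token. Hardened: token required, target account is always the session user.
function change_password_handler(array &$session, array $post, array &$users) {
    $token = isset($post['csrf_token']) ? $post['csrf_token'] : null;
    if (empty($session['user_id']) || !csrf_token_valid($session, $token)) {
        return 403;
    }
    // $users stands in for the real password store (bcrypt via crypt()).
    $salt = '$2y$10$' . substr(bin2hex(openssl_random_pseudo_bytes(16)), 0, 22);
    $users[$session['user_id']]['pw_hash'] = crypt($post['new_password'], $salt);
    return 200;
}
// Grade PDF download. The vulnerable URL served any USER_ID to any logged-in
// student. Hardened: the id must match the session unless the caller is staff.
function grades_pdf_allowed(array $session, array $get) {
    $requested = isset($get['USER_ID']) ? (int) $get['USER_ID'] : 0;
    $self = isset($session['user_id']) ? (int) $session['user_id'] : 0;
    $staff = isset($session['role']) && $session['role'] === 'staff';
    return $self > 0 && $requested > 0 && ($requested === $self || $staff);
}
// Constructed demonstration: student 7 is logged in and asks for another user's PDF.
$session = array('user_id' => 7, 'role' => 'student');
$users = array();
var_dump(change_password_handler($session, array('new_password' => 'x'), $users));
var_dump(change_password_handler($session, array('new_password' => 'x', 'csrf_token' => csrf_token($session)), $users));
var_dump(grades_pdf_allowed($session, array('USER_ID' => 8)), grades_pdf_allowed($session, array('USER_ID' => 7)));
```

The first call is rejected because the POST carries no token, the second succeeds only for the session's own account, and the PDF check denies USER_ID 8 while allowing the student's own id.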
Results
- Got an overview of the most commonly used vulnerabilities and how to use them in testing.
- Learned how to use different pen-testing tools and web test environments.
- The study information system is now free of a couple of critical bugs.
- Documentation:
https://wiki.itcollege.ee/index.php/Security_team
Thank you for listening!
Questions?