
IDENTIFYING SECURITY ISSUES IN A HIGHER INSTITUTE CMS LAB SITE


Presentation Transcript


  1. IDENTIFYING SECURITY ISSUES IN A HIGHER INSTITUTE CMS LAB SITE
     Panagiotis Loumpardias, Konstantinos Chimos

  2. Introduction
     • The number of websites rises constantly
     • Websites are easy to build
     • There are step-by-step guides for everything
     • Many users are turning to CMSs (Drupal, Joomla, etc.)
     • Universities also use them

  3. Are websites safe?
     • The answer should be “No one can really tell for sure!”
     • Searching for “Hack a website” returns 74 million results in Google
     • There were 75% more website attacks in 2013 than in 2012

  4. Securing a website
     • Design and deploy on a test server
     • Look for known vulnerabilities of the software you use
     • Check your site with security auditing tools
     • Fix vulnerabilities
     • Check again

  5. Auditing Tools
     • Lots of options
     • Commercial
     • Open Source
     • Windows
     • Linux
     • With GUI
     • Command line

  6. Tool 1 - Arachni
     • Open Source
     • Runs on Mac & Linux
     • Scalable resource usage, combining more than one machine
     • User collaboration friendly
     • Can run on a remote computer and be accessed from a web browser

  7. Arachni results

  8. Results evaluation
     • Cross Site Request Forgery could only be exploited when posting full HTML as administrator
     • Server backdoors were false results
     • Unencrypted password forms can lead to password interception
     • Backup files were also false results
     • Some common sensitive files existed but without sensitive information
     • Auto-completed password fields could lead to password loss, especially when there is physical access to the user’s computer
     • Interesting responses were mostly the server denying access
     • E-mail addresses were public
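Two of the Arachni findings above, unencrypted password forms and password fields that allow browser autocomplete, are easy to verify by hand once you know what to look for in the markup. The script below is an added example written for this page, not code from the presentation or from Arachni: it parses a page's HTML with the standard library and reports password forms that post over plain HTTP and password fields whose effective autocomplete setting is not "off". The `cms.example.edu` hostname and both HTML snippets are constructed samples, not the lab site's markup.

```python
"""Added example: an offline check for the two password-form findings
discussed on the slide (unencrypted password forms, autocomplete on
password fields). Sample HTML and hostnames below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class PasswordFormAuditor(HTMLParser):
    """Collect every <form> on a page together with its password inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # one dict per <form>
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # attribute values may be None
        if tag == "form":
            # An empty/missing action submits back to the page itself;
            # relative actions are resolved against the page URL.
            action = attrs.get("action") or self.page_url
            self._current = {
                "action": urljoin(self.page_url, action),
                "form_autocomplete": (attrs.get("autocomplete") or "on").lower(),
                "password_fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["password_fields"].append({
                    "name": attrs.get("name") or "?",
                    "autocomplete": (attrs.get("autocomplete") or "").lower(),
                })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_password_forms(page_url, html):
    """Return a list of (severity, message) findings for one page."""
    parser = PasswordFormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["password_fields"]:
            continue
        # Finding 1: credentials sent without TLS can be intercepted in transit.
        if urlparse(form["action"]).scheme != "https":
            findings.append(("high", f"password form posts to {form['action']} without TLS"))
        # Finding 2: the browser may store the password unless autocomplete is
        # off on the field or, failing that, on the whole form. (Current
        # browsers largely ignore this hint for login fields, so TLS, not the
        # attribute, is the control that actually protects the credential.)
        for field in form["password_fields"]:
            effective = field["autocomplete"] or form["form_autocomplete"]
            if effective != "off":
                findings.append(("low", f"password field '{field['name']}' allows browser autocomplete"))
    return findings


# Constructed sample pages: a weak login form and a hardened one.
WEAK_PAGE = """
<form action="http://cms.example.edu/user/login" method="post">
  <input type="text" name="name">
  <input type="password" name="pass">
</form>
"""

HARDENED_PAGE = """
<form action="https://cms.example.edu/user/login" method="post" autocomplete="off">
  <input type="text" name="name">
  <input type="password" name="pass">
</form>
"""

if __name__ == "__main__":
    for label, url, page in (("weak", "http://cms.example.edu/user/login", WEAK_PAGE),
                             ("hardened", "https://cms.example.edu/user/login", HARDENED_PAGE)):
        print(label, audit_password_forms(url, page))
```

Feed it the HTML of each page that contains a login form (the output of a crawler, or a saved copy of the page) and the page's own URL, so relative form actions resolve correctly; a form that posts to a relative path on an `http://` page is reported exactly like one with an absolute `http://` action.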

  9. Tool 2 – OWASP ZAP
     • Open Source
     • Cross platform (Windows – Linux)
     • Proposes a solution for most results
     • Users can rate and comment on results to help with troubleshooting

  10. OWASP ZAP results

  11. Results evaluation
     • Cross-domain JavaScript source file inclusion is true, but all the files come from trusted sources
     • Password autocomplete in the browser can lead to password theft
     • The X-Content-Type-Options header is missing, so some browsers can be tricked into content-sniffing cleverly named malicious files and executing them
     • The X-Frame-Options header is not set, which can result in clickjacking attacks
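The two header findings from the ZAP run are the kind of check worth re-running after every fix and deployment. The script below is an added example for this page, not code from the presentation or from ZAP: it inspects a response's headers for `X-Content-Type-Options: nosniff` and for an `X-Frame-Options` value of `DENY` or `SAMEORIGIN`, and it treats a `Content-Security-Policy` with a `frame-ancestors` directive as an acceptable replacement for `X-Frame-Options`, which is how current browsers prioritise the two. The header dictionaries are constructed samples, not captured from the lab site; `fetch_headers` is a small helper around `urllib` for use against your own test server.

```python
"""Added example: checking response headers for the X-Content-Type-Options
and X-Frame-Options findings from the slide. Header sets below are
constructed samples."""
import urllib.request

# Accepted values per header (compared case-insensitively).
CHECKS = {
    "X-Content-Type-Options": {"nosniff"},
    "X-Frame-Options": {"deny", "sameorigin"},
}


def _get(headers, name):
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def check_security_headers(headers):
    """Return a list of finding strings for a dict of response headers."""
    findings = []
    for name, allowed in CHECKS.items():
        value = _get(headers, name)
        if value is None:
            findings.append(f"{name} header is missing")
        elif value.lower() not in allowed:
            findings.append(f"{name} has unexpected value '{value}'")
    # A CSP frame-ancestors directive also restricts framing and takes
    # precedence over X-Frame-Options in browsers that support it, so an
    # X-Frame-Options finding is dropped when such a policy is present.
    csp = _get(headers, "Content-Security-Policy") or ""
    if "frame-ancestors" in csp.lower():
        findings = [f for f in findings if not f.startswith("X-Frame-Options")]
    return findings


def fetch_headers(url, timeout=10):
    """Fetch a URL on your own test server and return its response headers.
    Assumed helper for live use; the checks themselves are pure functions."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed samples: a default CMS response, a hardened one, and one that
# relies on CSP instead of X-Frame-Options.
MISSING_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "Apache"}
HARDENED_HEADERS = {
    "content-type": "text/html; charset=utf-8",
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
}
CSP_ONLY_HEADERS = {
    "Content-Type": "text/html",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("missing", MISSING_HEADERS), ("hardened", HARDENED_HEADERS),
                        ("csp-only", CSP_ONLY_HEADERS)):
        print(label, check_security_headers(hdrs) or "OK")
```

On an Apache host the usual fix is a pair of `Header always set` directives from mod_headers (for example `Header always set X-Content-Type-Options "nosniff"` and `Header always set X-Frame-Options "SAMEORIGIN"`); re-run the check afterwards against every page type, since CMS modules and error pages sometimes emit responses that bypass the site-wide configuration.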

  12. Tool 3 - w3af
     • Open Source
     • Runs best on Linux
     • Can directly exploit some of the vulnerabilities it discovers
     • Does not repeat a result that is found on every page
     • Only exports the results in various formats; it does not save the program session

  13. w3af results

  14. Results evaluation
     • Clickjacking was the only valid result
     • Discovery of virtual hosts may prove to be problematic if they are vulnerable

  15. Tool 4 - JSKY
     • Commercial
     • Runs on Windows
     • The only commercial program with a fully working, unlimited trial
     • Describes the impact of the vulnerabilities found
     • Gives recommendations for troubleshooting

  16. JSKY results

  17. Results evaluation
     • None of them proved to be threatening in our case

  18. Conclusion
     • Auditing with only one program may not be enough
     • If on a budget, open source tools seem to give decent results
     • Using SSL should be the first thing to do if possible
     • Choose a CMS with strong community support for more help in troubleshooting
     • Run your own scans and try to find even more results if possible
