Security
Team page for Deploying IT Infrastructure Solutions.
Team Members
- Sten Aus, Estonian Information Technology College
- Matis Palm, Estonian Information Technology College
- Sandra Suviste, Estonian Information Technology College
- Markus Rintamäki, Vaasa University of Applied Sciences
- Tomas Lepistö, Vaasa University of Applied Sciences
- Mika Salmela, Vaasa University of Applied Sciences
- Kęstutis Tautvydas, Vilnius University of Applied Sciences
- Jurij Lukjančikov, Vilnius University of Applied Sciences
Goal
- OWASP top 10
- HACK DVWA
- BackTrack, SamuraiCD (last year's experience)
- Scanning and testing tools - Qualys SSL Labs
- Acunetix Web Vulnerability Scanner v.8
- SubGraph Vega
- BEAST attack
- RC4
Activity
Monday - 25.03.13
Things we did that day:
- Lectures
- Sumorobot programming
- Dinner @ St Patricks
Tuesday - 26.03.13
Things we did that day:
- Documentation!
A1 Injection - Sandra
A2 Broken Authentication and Session Management (was formerly A3) - Kęstutis
A3 Cross-Site Scripting (XSS) (was formerly A2) - Kęstutis
A4 Insecure Direct Object References - Markus
A5 Security Misconfiguration (was formerly A6) - Tomas
A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) - Mika
A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) - Sten
A8 Cross-Site Request Forgery (CSRF) (was formerly A5) - Matis
A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) - Jurij
A10 Unvalidated Redirects and Forwards - Sten
Problems we faced:
- Still need to get everyone a VM with DVWA running
Things we plan to do:
- Copy-paste documentation tasks to the Wiki :)
- Divide OWASP tasks
Wednesday - 27.03.13
Things we did that day:
- Meeting with clients. It was a very open meeting and we got to know more about the requirements.
- Analysing the user needs. We discussed face to face with our client and mentor (Margus Ernits) what needs to be done in order to perform security testing. We also found some tools on the Internet which we can use for testing purposes.
- We divided roles and shared our areas of competence. We also agreed that nobody should always be doing the same thing, so that we can share our work with each other.
- Estonian ICT presentation and Wireshark practice. Wireshark was more or less known to everyone in our team. Despite that, we all found something enjoyable and new in Antti's presentation and the Wireshark exercise.
- The Estonian members gave a presentation on the Study Information System (SIS) to the Finnish and Lithuanian members. We talked about some potential vulnerabilities (such as the VÕTA declaration, file upload, sending messages, the voting system).
Problems we faced:
- As none of us has done security testing before, we have a lot to learn before we can actually do something. But I think with a team like ours, it's nothing.
Things we plan to do:
- The Estonian members are going to study last year's report and give a short overview of it to the other members.
- We are going to study the OWASP Top 10 vulnerabilities, and each of us is going to give a short presentation to the others about what they have learned.
- We are going to ask whether a new survey and a new declaration period can be opened for us in the demo (development) environment. We also need teacher and demo accounts in order to test the teacher's side as well, because teachers have a little more access than students (grades, information about students etc.).
- In the demo environment we are going to test new functions that haven't been included in the main environment yet, as there is some new functionality.
Thursday - 28.03.13
Things we did that day:
- OWASP TOP 10 presentations: everybody presented their subject, followed by discussion (slides)
- Discussed the schedule and to-do list for next days
- Discussed some potential vulnerabilities of SIS
- Made a shared Google Doc to document the testing and to exchange information. We also made a Skype group to share files quickly and effectively.
- Prepared software for testing (Backtrack, Kali)
Problems we faced:
- There is a lot of information; we need to focus on something and just start. There is no start line ("start here and go this way"), we will just need to start and see what we find.
Things we plan to do:
- Find attack examples for the vulnerabilities
- Try them out on DVWA
- Get familiar with Tamper Data, Kali and Backtrack
- Familiarise ourselves with XSS, Injection, CSRF before testing SIS
- See how to get authentication info from POST and GET
Security threat of a day
- There are three environments of SIS: live, demo and developer. We found out that the developer environment is accessible with our live users and passwords. What's more -> the developer environment has LIVE data!!! Like! Does that ring any bell to you? NEVER, we mean like NEVER use live data (data, grades, schedule, students, personal IDs etc) in a demo/developer environment!
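The finding above is about live personal data sitting in a non-production environment. The standard fix is to pseudonymise before copying. The following Python is an added example, not code from this page or from the SIS: the student records, the export key and the `pseudonym`, `build_demo_dataset` and `leaks_live_identifiers` functions are all constructed for the illustration. Direct identifiers are replaced with keyed hashes (so records still join across tables), grades are randomised, and an export gate refuses any dataset in which a live identifier survives.

```python
import hashlib
import hmac
import random

# Constructed sample records in the shape a student information system might hold;
# every name, personal ID code and grade here is invented for this example.
LIVE_STUDENTS = [
    {"student_id": 2322, "name": "Mari Maasikas", "personal_id": "49001011234", "grade": "A"},
    {"student_id": 2323, "name": "Jaan Tamm", "personal_id": "38512064321", "grade": "C"},
]

# Fields that identify a real person; their live values must never reach demo/dev.
DIRECT_IDENTIFIERS = ("name", "personal_id")
GRADES = "ABCDEF"


def pseudonym(value: str, secret: bytes, length: int = 12) -> str:
    """Keyed hash of a value: the same input always maps to the same pseudonym, so
    joins between exported tables keep working, but without the secret the
    pseudonym cannot be linked back to the person."""
    return hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def pseudonymise_record(record: dict, secret: bytes, rng: random.Random) -> dict:
    """Replace direct identifiers with pseudonyms and grades with random values;
    technical keys such as student_id are kept so the application still works."""
    out = dict(record)
    out["name"] = "Student " + pseudonym(record["name"], secret)
    out["personal_id"] = pseudonym(record["personal_id"], secret)
    out["grade"] = rng.choice(GRADES)
    return out


def build_demo_dataset(live_records, secret: bytes, seed: int = 0) -> list:
    rng = random.Random(seed)  # seeded so the export is reproducible
    return [pseudonymise_record(r, secret, rng) for r in live_records]


def leaks_live_identifiers(candidate_records, live_records) -> bool:
    """Gate to run before any dataset is loaded into demo/dev: if any live value of a
    direct identifier field appears anywhere in the candidate data, refuse it."""
    live_values = {r[f] for r in live_records for f in DIRECT_IDENTIFIERS}
    return any(v in live_values for r in candidate_records for v in r.values())
```

The export key is the only thing that links pseudonyms back to people, so it stays with the production side and is never copied to the demo or developer environment along with the data.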
Friday - 29.03.13
Things we did that day:
- Learned how to perform attacks: we learned different attack methods and tried them out.
- Learned how to use different automated tools. Automated tools are not very effective against SIS, but something interesting might still turn up in the results. The results are saved for later analysis.
- Talked about last year's experience. Checked whether most of the security holes have been patched or not.
Problems we faced:
- We need student access to developer environment
- We need a new survey and declaration period opened (we asked Margus, and he promised to pass our request to someone who can do it)
Things we plan to do:
- Analysis of the results needs to be done
- Learn a little bit more about attacks
- Create some attacks
- Start testing simpler attacks on SIS
Security threats of the day:
- One can see another student's exam plan just by changing the student_id value in the URL (you don't need to be logged in). You cannot see his/her name directly, but combined with the other security holes present now: see the schedule, just change the ID - you get the name. Or if you are logged in, go to "My data" and change the ID in the URL again.
For example: https://itcollege.dev.ois.ee/en/schedule/agenda?student_id=2322
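The schedule finding above is a textbook insecure direct object reference (OWASP A4): the `student_id` in the URL names the object, but nothing checks that the requesting session may see it. The following Python is an added example, not code from the page or from the SIS, of how such a handler should decide access; `User`, `SCHEDULES`, `LECTURER_STUDENTS`, the roles and `handle_agenda_request` are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # assumed roles: "student", "lecturer" or "admin"


# Constructed data: each student's agenda and which students a lecturer teaches.
SCHEDULES = {
    2322: ["Mon 10:00 Networks exam", "Thu 14:00 Databases exam"],
    2323: ["Tue 12:00 Programming exam"],
}
LECTURER_STUDENTS = {900: {2322}}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def can_view_schedule(user: Optional[User], student_id: int) -> bool:
    """Authorisation decision: the identity comes from the session, never from the
    URL; the URL parameter only names the object being requested."""
    if user is None:
        return False
    if user.role == "admin":
        return True
    if user.role == "student":
        return user.user_id == student_id
    if user.role == "lecturer":
        return student_id in LECTURER_STUDENTS.get(user.user_id, set())
    return False


def get_schedule(user: Optional[User], student_id: int, audit: list) -> list:
    if user is None:
        raise Unauthenticated()
    if not can_view_schedule(user, student_id):
        # Denied cross-user lookups are logged: a burst of these from one session
        # with changing ids is what ID guessing looks like on the server side.
        audit.append({"user_id": user.user_id, "student_id": student_id, "result": "denied"})
        raise Forbidden()
    return SCHEDULES.get(student_id, [])


def handle_agenda_request(session_user: Optional[User], query: dict, audit: list):
    """Models a request to /schedule/agenda?student_id=NNNN and returns
    (http_status, body)."""
    try:
        student_id = int(query.get("student_id", ""))
    except ValueError:
        return 400, None
    try:
        return 200, get_schedule(session_user, student_id, audit)
    except Unauthenticated:
        return 401, None
    except Forbidden:
        return 403, None
```

The anonymous case returns 401 rather than data, which closes the "you don't need to be logged in" half of the finding, and every denied lookup leaves an audit record that a monitoring rule can count per session.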
Saturday - 30.03.13
Things we did that day:
- Visiting Tallinn TV Tower
- Visiting the Seaplane Harbour
Sunday - 31.03.13
Free day
Monday - 01.04.13
NB! April fools' day! Beware!
Things we did that day:
- We analyzed student information fields in "My data" section
- We tested different sections and tried to change user IDs - luckily these are safe now.
- Tried to use HTTP for different areas of SIS. Luckily, everything is forced to HTTPS.
- Study materials testing. If study materials are available to everyone (public), then they can be downloaded over HTTP and/or HTTPS!
- Tried reflected XSS; most SIS areas escape "bad characters" from the input boxes.
- As the SIS allows academicians (lecturers) to change their picture, we tried to insert some malicious code into a picture. The scenario was that when someone opens the picture, some bad things will happen. This did not work in SIS. Students are not allowed to change their picture for security reasons (for example: another person taking exams claiming he/she is someone he/she is not).
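The picture-upload test above is best met on the server with content checks rather than trust in the client's file name. The following Python is an added example, not the SIS's code and not something the page describes the SIS as doing; `check_picture`, `stored_name`, the `ALLOWED` table and the size limit are constructed for the illustration. The type is decided from the file's leading bytes, the extension must agree with that type, the server picks the stored name, and a cheap marker scan catches the crudest script-in-image payloads.

```python
import os
import secrets

MAX_BYTES = 512 * 1024  # assumed limit for a profile picture

# Accepted image types: canonical extension and the file signature ("magic bytes")
# that a real file of that type starts with.
ALLOWED = {
    "image/png": (".png", b"\x89PNG\r\n\x1a\n"),
    "image/jpeg": (".jpg", b"\xff\xd8\xff"),
}


def sniff_image_type(data: bytes):
    """Type is decided from the bytes, not from the name the client chose."""
    for mime, (_, magic) in ALLOWED.items():
        if data.startswith(magic):
            return mime
    return None


def check_picture(filename: str, data: bytes):
    """Returns (accepted, reason-or-mime). Every check is server-side; the client's
    filename is only consulted to make sure it does not contradict the content."""
    if not data or len(data) > MAX_BYTES:
        return False, "empty or larger than %d bytes" % MAX_BYTES
    mime = sniff_image_type(data)
    if mime is None:
        return False, "content is not a PNG or JPEG"
    ext = os.path.splitext(filename)[1].lower()
    if ext == ".jpeg":
        ext = ".jpg"
    if ext != ALLOWED[mime][0]:
        return False, "extension %r does not match %s content" % (ext, mime)
    # Cheap heuristic for script payloads appended after a valid image header.
    # It is not a substitute for re-encoding the image and serving uploads from
    # a location where the web server never executes anything.
    if b"<?php" in data or b"<script" in data.lower():
        return False, "script markers found inside image data"
    return True, mime


def stored_name(mime: str) -> str:
    """Server-chosen name: random, with the extension of the verified type."""
    return secrets.token_hex(16) + ALLOWED[mime][0]
```

The two measures that actually close the "open the picture and bad things happen" scenario are outside this snippet: re-encode the accepted image with an image library so foreign bytes are dropped, and serve uploads with a fixed Content-Type from a path the web server treats as static data only.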
Problems we faced:
- Still no new declaration etc opened for us. Maybe tomorrow?
Things we plan to do:
- We strongly hope that a new declaration period, survey, scholarship application and VÕTA will be opened for us by tomorrow morning, so that we can test them as well, as we don't have much time left.
- Go deeper with different attacks and methods.
Security threats of the day:
- SIS (Study Information System) is vulnerable to the BEAST attack, because it uses the RC4 encryption algorithm in SSL. We as a test team are not able to perform this kind of attack, so we cannot test how far we could get, but this is a threat to the whole system. A BEAST attack can sniff an authorized user's cookies and then grant access to the attacker.
- There's no character limit for input fields (search, names). This can lead to a DoS attack, because an attacker can send multiple requests with long URLs until the server freezes.
- Calendar: there's no limit or check on whether the user has typed only numbers. The error is rendered back to the user, but it is escaped.
- There are some developer's notes left in different SIS parts (not only in the developer environment).
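For the unlimited input fields and the unchecked calendar parameter above (and the reflected XSS attempts from Monday), the server-side fix has the same shape every time: cap and validate each parameter before it is used for anything, and escape whatever is reflected into an error page. The following Python is an added example, not code from the page or from the SIS; the field limits, the patterns and `render_error` are constructed for the illustration.

```python
import html
import re
from datetime import date

# Assumed per-field maximum lengths; the check runs before the value is used.
MAX_LENGTH = {"search": 100, "first_name": 60, "last_name": 60}
# Control characters and angle brackets are never part of a name or search term.
TEXT_RE = re.compile(r"[^\x00-\x1f<>]*")
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def validate_text(field: str, value: str):
    """Returns (accepted, message). Length is checked first so an oversized value is
    rejected with a trivial amount of work instead of reaching the database."""
    limit = MAX_LENGTH[field]
    if len(value) > limit:
        return False, "%s must be at most %d characters" % (field, limit)
    if not TEXT_RE.fullmatch(value):
        return False, "%s contains characters that are not allowed" % field
    return True, ""


def validate_calendar_date(value: str):
    """Calendar parameters must be digits in YYYY-MM-DD form and a real date. The
    message never echoes the raw value; that is left to render_error."""
    if not DATE_RE.fullmatch(value):
        return False, "date must be in YYYY-MM-DD form"
    year, month, day = (int(part) for part in value.split("-"))
    try:
        date(year, month, day)
    except ValueError:
        return False, "not a real calendar date"
    return True, ""


def render_error(user_value: str, message: str) -> str:
    """HTML fragment shown to the user. The rejected input is reflected only after
    escaping (and truncation), which is what keeps the error page free of
    reflected XSS."""
    return "<p class=\"error\">%s: %s</p>" % (
        html.escape(message, quote=True),
        html.escape(user_value[:MAX_LENGTH["search"]], quote=True),
    )
```

The length checks protect the application, but an oversized URL should be stopped even earlier: a request-line limit at the web server (Apache's `LimitRequestLine` directive, for example) rejects it before any application code runs at all.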
Tuesday - 02.04.13
Things we did that day:
- Visiting Skype office.
- Learning the principles of good presentation to put into practice tomorrow and on Thursday.
- SIS is using a field called "security_key_sis_global". This form value does not change and is based on user data. We have found out that it does not change even when the password is changed, so it must be calculated from the person's name and/or username and/or personal ID code and/or user_id value. Our assumption is that this is a SHA1 hash, as it is 40 characters long. Maybe salted, maybe not? Anyway, this could be a threat to SIS in the long term.
- Studied the OWASP ASVS (Application Security Verification Standard) with SIS in mind. Marked the requirements we cannot check (because we do not have the source code etc.), the requirements we believe are met and those that need further testing.
- Got the chance to insert a new VÕTA (APEL) request that also allows for uploading files. This is interesting because it might be possible to upload a file containing malicious code.
- The SIS does not ask for the password when changing the personal e-mail address. This is a risk, because this is the address to which SIS sends the password reset link if the user clicks "Forgot my password".
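Two of the day's findings, the unchanging "security_key_sis_global" value and the e-mail change without a password, are about the same property: a value that gates an account action should be secret, random and revocable, not derived from stable user data, and changing the password-reset address should cost a re-authentication and a confirmation from the new address. The following Python is an added example, not code from this page or from the SIS; `Account`, `SessionStore`, `OUTBOX` and the confirmation flow are constructed, and PBKDF2 for password storage is an assumption, since the page says nothing about how the SIS stores passwords.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt if salt is not None else os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    email: str
    password_hash: bytes
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None


class SessionStore:
    """Session tokens are random and per login, not derived from user data, so they
    cannot be precomputed and can be invalidated, for example on password change."""

    def __init__(self):
        self.sessions = {}  # token -> username

    def login(self, account: Account, password: str) -> Optional[str]:
        if not verify_password(password, account.password_hash):
            return None
        token = secrets.token_hex(20)
        self.sessions[token] = account.username
        return token

    def valid(self, token: str, username: str) -> bool:
        return self.sessions.get(token) == username

    def revoke_all(self, username: str) -> None:
        self.sessions = {t: u for t, u in self.sessions.items() if u != username}


OUTBOX = []  # constructed stand-in for the mail system: (kind, recipient, payload)


def request_email_change(account, sessions, token, new_email, current_password) -> str:
    """Changing the password-reset address requires a live session AND the current
    password, and the new address must prove it is reachable before it takes effect."""
    if not sessions.valid(token, account.username):
        return "not logged in"
    if not verify_password(current_password, account.password_hash):
        return "re-authentication failed"
    account.pending_email = new_email
    account.pending_token = secrets.token_urlsafe(32)
    OUTBOX.append(("verify", new_email, account.pending_token))
    OUTBOX.append(("notify", account.email, "an e-mail address change was requested"))
    return "verification sent"


def confirm_email_change(account: Account, token: str) -> bool:
    if account.pending_token is None or not hmac.compare_digest(token, account.pending_token):
        return False
    account.email = account.pending_email
    account.pending_email = account.pending_token = None
    return True


def change_password(account, sessions, old_password, new_password) -> bool:
    if not verify_password(old_password, account.password_hash):
        return False
    account.password_hash = hash_password(new_password)
    sessions.revoke_all(account.username)  # every existing session token stops working
    return True
```

The notification to the old address is the detection half: a user whose session was hijacked still learns that someone tried to move their reset address, which a silent change (as the page describes) never reveals.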
Problems we faced:
- Really would have liked to have more time to test.
Things we plan to do:
- Prepare and rehearse the presentation
- Look further into the e-mail modification issue.
- Finalise ASVS review
Wednesday - 03.04.13
Things we did that day:
- Studied and analysed ASVS. Went through the requirements and aspects of web application security and analysed what applies to SIS and what does not.
- We learned and practiced public presentation. Discussed structure and divided roles. Rehearsed presentation to "audience".
- SIS testing (security token), JavaScript upload, tried to find XSS vulnerabilities in the APEL (VÕTA) application and file upload areas etc.
Problems we faced:
- Lack of time. Preparing and rehearsing the presentation took so much time which could have been used for testing SIS. Also, testing SIS took so much time which could have been used for rehearsal.
Things we plan to do:
- We want to review and rehearse our final presentation.
- Update our documentation in Wiki.
- Upload and link presentations to persons and fill gaps in documentation.
Thursday - 04.04.13
Things we did that day:
- Dress rehearsal. Updated presentation according to feedback and capabilities.
- Updated documentation to Wiki and uploaded missing presentations.
- Personal input section filling in Wiki.
- Went bowling. :)
Problems we faced:
- Sometimes one minute feels like it is not a minute. :)
Things we plan to do:
- Final documentation (link to Google docs).
- IP feedback
- Summarisation
Friday - 05.04.13
Things we did that day:
Problems we faced:
Things we plan to do:
Saturday - 06.04.13
Departure! Bye bye!
Materials (slides etc)
- Slides about the OWASP (Open Web Application Security Project) TOP 10 that we presented to each other
- TOP 10 list Media:OWASP_Top_10_-_2013_-_RC1.pdf
- A1 Injection Media:2013_security_a1.pdf (Made by: Sandra)
- A2 Broken Authentication and Session Management Media:2013_security_a2.pdf (Made by: Kęstutis)
- A3 Cross-Site Scripting (XSS) Media:2013_security_a3.pdf (Made by: Kęstutis)
- A4 Insecure Direct Object References Media:2013_security_a4.pdf (Made by: Markus)
- A5 Security Misconfiguration Media:2013_security_a5.pdf (Made by: Tomas)
- A6 Sensitive Data Exposure Media:2013_security_a6.pdf (Made by: Mika)
- A7 Missing Function Level Access Control Media:2013_security_a7.pdf (Made by: Sten)
- A8 Cross-Site Request Forgery (CSRF) - was covered in A1
- A9 Using Known Vulnerable Components Media:2013_security_a9.pdf (Made by: Jurij)
- A10 Unvalidated Redirects and Forwards Media:2013_security_a10.pdf (Made by: Sten)
- Day summarisation:
- Slides presented on the 28th of March day summarization. Media:2013 security presentation 28 03.pdf
- Slides presented on the 1st of April day summarization. Media:2013_security_presentation_01_04.pdf
- Final presentation of project on the 4 April 2013 Media:2013_security_final_presentation.pdf (Made by whole team, structure by Sandra and Jurij)
- Security teamwork (whiteboard):
- Whiteboard 27.03 Media:Security team 2013-03-27.jpg
- Whiteboard 28.03 Media:security_2013_picture_2803.JPG
- Whiteboard 29.03 Media:security_2013_picture_2903.JPG
- Whiteboard 01.04 Media:security_2013_picture1.JPG
- Whiteboard 02.04 Media:security_2013_picture_0204.JPG
- Whiteboard 03.04 Media:2013_security_presentation_structure.jpg (Discussion about final presentation)
- Virtual Machines (VM VirtualBox .ova files):
Results
Summary of what we did and the solution we developed
Personal input
Sten Aus
- What I did:
- I was selected as a group leader (project manager) on the first day (25 March). We decided also that this is a democracy not a tyranny. :)
- Helped others to use different kinds of tools (Apache, Linux, DVWA, Wordpress etc), as I have dealt with them before (subjects in college with Margus, pre-school experience).
- Presentations to each other about OWASP TOP 10 (A7 - Missing Function Level Access Control and A10 - Unvalidated Redirects and Forwards).
- Demos about SIS vulnerabilities in different presentations (to group members, other participants and audience).
- What I learned:
- How to do documentation? I have documented my work before as well, but in such a big group as we had, it was a first-time experience for me.
- I learned how big value "same day feedback and summarisation" has.
- What security threats are out there and how to protect yourself (and your systems) against them. I have already taken different security measures into account in many web applications what I am using (or administering).
Matis Palm
- What I did:
- Helped teaching Apache & Linux & DVWA to other participants (due to having some experience already from before).
- Helping with sumorobot programming (Being from the robotics club).
- I helped to push the team in some direction at start, because no-one had previous experience and I was here last year on the Intensive Programme with the previous Security team.
- What I learned:
- Learned a lot about how to use and search for information for security testing (XSS, CSRF and so on).
- I learned about ASVS and OWASP and a few tools used for testing (e.g. TamperData, InjectMe XSS and CSRF and so on).
Sandra Suviste
- What I did:
- Researched and presented vulnerability No 1 from the OWASP Top 10 list - Injection (A1 - Injections).
- Practised attacks on the DVWA.
- Went through the OWASP ASVS document for possible shortcomings of the SIS.
- Tested the SIS for vulnerabilities, mostly SQL and XSS injections - both in web forms and in the URL.
- Documented my own and others' work.
- Together with Jurij we were responsible for the final presentation structure (Final presentation slides).
- What I learned:
- A lot about web application vulnerabilities - from my own research & practice and from others' presentations and teachers' lectures.
- Became more experienced in working in a multinational group with English as the working language.
- I learned how to document my work in order to keep track of the work of the team.
- I also learned what are the issues connected to the preparing of and giving a presentation with several (>3) presenters.
Markus Rintamäki
- What I did:
- OWASP TOP 10 presentations to each other (A4 - Insecure Direct Object References).
- Different attacks on SIS, changing user ids, SQL injection and XSS.
- Tried to upload a picture (for a lecturer) infected with malicious .php code.
- I also used a tool in Backtrack to decrypt the token that we found. This was also unsuccessful.
- Googled a lot
- What I learned:
- My knowledge in hacking a real system before this course was close to a zero. I had to learn the basic attack methods and so I did.
- Basic attack methods in DVWA: SQL injection, XSS and CSRF.
- What is SIS and how does it work?
- I also learned to program sumorobots, more about Linux and Wireshark.
- We made the presentation structure together.
- And also of course I learned to speak English more fluently. :)
Tomas Lepistö
- What I did:
- Tried to find out possible security holes from OIS site.
- Tested different attacking methods with DVWA
- SQL-injection tests into various places on OIS site.
- Tested some XSS methods
- OWASP TOP 10 presentation to each other (A5 - Misconfigured Configuration).
- Prepared our presentation with other group members
- Spoke in daily summary
- Studied a lot of information to know what is hacking about?
- What I learned:
- I learned how to use SQL injection, XSS, brute force, CSRF
- I learned also how to use Kali, Backtrack, Tamper Data, DVWA
- Working in international group
- How important documentation is
- Found out how important it is to make web-application secure
Mika Salmela
- What I did:
- I studied hacking methods
- Tried some hacking methods with DVWA
- I scanned the website, trying to find whether there are some security risks
- Tried some SQL and XSS injections
- OWASP TOP 10 presentations to each other (A6 - Sensitive Data Exposure).
- What I learned:
- More than the basics of how to hack.
- The most common hacking methods and how to use them.
- How to do SQL and XSS injections
- Basics of hacking tools
- How to find security risks
- How to work in international team.
- Learned much about what these are: DVWA, OWASP and ASVS.
Kęstutis Tautvydas
- What I did:
- OWASP TOP 10 presentations to each other (A2 - Broken Authentication and Session Management and A3 - Cross-Site Scripting (XSS)).
- Searched for security holes in OIS student information site.
- Used the DVWA tool to test SQL injections and XSS scripting.
- Tried some SQL injections and XSS scripting on the OIS page
- Made presentations about broken authentication and session management and cross-site scripting and introduced them to my team mates
- Prepared some slides for the main presentation
- What have I learned:
- Theory about OWASP TOP 10 threats
- How to do SQL injections
- How to use the Firefox Tamper Data tool
- How to do cross-site scripting
- Completely understood what a use case is and how to draw them
- How to monitor activities with Wireshark
- How to do a scan of web site vulnerability using Acunetix Web Vulnerability Scanner 8
Jurij Lukjančikov
- What I did:
- OWASP TOP 10 presentation to each other (A9 - Using Known Vulnerable Components)
- I and Sandra were responsible for the final presentation structure (Final presentation slides)
- XSS and injection attacks to SIS
- What have I learned:
- I have learned about security breaches on the web.
- I have tried different parts of web for vulnerabilities and injection.
- Together with team learned how to make injection and XSS attacks using Linux (Linux was unfamiliar for me before that).