Student ID Number (Do not include student name as anonymous marking is implemented): XXXXXXXXX
Programme Title: Computing Technologies (QA)
Module Title: Web Application Security
Module Code (listed on Moodle and in LTAFP): QAC020N256S
Module Convenor: Shahbaz Ahmad
Coursework Title: Design and Develop Web Application Security Testing
Academic Declaration: Students are reminded that the electronic copy of their essay may be checked, at any point during their degree, with Turnitin or other plagiarism detection software for plagiarised material.
Word Count: 2237
Date Submitted: 06/03/2020

Table of Contents:
1. Introduction
2. Set up a fully functioning Web Application
2.1. Configuration details of the environment setup: VirtualBox
2.2. Configuration details of the environment setup: XAMPP/WAMP
2.3. Web/application and back-end database
3. Web Application Security Testing
3.1. Nmap scanning
3.2. Wireshark sniffing
3.3. SQL injection using SQLmap
4. Design and implement a web security model
4.1. Firewall
4.2. IDS/IPS
4.3. Antivirus
4.4. Encryption
5. Referencing and Bibliography

1. Introduction

Security is the process of maintaining an acceptable level of risk; as Mich Kabay put it, "Security is a process, not an end state." For modern businesses, web applications have become the main point of exposure, because almost every company's activity now depends on web and cloud technologies. Gartner reports that most attacks, around 80% overall, target web applications, and these intrusions usually exploit vulnerabilities in the application code itself. The factors that make web applications vulnerable are: the low security of the applications themselves; the public accessibility of the internet, which lets external attackers reach companies' confidential data; and increasing complexity.

Figure 1. Web Application Security Risk (source: www.owasp.org)
For this assignment we were given a scenario in which our role is trainee Web Application Security Analyst, which gives the opportunity to explain what a security analysis involves. Our responsibility is to carry out web/application security testing, because the client's website may contain security vulnerabilities, and to report the findings with reasoned conclusions.

2. Set up a fully functioning Web Application

2.1. Configuration details of the environment setup: VirtualBox

1. Go to www.virtualbox.org and, once the home page is open, click the Downloads button on the left side of the screen.
Figure 2. VirtualBox webpage
2. Under "VirtualBox binaries", choose the build that matches the host operating system. Because I use Windows, I chose "Windows hosts"; the page offers the latest version available on the download date.
Figure 3. VirtualBox webpage
3. Once the download is complete, launch the downloaded file to start the installation and follow the required steps.
Figures 4 to 4.6. Download and installation of VirtualBox (screenshots)
4. Once the installation is complete, press Finish and VirtualBox will open.
Figure 5. VirtualBox Manager
5. Click Start to open the virtual machine window. If the network error shown in Figure 6 appears, click "Change Network Settings" and set the adapter to Bridged Adapter.
Figure 6. Possible error when the VM is started
6. When the VM has booted, set up the username and password; for this project we use the credentials shown below.
Figure 7. VirtualBox main screen

2.2. Configuration details of the environment setup: XAMPP/WAMP
Figures 8 to 8.2. XAMPP download (screenshots)
Figures 9 to 9.3. XAMPP installation (screenshots)
Figures 9.4 to 9.11. XAMPP installation (screenshots)

2.3. Web/application and back-end database
Figure 10. Back-end database illustration
Figure 11. Launch the XAMPP control panel
Figure 12. Start the MySQL database
Figure 13. Browsing to 127.0.0.1 to test XAMPP
Figure 14. Browsing to localhost to check XAMPP

Mutillidae installation
1. Go to http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10%20 and download the Mutillidae ZIP archive.
Figure 15. Download Mutillidae
Figure 16. Unzip the Mutillidae folder
2. Copy the extracted folder into the XAMPP web root, /htdocs/.
Figure 17. Mutillidae installation
3. In the browser open localhost/mutillidae/ and the application's front page will load.
Figure 18. Launching the localhost/mutillidae website
Figure 19. User Lookup (SQL) page

3. Web Application Security Testing

3.1. Nmap scanning

To install Nmap in the VirtualBox VM, open www.nmap.org in the browser.
Figure 20. Nmap download
Figure 21. Nmap download
To run Nmap, open a Terminal, type sudo nmap, press Enter and give the password (cybercops). With no arguments Nmap prints its usage summary, which lists all the options available for the different scanning methods.
Figure 22. Nmap options for scanning
Figure. Nmap example scan
The Examples section of that usage text shows what a basic Nmap run looks like: the nmap command followed by the parameters -v -A, which shape the results we get back. -v increases verbosity, so Nmap reports more about what it is doing; -A enables aggressive scanning, which adds operating-system detection, version detection, default script scanning and traceroute. Before scanning anything real, note that the Nmap project provides a free test host, scanme.nmap.org, which everyone has permission to scan.
Figure 23. Nmap website for scanning
Second example: nmap -v -sn 192.168.0.0/16 10.0.0.0/8 performs a ping scan (host discovery only, no port scan) across those two address ranges.
Figure 24. Result for scanning an IP address range
Scanning open ports
To scan for open ports, open the terminal and enter nmap -A -T4 localhost. The scan takes from a few seconds to a few minutes, depending on the local network and the device.
Figure 25. Result for scanning open ports
The screenshot shows that only one open port was found.

Scan your network
Enter ifconfig in the terminal to find the host's IP address and subnet mask. In the following example, the interface address is 127.0.0.1 with subnet mask 255.0.0.0.
Figure 26. ifconfig command
Enter nmap -A -T4 <network address>/<prefix> to locate the hosts on the LAN. The host part of the address is set to zero to obtain the network address, so for 127.0.0.1 with netmask 255.0.0.0 the network address is 127.0.0.0 and the prefix is /8. Note that 127.0.0.0/8 is the loopback range, so this particular scan only reaches the local machine; to scan the real LAN, use the address of the bridged interface (for example a 192.168.x.0/24 network).
Figure 27. nmap -A -T4 command

Scan a remote server
Enter nmap -A -T4 scanme.nmap.org in the terminal.
Figure 28. nmap -A -T4 command
According to the screenshot, the scan of scanme.nmap.org completed in 53.34 seconds, reported 256 IP addresses and identified the operating system as Linux.
Nmap shows which ports are open on a target and which services and versions listen on them. Running it against a target system is the first step in finding its weaknesses and planning how they could be exploited, but it only maps the attack surface; exploitation needs further tools, such as the ones in the next sections.

3.2. Wireshark sniffing
To run Wireshark we have two options: launch it from the terminal with sudo wireshark-gtk, or start it from the CyberOps Workstation VM's menu: Applications → CyberOPS → Wireshark.
Figure 29. Launching Wireshark
Figure 30. Wireshark network screen
Open the SQL_Lab.pcap file from the lab.support.files directory in /home/analyst:
Figure 31. Location of lab.support.files
Figure 32. Open lab.support.files
In Wireshark I chose frame 16 because it carries an HTTP request, and followed its HTTP stream.
Figure 33. HTTP request
In the stream view the traffic from the source is shown in red and the destination device's response back to the source in blue.
Figure 34. HTTP stream
Entering the query 1' or 1=1 union select database(), user() # into the User ID lookup box on the target 10.0.2.15 produces the HTTP request seen in the stream; the response shown in the figure is an error message, reported as a failure to identify the user.
Figure 35. HTTP stream

3.3. SQL injection using SQLmap
SQL injection is one of the most widespread and critical vulnerabilities in enterprise security. SQLmap is the popular tool that lets a penetration tester automatically detect and exploit SQL injection flaws. To install SQLmap:
1. Open the browser, go to www.sqlmap.org and download the ZIP archive.
2. Unzip the archive. SQLmap is a Python program, so there is nothing further to install: it is run directly with python sqlmap.py from the extracted folder.
Figure 36. Launching SQLmap
The simplest injection command is python sqlmap.py -u <target URL>. Opening Mutillidae on localhost, I copied the URL of the user lookup page to use as the injection target; testing my own local installation keeps the injection legal.
Figure 37. Localhost URL for Mutillidae

Testing the localhost Mutillidae URL
Figure 38. Command entered in the VM to test the Mutillidae URL
Figure 39. Result for the Mutillidae URL

Scan databases
To obtain the names of the available databases, the same command is run with the --dbs option:
Figure 40. Command entered in the VM to enumerate the Mutillidae databases
The following picture shows that six databases were found:
Figure 41. Result of the database enumeration

Scan tables
To select the wanted database use -D <database>, and tell SQLmap to list its tables with --tables:
Figure 42. Command entered in the VM to list the tables
Figure 43. Result for Mutillidae tables
In Figure 43 SQLmap found 13 tables (the back-end DBMS is MySQL, here the MariaDB fork). In the next step I read the contents of one of those tables, again using -D for the database, -T for the table and --dump for the data:

Scan database table entries
Figure 44. Command entered in the VM to dump a table
Figure 45. Result for the credit card table
Dumping the credit_card table from the mutillidae database returned five cards with their full details.

4. Design and Implement a web security model
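The two sections above look at the same flaw from opposite sides: in 3.2 the injected request is read out of the captured HTTP stream, in 3.3 the flaw is exploited. The following added example (not part of the original report, and not Mutillidae's code) ties them together. It parses a constructed HTTP GET shaped like the user-lookup request seen in the stream, URL-decodes the parameters and flags the injection signatures in them, then runs the decoded payload against a constructed sqlite3 accounts table twice: once through a string-concatenated query, which is the defect SQLmap exploits, and once through a parameterized query, which is the fix. The host, path, parameter names and table are assumptions, and sqlite_version() replaces MySQL's database() and user() because the demo runs on SQLite.

```python
"""Added example: decode a captured SQLi request and show the vulnerable vs. safe query."""
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed request, shaped like what "Follow HTTP Stream" displays for the lookup page.
CAPTURED_REQUEST = (
    "GET /mutillidae/index.php?page=user-info.php&username=1%27+or+1%3D1+union+select+"
    "sqlite_version%28%29%2C+%27x%27+--+&password=&user-info-php-submit-button="
    "View+Account+Details HTTP/1.1\r\n"
    "Host: 10.0.2.15\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)

# Signatures an IDS or WAF would look for in the decoded parameter values.
SQLI_PATTERNS = {
    "tautology": re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I),
    "union": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "comment": re.compile(r"(--|#|/\*)"),
    "stacked": re.compile(r";\s*(drop|insert|update|delete)\b", re.I),
}


def parse_request(raw):
    """Return (method, path, decoded params) from the request line of an HTTP message."""
    request_line = raw.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return method, parts.path, params


def find_sqli(params):
    """Map each parameter to the signature names it matches; clean parameters are omitted."""
    findings = {}
    for name, value in params.items():
        hits = [sig for sig, rx in SQLI_PATTERNS.items() if rx.search(value)]
        if hits:
            findings[name] = hits
    return findings


def make_db():
    """Constructed accounts table standing in for Mutillidae's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts(username TEXT, password TEXT);
        INSERT INTO accounts VALUES ('admin','adminpass'),('bob','bobpass'),('alice','alicepass');
    """)
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the attacker rewrites the SQL, which is what SQLmap exploits."""
    sql = "SELECT username, password FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the value is bound as data and can never change the statement."""
    sql = "SELECT username, password FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    _, path, params = parse_request(CAPTURED_REQUEST)
    print("request to", path, "flagged:", find_sqli(params))
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, params["username"]))
    print("safe:      ", lookup_safe(db, params["username"]))
```

The vulnerable lookup returns every account plus the row injected by the UNION (the tautology 1=1 disables the WHERE clause and the trailing -- comments out the closing quote), while the parameterized lookup returns nothing because no user has that literal name. The same difference is what separates an application SQLmap can dump with --dump from one it cannot.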
4.1. Firewall
A firewall is designed to prevent unauthorized access to a private network: it creates a security barrier between the public internet and the private network, because hackers and malicious traffic will always try to reach the private network. The firewall is the principal component that blocks them, and it is essential for large organizations with many workstations and servers, which cannot afford to let an intruder sweep through the whole organization. A firewall works by filtering incoming network data against a set of rules, the access control list (ACL), that decide which traffic to allow and which to deny.
Figure 46. Firewall code setup

4.2. IDS/IPS
An intrusion detection system (IDS) and an intrusion prevention system (IPS) are both part of the network infrastructure. They compare network packets against a cyberthreat database containing the signatures of known cyberattacks, and flag any packet that matches.
Figure 47. IDS vs IPS (source: www.varonis.com)
An IDS is essentially an add-on security solution that aims to protect vulnerable computing systems. Its major tasks are to collect data from a system, to analyse that data to discover security-relevant events, and to present the results of the analysis to the system administrator. An IPS goes further and reacts to suspicious activity, by shutting down the connection or by reconfiguring the firewall to block all traffic from the suspected malicious source. This can be done on the command of an operator or automatically.

4.3. Antivirus
An antivirus program protects applications and documents from infection. Usually running as a background process, antivirus software scans computers, servers or mobile devices to detect viruses and restrict their spread.
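Returning to the firewall model of section 4.1: the filtering it describes is a first-match access control list, and the following added example (not part of the original report and not the configuration from Figure 46) implements that model so the ordering effects can be seen. Rules are checked top to bottom and the first match decides; a packet that matches no rule falls through to an implicit deny, the default-deny posture a perimeter firewall should have. The rule set, the 192.168.10.0/24 "private network" with its web server 192.168.10.5, the office range 203.0.113.0/24 and the sample packets are all constructed assumptions.

```python
"""Added example: first-match ACL evaluation with an implicit default deny."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "any"
    src: str                    # source CIDR, e.g. "0.0.0.0/0" for anywhere
    dst: str                    # destination CIDR
    dport: Optional[int] = None  # None = any destination port
    note: str = ""


# Constructed inbound ACL for an internet-facing web server inside a private network.
ACL = [
    Rule("deny", "any", "192.168.10.0/24", "0.0.0.0/0",
         note="anti-spoofing: the internal range must never arrive from outside"),
    Rule("allow", "tcp", "0.0.0.0/0", "192.168.10.5/32", 80, "public web"),
    Rule("allow", "tcp", "0.0.0.0/0", "192.168.10.5/32", 443, "public web (TLS)"),
    Rule("allow", "tcp", "203.0.113.0/24", "192.168.10.5/32", 22, "admin SSH from the office"),
    Rule("deny", "tcp", "0.0.0.0/0", "192.168.10.0/24", 3306,
         "database is never reachable from outside"),
]


def matches(rule, proto, src, dst, dport):
    """True when the packet fits every field of the rule."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(acl, proto, src, dst, dport=None):
    """First matching rule wins; no match at all means the implicit deny."""
    for rule in acl:
        if matches(rule, proto, src, dst, dport):
            return rule.action, rule.note
    return "deny", "implicit deny (no rule matched)"


# Constructed inbound packets as (proto, src, dst, dport).
SAMPLE_PACKETS = [
    ("tcp", "198.51.100.7", "192.168.10.5", 443),   # public HTTPS
    ("tcp", "198.51.100.7", "192.168.10.5", 22),    # SSH from the internet
    ("tcp", "203.0.113.40", "192.168.10.5", 22),    # SSH from the office
    ("tcp", "198.51.100.7", "192.168.10.5", 3306),  # direct database access
    ("tcp", "192.168.10.99", "192.168.10.5", 80),   # spoofed internal source
    ("udp", "198.51.100.7", "192.168.10.5", 53),    # nothing allows this
]


def run(acl=ACL, packets=SAMPLE_PACKETS):
    """Evaluate every sample packet and return (packet, action, note) triples."""
    return [(pkt, *evaluate(acl, *pkt)) for pkt in packets]


if __name__ == "__main__":
    for pkt, action, note in run():
        print(f"{pkt}: {action:5} ({note})")
```

The spoofed packet is the instructive case: it is HTTP to the web server, which rule two would allow, but the anti-spoofing rule sits above it and wins, which is why rule order matters as much as rule content in an ACL.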
Antivirus products include real-time threat detection and protection, guarding the private network against potential vulnerabilities by regularly scanning device files and looking for potential risks.
Figure 48. Commands to install Sophos Anti-Virus

4.4. Encryption
Encryption is the process of encoding a message so that its meaning is not obvious. The example here uses the Ionic platform SDK. The first step is to create a new key; when encrypting data it is highly recommended to use a different key for each piece of data, and Ionic makes creating a new key a single line of code. The second step is to initialize an AES cipher, which requires a key; in this example the newly created key is used. Once the AES cipher has been initialized, encryption is simply a matter of calling encrypt. After the data has been encrypted it is typically encoded into a payload that carries both the ciphertext and the key ID. The recipient must have the key ID (or an external ID) in order to request the correct key from the Ionic platform, so before the encrypted data can be stored or transmitted it must be packaged with the keyId. Keeping the ciphertext and the keyId together is critical: without the keyId it would be impossible to determine which key is needed to decrypt the data.
Figure 49. Example for Encryption

5. Referencing and Bibliography
Sullivan, B. and Liu, V. (2011). Web Application Security, A Beginner's Guide. McGraw Hill Professional.
Serrão, C. and Aguilera, V. (eds.) (2010). Web Application Security: Iberic Web Application Security Conference, IBWAS 2009, Madrid, Spain, December 10-11, 2009. Revised Selected Papers. Springer.
Clarke-Salt, J. (2009). SQL Injection Attacks and Defense. Syngress.
Cross, M. (2007). Developer's Guide to Web Application Security. Syngress Publishing.
Stuttard, D. and Pinto, M. (2011). The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. John Wiley & Sons.
Hoffman, A. (2020).
Web Application Security: Exploitation and Countermeasures for Modern Web Applications. O'Reilly Media, Incorporated.
Scambray, J. and Shema, M. (2006). Hacking Exposed Web App. McGraw-Hill Education (India) Pvt Limited.
Scambray, J. and Liu, V. (2010). Hacking Exposed Web Applications, Third Edition. McGraw Hill Professional.
Khawaja, G. (2018). Practical Web Penetration Testing: Secure web applications using Burp Suite, Nmap, Metasploit, and more. Packt Publishing Ltd.
Kim, P. (2018). The Hacker Playbook 3: Practical Guide to Penetration Testing. Independently Published.
Lepofsky, R. (2014). The Manager's Guide to Web Application Security: A Concise Guide to the Weaker Side of the Web. Apress.
Prasad, P. (2016). Mastering Modern Web Penetration Testing. Packt Publishing Ltd.
Shema, M. (2010). Seven Deadliest Web Application Attacks. Syngress.
Splaine, S. (2002). Testing Web Security: Assessing the Security of Web Sites and Applications. Wiley.
Varonis (n.d.). IDS vs IPS. Retrieved from https://www.varonis.com/blog/ids-vs-ips/
Vittie, L. M. (2015). Web Application Security is a Stack: How to CYA. IT Governance Ltd.
Zalewski, M. (2011). The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press.
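Worked example for section 4.4 (Encryption), added here and not part of the original report or of Ionic's SDK, whose API is not reproduced. It implements the same key-per-object pattern with the Python cryptography package (pip install cryptography): a fresh AES-256-GCM key is created for every piece of data and registered under a key ID, the ciphertext is packaged together with that key ID and the nonce, and the recipient uses the key ID from the payload to fetch the right key before decrypting. The in-memory KeyStore stands in for the Ionic key service and is an assumption, as are the sample records.

```python
"""Added example: one key per data item, packaged as keyId + nonce + ciphertext (AES-GCM)."""
import base64
import json
import secrets
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class KeyStore:
    """Stand-in for the key service: issues a new key per request and returns keys by ID."""

    def __init__(self):
        self._keys = {}

    def create_key(self):
        key_id = "k" + secrets.token_hex(8)
        self._keys[key_id] = AESGCM.generate_key(bit_length=256)
        return key_id

    def get_key(self, key_id):
        if key_id not in self._keys:
            raise KeyError(f"unknown keyId {key_id}: nothing can be decrypted without its key")
        return self._keys[key_id]


def encrypt(store, plaintext, associated_data=b""):
    """Create a new key for this item, encrypt with AES-GCM and package keyId, nonce, ciphertext."""
    key_id = store.create_key()
    nonce = secrets.token_bytes(12)  # 96-bit GCM nonce; must never repeat under the same key
    ciphertext = AESGCM(store.get_key(key_id)).encrypt(nonce, plaintext, associated_data)
    payload = {
        "keyId": key_id,
        "nonce": base64.b64encode(nonce).decode(),
        "ciphertext": base64.b64encode(ciphertext).decode(),
    }
    return json.dumps(payload)


def decrypt(store, payload_json, associated_data=b""):
    """Read the keyId out of the payload, fetch that key, then authenticate and decrypt."""
    payload = json.loads(payload_json)
    key = store.get_key(payload["keyId"])
    nonce = base64.b64decode(payload["nonce"])
    ciphertext = base64.b64decode(payload["ciphertext"])
    return AESGCM(key).decrypt(nonce, ciphertext, associated_data)


def key_id_of(payload_json):
    """Convenience accessor: which key a stored payload needs."""
    return json.loads(payload_json)["keyId"]


def demo():
    """Encrypt the same constructed card number twice as two separate records."""
    store = KeyStore()
    record1 = encrypt(store, b"4111 1111 1111 1111", b"record=1")
    record2 = encrypt(store, b"4111 1111 1111 1111", b"record=2")
    return store, record1, record2


if __name__ == "__main__":
    store, record1, record2 = demo()
    print(record1)
    print(decrypt(store, record1, b"record=1"))
```

Because each record gets its own key, the two payloads carry different key IDs and different ciphertexts even though the plaintext is identical, and a payload whose key ID is altered, or whose associated data no longer matches, cannot be decrypted at all; that is the property the paragraph above describes when it says the keyId must travel with the ciphertext.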