Submitted by: Ashish Sharma, B.Tech (I.T.), Guru Gobind Singh Indraprastha University
Under the guidance of: Mr. Kapil Kr. Sharma
Page | 1
ACKNOWLEDGEMENT
We take this opportunity to acknowledge the guidance, cooperation and inspiration of all those who in one way or another helped us in our endeavour to complete this research and prepare a meaningful report on eBudget security testing. Our project is unique in that we were fortunate enough to be associated with a prestigious professional institute. Among the many people who have been enormously helpful, both mentally and physically, in the preparation of this project, it becomes very difficult to categorize who was of greatest support. We would like to thank Mr. Kapil Kr. Sharma, our industry guide, for providing us the inspiration for undertaking this project and for his continuous support, encouragement and guidance at all stages.
DECLARATION
I, ASHISH SHARMA, student of 3rd year B.Tech - IT, Amity School of Engineering and Technology, Guru Gobind Singh Indraprastha University, have completed the project on Security Testing of E-Budget for the academic year 2010-2011 from National Informatics Centre (Ministry of Finance), New Delhi.
The training was imparted for a period of 6 weeks, which helped me understand the working of a high-end organization such as National Informatics Centre. The information given in this project is true to the best of
Ashish Sharma 0911043108 B.Tech (Information Technology) Amity School of Engineering and Technology
ABSTRACT
This report describes the various types of flaws or bugs present in eBudget, an application developed by NIC. The application was developed for the management of various budgets in ministries and to implement a green approach in our government offices by replacing the current file systems, in which a lot of paper is wasted. It also gives an easier tracking system for the various types of budgets. The application was tested with tools such as Burp Suite and Firebug for security risks such as injection, cross-site scripting and URL access, with the security objectives of authorization, authentication, integrity and confidentiality. It was also tested for vulnerabilities and threats such as checking the constraints given in the white list and brute force attacks. This report also provides the measures that can be taken to fix the flaws discovered during the testing phase.
Contents
Introduction about NIC
Application security
Difference between vulnerabilities, threats and risks
Top 10 Application Security Risks
Security objectives
Vulnerabilities
Threats
Web applications
End to end deployment scenario
Roles and key scenarios
Technologies
Vulnerabilities found in eBudget
1. Insecure cryptographic storage
2. Broken authentication and session management
3. Cross site scripting
4. Cross site request forgery
5. Injection flaws
6. Same sessionid for two users
7. Server information displayed to the user
Glossary
Cookie
Browser cache
SSL
Get and Post method
Web server
Salted MD5 hashing scheme
Cryptography
Milestones
Central Government Informatics Development Programme - a strategic decision to overcome the Digital Divide in Central Government Departments during the Fifth Plan Period (i.e. 1972-77);
NICNET - a first of its kind in developing countries, using state-of-the-art VSAT technology. Gateway for Internet/Intranet access and resource sharing in Central Government Ministries and Departments during the 1980s and 1990s;
IT in Social Applications and Public Administration;
State Government Informatics Development Programme - a strategic decision to overcome the Digital Divide in Central and State Governments/UT Administrations during the Seventh Plan Period (i.e. 1985-1990);
DISNIC - a NICNET based District Government Informatics Programme, a strategic decision in 1985 to overcome the Digital Divide in the District Administrations;
Reaching out into India during 1985-90, even before the arrival of Internet Technology, to all the districts of the country, which is a land of diversity and different types of terrain, various Agro-climatic conditions, different levels of socio-economic conditions, and varied levels of regional development etc.
Video-Conferencing operations first commenced in the early 90s and now connect 490 locations
National Informatics Centre Services Inc. (NICSI) was set up in 1995, as a section 25 Company under National Informatics Centre. NICSI is preferred by government departments for outsourcing the entire range of IT solutions and services.
India Image Portal is a gateway to the Indian government information with a mission to extend comprehensive WWW services to Government Ministries and Departments Under this project, over 5000 Government of India websites are being hosted.
A significant outcome of India Image Portal, which came about in the early years of the millennium, is the GOI Directory, a first of its kind comprehensive directory providing information about websites of the Indian government at all levels.
Also, in late 2005, all the services and websites in the India Image Portal were brought under one interface to provide single-window access to citizens. This is the National Portal, accessible at http://india.gov.in.
Integrated Network Operations Centre (I-NOC) was established in 2002 for round the clock monitoring of all the WAN links across the country.
NIC Data Centre, established in 2002, hosts over 5000 websites & portals. Data Centres which have been established at State capitals for their local storage needs, have storage capacity from 2-10 Tera Bytes.
NIC has been licensed to function as Certifying Authority (CA) in the G2G domain and CA services commenced in 2002.
NIC set up the Right to Information Portal in order to provide support to the Government for speedy and effective implementation of the Right to Information Act 2005.
Over the years NIC has extended the satellite based Wide Area Network to more than 3000 nodes and well over 60,000 nodes of Local Area Networks in all the Central Government offices and State Government Secretariats.
As a major step in ushering in e-Governance, NIC implements the following minimum agenda as announced by the Central Government:
Internet/Intranet Infrastructure (PCs, Office Productivity Tools, Portals on Business of Allocation and Office Procedures)
IT empowerment of officers/officials through Training
IT enabled Services including G2G, G2B, G2C, G2E portals
IT Plans for Sectoral Development
Business Process Re-engineering
NIC provides a rich and varied range of ICT services delineated below.
Digital Archiving and Management
Digital Library
E-Commerce
E-Governance
Geographical Information System
IT Training for Government Employees
Network Services (Internet, Intranet)
Video Conferencing
Web Services
General Informatics Services
Medical Informatics
Bibliographic Services
Intellectual Property and Know-How Informatics Services
Setting up of Data Centres
Building Gigabit Backbone
IT Consultancy Services
Turnkey IT Solutions
Thus NIC, a small programme started by the external stimulus of a UNDP project in the early 1970s, became fully functional in 1977 and has since grown with tremendous momentum to become one of India's major S&T organizations promoting informatics-led development. This has helped to usher in the transformation required in government to ably meet the challenges of the new millennium.
Application security:
Application security is the use of software, hardware, and procedural methods to protect applications from external threats. Security measures built into applications and a sound application security routine minimize the likelihood that hackers will be able to manipulate applications and access, steal, modify, or delete sensitive data. Once an afterthought in software design, security is becoming an increasingly important concern during development as applications become more frequently accessible over networks and are, as a result, vulnerable to a wide variety of threats.
Actions taken to ensure application security are sometimes called countermeasures. The most basic software countermeasure is an application firewall that limits the execution of files or the handling of data by specific installed programs. The most common hardware countermeasure is a router that can prevent the IP address of an individual computer from being directly visible on the Internet. Other countermeasures include conventional firewalls, encryption/decryption programs, anti-virus programs, spyware detection/removal programs, and biometric authentication systems.
Application security can be enhanced by rigorously defining enterprise assets, identifying what each application does (or will do) with respect to these assets, creating a security profile for each application, identifying and prioritizing potential threats, and documenting adverse events and the actions taken in each case. This process is known as threat modelling. In this context, a threat is any potential or actual adverse event that can compromise the assets of an enterprise, including both malicious events, such as a denial-of-service (DoS) attack, and unplanned events, such as the failure of a storage device.
Difference between vulnerabilities, threats and risks:
Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. A threat is what we're trying to protect against.
Vulnerability: Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset. A vulnerability is a weakness or gap in our protection efforts.
Risk: The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. Risk is the intersection of assets, threats, and vulnerabilities.
Top 10 Application Security Risks:
A1-Injection - Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
A2-Cross site scripting - XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users' identities.
A4-Insecure Direct Object References - A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
A5-Cross site request forgery - A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
A7-Insecure Cryptographic Storage - Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.
A8-Failure To Restrict URL Access - Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.
Security objectives:
When you create and carry out a security policy, you must have clear objectives. Security objectives fall into one or more of the following five categories:
Authorization: Assurance that the person or computer at the other end of the session has permission to carry out the request.
Authentication: Assurance or verification that the resource (human or machine) at the other end of the session really is what it claims to be.
Integrity: Assurance that arriving information is the same as that sent.
Non-repudiation: Assurance (accountability) that any transaction that takes place can subsequently be proven to have taken place. Both the sender and the receiver agree that the exchange took place.
Confidentiality: Assurance that sensitive information remains private and is not visible to an eavesdropper, usually achieved by using encryption.
Vulnerabilities:
The application vulnerabilities are:
Missing or weak input validation at the server.
Checking constraints given in the white list (e.g. size, type, etc.) before uploading the photograph.
Failure to protect the database from SQL injection.
Failure to encode output, leading to potential cross-site scripting issues.
Exposing an administration function through the Web (CSRF).
Threats:
The following threats could affect the application:
Brute force attacks occur for certain fields if size and type constraints are not put on them.
Network eavesdropping occurs between the browser and Web server to capture client credentials.
SQL injection occurs, enabling an attacker to exploit an input validation vulnerability to execute commands in the database and thereby access and/or modify data.
Cross-site scripting occurs when an attacker succeeds in injecting script code.
Cookie replay or capture occurs, allowing an attacker to spoof identity and access the application as another user.
Web Applications:
A web application is any application that uses a web browser as a client. The application can be as simple as a message board or a guest sign-in book on a website, or as complex as a word processor or a spreadsheet.
End to end deployment scenario:
[Figure: end-to-end deployment diagram. Labels in the diagram: Browser, HTTP, Apache web server, TCP/IP, web application, identity (form authentication, LDAP), database server holding the employee database.]
Roles:
Application roles are:
Employee
Administrator
Key Scenarios
Important application scenarios are:
An Employee/Administrator enters his credentials to log into his account.
An Employee/Administrator is authenticated through LDAP.
After authentication, an admin can update ministries, manager module details and the financial year, and an employee can upload different doc files to different financial years.
An Employee submits the filled form.
An Administrator can make changes.
An Employee/Administrator must log out of his account after signing in.
Technologies
The application is developed and deployed using the following technologies:
Web Server : Apache
Application Server : Tomcat 1.6
Presentation logic : JavaScript and HTML
Business logic : Java
Data access logic : HQL
Database Server : Postgres database
Framework : Wicket, Spring, Hibernate
Vulnerabilities found in eBudget:
1. INSECURE CRYPTOGRAPHIC STORAGE
Step 2: The user enters his user name and password and presses the login button. When we check through the testing tool Burp Suite, all the login details, including the password, are visible and not encrypted. Hence the password may be easily stolen by attackers, making the application insecure.
Recommendations:
1. Clear the text area once the user selects the login button, or send the credentials in encrypted format.
2. Use the salted MD5 hashing scheme to encrypt the password.
2. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
Step 2: Log in from another user's account, in our case username "so" and password "so".
Step 5: Passed it to the sessionid parameter of the admin's account, and we were logged into the account of the user "so".
3. CROSS SITE SCRIPTING
Recommendations:
1. The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. Developers need to include this escaping in their applications unless their UI framework does this for them.
2. Positive or whitelist input validation is also recommended, as it helps protect against XSS.
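The context-specific escaping and whitelist validation recommended above, as an added example that is not code from the eBudget application; the account head row, the field names and the hostile sample value are constructed for illustration:

```python
import html
import json
import re
from urllib.parse import quote

# Constructed hostile value of the kind a free-text field such as the
# account head description might receive.
HOSTILE_DESCRIPTION = '"><script>alert(1)</script>'


def escape_html_body(value: str) -> str:
    """HTML body context: & < > become entities so no tag can start."""
    return html.escape(value, quote=False)


def escape_html_attr(value: str) -> str:
    """Quoted attribute context: both quote characters are escaped as well,
    so the value cannot close the attribute and add a new one."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """JavaScript string context: JSON-encode, then hex-escape < > & so the
    result can never terminate the enclosing <script> block."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def escape_url_param(value: str) -> str:
    """URL query parameter context: percent-encode everything except
    unreserved characters."""
    return quote(value, safe="")


FINANCIAL_YEAR = re.compile(r"\d{4}-\d{4}")


def validate_financial_year(value: str) -> str:
    """Whitelist validation for a field whose legal shape is known (e.g.
    '2010-2011'); anything else is rejected rather than escaped."""
    if not FINANCIAL_YEAR.fullmatch(value):
        raise ValueError("financial year must look like YYYY-YYYY")
    return value


def render_account_head(description: str, year: str) -> str:
    """Render one table row, applying the escaper for each context the
    untrusted description lands in (attribute, body, URL, JavaScript)."""
    year = validate_financial_year(year)
    return (
        f'<tr data-desc="{escape_html_attr(description)}">'
        f"<td>{escape_html_body(description)}</td>"
        f'<td><a href="/budget?year={escape_url_param(year)}'
        f'&amp;q={escape_url_param(description)}">view</a></td>'
        f"<td><script>var d = {escape_js_string(description)};</script></td>"
        "</tr>"
    )


if __name__ == "__main__":
    print(render_account_head(HOSTILE_DESCRIPTION, "2010-2011"))
```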
4. CROSS SITE REQUEST FORGERY
Step 3: Pasted that URL in the address bar after logging out.
The user is able to log in directly just by copying the URL, as shown below.
5. INJECTION FLAWS
Step 1: Logged into the admin account.
Step 2: Clicked on the account master tab and clicked on the add button.
Step 3: Added SQL injection in the account head description and clicked save; the SQL query is saved.
Recommendations:
1. The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface.
2. If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter.
3. Positive or "whitelist" input validation with appropriate canonicalization also helps protect against injection, but is not a complete defense, as many applications require special characters in their input.
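The first two recommendations side by side with the vulnerable form, as an added example that is not eBudget code: the account_head table and its rows are constructed, and SQLite stands in for the Postgres/HQL stack so the block runs offline.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed stand-in for the account master table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account_head (id INTEGER PRIMARY KEY, description TEXT)")
    for desc in ("Salaries", "Travel"):
        conn.execute("INSERT INTO account_head (description) VALUES (?)", (desc,))
    return conn


def find_unsafe(conn, description: str):
    """Vulnerable: the description is spliced into the statement text, so a
    quote in the input changes the structure of the query."""
    sql = f"SELECT id, description FROM account_head WHERE description = '{description}'"
    return conn.execute(sql).fetchall()


def find_safe(conn, description: str):
    """Recommendation 1: parameterized query. The driver sends the value
    separately from the statement, so it is only ever data."""
    return conn.execute(
        "SELECT id, description FROM account_head WHERE description = ?",
        (description,),
    ).fetchall()


def quote_sql_literal(value: str) -> str:
    """Recommendation 2, only when no parameterized API exists: apply this
    interpreter's own rule for string literals (SQLite and Postgres double a
    single quote). Other interpreters (LDAP, a shell) need their own rule."""
    return "'" + value.replace("'", "''") + "'"


def find_escaped(conn, description: str):
    sql = ("SELECT id, description FROM account_head WHERE description = "
           + quote_sql_literal(description))
    return conn.execute(sql).fetchall()


def add_account_head(conn, description: str) -> int:
    """Saving a description that legitimately contains a quote works with
    parameters, which is why recommendation 3 alone is not enough."""
    cur = conn.execute("INSERT INTO account_head (description) VALUES (?)", (description,))
    return cur.lastrowid


if __name__ == "__main__":
    db = setup()
    hostile = "x' OR '1'='1"   # constructed hostile input
    print("unsafe   :", find_unsafe(db, hostile))    # returns every row
    print("safe     :", find_safe(db, hostile))      # returns nothing
    print("escaped  :", find_escaped(db, hostile))   # returns nothing
```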
6. SAME SESSIONID FOR TWO USERS
Step 3: Using Burp Suite we intercepted the requests and noticed that the sessionid for two different sessions is the same.
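A session store that avoids both of the session findings in this report (a session id accepted from a URL parameter, and one id shared by two logins), as an added example that is not taken from the eBudget code; the cookie name, the in-memory store and the user names are assumptions for the illustration.

```python
import secrets
import time

SESSION_COOKIE = "JSESSIONID"   # assumed cookie name for this example


class SessionStore:
    """In-memory session store (constructed for this example)."""

    def __init__(self, idle_timeout: int = 1800):
        self._sessions = {}   # session id -> {"user": str | None, "last_seen": float}
        self.idle_timeout = idle_timeout

    def _new_id(self) -> str:
        # 256 bits from the OS CSPRNG: unpredictable and unique per session,
        # so two logins can never end up with the same id.
        sid = secrets.token_urlsafe(32)
        assert sid not in self._sessions
        return sid

    def start(self) -> str:
        """Anonymous session issued on first contact, before any login."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": time.time()}
        return sid

    def login(self, old_sid: str, username: str) -> str:
        """Bind the user to a brand-new id and discard the pre-login id, so an
        id known before authentication never becomes an authenticated session."""
        self._sessions.pop(old_sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": username, "last_seen": time.time()}
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def current_user(self, cookies: dict, query_params: dict):
        """Resolve the user for a request. Only the session cookie is consulted;
        a sessionid query parameter is ignored, so pasting one into a URL
        cannot select another user's session."""
        sid = cookies.get(SESSION_COOKIE)
        entry = self._sessions.get(sid) if sid else None
        if entry is None:
            return None
        if time.time() - entry["last_seen"] > self.idle_timeout:
            self._sessions.pop(sid, None)
            return None
        entry["last_seen"] = time.time()
        return entry["user"]


def demo() -> dict:
    """Walk through the two findings and return what the store did."""
    store = SessionStore()
    pre_login = store.start()                  # id seen before login
    admin_sid = store.login(pre_login, "admin")
    so_sid = store.login(store.start(), "so")
    results = {
        "ids_differ": admin_sid != so_sid,
        "pre_login_id_dead": store.current_user({SESSION_COOKIE: pre_login}, {}) is None,
        "url_param_ignored": store.current_user({SESSION_COOKIE: admin_sid}, {"sessionid": so_sid}),
        "cookie_wins": store.current_user({SESSION_COOKIE: so_sid}, {}),
    }
    store.logout(so_sid)
    results["after_logout"] = store.current_user({SESSION_COOKIE: so_sid}, {})
    return results


if __name__ == "__main__":
    print(demo())
```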
Glossary
Cookie:
A message given to a Web browser by a Web server. The browser stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server. The main purpose of cookies is to identify users and possibly prepare customized Web pages for them. When you enter a Web site using cookies, you may be asked to fill out a form providing such information as your name and interests. This information is packaged into a cookie and sent to your Web browser, which stores it for later use. The next time you go to the same Web site, your browser will send the cookie to the Web server. The server can use this information to present you with custom Web pages. So, for example, instead of seeing just a generic welcome page you might see a welcome page with your name on it. The name cookie derives from Unix objects called magic cookies. These are tokens that are attached to a user or program and change depending on the areas entered by the user or program.
Browser cache:
Your browser (Netscape, Internet Explorer, etc., whatever application you use to surf the web) has a folder in which certain items that have been downloaded are stored for future access. Graphic images (such as buttons, banners, icons, advertising, graphs, and color bars), photographs, and even entire web pages are examples of cache items. When going to a page on a website, your computer will check its cache folder first to see if it already has those images and, if so, it won't take the time to download them again. This makes for faster loading of the page.
The get method:
When you specify method="get" in your <form> tag, the information that you enter into your form will be tacked on to the end of the action= address. For example, go to Yahoo! and type computers in the search area. After you click the Search button, look at the Location area near the top of your browser window. It shows: http://search.yahoo.com/bin/search?p=computers
The first part, up to the ?, is the action address. The part after it, p=computers, includes the word you typed. The neat part of the get method is that you don't even have to use a form to send the data.
Post method:
In computing, POST is one of many request methods supported by the HTTP protocol used by the World Wide Web. The POST request method is used when the client needs to send data to the server as part of the request, such as when uploading a file or submitting a completed form. In contrast to the GET request method, where only a URL and headers are sent to the server, POST requests also include a message body. This allows data of arbitrary length and of any type to be sent to the server.
WEB SERVER:
A web server is a computer program that delivers (serves) content, such as web pages, using the Hypertext Transfer Protocol (HTTP), over the World Wide Web. The term web server can also refer to the computer or virtual machine running the program. In large commercial deployments, a server computer running a web server can be rack-mounted with other servers to operate a web farm.
The following are the various tasks performed by the Web server:
Virtual hosting, to serve many Web sites using one IP address.
Large file support, to be able to serve files whose size is greater than 2 GB on a 32-bit OS.
Bandwidth throttling, to limit the speed of responses in order not to saturate the network and to be able to serve more clients.
Server-side scripting, to generate dynamic Web pages while still keeping Web server and Web site implementations separate from each other.
Salted MD5 hashing scheme:
hash of the submitted password is generated; this can be copied and pasted repeatedly). Hence a salted MD5 hash of the password can be submitted. In this case the submitted value will not be the same every time the salted MD5 password is sent to the server: since the salt (which is a random number) changes every time, the salted hashed password also changes every time. The pre-requisite for this is that the backend database stores an MD5 hash of the password.
When a client requests the login page, the server generates a random number, the salt, and sends it to the client along with the page. JavaScript code on the client computes the MD5 hash of the password entered by the user. It then concatenates the salt to the hash and re-computes the MD5 hash. This result is then sent to the server. The server picks the hash of the password from its database, concatenates the salt and computes the MD5 hash. If the user entered the correct password, these two hashes should match. The server compares the two and, if they match, the user is authenticated.
MD5 is not suitable for applications like SSL certificates or digital signatures that rely on this property. An MD5 hash is typically expressed as a 32-digit hexadecimal number.
MD5 Hash Properties
The MD5 hash consists of a small amount of binary data, typically no more than 128 bits. All hash values share the following properties:
1. Hash length: The length of the hash value is determined by the type of algorithm used, and does not depend on the size of the file. The most common hash value lengths are either 128 or 160 bits.
2. Non-discoverability: Every pair of non-identical files will translate into completely different hash values, even if the two files differ only by a single bit.
3. Repeatability: Each time a particular file is hashed using the same algorithm, the exact same hash value will be produced.
4. Irreversibility: All hashing algorithms are one-way. Given a checksum value, it is infeasible to discover the password.
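The challenge-response flow described above, implemented end to end as an added example that is not the report's or NIC's code; the user "so" and its password are constructed, and the server store holds only the MD5 of the password, as the scheme requires.

```python
import hashlib
import secrets

# Constructed credential store: as the scheme requires, the server keeps only
# MD5(password) per user (sample user "so" with a made-up password).
USER_DB = {"so": hashlib.md5(b"so-password").hexdigest()}


def md5_hex(text: str) -> str:
    """MD5 of a UTF-8 string as a 32-digit hexadecimal number."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def server_issue_salt() -> str:
    """Server side: a fresh random salt generated for every login page request."""
    return secrets.token_hex(16)


def client_response(password: str, salt: str) -> str:
    """Client side (the JavaScript in the scheme): MD5 the typed password,
    concatenate the salt to that hash, and MD5 the result."""
    return md5_hex(md5_hex(password) + salt)


def server_verify(username: str, salt: str, response: str) -> bool:
    """Server side: take the stored MD5 of the password, concatenate the salt
    issued for this attempt, MD5 it, and compare with the client's response.
    compare_digest keeps the comparison time independent of where it differs."""
    stored_hash = USER_DB.get(username)
    if stored_hash is None:
        return False
    expected = md5_hex(stored_hash + salt)
    return secrets.compare_digest(expected, response)


def login_exchange(username: str, password: str):
    """One complete login. Returns (authenticated, salt, response) so the
    values on the wire can be inspected, e.g. to show that a replay fails."""
    salt = server_issue_salt()
    response = client_response(password, salt)
    return server_verify(username, salt, response), salt, response


if __name__ == "__main__":
    ok, salt, response = login_exchange("so", "so-password")
    print("correct password accepted:", ok)
    # A response captured on the wire is useless against the next salt.
    print("replayed response accepted:",
          server_verify("so", server_issue_salt(), response))
```

With this scheme the MD5 stored in the database is itself enough to answer the challenge, so that table must be guarded as if it held plaintext passwords. The salt defeats replay of a captured value but not interception or alteration of the login page itself, so it complements, rather than replaces, transport encryption.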
Cryptography
Cryptography can be defined as the conversion of data into a scrambled code that can be deciphered and sent across a public or private network. Cryptography uses two main styles or forms of encrypting data: symmetric and asymmetric.
Symmetric encryptions, or algorithms, use the same key for encryption as they do for decryption. Other names for this type of encryption are secret-key, shared-key, and private-key. The encryption key can be loosely related to the decryption key; it does not necessarily need to be an exact copy. Symmetric cryptography is susceptible to plaintext attacks and linear cryptanalysis, meaning that such systems are hackable and at times simple to decode. With careful planning of the coding and functions of the cryptographic process, these threats can be greatly reduced.
Asymmetric cryptography uses different keys for encryption and decryption. In this case an end user on a network, public or private, has a pair of keys: one for encryption and one for decryption. These keys are known as a public and a private key; in this instance the private key cannot be derived from the public key. The asymmetric cryptography method has been proven to be secure against computationally limited intruders. The security is a mathematical definition based upon the application of said encryption. Essentially, asymmetric encryption is as good as its applied use; this is defined by the method in which the data is encrypted and for what use. The most common form of asymmetric encryption is in the application of sending messages, where the sender encodes and the receiving party decodes the message by using a random key generated by the public key of the sender.
Burp Suite:
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun. Burp Suite contains the following key components:
An intercepting proxy, which lets you inspect and modify traffic between your browser and the target application.
An application-aware spider, for crawling content and functionality.
An advanced web application scanner, for automating the detection of numerous types of vulnerability.
An intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
A repeater tool, for manipulating and resending individual requests.
A sequencer tool, for testing the randomness of session tokens.
The ability to save your work and resume working later.
Extensibility, allowing you to easily write your own plug-ins to perform complex and highly customized tasks within Burp.
Burp is easy to use and intuitive, allowing new users to begin working right away. Burp is also highly configurable, and contains numerous powerful features to assist the most experienced testers with their work.