Lab

Teacher Notes: Class, for Lab Assignment 8:
• In Section 1, Part 2, Step 4, "all" is referring to the high severity issues, not all of them in the report, and similarly for Section 2, Part 2, Step 3.
• You can update what you build up in Section 1 with the additional risks in Section 2.
• When complete, you should have documented for Skipfish: all the high risk issues (there's just 1), 2 medium risk issues, and 2 low risk issues.
• When complete, you should have documented for RATS: all the high severity issues (there are 3), and 3 medium risk issues.
• For Section 2, Part 3, Step 3, "all" refers to the (11) issues covered in the report.
• You can turn in one vulnerability assessment report (as written in the lab, one is done for Section 1 Part 3 and the other is done for Section 2 Part 3). This vulnerability report should be a combination of all of the issues.
• I strongly recommend that you use the given OWASP sample report format template to document your issues.
• Turn in a high quality, thorough Executive Summary, Summary of Testing Methods, and Findings and Recommendations. Do not skimp on this with a couple of low quality sentences. Also, this is in addition to the report template filled out for each issue. The OWASP sample report template is at the end of the lab. If you are looking for it in the OWASP Code Review Guide, it is in V1.1 of this document (p. 196). V2.0 of this guide discusses a standard report template and its components on page 21. As you are documenting your findings I'm not looking for the extra items in the template like package etc., but I will look for the severity, finding description, risk description and recommendations. You don't have to use or recreate this template, but it is how I expect your findings to be organized.

NOTE: I only have 4 vulnerabilities in total so I need 8 more.

Student Lab 8
Dr. Glenn Hines
CIS 542

In your Lab Report file, document the following information for each of the researched issues in the Skipfish report.
1. Name of the issue, as described by Skipfish
2. Description of the issue
3. Most likely causes of the vulnerability
4. Possible remediations or prevention methods

Name of the issue: Shell Injection Vector
A shell injection vector is an attack in which an attacker takes advantage of vulnerabilities in a web application to execute an arbitrary command on the server for malicious purposes. The main reason an application is vulnerable to shell injection attacks is incorrect or completely missing validation of input data. The most effective way to prevent shell injection attacks is to never call out to OS commands from application-layer code. If calling out to OS commands cannot be avoided, then strong input validation must be performed.

Name of issue: XSS vector via arbitrary URLs
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. The best way to find these flaws is to perform a security review of the code and search for all places where input from an HTTP request could possibly make its way into the HTML output. The best way to protect against XSS is to sanitize your input. Your application code should never output data received as input directly to the browser without checking it for malicious code.

In your Lab Report file, document the following information for each of the researched issues in the RATS report.
1. Name of the issue, as described by RATS
2. Description of the issue
3. Most likely causes of the vulnerability
4. Possible remediations or prevention methods

RATS Results:
Name of issue: fopen
The fopen() function is a file open command used to open a file or URL; it binds the named resource, specified by filename, to a stream. A null pointer return value indicates an error.
fopen() fails and returns a null pointer when search permission is denied on a component of the path prefix; when the file exists and the permissions specified by mode are denied; when the file does not exist and write permission is denied for the parent directory of the file to be created; when the named file is a directory and mode requires write access; or when a component of filename does not name an existing file, or filename is an empty string. One way to prevent this issue is, if the settings are stored in an array, to serialize() them and write the result to a text file.

Name of issue: eval
The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use is therefore discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user-provided data into it without properly validating it beforehand. eval() returns NULL unless return is called in the evaluated code, in which case the value passed to return is returned. As of PHP 7, if there is a parse error in the evaluated code, eval() throws a ParseError exception. It is not possible to catch a parse error in eval() using set_error_handler(). Eval can be prevented by reconfiguring or reinstalling the core file.

In this Lab Report file, create a vulnerability assessment report based on the OWASP documents and your analysis of all the issues researched in this lab.
1. Executive Summary (include a general overview of the security state of the DVWA based on the reports provided)
2. Summary of testing methods/tools used
3. Summary of findings (include all issues researched in this lab)
4. Recommendations (map the researched issues to recommendations outlined by the OWASP and Open SAMM models; cite your work properly)

Executive Summary
Well-informed organizations understand that their websites and applications are more than just an information service; they also represent the corporate image to their customers and the public. If a website or application has to be taken offline due to a security breach, this can result in loss of information, reputation, trust, and revenue. Ensuring that the website or web application can withstand most internet threats therefore lets the organization continue serving customers rather than spending time and money reacting to data loss or availability issues.

Overview
Internet-facing web applications, in particular, can create numerous opportunities for malicious individuals who may wish to compromise your organization's data. Ensuring a balanced level of preparedness and effective programming requires an understanding of the risks. Thoroughness is the key, as undetected vulnerabilities could leave the organization most at risk. Damn Vulnerable Web Application (DVWA) is a deliberately vulnerable web application intended as an aid for security professionals to test their skills and tools, and to better understand the process of securing web applications in a controlled environment. This Web Application Security Assessment analyzes vulnerabilities found in the Damn Vulnerable Web Application (DVWA) as determined by the reports provided; the vulnerabilities were assessed according to the OWASP guidelines. Recommendations outlined by the OWASP and Open SAMM models are provided to improve secure testing and coding of web applications and to prevent similar vulnerabilities from occurring in the future. All security issues that are discovered must be mitigated based upon the following risk levels, which are based on the OWASP Risk Rating Methodology. Mitigation strategies will be required to fix any discovered issues of medium risk level or greater.
• High - Any high risk issue must be fixed immediately, or other mitigation strategies must be put in place to limit exposure.
• Medium - Medium risk issues should be reviewed to determine what is required to mitigate them, based on whether the number of such issues raises the overall risk to an unacceptable level. Issues should be fixed with mitigation strategies that will limit exposure.
• Low - The issue should be reviewed to determine what is required to correct it, and the fix scheduled accordingly.

Tools Used for Analysis
Dynamic analysis tools Skipfish, an active web application security reconnaissance tool, and RATS, the Rough Auditing Tool for Security, were used to identify vulnerabilities within the application. Skipfish prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active security checks.
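The following script is an added example for this report, not code from the lab, from DVWA, or from Skipfish or RATS. For each of the four findings documented above (the shell injection vector and the XSS vector from Skipfish; fopen and eval from RATS) it places the defective pattern next to its hardened form. It is written in Python so that it runs stand-alone; DVWA itself is PHP, and the PHP equivalents are noted in the comments. All function names (validate_host, hardened_ping_argv, open_under_base, load_settings and the others), the PathOutsideBaseError class and the sample inputs are constructed for this example.

```python
"""Hardened counterparts to the four findings above. Python rendering of
DVWA-style PHP code; names and sample inputs are constructed for the example."""
import ast
import html
import ipaddress
import json
import os
import subprocess
import tempfile


# --- Skipfish finding: shell injection vector -----------------------------
def vulnerable_ping_command(host: str) -> str:
    # Raw request input concatenated into a shell command line, so ';' or '|'
    # in host is parsed by /bin/sh (PHP: shell_exec("ping " . $_REQUEST['ip'])).
    # Returned as a string for comparison only; never executed in this example.
    return "ping -c 1 " + host

def validate_host(host: str) -> str:
    """Allowlist validation: only a syntactically valid IPv4/IPv6 address passes."""
    try:
        return str(ipaddress.ip_address(host.strip()))
    except ValueError as exc:
        raise ValueError(f"rejected host parameter {host!r}") from exc

def hardened_ping_argv(host: str) -> list:
    """Argument vector for subprocess.run(argv, shell=False): no shell parses it,
    so host cannot start a second command, and validate_host runs first."""
    return ["ping", "-c", "1", validate_host(host)]

def run_ping(host: str) -> int:
    # The hardened call itself (PHP: an allowlist check plus escapeshellarg());
    # return code 0 means the host answered. Needs a reachable host to be useful.
    return subprocess.run(hardened_ping_argv(host), capture_output=True, check=False).returncode


# --- Skipfish finding: XSS vector via arbitrary URLs ----------------------
def render_greeting_vulnerable(name: str) -> str:
    # Request input reflected into HTML unchanged: the browser renders any markup.
    return f"<p>Hello, {name}</p>"

def render_greeting_hardened(name: str) -> str:
    # Output encoding for an HTML text node; quote=True also encodes ' and "
    # (PHP: htmlspecialchars($name, ENT_QUOTES, 'UTF-8')).
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# --- RATS finding: fopen --------------------------------------------------
class PathOutsideBaseError(ValueError):
    """A user-supplied name resolved outside the directory the app may read."""

def open_under_base(base_dir: str, name: str, mode: str = "r"):
    """Open a file only if it resolves inside base_dir after symlink resolution.
    Empty names, absolute paths and '..' escapes are rejected; the permission,
    directory and missing-file conditions from the fopen finding surface as
    OSError subclasses instead of a silently returned null handle."""
    if not name:
        raise ValueError("filename is an empty string")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PathOutsideBaseError(f"{name!r} resolves outside {base_dir!r}")
    return open(target, mode, encoding="utf-8")


# --- RATS finding: eval ---------------------------------------------------
def save_settings(settings: dict) -> str:
    # Settings written as data (PHP: serialize() or json_encode()), never as code.
    return json.dumps(settings, sort_keys=True)

def load_settings(text: str) -> dict:
    # json.loads parses data only; unlike eval() it cannot run what it reads.
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("settings file must hold a JSON object")
    return data

def parse_literal(text: str):
    """For legacy Python-literal settings: ast.literal_eval accepts literals
    only and raises ValueError on any call, name or attribute access."""
    return ast.literal_eval(text)

def demo_file_handling() -> dict:
    """Write a settings file into a temporary base directory, then record which
    constructed names open_under_base accepts and which it rejects."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "settings.txt"), "w", encoding="utf-8") as fh:
            fh.write(save_settings({"timeout": 30}))
        with open_under_base(base, "settings.txt") as fh:
            inside = load_settings(fh.read())
        outcomes = {}
        for name in ("../../etc/passwd", "/etc/passwd", "", "missing.txt"):
            try:
                with open_under_base(base, name):
                    outcomes[name] = "opened"
            except (ValueError, OSError) as exc:
                outcomes[name] = type(exc).__name__
    return {"inside": inside, "outcomes": outcomes}


if __name__ == "__main__":
    print(vulnerable_ping_command("127.0.0.1; ls"))
    print(hardened_ping_argv("127.0.0.1"))
    print(render_greeting_hardened("<b>guest</b>"))
    print(demo_file_handling())
```

Run directly, the script prints the command string that the vulnerable concatenation would hand to the shell, the argument vector the hardened form passes with shell=False, the encoded greeting, and the result of each constructed file name against open_under_base (the two traversal names and the absolute path are rejected as PathOutsideBaseError, the empty name as ValueError, and the missing file as FileNotFoundError). run_ping is defined but not called because it requires a reachable host.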