4.0
52
Web Application Penetration Testing
ries can be simulated that will fill up the logs faster since, typically, a single request will cause only a small amount of data to be logged, such as date and time, source IP address, URI request, and server result.
Log rotation
Most servers (but few custom applications) will rotate logs in order to prevent them from filling up the file system they reside on. The assumption when rotating logs is that the information in them is only necessary for a limited amount of time.
This feature should be tested in order to ensure that:
• Logs are kept for the time defined in the security policy, not more and not less.
• Logs are compressed once rotated (this is a convenience, since it means that more logs can be stored in the same available disk space).
• File system permissions of rotated log files are the same as (or stricter than) those of the active log files. For example, web servers need to write to the logs they use but do not need to write to rotated logs, so the permissions of the files can be changed upon rotation to prevent the web server process from modifying them.
Some servers might rotate logs when they reach a given size. If this is the case, it must be ensured that an attacker cannot force logs to rotate in order to hide their tracks.
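As an added example (not part of the OWASP Testing Guide), the following Python script builds a constructed sample log directory and audits its rotated files against the three checks above: permissions no looser than those of the active log, compression after rotation, and retention within the policy period. The directory layout, the file naming scheme (access.log.N, optionally with .gz), the sample modes and the 30-day retention period are assumptions made for the example.

```python
"""Audit rotated web server logs: permissions, compression and retention.

Added example, not code from the OWASP Testing Guide. All file names,
modes and ages below are constructed sample data.
"""
import os
import re
import shutil
import stat
import tempfile
import time

# Rotated copies are assumed to be named <active>.<N> or <active>.<N>.gz
ROTATED_RE = re.compile(r"^(?P<base>.+?)\.(?P<n>\d+)(?P<gz>\.gz)?$")


def audit_rotated_logs(log_dir, active_name, retention_days, now=None):
    """Check every rotation of active_name found in log_dir.

    Returns a list of (file name, finding) tuples; an empty list means the
    rotated logs satisfy all three checks.
    """
    now = time.time() if now is None else now
    active_mode = stat.S_IMODE(os.stat(os.path.join(log_dir, active_name)).st_mode)
    findings = []
    for name in sorted(os.listdir(log_dir)):
        m = ROTATED_RE.match(name)
        if not m or m.group("base") != active_name:
            continue  # not a rotation of the log being audited
        st = os.stat(os.path.join(log_dir, name))
        mode = stat.S_IMODE(st.st_mode)
        # "Same or stricter": every permission bit on the rotated file must
        # also be set on the active log; a bit present only on the rotated
        # file means the rotated copy is looser than the active one.
        if mode & ~active_mode:
            findings.append((name, f"mode {mode:04o} is looser than the active log's {active_mode:04o}"))
        if not m.group("gz"):
            findings.append((name, "not compressed after rotation"))
        age_days = (now - st.st_mtime) / 86400
        if age_days > retention_days:
            findings.append((name, f"kept {age_days:.0f} days, policy allows {retention_days}"))
    return findings


def build_sample_dir(now):
    """Constructed sample: one active log and three rotated copies, two of them defective."""
    log_dir = tempfile.mkdtemp(prefix="logaudit-")

    def put(name, mode, age_days):
        path = os.path.join(log_dir, name)
        with open(path, "wb") as f:
            f.write(b"127.0.0.1 - - [constructed sample entry]\n")
        os.chmod(path, mode)
        mtime = now - age_days * 86400
        os.utime(path, (mtime, mtime))

    put("access.log", 0o640, 0)        # active log: the web server may write to it
    put("access.log.1", 0o644, 1)      # world-readable and still uncompressed
    put("access.log.2.gz", 0o640, 2)   # compliant
    put("access.log.3.gz", 0o400, 40)  # stricter mode, but older than the policy allows
    return log_dir


def run_demo(retention_days=30):
    """Build the sample directory, audit it, remove it, and return the findings."""
    now = time.time()
    log_dir = build_sample_dir(now)
    try:
        return audit_rotated_logs(log_dir, "access.log", retention_days, now=now)
    finally:
        shutil.rmtree(log_dir)


if __name__ == "__main__":
    for name, finding in run_demo():
        print(f"{name}: {finding}")
```

Run against a real log directory, point audit_rotated_logs at the server's log path and active file name; the retention value should come from the security policy the page refers to, since the check is only meaningful against a stated requirement.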
Log Access Control
Event log information should never be visible to end users. Even web administrators should not be able to see such logs, since it breaks separation of duties controls. Ensure that any access control schema used to protect access to raw logs, and to any applications providing capabilities to view or search the logs, is not linked with the access control schemas for other application user roles. Neither should any log data be viewable by unauthenticated users.
Log review
Log review can be used for more than extracting usage statistics for files on the web server (which is what most log-based applications typically focus on); it can also be used to determine whether attacks are taking place against the web server.
In order to analyze web server attacks, the error log files of the server need to be analyzed. Review should concentrate on:
• 40x (not found) error messages. A large number of these from the same source might indicate that a CGI scanner tool is being used against the web server.
• 50x (server error) messages. These can be an indication of an attacker abusing parts of the application which fail unexpectedly. For example, the first phases of a SQL injection attack will produce these error messages when the SQL query is not properly constructed and its execution fails on the back end database.
Log statistics or analysis should not be generated, nor stored, in the same server that produces the logs. Otherwise, an attacker might, through a web server vulnerability or improper configuration, gain access to them and retrieve similar information as would be disclosed by the log files themselves.
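As an added example that is not part of the original guide, this Python script reviews constructed NCSA common-format access log lines for the two indicators just described: many 40x responses from a single source, and 50x responses together with the request that produced them. The sample lines, the source addresses, the probe paths and the threshold of five client errors per source are assumptions made for the example.

```python
"""Review access log lines for scanner activity (many 40x) and server errors (50x).

Added example, not code from the OWASP Testing Guide. The log lines below
are constructed sample data, not captured traffic.
"""
import re
from collections import Counter

# NCSA common log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access log line; return None when it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def review_access_log(lines, client_error_threshold=5):
    """Summarise the two indicators from the guide.

    - possible_scanners: sources with at least client_error_threshold 40x responses
    - server_errors: every 50x response with the request path that produced it
    - unparsed: lines that did not match the format (a reviewer should look at these too)
    """
    client_errors = Counter()
    server_errors = []
    unparsed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        elif 400 <= rec["status"] < 500:
            client_errors[rec["src"]] += 1
        elif 500 <= rec["status"] < 600:
            server_errors.append((rec["src"], rec["path"], rec["status"]))
    scanners = {src: n for src, n in client_errors.items() if n >= client_error_threshold}
    return {"possible_scanners": scanners,
            "server_errors": server_errors,
            "unparsed": unparsed}


def _line(src, path, status, ts="10/Oct/2014:13:55:36 +0000"):
    """Build one constructed log line (sample data only)."""
    return f'{src} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'


# Constructed sample log: one source probing several CGI paths, one source whose
# malformed query parameter made the application fail, and ordinary background noise.
SAMPLE_LOG = (
    [_line("203.0.113.5", "/index.html", 200)]
    + [_line("203.0.113.5", f"/cgi-bin/probe{i}.cgi", 404) for i in range(5)]
    + [
        _line("198.51.100.7", "/products.jsp?id=1'", 500),
        _line("198.51.100.7", "/products.jsp?id=1", 200),
        _line("192.0.2.9", "/missing.png", 404),
        "not a log line at all",
    ]
)


if __name__ == "__main__":
    report = review_access_log(SAMPLE_LOG)
    for src, n in report["possible_scanners"].items():
        print(f"{src}: {n} client errors, check for scanner activity")
    for src, path, status in report["server_errors"]:
        print(f"{src}: {status} on {path}, check for malformed or hostile input")
    print(f"{len(report['unparsed'])} line(s) did not parse")
```

The threshold is deliberately a parameter: on a busy site a handful of 404s per source is normal, so the value should be tuned against a baseline before the output is used as an indicator. As the page notes, this analysis should run on a separate host, not on the server that produced the logs.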
References
[1] Apache
• Apache Security, by Ivan Ristic, O’Reilly, March 2005.
• Apache Security Secrets: Revealed (Again), Mark Cox, November 2003 - http://www.awe.com/mark/apcon2003/
• Apache Security Secrets: Revealed, ApacheCon 2002, Las Vegas, Mark J Cox, October 2002 - http://www.awe.com/mark/apcon2002
• Performance Tuning - http://httpd.apache.org/docs/misc/perf-tuning.html
[2] Lotus Domino
• Lotus Security Handbook, William Tworek et al., April 2004, available in the IBM Redbooks collection
• Lotus Domino Security, an X-force white-paper, Internet Security Systems, December 2002
• Hackproofing Lotus Domino Web Server, David Litchfield, October 2001, NGSSoftware Insight Security Research, available at http://www.nextgenss.com
[3] Microsoft IIS
• IIS 6.0 Security, by Rohyt Belani, Michael Muckin - http://www.securityfocus.com/print/infocus/1765
• IIS 7.0 Securing Configuration - http://technet.microsoft.com/en-us/library/dd163536.aspx
• Securing Your Web Server (Patterns and Practices), Microsoft Corporation, January 2004
• IIS Security and Programming Countermeasures, by Jason Coombs
• From Blueprint to Fortress: A Guide to Securing IIS 5.0, by John Davis, Microsoft Corporation, June 2001
• Secure Internet Information Services 5 Checklist, by Michael Howard, Microsoft Corporation, June 2000
• “INFO: Using URLScan on IIS” - http://support.microsoft.com/default.aspx?scid=307608
[4] Red Hat’s (formerly Netscape’s) iPlanet
• Guide to the Secure Configuration and Administration of iPlanet Web Server, Enterprise Edition 4.1, by James M Hayes, The Network Applications Team of the Systems and Network Attack Center (SNAC), NSA, January 2001
[5] WebSphere
• IBM WebSphere V5.0 Security, WebSphere Handbook Series, by Peter Kovari et al., IBM, December 2002.
• IBM WebSphere V4.0 Advanced Edition Security, by Peter Kovari et al., IBM, March 2002.
[6] General
• Logging Cheat Sheet, OWASP
• SP 800-92 Guide to Computer Security Log Management, NIST
• PCI DSS v2.0 Requirement 10 and PA-DSS v2.0 Requirement 4, PCI Security Standards Council
[7] Generic
• CERT Security Improvement Modules: Securing Public Web Servers - http://www.cert.org/security-improvement/
• Apache Security Configuration Document, InterSect Alliance - http://www.intersectalliance.com/projects/ApacheConfig/index.html
• “How To: Use IISLockdown.exe” - http://msdn.microsoft.com/library/en-us/secmod/html/secmod113.asp
Test File Extensions Handling for Sensitive Information (OTG-CONFIG-003)
Summary
File extensions are commonly used in web servers to easily determine which technologies, languages and plugins must be used to fulfill the web request. While this behavior is consistent with RFCs and Web