Security testing of study information system Security team: Matis Alliksoo, Alo Konno, Urmo Lihten, Taavi Podzuks, Sander Saarm
Current situation • Our study information system is developed in-house. • It is used by 10 applied universities. • There are more than 14 000 active users and more than 28 000 can log in.
Current situation (2) • Technical information • PHP 5, Zend Framework • MySQL database • Linux operating system • There are 3 servers: • Live system web frontend • Live system database • Development server (web frontend and database)
Problem • The study information system's security has been tested only by developers; this is not good practice. It should be done by external testers.
Goals • Study what web vulnerabilities are and how to use them, because we did not have any experience in pen-testing. • Learn about web testing framework environments and how to use them. • Find out the best tools to work with and test them on Damn Vulnerable Web Application and later on the study information system. • Find vulnerabilities in the study information system. • Document our work.
Top 10 Web Vulnerabilities • A1: Injection (SQL, PHP, ….) • A2: Cross-Site Scripting (XSS) • A3: Broken Authentication and Session Management • A4: Insecure Direct Object References • A5: Cross-Site Request Forgery (CSRF) • A6: Security Misconfiguration • A7: Insecure Cryptographic Storage • A8: Failure to Restrict URL Access • A9: Insufficient Transport Layer Protection • A10: Unvalidated Redirects and Forwards
Used/tested web testing frameworks • Samurai Web Testing Framework: • Burp Suite • Fireforce • Cookie editor • DVWA (redirected to BackTrack 5 R2) • BackTrack 5 R2: • Burp Suite • Subgraph Vega • Wapiti • W3af • Nessus • OWASP ZAP
Windows tools • Acunetix Web Vulnerability Scanner
Cross Site Request Forgery We started by generating an HTML POST request to change the authenticated user's language.
Cross Site Request Forgery (2) Next we made an HTML POST request that uses USER_ID to change the authenticated user's password.
Changing Administrator password • Found out the USER_ID of the administrator by checking the administrator's picture URL in the study information system. • We created an HTML request and uploaded it to a trusted web server as .jpg, to fool the administrator. • Tricked the administrator into logging into the study information system by telling him something was wrong in the study information system. • To explain the problem we told him to check the fake screenshot (sent him the infected URL). • As he opened it his password was changed automatically and he was kicked out of the system. • The issue was obviously fixed very quickly.
Failure to Restrict URL Access • Found a vulnerability in a URL where students can see other students' grades just by changing USER_ID in the PDF download URL. • This failure was found by knowing the vulnerabilities and by randomly testing all pages. • This data is very sensitive and it was fixed immediately.
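Added example, not code from the presentation or from the study information system itself: the server-side mitigations for the two findings above (the CSRF password change and the USER_ID-based grades PDF download), written in Python with constructed in-memory users, sessions and grades. The functions `new_session`, `change_password` and `download_grades_pdf`, the user ids and the role names are assumptions for illustration.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for the session store, user roles and the
# grades repository (the real system is a PHP 5 / Zend Framework application).
USERS = {101: "student", 102: "student", 7: "administrator"}
GRADES_PDF = {101: b"%PDF-grades-of-101", 102: b"%PDF-grades-of-102"}


def new_session(user_id):
    """Server-side session: the logged-in user plus a per-session CSRF token."""
    return {"user_id": user_id, "csrf_token": secrets.token_hex(32)}


def change_password(session, form):
    """Hardened password change for the CSRF finding.

    A forged cross-site POST cannot read the session's token, so it is refused.
    The account to update is always the session user; a USER_ID field in the
    request is ignored, so the token cannot be combined with a retargeted id.
    """
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return (403, "CSRF token missing or invalid")
    new_pw = form.get("new_password", "")
    if len(new_pw) < 8:
        return (400, "password too short")
    # The real password update would happen here, for session["user_id"] only.
    return (200, f"password changed for user {session['user_id']}")


def download_grades_pdf(session, query):
    """Hardened PDF download for the URL-access finding.

    The requested USER_ID is honoured only when it matches the logged-in user
    or the caller is an administrator; every other request is refused before
    the grades are looked up, so the id cannot be enumerated for other students.
    """
    try:
        requested = int(query.get("USER_ID", session["user_id"]))
    except ValueError:
        return (400, b"")
    is_admin = USERS.get(session["user_id"]) == "administrator"
    if requested != session["user_id"] and not is_admin:
        return (403, b"")
    pdf = GRADES_PDF.get(requested)
    return (200, pdf) if pdf is not None else (404, b"")
```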
Results • Got an overview of the most commonly used vulnerabilities and how to use them in testing. • Learned how to use different pen-testing tools and web test environments. • The study information system is now free of a couple of critical bugs. • Documentation: https://wiki.itcollege.ee/index.php/Security_team
Thank you for listening! Questions?