Uploaded by stevephen09

Performing Dynamic and Static Quality Control Testing

advertisement
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
Before You Begin
Welcome! The Virtual Security Cloud Labs are your opportunity to gain valuable hands-on experience
with professional-grade tools and techniques as you work through the guided lab exercises provided in
the on-screen lab manual. The use of virtualization enables you to perform all of the tasks in the lab
manual in a live environment without putting your personal device or institution's assets at risk.
Before you begin the guided lab exercises, please review the following preparation checklist.
1. Run the System Checker. The System Checker will confirm that your browser and network
connection are ready to support virtual labs.
2. Review the Common Lab Tasks document. This document provides an overview of the virtual
lab environment and outlines several of the recurring tasks you may need to complete your lab
exercise.
3. When you've finished, use the Disconnect button to end your session and create a
StateSave. To end your lab session and save your work, click the Disconnect button in the
upper-right corner of the Lab View toolbar. When prompted, assign a name for your StateSave
(we recommend using the Section, Part, and Step number where you stopped) and click
Continue. Please note that a StateSave will preserve any changes written to disk in your lab
session. A StateSave will not preserve any open windows or active processes, similar to
restarting your computer.
If you close your browser window without disconnecting, your lab session will automatically
end after 5 minutes.
4. Technical Support is here to help! Our technical support team is available 24/7 to help
troubleshoot common issues.
Please note that the 24/7 support team is Level 1 only, and cannot assist with questions about
lab content or the array of software used in the labs. If you believe you’ve identified an error in
the lab guide or a problem with the lab environment, your ticket will be escalated to the Jones
& Bartlett Learning product team for review. In the meantime, we recommend resetting the lab
(Options > Reset) or reaching out to your instructor for assistance.
Page 1 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
Introduction
Just as installing intrusion detection systems (IDS) can help administrators determine when an attack
occurs, regular vulnerability assessment of a Web application can help administrators determine
where an attack might occur. Web applications can be tested with a dynamic assessment or a static
analysis. Dynamic testing tools, such as skipfish, will monitor the system while it is operating to find
problems with system memory behavior, runtime, and performance. Static code analysis involves
analyzing the code for possible flaws without its physical execution.
In this lab, you will use skipfish, a dynamic testing tool, to identify vulnerabilities in the Damn
Vulnerable Web Application (DVWA). The DVWA is a Web application that is made purposefully
vulnerable. It is installed on a local Web server to allow security analysts a safe place to test the
security of their applications. You also will use RATS (Rough Auditing Tool for Security) to perform
static analysis testing on the DVWA. You will use the vi Editor to review the source code for a part of
the DVWA to identify exactly where the software code is most vulnerable. Finally, you will compare the
results of both skipfish and RATS reports.
Learning Objectives
Upon completing this lab, you will be able to:
1. Identify tools and techniques commonly used for website and Web application software code
testing
2. Use various techniques and tools to help provide the most comprehensive testing for software
code and Web applications
3. Dynamically test software for vulnerabilities in the code and understand the concepts and
benefits of manual code reviews using the open source tool skipfish
4. Perform static analysis testing on software source code and evaluate the advantages and
disadvantages of various testing methods
5. Compare and analyze the Web application source code using skipfish and RATS to help
identify vulnerabilities and insecure coding tactics
Lab Overview
Each section of this lab is assigned at your instructor’s discretion. Please consult your
instructor to confirm which sections you are required to complete for your lab assignment.
Page 2 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
SECTION 1 of this lab has two parts which should be completed in the order specified.
1. In the first part of the lab, you will test web application code to identify vulnerabilities and report
of your findings.
2. In the second part, you will analyze source code to identify insecure coding tactics and report
your findings.
SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and
different deliverables, as well as some expanded tasks and alternative methods. You will also explore
some PHP coding vulnerabilities.
Finally, you will explore the virtual environment on your own in SECTION 3 of this lab to answer a set
of questions and challenges that allow you to use the skills you learned in the lab to conduct
independent, unguided work, similar to what you will encounter in a real-world situation.
Topology
This lab contains the following virtual machines. Please refer to the network topology diagram below.
vWorkstation (Windows Server 2016)
TargetLinux01 (Debian Linux)
Tools and Software
Page 3 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
The following software is required to complete this lab. Students are encouraged to explore the
Internet to learn more about the products and tools used in this lab.
Damn Vulnerable Web Application (DVWA)
PuTTY
RATS
skipfish
vi Editor
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your instructor:
SECTION 1:
1. Lab Report file including screen captures of the following;
none;
2. Files downloaded from the virtual environment:
yourname_S1_skipfish;
yourname_S1_rats;
3. Any additional information as directed by the lab:
summarize the differences in the source code for these two security levels;
compare the results of both the RATS and Skipfish reports;
Page 4 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
4. Lab Assessment (worksheet or quiz - see instructor for guidance).
SECTION 2:
1. Lab Report file including screen captures of the following:
the location of the //noauth code;
2. Files downloaded from the virtual environment:
yourname_S2_skipfish;
yourname_S2_rats;
3. Any additional information as directed by the lab;
describe how the change affected the dvwaPage.inc.php file;
summarize the differences in the source code for these three security levels;
compare the results of both the RATS and Skipfish reports;
SECTION 3:
1. Analysis and Discussion
2. Tools and Commands
3. Challenge Exercise
Page 5 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
Page 6 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
Section 1: Hands-On Demonstration
Note: In this section of the lab, you will follow a step-by-step walk-through of the objectives for this lab
to produce the expected deliverable(s).
1. On your local computer, create the Lab Report file.
Frequently performed tasks, such as how to create the Lab Report file, make screen captures,
and download files from the lab, are explained in the Common Lab Tasks document. You
should review these tasks before starting the lab.
2. Proceed with Part 1.
Part 1: Skipfish Security Scan
Note: In this part of the lab, you will use skipfish to perform a dynamic scan for vulnerabilities on the
Damn Vulnerable Web Application (DVWA). Skipfish has mostly predefined rules for testing common
vulnerabilities. It is fast and can provide a good overview of the state of the Web application. Once it is
configured, skipfish can be scheduled to run at predetermined intervals and doesn’t require human
intervention to do its job.
First you will need use PuTTY to create a remote connection to the lab’s web server, TargetLinux01,
and disable the login authentication requirement for the DVWA so that skipfish will be able to scan the
application for vulnerabilities.
1. On the vWorkstation desktop, double-click the Connections folder.
2. In the Connections folder, double-click the putty icon to launch the PuTTY application.
PuTTY is a free utility that can open secure remote connections over the Internet via Telnet or
SSH (secure shell).
3. In the PuTTY application window, type 172.30.0.11 in the Host Name field, then click the
Page 7 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
Open button to start the connection.
PuTTY will launch a terminal console window. If prompted with a Putty Security Alert pop-up
window, click Yes to continue.
PuTTY connection to Linux
4. In the terminal window, type the following credentials at the login prompt and press Enter to
log in to the server hosting the Damn Vulnerable Web Application (DVWA).
login as: student
student@172.30.0.11’s password: student
For security reasons, your password input will not appear on screen.
Page 8 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
PuTTY terminal console window
5. At the command prompt, type su and press Enter to switch user accounts (su) and log in as
the root user.
6. When prompted for a password, type toor, the root user’s password, and press Enter.
7. At the command prompt, type sed -i 's#dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT.#
//noauth #' /var/www/DVWA/dvwa/includes/dvwaPage.inc.php and press Enter
to disable the login authentication for the DVWA.
This command ensures that the DVWA is available to skipfish without requiring the login
credentials.
Page 9 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
Disable login authentication
8. Minimize the PuTTY terminal window.
9. On the vWorkstation desktop, double-click the Mozilla Firefox icon to open the Firefox
browser.
You could access the DVWA tool using any Internet browser, but the steps in this lab will use
the Firefox browser.
10. In the browser’s address box, type http://172.30.0.11/DVWA and press Enter to open
the Welcome page of the Damn Vulnerable Web Application, bypassing the login screen.
If you were directed to the login screen, close the browser, restore the PuTTY terminal
window, and repeat steps 4-10.
Page 10 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
DVWA Welcome page
11. Restore the PuTTY terminal window.
Note: In the next steps, you will use skipfish commands to perform a dynamic scan on the DVWA.
You will review the skipfish report and save a copy to submit as a deliverable for this lab. Skipfish has
mostly predefined rules for testing common vulnerabilities. It is fast and can provide a good overview
of the state of the Web application. Once it is configured, skipfish can be scheduled to run at
predetermined intervals and doesn’t require human intervention to do its job.
12. At the command prompt type cd skipfish and press Enter to change directories.
13. At the command prompt, type skipfish -h and press Enter to view the different skipfish
command line options.
Use the scrollbar to explore the skipfish options.
Page 11 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
14. At the command prompt, type cd /var/www and press Enter to change the directory to
/var/www.
15. At the command prompt, type mkdir -p html/scan and press Enter to make new
directories for the coming steps.
16. At the command prompt, type cd /home/student/skipfish and press Enter to go back
to skipfish directory.
17. At the command prompt, type skipfish -I "DVWA" -W /dev/null -b i -o
/var/www/html/scan -C "security=low" -C "PHPSESSID=1234test" -r 50000
http://172.30.0.11/DVWA/vulnerabilities and press Enter, then press any key to
start a skipfish scan that will send 50,000 requests to the DVWA website and write an HTML
version of the scan results to a new directory (scan).
Skipfish scan command
This scan takes several minutes and the terminal window will display the progress throughout
the scan. You may press Enter when prompted to continue or wait for the command to process
on its own. The reappearance of the command prompt indicates that the scan is completed. If
you receive an error message, repeat step 17.
Page 12 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
Skipfish vulnerability scan completed
18. Minimize the PuTTY terminal window.
19. In the browser window, click the + button to open a new tab.
20. In the browser’s address box, type http://172.30.0.11/html/scan and press Enter to
open the scan results from the new directory created by skipfish.
Your results may not match the scan results in the following figure.
View the skipfish report
21. In the browser, use the scrollbar to locate the Issue type overview portion of the report,
then click each issue to expand it and explore the links within each category to familiarize
yourself with the content of the report.
Page 13 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
Hover over the icons (red, yellow, blue, gray, and green circles) in the Issue type overview
section to discover skipfish categorization levels.
22. From the browser toolbar, click the menu icon, then click the Save Page icon to open the
Save As dialog box.
Save web page
23. In the Save As dialog box, navigate to Desktop folder,
then type yourname_S1_skipfish in the File name field, replacing yourname with your own
name, and click Save to the save the skipfish report to the vWorkstation desktop.
Page 14 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
Save skipfish report
24. Minimize the browser window.
Part 2: RATS Security Scan of Code
Note: RATS (Rough Auditing Tool for Security), part of the HP Fortify Software Security Center, is a
static analysis tool used for scanning C, C++, Perl, PHP, Python (and soon Ruby) source code and
flagging common security related programming errors, such as buffer overflows and TOCTOU (Time
Of Check, Time Of Use) race conditions. RATS is a free tool that scans source code and flags
common security related programming errors, such as buffer overflows. As its name implies, the tool
performs only a rough analysis of source code. It will not find every error and will also find things that
are not errors. Manual inspection of your code is still necessary, but greatly aided with this tool. RATS
can provide an offline analysis of an application’s source code. It requires direct access to the source
code and will flag unsafe coding practices and/or functions and methods used. It is useful to help steer
developers away from unsafe development practices that could be used as a means to exploit the
software.
In the next steps, you will use RATS commands to perform a static analysis scan on the DVWA
source code. You will review the RATS report and submit it as a deliverable for this lab.
Page 15 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
1. Restore the PuTTY terminal window.
2. At the command prompt, type rats --html /var/www/DVWA >
/home/student/rats.html and press Enter to start a RATS scan of the DVWA source
code and write a report to the student directory.
3. At the command prompt, type cp /home/student/rats.html
/var/www/html/scan/rats.html and press Enter to copy the RATS report to the same
directory as the skipfish results.
Execute the RATS static analysis
4. Minimize the PuTTY terminal window.
5. Restore the browser window and open a new tab.
6. In the new browser tab, type http://172.30.0.11/html/scan/rats.html and press
Enter in the browser’s address box to open the scan directory created by skipfish.
Page 16 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
RATS file
7. In the browser window, use the scrollbar to locate the RATS results portion of the report and
review each issue identified by RATS to familiarize yourself with the content of the report.
Page 17 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
RATS results
8. From the browser toolbar, click the menu icon, then click the Save Page icon to open the
Save As dialog box.
9. In the Save As dialog box, navigate to Desktop folder, then type yourname_S1_rats in the
File name field, replacing yourname with your own name, and click Save to the save the
skipfish report to the vWorkstation desktop.
Page 18 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
Save RATS report
10. Minimize the browser window and restore the PuTTY terminal window.
11. At the command prompt, type cd
/var/www/DVWA/vulnerabilities/xss_r/source and press Enter to change the
directory to the source code for DVWA’s Reflected Cross-site Scripting (xss_r) tests.
12. At the command prompt, type ls and press Enter to list the files in the current.
The system should display three files: high.php, medium.php, and low.php. These files contain
the source code for the XSS tests when the DVWA security is set to high, medium, or low.
Page 19 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
XSS test files
13. At the command prompt, type vi high.php and press Enter to open the high.php file in the
vi Editor and review the code.
Page 20 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
View the high.php file
Note: This code uses a function to escape malicious content (htmlspecialcharacters). The
htmlspecialcharacters code is a PHP function that transforms special characters to display according
to XHTML standards and reduces the risk of reflecting malicious code back to the user.
According to the manual page for this function on the php.net website, the characters translated are:
‘&’ (ampersand) becomes ‘&’
‘ “ ‘(double quote) becomes ‘"’ when ENT_NOQUOTES is not set.
“ ‘ “ (single quote) becomes ‘'’ only when ENT_QUOTES is set.
‘<’ (less than) becomes ‘<’
‘>’ (greater than) becomes ‘>
14. In the vi Editor, press Esc, then type :q and press Enter to close the editor without making
any changes and return to the command prompt.
15. Repeat steps 13-14 to review the code in the low.php file.
16. In the Lab Report file, summarize the differences in the source code for these two security
Page 21 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
levels.
17. Restore the browser window.
18. In the browser window, review the Skipfish and RATS results.
19. In the Lab Report file, compare the results of both the RATS and Skipfish reports.
Note: Both dynamic and static analysis tools are necessary for a complete picture of an application’s
vulnerabilities. As a dynamic analysis tool, skipfish doesn’t have access to the source code. It simply
follows links and attempts to find vulnerabilities, such as XSS and SQL injection, which can be
exploited by an attacker.
RATS doesn’t specifically test for these common vulnerabilities. Instead, as a static analysis tool, it
looks for risky coding practices that could lead to a vulnerabilities a hacker could exploit. RATS, for
example, identifies where the eval() function is used in the source code because someone performing
white-box testing could attempt to inject arbitrary commands into the eval() function.
WebScarab is another penetration-testing tool, not covered in this series, which can be used as a
complement to skipfish. WebScarab is used as an intercepting proxy to the web browser, which
means all requests from the client browser and responses from the server can be intercepted and
manipulated by WebScarab. For an experienced penetration tester, this can be advantageous, as
he/she can further examine areas of interest and attempt to exploit them. As new web vulnerabilities
are discovered, a user of WebScarab can use this tool to exploit them and prepare for remediation
more quickly.
20. Restore the PuTTY terminal window.
21. At the command prompt, type sed -i 's# //noauth # dvwaRedirect(
DVWA_WEB_PAGE_TO_ROOT. #'
/var/www/DVWA/dvwa/includes/dvwaPage.inc.php and press Enter to re-enable the
login authentication for DVWA.
Page 22 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
Restore the login authentication
22. At the command prompt, type exit and press Enter to close the PuTTY terminal window.
23. Minimize the PuTTY terminal window and restore the browser window.
24. In the browser, click the Damn Vulnerable Web App (DVWA) tab and click the browser’s
Refresh button to reload the Damn Vulnerable Web Application.
The DVWA should open to the login screen indicating that the login authentication has been reenabled for this application. If you do not see this login screen, maximize the PuTTY terminal
window and repeat steps 17-19.
Page 23 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
DVWA login screen
25. At the login screen, enter the following credentials click Login to verify that the authentication
has been restored properly.
Username: admin
Password: password
If you are not able to login using the login credentials above, use the following alternate
credentials.
Username: pablo
Password: letmein
The DVWA should open to the Welcome screen. If it does not open, repeat steps 20-25.
Note: This completes Section 1 of this lab. In the next steps, you will use the File Transfer folder to
move any files from the vWorkstation to your local system that are to be submitted as part of your lab
deliverables. Refer to the instructions in the Common Lab Tasks document for more information on
how to use this function.
Page 24 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
26. On the vWorkstation desktop, drag the deliverable files into the File Transfer folder and click
the link text to complete the download to your local computer.
yourname_S1_skipfish.html
yourname_S1_rats.html
Page 25 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
Section 2: Applied Learning
Note: SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance
and different deliverables, as well as some expanded tasks and alternative methods. You will also
explore some PHP coding vulnerabilities.
Please confirm with your instructor that you have been assigned Section 2 before proceeding.
1. On your local computer, create the Lab Report file.
Frequently performed tasks, such as how to create the Lab Report file, make screen captures,
and download files from the lab, are explained in the Common Lab Tasks document. You
should review these tasks before starting the lab.
2. If you already completed Section 1 of this lab, you will need to reset the virtual environment
before beginning Section To reset the virtual environment, complete one of the following
options.
a. Click Options > Reset Lab to restore all virtual machines to their base state. This will take
several minutes to complete. If you do not see the vWorkstation desktop after five minutes,
click Options > Reload Lab to reload your lab connection.
b. Click Disconnect, then select Discard Changes to end your lab session without creating a
StateSave. If you previously created a StateSave, delete the StateSave at the launch page,
then start a new lab session.
3. Proceed with Part 1.
Part 1: Skipfish Security Scan
Note: In this part of the lab, you will use skipfish to perform a dynamic scan for vulnerabilities on the
Damn Vulnerable Web Application (DVWA). Skipfish has mostly predefined rules for testing common
vulnerabilities. It is fast and can provide a good overview of the state of the Web application. Once it is
configured, skipfish can be scheduled to run at predetermined intervals and doesn’t require human
intervention to do its job.
Page 26 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
First, you will run a batch file that will prepare the lab environment, and then you will use PuTTY to
create a remote connection to the lab’s web server, TargetLinux01 (DVWA), and disable the login
authentication requirement for the DVWA so that skipfish will be able to scan the application for
vulnerabilities.
1. Open a PuTTY session to DVWA, the Linux server hosting the Damn Vulnerable Web
Application (DVWA).
If prompted, login to the server using the following credentials.
Username: root
Password: toor
2. At the command prompt, execute cd /var/www/DVWA/dvwa/includes to navigate to the
/var/www/DVWA/dvwa/includes directory.
3. At the command prompt, execute cp dvwaPage.inc.php
/var/www/DVWA/dvwa/includes/dvwaPage.inc.php.bk to make a backup copy
(dvwaPage.inc.php.bk) of the dvwaPage.inc.php file.
4. At the command prompt, execute ls to list the files in the directory.
Page 27 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
List files
5. At the command prompt, execute sed -i 's#dvwaRedirect(
DVWA_WEB_PAGE_TO_ROOT.# //noauth #'
/var/www/DVWA/dvwa/includes/dvwaPage.inc.php to disable authentication for the
DVWA.
This command ensures that the DVWA is available to skipfish without requiring the login
credentials.
Disable authentication
Page 28 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
6. Minimize the PuTTY session, then launch the Firefox browser and navigate to
http://172.30.0.11/DVWA.
You should arrive at the Damn Vulnerable Web Application’s Welcome page, bypassing the
login screen. If the Welcome screen does not appear, repeat steps 5-6, correcting any errors
you find.
DVWA Welcome page
7. Restore the PuTTY terminal window and execute vi dvwaPage.inc.php to open the file
you just altered, then scroll down to locate the //noauth code.
8. Make a screen capture showing the location of //noauth code and paste it into the Lab
Report file.
9. In the vi Editor, type :q and press Enter to exit the vi Editor without saving any changes and
return to the command prompt.
Page 29 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
10. At the command prompt, execute vi dvwaPage.inc.php.bk to open the backup file, then
scroll down to the location of the //noauth code in the altered file.
This file shows the code before it was altered by the change in step 5.
11. In the vi Editor, type :q and press Enter to exit the vi Editor without saving any changes and
return to the command prompt.
12. In the Lab Report file, describe how the change affected the dvwaPage.inc.php file.
Note: In the next steps, you will use skipfish commands to perform a dynamic scan on the DVWA.
You will review the skipfish report and save a copy to submit it as a deliverable for this lab. Skipfish
has mostly predefined rules for testing common vulnerabilities. It is fast and can provide a good
overview of the state of the Web application. Once it is configured, skipfish can be scheduled to run at
predetermined intervals and doesn’t require human intervention to do its job.
13. At the command prompt, execute skipfish -h to review the skipfish command line options.
Use the scrollbar to explore the skipfish options.
14. At the command prompt, execute mkdir -p /var/www/html/high to make a new
directory.
The -p option will make parent directories as needed and ignore error messages if directories
already exist.
15. At the command prompt, execute cd /home/student/skipfish to navigate to the
/home/student/skipfish directory.
16. At the command prompt, execute skipfish -I "DVWA" -W /dev/null -b i -o
/var/www/html/high -C "security=high" -C "PHPSESSID=1234test" -r
50000 http://172.30.0.11/DVWA/vulnerabilities to start a skipfish scan that will
send 50,000 requests to the DVWA website and write an HTML version of the report in the
new scan directory.
Page 30 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
When prompted, press Enter to continue or wait for the command to process on its own. This
scan takes several minutes and the terminal window will display the progress throughout the
scan.
Skipfish scan command
17. When the scan is completed, minimize the PuTTY terminal window.
Skipfish vulnerability scan completed
Page 31 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
18. In the browser window, open a new tab and navigate to
http://172.30.0.11/html/high to review the scan created by skipfish.
Your scan may not match the scan in the following figure.
View the skipfish report
19. Locate the Issue type overview portion of the report, then click each issue to expand it and
explore the links within each category to familiarize yourself with the content of the report.
Hover over the icons (red, yellow, blue, gray, and green circles) in the Issue type overview
section to discover skipfish categorization levels.
20. As you review the skipfish report, click the phpinfo.php link in the Incorrect or missing
charset (low risk) category to view the page.
Note: When reviewing the phpinfo page, you will see that it displays the operating system, hostname,
Page 32 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
the packages installed on the server, and more. This information can be used to formulate an attack
against the server. It is important to be aware of the information on your servers. Even an off-the-shelf
product, such as DVWA, can contain information hazardous to your security profile. Running your own
security scans can identify harmful information before it is discovered by someone else.
If you were to review the code in this file, you would see only three lines of code.
<?php
phpinfo()
?>
PHPInfo page
Page 33 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
21. Close the phpinfo.php tab and save the skipfish scan results to the vWorkstation desktop as
yourname_S2_skipfish, replacing yourname with your own name.
Part 2: RATS Security Scan of Code
Note: RATS (Rough Auditing Tool for Security), part of the HP Fortify Software Security Center, is a
static analysis tool used for scanning C, C++, Perl, PHP, Python (and soon Ruby) source code and
flagging common security related programming errors, such as buffer overflows and TOCTOU (Time
Of Check, Time Of Use) race conditions. RATS is a free tool that scans source code and flags
common security related programming errors, such as buffer overflows. As its name implies, the tool
performs only a rough analysis of source code. It will not find every error and will also find things that
are not errors. Manual inspection of your code is still necessary, but greatly aided with this tool. RATS
can provide an offline analysis of an application’s source code. It requires direct access to the source
code and will flag unsafe coding practices and/or functions and methods used. It is useful to help steer
developers away from unsafe development practices that could be used as a means to exploit the
software.
In the next steps, you will use RATS commands to perform a static analysis scan on the DVWA
source code. You will review the RATS report and submit it as a deliverable for this lab.
1. Restore the PuTTY terminal window.
2. At the command prompt, execute rats --html /var/www/DVWA >
/home/student/rats.html to start a RATS scan of the DVWA source code and then write
a report to the student directory.
3. At the command prompt, execute cp /home/student/rats.html
/var/www/html/high/rats.html to copy the RATS report to the same directory as the
skipfish results.
4. Restore the browser window, open a new tab, and navigate to
http://172.30.0.11/html/high/rats.html to open the scan results created by RATS.
5. In the browser window, locate the RATS results portion of the report and review each issue
identified by RATS to familiarize yourself with the content of the report.
Page 34 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
RATS results
6. Save the RATS report to the vWorkstation desktop as yourname_S2_rats, replacing
yourname with your own name.
7. Restore the PuTTY terminal window.
8. At the command prompt, execute cd
/var/www/DVWA/vulnerabilities/xss_r/source to change the directory to the source
code for DVWA’s Reflected Cross-site Scripting (xss_r) tests.
This directory contains three files: high.php, medium.php, and low.php. These files contain the
source code for the XSS tests when the DVWA security is set to high, medium, or low.
9. At the command prompt, execute vi high.php to open the high.php file in the vi Editor and
review the code.
Page 35 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
View the high.php file
Note: This code uses a function to escape malicious content (htmlspecialcharacters). The
htmlspecialcharacters code is a PHP function that transforms special characters to display according
to XHTML standards and reduces the risk of reflecting malicious code back to the user.
According to the manual page for this function on the php.net website, the characters translated are:
‘&’ (ampersand) becomes ‘&’
‘ “ ‘(double quote) becomes ‘"’ when ENT_NOQUOTES is not set.
“ ‘ “ (single quote) becomes ‘'’ only when ENT_QUOTES is set.
‘<’ (less than) becomes ‘<’
‘>’ (greater than) becomes ‘>
10. Close the vi Editor without making any changes and return to the command prompt.
11. Repeat steps 9-10 to review the code in the medium.php file.
12. Repeat steps 9-10 to review the code in the low.php file.
Page 36 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
13. In the Lab Report file, summarize the differences in the source code for these three security
levels. Use the internet to research php functions as needed.
14. Restore the browser window.
15. In the browser, review the Skipfish and RATS results.
16. In the Lab Report file, compare the results of both the RATS and Skipfish reports.
Note: Both dynamic and static analysis tools are necessary for a complete picture of an application’s
vulnerabilities. As a dynamic analysis tool, skipfish doesn’t have access to the source code. It simply
follows links and attempts to find vulnerabilities, such as XSS and SQL injection, which can be
exploited by an attacker.
RATS doesn’t specifically test for these common vulnerabilities. Instead, as a static analysis tool, it
looks for risky coding practices that could lead to vulnerabilities a hacker could exploit. RATS, for
example, identifies where the eval() function is used in the source code because someone performing
white-box testing could attempt to inject arbitrary commands into the eval() function.
WebScarab is another penetration-testing tool, not covered in this series, which can be used as a
complement to skipfish. WebScarab is used as an intercepting proxy to the Web browser, which
means all requests from the client browser and responses from the server can be intercepted and
manipulated by WebScarab. For an experienced penetration tester, this can be advantageous, as
he/she can further examine areas of interest and attempt to exploit them. As new Web vulnerabilities
are discovered, a user of WebScarab can use this tool to exploit them and prepare for remediation
more quickly.
17. Restore the PuTTY terminal window.
18. At the command prompt, execute sed -i 's# //noauth # dvwaRedirect(
DVWA_WEB_PAGE_TO_ROOT. #'
/var/www/DVWA/dvwa/includes/dvwaPage.inc.php to re-enable the login
authentication for DVWA.
19. Close the PuTTY terminal window and restore the browser window.
20. In the browser, click the Damn Vulnerable Web App (DVWA) tab and refresh the page.
Page 37 of 39
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
The DVWA should open to the login screen indicating that the login authentication has been reenabled for this application. If you do not see this login screen, maximize the PuTTY terminal
window and repeat steps 18-20.
21. Log in to the application with the following credentials to verify that the authentication has
been restored properly.
Username: admin
Password: password
If you are not able to login using the login credentials above, use the following alternate
credentials.
Username: pablo
Password: letmein
The DVWA should open the Welcome screen. If it does not open properly, repeat steps 16-20.
Note: This completes Section 2 of this lab. In the next steps, you will use the File Transfer folder to
move any files from the vWorkstation to your local system that are to be submitted as part of your lab
deliverables. Refer to the instructions in the Common Lab Tasks document for more information on
how to use this function.
22. On the vWorkstation desktop, drag the deliverable files into the File Transfer folder and click
the link text to complete the download to your local computer.
yourname_S2_skipfish.html
yourname_S2_rats.html
Page 38 of 39
Powered by TCPDF (www.tcpdf.org)
Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07
Section 3: Lab Challenge and Analysis
Note: The following challenge questions are provided to allow independent, unguided work, similar to
what you will encounter in a real situation. You should aim to improve your skills by getting the correct
answer in as few steps as possible. Use screen captures in your lab document where possible to
illustrate your answers.
Part 1: Analysis and Discussion
Why is RATS a valuable tool for analyzing web code?
Part 2: Tools and Commands
Using the skipfish -h command, describe the purpose of the skipfish command used in this lab:
skipfish -I "DVWA" -W /dev/null -b i -o /var/www/html/scan -C
"security=low" -C "PHPSESSID=1234test" -r 50000
http://localhost/DVWA/vulnerabilities
Part 3: Challenge Exercise
Run a skipfish report against the website at www.corporationtechs.com. Save the results as
yourname_corptech, replacing yourname with your own name, and submit it as a deliverable for this
lab.
Page 39 of 39
Download