Performing Dynamic and Static Quality Control Testing
Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07

Before You Begin

Welcome! The Virtual Security Cloud Labs are your opportunity to gain valuable hands-on experience with professional-grade tools and techniques as you work through the guided lab exercises provided in the on-screen lab manual. The use of virtualization enables you to perform all of the tasks in the lab manual in a live environment without putting your personal device or your institution's assets at risk.

Before you begin the guided lab exercises, please review the following preparation checklist.

1. Run the System Checker. The System Checker will confirm that your browser and network connection are ready to support virtual labs.

2. Review the Common Lab Tasks document. This document provides an overview of the virtual lab environment and outlines several of the recurring tasks you may need to complete your lab exercise.

3. When you've finished, use the Disconnect button to end your session and create a StateSave. To end your lab session and save your work, click the Disconnect button in the upper-right corner of the Lab View toolbar. When prompted, assign a name for your StateSave (we recommend using the Section, Part, and Step number where you stopped) and click Continue. Please note that a StateSave preserves any changes written to disk in your lab session. A StateSave does not preserve open windows or active processes, similar to restarting your computer. If you close your browser window without disconnecting, your lab session will automatically end after 5 minutes.

4. Technical Support is here to help! Our technical support team is available 24/7 to help troubleshoot common issues. Please note that the 24/7 support team is Level 1 only, and cannot assist with questions about lab content or the array of software used in the labs.
If you believe you've identified an error in the lab guide or a problem with the lab environment, your ticket will be escalated to the Jones & Bartlett Learning product team for review. In the meantime, we recommend resetting the lab (Options > Reset) or reaching out to your instructor for assistance.

Introduction

Just as installing intrusion detection systems (IDS) can help administrators determine when an attack occurs, regular vulnerability assessment of a Web application can help administrators determine where an attack might occur. Web applications can be tested with a dynamic assessment or a static analysis. Dynamic testing tools, such as skipfish, monitor the system while it is operating to find problems with system memory behavior, runtime, and performance. Static code analysis involves analyzing the code for possible flaws without executing it.

In this lab, you will use skipfish, a dynamic testing tool, to identify vulnerabilities in the Damn Vulnerable Web Application (DVWA). The DVWA is a Web application that is made purposefully vulnerable. It is installed on a local Web server to give security analysts a safe place to test the security of their applications. You will also use RATS (Rough Auditing Tool for Security) to perform static analysis testing on the DVWA. You will use the vi Editor to review the source code for a part of the DVWA to identify exactly where the software code is most vulnerable. Finally, you will compare the results of the skipfish and RATS reports.

Learning Objectives

Upon completing this lab, you will be able to:

1. Identify tools and techniques commonly used for website and Web application software code testing
2. Use various techniques and tools to help provide the most comprehensive testing for software code and Web applications
3. Dynamically test software for vulnerabilities in the code and understand the concepts and benefits of manual code reviews using the open source tool skipfish
4. Perform static analysis testing on software source code and evaluate the advantages and disadvantages of various testing methods
5. Compare and analyze the Web application source code using skipfish and RATS to help identify vulnerabilities and insecure coding tactics

Lab Overview

Each section of this lab is assigned at your instructor's discretion. Please consult your instructor to confirm which sections you are required to complete for your lab assignment.

SECTION 1 of this lab has two parts which should be completed in the order specified.

1. In the first part of the lab, you will test Web application code to identify vulnerabilities and report your findings.
2. In the second part, you will analyze source code to identify insecure coding tactics and report your findings.

SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods. You will also explore some PHP coding vulnerabilities.

Finally, you will explore the virtual environment on your own in SECTION 3 of this lab to answer a set of questions and challenges that allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.

Topology

This lab contains the following virtual machines. Please refer to the network topology diagram below.
- vWorkstation (Windows Server 2016)
- TargetLinux01 (Debian Linux)

Tools and Software

The following software is required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.

- Damn Vulnerable Web Application (DVWA)
- PuTTY
- RATS
- skipfish
- vi Editor

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

SECTION 1:
1. Lab Report file including screen captures of the following: none
2. Files downloaded from the virtual environment: yourname_S1_skipfish; yourname_S1_rats
3. Any additional information as directed by the lab: summarize the differences in the source code for these two security levels; compare the results of both the RATS and Skipfish reports
4. Lab Assessment (worksheet or quiz - see instructor for guidance)

SECTION 2:
1. Lab Report file including screen captures of the following: the location of the //noauth code
2. Files downloaded from the virtual environment: yourname_S2_skipfish; yourname_S2_rats
3. Any additional information as directed by the lab: describe how the change affected the dvwaPage.inc.php file; summarize the differences in the source code for these three security levels; compare the results of both the RATS and Skipfish reports

SECTION 3:
1. Analysis and Discussion
2. Tools and Commands
3. Challenge Exercise

Section 1: Hands-On Demonstration

Note: In this section of the lab, you will follow a step-by-step walk-through of the objectives for this lab to produce the expected deliverable(s).

1. On your local computer, create the Lab Report file. Frequently performed tasks, such as how to create the Lab Report file, make screen captures, and download files from the lab, are explained in the Common Lab Tasks document. You should review these tasks before starting the lab.

2. Proceed with Part 1.

Part 1: Skipfish Security Scan

Note: In this part of the lab, you will use skipfish to perform a dynamic scan for vulnerabilities on the Damn Vulnerable Web Application (DVWA). Skipfish has mostly predefined rules for testing common vulnerabilities. It is fast and can provide a good overview of the state of the Web application. Once it is configured, skipfish can be scheduled to run at predetermined intervals and doesn't require human intervention to do its job.

First, you will use PuTTY to create a remote connection to the lab's web server, TargetLinux01, and disable the login authentication requirement for the DVWA so that skipfish will be able to scan the application for vulnerabilities.

1. On the vWorkstation desktop, double-click the Connections folder.

2. In the Connections folder, double-click the putty icon to launch the PuTTY application. PuTTY is a free utility that opens remote terminal connections over the Internet via Telnet or SSH (Secure Shell).

3. In the PuTTY application window, type 172.30.0.11 in the Host Name field, then click the Open button to start the connection. PuTTY will launch a terminal console window. If prompted with a PuTTY Security Alert pop-up window, click Yes to continue.

[Figure: PuTTY connection to Linux]

4. In the terminal window, type the following credentials at the login prompt and press Enter to log in to the server hosting the Damn Vulnerable Web Application (DVWA).

   login as: student
   student@172.30.0.11's password: student

   For security reasons, your password input will not appear on screen.

[Figure: PuTTY terminal console window]

5. At the command prompt, type su and press Enter to switch user accounts (su) and log in as the root user.

6. When prompted for a password, type toor, the root user's password, and press Enter.

7. At the command prompt, type sed -i 's#dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT.# //noauth #' /var/www/DVWA/dvwa/includes/dvwaPage.inc.php and press Enter to disable the login authentication for the DVWA. This command ensures that the DVWA is available to skipfish without requiring the login credentials.

[Figure: Disable login authentication]

8. Minimize the PuTTY terminal window.

9. On the vWorkstation desktop, double-click the Mozilla Firefox icon to open the Firefox browser. You could access the DVWA tool using any Internet browser, but the steps in this lab will use the Firefox browser.

10. In the browser's address box, type http://172.30.0.11/DVWA and press Enter to open the Welcome page of the Damn Vulnerable Web Application, bypassing the login screen. If you were directed to the login screen, close the browser, restore the PuTTY terminal window, and repeat steps 4-10.

[Figure: DVWA Welcome page]

11. Restore the PuTTY terminal window.

Note: In the next steps, you will use skipfish commands to perform a dynamic scan on the DVWA. You will review the skipfish report and save a copy to submit as a deliverable for this lab. Skipfish has mostly predefined rules for testing common vulnerabilities. It is fast and can provide a good overview of the state of the Web application. Once it is configured, skipfish can be scheduled to run at predetermined intervals and doesn't require human intervention to do its job.

12. At the command prompt, type cd skipfish and press Enter to change directories.

13. At the command prompt, type skipfish -h and press Enter to view the different skipfish command line options. Use the scrollbar to explore the skipfish options.

14. At the command prompt, type cd /var/www and press Enter to change the directory to /var/www.

15. At the command prompt, type mkdir -p html/scan and press Enter to make the new directories needed for the coming steps.

16. At the command prompt, type cd /home/student/skipfish and press Enter to go back to the skipfish directory.

17. At the command prompt, type skipfish -I "DVWA" -W /dev/null -b i -o /var/www/html/scan -C "security=low" -C "PHPSESSID=1234test" -r 50000 http://172.30.0.11/DVWA/vulnerabilities and press Enter, then press any key to start a skipfish scan that will send 50,000 requests to the DVWA website and write an HTML version of the scan results to a new directory (scan).

[Figure: Skipfish scan command]

   This scan takes several minutes and the terminal window will display the progress throughout the scan. You may press Enter when prompted to continue or wait for the command to process on its own. The reappearance of the command prompt indicates that the scan is completed. If you receive an error message, repeat step 17.

[Figure: Skipfish vulnerability scan completed]

18. Minimize the PuTTY terminal window.

19. In the browser window, click the + button to open a new tab.

20. In the browser's address box, type http://172.30.0.11/html/scan and press Enter to open the scan results from the new directory created by skipfish. Your results may not match the scan results in the following figure.

[Figure: View the skipfish report]

21. In the browser, use the scrollbar to locate the Issue type overview portion of the report, then click each issue to expand it and explore the links within each category to familiarize yourself with the content of the report. Hover over the icons (red, yellow, blue, gray, and green circles) in the Issue type overview section to discover skipfish's categorization levels.

22. From the browser toolbar, click the menu icon, then click the Save Page icon to open the Save As dialog box.

[Figure: Save web page]

23. In the Save As dialog box, navigate to the Desktop folder, then type yourname_S1_skipfish in the File name field, replacing yourname with your own name, and click Save to save the skipfish report to the vWorkstation desktop.

[Figure: Save skipfish report]

24. Minimize the browser window.

Part 2: RATS Security Scan of Code

Note: RATS (Rough Auditing Tool for Security), part of the HP Fortify Software Security Center, is a static analysis tool used for scanning C, C++, Perl, PHP, Python (and soon Ruby) source code and flagging common security-related programming errors, such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions. RATS is a free tool that scans source code and flags common security-related programming errors, such as buffer overflows. As its name implies, the tool performs only a rough analysis of source code. It will not find every error and will also flag things that are not errors. Manual inspection of your code is still necessary, but greatly aided by this tool.

RATS can provide an offline analysis of an application's source code. It requires direct access to the source code and will flag unsafe coding practices and/or unsafe functions and methods used. It is useful to help steer developers away from unsafe development practices that could be used as a means to exploit the software.

In the next steps, you will use RATS commands to perform a static analysis scan on the DVWA source code. You will review the RATS report and submit it as a deliverable for this lab.

1. Restore the PuTTY terminal window.

2. At the command prompt, type rats --html /var/www/DVWA > /home/student/rats.html and press Enter to start a RATS scan of the DVWA source code and write a report to the student directory.

3. At the command prompt, type cp /home/student/rats.html /var/www/html/scan/rats.html and press Enter to copy the RATS report to the same directory as the skipfish results.

[Figure: Execute the RATS static analysis]

4. Minimize the PuTTY terminal window.

5. Restore the browser window and open a new tab.

6. In the new browser tab, type http://172.30.0.11/html/scan/rats.html in the browser's address box and press Enter to open the RATS report from the scan directory created by skipfish.

[Figure: RATS file]

7. In the browser window, use the scrollbar to locate the RATS results portion of the report and review each issue identified by RATS to familiarize yourself with the content of the report.

[Figure: RATS results]

8. From the browser toolbar, click the menu icon, then click the Save Page icon to open the Save As dialog box.

9. In the Save As dialog box, navigate to the Desktop folder, then type yourname_S1_rats in the File name field, replacing yourname with your own name, and click Save to save the RATS report to the vWorkstation desktop.

[Figure: Save RATS report]

10. Minimize the browser window and restore the PuTTY terminal window.

11. At the command prompt, type cd /var/www/DVWA/vulnerabilities/xss_r/source and press Enter to change the directory to the source code for DVWA's Reflected Cross-site Scripting (xss_r) tests.

12. At the command prompt, type ls and press Enter to list the files in the current directory. The system should display three files: high.php, medium.php, and low.php. These files contain the source code for the XSS tests when the DVWA security is set to high, medium, or low.

[Figure: XSS test files]

13. At the command prompt, type vi high.php and press Enter to open the high.php file in the vi Editor and review the code.

[Figure: View the high.php file]

Note: This code uses a function to escape malicious content (htmlspecialchars). htmlspecialchars is a PHP function that transforms special characters so that they display according to XHTML standards, which reduces the risk of reflecting malicious code back to the user. According to the manual page for this function on the php.net website, the characters translated are:

   & (ampersand) becomes &amp;
   " (double quote) becomes &quot; when ENT_NOQUOTES is not set
   ' (single quote) becomes &#039; only when ENT_QUOTES is set
   < (less than) becomes &lt;
   > (greater than) becomes &gt;

14. In the vi Editor, press Esc, then type :q and press Enter to close the editor without making any changes and return to the command prompt.

15. Repeat steps 13-14 to review the code in the low.php file.

16. In the Lab Report file, summarize the differences in the source code for these two security levels.

17. Restore the browser window.

18. In the browser window, review the Skipfish and RATS results.

19. In the Lab Report file, compare the results of both the RATS and Skipfish reports.
Note: Both dynamic and static analysis tools are necessary for a complete picture of an application's vulnerabilities. As a dynamic analysis tool, skipfish doesn't have access to the source code. It simply follows links and attempts to find vulnerabilities, such as XSS and SQL injection, which could be exploited by an attacker. RATS doesn't specifically test for these common vulnerabilities. Instead, as a static analysis tool, it looks for risky coding practices that could lead to vulnerabilities a hacker could exploit. RATS, for example, identifies where the eval() function is used in the source code because someone performing white-box testing could attempt to inject arbitrary commands into the eval() function.

WebScarab is another penetration-testing tool, not covered in this series, which can be used as a complement to skipfish. WebScarab is used as an intercepting proxy to the web browser, which means all requests from the client browser and responses from the server can be intercepted and manipulated by WebScarab. For an experienced penetration tester, this can be advantageous, as he/she can further examine areas of interest and attempt to exploit them. As new web vulnerabilities are discovered, a user of WebScarab can use this tool to exploit them and prepare for remediation more quickly.

20. Restore the PuTTY terminal window.

21. At the command prompt, type sed -i 's# //noauth # dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT. #' /var/www/DVWA/dvwa/includes/dvwaPage.inc.php and press Enter to re-enable the login authentication for DVWA.

[Figure: Restore the login authentication]

22. At the command prompt, type exit and press Enter to close the PuTTY terminal window.

23. Minimize the PuTTY terminal window and restore the browser window.

24. In the browser, click the Damn Vulnerable Web App (DVWA) tab and click the browser's Refresh button to reload the Damn Vulnerable Web Application. The DVWA should open to the login screen, indicating that the login authentication has been re-enabled for this application. If you do not see this login screen, maximize the PuTTY terminal window and repeat steps 17-19.

[Figure: DVWA login screen]

25. At the login screen, enter the following credentials and click Login to verify that the authentication has been restored properly.

   Username: admin
   Password: password

   If you are not able to log in using the login credentials above, use the following alternate credentials.

   Username: pablo
   Password: letmein

   The DVWA should open to the Welcome screen. If it does not open, repeat steps 20-25.

Note: This completes Section 1 of this lab. In the next steps, you will use the File Transfer folder to move any files from the vWorkstation to your local system that are to be submitted as part of your lab deliverables. Refer to the instructions in the Common Lab Tasks document for more information on how to use this function.

26. On the vWorkstation desktop, drag the deliverable files into the File Transfer folder and click the link text to complete the download to your local computer.

   yourname_S1_skipfish.html
   yourname_S1_rats.html

Section 2: Applied Learning

Note: SECTION 2 of this lab allows you to apply what you learned in SECTION 1 with less guidance and different deliverables, as well as some expanded tasks and alternative methods.
You will also explore some PHP coding vulnerabilities. Please confirm with your instructor that you have been assigned Section 2 before proceeding. 1. On your local computer, create the Lab Report file. Frequently performed tasks, such as how to create the Lab Report file, make screen captures, and download files from the lab, are explained in the Common Lab Tasks document. You should review these tasks before starting the lab. 2. If you already completed Section 1 of this lab, you will need to reset the virtual environment before beginning Section To reset the virtual environment, complete one of the following options. a. Click Options > Reset Lab to restore all virtual machines to their base state. This will take several minutes to complete. If you do not see the vWorkstation desktop after five minutes, click Options > Reload Lab to reload your lab connection. b. Click Disconnect, then select Discard Changes to end your lab session without creating a StateSave. If you previously created a StateSave, delete the StateSave at the launch page, then start a new lab session. 3. Proceed with Part 1. Part 1: Skipfish Security Scan Note: In this part of the lab, you will use skipfish to perform a dynamic scan for vulnerabilities on the Damn Vulnerable Web Application (DVWA). Skipfish has mostly predefined rules for testing common vulnerabilities. It is fast and can provide a good overview of the state of the Web application. Once it is configured, skipfish can be scheduled to run at predetermined intervals and doesn’t require human intervention to do its job. 
Page 26 of 39 Performing Dynamic and Static Quality Control Testing Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07 First, you will run a batch file that will prepare the lab environment, and then you will use PuTTY to create a remote connection to the lab’s web server, TargetLinux01 (DVWA), and disable the login authentication requirement for the DVWA so that skipfish will be able to scan the application for vulnerabilities. 1. Open a PuTTY session to DVWA, the Linux server hosting the Damn Vulnerable Web Application (DVWA). If prompted, login to the server using the following credentials. Username: root Password: toor 2. At the command prompt, execute cd /var/www/DVWA/dvwa/includes to navigate to the /var/www/DVWA/dvwa/includes directory. 3. At the command prompt, execute cp dvwaPage.inc.php /var/www/DVWA/dvwa/includes/dvwaPage.inc.php.bk to make a backup copy (dvwaPage.inc.php.bk) of the dvwaPage.inc.php file. 4. At the command prompt, execute ls to list the files in the directory. Page 27 of 39 Performing Dynamic and Static Quality Control Testing Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07 List files 5. At the command prompt, execute sed -i 's#dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT.# //noauth #' /var/www/DVWA/dvwa/includes/dvwaPage.inc.php to disable authentication for the DVWA. This command ensures that the DVWA is available to skipfish without requiring the login credentials. Disable authentication Page 28 of 39 Performing Dynamic and Static Quality Control Testing Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07 6. Minimize the PuTTY session, then launch the Firefox browser and navigate to http://172.30.0.11/DVWA. You should arrive at the Damn Vulnerable Web Application’s Welcome page, bypassing the login screen. If the Welcome screen does not appear, repeat steps 5-6, correcting any errors you find. DVWA Welcome page 7. 
Restore the PuTTY terminal window and execute vi dvwaPage.inc.php to open the file you just altered, then scroll down to locate the //noauth code. 8. Make a screen capture showing the location of //noauth code and paste it into the Lab Report file. 9. In the vi Editor, type :q and press Enter to exit the vi Editor without saving any changes and return to the command prompt. Page 29 of 39 Performing Dynamic and Static Quality Control Testing Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07 10. At the command prompt, execute vi dvwaPage.inc.php.bk to open the backup file, then scroll down to the location of the //noauth code in the altered file. This file shows the code before it was altered by the change in step 5. 11. In the vi Editor, type :q and press Enter to exit the vi Editor without saving any changes and return to the command prompt. 12. In the Lab Report file, describe how the change affected the dvwaPage.inc.php file. Note: In the next steps, you will use skipfish commands to perform a dynamic scan on the DVWA. You will review the skipfish report and save a copy to submit it as a deliverable for this lab. Skipfish has mostly predefined rules for testing common vulnerabilities. It is fast and can provide a good overview of the state of the Web application. Once it is configured, skipfish can be scheduled to run at predetermined intervals and doesn’t require human intervention to do its job. 13. At the command prompt, execute skipfish -h to review the skipfish command line options. Use the scrollbar to explore the skipfish options. 14. At the command prompt, execute mkdir -p /var/www/html/high to make a new directory. The -p option will make parent directories as needed and ignore error messages if directories already exist. 15. At the command prompt, execute cd /home/student/skipfish to navigate to the /home/student/skipfish directory. 16. 
At the command prompt, execute skipfish -I "DVWA" -W /dev/null -b i -o /var/www/html/high -C "security=high" -C "PHPSESSID=1234test" -r 50000 http://172.30.0.11/DVWA/vulnerabilities to start a skipfish scan that will send 50,000 requests to the DVWA website and write an HTML version of the report in the new scan directory. Page 30 of 39 Performing Dynamic and Static Quality Control Testing Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07 When prompted, press Enter to continue or wait for the command to process on its own. This scan takes several minutes and the terminal window will display the progress throughout the scan. Skipfish scan command 17. When the scan is completed, minimize the PuTTY terminal window. Skipfish vulnerability scan completed Page 31 of 39 Performing Dynamic and Static Quality Control Testing Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07 18. In the browser window, open a new tab and navigate to http://172.30.0.11/html/high to review the scan created by skipfish. Your scan may not match the scan in the following figure. View the skipfish report 19. Locate the Issue type overview portion of the report, then click each issue to expand it and explore the links within each category to familiarize yourself with the content of the report. Hover over the icons (red, yellow, blue, gray, and green circles) in the Issue type overview section to discover skipfish categorization levels. 20. As you review the skipfish report, click the phpinfo.php link in the Incorrect or missing charset (low risk) category to view the page. Note: When reviewing the phpinfo page, you will see that it displays the operating system, hostname, Page 32 of 39 Performing Dynamic and Static Quality Control Testing Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07 the packages installed on the server, and more. 
This information can be used to formulate an attack against the server. It is important to be aware of the information on your servers. Even an off-the-shelf product, such as DVWA, can contain information hazardous to your security profile. Running your own security scans can identify harmful information before it is discovered by someone else. If you were to review the code in this file, you would see only three lines of code. <?php phpinfo() ?> PHPInfo page Page 33 of 39 Performing Dynamic and Static Quality Control Testing Internet Security: How to Defend Against Attackers on the Web, Second Edition - Lab 07 21. Close the phpinfo.php tab and save the skipfish scan results to the vWorkstation desktop as yourname_S2_skipfish, replacing yourname with your own name. Part 2: RATS Security Scan of Code Note: RATS (Rough Auditing Tool for Security), part of the HP Fortify Software Security Center, is a static analysis tool used for scanning C, C++, Perl, PHP, Python (and soon Ruby) source code and flagging common security related programming errors, such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions. RATS is a free tool that scans source code and flags common security related programming errors, such as buffer overflows. As its name implies, the tool performs only a rough analysis of source code. It will not find every error and will also find things that are not errors. Manual inspection of your code is still necessary, but greatly aided with this tool. RATS can provide an offline analysis of an application’s source code. It requires direct access to the source code and will flag unsafe coding practices and/or functions and methods used. It is useful to help steer developers away from unsafe development practices that could be used as a means to exploit the software. In the next steps, you will use RATS commands to perform a static analysis scan on the DVWA source code. 
You will review the RATS report and submit it as a deliverable for this lab.

1. Restore the PuTTY terminal window.

2. At the command prompt, execute rats --html /var/www/DVWA > /home/student/rats.html to start a RATS scan of the DVWA source code and write an HTML report to the student directory. (Without --html, RATS prints a plain-text report to the terminal.)

3. At the command prompt, execute cp /home/student/rats.html /var/www/html/high/rats.html to copy the RATS report to the same directory as the skipfish results.

4. Restore the browser window, open a new tab, and navigate to http://172.30.0.11/html/high/rats.html to open the scan results created by RATS.

5. In the browser window, locate the RATS results portion of the report and review each issue identified by RATS to familiarize yourself with the content of the report. Each entry names the file, the line number, the flagged function and a severity; that is all RATS knows, and it is up to you to open the file and decide whether the call is reachable with attacker-controlled data.

(Figure: RATS results)

6. Save the RATS report to the vWorkstation desktop as yourname_S2_rats, replacing yourname with your own name.

7. Restore the PuTTY terminal window.

8. At the command prompt, execute cd /var/www/DVWA/vulnerabilities/xss_r/source to change to the directory containing the source code for DVWA's Reflected Cross-site Scripting (xss_r) tests. This directory contains three files: high.php, medium.php, and low.php. These files contain the source code for the reflected XSS test when the DVWA security level is set to high, medium, or low, respectively.

9. At the command prompt, execute vi high.php to open the high.php file in the vi Editor and review the code.

(Figure: View the high.php file)

Note: This code uses the PHP function htmlspecialchars() to escape potentially malicious content before it is reflected back to the browser.
htmlspecialchars() converts the characters that have special meaning in HTML into their entity equivalents, so the browser renders them as literal text instead of interpreting them as markup; this is what prevents a reflected value from being executed as script. According to the manual page for this function on the php.net website, the characters translated are:

& (ampersand) becomes &amp;
" (double quote) becomes &quot; when ENT_NOQUOTES is not set
' (single quote) becomes &#039; only when ENT_QUOTES is set
< (less than) becomes &lt;
> (greater than) becomes &gt;

Note that the single quote is only encoded when ENT_QUOTES is passed (before PHP 8.1 the default flags did not include it), so a value placed inside a single-quoted HTML attribute is not protected by the defaults. Always pass ENT_QUOTES and name the character set explicitly.

10. Close the vi Editor without making any changes and return to the command prompt.

11. Repeat steps 9-10 to review the code in the medium.php file.

12. Repeat steps 9-10 to review the code in the low.php file.

13. In the Lab Report file, summarize the differences in the source code for these three security levels. Use the internet to research PHP functions as needed.

14. Restore the browser window.

15. In the browser, review the skipfish and RATS results.

16. In the Lab Report file, compare the results of the RATS and skipfish reports.

Note: Both dynamic and static analysis tools are necessary for a complete picture of an application's vulnerabilities. As a dynamic analysis tool, skipfish has no access to the source code. It simply follows links and sends crafted requests, looking for vulnerabilities such as XSS and SQL injection that an attacker could exploit. RATS does not test for these vulnerabilities directly. Instead, as a static analysis tool, it looks for risky coding practices that could lead to vulnerabilities an attacker could exploit. RATS, for example, reports every place the eval() construct is used in the source code, because any attacker-controlled data that reaches eval() is executed as PHP code; a reviewer with access to the source (white-box testing) then checks each reported location to see whether user input can actually reach it.
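As an added example, not code from DVWA or from this lab, the following PHP script models three reflected-XSS handlers in the spirit of the low, medium and high levels reviewed in steps 9-12 and feeds each of them the same attacker-controlled inputs, so the difference between no filtering, a blacklist, and htmlspecialchars() with ENT_QUOTES is visible side by side. The three handler functions, the blacklist used for the medium level, and the sample payloads are all constructed for this illustration and are not DVWA's actual source files.

```php
<?php
// Added example (not DVWA's source): three handlers for a reflected
// "Hello <name>" page, in the spirit of the low, medium and high levels.

// Level "low": user input is concatenated straight into the HTML.
function greet_low(string $name): string {
    return '<pre>Hello ' . $name . '</pre>';
}

// Level "medium": a blacklist that strips one literal tag. Blacklists are
// bypassed by case changes, nesting, or a different tag altogether.
function greet_medium(string $name): string {
    $filtered = str_replace('<script>', '', $name);
    return '<pre>Hello ' . $filtered . '</pre>';
}

// Level "high": contextual output encoding. ENT_QUOTES makes both quote
// characters encode too (single quote becomes &#039;), so the value is
// also safe inside a quoted HTML attribute.
function greet_high(string $name): string {
    $escaped = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return '<pre>Hello ' . $escaped . '</pre>';
}

// Rough check used only by this example: strip the template's own markup and
// see whether anything that came from user data still opens an HTML tag.
function introduces_tag(string $html): bool {
    $inner = substr($html, strlen('<pre>Hello '), -strlen('</pre>'));
    return (bool) preg_match('/<[a-z]/i', $inner);
}

// Constructed attacker inputs, each chosen to defeat the level below it.
$payloads = [
    'plain'         => 'Bob',
    'script_tag'    => '<script>alert(1)</script>',
    'upper_case'    => '<SCRIPT>alert(1)</SCRIPT>',          // str_replace is case-sensitive
    'nested_tag'    => '<scr<script>ipt>alert(1)</script>',  // survives one str_replace pass
    'event_handler' => '<img src=x onerror=alert(1)>',       // no <script> tag at all
];

printf("%-14s %s\n", 'payload', 'low medium high  (1 = live tag reaches the browser)');
foreach ($payloads as $label => $p) {
    printf("%-14s %-3d %-6d %d\n", $label,
        introduces_tag(greet_low($p)),
        introduces_tag(greet_medium($p)),
        introduces_tag(greet_high($p)));
}
```

Run it with php on any PHP 7 or later interpreter. Only the plain script_tag payload is stopped by the blacklist; the other three get through the medium handler untouched, while the high handler turns every one of them into inert text because the < that starts a tag is emitted as &lt;.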
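To show what a rough auditing tool like RATS actually does with PHP source, here is an added example (it is neither RATS nor code from this lab) that tokenizes a constructed PHP snippet with PHP's own token_get_all() and reports every call to a short list of risky sinks, including the eval() construct the note above mentions. The snippet under test and the sink list are assumptions made for this illustration; a real tool carries a far larger database, and, like this script, it does not know whether the argument is attacker-controlled.

```php
<?php
// Added example of a rough static check in the spirit of RATS. It flags
// risky calls by name and line; like RATS it does not trace where the
// argument comes from, so a human still has to read each hit.

// Constructed PHP source to audit (held in a string so the example runs
// stand-alone). Nowdoc syntax, so nothing inside is interpolated.
$sample_source = <<<'PHP'
<?php
$cmd  = $_GET['cmd'];
$out  = shell_exec("ping -c 1 " . $cmd);      // OS command injection sink
eval('$x = ' . $_POST['expr'] . ';');         // code injection sink
$safe = htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
echo "<pre>$safe</pre>";
PHP;

// Function names RATS-style tools treat as dangerous (assumed subset).
const RISKY_FUNCTIONS = [
    'exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open',
    'preg_replace', 'unserialize',
];

/**
 * Return [line, name] pairs for each call to a risky function or to eval().
 * eval is a language construct, so it arrives as a T_EVAL token rather than
 * a T_STRING identifier; ordinary functions are T_STRING followed by "(".
 */
function find_risky_calls(string $source): array {
    $tokens = token_get_all($source);
    $hits   = [];
    $n      = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)) {
            continue;                      // single-character tokens such as "(" or ";"
        }
        list($id, $text, $line) = $t;
        if ($id === T_EVAL) {
            $hits[] = [$line, 'eval'];
            continue;
        }
        if ($id !== T_STRING || !in_array(strtolower($text), RISKY_FUNCTIONS, true)) {
            continue;
        }
        // Skip whitespace and confirm the identifier is actually being called.
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j < $n && $tokens[$j] === '(') {
            $hits[] = [$line, strtolower($text)];
        }
    }
    return $hits;
}

foreach (find_risky_calls($sample_source) as $hit) {
    list($line, $name) = $hit;
    printf("line %d: call to %s() - verify the argument cannot be attacker-controlled\n",
        $line, $name);
}
```

On the constructed snippet this reports shell_exec() on line 3 and eval() on line 4 and says nothing about htmlspecialchars() on line 5. Note what it cannot tell you: that $cmd and $_POST['expr'] are untrusted. That is the gap the lab's manual review in vi is meant to close, and the reason RATS output is a worklist rather than a list of confirmed vulnerabilities.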
WebScarab is another penetration-testing tool, not covered in this series, which can be used as a complement to skipfish. WebScarab runs as an intercepting proxy between the Web browser and the server, which means every request from the browser and every response from the server can be inspected and modified before it is passed on. For an experienced penetration tester this is valuable, because a finding from an automated scan can be examined by hand and an exploit attempted against it. As new Web vulnerabilities are discovered, a WebScarab user can test for them manually and prepare remediation more quickly.

17. Restore the PuTTY terminal window.

18. At the command prompt, execute sed -i 's# //noauth # dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT. #' /var/www/DVWA/dvwa/includes/dvwaPage.inc.php to re-enable the login authentication for DVWA. (The sed command puts the dvwaRedirect() call back in place of the //noauth marker that was substituted for it earlier in this lab.)

19. Close the PuTTY terminal window and restore the browser window.

20. In the browser, click the Damn Vulnerable Web App (DVWA) tab and refresh the page. The DVWA should open to the login screen, indicating that login authentication has been re-enabled for this application. If you do not see the login screen, maximize the PuTTY terminal window and repeat steps 18-20.

21. Log in to the application with the following credentials to verify that authentication has been restored properly.

Username: admin
Password: password

If you are not able to log in using the credentials above, use the following alternate credentials.

Username: pablo
Password: letmein

The DVWA should open the Welcome screen. If it does not open properly, repeat steps 18-20.

Note: This completes Section 2 of this lab. In the next steps, you will use the File Transfer folder to move any files from the vWorkstation to your local system that are to be submitted as part of your lab deliverables.
Refer to the instructions in the Common Lab Tasks document for more information on how to use this function.

22. On the vWorkstation desktop, drag the deliverable files into the File Transfer folder and click the link text to complete the download to your local computer.

yourname_S2_skipfish.html
yourname_S2_rats.html

Section 3: Lab Challenge and Analysis

Note: The following challenge questions are provided to allow independent, unguided work, similar to what you will encounter in a real situation. You should aim to improve your skills by getting the correct answer in as few steps as possible. Use screen captures in your lab document where possible to illustrate your answers.

Part 1: Analysis and Discussion

Why is RATS a valuable tool for analyzing web code?

Part 2: Tools and Commands

Using the skipfish -h command, describe the purpose of the skipfish command used in this lab:

skipfish -I "DVWA" -W /dev/null -b i -o /var/www/html/scan -C "security=low" -C "PHPSESSID=1234test" -r 50000 http://localhost/DVWA/vulnerabilities

Part 3: Challenge Exercise

Run a skipfish report against the website at www.corporationtechs.com. Save the results as yourname_corptech, replacing yourname with your own name, and submit it as a deliverable for this lab. Run this scan only from within the lab environment: skipfish sends tens of thousands of requests and must never be pointed at a host you are not authorized to test.