Kingston University Thesis - Design and Implementation of a Secure Web Application

DESIGN AND IMPLEMENTATION OF A SECURE WEB APPLICATION
GEORGIOS DELAPORTAS
Master of Science in Networking and Data Communications
THESIS
Kingston University LondonKingston University London

Kingston University London
Thesis Title
Design and Implementation of a Secure Web Application
Dissertation submitted
for the Degree of Master of Science in Networking and Data
Communications
By
GEORGIOS DELAPORTAS
SUPERVISOR
DR. PANAGIOTIS KOTZANIKOLAOU
KINGSTON UNIVERSITY, SCHOOL OF COMPUTING AND
INFORMATION SYSTEMS
ΤEI OF PIRAEUS, DEPARTMENTS OF ELECTRONICS AND
AUTOMATION
JANUARY 2011

TABLE OF CONTENTS
1. Introduction …………………………………………………………………...5
2. Setting up and test environment ……………………………………...….……8
2.1. The virtual machine ……………………………………………….....8
2.2. The Windows 2003 server ………………………………………….10
2.3. The Apache web server ……………………………….…………….12
2.4. The PHP interpreter and Smarty engine …………………….………13
2.5. The MySQL RDBMS ……………………………………….……...14
2.6. Other configurations and options ………………………………...…16
2.7. Design and development of a demo web application ………............17
2.7.1. Design concepts …………………………………………..17
2.7.2. Development concepts ……………………………………19
3. Vulnerability assessment ……………………………………………………22
3.1. Vulnerability scanners ……………………………………………...22
3.2. Port scanners ……………………………………………………..…28
3.3. Packet sniffers and analyzers ……………………………………….31
3.4. Intrusion detection systems …………………………………………32
3.5. Passwords strength tests …………………………………………….33
3.6. Exploits of the web application ……………………………………..35
3.7. Comments on results ………………………………………………..36
4. Proposed solutions, security measures and configurations ………………….38
4.1. General solutions …………………………………………………...38
4.2. Firewalls ……………………............................................................43
4.3. SSL ………………………………………………………………....44

4.4. Advanced configurations ……………………...…….……….……45
4.5. Quality Assurance of the web application …………………..…….46
5. Conclusions ………………………………………………...………..…….48
References ………………………………………………………....…….…….49
Appendix A – Source code …………………….……………………...............52
Appendix B – Detailed security reports ………………………………….……61

1. Introduction
The Internet nowadays offers many applications on the web. Web applications can
handle and manage today what, only a few years ago, would be difficult if not
totally impossible. It is globally accepted that the Internet has tremendously
involved. The World Wide Web offers to the companies penetration to the world
wide market in more intelligent, efficient and instant ways. The new trends in e-
commerce the last decade and the need for instant advertising in many fashions all
over the world at the same time, marks the Internet as the most suitable tool in
comparison to the classic TV or radio broadcasts. As soon as the companies and
organizations realized this and that the Internet can host applications already
presented as individual programs for PCs then a new era has begun [3].
Web applications are today very popular indeed. They offer services all over the
globe simultaneously based on the web. This is critical due to the consumers’
needs and the speed of the e-marketing. These are the most superior reasons that
web applications had so shortly been accepted and adapted. Some of these web
applications are more complex systems that are preferred to be called platforms or
e-platforms and host other applications that rely on them. Well known paradigms
of global web applications are social network applications such as facebook and
mySpace. Other big categories of popular web applications are the Enterprise
Resource Planning (ERP), Content Relationship Management (CRM), and
Content Management System (CMS). Especially for Content Management
Systems the development the last 4 years is growing rapidly. Projects such as
Joomla! [15], Drupal [16], OSCommerce [17], Zen Cart [18] and other CMS have
given the ability to setup mini platforms not even to companies but also to end
users in order to develop personal web pages or even large-scale e-shops. An e-
shop sells through the web what the salesmen would sell to you at your door, well
not actually the same product since in the price we do not include the cost for the
salesman, the time taken for him to come and find you and your house, the
precious time lost to discover your needs and certainly it does not ring your bell.
This may sounds funny but it isn’t. It’s the reality. The Internet minimizes costs,
risks, time, and human resources and automates even the billing procedures. The

most usual ways of payment is by credit card, either by an e-banking system
utilizing SSL based encryption and server certification or by integrating a special
purpose payment service such as PayPal [3].
At a first glance it seems that the web applications are capable to offer many
services to clients at a low cost and with a low risk. But, is this true? Well this is
not totally true and that is what this research is going to present through a series of
tests in a demo web server running a typical web application. Due to hackers and
unnumbered deceptions, which have been publicly known over the last years, it is
now common sense that the underlying technologies of every web application or
e-platform must rely on secure infrastructures, technologies and must be based on
secure computing techniques, in order, to protect all critical information.
Furthermore, as new exploits and vulnerabilities continuously arise, the
infrastructures need to be continuously and extensively tested and verified [3], [4].
In the next chapters we will discuss and analyze a scenario where a demo web
application that acts as a profile manager is assessed from a security point of
view. We will design and develop the test web application and we will perform a
vulnerability assessment throughout all the technologies applied, in order to
identify possible security weaknesses and exploits.
The rest of this thesis is organized as follows:
In the second chapter, we will discuss and choose all the underlying technologies
and features that will support our application. In section 2.1, we will present
possible alternatives in order to setup the virtual machine that will host our web
application. We will explore possible technologies for the web server, the
application server and the database server. In section 2.2, after explaining and
describing the configurations we will setup a typical Windows 2003 server
enterprise edition. After the setup we will explain and configure basic subjects
and we will move on the setting up of the Apache web server (section 2.3), the
PHP interpreter (section 2.4) and the MySQL database management system
(section 2.5). In section 2.6, we will describe the basic configurations and we will
finalize the setup. In section 2.7, we will discuss the engineering behind the web

application. In this chapter we will develop the web application mainly in PHP
and JavaScript. The web application will be based on a custom made CMS, called
ALPHA CMS [11], developed by the author. More specifically we will discuss
the design, the development concepts and the software architecture, in sections
2.7.1 and 2.7.2 respectively.
In the third chapter, we will assess the web server for possible vulnerabilities and
we will discuss and analyze the system based on the results or the produced
reports. In section 3.1 a few vulnerability scanners such as Nessus [19] will be
used. In section 3.2, a few port scanners such as NMap [20] and Super Scan [21]
will scan the server for unsafe ports. In section 3.3, packets sniffers and analyzers
such as Wire Shark [22] will check the integrity and security of the information
that flows through the system. In section 3.4, the Snort [23], an intrusion detection
system, will be setup in order to protect the server from intruders and will be
tested through simulated attacks against the system. In section 3.5, we will test the
strength of the passwords that are used in the Windows system. In section 3.6, we
will try to discover any exploits and we will inject the exploits to investigate
existing bugs that may crash the application. In section 3.7 we will analyze and
discuss the results.
The fourth chapter will propose security measures and will provide solutions for
each corresponding layer of the Internet stack model, based on the vulnerabilities
indicated in the previous chapter. More specifically the solutions will be divided
into the IP layer, the TCP/UDP layer and the application layer. In section 4.1, we
will propose firewall solutions. In section 4.2, we will discuss a solution based on
Secure Socket Layer. In section 4.3, we will propose some advanced hardening
configurations, in order, to make the system more secure by following well known
security best practices. In section 4.4, we will analyze and assess the web
application. More specifically, our analysis will be targeted to the software
architecture, the interconnections with the database and the database itself [1].
Finally, the fifth chapter will conclude this thesis by summarizing the findings and
the lessons learned throughout the development and security assessment of the
test web application.

2. Setting up and test environment
In this chapter we will present the procedure of setting up of the test environment
and will explicitly analyze the choices and the reasoning behind our selection of
specific technologies. The second chapter is divided into seven parts. Each part
discusses a vital part of the infrastructure that will host our web application. Part
2.7 is also divided in other two subparts in order to separate the design from the
development or in other words the view from the actual code and the inner
architecture. Each part will also include some useful terminologies and a typical
technical analysis of the corresponding software.
2.1. The virtual machine
This part discusses the concepts of choosing a virtual machine to host the web
server and analyzes the pros and cons in contrast to a physical system. First of all
we need to define what a virtual machine is.
A virtual machine (VM) is a software implementation of a physical machine, a
computer, which executes programs as if it were the real machine. Today VMs are
used everywhere because they cut down costs and provide easier disaster
recovery. Popular VMs are Microsoft Virtual PC [24], VMware Workstation [25],
Xen [26], Oracle VirtualBox [5] and Parallels Workstation [27]. With
virtualization a server can host more than one Operating Systems (O/S) at the
same time. In our scenario the host machine is running a Linux O/S that has a VM
that hosts our virtual web server. We have selected Linux for the physical
machine because it offers advanced administration and flexibility. Also, Linux
systems are usually more efficient and faster than a system running a typical
Windows O/S. We have chosen Oracle VirtualBox as the VM because it is free,
Oracle offers support though, it supports Linux and Windows hosts either as host
or operating systems, it is reliable and has very good performance that reaches
almost 99% of the real system utilization when it uses Intel VT-x or AMD-V
extensions.

The procedure for the installation is pretty simple. First of all we open a terminal
and make sure that our setup executable has the executable permission bit
enabled. To do so, we use the command: “chmod +x vm_setup_name.bin”
Then we just run it through the following command: “./vm_setup_name.bin”.
The rest of the installation is wizard based with on screen instructions. A restart
may be required if our Linux distribution requests it. Otherwise we can
immediately start the virtual machine by typing: “./virtualbox”.
We are now ready to configure the options in order to run our guest operating
systems.
Our VM has the following options:
 Dynamically use the real machine C.P.U
 Consume 256 MB of RAM from host O/S
 Consume 32 MB from Super VGA for graphics
 Use 10.0 GB of space as a virtual hard disk
 Use real machines’ DVD drive
 Use a virtual NIC to enable network support for the guest O/S using
Host-Only virtual interface to interconnect the host and the guest O/S
(Intel PRO/1000 T Server 82543GC)
 Enable VRDP for remote administration
 VM name: MyWebServer
The VM has been optimized to host a Windows Server 2003 Enterprise Edition
(x86) with NTFS (32 bit) as file system.

Figure 1. The virtual machine interface
2.2. The Windows 2003 server
This part discusses the concepts of choosing the guest O/S that will be hosted in
the virtual machine. For the purposes of our web application we had unnumbered
choices. We could choose among many provided O/S such as Linux [28], IBM
AIX [29], Solaris [30], BSD [31] or any Windows [32] version. However,
according to the market and statistics we have seen that the operating system that
is more popular as a web server is Windows Server 2003 [6]. This means that
such a popular O/S is being continuously threatened by hackers and certainly has
exploits, vulnerabilities and bugs. So this is the most productive and suitable O/S
to run a demo web application and assess it. The setup of the Windows 2003
server will not have extra features or advanced configurations. The purpose is to
assess a typical standardized installation, which unfortunately is commonly
applied by non skillful web administrators or web developers.

The procedure for a Windows 2003 installation is more or less known and all we
have to do is to follow the installation wizard. When finished we may install the
VM Tools that will provide us with better interface experience. The VM Tools
will install drivers for mouse acceleration, display drivers and a few disk
acceleration drivers that will enable better hard disk caching and speed
optimizations. Finally we will configure a few options.
The actual configuration of Windows 2003 Server setup is as follows:
 Server name: “MYWEBSERVER”
 SP1
 R2 Add-ons
 DHCP assigned IP address
 NTFS file system (32 bit)
 No updates
 No firewall
 No antivirus
 No optimizations enabled
 No extra features
 No advanced configurations
Detailed information for the credentials used, can be found on table 1.

Figure 2. The server desktop
2.3. The Apache web server
This part discusses the installation and configuration of the web server. A web
server is a piece of software that serves web data to web clients through an HTTP
stream. The web server has to be installed on a physical machine that hosts a web
page. Every time a user (web client) requests a page on the Internet the web server
replies to the request by forwarding the web page data to the client. The user must
have a typical web client interface (e. g. Internet Explorer [33], Mozilla Firefox
[34], Google Chrome [35]) in order to render the data into something meaningful.
For our purposes we have chosen the Apache web sever [7]. Apache is the most
popular web server software that offers many features and supports all the cutting
edge technologies on the web. Apache is stable, reliable and fast. It can handle
many simultaneous connections and offers many useful features for web
administrators. It runs either on Linux, UNIX or Windows. In comparison to
Microsoft IIS [36], Apache is more and extensible with lots of modules and that is
the basic reason that the Apache web server will be the base for our web
application.

In order to install apache we just double click the executable and follow the
instructions of the setup wizard. It is important to note that we would better install
all the features and modules included in the installation plus the SSL support.
Apache is a smart software. So even if we install all features we will not be forced
to use them at the same time. Instead we will be able to configure and enable each
and every option separately.
Figure 3. The Apache web server
2.4. The PHP interpreter and Smarty engine
This part discusses the installation and configuration of the PHP interpreter [8].
PHP is an acronym form Hypertext Pre-Processor. PHP is a widely used general
purpose scripting language that is especially suited for web development and can
be embedded into HTML. PHP is the de facto scripting language for dynamic web
pages. PHP runs on server side and that offers safety and speed to web
applications. PHP offers object oriented programming, a rich suite of instructions,
helping functions and a smart cashing engine that speeds up web page rendering.

Smarty engine [9] is a template engine and a scripting language written in PHP.
Smarty is used to design web sites programmatically. It offers fine tuned operators
and is useful for web designers. It also supports an advanced caching engine that
extends the PHP caching capabilities.
PHP and Smarty, together, result to a strong tool that divides design from code.
Using Smarty to design the layout of the web page and PHP to program it, we
enable a smart and convenient architecture for easy manageability and
extensibility.
To install the PHP interpreter we double click the executable and follow the on
screen instructions of the wizard. We have to install most of the supported
modules and among them the most important ones are the MySQL, MySQLi and
PECL.
Finally we will install the ALPHA CMS. To install it we just copy the
“alpha_cms” folder extracted by the “ALPHA_CMS.zip” file and change the
permissions of the following folders to 777:
1. /smarty/templates_c
2. /smarty/cache
3. /conf
4. /admin/ewcfg.php
ALPHA CMS which will be the base of our web application. ALPHA CMS
supports a combination of AJAX and Model - View – Controller (MVC)
architecture [2].
2.5. The MySQL RDBMS
This part discusses the installation and configuration of MySQL DB Server [10].
A SQL server is a piece of software that serves user queries that ask for data
formatted in various ways. The SQL server also hosts the actual data in a data

base. A data base in simple words is a system that organizes data in structures that
offer either hierarchical or semantic ways of combining these data.
For our purposes we have used Oracle’s MySQL [10]. We install the MySQL
server by simply double clicking the executable and following the wizard screens.
The most important step is when the wizard asks us to choose the best usage type
of the database. Among the options we will choose a general usage database and
the database type to be MyISAM.
Oracle’s MySQL Relational Data Base Management System is a very popular,
fast and reliable RDBMS that is supported by the vast majority of scripting
languages on the web including PHP. MySQL supports ANSI SQL 99 and many
useful features such as SSL support for encrypted remote connections, query
caching and two fast storage engines MyISAM, InnoDB and Falcon which is still
in a beta phase.
Detailed information for the credentials used, can be found on table 1.
Figure 4. The MySQL server

2.6. Other configurations and options
We can have advanced configurations that affect more than one parts of our
system. The following configuration affects the way that Apache and PHP
manage the URLs and handle them internally.
The Apache web server offers numerous configurations to optimize and secure the
infrastructure. One of the most useful Apache modules is the Rewrite Engine.
A rewrite engine is a software that modifies a web URL's appearance. Rewritten
URL's are used to provide shorter and more relevant-looking links to web pages.
The technique adds a degree of separation between the files used to generate a
web page and the URL that is presented to the world [7].
A rewrite engine can be used in conjunction with a hypertext access file
(.htaccess) that configures the web server on demand only for the local directory.
Hypertext access files can be used for:
 Authorization and authentication. Apache provides a framework and a
set of modules for authorization and authentication. The administrator
can enable these modules and configure specific options in the .htaccess
file.
 Customized error responses. Apache provides a way to customize the
error responses. The administrator can enable, disable, redirect or even
choose what the error pages would look like through the .htaccess file.
 Rewriting URLs. Apache provides a framework and a set of modules for
URL rewriting through the .htaccess file. The administrator can enable
these modules and define how any URL would look like in the web
client’s explorer address bar.
 Cache control. Apache provides commands for simple cache
configuration through the .htaccess file. An administrator can set the
expiration dates or the amount of RAM that the web server will use for
cache.

By configuring the web server this way the PHP “sees” the URLs in a more
human readable way and this is the way we should use them from now on. A good
example would be “/index.php?page=test” which would be transformed to “/test”.
It is important to note that the usage of a hypertext file is not always the best
choice because we can make our server inconsistent and act differently for
different directories. The best scenario though is to configure globally the web
server with httpd.conf and add any extra options to .htaccess.
2.7. Design and development of a demo web application
This part discusses and refers to general concepts of the demo web application.
We will implement this demo web application using the technologies that were
referred in the previous parts and we will design it based on a clean-cut
architecture. The base of our web application will be ALPHA CMS 3.8, an
advanced A.P.I-free open source CMS written in PHP and Smarty by the author.
The web application we are going to implement is a demo of a Customer
Relationship Management (CRM) system. Our web application implements only
the profile manager for the contacts. The subparts that follow discuss all the
design concepts and the development concepts.
2.7.1. Design concepts
In this part we will discuss the web application design concepts. The web
application needs to be straightforward and easy to use and understand. The main
screen will provide a simple login form with two input texts and a submit button.
The home page should give the ability to the users to alter basic information plus
extra features for categorization based on the company needs. To do so, the home
page should offer a simple environment including text boxes, text areas, option
boxes and two buttons for saving or cancellation. The back-end is going to be the
ALPHA CMS administration panel which will enable us to add dynamic HTML,
labels, boxes etc.

Figure 5. The demo web application (Login screen)
Figure 6. The demo web application (Home screen)

2.7.2. Development concepts
In this part we will discuss the web application development concepts. The web
application will be based on ALPHA CMS 3.8 and will be developed mainly in
PHP, Smarty, and MySQL. Some useful code of JavaScript and AJAX may be
needed too. The code architecture will follow that of ALPHA CMS, since the web
application will be based on that platform. The Model – View – Controller (MVC)
architecture divides the design from the coding and thus helping us to aim on the
development of functions rather than aiming on the design concepts [2].
Our web application needs to be fast, reliable, easily extensible, offering smart
and easy deployment, easily maintainable, dependable and of course error free. To
be able to provide all the above characteristics, the MVC architecture is the most
suitable choice. MVC enables the views, the web page and their functionality, to
be completely separated from what the code does and how the real model, the
database, is designed. The controller is actually one or more files that acts as the
interface among the views, dynamically generated web pages, and the actual
database [2].
It is important now, to explain a few things about the code and the usage of its
language in our web application. First of all, PHP is the body of the application.
PHP is a very useful server side technology for dynamic web content.
PHP has the following important features which make it useful and very easy for
server side development:
 PHP can run either autonomously either embedded in an HTML
 PHP code always runs only inside the “<?php” and “?>” delimiters.
 PHP has no data types. Each variable is assigned to a data type
automatically according to the data that is going to store. Also there is no
declaration of variables. Each variable is self declared upon its first usage.
 PHP offers hundreds of functions and thousands through extensions.
 PHP has an automatic garbage collector which keeps memory clean.

 PHP is both functional and object oriented.
 PHP is secure.
 PHP is very fast.
 PHP is a scripting language and thus very easy to learn and use.
JavaScript is useful too for client side options, such as the system that changes the
locality. Smarty template engine gives us a fine grade of control to alter the design
and MySQL offers great SQL support to interact with the database through PHP.
The MySQL database name that we will use is: ALPHA. A detailed description for
the most significant code segments of PHP, Javascript and MySQL code
developed for the project can be found on the Appendix A. For the full source
code please see the directories: “/WebApp” and “WebApp - Optimized”.
Finally, the back-end will be the tool that will enable us to administer all the
HTML entities in the front-end at design time. The back-end will be secured and
would need a username and password. For information on the credentials see the
table 1.
The above will be the core and the basis for a solid implementation.
Figure 7. The demo web application back-end (Administration panel)

System/Application/User Credentials
Windows Server 2003 Username: Administrator
Password: 1234567890
MySQL Username: root
Password: 1234567890
ALPHA CMS - Admin panel Username: admin
Password: admin
George Delaportas Username: test1
Password: test12345678
Other user Username: test2
Table 1. System, applications and users credentials

3. Vulnerability assessment
In this chapter we will discuss the vulnerability assessment process, we will refer
to the most well known vulnerability detection tools and we will run tests and
produce reports.
In general vulnerability assessment is a process that identifies, quantifies and
ranks the security vulnerabilities in a system.
Vulnerability assessment has many things in common with risk assessment.
Vulnerability assessment performs the following steps:
1. Cataloging assets and resources in a system.
2. Assigning importance to those resources.
3. Identifying the vulnerabilities or potential threats to each resource.
4. Mitigating or eliminating the most serious vulnerabilities for the most
valuable resources.
So, into the next parts we will use tools that will identify risks and threats, we will
discuss on their causes and produce reports for them. We will open these reports
with Notepad++ [37]. Notepad++ is a universal editor that can handle various file
types. We are going to use Notepad++ because each report has been produced by
various tools thus having different structure.
Finally we will discuss and comment on the results in order to be able to propose
solutions in the next chapter.
3.1. Vulnerability scanners
Vulnerability scanners are tools that scan for problems on a host machine. They
also check usual cases for misconfigurations and security risks.

In this part we will scan our test web server with a very well known and proven
vulnerability scanner, the Nessus scanner [19]. There are numerous vulnerability
scanners on the Internet and the market but Nessus has a huge and updated
database of the most recent and risky threats. We will also use the Microsoft
Baseline Security Analyzer (MBSA) [38] to investigate for Microsoft specific
vulnerabilities and security issues.
Figure 8. Nessus

Figure 9. MBSA
First of all we need to install Nessus. The procedure is very simple and mostly
automated. We just double click the setup program and all we have to do is to
follow the instructions of the setup wizard. After the installation takes place it is
important to update the vulnerabilities database. After the update we run Nessus
we got back a very long report on many vulnerabilities. As you may notice, the
Nessus categorizes the vulnerabilities in groups of low, medium and high risk.
The full report is in HTML format into the folder: “ReportsVM SimpleTenable”
and the configuration used, in folder: “ReportsVM SimpleTenableNessus
Client”.
Then, we will install the MBSA. The installation of MBSA is even simpler. We
run the installer and it automatically downloads all the current updates. Then we
run the executable and wait till the scan stops. To see the MBSA report, go to
folder: “ReportsVM SimpleMBSA”.
Table 2 summarizes the most common vulnerabilities and risks found by both
Nessus and MBSA. More detailed reports of Nessus and MBSA can be found on
Appendix B.

According to the reports we have:
1. 5 open ports
2. 35 low severity risks
3. 8 medium severity risks
4. 30 high severity risks
System Risk Severity
Windows Server
2003
The remote host listens on TCP port
445 and replies to SMB requests. By
sending an NTLMSSP authentication
request it is possible to obtain the
name of the remote system and the
name of its domain.
LOW
Windows Server
2003
The remote host is running one of the
Microsoft Windows operating
systems. It is possible to log into it
using one of the following accounts:
- NULL session
- Guest account
- Given Credentials
LOW
Windows Server
2003
The remote version of Windows
contains a version of the RPC library
protocol which is vulnerable to a
Denial of Service attack in the NTLM
authentication field.
HIGH

An attacker may exploit this flaw to
crash the remote RPC server and the
remote system.
Windows Server
2003
The remote host contains a version of
the Win32 API which is vulnerable to
a security flaw which may allow a
local user to elevate his privileges and
might allow a remote attacker to
execute arbitrary code on this host. To
exploit this flaw, an attacker would
need to find a way to misuse the
Win32 API. One way of doing so
would be to lure a user on the remote
host into visiting a specially crafted
web page.
HIGH
Windows Server
2003
The remote version of Windows
contains a version of the TCP/IP
protocol which does not properly parse
IGMPv3, MLDv2 and ICMP structure.
An attacker may exploit these flaws to
execute code on the remote host.
HIGH
Apache web server
The remote web server supports the
TRACE and/or TRACK methods.
TRACE
and TRACK are HTTP methods which
are used to debug web server
connections.
In addition, it has been shown that
servers supporting the TRACE method
are subject to cross-site scripting
MEDIUM

attacks, dubbed XST for "Cross-Site
Tracing", when used in conjunction
with various weaknesses in browsers.
An attacker may use this flaw to trick
your legitimate
web users to give him their
credentials.
Apache web server
Attempted to determine the presence
of various common dirs on the remote
web server.
The following directories were
discovered:
/cgi-bin, /config, /doc,and /mysql
LOW
PHP
According to the change log of
http://www.php.net the PHP 5.2.9-1
has several security flaws. The most
important have to do with the
intercommunication of PHP and
MySQL subsystem and the OpenSSL
library.
HIGH
MySQL
No vulnerabilities found.
Just a slight decrease of performance. LOW
Table 2. Common vulnerabilities for the test web application
We are not going to analyze all the risks – though we should in a real scenario –
but we will choose among them the most important that affect directly our web
application. So, first of all we need to search for vulnerabilities that affect our test

web server. Then we need to see what causes problems and security risks to the
Apache web server, the PHP interpreter, the MySQL database and look for
security holes in their intercommunication.
Lastly, among the open ports, two TCP ports, 80 and 443 are the most important
and should remain opened in order to be able to communicate with the web
server. Port 443 (HTTPS) is not used in the default configuration but it’s going to
be used to the optimized one later on.
3.2. Port scanners
In this part we will scan our test web with a port scanner. A port scanner, simply
put, is a piece of software that probes a network host for open ports. There are
thousands of port scanners but we will use two very good and informative
scanners called SuperScan [21] and ZenMap [39] (Nmap’s GUI).
Port scanners in general categorize found ports in groups.
Such groups most frequently are:
 Open or Accepted ports
 Closed or Denied ports
 Filtered or Blocked ports
There are many port scanning types but among them, the most widely used are:
 TCP scanning
 UDP scanning
 SYN scanning
 ACK scanning

 FIN scanning
 Window scanning
Figure 10. SuperScan
Figure 11. ZenMap

The next table shows a sub list of the scanned ports and their services. We have
scanned the web server with ZenMap in intense mode. The intense mode scans
both the most common and the best known vulnerable ports and does O/S
detection. The issued command is:
“nmap –T4 –A –v –PE –PS 22,25,80 –PA 21,23,80,3389 192.168.56.101”, where
PE, PS and PA is scan for ports that are enabled, that have a session open and are
alive respectively.
Then we have scanned the web server with SuperScan with all the options
enabled. These options enable scan for common port scanning, NetBIOS
information, user and group accounts, network shares, trusted domains and
Windows services.
The full report of SuperScan is in the directory: “ReportsVM SimpleSuperScan”
and the full report of ZenMap is in the directory: “ReportsVM SimpleZenMap”.
Apache2.2 Running Apache2.2 (80)
MySQL Running MySQL (3306)
LmHosts Running TCP/IP NetBIOS Helper (139)
RemoteRegistry Running Remote Registry (445)
RpcSs Running Remote Procedure Call (135)
Table 3. Port scanner report (subset)
At a first glance the report does not show anything suspicious. For an experienced
administrator though, this subset of the report should raise an alarm. First of all
the MySQL service should not be reachable from the outside world but only
inside the web server since any attacker could connect through the Internet and
destroy the data base. This is a very serious mistake that most administrators
underestimate. Also the RPC and Remote Registry should not be open because it
would allow an intruder to exploit a possible vulnerability and connect remotively
to the system or even worse, to erase critical information such as the registry.

Finally, the “LmHosts” service should be filtered with a firewall because an
attacker can fetch the NTLM hashes and crack them locally.
3.3. Packet sniffers and analyzers
In this part we will use a packet sniffer and analyzer to analyze the traffic and the
requests and responses of our web application. A packet sniffer - analyzer is a
software programs that intercepts and logs traffic passing over a digital network.
The most widely used packet analyzer is WireShark.
Packet analyzers are most commonly used for:
 Analyzing network problems
 Detect network intrusion attempts
 Monitor traffic
 Gather and report network statistics
 Filter suspect content from network traffic
Figure 12. WireShark

As we can see in figure 12, the packet analyzer has resolved our web application
user credentials in clear text. This is a very critical vulnerability and requires
further security measures to be taken!
A full inspection of the captured packets can be found on the directory:
“ReportsVM SimpleWireShark”.
3.4. Intrusion detection systems
In this part we will configure an intrusion detection system (IDS). Intrusion
detection systems are hardware or software applications that monitor system and
network activity for malicious activities or policy violations according to a
predefined set of rules. They also produce reports and log each action. The next
generation of intrusion detection systems, are known as intrusion prevention
systems (IPS). An IPS is also able to block or deny any unauthorized actions.
The IDS/IPS we are going to use is the Snort. Snort IDS [23] is one of the most
known open-source IDS/IPS. In order to install an configure Snort we followed
the on-screen instructions of the setup wizard. Then we run the Snort through the
Windows command line.

Figure 13. Snort IDS/IPS
We have scanned with ZenMap, in intense scan mode, our web server and Snort
caught all the packets in all ports according to a rule set we have downloaded
from its web site. The full report of Snort is in the directory: “ReportsVM
SimpleSnort”.
3.5. Passwords strength tests
Password auditors/crackers are software that can test and verify the strength of a
given password. In this part we will apply a password auditor and a password
cracker in order to verify the passwords used in the test system. For the purpose of

our tests we are going to use the Cain and Abel [40]. Cain and Abel, password
cracking suite, which is the de-facto tool for password auditing, cracking and
recovery.
Figure 14. Cain and Abel
As we can see from figure 14, Cain and Abel cracked the web server 2003
Administrator password. In order to crack it instantly we have used two methods
supported by the Cain and Abel suite. The first method we used is the dictionary
attack. The suite tried thousands of combinations in a sample dictionary and found
a match. The cracking time was a few minutes. The second method we used is a
far more advanced and fast technique, known as rainbow tables attack and is
based on rainbow tables. Rainbow tables are tables of Giga Bytes of data
containing the hash values of keywords generated by a generator. The generator
we have used is called WinRTGen [41] it is shown in figure 15.

Figure 15. WinRTGen
The cracking time with the rainbow table was just a few seconds. Unfortunately,
the Cain and Abel suite does not export any reports or logs but you may test it
again in the VM.
3.6. Exploits of the web application
In this part we will use special software to exploit our web application. The
software is Wikto [42]. Wikto is one of the best auditing and exploitation open
source platforms and offers numerous capabilities.
Figure 16. Wikto

Wikto has scanned our web application and found many exploits. The most
significant of them are the fact that many configuration directories and files are
exposed to the public. Also the password files are readable by anyone and the
sessions are not encrypted so each time a user logs in the credentials are
transferred as clear text over the Internet. The full report of Wikto is in the
directory: “ReportsVM SimpleWikto”.
3.7. Comments on results
In this part we will review and comment the security assessment results.
According to our plan, we shall successfully design and setup a secure web
application. The application currently seems to be working though it suffers from
various vulnerabilities, risks, threats and exploits. Table 4 shows a list of the most
important security vulnerabilities identified in all steps of our assessment.
# Vulnerability Description Security Level Tool
1 Multiple
vulnerabilities that
enable attackers to
penetrate into the
system.
Multiple security
updates were not
installed. Also a very
important malicious
software removal tool
is missing.
Critical MBSA
2 Telnet and time
server attacks.
Some potentially
unnecessary services
are installed.
High MBSA
3 Possible O/S
detection.
An attacker may be
able to detect the
exact O/S version and
exploit certain
Medium ZenMap

services.
4 Windows RPC port
is open.
An attacker may
exploit the Windows
RPC and gain full
access to the remote
system.
Critical Nessus
5 MySQL port 3306
is open.
An attacker may
connect to the remote
MySQL server and
destroy the data base.
Critical
Nessus
6 Users password
never expires.
It is possible to
retrieve users whose
password never
expires using
the supplied
credentials.
Medium Nessus
7 Vulnerabilities in
Windows TCP/IP
Could Allow
Remote Code
Execution.
The remote version of
Windows contains a
version of the TCP/IP
protocol which does
not properly parse
IGMPv3, MLDv2 and
ICMP
structure. An attacker
may exploit these
flaws to execute code
on the remote host.
High Nessus
8 Remote Registry is
on.
At attacker may
connect to the remote

system and delete the
registry or change
critical information.
High SuperScan
9 The time
synchronization
service is running.
This could allow to a
remote attacker to
penetrate the system
by exploiting flaws of
this service.
Medium
SuperScan
Table 4. Summary of the most important vulnerabilities identified.
According to the previous reports our web application is mostly vulnerable to
external network attacks rather than to the inside ones. This is though a critical
point since the web applications need to be accessible from the Internet and thus
the potential attacks could be hundreds per second.
We would rather secure our web server in a bottom up process covering all the
interaction layers. First of all we need to secure TCP and IP layers by employing a
firewall, and then we need to eliminate the web application exploits by optimizing
the code and possibly by enabling SSL. Finally we could fine tune the system
with a few extra configurations.
Our goal is to be as protected as possible from an unexpected external attacker
that is continuously scanning the system. In the next chapter, we will analyze the
identified vulnerabilities and we will propose effective security solutions to
counter them.

4. Proposed solutions, security measures and configurations
In this chapter we will first discuss general solutions to deal with the
vulnerabilities identified in the previous chapter. These solutions are mostly
security related. We will also reconfigure the system in order to optimize the
application for supporting a high capacity of load and truly fast responses. Then
we will propose more specific solutions and countermeasures, mainly for the
firewall and the SSL configuration. There will also be a more advanced
configuration overview which might be considered as extreme measures for a
critical scenario. Finally, we will go through a Quality Assurance (QA) of the
source code and the user interface of the web application. This is the last part of
our analysis. After that we should have a full featured optimized web server that
will be able to support our web application on high loads with no obvious security
risks.
4.1. General solutions
In this part we will discuss general security solutions. According to the results of
chapter 3 we need to focus on external access while covering exploits. Before this,
as a first step we should seek for solutions in the O/S layer of the server that hosts
our web application. Then we will focus on the external threats.
The examined server runs a quite large set of programs, applications and services
that interact with each other, many of which are not required. Obviously, flaws
and occasional instability issues might arise. So we have to make sure that only
the necessary programs are running.
The list that follows describes the basic O/S security hardening actions:
 Password Policy: First of all we need to setup a password policy and to
reset the credentials into a new and more secure combination according to
the chosen policy. This can be applied by configuring the local security
policy: “Control Panel  Administrative Tools  Local Security
Policy”. From there we can set the minimum accepted password length,

the accepted vocabulary, size limits and finally a policy for expiration.
Then we have to reset the old password and enter a new and stronger one.
The policy we have set requires at least 10 characters length for the user
password, at least 1 number and does not let you to use the username as a
password. See Table 5 below for details.
System/Application/User Credentials
Windows Server 2003 Username: Administrator
Password: #4dm1n@myw3b53rver!
MySQL Username: root
Password: my5ql
ALPHA CMS - Admin panel Username: admin
Password: 4dm1n@b4ckp4n3l#!
George Delaportas Username: test1
Other user Username: test2
Table 5. Optimized credentials
As you may have noticed form table 4, the users passwords left unchanged since
the users themselves have to protect their sensitive information. The MySQL
password remains less secure but still more complex than the initial one. This is
because the database is being accessed only internally and there is no need of a
more secure policy. Finally, the ALPHA CMS – Administration panel password is

being changed to something more scrambled in order to remain secure since it can
be seen from anyone with internet access.
Figure 17. Cain and Abel – Optimized
 Windows Services Optimization: The second action is to deactivate all the
Windows services that we will not need for our web application. To do so
we need to go to: “Control Panel  Administrative Tools  Services”.
The list that follows shows the services that can and should be deactivated:
o Application Experience Lookup Service
o Help and Support
o Print Spooler
o Remote Registry
o Telephony
o Windows Audio
o Windows Time
o Wireless Configuration

 Remove Irrelevant Applications: After that, we would need to make sure
that any applications that are irrelevant to our web application will be
removed. Once we are ready we should install all security related and
critical updates of Windows Server 2003. Finally, it would be a good idea
to install a lightweight anti virus such as AVG Free [12].
 Cleanup Caches and Disks: Finally, we have cleared all the previous
caches and cleaned up the disk from any junk – temp data or unneeded
files and defragged the hard disk for maximum performance.
We run the MBSA again after the optimizations and the report is now clean. We
have managed to eliminate the most critical security vulnerabilities. Among all we
have updated the Windows 2003 server. The full report of MBSA is in the
directory: “ReportsVM OptimizedMBSA”.
Figure 18. MBSA – Optimized

4.2. Firewalls
This part is dedicated to firewalls. If all the general configuration where
successfully applied then we should configure an external and dedicated firewall
in order to protect our server from XSS and DoS attacks.
The vast majority of dedicated firewalls today offer a great list of ready made
configurations for different scenarios. Our approach is to use a very basic but
wide adapted configuration methodology that will protect the web server and
won’t push the firewall to its limits.
There is one gold rule, among others, for the least needed basic configuration of a
good firewall and this is to deny access of all inbound or outbound ports.
Proposed steps:
1. The first step is to deny any inbound and outbound connections by default.
2. Secondly we should decide which ports should be left free to bypass the
firewall according to the web services we use and the server services. In
our case we should only leave port 80 (HTTP) and port 443 (HTTPS) to be
left opened. To be more specific we should filter data that come through
port 80 and we should redirect all traffic to port 443 in order to offer
secure transfers between clients and the server.
3. Then we may add a few options for IP packets such as fragmentation
limits in order to avoid IP fragmentation attacks.
We run the Nessus scanner again and the report only shows low and medium
security risks of which only one is significant. The full report of Nessus is in the
directory: “ReportsVM OptimizedNessus”.

Figure 19. Nessus – Optimized
4.3. SSL
This part discusses the need of SSL and its importance to our web application.
Secure Sockets Layer (SSL) is a cryptographic protocol which provides secure
connections between entities over the Internet. SSL uses symmetric cryptography
to protect data being transferred over the Internet.
A good way to secure our users so that their username and passwords or their
personal data will never be available to the public, we need to connect them to the
server through an encrypted connection. In order to do so we will setup an SSL
certificate to the web server and we will enable SSL functionality and SSL over
HTTP (HTTPS). After this configuration all the data being transferred from or to
the server and the client will be encrypted and integrity protected.
In order to use the SSL we generate a certificate with PuTTYGen [43]. Then we
put this certificate in the Apache configuration and enable the SSL support

through the “httpd-conf” file. If we call the server with the https protocol then our
connection will be encrypted with SSL.
4.4. Advanced configurations
This part is dedicated to a set of more advanced configurations that will automate
a few procedures and will give to the users and administrations a more secure and
consistent environment.
We may optionally do the three following steps:
1. Make sure that users who reach port 80 (HTTP) will automatically be
redirected to port 443 (HTTPS). We can easily do that my editing the
.htaccess file which can be found in the root directory of our web
application and adding the following lines:
Options +FollowSymLinks
IndexIgnore *
DirectorySlash on
DirectoryIndex index.php
RewriteEngine On
RewriteBase /
RewriteCond %{SERVER_PORT} ^80$
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI}
[R,L]

2. Also, we can protect the file that has the configurations inside by writing:
# Prevent viewing of .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>
3. Finally, we may enable compression of the HTTP headers so that HTTP
requests will get to the server more quickly. This can be done by adding:
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE application/javascript
application/x-javascript text/css text/javascript text/html text/x-js
</IfModule>
For all the other reports see the directory: “ReportsVM Optimized”.
4.5. Quality Assurance of the web application
In this part we will discuss the web application design and a few issues on the
source code. Then we will analyze it and we will try to assure its quality with
various criteria the logic and functioning behind the application.
The quality assurance can be divided into two subsections. The first subsection is
the web interface – user interface and the second subsection is the source code
performance, stability and effectiveness.

See the subsections below.
1. Web Interface
The user interface is lightweight, simple and straightforward. The point is to
enable users to edit their profiles in seconds with almost no effort. The interface
of this sample demo is pretty small and so we do not have to do an extensive
analysis, but in a real case scenario we should have a consultation by a team of
usability expertise.
2. Code performance
The code is optimized in order to support many simultaneous connections and this
is supported by the ALPHA Framework and ALPHA CMS A.P.I. ALPHA CMS
provides consistent, stable and fast connections. To be more specific we can check
our test site with the internationally accepted W3C HTML and CSS validators
[13], [14].
According to the results the web interface and the code is sufficient and works
well.

5. Conclusions
In this thesis we have conducted an extensive vulnerability analysis of a test web
application. We have analyzed its components and all its parameters. We have run
vulnerability assessments and proposed solutions. We have optimized the initial
web application and its set up environment and we have tried to make it as fast
and secure as possible. We have used tools to verify and validate the web
application against international protocols and logged all of our actions for any
future needs.
More specifically, we have analyzed the most common security vulnerabilities for
web applications. The most important of them are related to remote attacks and
were critical. Among them, the most significant where the ports that might be left
open and the server side services that the administrators, usually, forget to be shut
down. Thus, we show that the human factor is also a high risk too. We have also
used a set of tools for auditing and we were able to investigate vulnerabilities
from many aspects. We have seen that vulnerability scanners are categorized and
can detect different types of vulnerabilities. There were numerous options and
many exploits that we had to check for and so we have evaluated the web
application with a bottom-up philosophy starting from the IP layer to the
application layer. We have used WireShark to capture Ethernet frames, IP packets
and TCP segments. We have scanned for security vulnerabilities in the application
layer with Nessus, SuperScan and MBSA. Finally, we have investigated the web
services and their interconnections. After that, we proposed solutions and
optimized the system based on the reports. We run the tests again and we have
found that our actions and configurations did have a significant impact to the final
results. We also show that a system needs to be checked periodically for new
vulnerabilities.
In conclusion we have seen that a web application, in order to be considered
secure, needs an extensive analysis and advanced configuration need to be
applied. No system can be considered secure forever but only for a short period of
time. Thus, a regular test in fixed time intervals would minimize the risk.

References
[1] Douglas E. Comer (2004), “Networks and Internetworks”, Prentice Hall.
[2] Trygve Reenskaug (1979), MVC architecture,
“MODELS – VIEWS – CONTROLLERS”, Technical note, Xerox PARC.
[3] Security Focus, http://www.securityfocus.net/ (Accessed: 11-26-2010).
[4] Insecure, http://www.insecure.org/ (Accessed: 11-26-2010).
[5] VirtualBox, http://www.virtualbox.org/ (Accessed: 11-26-2010).
[6] Microsoft – Windows Server 2003,
http://www.microsoft.com/windowsserver2003/default.mspx
(Accessed: 11-26-2010).
[7] Apache foundation – HTTP server, http://www.apache.org/ (Accessed: 11-
26-2010).
[8] PHP.net, http://www.php.net/ (Accessed: 11-26-2010).
[9] Smarty.net, http://www.smarty.net/ (Accessed: 11-26-2010).
[10] Oracle – MySQL, http://www.mysql.org/ (Accessed: 11-26-2010).
[11] ALPHA CMS, http://www.sourceforge.net/projects/alpha-cms/
(Accessed: 11-26-2010)
[12] AVG Free Edition, http://free.avg.com/ww-en/homepage/ (Accessed: 11-28-
2010)
[13] W3C HTML Validator, http://validator.w3.org/ (Accessed: 11-29-2010)
[14] W3C CSS Validator, http://jigsaw.w3.org/css-validator/ (Accessed: 11-29-
2010)
[15] Joomla! CMS, http://www.joomla.org/ (Accessed: 01-05-2011)
[16] Drupal CMS, http://www.drupal.org/ (Accessed: 01-05-2011)

[17] OS Commerce, http://www.ocommerce.com/ (Accessed: 01-05-2011)
[18] Zen Cart, http://www.zen-cart.com/ (Accessed: 01-05-2011)
[19] Nessus vulnerability scanner, http://www.nessus.org/ (Accessed: 01-05-
2011)
[20] NMap security scanner, http://www.nmap.org/ (Accessed: 01-05-2011)
[21] SuperScan 4.0, http://www.mcafee.com/us/downloads/free-
tools/superscan.aspx
(Accessed: 01-05-2011)
[22] WireShark, http://www.wireshark.org/ (Accessed: 01-05-2011)
[23] Snort IDS/IPS, http://www.snort.org/ (Accessed: 01-05-2011)
[24] Virtual PC, http://www.microsoft.com/windows/virtual-pc/ (Accessed: 01-
05-2011)
[25] VMware Workstation, http://www.vmware.com/products/workstation/
(Accessed: 01-05-2011)
[26] Xen, http://www.xen.org/ (Accessed: 01-05-2011)
[27] Parallels Workstation, http://www.parallels.com/eu/products/desktop/pd4wl/
(Accessed: 01-05-2011)
[28] Linux, http://www.linux.org/ (Accessed: 01-05-2011)
[29] IBM AIX, http://www-03.ibm.com/systems/power/software/aix/index.html
(Accessed: 01-05-2011)
[30] Solaris, http://www.oracle.com/us/products/servers-
storage/solaris/index.html
(Accessed: 01-05-2011)
[31] BSD, http://www.freebsd.org/ (Accessed: 01-05-2011)
[32] Windows, http://www.microsoft.com/windows/ (Accessed: 01-05-2011)

[33] Internet Explorer,
http://windows.microsoft.com/en-US/internet-explorer/products/ie-9/home
(Accessed: 01-05-2011)
[34] Mozilla Firefox, http://www.mozilla.com/en-US/firefox/ (Accessed: 01-05-
2011)
[35] Google Chrome,
http://www.google.com/chrome/intl/en/landing_chrome.html?hl=en
(Accessed: 01-05-2011)
[36] Microsoft IIS, http://www.iis.net/overview (Accessed: 01-05-2011)
[37] Notepad++, http://notepad-plus-plus.org/ (Accessed: 01-05-2011)
[38] MBSA, http://technet.microsoft.com/en-us/security/cc184924
(Accessed: 01-05-2011)
[39] ZenMap, http://nmap.org/ZenMap/ (Accessed: 01-05-2011)
[40] Cain and Abel, http://www.oxid.it/cain.html (Accessed: 01-05-2011)
[41] WinRTGen, http://www.oxid.it/projects.html (Accessed: 01-05-2011)
[42] Wikto, http://www.sensepost.com/labs/tools/pentest/wikto (Accessed: 01-05-
2011)
[43] PuTTYGen,
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
(Accessed: 01-05-2011)

Appendix A – Source code
In this appendix we are presenting a few important code segments. The appendix
is separated into 2 sections. The first one shows the vulnerable code and the
second one the optimized one.
1. Code segments of initial vulnerable code for the test web application
Dynamic HTML:
if (!defined('ALPHA'))
die('ERROR: Unable to load ALPHA CMS!');
// Current language
$this_lang = $new_alpha->Get_Language();
echo '<center>';
echo '<div id="logo">OMEGA Web-CRM</div>';
// Create a Smarty instance;
$new_smarty = $new_alpha->Smarty_Object();
// Languages
echo '<div id="all_langs">';
$languages = $new_alpha->Load_Language('*');
$new_smarty->assign('languages', $languages);
$new_smarty->display('lang.tpl');
echo '</div>';
$new_alpha->Load_Extension('login_form', php);
echo '</center>';
Home:
// Current language
echo '<center>';
echo '<div id="logo">OMEGA Web-CRM <br/>Home</div>';
// Languages

echo '</div>';
session_start();
$save = $new_alpha->Load_Content('save', 'content', $this_lang);
$reset = $new_alpha->Load_Content('reset', 'content', $this_lang);
$logout = $new_alpha->Load_Content('logout', 'content', $this_lang);
$name = $new_alpha->Load_Content('name', 'content', $this_lang);
$surname = $new_alpha->Load_Content('surname', 'content', $this_lang);
$company = $new_alpha->Load_Content('company', 'content', $this_lang);
$rel_type = $new_alpha->Load_Content('relation_type', 'content', $this_lang);
$imm = $new_alpha->Load_Content('immediate', 'content', $this_lang);
$aff = $new_alpha->Load_Content('affiliate', 'content', $this_lang);
$status = $new_alpha->Load_Content('status', 'content', $this_lang);
$active = $new_alpha->Load_Content('active', 'content', $this_lang);
$descr = $new_alpha->Load_Content('description', 'content', $this_lang);
// Open a connection to the DB
$db_con = $new_alpha->Use_DB();
$sql_com = 'SELECT `name` FROM omega_users_data
WHERE (`user_id` = ' . $_SESSION['OMEGA_UID'] . ')';
$result = $new_alpha->Exec_SQL($sql_com, 'name');
$name_data = $result;
$sql_com = 'SELECT `surname` FROM omega_users_data
$result = $new_alpha->Exec_SQL($sql_com, 'surname');
$surname_data = $result;
$sql_com = 'SELECT `company` FROM omega_users_data
$result = $new_alpha->Exec_SQL($sql_com, 'company');
$company_data = $result;
$sql_com = 'SELECT `relation_type` FROM omega_users_data
$result = $new_alpha->Exec_SQL($sql_com, 'relation_type');
$rel_data = $result;
$sql_com = 'SELECT `status` FROM omega_users_data
$result = $new_alpha->Exec_SQL($sql_com, 'status');
$status_data = $result;
$sql_com = 'SELECT `description` FROM omega_users_data
$result = $new_alpha->Exec_SQL($sql_com, 'description');
$desc_data = $result;
echo '<div id="logout">';
echo '<a href="javascript:void(0);" onmousedown="AJAX_Log_Out(' . $_SESSION['OMEGA_UID'] . ');
window.location=' . ''' . ''' . '">';
echo $logout;
echo '</a>';
echo '</div>';

echo '<div id="user_data" style="clear: both; margin-top: 50px; border-style: solid; width: 300px; height: 208px;
padding: 5px;">
<div style="float: left;">';
echo $name;
echo '</div> <input id="text_name" type="text" value="'; echo $name_data; echo '" style="float: left; margin-
left:60px;"/>
<div style="float: left; clear: both;">';
echo $surname;
echo '</div> <input id="text_surname" type="text" value="'; echo $surname_data; echo '" style="float: left; margin-
left:39px;"/>
echo $company;
echo '</div> <input id="text_company" type="text" value="'; echo $company_data; echo '" style="float: left; margin-
left:35px;"/>
echo $rel_type;
echo '</div>
<div style="float: left; margin-left: 7px;">';
echo $imm;
echo '</div>';
if ($rel_data == 1)
{
echo '<input id="radio_1" style="float: left; margin-left: 7px;" type="radio" name="rel_choice" checked="true"
value="1" />
echo $aff;
echo '</div>
<input id="radio_2" style="float: left; margin-left: 7px;" type="radio" name="rel_choice" value="0" />';
}
if ($rel_data == 2)
{
echo '<input id="radio_1" style="float: left; margin-left: 7px;" type="radio" name="rel_choice" value="0" />
echo $aff;
echo '</div>
<input id="radio_2" style="float: left; margin-left: 7px;" type="radio" name="rel_choice" checked="true"
value="1" />';
}

Login form:
// Create a new ALPHA CMS object
$new_login = new ALPHA;
// Current language
$this_lang = $new_login->Get_Language();
$login_username = $new_login->Load_Content('login_username', 'content', $this_lang);
$login_password = $new_login->Load_Content('login_password', 'content', $this_lang);
$login = $new_login->Load_Content('login', 'content', $this_lang);
$new_login->Load_Extension('forms_manager', 'ajax');
?>
<script type="text/javascript" src="extensions/ajax/forms_manager/input_controler.js"></script>
<script type="text/javascript" src="extensions/ajax/forms_manager/form_validator.js"></script>
<script type="text/javascript">
var login_form_elements = new Array();
login_form_elements[0] = 'login_username_text';
login_form_elements[1] = 'login_password_text';
</script>
<div id="login_controls">
<div id="login_username">
<div id="login_username_label">
<?php echo $login_username; ?> 
</div>
<input id="login_username_text" type="text" maxlength="16" onkeypress="Input_Controler(this);"
onkeyup="Input_Controler(this);" />
</div>
<div id="login_password">
<div id="login_password_label">
<?php echo $login_password; ?> 
</div>
<input id="login_password_text" type="password" maxlength="16" onkeypress="Input_Controler(this);"
</div>
<div id="login_button" style="margin-top: 10px" >
<a id="login" class="class_buttons_white_links" href="JavaScript:void(0);" onclick="Form_Validator('login_form',
login_form_elements);">
<?php echo $login; ?>
</a>
</div>

<div id="login_error" class="class_errors"></div>
</div>
2. Code segments of the optimized code for the test web application
Dynamic HTML:
// Current language
echo '<center>';
echo '<div id="logo">OMEGA Web-CRM</div>';
// Languages
echo '</div>';
$new_alpha->Load_Extension('login_form', php);
echo '</center>';
Home:
// Current language
echo '<center>';
echo '<div id="logo">OMEGA Web-CRM <br/>Home</div>';
// Languages

echo '</div>';
session_start();
$save = $new_alpha->Load_Content('save', 'content', $this_lang);
$reset = $new_alpha->Load_Content('reset', 'content', $this_lang);
$logout = $new_alpha->Load_Content('logout', 'content', $this_lang);
$name = $new_alpha->Load_Content('name', 'content', $this_lang);
$surname = $new_alpha->Load_Content('surname', 'content', $this_lang);
$company = $new_alpha->Load_Content('company', 'content', $this_lang);
$rel_type = $new_alpha->Load_Content('relation_type', 'content', $this_lang);
$imm = $new_alpha->Load_Content('immediate', 'content', $this_lang);
$aff = $new_alpha->Load_Content('affiliate', 'content', $this_lang);
$status = $new_alpha->Load_Content('status', 'content', $this_lang);
$active = $new_alpha->Load_Content('active', 'content', $this_lang);
$descr = $new_alpha->Load_Content('description', 'content', $this_lang);
// Open a connection to the DB
$db_con = $new_alpha->Use_DB();
$sql_com = 'SELECT `name` FROM omega_users_data
$result = $new_alpha->Exec_SQL($sql_com, 'name');
$name_data = $result;
$sql_com = 'SELECT `surname` FROM omega_users_data
$result = $new_alpha->Exec_SQL($sql_com, 'surname');
$surname_data = $result;
$sql_com = 'SELECT `company` FROM omega_users_data
$result = $new_alpha->Exec_SQL($sql_com, 'company');
$company_data = $result;
$sql_com = 'SELECT `relation_type` FROM omega_users_data
$result = $new_alpha->Exec_SQL($sql_com, 'relation_type');
$rel_data = $result;

$sql_com = 'SELECT `status` FROM omega_users_data
$result = $new_alpha->Exec_SQL($sql_com, 'status');
$status_data = $result;
$sql_com = 'SELECT `description` FROM omega_users_data
$result = $new_alpha->Exec_SQL($sql_com, 'description');
$desc_data = $result;
echo '<div id="logout">';
echo '<a href="javascript:void(0);" onmousedown="AJAX_Log_Out(' . $_SESSION['OMEGA_UID'] . ');
window.location=' . ''' . ''' . '">';
echo $logout;
echo '</a>';
echo '</div>';
echo '<div id="user_data" style="clear: both; margin-top: 50px; border-style: solid; width: 300px; height: auto; padding:
5px;">
<div style="float: left;">';
echo $name;
echo '</div> <input id="text_name" type="text" value="'; echo $name_data; echo '" style="float: left; margin-
left:60px;"/>
echo $surname;
echo '</div> <input id="text_surname" type="text" value="'; echo $surname_data; echo '" style="float: left; margin-
left:39px;"/>
echo $company;
echo '</div> <input id="text_company" type="text" value="'; echo $company_data; echo '" style="float: left; margin-
left:35px;"/>
echo $rel_type;
echo '</div>
echo $imm;
echo '</div>';
if ($rel_data == 1)
{
echo '<input id="radio_1" style="float: left; margin-left: 7px;" type="radio" name="rel_choice" checked="true"
value="1" />
echo $aff;

echo '</div>
<input id="radio_2" style="float: left; margin-left: 7px;" type="radio" name="rel_choice" value="0" />';
}
if ($rel_data == 2)
{
echo '<input id="radio_1" style="float: left; margin-left: 7px;" type="radio" name="rel_choice" value="0" />
echo $aff;
echo '</div>
<input id="radio_2" style="float: left; margin-left: 7px;" type="radio" name="rel_choice" checked="true"
value="1" />';
}
Login form:
// Create a new ALPHA CMS object
$new_login = new ALPHA;
// Current language
$this_lang = $new_login->Get_Language();
$login_username = $new_login->Load_Content('login_username', 'content', $this_lang);
$login_password = $new_login->Load_Content('login_password', 'content', $this_lang);
$login = $new_login->Load_Content('login', 'content', $this_lang);
$new_login->Load_Extension('forms_manager', 'ajax');
?>
<script type="text/javascript" src="extensions/ajax/forms_manager/input_controler.js"></script>
<script type="text/javascript" src="extensions/ajax/forms_manager/form_validator.js"></script>
<script type="text/javascript">
var login_form_elements = new Array();
login_form_elements[0] = 'login_username_text';
login_form_elements[1] = 'login_password_text';
</script>
<div id="login_controls">
<div id="login_username">
<div id="login_username_label">
<?php echo $login_username; ?> 
</div>

Appendix B – Detailed security reports
In this appendix we are presenting the most significant reports. The appendix is
separated into 2 sections. The first one shows the reports of the initial vulnerable
application and the second one the optimized one.
1. Reports of the initial test web application
MBSA:
Security assessment: Severe Risk
Computer name: MYNETMYWEBSERVER
IP address: 10.0.2.15
Security report name: MYNET - MYWEBSERVER (24-8-2010 5-35 μμ)
Scan date: 24/8/2010 5:35 μμ
Scanned with MBSA version: 2.2.2170.0
Catalog synchronization date:
Security update catalog: Microsoft Update
Security Updates Scan Results
Issue: Developer Tools, Runtimes, and Redistributables Security Updates
Score: Check failed (critical)
Result: 1 security updates are missing.
Security Updates
| MS09-035 | Missing | Security Update for Microsoft Visual C++
2008 Redistributable Package (KB973924) | Moderate |
Issue: Windows Security Updates

| boinc_project |
| SUPPORT_388945a0 |
Issue: Guest Account
Score: Check passed
Result: The Guest account is disabled on this computer.
Issue: Autologon
Score: Check passed
Result: Autologon is not configured on this computer.
Issue: Restrict Anonymous
Score: Check passed
Result: Computer is properly restricting anonymous access.
Snort:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/07-14:39:12.966819 8:0:27:0:4:91 -> FF:FF:FF:FF:FF:FF type:0x800 len:0x5C
192.168.56.1:137 -> 192.168.56.255:137 UDP TTL:128 TOS:0x0 ID:1258 IpLen:20 DgmL
en:78
Len: 50
FE 78 01 10 00 01 00 00 00 00 00 00 20 46 48 46 .x.......... FHF
41 45 42 45 45 43 41 43 41 43 41 43 41 43 41 43 AEBEECACACACACAC
41 43 41 43 41 43 41 43 41 43 41 41 41 00 00 20 ACACACACACAAA..
00 01 ..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/07-14:41:24.668805 8:0:27:8A:8:9C -> FF:FF:FF:FF:FF:FF type:0x800 len:0xFE
192.168.56.101:138 -> 192.168.56.255:138 UDP TTL:128 TOS:0x0 ID:2001 IpLen:20 Dg
mLen:240
Len: 212
11 02 80 2F C0 A8 38 65 00 8A 00 C6 00 00 20 45 .../..8e...... E
4E 46 4A 46 48 45 46 45 43 46 44 45 46 46 43 46 NFJFHEFECFDEFFCF
47 45 46 46 43 43 41 43 41 43 41 43 41 41 41 00 GEFFCCACACACAAA.
20 41 42 41 43 46 50 46 50 45 4E 46 44 45 43 46 ABACFPFPENFDECF
43 45 50 46 48 46 44 45 46 46 50 46 50 41 43 41 CEPFHFDEFFPFPACA
42 00 FF 53 4D 42 25 00 00 00 00 00 00 00 00 00 B..SMB%.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 11 00 00 2C 00 00 00 00 00 00 00 00 00 E8 .....,..........
03 00 00 00 00 00 00 00 00 2C 00 56 00 03 00 01 .........,.V....
00 01 00 02 00 3D 00 5C 4D 41 49 4C 53 4C 4F 54 .....=.MAILSLOT
5C 42 52 4F 57 53 45 00 0C 00 A0 BB 0D 00 4D 59 BROWSE.......MY
4E 45 54 00 00 00 00 00 97 20 E6 77 FF FF 03 0A NET...... .w....
00 10 00 80 FF FF FF FF 4D 59 57 45 42 53 45 52 ........MYWEBSER
56 45 52 00 VER.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
SuperScan:
Apache2.2 Running Apache2.2
BITS Running Background Intelligent Transfer Service
Browser Running Computer Browser
CiSvc Stopped Indexing Service
CryptSvc Running Cryptographic Services

DcomLaunch Running DCOM Server Process Launcher
Dfs Stopped Distributed File System
Dhcp Running DHCP Client
dmadmin Stopped Logical Disk Manager Administrative Service
dmserver Running Logical Disk Manager
Dnscache Running DNS Client
ERSvc Running Error Reporting Service
Eventlog Running Event Log
EventSystem Running COM+ Event System
HidServ Stopped Human Interface Device Access
HTTPFilter Stopped HTTP SSL
ImapiService Stopped IMAPI CD-Burning COM Service
IsmServ Stopped Intersite Messaging
JavaQuickStarterService Running Java Quick Starter
kdc Stopped Kerberos Key Distribution Center
lanmanserver Running Server
lanmanworkstation Running Workstation
LicenseService Stopped License Logging
LmHosts Running TCP/IP NetBIOS Helper
Messenger Stopped Messenger
mnmsrvc Stopped NetMeeting Remote Desktop Sharing
MSDTC Running Distributed Transaction Coordinator
MSIServer Stopped Windows Installer
MySQL Running MySQL
NetDDE Stopped Network DDE
NetDDEdsdm Stopped Network DDE DSDM
Netlogon Stopped Net Logon
Netman Running Network Connections

Nla Running Network Location Awareness (NLA)
NtFrs Stopped File Replication
NtLmSsp Stopped NT LM Security Support Provider
NtmsSvc Stopped Removable Storage
PlugPlay Running Plug and Play
PolicyAgent Running IPSEC Services
ProtectedStorage Running Protected Storage
RasAuto Stopped Remote Access Auto Connection Manager
RasMan Running Remote Access Connection Manager
RDSessMgr Stopped Remote Desktop Help Session Manager
RemoteAccess Stopped Routing and Remote Access
RemoteRegistry Running Remote Registry
rpcapd Stopped Remote Packet Capture Protocol v.0 (experimental)
RpcLocator Stopped Remote Procedure Call (RPC) Locator
RpcSs Running Remote Procedure Call (RPC)
RSoPProv Stopped Resultant Set of Policy Provider
sacsvr Stopped Special Administration Console Helper
SamSs Running Security Accounts Manager
SCardSvr Stopped Smart Card
Schedule Running Task Scheduler
seclogon Running Secondary Logon
Tenable Nessus Running Tenable Nessus
TermService Running Terminal Services
Themes Stopped Themes
TlntSvr Stopped Telnet
TrkSvr Stopped Distributed Link Tracking Server
TrkWks Running Distributed Link Tracking Client
Tssdis Stopped Terminal Services Session Directory

W32Time Running Windows Time
WebClient Stopped WebClient
WinHttpAutoProxySvc Stopped WinHTTP Web Proxy Auto-Discovery Service
winmgmt Running Windows Management Instrumentation
WmdmPmSN Stopped Portable Media Serial Number Service
Wmi Stopped Windows Management Instrumentation Driver Extensions
Nessus:
List of hosts
localhost High Severity problem(s) found
localhost
Scan time :
Start time : Mon Sep 06 14:52:47 2010
End time : Mon Sep 06 15:05:29 2010
Number of vulnerabilities :
Open ports : 5
Low : 35
Medium : 8
High : 30
Information about the remote host :
Operating system : Microsoft Windows Server 2003, Enterprise Edition (English)

NetBIOS name : MYWEBSERVER
DNS name : localhost.
Cumulative Security Update for Internet Explorer (942615)
Synopsis :
Arbitrary code can be executed on the remote host through the web client.
Description :
The remote host is missing the IE cumulative security update 942615.
The remote version of IE is vulnerable to several flaws which may allow an
attacker to execute arbitrary code on the remote host.
Solution :
Microsoft has released a set of patches for Windows 2000, XP, 2003 and Vista :
http://www.microsoft.com/technet/security/Bulletin/MS07-069.mspx
Risk factor :
High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
Plugin output :
- C:WINDOWSsystem32Mshtml.dll has not been patched
Remote version : 6.0.3790.3959
Should be : 6.0.3790.4186
CVE : CVE-2007-0322, CVE-2007-3902, CVE-2007-3903, CVE-2007-4471, CVE-2007-5344, CVE-2007-5347, CVE-
2007-6387
BID : 25544, 26427, 26506, 26815, 26816, 26817, 26819
Nessus ID : 29313
Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275)
Synopsis :
Arbitrary code can be executed on the remote host through the Media File Format.
Description :
The remote host is running Windows Media Player/Service.
There is a vulnerability in the remote version of this software which may
allow an attacker to execute arbitrary code on the remote host.
To exploit this flaw, one attacker would need to set up a rogue
ASF file and send it to a victim on the remote host.

Solution :
Microsoft has released a set of patches for Windows 2000, XP, 2003 and Vista:
http://www.microsoft.com/technet/security/bulletin/ms07-068.mspx
Risk factor :
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Plugin output :
- C:WINDOWSsystem32wmasf.dll has not been patched
Should be : 10.0.0.4000
CVE : CVE-2007-0064
BID : 26776
Other references : OSVDB:39122
Nessus ID : 29312
Vulnerability in RPC Could Allow Denial of Service (933729)
Synopsis :
It is possible to crash the remote server.
Description :
The remote version of Windows contains a version of the RPC library
protocol which is vulnerable to a Denial of Service attack in the NTLM
authentication field.
An attacker may exploit this flaw to crash the remote RPC server (and
the remote system).
Solution :
Microsoft has released a set of patches for Windows 2000, XP, 2003 and Vista :
http://www.microsoft.com/technet/security/bulletin/ms07-058.mspx
Risk factor :
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
Plugin output :
- C:WINDOWSsystem32Rpcrt4.dll has not been patched
Should be : 5.2.3790.4115
CVE : CVE-2007-2228
BID : 25974
Nessus ID : 26964

Wikto:
localhost,/,TRACE / HTTP/1.,generic,TRACE option appears to allow XSS or credential theft.
See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
localhost,/config/,Index of ,generic,This might be interesting...
localhost,/pix/,200,generic,This might be interesting...
localhost,/admin/login.php?action=insert&username=test&password=test,200,generic,php.
Auction may allow user admin accounts to be inserted without proper authentication.
Attempt to log in with user 'test' password 'test' to verify.
localhost,/config/,200,generic,Configuration information may be available remotely.
localhost,/doc/,200,generic,The /doc directory is browsable. This may be /usr/doc.
localhost,/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000,200,generic,PHP reveals potentially
sensitive information via certain HTTP requests which contain specific QUERY strings. OSVDB-12184.
localhost,/index.php?module=My_eGallery,200,generic,My_eGallery prior to 3.1.1.g are
vulnerable to a remote execution bug via SQL command injection.
localhost,/perl/-e%20print%20Hello,200,novell,The PERL interpreter on the novell
system may allow any command to be executed. See BID-5520. Installing Perl 5.6 might fix this issue.
localhost,@CGIDIRSscripts/*%0a.pl,200,generic,This might be interesting...
has been seen in web logs from a scanner.
#Directories
localhost,ListViewItem: { / }
localhost,ListViewItem: { /admin/ }
localhost,ListViewItem: { /cgi-bin/ }
localhost,ListViewItem: { /config/ }

localhost,ListViewItem: { /doc/ }
localhost,ListViewItem: { /admin/images/ }
localhost,ListViewItem: { /admin/js/ }
#Indexable
localhost,ListViewItem: { /config/ }
localhost,ListViewItem: { /admin/images/ }
localhost,ListViewItem: { /admin/js/ }
#Files
localhost,ListViewItem: { /index.php }
localhost,ListViewItem: { /main.php }
localhost,ListViewItem: { /admin/index.php }
localhost,ListViewItem: { /admin/login.php }
ZenMap:
<?xml-stylesheet href="file:///C:/Program Files/Nmap/nmap.xsl" type="text/xsl"?>
<nmaprun start="1283859237" profile_name="Intense scan" xmloutputversion="1.03" scanner="nmap" version="5.21"
startstr="Tue Sep 07 14:33:57 2010" args="nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 192.168.56.101">
<verbose level="1"/>
<debugging level="0"/>
<output type="interactive">
Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-07 14:33 GTB Daylight Time NSE: Loaded 36 scripts for scanning.
Initiating ARP Ping Scan at 14:33 Scanning 192.168.56.101 [1 port] Completed ARP Ping Scan at 14:34, 0.41s elapsed (1
total hosts) Initiating Parallel DNS resolution of 1 host. at 14:34 Completed Parallel DNS resolution of 1 host. at 14:34,
0.03s elapsed Initiating SYN Stealth Scan at 14:34 Scanning 192.168.56.101 [1000 ports] Discovered open port 1025/tcp
on 192.168.56.101 Discovered open port 139/tcp on 192.168.56.101 Discovered open port 135/tcp on 192.168.56.101
Discovered open port 80/tcp on 192.168.56.101 Discovered open port 3306/tcp on 192.168.56.101 Discovered open port
445/tcp on 192.168.56.101 Completed SYN Stealth Scan at 14:34, 1.18s elapsed (1000 total ports) Initiating Service scan at
14:34 Scanning 6 services on 192.168.56.101 Completed Service scan at 14:34, 9.19s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.101 NSE: Script scanning 192.168.56.101. NSE: Starting runlevel 1 (of
1) scan. Initiating NSE at 14:34 Completed NSE at 14:34, 32.14s elapsed NSE: Script Scanning completed. Nmap scan
report for 192.168.56.101 Host is up (0.017s latency). Not shown: 994 closed ports PORT STATE SERVICE VERSION

80/tcp open http Apache httpd 2.2.11 ((Win32) PHP/5.2.9-1) |_html-title: OMEGA CRM |_http-favicon: Unknown favicon
MD5: E7D1FD0921C450F8FFD638F578D1D043 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds 1025/tcp open msrpc Microsoft Windows RPC
3306/tcp open mysql MySQL 5.1.35-community | mysql-info: Protocol: 10 | Version: 5.1.35-community | Thread ID: 9 |
Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection | Status:
Autocommit |_Salt: oS/3Pw+l`zemt}8=j|Tl MAC Address: 08:00:27:8A:08:9C (Cadmus Computer Systems) Device type:
general purpose Running: Microsoft Windows 2003 OS details: Microsoft Windows Server 2003 SP1 or SP2 Network
Distance: 1 hop TCP Sequence Prediction: Difficulty=255 (Good luck!) IP ID Sequence Generation: Incremental Service
Info: OS: Windows Host script results: | nbstat: | NetBIOS name: MYWEBSERVER, NetBIOS user: <unknown>,
NetBIOS MAC: 08:00:27:8a:08:9c | Names | MYWEBSERVER<00> Flags: <unique><active> | MYNET<00> Flags:
<group><active> | MYWEBSERVER<20> Flags: <unique><active> | MYNET<1e> Flags: <group><active> |
MYNET<1d> Flags: <unique><active> |_ x01x02__MSBROWSE__x02<01> Flags: <group><active> | smb-os-
discovery: | OS: Windows Server 2003 R2 3790 Service Pack 2 (Windows Server 2003 R2 5.2) | Name:
MYNETMYWEBSERVER |_ System time: 2010-09-07 14:34:12 UTC+3 |_smbv2-enabled: Server doesn't support
SMBv2 protocol HOP RTT ADDRESS 1 17.02 ms 192.168.56.101 Read data files from: C:Program FilesNmap OS and
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1
host up) scanned in 47.85 seconds Raw packets sent: 1038 (46.384KB) | Rcvd: 1017 (41.260KB)
</output>
<host comment="">
<status state="up"/>
<address addrtype="ipv4" vendor="" addr="192.168.56.101"/>
<address addrtype="mac" vendor="Cadmus Computer Systems" addr="08:00:27:8A:08:9C"/>
<hostnames/>
<ports>
<extraports count="994" state="closed"/>
<port protocol="tcp" portid="80">
<state reason="syn-ack" state="open" reason_ttl="128"/>
<service product="Apache httpd" name="http" extrainfo="(Win32) PHP/5.2.9-1" version="2.2.11" conf="10"
method="probed"/>
</port>
<service product="Microsoft Windows RPC" method="probed" conf="10" name="msrpc"/>
</port>

<service method="probed" conf="10" name="netbios-ssn"/>
</port>
<service product="Microsoft Windows 2003 or 2008 microsoft-ds" method="probed" conf="10" name="microsoft-ds"/>
</port>
<service product="Microsoft Windows RPC" method="probed" conf="10" name="msrpc"/>
</port>
<service product="MySQL" version="5.1.35-community" method="probed" conf="10" name="mysql"/>
</port>
</ports>
<os>
<portused state="open" portid="80" proto="tcp"/>
<portused state="closed" portid="1" proto="tcp"/>
<portused state="closed" portid="42061" proto="udp"/>
<osclass type="general purpose" osfamily="Windows" vendor="Microsoft" osgen="2003" accuracy="100"/>
<osmatch line="27651" name="Microsoft Windows Server 2003 SP1 or SP2" accuracy="100"/>
</os>
2. Reports of the optimized test web application
MBSA:

Report Details for MYNET - MYWEBSERVER (2010-09-08 14:05:25) Security assessment:
Severe Risk (One or more critical checks failed.)
--------------------------------------------------------------------------------
Computer name: MYNETMYWEBSERVER
IP address: 192.168.56.101
Security report name: MYNET - MYWEBSERVER (8-9-2010 2-05 μμ)
Scan date: 8/9/2010 2:05 μμ *** This report is 3 days old. ***
Scanned with MBSA version: 2.2.2170.0
Catalog synchronization date: 2010-08-09T22:13:59Z
Security update catalog: Microsoft Update (offline)
--------------------------------------------------------------------------------
Sort Order: Issue name Score (worst first) Score (best first)
Security Update Scan Results
Score Issue Result
Developer Tools, Runtimes, and Redistributables Security Updates
No security updates are missing.
What was scanned Result details
SQL Server Security Updates
Silverlight Security Updates

Windows Security Updates
Windows Scan Results
Score Issue Result
Incomplete Updates
No incomplete software update installations were found.
What was scanned
Windows Firewall
Windows Firewall is enabled and has exceptions configured. Windows Firewall is enabled on all network connections.
What was scanned Result details How to correct this
Local Account Password Test
Some user accounts (1 of 4) have blank or simple passwords, or could not be analyzed.
Automatic Updates
Updates are automatically downloaded and installed on this computer.
What was scanned

File System
All hard drives (1) are using the NTFS file system.
Autologon
Autologon is not configured on this computer.
What was scanned
Guest Account
The Guest account is disabled on this computer.
Windows Version
Computer is running Microsoft Windows Server 2003.
What was scanned
Internet Information Services (IIS) Scan Results
Score Issue Result
IIS Status
IIS is not running on this computer.
SQL Server Scan Results
Score Issue Result
SQL Server/MSDE Status
SQL Server and/or MSDE is not installed on this computer.

Desktop Application Scan Results
Score Issue Result
IE Zones
Internet Explorer zones do not have secure settings for some users.
What was scanned Result details How to correct this
IE Enhanced Security Configuration for Administrators
The use of Internet Explorer is restricted for administrators on this server.
What was scanned
IE Enhanced Security Configuration for Non-Administrators
The use of Internet Explorer is restricted for non-administrators on this server.
What was scanned
Macro Security
No supported Microsoft Office products are installed.
Snort:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/11-16:26:46.822854 8:0:27:8A:8:9C -> 8:0:27:0:4:91 type:0x800 len:0x1A0
192.168.56.101:443 -> 192.168.56.1:7251 TCP TTL:128 TOS:0x0 ID:11838 IpLen:20 Dg
mLen:402 DF
***AP*** Seq: 0xA79A1524 Ack: 0x6EEE6BB5 Win: 0xF7C6 TcpLen: 20

17 03 01 01 40 1C A5 F8 B8 AA 83 4E E3 A4 05 E3 ....@......N....
00 F0 E3 8C 1B CD 8C 16 D4 CA E9 4E 1C EE 3E E9 ...........N..>.
74 3F 74 D7 3D 33 DA 84 A9 DC E5 B0 F8 98 EA 49 t?t.=3.........I
0B 7E F6 2F D6 D4 DE EE C4 FB BD 82 2C C0 6B 46 .~./........,.kF
25 A3 7F 8F D2 35 69 04 04 CF 85 B9 17 61 51 F8 %....5i......aQ.
EF 28 86 BD AE 56 FA 5D B1 6D 1A F5 00 11 BF 57 .(...V.].m.....W
13 03 3E 9B 2E D9 A5 7F 66 55 A1 85 F3 B4 E8 E7 ..>.....fU......
11 88 08 5A A5 B9 CE A3 C1 BF 14 BE D5 FF 3B 1E ...Z..........;.
D6 5F 2F 5A 1E C0 62 54 86 D9 9C 85 00 50 7A 77 ._/Z..bT.....Pzw
8E CA 31 E7 34 76 93 F1 CB 04 D3 2E 43 4D AA DE ..1.4v......CM..
D7 A6 93 3D F3 3C C1 12 BB 73 54 23 E1 40 B0 B0 ...=.<...sT#.@..
7C C4 E3 E8 A3 D7 BC FB 25 B8 3D E3 91 86 9F 41 |.......%.=....A
5B 78 72 10 13 CD 3B A8 0C 42 A3 E4 36 86 AE 0E [xr...;..B..6...
28 EF 5D 0D 93 02 09 0A 3B 8B A1 A2 9D 60 30 EE (.].....;....`0.
12 92 96 E1 43 8B 24 DA BC 44 C6 47 28 F0 88 33 ....C.$..D.G(..3
1B 3F 9D 31 64 8E 7D E4 66 C3 22 0E 9A 3F D4 3C .?.1d.}.f."..?.<
84 C7 FC D1 F2 FE C9 C2 B3 E6 07 8E DB 80 DF 32 ...............2
D4 C6 6D 2A A6 E7 8E 8C 6A D8 74 F7 6F 52 4C 32 ..m*....j.t.oRL2
26 DC 1A 26 90 44 07 E4 E7 8C 1B ED 9B 0C 29 75 &..&.D........)u
6E 21 05 C9 74 2D 11 5D 9F 3E 53 3C 29 3C C7 72 n!..t-.].>S<)<.r
03 6C 94 DF 6D 17 03 01 00 20 63 4D 0C 15 BC 8C .l..m.... cM....
E6 FD A7 FE 2B 4D 69 88 C4 40 EC B5 88 24 93 D9 ....+Mi..@...$..
CD 2F 28 3D 51 15 CD AC 43 42 ./(=Q...CB
SuperScan:
NetBIOS information on 127.0.0.1

Attempting a NULL session connection on 127.0.0.1
NULL session successful to 127.0.0.1IPC$
MAC addresses on 127.0.0.1
Trusted Domains on 127.0.0.1
Account Domain: MYWEBSERVER
Primary Domain: MYNET
Remote services on 127.0.0.1
Apache2.2 Running Apache2.2
AppMgmt Stopped Application Management
aspnet_state Stopped ASP.NET State Service
AudioSrv Running Windows Audio
BITS Stopped Background Intelligent Transfer Service
Browser Stopped Computer Browser
CiSvc Stopped Indexing Service
ClipSrv Stopped ClipBook
clr_optimization_v2.0.50727_32 Stopped .NET Runtime Optimization Service v2.0.50727_X86
clr_optimization_v4.0.30319_32 Stopped Microsoft .NET Framework NGEN v4.0.30319_X86
COMSysApp Stopped COM+ System Application
CryptSvc Running Cryptographic Services
DcomLaunch Running DCOM Server Process Launcher
Dfs Stopped Distributed File System
HidServ Stopped Human Interface Device Access
HTTPFilter Running HTTP SSL
idsvc Stopped Windows CardSpace
ImapiService Stopped IMAPI CD-Burning COM Service
IsmServ Stopped Intersite Messaging
JavaQuickStarterService Running Java Quick Starter

kdc Stopped Kerberos Key Distribution Center
lanmanserver Running Server
lanmanworkstation Running Workstation
LicenseService Stopped License Logging
LmHosts Running TCP/IP NetBIOS Helper
mnmsrvc Stopped NetMeeting Remote Desktop Sharing
MSDTC Running Distributed Transaction Coordinator
MSIServer Stopped Windows Installer
MySQL Running MySQL
NetDDE Stopped Network DDE
NetDDEdsdm Stopped Network DDE DSDM
Netlogon Stopped Net Logon
Netman Running Network Connections
NetTcpPortSharing Stopped Net.Tcp Port Sharing Service
Nla Running Network Location Awareness (NLA)
NtFrs Stopped File Replication
NtLmSsp Stopped NT LM Security Support Provider
NtmsSvc Stopped Removable Storage
PlugPlay Running Plug and Play
PolicyAgent Running IPSEC Services
ProtectedStorage Running Protected Storage
RasAuto Stopped Remote Access Auto Connection Manager
RasMan Running Remote Access Connection Manager
RDSessMgr Stopped Remote Desktop Help Session Manager
RemoteAccess Stopped Routing and Remote Access
rpcapd Stopped Remote Packet Capture Protocol v.0 (experimental)
RpcLocator Stopped Remote Procedure Call (RPC) Locator
SamSs Running Security Accounts Manager

Schedule Running Task Scheduler
seclogon Running Secondary Logon
SharedAccess Running Windows Firewall/Internet Connection Sharing (ICS)
stisvc Stopped Windows Image Acquisition (WIA)
swprv Stopped Microsoft Software Shadow Copy Provider
SysmonLog Stopped Performance Logs and Alerts
Tenable Nessus Running Tenable Nessus
TermService Running Terminal Services
Nessus:
List of hosts
localhost Medium Severity problem(s) found
localhost
Scan time :
Start time : Mon Sep 06 21:26:00 2010
End time : Mon Sep 06 21:42:23 2010
Number of vulnerabilities :
Open ports : 8
Low : 45
Medium : 9

High : 0
Information about the remote host :
Operating system : Microsoft Windows Server 2003, Enterprise Edition (English)
NetBIOS name : MYWEBSERVER
DNS name : localhost.
HTTP TRACE / TRACK Methods
Synopsis :
Debugging functions are enabled on the remote web server.
Description :
The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.
In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution :
Disable these methods.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution :
Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Plugin output :
The server response from a TRACE request is :
TRACE /Nessus3210.html HTTP/1.1
Connection: Close
Host: localhost
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
CVE : CVE-2004-2320
BID : 9506, 9561, 11604
Other references : OSVDB:877, OSVDB:3726
Nessus ID : 11213
/doc directory browsable ?
The /doc directory is browsable.
/doc shows the content of the /usr/doc directory and therefore it shows which programs and - important! - the version of the
installed programs.
Solution : Use access restrictions for the /doc directory.
If you use Apache you might use this in your access.conf:
<Directory /usr/doc>
AllowOverride None
order deny,allow
deny from all
allow from localhost
</Directory>
Risk factor : High
CVE : CVE-1999-0678
BID : 318
Nessus ID : 10056
Wikto:
localhost,/_vti_inf.html,200,iis,FrontPage may be installed.
localhost,/stats.html,200,generic,Just found this log file...
localhost,/wwwstats.html,200,generic,Just found this log file...
localhost,/index.php?base=test%20,200,generic,This might be interesting...
has been seen in web logs from an unknown scanner.
localhost,/index.php?IDAdmin=test,200,generic,This might be interesting...
localhost,/index.php?pymembs=admin,200,generic,This might be interesting...

localhost,/index.php?SqlQuery=test%20,200,generic,This might be interesting...
localhost,/index.php?tampon=test%20,200,generic,This might be interesting...
localhost,/mlog.html,200,generic,This might be interesting...
#Directories
localhost,ListViewItem: { / }
localhost,ListViewItem: { /admin/ }
localhost,ListViewItem: { /pix/ }
#Indexable
0
#Files
0
ZenMap:
<?xml-stylesheet href="file:///C:/Program Files/Nmap/nmap.xsl" type="text/xsl"?>
<nmaprun start="1284213324" profile_name="Intense scan" xmloutputversion="1.03" scanner="nmap" version="5.21"
startstr="Sat Sep 11 16:55:24 2010" args="nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 192.168.56.101">
<verbose level="1"/>
<debugging level="0"/>
<output type="interactive">
Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-11 16:55 GTB Daylight Time NSE: Loaded 36 scripts for scanning.
Initiating ARP Ping Scan at 16:55 Scanning 192.168.56.101 [1 port] Completed ARP Ping Scan at 16:55, 0.72s elapsed (1
total hosts) Initiating Parallel DNS resolution of 1 host. at 16:55 Completed Parallel DNS resolution of 1 host. at 16:55,
0.04s elapsed Initiating SYN Stealth Scan at 16:55 Scanning 192.168.56.101 [1000 ports] Discovered open port 80/tcp on
192.168.56.101 Discovered open port 443/tcp on 192.168.56.101 Discovered open port 3306/tcp on 192.168.56.101

Completed SYN Stealth Scan at 16:55, 4.76s elapsed (1000 total ports) Initiating Service scan at 16:55 Scanning 3 services
on 192.168.56.101 Completed Service scan at 16:55, 14.23s elapsed (3 services on 1 host) Initiating OS detection (try #1)
against 192.168.56.101 NSE: Script scanning 192.168.56.101. NSE: Starting runlevel 1 (of 1) scan. Initiating NSE at 16:55
Completed NSE at 16:55, 6.58s elapsed NSE: Script Scanning completed. Nmap scan report for 192.168.56.101 Host is up
(0.0043s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.2.16
((Win32) mod_ssl/2.2.16 OpenSSL/0.9.8o PHP/5.3.3) | html-title: OMEGA CRM |_Did not follow redirect to
https://localhost/ 443/tcp open ssl/http Apache httpd 2.2.16 ((Win32) mod_ssl/2.2.16 OpenSSL/0.9.8o PHP/5.3.3) |_sslv2:
server still supports SSLv2 |_html-title: OMEGA CRM MAC Address: 08:00:27:8A:08:9C (Cadmus Computer Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type:
general purpose Running: Microsoft Windows 2003 OS details: Microsoft Windows Server 2003 SP1 or SP2, Microsoft
Windows Server 2003 SP2 Network Distance: 1 hop TCP Sequence Prediction: Difficulty=259 (Good luck!) IP ID
Sequence Generation: Busy server or unknown class HOP RTT ADDRESS 1 4.27 ms 192.168.56.101 Read data files from:
C:Program FilesNmap OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/
. Nmap done: 1 IP address (1 host up) scanned in 34.57 seconds Raw packets sent: 2040 (92.278KB) | Rcvd: 17 (862B)
</output>
<host comment="">
<status state="up"/>
<address addrtype="ipv4" vendor="" addr="192.168.56.101"/>
<address addrtype="mac" vendor="Cadmus Computer Systems" addr="08:00:27:8A:08:9C"/>
<hostnames/>
<ports>
<extraports count="997" state="filtered"/>
<service product="Apache httpd" name="http" extrainfo="(Win32) mod_ssl/2.2.16 OpenSSL/0.9.8o PHP/5.3.3"
version="2.2.16" conf="10" method="probed"/>
</port>
<service product="Apache httpd" name="http" extrainfo="(Win32) mod_ssl/2.2.16 OpenSSL/0.9.8o PHP/5.3.3"
version="2.2.16" conf="10" method="probed"/>
</port>
</ports>
<os>
<portused state="open" portid="80" proto="tcp"/>

Kingston University Thesis - Design and Implementation of a Secure Web Application

More Related Content

Viewers also liked (20)

Similar to Kingston University Thesis - Design and Implementation of a Secure Web Application (20)

More from PROBOTEK (20)

Recently uploaded (20)

Kingston University Thesis - Design and Implementation of a Secure Web Application