IN618-Security-Assignment2: Server Hardening and Web Application Security

This assignment is worth 35% of your total course mark.

The assignment requires completion of the following:
1. The assignment tasks, which must be performed on your virtual machine
2. The self-assessment portion of the marking sheet

Deadline: 2 June 2017, 5pm

Submission:
1. Submit virtual machine (vCloud)
2. Submit self-assessment (GitBucket)

Learning Objective: Perform server hardening and secure a vulnerable web application

1.0 Scenario:

You recently finished your bachelor degree at Otago Polytech and have started working for "the man" at the prestigious software development company: Initech. Although you didn't really want the job, the pressure of mounting student loan debt meant you had little choice... Your new boss, Bill Lumbergh, is a total jerk!

Bill wants to bring Initech into the 21st century by providing a selection of web applications for clients. Apparently, your co-worker Milton Waddams has already set up a web server and started development of a web application. However, Milton is inept and the new server is riddled with security issues. Bill Lumbergh has since fired Milton. It looks like you are the only employee at Initech who is not an idiot, and Bill has tasked you with securing the web application and hardening the web server. You just want to quit the job, but you need the money, so start fixing that server!

2.0 Instructions:

This assignment is not about following a specific set of instructions to secure a web application server. Rather, you are encouraged to be resourceful, using the knowledge gained in classes, skills gained from the lab exercises, and external information from reputable web resources such as Digital Ocean and the Java programming documentation from Oracle.

In this assignment, you will perform a security overhaul of a web application server used to host a web application for the company Initech. This job includes two main tasks:
1. Server hardening: securing the system that hosts the web application, including securing SSH with good configuration settings and fail2ban, and securing connections to the server by implementing a strong firewall.
2. Securing the web application: the web application has two SQL injection vulnerabilities that need to be fixed, a stored XSS payload that needs to be removed from the database, and the underlying XSS vulnerability that needs to be fixed. In addition, password hashing needs to be implemented so that stored passwords are safer from attack.

3.0 Resources:

In this assignment, you are provided with a single virtual machine. You will perform all the required tasks on this virtual machine. This machine will be submitted for marking. The virtual machine has the following details:
1. InitechWebApps: A VMware virtual machine server running Ubuntu Server 16.04.2 LTS 64-bit. The server is installed and partially configured with SSH, Apache Tomcat, and a poorly written web application.

The virtual machine is available using vCloud. Each student has been supplied with a vApp on vCloud which contains the single InitechWebApps virtual machine. The vApp is named differently for each student: "IN618_studentCode", where studentCode is your OP username. vCloud is available through a web browser from:
• Externally: https://cloud.op.ac.nz/cloud/org/ict

Please do not change the following settings on the virtual machine:
1. The "opstudent" username, or the default password (passw0rd)
2. Please do not enable password-less SSH access (e.g., please do not use public/private keys for SSH login)
3. Please do not change the default Tomcat installation; all web application files must be available in /opt/tomcat/webapps/initech

The virtual machine will be marked in this assignment, so any change to file location will make the marking script unable to extract your modifications.

4.0 InitechWebApps Configuration:

Listed in this section are some useful settings for the InitechWebApps virtual machine.
Firstly, the operating system information is:
• username: opstudent
• password: passw0rd
• IP address: varies between each student (use the vCloud web site to determine the IP address, as covered in Lab-12-1.docx)

An SSH server has been installed using the OpenSSH software. However, no configuration has been performed. You can log in with the above username and password.

A MySQL database has been installed and partially configured. The credentials for the MySQL database are:
• username: root
• password: passw0rd

Apache Tomcat (a type of web server software) has also been installed on the server. Tomcat is a Java Servlet Container: basically a web server that allows the creation and sharing (via HTTP) of a web application written in Java on the server side. Although the web application is very simple (compared to real-world web applications), getting used to the setup can take some practice. Here is some relevant information about the web application configuration:
• No web application is installed by default; you need to install it yourself. This is thoroughly documented in Lab-12-1.docx (on the I:\ drive)
• Web applications are stored in: /opt/tomcat/webapps/
• The web application operates on port 8080

The directory structure of the web application is very important to learn and understand to make good progress with the assignment. The following directory structure represents the web application:
• WEB-INF – a folder containing application resources
  o classes – a folder containing Java code
    - login.java – server-side code for the login form web page
    - search.java – server-side code for the employee search web page
    - guestform.java – server-side code for the guestbook page
  o lib – a folder containing .jar dependencies (for MySQL)
    - mysql-connector-java-5.1.42-bin.jar – dependency jar file
• guestbook.jsp – the HTML code for the guest comments web page
• index.jsp – the HTML code for the login web page
• search.jsp – the HTML code for the employee search web page
• style.css – the CSS style sheet for the web application
• jquery.js – the jQuery dependency for the guestbook web page
• initech-logo.jpg – the Initech logo to make things look pretty
• scripts – a collection of scripts that might make life easier
  o create_db.sql – the Initech database entries
  o recreate_db.sh – this script uses create_db.sql to delete the old database and recreate the original entries

Much more information about how to set up the web application server can be found in the Lab-12-1.docx worksheet. There is a step-by-step process for how to download, compile and deploy the web application.

5.0 Assignment Tasks:

The assignment tasks are divided into five specific categories, as outlined below:

Task 1: Server Hardening: Firewall

The web server has been partially configured. However, minimal configuration was performed with security in mind. Therefore, you need to harden the server. The firewall needs to be configured correctly for the system. If we set incorrect rules, users may not be able to access the resources on the server (e.g., not able to log in using SSH).
The services present on the server are:
• Secure Shell (ssh) running on port 22
• Apache Tomcat (http) on port 8080

Requirements:
• Configure a firewall using iptables
• Filter incoming traffic (apart from ports 22 and 8080)
• Filter outgoing traffic (apart from ports 22 and 8080)
• Use stateful firewall rules when possible/useful

Resources:
• Lect-8-1 and Lab-8-1 – we set up a firewall on an Ubuntu system
• Lect-8-2 – discussion on advanced firewalls
• Digital Ocean tutorial to set up iptables as a firewall
• There are many other good Digital Ocean tutorials, and other web resources

Task 2: Service Hardening: Secure Shell (SSH)

We are unable to work directly on the server in this assignment, so remote access has been configured. Secure Shell (SSH) is a great option to provide secure remote access for server administration. However, currently the server has a default installation of SSH without any security considerations. You have been tasked with:

Requirements:
• Configure SSH using best practices, including:
  o Display a banner at login with a warning message
  o Setting the maximum number of connections
  o Disabling X11 connections
• Configure the fail2ban service to stop brute force attacks
• You must allow password logins (e.g., do not implement RSA public/private keys)
• You must not remove or change the "opstudent" user account

Resources:
• Lect-8-1 and Lab-8-1 – we configured SSH
• Lect-8-2 and Lab-8-2 – we set up and configured fail2ban
• Digital Ocean tutorial to secure the Apache web server

Task 3: Secure Against SQL Injection Attacks

Currently, the web application is vulnerable to SQL injection attacks on two different pages of the web site. This is a major security issue that needs to be resolved immediately. You need to modify/correct the server-side program (written in Java) that takes user input and creates an SQL query to the database.

Requirements:
• Protect against SQL injection attacks by correctly handling user input
• Two different web pages do not correctly handle user input – find and fix both!

Resources:
• Lect-11-1 and Lab-11-1 – we covered SQL injection attacks
• Check DVWA SQL injection attack exercises (as covered in class)
• Check online SQL injection attack training exercises (as covered in class)
• Oracle Java Documentation: Using Prepared Statements
• Check other Java code in the web application; one web page handles input correctly

Task 4: Secure Against Cross-site Scripting (XSS) Attacks

The web application also suffers from XSS vulnerabilities. To further complicate the problem, an attacker has already performed a stored XSS attack against the web application, and the malicious JavaScript code is persistently stored in the web application. You need to remove the stored XSS payload and fix the web application so that XSS attacks are no longer possible.

Requirements:
• Remove the XSS exploit that is stored in the web application. The exploit is embedded in the GuestBook section of the web site and the XSS code is stored persistently in the Initech database
• Fix the code that handles the GuestBook web page (this code is stored in guestbook.jsp) so that untrusted comments are never interpreted as HTML or script

Resources:
• Lect-11-2 and Lab-11-2 – we covered XSS attacks
• Check DVWA XSS (stored and reflected) attack exercises (as covered in class)

Task 5: Configure Password Hashing

The web application also lacks password hashing. Currently, all passwords are stored in clear text in the MySQL database! You need to write some Java code in the login.java file that hashes user-supplied passwords. You also need to update the existing entries in the Initech database so that the current users have their passwords hashed.

Requirements:
• Select a suitable hash algorithm for password hashing (it is recommended that you choose a simple algorithm to implement, e.g., SHA-1). Note that a fast, unsalted hash such as SHA-1 is not adequate for real-world password storage: identical passwords produce identical hashes, and precomputed tables make them cheap to reverse. At a minimum use a per-user random salt (see Lect-4-2), and prefer a purpose-built password hash such as PBKDF2 (available in the standard Java library) or bcrypt where you can.
• Remove the plaintext passwords in the database, and replace them with hashed versions of the same password
• Update the Java code that handles the login web page (this code is stored in login.java) to include password hashing, so that the password submitted at login is hashed with the same algorithm and salt before it is compared with the stored value

Resources:
• Lect-4-1 and Lab-4-1 – we covered password hashing
• Lect-4-2 and Lab-4-2 – we covered salting hashes
• Hashing in Java by OWASP
• There are numerous tutorials to hash a string in Java
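The following iptables rule set, in iptables-restore format, is an added example for Task 1; it is not part of the original assignment or the Initech server. It assumes the rules are saved as /etc/iptables/rules.v4 (the file the iptables-persistent package loads at boot) and that Tomcat reaches MySQL over the loopback interface, which is why loopback traffic is permitted.

```conf
# /etc/iptables/rules.v4 - added example for Task 1, not the server's original rules.
# Load with: sudo iptables-restore < /etc/iptables/rules.v4
*filter
# Default policies: drop everything the rules below do not explicitly allow.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: Tomcat talks to MySQL on 127.0.0.1 (assumption), so this must stay open.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Stateful core: discard packets the connection tracker cannot classify, then allow
# any packet that belongs to a connection already accepted, in both directions.
# This is what lets SSH sessions and Tomcat replies keep flowing under DROP policies.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New inbound connections: only SSH (22) and Tomcat (8080).
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
# New outbound connections: the brief permits only 22 and 8080 as destinations.
-A OUTPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
```

Load it from your existing SSH session with `sudo iptables-restore < /etc/iptables/rules.v4`, then open a second SSH session and fetch `http://<server-ip>:8080/initech/` before closing the first, so a mistake does not lock you out. iptables-restore applies the whole table atomically; typing the rules one by one over SSH would put the `DROP` policy in place before the `ESTABLISHED,RELATED` rule exists and stall your own session. Verify with `sudo iptables -L -v -n` and watch the packet counters climb on the rules you expect. Two caveats: with the `OUTPUT` policy at `DROP`, `apt-get`, DNS and NTP no longer work, so lift the policy or add temporary rules while installing packages (including iptables-persistent and fail2ban); and reloading the rule set flushes the chains fail2ban inserts into `INPUT`, so restart fail2ban afterwards (`sudo systemctl restart fail2ban`). Inbound ping is dropped by this set, as the brief asks; add `-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT` only if you decide reachability checks matter more.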
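The two fragments below are an added example for Task 2, not the server's original configuration. They assume Ubuntu 16.04's OpenSSH 7.2 and fail2ban 0.9, that the warning text is kept in /etc/issue.net, and that sshd logs to /var/log/auth.log. The SSH settings keep password login for opstudent, as the brief requires, and turn off what the brief does not need.

```conf
# /etc/ssh/sshd_config - hardened settings (added example; merge into the existing file)
Port 22
Protocol 2
# Warning banner shown before authentication; put the warning text in /etc/issue.net
Banner /etc/issue.net
# Only the assignment account may log in, and never root directly
AllowUsers opstudent
PermitRootLogin no
# Password logins are required by the brief; keys are off so no password-less login can be added
PasswordAuthentication yes
PubkeyAuthentication no
PermitEmptyPasswords no
UsePAM yes
# Limits: 3 password attempts per connection, 30 s to finish logging in,
# at most 2 sessions (shells/commands) per connection, and MaxStartups caps
# concurrent unauthenticated connections at 3 (random drop from 3, all dropped at 10)
MaxAuthTries 3
LoginGraceTime 30
MaxSessions 2
MaxStartups 3:50:10
# Drop idle sessions after 2 missed keepalives (10 minutes)
ClientAliveInterval 300
ClientAliveCountMax 2
# No X11, TCP or agent forwarding through this server
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no

# /etc/fail2ban/jail.local - overrides jail.conf, which package upgrades overwrite
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = true
port    = ssh
logpath = /var/log/auth.log
```

Write the banner first (`printf 'Authorised users only. All activity is monitored and logged.\n' | sudo tee /etc/issue.net`), check the configuration parses with `sudo sshd -t`, and only then `sudo systemctl restart ssh`, keeping your current session open until a fresh login succeeds. For fail2ban, `sudo systemctl restart fail2ban` and `sudo fail2ban-client status sshd` should show the jail active; three wrong passwords from another host within findtime should then appear under "Banned IP list". If you test from your own workstation you ban yourself, so either add its address to ignoreip while testing or release it with `sudo fail2ban-client set sshd unbanip <ip>`. fail2ban enforces bans by inserting its own chain at the top of iptables `INPUT`, so it works with the DROP-policy rule set from Task 1 but must be restarted whenever those rules are reloaded.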
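The class below is an added example for Task 3, not code from search.java or any other Initech file. It shows the pattern to look for (user input concatenated into SQL text) next to the fix (a parameterised query, as in the Oracle Prepared Statements documentation). The table and column names `employees`/`name`, the database name `initech`, and the method names are assumptions; take the real ones from create_db.sql and the existing servlet.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Added example for Task 3: employee search with and without SQL injection.
// Table/column names (employees.name) and the database name are assumptions.
public final class EmployeeSearch {

    // VULNERABLE: the request parameter becomes part of the SQL text, so the input
    //   ' OR '1'='1
    // turns the query into  ... WHERE name LIKE '%' OR '1'='1%'  and dumps every row,
    // and  ' UNION SELECT password FROM users WHERE ''='  can read other tables.
    static List<String> searchUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT name FROM employees WHERE name LIKE '%" + name + "%'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // FIXED: the SQL text is constant and compiled once; the value is sent to MySQL
    // as a bound parameter and is never parsed as SQL, whatever characters it holds.
    static List<String> searchSafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT name FROM employees WHERE name LIKE ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, "%" + name + "%");   // wildcards go into the value, not the SQL
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) {
            names.add(rs.getString(1));
        }
        return names;
    }

    public static void main(String[] args) throws SQLException {
        // Credentials are the ones listed in section 4.0; the database name is assumed.
        String url = "jdbc:mysql://localhost:3306/initech?useSSL=false";
        try (Connection conn = DriverManager.getConnection(url, "root", "passw0rd")) {
            // With the fix, the classic payload just searches for names containing that text.
            System.out.println(searchSafe(conn, "' OR '1'='1"));
        }
    }
}
```

The same change applies to the second affected page: every place a `Statement` is built from `request.getParameter(...)` becomes a `PreparedStatement` with `?` placeholders and `setString`/`setInt` calls. The page that already "handles input correctly" is the reference for the style the marker expects. One residual point worth knowing: `%` and `_` typed by the user still act as LIKE wildcards inside the bound value; that is not injection, but if exact matching matters, escape them and add an `ESCAPE` clause.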
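The helper below is an added example for Task 4, not code from guestbook.jsp or guestform.java. It performs HTML output encoding, the standard defence against stored XSS: the payload stays inert text because the characters that would start a tag or break out of an attribute are replaced before the comment is written into the page. The `renderEntry` method and the sample payload are constructed for illustration.

```java
// Added example for Task 4: encode untrusted guestbook text before it is placed in HTML.
// Compile into WEB-INF/classes next to the existing servlets and call it from the JSP.
public final class HtmlEscape {

    private HtmlEscape() {}

    // Replace the characters that can change HTML or attribute context. Safe for text
    // nodes and for double- or single-quoted attribute values; never for URLs or script.
    public static String escape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Render one guestbook entry as a list item. Both fields came from a form, so both
    // are untrusted and both are encoded; the markup around them is ours.
    public static String renderEntry(String author, String comment) {
        return "<li><b>" + escape(author) + "</b>: " + escape(comment) + "</li>";
    }

    public static void main(String[] args) {
        // Constructed payload of the kind a stored XSS attack leaves in the database.
        String payload = "<script>alert(document.cookie)</script>";
        System.out.println(renderEntry("Milton", payload));
    }
}
```

In guestbook.jsp the change is to write `<%= HtmlEscape.escape(comment) %>` wherever the raw `comment` was written into the page. If the page instead builds the list in the browser with jQuery, the equivalent fix on that side is to insert the comment with `.text()` rather than `.html()` or `.append()` of a raw string. Encode exactly once, at the point the text enters HTML: doing it on both server and client shows visitors `&amp;lt;` instead of `<`. Removing the stored payload itself is a database job: query the guestbook table named in create_db.sql for rows containing `<script` (or any `<`), and delete or neutralise those rows. Check create_db.sql as well; if the payload is part of the seed data, recreate_db.sh will put it straight back.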