Week 6

Toolwire Lab 8: Performing an IT and Web Application Security Assessment

Name

CIS/542

Instructor: Dr. Osama Morad

Lab Report file

Executive Summary

 

Well-informed organizations understand that their websites and applications are more than just an information service; they also represent the corporate image to their customers and the public. If a website or application has to be taken offline due to a security breach, this can result in loss of information, reputation, trust, and revenue. Ensuring the website or web application can dissuade most internet threats therefore, the organization can continue serving customers and not spend time and money reacting to a data loss or availability issues.

 

Overview

 

Internet-facing web applications, in particular, can create numerous opportunities for malicious individuals who may wish to compromise your organization’s data. To ensure a balanced level of preparedness and effective programming requires an understanding of risks Thoroughness is the key, as the undetected vulnerabilities could leave the organization most at risk.

Damn Vulnerable Web Application (DVWA) is a vulnerable web application used to be an aid for security professionals to test their skills and tools, and better understand the processes of securing web applications in a controlled environment.

This Web Application Security Assessment analyzes vulnerabilities found in the Damn Vulnerable Web Application (DVWA) as determined by the reports provided, and were assessed according to the OWASP guidelines. Recommendations outlined by the OWASP and Open SAMM models are provided to improve secure testing and coding of Web applications to prevent similar vulnerabilities such as these from happening in the future.

All security issues that are discovered must be mitigated based upon the following risk levels. which are based on the OWASP Risk Rating Methodology. Mitigation strategies will be required to fix any discovered issues of medium risk level or greater.

 

· High-Any high risk issue must be fixed immediately or other mitigation strategies must be put in place to limit exposure.

 

· Medium- Medium risk issues should be reviewed to determine what is required to

mitigate based on the number of issues or increase the risk to an unacceptable level. Issues should be fixed with mitigation strategies that will limit exposure.

 

· Low – Issue should be reviewed to determine what is required to correct the issue and scheduled accordingly.

 

Tools Used for Analysis

 

Dynamic analysis tools Skipfish, an active web application security reconnaissance tool and RATS, a rough auditing tool scan were used to identify vulnerabilities within the application.

 

Skipfish prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active security checks.

 

RATS, provides a security analyst with a list of potential trouble spots on which to focus, along with describing the problem, and potentially suggest remedies. This tool also performs a basic analysis to try to rule out conditions that are visibly not problems. The relative assessment makes available a reasonable starting point in which an auditor can prioritize the severity of each problem in order to perform manual security audits.

 

Items of Top Concern

 

The following lists below display vulnerabilities that were found on the Skipfish and RATS reports in the DVWA application. Vulnerabilities categorized in the below lists are in the application itself, and represent the risk to the organization. Information for each vulnerability will be identified as follows:

 

· Name of the issue, as described in the Skipfish or RATS reports

· Description of the issue

· Most likely causes of the vulnerability

· Possible remediation or prevention methods

 

Skipfish Report

 

 

High Risk Issue

 

Name – Shell injection vector

Description of the issue – Shell injection is generally considered one of the most dangerous vulnerabilities because it can be used to gain complete control over a target server. These attacks include calls to the operating system via system calls, the use of external programs via shell commands, as well as calls to backend databases via SQL (i.e., SQL injection). Any time a web application uses an interpreter of any type there is a danger of an injection attack. The most common places to find shell injection vulnerabilities is during loading of files and in the running of non-local web code.

Likely Causes of the vulnerability – Poor input validation. Injection flaws allow attackers to relay malicious code through a web application to another system. Whole scripts written in perl, python, and other languages can be injected into poorly designed web applications and executed. Any application that builds command strings using non-sanitized data is vulnerable to this bug.

Recommendation for mitigation – Avoid accessing external interpreters wherever possible. For many shell commands and some system calls, there are language specific libraries that perform the same functions. Using such libraries does not involve the operating system shell interpreter, therefore avoids a large number of problems with shell commands.

Applications defend against command injection bugs by doing proper input validation and sanitization. look for all instances where the application invokes a shell-like system function such as exec or system and avoid executing them unless the parameters have been properly validated and sanitized. There are two possible ways to validate these parameters: using black lists or using white lists.

Although server and OS hardening can help to limit the impact and make it harder for an attacker to escalate privileges, there is still significant risk.

Medium Risk Issues

Name – Directory traversal / file inclusion possible

Description of the issue – Directory traversal, also known as path traversal, ranks #13 on the CWE/SANS Top 25 Most Dangerous Software Errors. This type of exploit is when a server allows an attacker to read a file or directories outside of the normal web server directory. Local file inclusion allows an attacker the ability to include an arbitrary local file (from the web server) in the web server’s response.

The local file inclusion vulnerability is a process of including the local files available on the server. This vulnerability occurs when a user input contains the path to the file that has to be included. When such an input is not properly sanitized, the attacker may give some default file names and access unauthorized files, or an attacker may also make use of directory traversal characters and retrieve sensitive files available in other directories.

Both of these bugs can be used to read arbitrary files from the server. File inclusion possible comprises in misusing lacking security acceptance or disinfection of client supplied data document names, with the goal that characters speaking to “navigate to parent index” are gone through to the record APIs. The objective of this assault is to arrange an application to get to a PC record that is not planned to be available. This assault abuses an absence of security (the product is acting precisely as it should) instead of misusing a bug in the code (DuPaul, N., 2012).

Likely Causes of the vulnerability – the main cause for such vulnerabilities is improper filtering and validation of browser input from users.

Recommendation for mitigation – Input validation ensures that attackers cannot use commands that leave the root directory or violate other access privileges. Filters can be used to block URLs containing commands and escape codes that are commonly used by attackers. Additionally, any software that is used should be kept up-to-date with current patches. Regularly patching software is a critical practice for reducing security risk, as software patches typically contain security fixes.

Name – XSS vector via arbitrary URLS

Description of the issue – Cross-Site Scripting (XSS) vulnerability are amongst the most widespread exploited web application vulnerabilities on the Internet. A reflected assault is ordinarily conveyed by means of email or an impartial site. The draw is a pure looking URL, indicating a trusted site yet containing the XSS vector. On the off chance that the trusted site is helpless against the vector, tapping the connection can bring about the casualty’s program to execute the infused script.

Likely Causes of the vulnerability – Cross-Site Scripting (XSS) attacks are caused when data enters a Web application through an untrusted source, most frequently a web request. The data is included in dynamic content that is sent to a web user without being validated for malicious content.

Recommendation for mitigation – The primary defenses against XSS include using rigid permissions when developing and deploying web applications. Use chroot jails and code access security policies to restrict and control the location and type of file operations even if the system is misconfigured. Remove all “Everyone:Full Control” ACLs on Windows, and all mode 777 (world writeable directories) or mode 666 files (world writeable files) on Unix systems. Remove “Guest”, “everyone,” and world readable permissions wherever possible (OWASP, 2013).

Low Risk Issues

Name – External content embedded on a page

Description of the issue – External content embedded on a page means something isn’t right with the site – wrong – yet some way or another we appear to continue building sites that do. This can prompt issues, for example identity theft. You acknowledge that all the HTTP segments of the correspondence stay powerless hence you have to ensure against the SSL hostile to designs

Likely Causes of the vulnerability – Infected email

 

Recommendation for mitigation – Embed external content explicitly via the HTTPS scheme. If you’re only serving the page over HTTPS anyway then it ensures no problems. Using a protocol relative URL, means when the page is loaded over HTTP then the resource will be requested over HTTP. Load the page over HTTPS and the resource embeds over HTTPS.

The web view tag enables the ability to embed external web content in the web page. It replaces iframes that point to remote URLs. Unlike iframes, the web view tag runs in a separate process. This means that an exploit inside of it will still be isolated and won’t be able to gain elevated privileges. Further, since its storage (cookies, etc.) is isolated from the app, there is no way for the web content to access any of the app’s data.

Name – Incorrect or missing MIME type

Description of the issue – MIME Types tell programs what kind of record they are accepting from the site. A web page would normally tell programs they were getting http (MIME type content/html) while a PDF archive ought to have a PDF MIME type (application/pdf). Now and then, an application will send an inaccurate MIME type (like determining content rather than picture) or will send none by any means.

Likely Causes of the vulnerability –

Recommendation for Mitigation –Weigh the pages recorded in an output of your site for MIME Type strings. Guarantee they are serving the correct sort. You can likewise incorporate a neighborhood Apache setup document in every index to naturally set MIME type.

RATS Report

High Risk Issue

Name – Fopen()

Description of the issue – The fopen() function is a file open command used to open a file or URL and binds a named resource, specified by filename, to a stream. This function takes two arguments which are first argument is a pointer to a string containing name of the file to be opened while the second argument is the mode in which the file is to be opened.

It is in the programing language. If some problem in the core file of the Fopen command, then this command is not work properly. Problem like URL change or corrupted the core file. For prevention, we need to reconfigure or reinstall the core file.

Likely Causes of the vulnerability – A null pointer value indicates an error. Search permission is denied on a component of the path prefix, or the file exists and the permissions specified by mode are denied, or the file does not exist and write permission is denied for the parent directory of the file to be created. The named file is a directory and mode requires write access. A component of filename does not name an existing file or filename is an empty string.

Recommendation for mitigation – If settings are stored in an array, it can serialize() them and write to a text file.

Name – Eval

Description of the issue – The eval language build is exceptionally unsafe in light of the fact that it permits execution of discretionary PHP code. Its utilization in this manner is demoralized. On the off chance that you have painstakingly checked that there is no other choice than to utilize this develop, give careful consideration not to pass any client gave information into it without appropriately approving it already. For prevention, we need to reconfigure or reinstall the core file.

Likely Causes of the vulnerability – eval() returns NULL unless return is called in the evaluated code, in which case the value passed to return is returned. As of PHP 7, if there is a parse error in the evaluated code, eval() throws a ParseError exception. It is not possible to catch a parse error in eval() using set_error_handler().(PHP Group, 2016)

Medium Risk Issue

Name – is_writable

Description of the issue – This function checks the given file is writable or not. PHP has issues with Windows ACL’s for figure out whether a catalog is writable or not, this works around them by checking the capacity to open documents as opposed to depending upon PHP to interpreted the OS ACL. For prevention, we need to reconfigure or reinstall the core f.

Likely Causes of the vulnerability – The directory may not be writable if the directory is outside of the paths which PHP is able to write to because of open_basedir restrictions. The directory is on a drive which is mounted as read-only. The directory has immutable or appendonly attributes set. The filesystem is corrupt.

Recommendation for mitigation – Check the PHP error_log file to see if there are any more specific errors or warnings.

 

References

DuPaul, N. (2012). Directory Traversal. Retrieved from: http://www.veracode.com/security/directory-traversal

OWASP. (2013). Command Injection. Retrieved from: https://www.owasp.org/index.php/Command_Injection

Penn Computing. (2016). Injection Flaws (Shell Commands and SQL). Retrieved from: http://www.upenn.edu/computing/security/swat/SWAT_Top_Ten_A6.php

PHP Group. (2016). Eval. Retrieved from: http://php.net/manual/en/function.eval.php

Weichih Sun 2/21/17 TIM 125

Homework 5

Problem	Estimated Time	Actual Time
Problem 1	1 Hour	1 Hour
Problem 2	1.5 Hours	1 Hour
Problem 3	2 Hours	2 Hours
Problem 4	2 Hours	1.5 Hours
Problem 5	2 Hours	1 Hour
Problem 6	2 Hours	2 Hours

 

Qualitative Problems

1. Chapter 11 Discussion Question 1 & 2

Step 1: Define the Problem

1. What is the role of safety inventory in the supply chain? 2. Explain how a reduction in lead time can help a supply chain reduce safety inventory without hurting product availability?

Step 2: Create a Plan

1. Explain the role of safety inventory in the supply chain 2. Explain how reducing lead time helps reduce safety inventory without hurting product availability

Step 3: Execute the Plan

1. Explain the role of safety inventory in the supply chain Safety inventory is the average product that is remaining when the replenishment order is received. It prevents product shortage when consumers’ present demand exceeds the forecasted demand. The success of the supply chain depends on the ability of a firm to satisfy a consumer’s order out of available inventory despite uncertainties in supply and demand.

2. Explain how reducing lead time helps reduce safety inventory without hurting product availability Lead times refer to the gap between placing and receiving an order in the supply chain. Safety inventory decreases as lead time decreases without hurting product availability. A reduction in lead time can help a firm manage uncertainties in supply and demand by narrowing the time needed to place and receive the order. A firm can also maintain a desired level of safety inventory while satisfying a consumer’s order at a time.

Step 4: Check your Work

1. Using the book as my reference and carefully reading through Chapter 11 and using what we learned in lecture. I can say that the definitions I have answered for these discussion questions are correct.

2. Chapter 11 Discussion Questions 6 & 7

Step 1: Define the Problem

1. Why can a Home Depot with a few large stores provide a higher level of product availability with lower inventories than a hardware store chain such as Tru-Value, with many small stores? 2. Why is Amazon.com able to provide a large variety of books and music with less safety inventory than a bookstore chain selling through retail stores?

Step 2: Create a Plan

1. Explain how Home Depot can have a higher level of product availability compared to other hardware store chains 2. Describes Amazon’s strategy that allows them to have less safety inventory for books and music compared to a bookstore chain

Step 3: Execute the Plan

1. Explain how Home Depot can have a higher level of product availability compared to other hardware store chains Home Depot with a few large stores provide a higher level of product availability with lower inventories than a hardware store chain such as Tru-Value with many small stores. This is because Home Depot can hold a reduced level of safety inventory at a lower inventory cost without hurting product availability in its supply chain.

2. Describes Amazon’s strategy that allows them to have less safety inventory for books and music compared to a bookstore chain Amazon can provide a large variety of books and music with less safety inventory than a bookstore chain selling through retail stores. This is because all inventories in one warehouse or distribution center are aggregated. This enables Amazon to match demand uncertainty with maintaining a higher level of product availability.

Step 4: Check your Work

1. Reading through Chapter 11 in the textbook and learning the key objectives. As well as using lecture notes, I can assume that the answers for the discussion questions are correct.

Quantitative Problems

3. Chapter 10 Exercise 3

Step 1: Define the Problem

1. Harley purchases components from three suppliers. Components purchased from supplier A are priced at $5 each and used at the rate of 20,000 units per month. Components purchased from Supplier B are priced at $4 each and used at the rate of 2,500 units per month. Components purchased from Supplier C are priced at $5 each and used at the rate of 900 units per month. Currently, Harley purchases a separate truckload from each supplier. As part of its JIT drive, Harley has decided to aggregate purchases from the three suppliers. The trucking company charges a fixed cost of $400 for the truck with an additional charge of $100 for each stop. Thus, if Harley asks for a pickup from only one supplier, the trucking company charges $500; from two suppliers, it charges $600; and from three suppliers, it charges $700. Suggest a replenishment strategy for Harley that minimizes annual cost. Compare the cost of your strategy with Harley’s current strategy of ordering separately from each supplier. What is the cycle inventory of each component at Harley?

Step 2: Create a Plan

1. List Given Data 2. Calculate EOQ and Total Cost 3. Calculate combined setup cost 4. Calculate the number of orders 5. Calculate the total cost of ordering aggregately 6. Calculate Cycle Inventory for each supplier

Step 3: Execute the Plan

1. List Given Data

Supplier A	Supplier B	Supplier C
DA = 240,000	DB = 30,000	DC = 10,800
S = $500	S = $500	S = $500
CA = $5	CB = $4	CC = $5
h = 0.2	h = 0.2	h = 0.2

 

2. Calculate EOQ and Total Cost EOQ = Supplier A EOQ = = 15,491 Suppler B EOQ = = 6,123 Supplier C EOQ = = 3,286

Total Cost = Supplier A Total Cost = = 15,491 Supplier B Total Cost = = 4,899 Supplier C Total Cost = = 3,286 Total cost of ordering separately = 15,491 + 4,899 + 3,286 = $23,676

3. Calculate combined setup cost S = 400 + 100 + 100 + 100 = $700

4. Calculate the number of orders n = = = 14.01 orders

5. Calculate the total cost of ordering aggregately Annual Inventory Cost = = = $19,614 Here we can see that the total cost of ordering individually is $23,676 and ordering aggregately is $19,614. Since the cost of ordering aggregately is less this would be the better strategy for Harley.

6. Calculate Cycle Inventory for each supplier Cycle Inventory = Supplier A Cycle Inventory = = $7,746 Supplier B Cycle Inventory = = $3,061 Supplier C Cycle Inventory = = $1,643

Step 4: Check your Work

1. Using the given information from the book and using the equations from the book and lecture notes. I can say that my calculations for this question are correct and the strategy I chose for Harley is the more cost efficient strategy.

4. Chapter 11 Exercise 1

Step 1: Define the Problem

1. Weekly demand for Motorola cell phones at a Best Buy store is normally distributed, with a mean of 300 and a standard deviation of 200. Motorola takes two weeks to supply a Best Buy order. Best Buy is targeting a CSL of 95 percent and monitors its inventory continuously. How much safety inventory of cell phones should Best Buy carry? What should its ROP be?

Step 2: Create a Plan

1. Calculate the safety inventory of cell phones 2. Calculate Best Buy’s ROP

Step 3: Execute the Plan

1. Calculate the safety inventory of cell phones Average demand per period, D = 300 Standard deviation of demand per period, = 200 Lead-time, L = 2 weeks CSL = 0.95 The formula to calculate ss = ss = From the sheet we got in class we know = 1.65 ss = = 466.69 Best Buy should have a safety inventory of 466 cell phones

2. Calculate Best Buy’s ROP Average demand per period, D = 300 Standard deviation of demand per period, = 200 Lead-time, L = 2 weeks CSL = 0.95 The formula to calculate ROP = DL + ss DL = D x L DL = 300 x 2 = 600 ROP = 600 + 466 = 1066 So the re-order point should be when there are 1066 cell phones left

Step 4: Check your Work

1. Using the book and lecture notes for formulas and using the given data from the exercise. The calculations I have made should be accurate and correct.

5. Walmart

Step 1: Define the Problem

1. Estimate Walmart’s daily, weekly, monthly and annual cycle inventory for toilet paper. (This is an open-ended problem for which you have to develop a creative method, starting with appropriate assumptions, for determining the estimate.)

Step 2: Create a Plan

1. Research Walmart’s average cost for toilet paper 2. Research annual demand for toilet paper 3. Estimate data with the data researched 4. Calculate optimal lot size and cycle inventory

Step 3: Execute the Plan

1. Research Walmart’s average cost for toilet paper Looking at the prices on Walmart’s website for toilet paper. With so many brands, there were a lot of different average cost for toilet paper. However, it seemed like most toilet paper brand averaged to around $0.50 per roll.

2. Research annual demand for toilet paper Using the website https://www.statista.com/statistics/188710/top-toilet-tissue-brands-in-the-united-states/ it shows us the top leading toilet brands and their sales. With top competitors like Private Label, Angel Soft, Charmin, Scott and many others. Walmart carriers all of these different brands of toilet paper. So we sum up all sales of these leading competitors to obtain annual sales of toilet paper in 2016. Which turned out to be $7,807,400,000 and to calculate annual demand = annual sales / average cost = $7,807,400,000 / 0.50 = 15,614,800,000

3. Estimate data with the data researched D = 15,614,800,000 units S = $500 (we assume that cost per order is $500 since toilet paper is cheaper and is transported in bulk) h = 0.20 (assume holding cost is 20% since toilet paper is ordered in bulk) C = $0.50

4. Calculate optimal lot size and cycle inventory Optimal lot size annually = = = 12,495,919.33 Optimal lot size monthly = = = 1,041,326.61 Optimal lot size weekly = = = 240,306.14 Optimal lot size daily = = = 34,235.39

Cycle Inventory annually = = = 6,247,959.66 Cycle Inventory monthly = = = 520,663.30 Cycle Inventory weekly = = = 120,153.07 Cycle Inventory daily = = = 17,117.69

Step 4: Check your Work

1. Since this is an open-ended question and I could only find the annual demand for toilet paper for all retailers and not just Walmart. My calculations might not be accurate but with the information I found. I have to presume that this is close to what Walmart’s cycle inventory would look like.

Case Study

6. Plantronics

Step 1: Define the Problem

1. What is Plantronics core product line? What is Plantronics competitive strategy? 2. Explain Plantronics’ traditional approach to supply-chain management (“the past”)? Explain Plantronics’ current global supply-chain management (“the present”)? Describe Plantronics’ “dream” SCM scenario for the future? Is this “dream” realizable? 3. Explain the role of the software and information technology in the management of Plantronics global product development effort and its global supply chain network. 4. Summarize 5-10 key lessons learned from studying Kai Hypko’s 2009 “SCM” presentation

Step 2: Create a Plan

1. Describe Plantronics core product line and their competitive strategy 2. Explain Plantronics old approach to supply-chain management. Their current approach and their dream SCM for the future 3. Explain the role of the software and information technology in the management of Plantronics global product development effort and its global supply chain network. 4. Summarize 5-10 key lessons learned from studying Kai Hypko’s 2009 “SCM” presentation

Step 3: Execute the Plan

1. Describe Plantronics core product line and their competitive strategy Plantronics core product line are headsets designed for use with mobile phones, cordless phones, computers and gaming consoles. Plantronics competitive strategy would have to be a focused strategy. They product products that they know will completely satisfy the needs of customers. Their products have a high-quality assurance. Their products are sought out by consumers and business sectors.

2. Explain Plantronics old approach to supply-chain management. Their current approach and their dream SCM for the future Plantronics old approach to supply-chain management was a push model (linear supply chain). They were supply centric, internally focused, vertically integrated, physically asset based, and mass momentum. Now currently they have switched to a pull model (integrated networks). This includes them being demand-driven, global, virtual supply chains, decision based, and lean practices. Their dream SCM would be their Supply Chain Optimization and Re-Engineering (SCORE) project. They want to establish a world-class supply chain by creating a global, integrated, collaborative system and processes which are scalable, without legacy knowledge and added manpower. Some of their project objectives are: improve forecasting process & accuracy, increase inventory turnover, reduce excess & obsolete inventory and etc.

3. Explain the role of the software and information technology in the management of Plantronics global product development effort and its global supply chain network. Software and information technology helps with global product development by taking different roles like business analyst, project manager and many other roles that help lay out the foundation for developing products. It keeps everything on track and all of this can relay back to the supply chain network. To help with forecasting demand, re-ordering inventory and keeping track of the raw materials.

4. Summarize 5-10 key lessons learned from studying Kai Hypko’s 2009 “SCM” presentation SCM delivers the greatest results when SCM is part of the overall business strategy SCM is likely to under deliver when there is a poor connection between functions across a total business World class SC companies collaborate effectively internally to optimize processing, work closely with key suppliers and customers, and effectively apply technology as an enabler SCM can always be improved in some way there are limitless possibilities of improvement Every project has risks and could have a huge effect on the company itself

Step 4: Check your Work

1. Using the presentations from the class website and the internet to research more about Plantronics. I assume that the information I have provided above is correct.