Technical

Laporan Technical Vunerability Test Di Academic ITTelkom

Oleh :

Ahmad Badawi 116080002

Tri Andri PP 116080062

PROGRAM STUDI SISTEM INFORMASI

FAKULTAS REKAYASA INDUSTRI

INSTITUT TEKNOLOGI TELKOM

BANDUNG

2011

1.1 Working Paper Aplikasi

1.1.1 Pengujian Website Academic.ittelkom.ac.id

1.1.1.1 Kompilasi Temuan

Pengujian ini dilaksanakan pada aplikasi akademik ITTelkom yaitu Academic.ittelkom.ac.id

dengan profil hasil deteksi sebagai berikut :

Host Sistem Operasi Server Web Kode Aplikasi

Academic.ittelkom.ac.idOracle Enterprize Linux 5

Apache PHP

Dalam Website Academic.ittelkom.ac.id memiliki kerentanan yang terdistribusi ke dalam

kategori tinggi, sedang, rendah sebagaimana dapat dilihat dalam tabel berikut ini :

Host Kerentanan

Tinggi Sedang Rendah Total

Academic.ittelkom.ac.id 0 5 29 37

Berikut ini adalah dafta yang terdistribusi dari kerentanan :

NO

Alamat Kerentanan Potensi Dampak Rekomendasi

Port Temuan Tingkat

1 Academic.ittelkom.ac.id

0/tcp Nessus Scan Information

Low None None


0/tcp OS Identification

Low None None


0/tcp Apache Banner Linux Distribution Disclosure

Low None If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart Apache.


0/tcp Additional DNS Hostnames

Low None If you want to test them, re-scan using the special vhost syntax, such as : www.example.com[192.0.32.10]


0/tcp Service Detection (2nd Pass)

Low None If you want to test them, re-scan using the special vhost syntax, such as : www.example.com[192.0.32.10]


22/tcp

SSH Server Type and Version Information

Low None None


53/Udp

DNS Server hostname.bind Map Hostname Disclosur

Low None It may be possible to disable this feature. Consult the vendor's documentation for more information.

e


DNS Server Detection

Low None Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally.


80/tcp

CGI Generic Cross-Site Scripting (Parameters Names)

Medium

attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.

Contact the vendor for a patch or upgrade.


80/tcp

CGI Generic HTML Injections (quick test)

Medium

attacker may be able to cause arbitrary HTML to be executed in a user's browser within the security context of the affected site. The remote web server may be vulnerable to IFRAME injections or cross-site scripting attacks : - IFRAME injections allow 'virtual defacement' that might scare or anger gullible users. Such injections are sometimes implemented for 'phishing' attacks. - XSS are extensively tested by four other

Either restrict access to the vulnerable application or contact the vendor for an update.

scripts. - Some applications (e.g. web forums) authorize a subset of HTML without any ill effect. In this case, ignore this warning.


80/tcp

PHP expose_php Information Disclosure

Medium

attacker through a special URL. Such an URL triggers an Easter egg built into PHP itself. Other such Easter eggs likely exist, but Nessus has not checked for them.

In the PHP configuration file, php.ini, set the value for 'expose_php' to 'Off' to disable this behavior. Restart the web server daemon to put this change into effect.


80/tcp

Web Server Generic XSS

Medium

attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.

Contact the vendor for a patch or upgrade.


80/tcp

HTTP TRACE / TRACK Methods Allowed

Medium

The remote webserver supports the TRACE and/or TRACK methods.

Disable these methods. Refer to the plugin output for more information.


80/tcp

CGI Generic Tests HTTP Errors

Low None Rescan with a longer network timeout or less parallelism for example, by changing the following options in the scan policy : - Network -> Network Receive Timeout (check_read_timeout) - Options -> Number of

hosts in parallel (max_hosts) - Options -> Number of checks in parallel (max_checks)


80/tcp

CGI Generic Tests Timeout

Run your run scan again with a longer timeout or less ambitious options : - Combinations of arguments values = 'all combinations' is much slower than 'two pairs' or 'single'. - Stop at first flaw = 'per port' is quicker. - In 'some pairs' or 'some combinations' mode, try reducing web_app_tests.tested_values_for_each_parameter in nessusd.conf


80/tcp

CGI Generic Tests Load Estimation (all tests)

Low None None


80/tcp

Browsable Web Directories

Low None Make sure that browsable directories do not leak confidential informative or give access to sensitive resources. And use access restrictions or disable directory indexing for any that do.


80/tcp

CGI Generic Injectable Parameter

Low None None


80/tcp

WebDAV Detection

Low None update


80/tcp

HyperText Transfer

Low None None

Protocol (HTTP) Information


80/tcp

HTTP Server Type and Version

Low None None


80/tcp

HTTP Methods Allowed (per directory)

Low None None


80/tcp

HMAP Web Server Fingerprinting

Low None None


80/tcp

Gathered e-mail Addresses

Low None None


80/tcp

Web Server No 404 Error Code Check

Low None None


80/tcp

External URLs

Low None None


80/tcp

Web Server Uses Plain Text Authentication Forms

Low None None


80/tcp

HTTP Server Cookies Set

Low None None


80/tcp

Web Server Allows

Low None Add the attribute 'autocomplete=off' to these fields to prevent browsers

Password Auto-Completion

from caching credentials.


80/tcp

Web mirroring

Low None None


80/tcp

HTTP login page

Low None None


80/tcp

Service Detection (2nd Pass)

Low None None

Berikut ini adalah beberapa penyebab terjadinya kerentaan tersebut di atas:

1. Browsing direktori masih enable.

2. Aplikasi server yang belum terupdate karena masih ada celah kerentanan.

3. Konfigurasi Server apache Web belum dikonfigurasi secara aman.

4. Konfgurasi PHP webserver tidak aman.

Berikut ini adalah resume dari kerentanan yang dimiliki , berdasarkan kemungkinan- kemunginan

kerentanan yang dijadikan dalam sekenario pengujian .

1. Kerentanan dapat di perbiki oleh application developer.

2. Kerentanan dapat di perbaiki oleh system administrator.

1.1.2 Pengujian Website Elearning.ittelkom.ac.id

1.1.2.1 Kompilasi Temuan

Pengujian ini dilaksanakan pada aplikasi akademik ITTelkom yaitu Elearning.ittelkom.ac.id

dengan profil hasil deteksi sebagai berikut :

Host Sistem

Operasi

Server Web Kode Aplikasi

Elearning.ittelkom.ac.id Linux

Kernel 2.6

on SuSE

Linux 11.0

Apache PHP

Dalam Website Elearning.ittelkom.ac.id memiliki kerentanan yang terdistribusi ke dalam

kategori tinggi, sedang, rendah sebagaimana dapat dilihat dalam tabel berikut ini :

Host Kerentanan

Tinggi Sedang Rendah Total

Academic.ittelkom.ac.id 0 3 18 21

Berikut ini adalah dafta yang terdistribusi dari kerentanan :

NO Alamat Kerentanan Potensi Dampak Rekomendasi

Port Temuan Tingkat

1 Elearning.ittelkom.ac.id

0/tcp OS Identification

Low None None


0/tcp Apache Banner Linux Distribution Disclosure



22/tcp




22/tcp

SSH Server Type and Version Information

Low None None


80/tcp

PHP expose_php Information Disclosure

Medium attacker through a special URL. Such an URL triggers an

n the PHP configuration file, php.ini, set the value for

Easter egg built into PHP itself.

'expose_php' to 'Off' to disable this behavior. Restart the web server daemon to put this change into effect.


80/tcp

HTTP TRACE / TRACK Methods Allowed

Medium The remote webserver supports the TRACE and/or TRACK methods.

Disable these methods. Refer to the plugin output for more information.


80/tcp

Web Server info.php / phpinfo.php Detection

Medium a remote attacker can discover a large amount of information about the remote web server, including : - The username of the user who installed php and if they are a SUDO user. - The IP address of the host. - The version of the operating system. - The web server version. - The root directory of the web server. - Configuration information about the remote PHP installation.

Remove the affected file(s).


80/tcp

CGI Generic Tests Load Estimation (all tests)

Low None


80/tcp

Web Server Office File

Low None Make sure that such files do not contain

Inventory any confidential or otherwise sensitive information and that they are only accessible to those with valid credentials.


80/tcp

Web Application Potentially Sensitive CGI Parameter Detection

Low None Ensure sensitive data is not disclosed by CGI parameters. In addition, do not use CGI parameters to control access to resources or privileges.


80/tcp

HyperText Transfer Protocol (HTTP) Information

Low None None


80/tcp

HTTP Server Type and Version

Low None None


80/tcp

HMAP Web Server Fingerprinting

Low None None


80/tcp

External URLs

Low None None


80/tcp

Web Server Uses Plain Text Authentication Forms

Low None Make sure that every sensitive form transmits content over HTTPS.


80/tcp

HTTP Server Cookies Set

Low None None


80/tcp

Web Server Allows Password Auto-Completion

Low None Add the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials.


80/tcp

Web mirroring

Low None None


80/tcp

Web Server Directory Enumeration

Low attacker can make arbitrary file or directory requests to any publicly available web server. The existence of a resource can be determined by analyzing the web server HTTP response codes. There are several of Predictable Resource Location attack variations:

Blind searches for common files and directories

/admin/

/backup/

/logs/

/test/

/test.asp

/test.txt

/test.jsp

/test.log

None

/Copy%20of%test.asp

/Old%20test.asp

/vulnerable_file.cgi

Adding extensions to existing filename: (/test.asp)

/test.asp.bak

/test.asp.txt

/test.bak

/test

For content not required to be world accessible either proper access controls should be applied, or removal of the content itself.


80/tcp

HTTP login page

Low None None


80/tcp


Low None None

Berikut ini adalah beberapa penyebab terjadinya kerentaan tersebut di atas:

1. Browsing direktori masih enable.

2. Konfigurasi Server apache Web belum dikonfigurasi secara aman.

3. Konfgurasi PHP webserver tidak aman.

Berikut ini adalah resume dari kerentanan yang dimiliki , berdasarkan kemungkinan- kemunginan

kerentanan yang dijadikan dalam sekenario pengujian .

1. Kerentanan dapat di perbiki oleh application developer.

2. Kerentanan dapat di perbaiki oleh system administrator.

1.2 Working Paper- Infrastruktur

1.2.1 Pengujian Wireless LAN

No Area SSID Mac Address

Tipe Enkripsi

Layer Keamanan Tambahan

Tingkat Kerentanan

Potensi Dampak

1 Gedung A

ittelkom N/A VPN Tinggi Penyerang dapat bergabung dengan WLAN dan melakukan sniffing untuk mendapatkan data sensitif, melakukan flooding man in the midle attack sert berbagai kejahatanlainnya secara leluasa

2 Gedung B


3 Gedung C


4 Gedung D


5 Gedung E


6 Gedung F


7 Gedung G


8 Gedung H


9 MSU ittelkom N/A VPN Tinggi Penyerang dapat bergabung dengan WLAN dan melakukan sniffing untuk mendapatkan data sensitif, melakukan flooding man in the midle attack sert berbagai kejahatanlainnya secara leluasa

10 Library Library N/A VPN Tinggi Penyerang dapat bergabung dengan WLAN dan melakukan sniffing untuk mendapatkan data sensitif, melakukan flooding man in the midle attack sert berbagai kejahatanlainnya secara leluasa

11 Area Luar Kampus

Ittelkom_outdoor

N/A VPN Tinggi Penyerang dapat bergabung dengan WLAN dan melakukan sniffing untuk mendapatkan data sensitif, melakukan flooding man in the midle attack sert berbagai kejahatanlainnya secara leluasa

Technical

Documents

Transcript of Technical