There are nearly two billion websites on the Internet. Security flaws in many of them are fertile soil for easy takeover. Analysts claim that at least half of all content management system (CMS) installations are out of date and thus lack critical patches. About a quarter of web applications that run on sites are reportedly riddled with vulnerabilities.
By David Balaban, Computer Security Researcher, Privacy-PC.com
These statistics look staggering, don’t they? Let’s see how to prevent your website from ending up in the same boat.
The Classic Exploitation Chain
Based on how it was developed, any website falls into one of three categories: hand-coded, made with a turnkey website builder, or designed using a CMS platform such as WordPress, Drupal, Joomla, etc. The third type is prevalent and therefore targeted the most.
From an attacker’s perspective, content management systems are just like other online services. Since their code is publicly accessible, anyone can check it for security gaps and create exploits that piggyback on the discovered issues. Imperfections in third-party components such as plugins and themes significantly expand the attack surface.
In this scenario, the hack workflow is usually automated and targets multiple websites in one go. It involves bots that scan all sites within a certain range and determine which ones are susceptible to a specific exploitation vector.
Penetration testers follow the same logic, except that their objectives are benign. Before probing a website for weak links, they gather information about it using a tool like WhatWeb. It provides the big picture by determining the site’s CMS, the installed plugins, the geographic location, and the scripting language and libraries in use (PHP or jQuery, for instance).
Security Audit of a WordPress Website
If you need to pinpoint vulnerabilities in a website running WordPress, the world’s most popular CMS, an incredibly effective scanner called WPScan is your best bet. It retrieves a ton of site information, including the WordPress version, plugins, themes, usernames, unsecured wp-config files, database dumps, and open directories.
If any components are misconfigured or have known vulnerabilities, the tool will let you know by displaying exclamation marks next to them. WPScan is also equipped with a password brute-forcing feature so that you can find out what users have weak access credentials. Depending on how in-depth you want the report to be, you can choose between passive, aggressive, and mixed scanning modes.
One more tip is to keep the CVE database in your toolkit. It will allow you to explore all documented vulnerabilities in specific areas of the WordPress site. For example, you can browse known weaknesses in its PHP version. This is a great source of information about the potential entry points.
Looking for Joomla Website Vulnerabilities
The easiest way to check a Joomla site for security imperfections is to use a tool called JoomScan. Masterminded by specialists at the Open Web Application Security Project (OWASP), it determines the CMS version and provides a list of vulnerabilities with links to their CVE descriptions along with the associated public exploits. It additionally gives you a summary of all the open directories and fetches the hyperlink to the configuration file if the site administrator didn’t bother hiding it.
JoomScan is incapable of brute-forcing passwords. To try to retrieve such information, you may need a tool that works in concert with several proxy servers. Cracking weak credentials for the admin dashboard is very challenging because many Joomla sites use a plugin called Brute Force Stop. It blocks an attacker’s IP if the number of failed sign-in attempts reaches a predefined limit.
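The lockout behaviour described above, as an added example that is not the article's or the Brute Force Stop plugin's own code: a small failed-login limiter that counts failures per source IP inside a time window and blocks the IP once they reach a limit. The thresholds, class and function names are assumptions chosen for illustration.

```python
# Added example (not from the article or the Brute Force Stop plugin): a minimal
# failed-login limiter implementing the behaviour the article describes, i.e.
# blocking a source IP once its failed sign-in attempts reach a limit.
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed threshold; the real plugin's default may differ
WINDOW_SECONDS = 600    # failures older than this no longer count
BLOCK_SECONDS = 1800    # how long a blocked IP stays blocked


class LoginLimiter:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, block=BLOCK_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.block = block
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # block has expired, forget it
            del self.blocked_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed sign-in; return True if the IP is now blocked."""
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked_until[ip] = now + self.block
            q.clear()
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)          # a good login resets the counter


def handle_login(limiter, ip, password_ok, now):
    """Decide one login attempt: 'blocked', 'ok' or 'failed'."""
    if limiter.is_blocked(ip, now):
        return "blocked"                     # reject before checking the password
    if password_ok:
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip, now)
    return "failed"
```

A blocked IP is rejected even when it finally presents the right password, which is what makes the lockout effective against guessing; a lower limit or a longer block trades availability for resistance.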
Checking websites that use Drupal and other CMS platforms
Unfortunately, a one-stop vulnerability scanner that would assess sites running Drupal and lesser-known CMS platforms has yet to be created. A plugin-based tool called DroopeScan is perhaps the only option to automate the process. However, its report only includes basic site details that may not suffice to get actionable insights into vulnerable areas and other things that could be improved.
With that said, you will have to take the manual route to explore the website’s security condition thoroughly. As part of this routine, look for proof-of-concept (POC) exploits on GitHub and scour the CVEdetails database for known vulnerabilities.
An illustration of what you can find this way is a bug tracked as CVE-2018-7600, which allows a perpetrator to run arbitrary code on sites using several Drupal versions from the 7.x and 8.x range. A little bit of further research will reveal a POC exploit for this vulnerability. Even if the automatic scanner only shows the CMS version and it turns out to be vulnerable, this information could be enough to compromise the website.
What about Hand-coded Websites?
There is no such thing as a scanner that checks a hand-coded site for obsolete web applications and known vulnerabilities. To bridge the gap, you need to look for potential flaws manually using the OWASP methodology or a tactic of your own. One of the best ways to systematize this process is to use the OWASP Web Security Testing Guide. It provides clear-cut rules for pinpointing the most critical web application vulnerabilities from the OWASP Top 10 list.
The previously mentioned WhatWeb scanner can point you in the right direction by listing all built-in services and their versions. If you find out that the website uses an old version of Apache Tomcat or of the Ruby on Rails application framework, you can search the web for the associated exploits.
The programming language version can also shed light on the potential vectors of compromise. For example, white hats are discovering new PHP vulnerabilities all the time, and the patches may take weeks to arrive.
The next thing on your to-do list is to run a content scanner like DIRB, which probes the web server for directories and files using a wordlist and inspects the responses. A few more platform-neutral instruments that can help you spot common vulnerabilities are Burp Suite, Mantra Security Framework, nikto, OWASP Zed Attack Proxy (ZAP), skipfish, and w3af.
Keep Your Website Safe
If you use a CMS, avoid installing sketchy plugins, get rid of unused ones, and maintain proper software update hygiene. Web development specialists should thoroughly check the scripts found on the Internet before implementing them. It’s also important to comply with basic coding rules, such as never building database queries from unsanitized input that may contain special characters. Constant monitoring of your site’s performance will help to find any security issues before they can cause serious damage.
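The coding rule about special characters in database queries, as an added example that is not part of the article: a lookup that pastes user input into SQL text beside the same lookup with a bound parameter, run against a constructed in-memory SQLite table. The table, rows and function names are assumptions for illustration.

```python
# Added example (not from the article): the "special characters in database
# queries" rule shown as a vulnerable lookup beside its hardened form.
# The users table and its rows are constructed sample data.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "editor"), ("carol", "subscriber")])
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable: the input is spliced into the SQL text, so a quote character
    # closes the string literal and whatever follows is executed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Hardened: a bound parameter is always treated as data, never as SQL,
    # whatever characters it contains, so no manual filtering is required.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"            # constructed input containing a quote
    print(lookup_unsafe(db, crafted))   # every row comes back
    print(lookup_safe(db, crafted))     # nothing matches, as intended
```

Note that a legitimate name containing an apostrophe makes the unsafe version fail with a syntax error, so filtering characters away also breaks valid input; binding parameters fixes both problems at once.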
To steer clear of security issues with a custom-built website, the principle is similar: you need to check its web components for known vulnerabilities, purge it of all the elements you don’t use, and keep the others up to date. Another tip is to make sure that the web design studio that created the website provides a decent level of tech support.
It’s also a great idea to hire an unbiased penetration tester who will conduct a full audit of the site according to vulnerability assessment best practices. On a side note, some major companies run bug bounty programs and generously reward security professionals for finding security loopholes in their digital infrastructures, including official websites.
Final Thoughts
If you have a knack for spotting weak links in Internet-based services, the use of the OWASP Web Security Testing Guide is an amazingly effective way to hone your expertise. You can start with sandbox environments such as deliberately vulnerable virtual machines. If you get the hang of this activity, it can become a springboard for a brilliant penetration testing career.
About the Author
David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs, and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.