6.2 Dynamic Application Security Testing
6.2.1 Information Gathering
When it comes to penetration testing, the first step is gathering information about the target system. Kali Linux⁹¹ and its penetration testing tools were used for this. First, port scanning was performed with nmap⁹². Of the 1,000 ports scanned (nmap's default), only ports 80 and 443 gave any information. Port 80 showed that the allowed HTTP methods are GET, HEAD, POST and OPTIONS. nmap indicated that a proxy might be redirecting requests, and it detected Varnish, an HTTP caching reverse proxy. Port 443 was served by Nginx as the web server, and several cryptographic properties of the TLS (SSL) certificate could be retrieved: the public key is a 2048-bit Rivest–Shamir–Adleman (RSA) key, the certificate is valid for one year, the signature algorithm is SHA256withRSAEncryption, and the certificate was obtained through the tls-alpn HTTPS challenge. Most of this certificate information can also be viewed in a browser such as Mozilla Firefox. This configuration matches the recommended compatibility configuration at the time of writing this thesis [72]. nmap also found that HTTP/2 was in use, and it rated the TCP sequence prediction difficulty with an index of 17. According to the nmap documentation [73, 74], an index of 17 means that the initial sequence numbers are hard to predict, which protects the host against blind TCP spoofing; the result is therefore considered secure.
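The facts above were read off nmap's text output by hand. As an added example (not code from the thesis), the following Python script performs the same triage on nmap's machine-readable XML report (`-oX`): it lists the open ports with their detected services, extracts the supported HTTP methods and the certificate facts from the NSE script results, reads the TCP ISN difficulty, and applies a few policy checks. The XML is constructed to mirror the findings reported in the text; its element and key names follow nmap's structured output for the http-methods and ssl-cert scripts as this example's author knows them, and the 398-day validity limit is the current browser policy for publicly trusted certificates, not something the thesis checks.

```python
"""Triage an nmap XML report (-oX): open ports and services, HTTP methods,
TLS certificate facts and the TCP ISN difficulty, plus simple policy checks.
Added example, not the thesis author's code; SAMPLE_NMAP_XML is constructed
to mirror the findings in the text (element/key names as nmap emits them)."""
from datetime import datetime
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -sV -sC -oX scan.xml thesisapp-16048.firebaseapp.com">
  <host>
    <address addr="151.101.1.195" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Varnish"/>
        <script id="http-methods" output="Supported Methods: GET HEAD POST OPTIONS">
          <table key="Supported Methods">
            <elem>GET</elem><elem>HEAD</elem><elem>POST</elem><elem>OPTIONS</elem>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="http" product="nginx" tunnel="ssl"/>
        <script id="ssl-cert" output="(text form omitted)">
          <table key="subject"><elem key="commonName">thesisapp-16048.firebaseapp.com</elem></table>
          <table key="pubkey"><elem key="type">rsa</elem><elem key="bits">2048</elem></table>
          <elem key="sig_algo">sha256WithRSAEncryption</elem>
          <table key="validity">
            <elem key="notBefore">2019-07-01T00:00:00</elem>
            <elem key="notAfter">2020-07-01T00:00:00</elem>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
    </ports>
    <tcpsequence index="17" difficulty="Good luck!"/>
  </host>
</nmaprun>
"""

EXPECTED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}  # PUT, DELETE, TRACE etc. need a closer look
MAX_VALIDITY_DAYS = 398  # longest lifetime browsers accept for publicly trusted certificates today

def _text(node, path):
    found = node.find(path)
    return found.text if found is not None else None

def parse_ssl_cert(script):
    """Certificate facts from an ssl-cert <script> element."""
    return {
        "subject_cn": _text(script, "table[@key='subject']/elem[@key='commonName']"),
        "key_type": _text(script, "table[@key='pubkey']/elem[@key='type']"),
        "key_bits": int(_text(script, "table[@key='pubkey']/elem[@key='bits']") or 0),
        "sig_algo": _text(script, "elem[@key='sig_algo']") or "",
        "not_before": _text(script, "table[@key='validity']/elem[@key='notBefore']"),
        "not_after": _text(script, "table[@key='validity']/elem[@key='notAfter']"),
    }

def parse_nmap(xml_text):
    """Open ports with services, HTTP methods, certificate facts and ISN difficulty."""
    host = ET.fromstring(xml_text).find("host")
    report = {"ports": [], "http_methods": [], "cert": None, "isn_index": None, "isn_class": None}
    for port in host.iter("port"):
        if port.find("state").get("state") != "open":
            continue  # closed/filtered ports carry no service information
        svc = port.find("service")
        attrs = svc.attrib if svc is not None else {}
        report["ports"].append({"port": int(port.get("portid")),
                                "service": attrs.get("name"), "product": attrs.get("product")})
        for script in port.findall("script"):
            if script.get("id") == "http-methods":
                table = script.find("table[@key='Supported Methods']")
                if table is not None:
                    report["http_methods"] = [e.text for e in table.findall("elem")]
            elif script.get("id") == "ssl-cert":
                report["cert"] = parse_ssl_cert(script)
    seq = host.find("tcpsequence")
    if seq is not None:
        report["isn_index"], report["isn_class"] = int(seq.get("index")), seq.get("difficulty")
    return report

def risky_methods(methods):
    """HTTP methods outside the expected set, in the order nmap listed them."""
    return [m for m in methods if m not in EXPECTED_METHODS]

def check_cert(cert):
    """Policy findings for a parsed certificate; an empty list means it passes."""
    findings = []
    if cert["key_type"] == "rsa" and cert["key_bits"] < 2048:
        findings.append(f"RSA key too small: {cert['key_bits']} bits")
    if cert["sig_algo"].lower().startswith(("md5", "sha1")):
        findings.append(f"weak signature algorithm: {cert['sig_algo']}")
    if cert["not_before"] and cert["not_after"]:
        days = (datetime.fromisoformat(cert["not_after"]) - datetime.fromisoformat(cert["not_before"])).days
        if days > MAX_VALIDITY_DAYS:
            findings.append(f"validity period too long: {days} days")
    return findings

if __name__ == "__main__":
    r = parse_nmap(SAMPLE_NMAP_XML)
    print(r["ports"], r["http_methods"], risky_methods(r["http_methods"]))
    print(r["cert"], check_cert(r["cert"]) or "cert ok", r["isn_index"], r["isn_class"])
```

Run against a real scan, replace `SAMPLE_NMAP_XML` with the contents of the `-oX` file produced by `nmap -sV -sC -oX scan.xml <target>`; a non-empty list from `check_cert` or `risky_methods` is what should end up in the findings table, and the `tcpsequence` index can be compared with the threshold classes in the nmap documentation cited above.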
The data mining and open-source intelligence (OSINT) tool Maltego found information about the actual network infrastructure. It showed that the CDN was operated by Fastly Network Operations, and it located ns-cloud-c1.googledomains.com as the DNS server for the domain thesisapp-16048.firebaseapp.com. No personal data was exposed; the records showed only the business details of Google.
Wappalyzer is a tool that identifies the technologies used on a given website. It revealed the front-end technologies, but not the back-end (Express on Node.js). It also did not identify Nginx as the web server; this, however, had already been discovered with nmap.
Further investigation was carried out with Nikto, a web server scanner that checks for dangerous files, outdated server software and common misconfigurations. The interesting parts of its output are presented in Listing 10 and show some potential findings:
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ /phpEventCalendar/file_upload.php: phpEventCalendar 1.1 and prior are vulnerable to file upload bug.
+ /contents/extensions/asp/1: The IIS system may be vulnerable to a DOS, see https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/MS02-018 for details.
+ OSVDB-4598: /members.asp?SF=%22;}alert(223344);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /servlet/com.unify.servletexec.UploadServlet: This servlet allows attackers to upload files to the server.
+ OSVDB-3233: /index.html.ee: Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information.
+ OSVDB-3233: /index.html.it: Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information.
+ /151.101.1.195.tar: Potentially interesting archive/cert file found.
+ /thesisapp-16048firebaseapp.jks: Potentially interesting archive/cert file found.
+ /thesisapp-16048firebaseapp.tgz: Potentially interesting archive/cert file found.
+ /backup.egg: Potentially interesting archive/cert file found.
+ /thesisapp-16048.firebaseapp.egg: Potentially interesting archive/cert file found.
+ OSVDB-3092: /trafficlog/: This might be interesting...
+ OSVDB-3092: /user/: This might be interesting...
+ OSVDB-3092: /users/: This might be interesting...
+ OSVDB-3092: /webaccess.htm: This might be interesting...
+ OSVDB-3092: /webaccess/access-options.txt: This might be interesting...
+ OSVDB-3093: /database/metacart.mdb+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /OA_JAVA/Oracle/: Oracle Applications portal pages found.
+ OSVDB-3093: /OA_JAVA/servlet.zip: Oracle Applications portal pages found.
+ OSVDB-3093: /OA_JAVA/oracle/forms/registry/Registry.dat: Oracle Applications portal pages found.
+ 7864 requests: 0 error(s) and 109 item(s) reported on remote host
+ End Time: 2019-08-17 23:02:55 (GMT0) (2676 seconds)
Listing 10: Nikto logs.
⁹¹ A Linux distribution designed for security testing.
⁹² A network scanner that sends packets and analyses the responses.
6. SECURITY ANALYSIS Master of Science in Technology Thesis
Nikto reports several potentially interesting files and indications of possible server-side vulnerabilities. Notable are the findings that point at two different web servers, Apache and Internet Information Services (IIS). Even though the application is served by Nginx, it looks as if the Firebase infrastructure uses mixed technologies, apparently including a Java and a PHP stack. These path-based findings have to be verified before such a conclusion is drawn, however: Nikto marks a check as positive whenever the requested path does not return a 404, so a host that answers every URL with the same page produces simultaneous hits for Apache, IIS, PHP, Java and Oracle products that it does not necessarily run. The BREACH finding likewise records only a prerequisite (compressed responses); an actual attack additionally requires a response that reflects attacker-controlled input next to a secret such as a CSRF token.
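The verification step just described can be automated. The following Python script is an added example (neither the thesis author's code nor part of Nikto): it parses Nikto findings in the format of Listing 10, fetches a random path that cannot exist on the target to obtain a baseline response, and marks every finding whose status and body hash equal that baseline as a likely false positive. HTTP access is abstracted into a `fetch(path) -> (status, body)` callable, so the example runs offline against two constructed fake hosts, one that rewrites every unknown URL to a single-page-app index (the behaviour that produces catch-all false positives) and one that answers unknown URLs with a proper 404. The sample Nikto lines are constructed from the listing above.

```python
"""Triage Nikto path findings for catch-all false positives.
Added example; not the thesis author's code and not part of Nikto. Nikto's file
and directory checks fire whenever a path does not return 404, so a host that
serves the same page for every URL yields findings for software it does not run."""
import hashlib
import re
import secrets

# Constructed Nikto output lines, in the format shown in Listing 10.
NIKTO_SAMPLE = """\
+ /phpEventCalendar/file_upload.php: phpEventCalendar 1.1 and prior are vulnerable to file upload bug.
+ OSVDB-3233: /index.html.ee: Apache default foreign language file found.
+ /thesisapp-16048firebaseapp.tgz: Potentially interesting archive/cert file found.
+ OSVDB-3092: /user/: This might be interesting...
+ OSVDB-3093: /OA_JAVA/Oracle/: Oracle Applications portal pages found.
+ 7864 requests: 0 error(s) and 109 item(s) reported on remote host
"""

# "+ [OSVDB-nnnn: ]/path: message" -- only lines that name a path are findings.
FINDING_RE = re.compile(r"^\+ (?:OSVDB-\d+: )?(/\S*): (.*)$")

def parse_nikto(text):
    """Return the path-based findings as dicts with 'path' and 'message'."""
    findings = []
    for line in text.splitlines():
        match = FINDING_RE.match(line)
        if match:
            findings.append({"path": match.group(1), "message": match.group(2)})
    return findings

def fingerprint(response):
    """Reduce a (status, body) pair to something comparable across requests."""
    status, body = response
    return status, hashlib.sha256(body).hexdigest()

def triage(findings, fetch):
    """Classify each finding as 'absent', 'likely false positive' or 'verify manually'.

    fetch(path) must return (status_code, body_bytes); a random path that cannot
    exist on the target provides the baseline a catch-all server answers with.
    """
    baseline = fingerprint(fetch("/" + secrets.token_hex(12)))
    catch_all = baseline[0] != 404
    results = []
    for finding in findings:
        fp = fingerprint(fetch(finding["path"]))
        if fp[0] == 404:
            verdict = "absent"
        elif catch_all and fp == baseline:
            verdict = "likely false positive"  # same answer as for a nonexistent path
        else:
            verdict = "verify manually"  # the path really returns something distinct
        results.append({**finding, "status": fp[0], "verdict": verdict})
    return results

# --- Constructed fake hosts standing in for real HTTP access ---------------
SPA_INDEX = b"<!doctype html><html><body><div id='app'></div></body></html>"
REAL_PAGES = {"/user/": (200, b"<html><body>user directory listing</body></html>")}

def catch_all_host(path):
    """Every unknown path is rewritten to the SPA index page with status 200."""
    return REAL_PAGES.get(path, (200, SPA_INDEX))

def strict_host(path):
    """Unknown paths are answered with a proper 404."""
    return REAL_PAGES.get(path, (404, b"Not Found"))

def verdicts_for(fetch):
    """Map path -> verdict for the sample findings against the given host."""
    return {r["path"]: r["verdict"] for r in triage(parse_nikto(NIKTO_SAMPLE), fetch)}

if __name__ == "__main__":
    for name, host in (("catch-all host", catch_all_host), ("strict host", strict_host)):
        print(name)
        for path, verdict in verdicts_for(host).items():
            print(f"  {verdict:22} {path}")
```

For a live target, replace the fake hosts with a function that issues the request (for example with `urllib.request` or `requests`) and returns the status code and body; findings left as "verify manually" are the ones worth a closer look, and the "likely false positive" group should shrink the 109 items Nikto reported to a handful.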
the application.