PenTest Proposal

Uploaded by Tarique Mahmud

Vulnerability Assessment and Quality Assurance of the Most Important Websites of Bangladesh govt.

Proposed
By

Farhan Tanvir

Gazi Tarique Mahmud

MAY 13, 2015


Preface:

We have entered the digital era. To keep up with the digital world and to serve the people
better, the government of Bangladesh is bringing more and more services online. More people
are now using internet-based services, which means they are putting more information on the
internet. If we do not ensure the security of that information, it may come back to harm us. We
need to secure our cyberspace; otherwise we risk exposing confidential information at both the
government and the personal level. The significant increase in cybercrime worldwide also puts
us at risk. There is no absolute security in cyberspace, but if we take preventive measures to
secure our internet and web infrastructure, we might significantly reduce the risk of being attacked.

A Proof of Concept:

In an effort to measure the security of the common online services provided by the government
of Bangladesh, we found numerous vulnerabilities in our web services which might lead us to a
cyber-disaster within a short period of time.

With a little effort, any hacker with malicious intent can access our services illegally and
gain access to confidential information. As a proof of concept we hacked (with no malicious
purpose) into several government websites and dumped all the databases, including those of the
education board, the stock exchange, the police and Bangabhaban's website. Any cyber-criminal
with decent skill can do significant damage to most of the web services provided by the
government and humiliate us as a nation.

Threats we are currently exposed to:

1. Massive Denial of Service (DoS) attacks.
2. Botnet command & control center.
3. Use of government servers to launch an attack against another nation.
4. Malware infection.
5. Stealing and tampering with our confidential data.
Etc.

Our Proposal:

We will conduct a penetration test on the top 50 most important government websites to find
security vulnerabilities and produce detailed reports on our findings. We will make sure that
during our testing no information that is intended to be hidden becomes public through us. We
welcome any measure taken by the authority to monitor our effort during the testing process.
The authority can include or exclude any number of websites from the list we have chosen
initially for penetration testing, but the total number of websites cannot exceed 50 unless the
duration of the project is extended.

Strategy:

We will follow the PTES (Penetration Testing Execution Standard) for this project.
We will use both available open-source tools and customized scripts to exploit the holes
found during our search for vulnerabilities.

The penetration test will be conducted in 3 stages:

1. System Exploration:
In this stage we will scan the system to gather information about it. We will also go
through the websites to understand their purpose, which later feeds into threat modeling.
We will also identify any visual errors related to quality assurance and produce a separate
QA report.

2. Identify Vulnerabilities:
We will use both automated vulnerability scanners and customized scripts to identify
the vulnerabilities in the system. We will also determine the threat level by analyzing
the vulnerabilities.

3. Vulnerability Exploitation:
During this stage we will actually attack the system to exploit the vulnerabilities and try
to compromise it as real attackers would. We will also try to escalate the privilege level
on the compromised system and try to connect back to our own system from the
compromised server.

Attack Vector:
Web:

1. Injection flaws (SQL, OS, and LDAP):

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent
to an interpreter as part of a command or query. The attacker's hostile data can trick the
interpreter into executing unintended commands or accessing data without proper
authorization.

2. Broken Authentication & Session Management:


Application functions related to authentication and session management are often not
implemented correctly, allowing attackers to compromise passwords, keys, or session
tokens, or to exploit other implementation flaws to assume other users’ identities.

3. Cross Site Scripting (XSS):


XSS flaws occur whenever an application takes untrusted data and sends it to a web
browser without proper validation or escaping. XSS allows attackers to execute scripts in
the victim’s browser which can hijack user sessions, deface web sites, or redirect the user
to malicious sites.

4. Insecure Direct Object Reference:


A direct object reference occurs when a developer exposes a reference to an internal
implementation object, such as a file, directory, or database key. Without an access
control check or other protection, attackers can manipulate these references to access
unauthorized data.

5. Sensitive Data Exposure:


Many web applications do not properly protect sensitive data, such as credit cards, tax
IDs, and authentication credentials. Attackers may steal or modify such weakly protected
data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves
extra protection such as encryption at rest or in transit, as well as special precautions
when exchanged with the browser.

6. Missing Function Level Access Control:


Most web applications verify function level access rights before making that functionality
visible in the UI. However, applications need to perform the same access control checks
on the server when each function is accessed. If requests are not verified, attackers will
be able to forge requests in order to access functionality without proper authorization.

7. Cross Site Request Forgery (CSRF):


A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request,
including the victim’s session cookie and any other automatically included authentication
information, to a vulnerable web application. This allows the attacker to force the
victim’s browser to generate requests the vulnerable application thinks are legitimate
requests from the victim.

8. Using Components with known Vulnerabilities:


Components, such as libraries, frameworks, and other software modules, almost always
run with full privileges. If a vulnerable component is exploited, such an attack can
facilitate serious data loss or server takeover. Applications using components with known
vulnerabilities may undermine application defenses and enable a range of possible attacks
and impacts.

9. Unvalidated Redirects and Forwards:

Web applications frequently redirect and forward users to other pages and websites, and
use untrusted data to determine the destination pages. Without proper validation,
attackers can redirect victims to phishing or malware sites, or use forwards to access
unauthorized pages.
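An added illustration of item 1 (injection flaws) that is not part of the proposal: a Python/sqlite3 username lookup built by string concatenation beside its parameterized form, run against a constructed in-memory user table. The probe() helper (our own name) shows why a single quote in the input is the first thing a tester looks for (the concatenated query fails to parse on `O'Brien`) and how a tautology in the input returns every row, while the bound-parameter version treats the same input as plain data.

```python
import sqlite3


# Constructed in-memory user table for the demonstration; not data from the proposal.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted data is spliced into the query text, so the interpreter (SQLite)
    # cannot tell where the developer's query ends and the user's input begins.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # Bound parameters keep data and query structure separate: the input is only
    # ever compared as a string value, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def probe(username):
    """Run both lookups on the same input; return what each produced or raised."""
    conn = build_db()
    results = []
    for lookup in (lookup_vulnerable, lookup_parameterized):
        try:
            results.append(lookup(conn, username))
        except sqlite3.Error as exc:
            results.append("error: " + type(exc).__name__)
    return tuple(results)


if __name__ == "__main__":
    for user_input in ("alice", "O'Brien", "' OR '1'='1"):
        vulnerable, safe = probe(user_input)
        print(repr(user_input), "->", vulnerable, "|", safe)
```

The parse error on the quote is the same signal a scanner such as SQLmap keys on, and the recommendation in the pentest report is the parameterized form.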

Network:

1. Network scanning to discover port status:

Scan the IP address of the website for both open and closed ports to determine the
possible ways of connecting to the server.

2. Service Discovery:
Using a more intensive scan to find the versions of the running services, we will be able to
determine which common vulnerabilities may be exploitable. We will also try to fingerprint
the OS and the service software versions.

3. Bypass firewall:
Different techniques will be used to bypass the firewall rules and establish a connection
to the server.

4. Security Misconfiguration:
Good security requires having a secure configuration defined and deployed for the
application, frameworks, application server, web server, database server, and platform.
Secure settings should be defined, implemented, and maintained, as defaults are often
insecure. Additionally, software should be kept up to date.

5. Simulate DoS (Denial of Service) attack scenarios:

DoS attacks will be used to see how much time it takes to make the service inaccessible to
users. Slow HTTP attacks, HTTP POST attacks and SYN flooding will be used for the DoS
tests. No DDoS (Distributed DoS) will be performed.

Tools:
1. Metasploit:
Metasploit is the de facto exploit development framework. It is best known for its anti-
forensic and evasion tools. It has a large database of shellcode and is well known for
developing and executing exploit code against a remote target machine. Metasploit has
been ranked as the No. 1 penetration testing tool for many years.

2. Nmap:
Nmap ("Network Mapper") is an open source utility for network exploration or security
auditing. It was designed to rapidly scan large networks, although it works fine against
single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are
available on the network, what services (ports) they are offering, what operating system
(and OS version) they are running, what type of packet filters/firewalls are in use, and
dozens of other characteristics.

3. Wireshark:
Wireshark (formerly Ethereal) is a free network protocol analyzer for UNIX and Windows. It
allows you to examine data from a live network or from a capture file on disk. You can
interactively browse the capture data, viewing summary and detail information for each packet.
Wireshark has several powerful features, including a rich display filter language and the
ability to view the reconstructed stream of a TCP session.

4. Kali-Linux:
A Linux-based operating system specially crafted for penetration testing, previously known
as BackTrack 5.

5. W3af:
W3af is a Web Application Attack and Audit Framework. The project’s goal is to create a
framework to help you secure your web applications by finding and exploiting all web
application vulnerabilities.

6. SQLmap:
SQLmap is an open source penetration testing tool that automates the process of
detecting and exploiting SQL injection flaws and taking over database servers. It
comes with a powerful detection engine, many niche features for the ultimate penetration
tester and a broad range of switches ranging from database fingerprinting, over data
fetching from the database, to accessing the underlying file system and executing
commands on the operating system via out-of-band connections.

7. Arachni:
Arachni is an Open Source, feature-full, modular, high-performance penetration testing
framework aimed towards helping penetration testers and administrators evaluate the
security of web applications.

8. Burp Suite (Free edition):

Burp Suite is a Java application that can be used to secure or penetrate web applications.
The suite consists of different tools, such as a proxy server, a web spider, Intruder and
Repeater.

Report Generation:
For every website we will produce 2 reports:

1. Penetration testing report
2. Quality Assurance (QA) report

In the penetration testing report we will include all the information we could gather about the
website from different sources and a detailed explanation of every vulnerability we found, how
we exploited it and what its impact was. We will also include our recommendations on how to
fix the errors that caused the vulnerabilities in the first place.

In the QA (Quality Assurance) report we will include all visual errors, such as links that do
not work or spelling mistakes.

Expected Project Duration:

We expect to finish the project within 6 months, but the authority can extend the time period if
they want to retest or extend the list of websites to be tested.

Expected Outcome:
After successfully completing the penetration test we expect to have identified most of the
common vulnerabilities of the hosting servers and the web applications. If proper steps are taken
to mitigate those vulnerabilities, we can expect our government's online services to be safer and
more secure.
