
LUP Student Papers

LUND UNIVERSITY LIBRARIES

Check Yourself Before You Wreck Yourself - A study of how to assess security vulnerabilities of web servers through configuration analysis

Hyltander, Ingrid LU (2019) EITM01 20191
Department of Electrical and Information Technology
Abstract
The web server is an essential component of many systems today. It can give access to files containing sensitive information, and it is the backbone that enables a vast number of applications. This makes it critical to ensure that files are only accessed and altered by intended users and that web servers are always up and running when expected. One important aspect of doing this is to ensure that the configuration of the web server does not cause security vulnerabilities. However, this is not a straightforward task, as there are normally hundreds of configuration parameters and different vulnerabilities to take into account. This thesis explores security vulnerabilities related to the configuration of web servers, more specifically the web server software Apache and Nginx, and how to verify the absence of security misconfiguration.

The exploration consists of three major segments. First, information sources regarding security misconfiguration of Apache and Nginx are analyzed and compared. The conclusion is that there are beneficial sources, but none covers every configuration needed to avoid security misconfiguration. They could also benefit from using scoring systems to allow users to understand which security misconfigurations are the most critical. Next, tools available today that can help users verify the absence of faulty configuration are examined and compared. The conclusion is that there is no tool with ready-to-use content fully covering every configuration needed to avoid security misconfiguration. Besides, they are, to a varying extent, not satisfactory regarding how they present the rationale for and possible consequences of needed configuration, and regarding an easy-to-survey output. This result led to exploring whether it is possible to use available tools to create a beneficial solution which can verify the presence of all needed configuration and at the same time educate users about why this configuration is needed and neatly present the result of this verification. This resulted in the development of new ready-to-use content for one of the examined tools, Chef Inspec. The purpose of the new content was to see whether it was possible to cover all types of needed configuration and how Chef Inspec performed with this new content. The conclusion is that it is possible to create content covering all needed configuration, but problems arise if a user is running multiple Apache instances on the same machine. The solution is fairly satisfying, but there is room for improvement of the output of Chef Inspec to facilitate the users' understanding of the rationale behind the suggested configuration and the survey of the result of the verification.
Popular Abstract
Web applications are present in a wide range of areas, not only in business-related operations but also in financial, healthcare, defense, and other critical infrastructures. It is of high importance to ensure that web applications are secure and that they do not expose security vulnerabilities that malicious users can take advantage of to create damage.

The web server is an essential component of many web applications. It can give access to files containing sensitive information, and it is a backbone that enables a vast number of systems. Thus, it is critical to ensure that files are only accessed and altered by intended users and that web servers are always up and running when expected.

One important aspect of doing this is to ensure that the configuration of the web server does not cause security vulnerabilities. However, this is not a straightforward task, as there are normally hundreds of configuration parameters and different vulnerabilities to take into account. Besides, research has shown that configuration today is performed not only by professional system administrators but also by pluralistic and novice administrators, as a result of open-source software and on-demand cloud computing infrastructure.

This thesis explores the relationship between the configuration of web servers and security. It analyzes what configuration is required to counteract security vulnerabilities of web servers and whether, or how, validation to ensure the presence of this correct configuration can be performed today. The thesis shows that there are beneficial information sources regarding security misconfiguration of web servers, but none covers every configuration needed to avoid security misconfiguration. The information sources could benefit from using scoring systems to allow users to understand which security misconfigurations are the most critical. It also demonstrates that no tool was found with ready-to-use content fully covering every configuration needed to avoid security misconfiguration. Besides, the examined tools are, to a varying extent, not satisfactory regarding how they present the rationale behind and possible consequences of needed configuration, and regarding an easy-to-survey output. The thesis suggests that there is one beneficial tool with the possibility to educate users, but that the ready-to-use content found for it was not adequate. New content was written for this tool, showing that it can cover almost all types of needed configuration for the web servers Apache and Nginx. However, there is room for improvement of the output and some functions.
author: Hyltander, Ingrid LU
course: EITM01 20191
type: H2 - Master's Degree (Two Years)
keywords: Software Vulnerabilities, Security Misconfiguration, Configuration Analysis, Web Server, Apache, Nginx
report number: LU/LTH-EIT 2019-730
language: English
id: 8995539
date added to LUP: 2019-10-02 10:10:04
date last changed: 2019-10-02 10:10:04
@misc{8995539,
  abstract     = {{The web server is an essential component of many systems today. It has the possibility to give access to files with sensitive information and it is the backbone that enable a vast amount of applications. This makes it critical to ensure that files are only accessed and altered by intended users and that web servers are always up and running when expected. One important aspect of doing this is to ensure that the configuration of the web server does not cause security vulnerabilities. However, this is not a straightforward task as there are normally hundreds of configurations parameters and different vulnerabilities to take into account. This thesis explores security vulnerabilities related to the configuration of web servers, more specifically the web server software Apache and Nginx, and how to verify absence of security misconfiguration. 

The exploration consists of three major segments. First, information sources regarding security misconfiguration of Apache and Nginx are analyzed and compared. The conclusion is that there are beneficial sources but none is covering every configuration needed to avoid security misconfiguration. They could also benefit from using scoring systems to allow users to understand which security misconfigurations are the most critical. Next, tools available today that can help users verify absence of faulty configuration are examined and compared. The conclusion is that there is no tool with ready to use content fully covering every configuration needed to avoid security misconfiguration. Besides, they are, to a varied extent, not satisfactory regarding how they present rationale about and possible consequences from needed configuration and an easy to survey output. This result lead to the exploration if it is possible to use available tools to create a beneficial solution which can verify the presence of all needed configuration and at the same time educate users about why this configuration is needed and neatly present the result of this verification. This resulted in the development of new ready to use content for one of the examined tools called Chef Inspec. The purpose of the new content was to see if it was possible to cover all types of needed configuration and how Chef Inspec performed with this new content. The conclusion is that it is possible to create content covering all needed configuration, but problems arise if a user is running multiple Apache instances on the same machine. The solution is fairly satisfying but there is room for improvement of the output of Chef Inspec to facilitate the users understanding of the rational behind the suggested configuration and the survey of the result from the verification.}},
  author       = {{Hyltander, Ingrid}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{Check Yourself Before You Wreck Yourself- A study of how to assess security vulnerabilities of web servers through configuration analysis}},
  year         = {{2019}},
}