SECURITY ANALYSIS OF OPEN SOURCE CONTENT MANAGEMENT SYSTEMS WORDPRESS, JOOMLA, AND DRUPAL

A Thesis

Presented to the Faculty of California State Polytechnic University, Pomona

In Partial Fulfillment Of the Requirements for the Degree Master of Science In Computer Science

By

Rasha Ali Alghofaili

2018

SIGNATURE PAGE

THESIS: SECURITY ANALYSIS OF OPEN SOURCE CONTENT MANAGEMENT SYSTEMS WORDPRESS, JOOMLA, AND DRUPAL

AUTHOR: Rasha Ali Alghofaili

DATE SUBMITTED: Spring 2018

Computer Science Department

Dr. Mohammad I. Husain Thesis Committee Chair Computer Science

Dr. Sampath Jayarathna Computer Science

Dr. Yu Sun Computer Science

ACKNOWLEDGEMENT

First and foremost, I would like to thank Allah for giving me this opportunity and the strength to complete this study and achieve my goal. Without his blessings, this would not have been possible. Secondly, I would like to express my sincere gratitude and deepest appreciation to my thesis advisor, Dr. Mohammad I. Husain, for his guidance, continuous support, and encouragement during my Master's study. His direction was the key to my success throughout the time spent researching and writing this thesis. Especially, I thank him for his patience, motivation, immense knowledge, and faith, which motivated me to work in this area, which has always been my dream. I could not have imagined having a better advisor for my Master's study. Besides my advisor, I would like to thank my thesis committee, Dr. Sampath Jayarathna and Dr. Yu Sun, for motivating me to widen my research. I would further like to take the opportunity to thank my sponsor, the Saudi Arabian Cultural Mission (SACM), for the valuable and unforgettable opportunity of studying abroad, along with all of their other help and assistance. Last but not least, I offer my most sincere gratitude to my beloved family: my parents, Ali Alghofaili and Amal Alswailem, my sister, Lulu Alghofaili, and my friend Ohoud Almosa, for their patience, understanding, and spiritual support throughout my journey to make this dream come true and in my life in general. This accomplishment would not have been possible without God's blessing and them.

I love you all.

ABSTRACT

A content management system (CMS) is a web-based application that lets multiple users with different permission levels build and manage content online, even without web programming knowledge. WordPress, Joomla and Drupal are the first CMSs that come to mind: they are the most popular CMS solutions on the market today. Because they are easy to use, people build their own websites with them without paying attention to security. This is a major problem, because protecting a website is essential to any business. In this thesis, we evaluate three open source content management systems, WordPress, Joomla, and Drupal, on the following criteria: ease of installation, usability, and security. To perform the comparison, a website was developed in each CMS and tested before and after applying security practices. In addition, the reported vulnerabilities of each CMS are examined in order to recommend the best practices and plugins for preventing them.

Contents

Signature Page ...... ii
Acknowledgement ...... iii
Abstract ...... iv
1 Introduction ...... 1
1.1 What is CMS ...... 1
1.2 Motivation ...... 1
1.3 Problem Description ...... 2
1.4 Research Goal ...... 3
1.5 Background ...... 3
1.5.1 Why We Use CMS ...... 3
1.5.2 Types of CMS ...... 4
1.5.3 Features of the CMS ...... 4
1.5.4 Web Hosting ...... 4
1.6 Literature Review ...... 5
2 Open Source Management System ...... 8
2.1 Joomla ...... 8
2.1.1 Features ...... 8
2.1.2 Installation ...... 9
2.1.3 Hosting ...... 9
2.1.4 Joomla.com vs Joomla.org ...... 9
2.1.5 Joomla Website "Securityprojectj.com" ...... 10
2.2 WordPress ...... 10
2.2.1 Features ...... 11
2.2.2 Installation ...... 11
2.2.3 Hosting ...... 11
2.2.4 Wordpress.com vs Wordpress.org vs Wordpress.com for Business ...... 11
2.2.5 Wordpress Website "SecurityProjectwp.com" ...... 12
2.3 Drupal ...... 13
2.3.1 Features ...... 13
2.3.2 Installation ...... 13
2.3.3 Hosting ...... 13
2.3.4 Drupal 7 Vs Drupal 8 ...... 14
2.3.5 SecurityprojectD.com ...... 14
3 Web Application Analysis ...... 15
3.1 Testing Requirement ...... 15
3.2 Scanning Tools ...... 15
3.2.1 OWASP Zed Attack Proxy Project ...... 15
3.2.2 Skipfish ...... 16
3.2.3 Vega Scanner ...... 16
3.2.4 Zenmap ...... 16
3.2.5 OWASP WebScarab ...... 16
3.2.6 Burp Suite ...... 17
3.2.7 WP Scan ...... 17
4 Scanning Results ...... 18
4.1 Joomla ...... 18
4.1.1 OWASP Zed Attack Proxy Project ...... 19
4.1.2 Skipfish ...... 20
4.1.3 WebScarab ...... 21
4.1.4 Zenmap ...... 22
4.1.5 Vega ...... 23
4.1.6 Problems ...... 24
4.2 WordPress ...... 25
4.2.1 ZAP ...... 26
4.2.2 Skipfish ...... 27
4.2.3 Vega ...... 28
4.2.4 Zenmap ...... 29
4.2.5 WP Scan ...... 30
4.3 Drupal ...... 31
4.3.1 ZAP ...... 31
4.3.2 Skipfish ...... 33
4.3.3 WebScarab ...... 34
4.3.4 Vega ...... 35
4.3.5 Zenmap ...... 36
4.3.6 Burp Suite ...... 38
5 CMS Security ...... 39
5.1 Security Practices ...... 39
5.1.1 Secure Hosting ...... 39
5.1.2 Use SSL Certificate ...... 40
5.1.3 Login Security ...... 40
5.1.4 .Htaccess File ...... 41
5.1.5 Take Regular Backup ...... 41
5.1.6 Keep Everything Up To Date ...... 41
5.1.7 Choose Trusted Add-ons ...... 42
5.1.8 Directory permission ...... 42
5.1.9 Set Up a Two Factor Authentication ...... 43
5.1.10 Backend Protection ...... 43
5.1.11 Deleting Core Dump Files ...... 44
5.1.12 Block IP Address ...... 45
5.1.13 Secure Coding Practices ...... 45
5.1.14 Security ...... 45
5.1.15 Security Plug ins, Extensions and Modules: ...... 45
5.1.16 Web Application Firewall ...... 46
5.1.17 PHP Protection ...... 46
6 Adding Plug ins, Extensions, Modules ...... 47
6.1 Joomla Extensions ...... 47
6.1.1 Security Check Extension: ...... 47
6.1.2 Akeeba ...... 48
6.1.3 Securityprojectj.com ...... 49
6.1.4 Problems ...... 50
6.2 WordPress ...... 51
6.2.1 Wordfence ...... 51
6.2.2 UpdraftPlus ...... 51
6.2.3 Shield ...... 52
6.2.4 Securityprojectwp.com ...... 53
6.3 Drupal ...... 54
6.3.1 Security Review Module ...... 54
6.3.2 TFA Basic Plugins ...... 55
6.3.3 Backup and Migrate ...... 55
6.3.4 Security Kit ...... 56
6.3.5 Drupal Firewall ...... 56
6.3.6 Security Practices ...... 56
7 Vulnerability Analysis ...... 57
7.1 Joomla ...... 57
7.1.1 Extensions ...... 57
7.1.2 Joomla Core ...... 60
7.2 Wordpress ...... 61
7.2.1 Plug ins ...... 61
7.2.2 Wordpress Core ...... 61
7.3 Drupal ...... 63
7.3.1 Drupal Modules Projects ...... 63
7.3.2 Drupal Core ...... 65
8 Results after Adding Security ...... 66
8.1 Joomla ...... 66
8.1.1 ZAP ...... 66
8.1.2 Skipfish ...... 68
8.1.3 Vega ...... 68
8.1.4 WebScarab ...... 69
8.1.5 Zenmap ...... 69
8.1.6 Burp Suite ...... 71
8.2 Wordpress ...... 72
8.2.1 ZAP ...... 72
8.2.2 Skipfish ...... 73
8.2.3 Vega ...... 74
8.2.4 WebScarab ...... 74
8.2.5 Zenmap ...... 75
8.2.6 Burp Suite ...... 76
8.3 Drupal ...... 77
8.3.1 ZAP ...... 77
8.3.2 Skipfish ...... 78
8.3.3 Vega ...... 79
8.3.4 Zenmap ...... 79
8.3.5 Burp Suite ...... 80
9 Discussion ...... 81
9.1 Results ...... 81
9.2 Results ...... 83
9.3 Vulnerabilities Analysis ...... 84
10 Conclusion ...... 86
10.1 Summary ...... 86
10.2 Future Work ...... 87

List of Tables

7.1 Joomla Extensions Vulnerabilities Not Fixed (“Joomla.org. Joomla!”, n.d.) ...... 58
7.2 Joomla Extensions Vulnerabilities Fixed (“Joomla.org. Joomla!”, n.d.) ...... 59
7.3 Joomla Core Vulnerabilities (“Joomla.org. Joomla!”, n.d.) ...... 60
7.4 Wordpress Plug ins Vulnerabilities (“WordPress CMS”, n.d.) ...... 62
7.5 Wordpress Core Vulnerabilities (“Drupal Open Source CMS.”, n.d.) ...... 62
7.6 Drupal Modules Vulnerabilities (“Drupal Open Source CMS.”, n.d.) ...... 64
7.7 Drupal Core Vulnerabilities (“Drupal Open Source CMS.”, n.d.) ...... 65
9.1 Scanning Result before adding security ...... 81
9.2 Scanning Result After adding security ...... 82

List of Figures

4.1 Joomla Website "SecurityProjectj.com" ...... 18
4.2 Securityprojectj.com ZAP Scanning Results ...... 19
4.3 Securityprojectj.com Skipfish Scanning Results ...... 20
4.4 Securityprojectj.com WebScarab Scanning Results ...... 21
4.5 Securityprojectj.com Zenmap Scanning Results ...... 22
4.6 Securityprojectj.com Vega Scanning Results ...... 23
4.7 SecurityProjectj.com Problem ...... 24
4.8 SecurityprojectWP.com Layout ...... 25
4.9 Securityprojectwp.com ZAP Scanning Results ...... 26
4.10 Securityprojectwp.com Skipfish Scanning Results ...... 27
4.11 Securityprojectwp.com Vega Scanning Results ...... 28
4.12 Securityprojectwp.com Zenmap Scanning Results ...... 29
4.13 Securityprojectwp.com WPScan Scanning Results ...... 30
4.14 SecurityProjectD.com main page ...... 31
4.15 Securityprojectd.com ZAP Scanning Results ...... 32
4.16 Securityprojectd.com Skipfish Scanning Results ...... 33
4.17 Securityprojectd.com WebScarab Scanning Results ...... 34
4.18 Securityprojectd.com Vega Scanning Results ...... 35
4.19 Securityprojectd.com Zenmap Scanning Results ...... 37
4.20 Securityprojectd.com Burp Suite Scanning Results ...... 38
5.1 Core Dump Files ...... 44
6.1 Security Check Extension ...... 48
6.2 SSL Certificate ...... 49
6.3 Problems ...... 50
6.4 Shield Security Plug in ...... 52
6.5 Security Review Module ...... 54
6.6 TFA Module ...... 55
8.1 Securityprojectj.com ZAP Results ...... 67
8.2 Securityprojectj.com Skipfish Results ...... 68
8.3 Securityprojectj.com WebScarab Results ...... 69
8.4 Securityprojectj.com Zenmap Results ...... 70
8.5 Securityprojectj.com Burp Suite Results ...... 71
8.6 Securityprojectwp.com ZAP Results ...... 72
8.7 Securityprojectwp.com Skipfish Results ...... 73
8.8 Securityprojectwp.com WebScarab Results ...... 74
8.9 Securityprojectwp.com Zenmap Results ...... 75
8.10 Securityprojectwp.com Burp Suite Results ...... 76
8.11 Securityprojectd.com ZAP Results ...... 77
8.12 Securityprojectd.com Skipfish Results ...... 78
8.13 Securityprojectd.com Zenmap Results ...... 79
8.14 Securityprojectd.com Burp Suite Results ...... 80

List of Abbreviations

CMS Content Management System
XSS Cross Site Scripting

Chapter 1

Introduction

1.1 What is CMS

A content management system, known as a CMS, is a web-based application or server-side software that allows content to be published. The content can be text, pictures, audio or any other type of file. All files in the CMS can be managed, modified, edited and maintained from a central administration page that can be reached from any location. A CMS supports web-based management, which lets the user develop the website more easily (“Joomla.org. Joomla!”, n.d.). CMSs are becoming more and more popular because little technical knowledge is needed to use them. One of the main features of a CMS is managing and maintaining user content such as text, photos, music, video and documents (Mirdha, Jain, & Shah, 2014); a user with no technical knowledge can still maintain a website with a CMS.

1.2 Motivation

Web applications have become something we cannot live without; from shopping at a boutique to ordering food online, nearly every business or person nowadays has a website or a blog. Therefore, building a website has become essential for every business. Web content management systems have become very popular because no programming knowledge is needed to build a website or blog. That so many people use a CMS to build their own websites or blogs is the main motivation for this thesis. Many people develop websites with no programming skills, which raises the question of how secure their websites may or may not be. This realization provided the incentive for this thesis to dig deep into the CMSs and find the best practices to help people with no coding experience secure their own websites.

1.3 Problem Description

As CMSs have become so popular, many site owners pay no attention to security; they focus only on presenting the best-looking website, with great design, pictures, and simple functionality. Attackers find it easy to compromise a simple website that has no basic security measures in place. Website owners often assume that attackers have no interest in their sites because they are not large corporations, so they implement no security measures, reasoning that doing so would cost more. However, an attacker need not target a particular site at all: the site may simply be picked up by automated tooling that attackers run to compromise many websites at once (Vasek, Wadleigh, & Moore, 2016).

1.4 Research Goal

The main research goal is to find the most secure CMS among the top three: WordPress, Joomla, and Drupal. With this in mind, different types of plugins, extensions, and attacks were examined. Beyond the overall goal of identifying the most secure CMS, a security analysis is performed on each platform. The website content is the same in all three CMSs. After the websites are created, the security measures recommended for each CMS are applied to the website and the results are documented. Next, the websites are scanned and analyzed for the vulnerabilities an attacker could look for, and a static and dynamic comparison of the three open source CMSs is made, describing how effective each plugin or extension is and what risks it introduces. Finally, a set of plugins and practices is proposed that adds security to any website developed with one of these CMSs.

1.5 Background

1.5.1 Why We Use CMS

CMSs are for everyone, but they are most useful for non-technical people, who can build and maintain a website with them. A CMS also helps users update and back up all files automatically, which saves time and resources. In addition, since a CMS is web-based, changes can be made from anywhere. Because the CMSs considered here are open source, they are free to download and use.

1.5.2 Types of CMS

There are many types of CMS; this thesis covers open source content management systems. An open source CMS can be downloaded and used with no fees; however, additional costs may arise when buying add-ons that improve the website, such as templates, security, backups, and more. According to websitesetup.org, the three most popular CMSs in 2017 were WordPress, Joomla, and Drupal, in that order (Mening, 2013). Each of the three has different features depending on the user's needs.

1.5.3 Features of the CMS

There are many beneficial features in the use of a CMS. First, CMSs are flexible and easy to use for programmers and non-programmers alike. Second, plugins, extensions and modules can take a website to another level. In addition, a one-click update saves time and fixes many issues. Moreover, most problems with a CMS can be solved with the support and solutions available in the open source developer community. Furthermore, WordPress, Joomla and Drupal offer more than 70 languages in their multilingual platforms (“Joomla.org. Joomla!”, n.d.). Finally, content for the website is easy to create and publish with these platforms.

1.5.4 Web Hosting

Web hosting is a service that gives the user space on a server where all the files required to make a website can be stored; the site is then available to anyone connected to the Internet. Although it is possible to host your own website, this is not easy for a non-technical user, since it requires a lot of work and experience. The hosting company requires a domain in order to host the website; if the user does not have one, the hosting company can help the user register one. Most web hosting companies also offer some security features. There are different types of web hosting, such as shared hosting, cloud hosting, and others. The hosting used in this thesis is shared hosting, in which multiple websites are hosted by the provider on a single server (Rouse & Cote, n.d.). Shared hosting also means the site shares the server, and any weakness in its configuration, with other customers' sites. The hosting services used in this thesis are Bluehost and SiteGround; both are popular, reliable web hosting companies.

1.6 Literature Review

A comparative analysis of open source CMSs by Mirdha, Jain and Shah compared seven CMSs. The analysis shows that WordPress, Joomla, and Drupal are the top three and currently the most popular. The study also lists the features common to these three and to four more CMSs, among them Alfresco, Typo3 and DotNetNuke, seven in total. The common features discussed are security, performance, support, built-in features, management and ease of use. Under security, four features were considered: versioning, email, CAPTCHA, and login history. All three CMSs have these features available, either built in or as a free add-on, except that CAPTCHA is not available in WordPress. The study concludes that WordPress, Joomla, and Drupal are on an equal footing in security if only those four features are considered. The study did not consider plugins in WordPress, extensions in Joomla or modules in Drupal, which could change the comparison if they were added. Furthermore, no solution to the security problems was discussed.

Another study, by Patel, Rathod, and Parkih, presents a statistical comparison of WordPress, Joomla, and Drupal. The comparison was conducted by creating a page in each platform with minimal content, such as a clock and a calendar added through plugins, in order to determine which CMS is best in terms of performance and security. The study found WordPress to be the quickest to take live on a server; Joomla caches less and therefore benefits sites with many functions; and Drupal suits an informative site because of its low load time. That approach is similar to the one taken in this thesis; however, the research here goes further by adding more complicated functionality to the websites, such as a variety of plugins.

Plugins and extensions are a threat to any open source content management system, since installation is easy and nobody checks the source code. According to the study of WordPress plugin quality by Koskinen, Ihantola and Karavirta, an attacker can obtain information from a website or blog merely because a plugin was installed: when a plugin or extension is poorly developed, the attacker can find and target its vulnerabilities. This is a major problem because many CMS users install more than one plugin or extension on a blog or website. The study lists the top five PHP vulnerability classes as remote code execution, cross-site scripting (XSS), SQL injection, PHP configuration and file system attacks, and discusses how non-expert PHP programmers introduce vulnerabilities while designing a plugin by not using the language properly, which lets attackers exploit the plugins and web applications. The authors also ran an experiment on 322 WordPress plugins; the results indicate 860 vulnerabilities in 127 plugins. Cross-site scripting (XSS) was the most common type, with 615 vulnerabilities in 107 plugins, about 72% of the total. The paper found the result encouraging, since more than half of the plugins passed the static analysis with no vulnerability detected; even so, the plugin ecosystem is not as secure as it should be. Furthermore, a plugin's user rating should not be the only factor in choosing it, since the study found no real relationship between a high user rating and a secure plugin. This thesis follows a similar approach by installing some of the popular plugins and testing the website.
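The two vulnerability classes singled out above, SQL injection and cross-site scripting, come from the same mistake: user input handled as code rather than as data. The following is an added example, not code from the thesis or from any plugin it cites, written in Python with SQLite rather than PHP with MySQL so that it runs without a web server; the table and the two payloads are constructed for the demonstration. Each vulnerable function is paired with the fix that removes the bug: binding the value as a query parameter, and escaping the value for the HTML context it is printed into (in PHP, prepared statements and htmlspecialchars() play the same roles). The same pairing applies to the SQL injection alert that ZAP raises against the Joomla site in Chapter 4.

```python
import html
import sqlite3


def make_db():
    """Constructed sample table standing in for a plugin's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, "
        "title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO posts (author, title, published) VALUES (?, ?, ?)",
        [("alice", "Hello world", 1), ("bob", "Draft: not yet public", 0)],
    )
    return conn


# --- Vulnerable versions: the kind of code the plugin study flags ---

def posts_by_author_vulnerable(conn, author):
    # User input is concatenated straight into the SQL text, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT title FROM posts WHERE published = 1 AND author = '"
           + author + "'")
    return [row[0] for row in conn.execute(sql)]


def render_search_vulnerable(term):
    # User input is echoed into HTML unescaped: reflected XSS.
    return "<p>Results for: " + term + "</p>"


# --- Fixed versions ---

def posts_by_author_safe(conn, author):
    # Parameter binding: the value is sent separately from the query text
    # and can never change the query's structure.
    sql = "SELECT title FROM posts WHERE published = 1 AND author = ?"
    return [row[0] for row in conn.execute(sql, (author,))]


def render_search_safe(term):
    # Escape at the point of output, for the context the value lands in.
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


# Constructed payloads: the first closes the quoted string and adds an
# always-true condition; the second is a classic script injection.
SQLI_PAYLOAD = "x' OR 1=1 --"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def demo():
    """Run both payloads against the vulnerable and the fixed code."""
    conn = make_db()
    return {
        "sqli_vulnerable": posts_by_author_vulnerable(conn, SQLI_PAYLOAD),
        "sqli_safe": posts_by_author_safe(conn, SQLI_PAYLOAD),
        "xss_vulnerable": render_search_vulnerable(XSS_PAYLOAD),
        "xss_safe": render_search_safe(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Running the file shows the impact: the vulnerable query returns the unpublished draft along with the public post because the injected condition bypasses the published = 1 filter, the parameterized query returns nothing for the same input, and the escaped output carries the script tag as inert text.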

Chapter 2

Open Source Management System

2.1 Joomla

Joomla is an open source content management system written in PHP that uses a MySQL database. It is the newest of the three CMSs, created in 2005 (“Joomla.org. Joomla!”, n.d.). Joomla has recently become very popular: it was awarded best open source content management system in 2015, 2016, and 2017 by the CMS Critic awards (“CMS Critic”, 2018), largely on the strength of its core features. In addition, Joomla is used by about 6% of the websites that W3Techs tracks as running a known CMS (“Web Technology Surveys.” N.d.), a large share of the CMS market.

2.1.1 Features

The Joomla package can be installed on Windows, Linux, and Mac OS. It has many free templates to choose from and around 7,994 extensions that let users enhance the quality of a Joomla website. In addition, Joomla is a very flexible system that can be managed easily. Among the Joomla core features are user, media, cache, content, and news feed management (“Joomla.org. Joomla!”, n.d.), all of which ship in the core rather than as add-ons.

2.1.2 Installation

Joomla can be installed manually by downloading the Joomla package and working on it locally before publishing it with the host provider; it can also be installed by buying the domain from the host first and building the website immediately with the host's one-click feature (“SiteGround: Web Hosting Services”, n.d.). To install it manually, go to the Joomla website and download the ZIP file, unzip the Joomla package, find the configuration file, and set the database name, database user name, and database password. Then log into the hosting service and upload all the files. Finally, complete the registration information, and the installation is done (“Joomla.org. Joomla!”, n.d.). The second option is simpler, because most reliable web hosting companies offer one-click installation for all the major CMSs from the hosting control panel.

2.1.3 Hosting

For the Joomla website, the hosting company used in this thesis is SiteGround. It was recommended by the Joomla.org website; moreover, SiteGround is Joomla.com's hosting company and partner. Therefore, SiteGround was the first choice to host the Joomla website in this experiment.

2.1.4 Joomla.com vs Joomla.org

Joomla has two different services:

• Joomla.com

Joomla.com is a hosted service that allows the customer to build and maintain a free website; however, some features are limited. For instance, there is a limited number of templates, and they cannot be edited. Also, the user can install only five extensions; thus it is recommended for blogging and simple websites (“Joomla.org. Joomla!”, n.d.).

• Joomla.org

Joomla.org, referred to in this thesis simply as Joomla, is the self-hosted open source platform. There is no limit to what the user can do or create, although the user is responsible for finding a hosting company and choosing a domain. In this thesis the self-hosted option was chosen; it is the more flexible option, since there is no limit on the functionality and extensions that can be used, and it is what most people use, which makes it the main focus of this thesis.

2.1.5 Joomla Website "Securityprojectj.com"

After the domain name was chosen, SiteGround was chosen as the host for the Joomla website; Joomla was installed with one-click installation and the website was ready to use. There were no major changes to securityprojectj.com; only a few articles were changed. The goal is to test and scan the website before adding any extension or changing anything else on the site.

2.2 WordPress

WordPress is the most popular CMS; around 59.9% of the CMS market uses WordPress (“CMS Critic”, 2018). It is also the simplest and easiest CMS to use, and is known as the best CMS for everything from small blogs to business owners' websites (Mening, 2013). Because it is so popular, the WordPress community offers many design templates and plugins with a wide range of functionality.

2.2.1 Features

WordPress is very easy to use and has a simple interface; all the content of a website can be published easily. Because WordPress is the most used CMS in the world, its community is very large, so almost any problem a user faces can be solved. Another reason for its popularity is the large number of themes and plugins that can be used with it.

2.2.2 Installation

Like Joomla, WordPress can be installed in two ways: manually, by downloading the WordPress package and working on it locally before publishing it; or by choosing a web host and a domain and using the one-click installation in the hosting control panel, a feature available at the top hosting companies. The one-click feature builds the WordPress site immediately.

2.2.3 Hosting

Bluehost is the hosting provider used for the WordPress website; it is recommended by WordPress.org and offers hosting optimized for WordPress. That optimized hosting, however, is designed for businesses and websites that reach around 100 million visits per month, and it is more expensive than a small website needs. A basic hosting plan was therefore chosen to host the website.

2.2.4 Wordpress.com vs Wordpress.org vs Wordpress.com for Business

• Wordpress.com:

WordPress.com is the fully hosted free service from WordPress: the user does not need to look for a good hosting company or worry about downloading and managing anything technical. However, the domain will include "wordpress.com" in its name, the user only has access to the provided themes and not to custom themes, and uploading a plugin or changing the code is not allowed (“WordPress CMS”, n.d.).

• Wordpress.com for business:

WordPress.com for Business is similar to WordPress.com in being fully hosted by WordPress, but it adds features such as the ability to install any plugin from the WordPress community, so the user can, for example, build an e-commerce store (“Worpress business plan”, n.d.). This plan costs the user more money; it is a good choice for people willing to pay more so that they never have to deal with hosting the website at all.

• Wordpress.org:

WordPress.org is the open source publishing platform; the user is responsible for hosting and maintaining the site and for adding all the plugins the website needs. Backups and security are the user's responsibility as well (WordPress). In return, there is no limit on the functionality that can be used to design and customize the website, including custom code. Registration with WordPress is not required for WordPress.org.

2.2.5 Wordpress Website "SecurityProjectwp.com"

As with the Joomla website securityprojectj.com, nothing was changed on securityprojectwp.com except some articles, to match the Joomla website. After the domain and the host (Bluehost) were chosen, WordPress was installed with one-click installation.

2.3 Drupal

Drupal is free content management software written in PHP and distributed under the GNU General Public License (GPL). According to the Drupal website, as of November 2017 the Drupal community had more than 1.3 million members. Many websites use the Drupal platform, such as Tesla, the US Department of Transportation, and many government websites (“Drupal Open Source CMS.”, n.d.). It is known as a powerful and scalable CMS, which is why many government websites use it.

2.3.1 Features

Drupal is ideal for complex websites with a large amount of content. Drupal is also known for its module projects, which can be added to a site to provide new features and custom behavior, extending Drupal's core capabilities. Drupal is more complex to use because of the number of different functionalities; it concentrates on security more than on usability (“Drupal Open Source CMS.”, n.d.).

2.3.2 Installation

Like Joomla and WordPress, Drupal can be installed either by choosing the host first and using its one-click installation, or by downloading it from Drupal.org and then choosing the hosting company and domain.

2.3.3 Hosting

The host for the Drupal website is Bluehost, which the Drupal website recommends as very reliable. One-click installation is also available on Bluehost.

2.3.4 Drupal 7 Vs Drupal 8

Drupal 8 is the latest core version of Drupal; however, Drupal 7 is the most used. The latest statistics, from March 25, 2018, show around 1,069,557 sites on 7.x and 241,049 on 8.x, which makes Drupal 7.x the most used core version to date (Drupal:CMS). Even though Drupal 8 is a newer version with many improved features, Drupal 7 was chosen for this thesis because it is more popular.

2.3.5 SecurityprojectD.com

SecurityprojectD.com was installed using the one-click installation feature in Bluehost. Only the articles were changed, to match the WordPress and Joomla websites; nothing else was added to the site.

Chapter 3

Web Application Analysis

3.1 Testing Requirement

The tests were run from VirtualBox version 5.1.30 with a Kali Linux VM (Lakhani & Muniz, 2013), on which all the scanning tools are already installed.

3.2 Scanning Tools

3.2.1 OWASP Zed Attack Proxy Project

The OWASP Zed Attack Proxy (ZAP) is a free, open source automated web application security scanner and one of the world's most popular free security tools. It finds security vulnerabilities in web applications automatically while they are being developed and tested (ZAP, 2018). The tool attacks the website and gives detailed alerts for each vulnerability. A ZAP report was generated for each website in order to understand the vulnerabilities, compare the three CMSs, and find ways to fix or prevent the high and medium risk alerts.

3.2.2 Skipfish

Skipfish is an open source automated web application vulnerability scanner. It crawls the target site and generates a report with reference links for each vulnerability found. Skipfish is easy to use, high performance, and has well designed security checks (Zalewski, Heinen, & Roschke, 2009). When the scan is done, the report groups the findings into four risk levels, high, medium, low and informational, each containing the vulnerabilities of that severity.

3.2.3 Vega Scanner

Vega is an open source web security scanner written in Java. It crawls and scans the website to find problems that could affect it (“Vega Vulnerability Scanner”, n.d.). The tool has two modes, a scanner and a proxy; the scanner mode is used in this thesis to locate the vulnerable paths in the web application.

3.2.4 Zenmap

Zenmap is the free and open source GUI for Nmap, a network scanning and host discovery tool that identifies the target host and its open ports (“Worpress business plan”, n.d.), so the user can secure them and no attacker can use an open port to attack the site. On shared hosting, the ports found belong to the provider's server rather than to the CMS, so these findings describe the host and are largely outside the site owner's control.

3.2.5 OWASP WebScarab

WebScarab is an open source Java application developed by OWASP. It records, intercepts and analyses HTTP and HTTPS traffic, and lets the tester modify requests and responses; it was used here to record all requests. It is an old tool that has since been superseded by ZAP (ZAP, 2018), but it is still available on Kali Linux and still effective.

3.2.6 Burp Suite

Burp Suite is a penetration testing tool that analyses web and mobile applications and can be used to strengthen the applications as well. It gives a complete analysis of the results (“Burp Suite Scanner | PortSwigger”, n.d.). The tool has many components; in this analysis the components that have been used are Target, where all the information about the application is displayed, and Proxy, which intercepts and inspects the traffic between the application and the server.

3.2.7 WP Scan

WPScan is written in Ruby and is developed for WordPress websites only. The WPScan tool detects the core version, plug ins, themes, users and all the security configuration. For plug ins and themes the tool shows the version of each and whether the user needs to update or uninstall any of them. It also includes alerts if any theme or plug in has security issues. WPScan is used for the WordPress website (“Wpscan.org”, n.d.).

Chapter 4

Scanning Results

4.1 Joomla

FIGURE 4.1: Joomla Website

Figure 4.1 shows the main page of the Securityprojectj.com website; the only things that have been changed are the title of the site and the description of the website.

The login form is used to log in to the admin page to control the website; it can be removed, but it has been left in place for testing purposes.

4.1.1 OWASP Zed Attack Proxy Project

The first scan of securityprojectj.com produced six alerts: one high, one medium and four low. The high alert was “SQL injection”; there were 20 URLs related to this alert. All the URLs were attacks generated by the tool against the website so that the results would be available. There is no single solution that eliminates the problem, but there are some practices that may reduce it. The medium alert was “X-Frame-Options header not set”, which might expose the website to clickjacking attacks; all the web pages of the website need to be served with that HTTP header. The four low risk alerts were “X-Content-Type-Options Header Missing”, “Password AutoComplete in browser”, “Web Browser XSS Protection not enabled”, and “Cookie No HttpOnly Flag”. Most of these alerts are related to the browser and not to the web application.

FIGURE 4.2: Securityprojectj.com ZAP Scanning Results

4.1.2 SkipFish

Skipfish crawled the securityprojectj.com website, and the crawling results were more specific than those of the Zed Attack Proxy Project, as shown in Figure 4.3. There were three main high risk issues: "Query injection vector", "Shell injection vector", and "Server-side XML injection vector". There were also three medium risk issues: "Directory traversal / file inclusion possible", "Incorrect or missing charset", and "XSS vector in document body". There are many other issues, low risk problems, and informational issues. The high risk issues are very sensitive since almost any source of data can be an injection vector, and that can lead to many problems such as data loss or denial of access.

FIGURE 4.3: Securityprojectj.com SkipFish Scanning Results

4.1.3 WebScarab

All the folders in the root directory of securityprojectj.com are available, all the requests have been intercepted, and the user name and password became available. This tool acts as a man in the middle, allowing web requests to be intercepted while they pass from the web browser to the server. In Figure 4.4, all the files are available and can be accessed and changed, and all the requests have been intercepted.

FIGURE 4.4: Securityprojectj.com WebScarab Scanning Results

4.1.4 ZENMAP

The TCP ports 21, 53, 80, 110, 443, 993, 995 and 3306 are open on the target host. All the others are closed, as shown in Figure 4.5. Port 21 is for the "File Transfer Protocol (FTP)", Port 53 is for the "Domain Name System (Domain)", Port 80 is for "Hypertext Transfer Protocol (HTTP)", Port 110 is for "Post Office Protocol (POP3)", Port 443 is for "Hypertext Transfer Protocol (HTTPS)", Port 993 is for the "Internet Message Access Protocol (IMAPS)", Port 995 is for the "Post Office Protocol 3 (POP3S)", and Port 3306 is for the "MySQL database system" (“List of TCP and UDP port numbers”, 2018). Because all these ports are open, they expose the aforementioned services to exploits. This means that Joomla has no built-in firewall to protect all these ports and reduce the number of exposed ports.

FIGURE 4.5: Securityprojectj.com Zenmap Scanning Results

4.1.5 Vega

While using Vega, the Joomla website had three main categories of high risk alerts: shell injection, SQL injection, and cleartext password over HTTP. However, after checking all the alerts by going through the links, not all of the shell and SQL injections were accurate; some of them were tested with no accurate results. The tool was not very accurate, but the requests were readable and some of them could be intercepted.

FIGURE 4.6: Securityprojectj.com Vega Scanning Results

4.1.6 Problems

The Joomla website host (“SiteGround: Web Hosting Services”, n.d.) blocked me several times with its anti-bot AI that prevents brute-force attacks. The testing could not be conducted because the system blocked the user immediately for a decent amount of time, which made the testing process slow. This can be a huge bonus for the host since it is a great help in minimizing malicious bot traffic. A CAPTCHA page is generated before accessing the website.

FIGURE 4.7: SecurityProjectj.com Problem

4.2 WordPress

FIGURE 4.8: SecurityProjectwp.com

Figure 4.8 shows the main page of the WordPress website that has been developed (Securityprojectwp.com); just like the Joomla website, nothing major was added to the website. Only the title and the site description have been changed in the interface. The results of the scanning will be described in this chapter.

4.2.1 ZAP

The results for the securityprojectwp.com website were similar to the Joomla website: there were seven alerts, one high, two medium and four low. The high alert is the "SQL Injection", as shown in Figure 4.9; the medium risk alerts are "Format String Error" and "X-Frame-Options Header Not Set". The other low risk alerts are “X-Content-Type-Options Header Missing”, “Password AutoComplete in browser”, “Web Browser XSS Protection not enabled”, and “Cookie No HttpOnly Flag”. All these problems are not related to the website itself; they are related to the browser, which can be different from one user to another.

FIGURE 4.9: Securityprojectwp.com ZAP Scanning Results
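The browser-side alerts listed here for securityprojectwp.com, and in section 4.1.1 for securityprojectj.com, can be re-checked from a single raw HTTP response without running a scanner, and the same check confirms that a fix worked. The following Python checker is an added example, not code from the thesis or from ZAP; both responses it inspects are constructed, and the recommended header values are the common hardening defaults rather than values taken from the scans.

```python
"""Re-check the ZAP alerts reported on securityprojectj.com and
securityprojectwp.com from a raw HTTP response.  Added example, not code from
the thesis or from ZAP; both sample responses below are constructed."""
import re

# Alert names as ZAP reports them, with the risk level the scans assigned.
RISK = {
    "X-Frame-Options Header Not Set": "Medium",
    "X-Content-Type-Options Header Missing": "Low",
    "Web Browser XSS Protection Not Enabled": "Low",
    "Cookie No HttpOnly Flag": "Low",
    "Password Autocomplete in Browser": "Low",
}

# Mitigation per alert: the header (or markup) to send on every page.
# These are common hardening defaults, assumed here, not taken from the scans.
RECOMMENDED = {
    "X-Frame-Options Header Not Set": "X-Frame-Options: SAMEORIGIN",
    "X-Content-Type-Options Header Missing": "X-Content-Type-Options: nosniff",
    "Web Browser XSS Protection Not Enabled": "X-XSS-Protection: 1; mode=block",
    "Cookie No HttpOnly Flag": "Set-Cookie: <name>=<value>; Path=/; HttpOnly; Secure",
    "Password Autocomplete in Browser": '<input type="password" autocomplete="off">',
}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_line, headers, body).
    Headers are a list of (lowercase name, value) pairs so that repeated
    Set-Cookie headers are not lost."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def audit(raw):
    """Return {alert name: risk} for every ZAP-style finding in the response."""
    _, headers, body = parse_response(raw)
    values = {}
    for name, value in headers:
        values.setdefault(name, []).append(value)
    findings = {}

    def flag(alert):
        findings[alert] = RISK[alert]

    xfo = [v.upper() for v in values.get("x-frame-options", [])]
    if not any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        flag("X-Frame-Options Header Not Set")

    if "nosniff" not in [v.lower() for v in values.get("x-content-type-options", [])]:
        flag("X-Content-Type-Options Header Missing")

    # "1" or "1; mode=block" counts as enabled; "0" or no header does not.
    xxp = [v.replace(" ", "") for v in values.get("x-xss-protection", [])]
    if not any(v.startswith("1") for v in xxp):
        flag("Web Browser XSS Protection Not Enabled")

    # Every cookie the server sets must carry the HttpOnly attribute.
    for cookie in values.get("set-cookie", []):
        attrs = [part.strip().lower() for part in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            flag("Cookie No HttpOnly Flag")

    # A password field is flagged unless the input or its form disables autocomplete.
    form_off = re.search(r'<form\b[^>]*\bautocomplete\s*=\s*["\']?off', body, re.I)
    for tag in re.findall(r"<input\b[^>]*>", body, re.I):
        is_password = re.search(r'\btype\s*=\s*["\']?password', tag, re.I)
        input_off = re.search(r'\bautocomplete\s*=\s*["\']?off', tag, re.I)
        if is_password and not (input_off or form_off):
            flag("Password Autocomplete in Browser")
    return findings


def fixes(raw):
    """The header or markup line that would clear each finding."""
    return [RECOMMENDED[alert] for alert in audit(raw)]


# Constructed response resembling the unhardened login page of the test sites.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "\r\n"
    '<html><body><form method="post" action="/administrator/index.php">\n'
    '<input type="text" name="username">\n'
    '<input type="password" name="passwd">\n'
    "</form></body></html>"
)

# The same page with the recommended headers and attribute applied.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
    '<html><body><form method="post" action="/administrator/index.php">\n'
    '<input type="text" name="username">\n'
    '<input type="password" name="passwd" autocomplete="off">\n'
    "</form></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(raw), fixes(raw))
```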

4.2.2 Skip Fish

As shown in Figure 4.10, Skipfish had no impact on the WordPress website. There is no main reason why this tool would not work; it kept generating 404 responses. SkipFish is known as the 404 generator because it does not work on most websites, such as WordPress (Zalewski et al., 2009). Thus, there were no results for the WordPress website; the tool only kept generating 404 during the scan.

FIGURE 4.10: Securityprojectwp.com SkipFish Scanning Results

4.2.3 Vega

The high risk alerts were SQL and shell injections, and page fingerprint differential detected; the medium alert was a possible XML injection, and there were no low risk alerts. Vega provides URLs to all the links where the problem appears, and all the tests done by Vega are available to check.

FIGURE 4.11: Securityprojectwp.com Vega Scanning Results

4.2.4 ZENMAP

The Zenmap tool showed that all the ports are open on the target, which means there is no firewall at all; as Figure 4.12 shows, all the ports were open after setting the site up. It also shows who is hosting the website, Bluehost.com.

FIGURE 4.12: Securityprojectwp.com Zenmap Scanning Results

4.2.5 WP Scan

The WPScan tool, which is recommended by the WordPress security team, is a tool for WordPress websites (“WordPress CMS”, n.d.); it only scans WordPress websites. The tool scans the WordPress website and displays all the website information such as the WordPress version, theme, server name, and plug ins. As shown in Figure 4.13, the information given for securityprojectwp.com is that there were no plug ins installed, and the version of WordPress. However, there was not enough information since the site is very basic and does not have any plug ins yet.

FIGURE 4.13: Securityprojectwp.com WPScan Scanning Results

4.3 Drupal

FIGURE 4.14: SecurityProjectD.com main page

The Drupal security project, securityprojectD.com, is shown in Figure 4.14. It is a simple site; only the site name and body have been changed, and no modules were added. The login form is available by default, and it can be removed if the user desires, but it has been left in place for testing purposes.

4.3.1 ZAP

As shown in Figure 4.15, securityprojectD.com has the least number of vulnerabilities compared to the WordPress and Joomla websites. There are two high risk vulnerabilities: “remote OS command injection” and “SQL injection”. Both are common attacks on web applications. As for the medium alert, “X-Frame-Options Header not set” was detected, and for low risk the “web browser XSS protection not enabled” alert, which is related to the browser. After testing all the alerts, the “remote OS command injection” vulnerability was not found; it was only reported by the ZAP scanner. The ZAP scanner can give false results if the website has just been developed.

FIGURE 4.15: Securityprojectd.com ZAP Scanning Results

4.3.2 SkipFish

The SkipFish tool did not work on securityprojectd.com, just as on the securityprojectwp.com website; securityprojectd.com kept generating 404 during the scan (Zalewski et al., 2009), the same problem that was detected with the securityprojectwp.com WordPress website.

FIGURE 4.16: Securityprojectd.com SkipFish Scanning Results

4.3.3 WebScarab

Figure 4.17 shows that the WebScarab tool was able to intercept all the requests and responses for the securityprojectd.com website. All the website files are visible and can be accessed and edited. The results are the same for the Joomla, WordPress and Drupal sites: all of them can be accessed with this tool.

FIGURE 4.17: Securityprojectd.com Webscarab Scanning Results

4.3.4 Vega

The Vega tool reported four high alerts, one medium alert, one low alert and two info alerts. The high alerts were "SQL Injection", "Shell Injection", and "Page fingerprint differential detected - possible local file include". For the medium alert, a "possible XML injection" was detected. The low alert is not related to the Drupal website; it is related to the browser, which has a password field with auto-complete enabled.

FIGURE 4.18: Securityprojectd.com Vega Scanning Results

4.3.5 Zenmap

The TCP ports 21, 22, 25, 26, 53, 80, 110, 143, 443, 465, 587, 995, 2222, 3306, 8080, and 8443 are open on the target host, and all the remaining ports are closed, as shown in Figure 4.19. Port 21 is for the "File Transfer Protocol (FTP)", Port 22 is for "OpenSSH", the secure shell that secures logins and file transfers over an unsecured network, Port 25 is used to send emails via the "Simple Mail Transfer Protocol", Port 53 is for the "Domain Name System (Domain)", Port 80 is for "Hypertext Transfer Protocol (HTTP)", Port 110 is for "Post Office Protocol, version 3 (POP3)", Port 143 is for "Internet Message Access Protocol (IMAP)", Port 443 is for "Hypertext Transfer Protocol (HTTPS)", Port 465 is for "Authenticated Simple Mail Transfer Protocol", Port 587 is for "Email message submission", Port 993 is for "Internet Message Access Protocol (IMAPS)", Port 995 is for "Post Office Protocol 3 (POP3S)", Port 2222 is for "EtherNet/IP implicit messaging for IO data", Port 3306 is for the "MySQL database system", and Port 8080 is an "Alternative port for HTTP" (“List of TCP and UDP port numbers”, 2018). All these ports are open, and securityprojectd.com will be exposed to the many vulnerabilities listed. The Drupal website needs a firewall to protect it on all the exposed ports.

FIGURE 4.19: Securityprojectd.com Zenmap Scanning Results

4.3.6 Burp Suite

In Burp Suite, all the response and request traffic can be intercepted, and all the content can be discovered. It also captures the cookie details and HTTP headers of the page. The scanner was not available to be used since it is the community edition. On the Drupal website there were no problems related to testing and scanning; the host did not send me any emails or alerts about suspicious activity.

FIGURE 4.20: Securityprojectd.com BurpSuite Scanning Results

Chapter 5

CMS Security

5.1 Security Practices

Websites running on a CMS need some kind of security to protect them from attacks. After scanning and testing the three different websites that were developed under WordPress, Joomla, and Drupal, the results were not so promising, since many vulnerabilities could affect the websites. As a result, security practices need to be implemented on all three websites, which are then tested again to see how the practices affect them. Being popular, CMSs are also subject to all sorts of hacking attacks. Therefore, security extensions, plug ins and modules can protect the site from hackers, malware, phishing and spam and prevent any harm or damage to the website (Mening, 2013). In addition, other security practices are recommended for any CMS website, to save the user a lot of money on expensive repair costs and time. Open source CMSs are subject to hacking attacks, and the following practices will help maintain the security of a CMS.

5.1.1 Secure Hosting

Choosing the right hosting company is the key to website security. The host is known as the foundation of any website, thus it is necessary to find a trustworthy hosting company to host the website. While choosing the host for the website, the user needs to ensure the host can be trusted with the business. In the market today, there are many hosting companies that provide extra layers of security for your website, so choosing the right host might save the website from different attacks. All the hosting companies used in this paper are trusted.

5.1.2 Use SSL Certificate

SSL certificates are intended to encrypt any sensitive data like credit card numbers or passwords. Using an SSL certificate, the website URL changes from http to https; the S is for secure (“SiteGround: Web Hosting Services”, n.d.). It authenticates and encrypts the data transferred from the website to the server. Therefore, if a user logs into the site or submits sensitive information, the data cannot be stolen. SSL features protect the site from spoofing, gain visitors' trust by displaying the security padlock, prevent data alteration and editing, and protect your visitors' personal data from misuse.

5.1.3 Login Security

Usually the super user or admin has access to everything on the site; therefore, the username and password must be unique. Many attackers try to brute-force your login details: they use a list of commonly used passwords to guess the super user's password. For that reason, the super user should not keep the default user name “admin” or “administrator”; doing so gives the hacker a very easy job and easy access to the site. As for the password, use a very complicated one with as many special characters as possible, and avoid any password that includes personal information or the site name. Moreover, enforce unique usernames and strong passwords on users, and limit the number of login attempts (“WordPress CMS”, n.d.).

5.1.4 .htaccess File

.htaccess stands for Hypertext Access; it is a configuration file read by the server. It is found in the root directory of all CMSs when downloaded, and it is very important to the CMS because the file is used for website security, website optimization, redirecting visitors to different pages, and enabling and disabling functionalities of the website. Any security practice can be enforced by writing it in the .htaccess file. It is a powerful file to use on the website; therefore, it needs to be protected. In Joomla the file needs to be activated by changing the file htaccess.txt to .htaccess. This step is done by renaming the file in the file manager of the site. This is a very important step since .htaccess is the configuration file for use on web servers running the Apache software (“Joomla.org. Joomla!”, n.d.). As for Drupal and WordPress, it is already activated, yet it needs to be secured by taking a backup, restricting access to the file and preventing directory browsing.

5.1.5 Take Regular Backup

Backups are essential to any website; they will help the site recover if any hacking happens. Therefore, the only way to back up a CMS is by adding an extension to each website. The backup is needed to recover all the CMS files and the database. It can be done manually or automatically depending on the user's preference. Some backup extensions also offer to back up the website to the cloud, which can be a huge benefit as well.

5.1.6 Keep Everything Up To Date

One of the most important things to do for any software is to update it regularly. Any new update will help the software in terms of security; all the CMSs are the same, and a new update will help fix security issues in the CMS core. Besides, updating the plug ins, extensions and modules for the three CMSs WordPress, Joomla, and Drupal is fundamental as well. Thus, it is essential to keep everything up to date.

5.1.7 Choose Trusted Add-ons

WordPress, Joomla, and Drupal all have a lot of developer support, so there are many add-ons available to download and use. Many plug ins unknowingly leave your site open to exploits; choosing an extension might be challenging sometimes, but it is important to check the add-ons before using them on the website. To evaluate any plug in, the user should check the plug in rating, the last update, how many websites are using it, and whether it is from a reputable and trusted developer. This might help the user determine which plug ins to use. In addition, most of the CMSs have a list that is updated with all the vulnerable plug ins; the user is recommended to check the list before using any plug in. Also uninstall any plug ins that are outdated or not used.

5.1.8 Directory permission

To have a secure website, the right permissions need to be set for the folders and files. One of the most prevalent security issues in CMSs is that some people have permissions to folders and files they are not supposed to have access to, and this might jeopardize the security of the website. For instance, if more than one person uses the website, such as a designer, the admin should specify the permissions. There are three access types for each website: Read, Write and Execute. Read access means files can be displayed to the user, Write means files can be modified by the user, and Execute means files can be executed and accessed. The web server needs to be able to read your web pages in order to be able to display them in a browser (“WordPress CMS”, n.d.). Therefore, the permissions should follow the host's recommendation; many hosts give the recommended permissions as defaults, but the user can change them. Yet any change made by the user might affect the security of the files and folders.
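A permission review of the kind described above can be automated: walk the document root, flag anything writable by other users, any stray executable, and a world-readable configuration file, then set the usual defaults and re-check. The Python audit below is an added example, not code from the thesis or from any CMS; it assumes the common shared-host defaults (directories 755, files 644, the configuration file 600), the configuration file names are assumed from the three CMSs' default layouts, and the sample document root it builds is constructed.

```python
"""Audit and correct permissions under a CMS document root.  Added example,
not code from the thesis or from any CMS.  The expected modes are the common
shared-host defaults (assumed here); the sample tree is constructed."""
import os
import shutil
import stat
import tempfile

# Files holding database credentials; assumed from the CMSs' default layouts.
CONFIG_FILES = {"wp-config.php", "configuration.php", "settings.php"}

DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o600


def _mode(path):
    """Permission bits of an entry, without following symbolic links."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_tree(root):
    """Return sorted [(relative path, octal mode, reason)] for every entry that
    another local user could write to, that is executable as a program, or that
    exposes the CMS configuration file to other users."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        entries = [(dirpath, True)] + [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            if os.path.islink(path):
                continue
            mode, rel = _mode(path), os.path.relpath(path, root)
            if mode & 0o022:
                findings.append((rel, f"{mode:04o}", "writable by group or others"))
            elif not is_dir and os.path.basename(path) in CONFIG_FILES and mode & 0o044:
                findings.append((rel, f"{mode:04o}", "configuration readable by group or others"))
            elif not is_dir and mode & 0o111:
                findings.append((rel, f"{mode:04o}", "execute bit set on a web file"))
    return sorted(findings)


def apply_recommended(root):
    """Set every entry to the recommended mode; return how many were changed."""
    changed = 0
    for dirpath, _, filenames in os.walk(root):
        entries = [(dirpath, DIR_MODE)] + [
            (os.path.join(dirpath, f), CONFIG_MODE if f in CONFIG_FILES else FILE_MODE)
            for f in filenames
        ]
        for path, wanted in entries:
            if not os.path.islink(path) and _mode(path) != wanted:
                os.chmod(path, wanted)
                changed += 1
    return changed


def build_sample_tree():
    """Constructed document root containing the mistakes the audit should catch.
    Returns the temporary directory; remove it with remove_sample_tree()."""
    root = tempfile.mkdtemp(prefix="cms-root-")   # created with mode 0700
    layout = {  # relative path -> mode; a trailing "/" marks a directory
        "index.php": 0o666,       # world-writable: any local user can change the page
        "wp-config.php": 0o644,   # database credentials readable by every local user
        "backup.sh": 0o755,       # stray executable script in the web root
        "wp-content/": 0o777,     # world-writable directory
        "wp-content/uploads/": 0o755,
        "wp-content/uploads/logo.png": 0o644,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel.rstrip("/"))
        if rel.endswith("/"):
            os.mkdir(path)
        else:
            with open(path, "w"):
                pass
        os.chmod(path, mode)
    return root


def remove_sample_tree(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    root = build_sample_tree()
    for finding in audit_tree(root):
        print(*finding)
    print("changed:", apply_recommended(root), "remaining:", audit_tree(root))
    remove_sample_tree(root)
```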

5.1.9 Set Up a Two Factor Authentication

According to the Joomla website, Joomla was the first CMS to implement two-factor authentication, but all the CMSs have a plug in for it (“Joomla.org. Joomla!”, n.d.). There is more than one way to use this technology, but the most popular ways are Google Authenticator, a software token that implements two-step verification, or a YubiKey, which is a hardware authentication device. The two-factor authentication appears when the admin wants to access the website: a code is needed to access the site, along with the user name and password. The code required is an OTP, a “One-Time Password”. The OTP is generated by the Google Authenticator app, which can be downloaded to the phone; the code changes every 30 seconds. The user needs to enter the username, password, and the six digit security code to be able to log in to the site. This provides extra protection against hackers trying to log in to the admin account and compromise the site. Even if they were able to get hold of your credentials, they would have a maximum of 30 seconds to hack your site, which is not practical for hackers. In this way, two-factor authentication protects your site against unauthorized access (“Joomla.org. Joomla!”, n.d.).
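The six digit code that changes every 30 seconds is a TOTP (RFC 6238) computed from a secret shared between the authenticator app and the site. The Python implementation below is an added example, not code from the thesis or from any CMS plug in: it generates the code, shows the base32 form of the secret that the app enrols, and implements the server-side check with a one-step tolerance for clock drift plus replay protection, so a captured code is useless even inside its 30-second lifetime. The function and class names are this example's own, and the secret used in the demonstration is the RFC 6238 test secret, not one from the test sites.

```python
"""RFC 6238 TOTP as used by Google Authenticator, plus the server-side check.
Added example, not code from the thesis or any CMS plug in."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code, matching the 30-second change described above
DIGITS = 6   # length of the code the user types


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=STEP):
    """Code valid for the time step containing Unix time `at` (default: now)."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step)


def provisioning_secret(secret):
    """Base32 form of the secret, which is what the authenticator app enrols."""
    return base64.b32encode(secret).decode("ascii")


def secret_from_base32(text):
    """Inverse of provisioning_secret; tolerates the spaces apps display."""
    return base64.b32decode(text.replace(" ", "").upper())


class TotpVerifier:
    """Server side of the login step.  Accepts the current step and `window`
    steps either side for clock drift, and never accepts a step at or before
    the last one used, so a code that was already accepted cannot be replayed."""

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window
        self.last_step = -1

    def verify(self, code, at=None):
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        at = int(time.time()) if at is None else at
        current = at // STEP
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_step:
                continue
            # Constant-time comparison: no timing leak on partial matches.
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret, not a real one
    print("enrol in the app:", provisioning_secret(secret))
    print("code at T=59:", totp(secret, 59))   # 287082 per RFC 6238
    checker = TotpVerifier(secret)
    print("first use:", checker.verify("287082", 60), "replay:", checker.verify("287082", 60))
```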

5.1.10 Backend Protection

The admin page needs to be protected because it can be accessed easily by typing the website name/administrator, and the login administration page will be available (“Joomla.org. Joomla!”, n.d.). So backend protection for the admin login page is essential to the security of the CMS website. This security practice can be achieved by using a plug in. The backend protection feature will protect your site by generating a key in the .htaccess file and setting a rule to be used whenever the admin login page is accessed.

5.1.11 Deleting Core Dump Files

Deleting core dump files can be beneficial for the website's performance. The core dump files can be a sign that the website is being scanned, which may lead to an attack (“SiteGround: Web Hosting Services”, n.d.). During the testing and scanning phase, the tools ran many scripts on the site; therefore, a huge number of dump files was recorded in the root directory. They can be safely deleted to improve the performance of the site, but it is better to check before deleting them since they can be useful for investigating any problem with the website. Figure 5.1 shows the core dump files in securityprojectj.com.

FIGURE 5.1: Core Dump Files

5.1.12 Block IP Address

While monitoring your site, keep a close eye on all suspicious activity from different IP addresses, and if any suspicious IP address hits the website, block it immediately. This feature is found in WordPress, Joomla, and Drupal.

5.1.13 Secure Coding Practices

In some CMSs, the user needs to write code for certain commands for the website; therefore, the developer needs to follow certain criteria to avoid security breaches in the code. One of the secure coding practices is: never trust user input. Moreover, performance and speed can be affected by the way the code is written. Some of the practices are: comment while coding, using global variables, using recursive functions, naming the functions, and much more (n.d.).

5.1.14 Database Security

The database is essential for any CMS website and is one of its most important parts. Hackers love to use SQL injection (SQLi), which will be explained in chapter 8, and which affects the database. That is why securing the database with unique user names and strong passwords is important. Another recommendation is to change the table prefix and table names to help prevent SQL injections, and to review the users and permissions (“WordPress CMS”, n.d.).

5.1.15 Security Plug ins, Extensions and Modules:

Downloading security plug ins for your website is the key to helping protect the CMS website (“Drupal Open Source CMS.”, n.d.). On the other hand, downloading many security plug ins can affect the security, speed and performance of the website. Consequently, choosing the right security plug ins is important. More about the plug ins, extensions, and modules will be explained in chapter 6.

5.1.16 Web Application Firewall

A firewall is a system that inspects all incoming traffic to protect the CMS. It will block many security threats before they can get into your website. Adding a firewall plug in is essential to any CMS website.

5.1.17 PHP Protection

PHP is a very commonly used scripting language in web applications. Most CMSs are written in PHP (“WordPress CMS”, n.d.); it is one of the most important languages in web applications, and therefore it needs to be hardened in the CMS. This step can be done by restricting access to all the important PHP files in the root directory, disabling unused PHP modules, and updating the core regularly.

Chapter 6

Adding Plug ins, Extensions, Modules

6.1 Joomla Extensions

Joomla is the second most popular CMS in the world (“Web Technology Surveys.” N.d.), and like any CMS it needs protection by using extensions that are available to download and use on the user's website; they are called extensions in the Joomla world. After searching and analyzing the Joomla security extensions, here are some of the most important extensions that users use on Joomla websites.

6.1.1 Security Check Extension:

There are two versions of this security extension, paid and free. The free version has fewer features than the paid version. The Security Check extension features are: a modular interface to manage the entire extension quickly and easily; a web firewall, which helps against most web application attacks; .htaccess protection, since securing .htaccess helps to prevent brute force attacks; and vulnerability checking, where the extension provides a scanner that checks the versions of all the components of your Joomla installation (“Joomla.org. Joomla!”, n.d.). After installing the extension and activating the firewall, the extension dashboard in Figure 6.2 shows the overall security process at 100 percent; all the features are shown on the dashboard and are running without any problems.

Furthermore, the extension generates backend protection for the admin page: the admin page cannot be accessed using the site name/admin, and a 404 error page is returned instead.

FIGURE 6.1: Security Check Extension

6.1.2 Akeeba

Akeeba Backup Core is the most widely used open-source backup component for the Joomla CMS. It creates a full backup that can be restored on any Joomla site; it is reliable, easy to use and open source (“Joomla.org. Joomla!”, n.d.). Akeeba features: one-click backup of the entire site, automatic configuration and server setup, customizable permissions, backup to the cloud, a ZIP file or custom JPA files, scheduled and remote backups, management of backups, directories and databases, restore, and encrypted configuration with strong 128-bit AES cryptography (“Joomla.org. Joomla!”, n.d.).

6.1.3 Securityprojectj.com

For the Joomla website, all the security practices that have been described have been applied to the website. Only two extensions were needed to secure the website, because Joomla has many security features in the core, like two factor authentication, file permissions and restricting file access. As for the SSL certificate for the Joomla website, most of the popular hosting services provide it free of charge, and it was easy to activate and manage.

FIGURE 6.2: SSL Certificate

6.1.4 Problems

While scanning and testing the website I got an email saying the website had reached 100 percent of the monthly quota of 30000 CPU seconds. On the Startup hosting plan the allowed quota is 300000 CPU seconds each month, and the securityprojectj.com usage was 304823.76 CPU seconds/month. That leads to limiting access to the website, but all other services such as email, cPanel and so on remain active and available to the user. This is one of the biggest limitations of SiteGround shared hosting (“SiteGround: Web Hosting Services”, n.d.). So, for conducting my scanning, I could do it that month. The admin gets an email saying the website cannot be accessed, and must either wait for the new month to come or upgrade to a higher hosting plan.

FIGURE 6.3: Problems

6.2 WordPress

WordPress is the most popular CMS today (“Web Technology Surveys.” N.d.). There is a huge risk for any website on the WordPress platform to be hacked. In this section, all the top WordPress security tips are applied to help protect securityprojectwp.com. While the WordPress core software is secure, there is a lot that can be added to enhance the security. For WordPress, three kinds of security are needed: protection, recovery and detection. Therefore, for the plug ins we tried to find plug ins covering all three kinds of security to help protect the site.

6.2.1 Wordfence

It is the most downloaded security plug in for WordPress websites. It has more than 50 million installations with a 4.8 out of five star rating (“WordPress CMS”, n.d.). There are free and premium versions of the plug in. Wordfence is the most comprehensive WordPress security solution available. Features: a firewall that identifies and blocks malicious traffic; an integrated malware scanner that blocks requests that include malicious code or content; brute force attack protection, by limiting login attempts and enforcing strong passwords; a security scanner that checks core files, themes and plug ins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections; regular website checks that alert the user even when a plug in has been removed or abandoned; and security tools such as Live Traffic to monitor visits and hack attempts and block IP addresses, and much more.

6.2.2 UpdraftPlus

UpdraftPlus is the most popular backup plug in for WordPress. This plug in has been downloaded because the other two plug ins have no backup features to use. UpdraftPlus features are scheduled backups, backup to a cloud such as Dropbox, backup of everything including the database, and giving the user the chance to exclude any file from the backup.

6.2.3 Shield

The Wordfence Security plug in did not have all the features that we needed for our website; therefore, Shield was one of the best plug ins that has two factor authentication for free. Furthermore, it assists with an audit trail and logging, core file scanners, reCAPTCHA, a firewall, automatic updates control and much more (“WordPress CMS”, n.d.). The main reason for choosing this plug in is that it has the features that Wordfence only has in the premium version. The two factor authentication used in the plug in has been connected to the Google Authenticator application, as appears in Figure 6.9.

FIGURE 6.4: Shield Security Plug in

6.2.4 Securityprojectwp.com

Using the plug ins, all the security practices have been applied to securityprojectwp.com; in WordPress only three plug ins are needed to include the required security practices for a WordPress website. The SSL certificate was provided by Bluehost.

6.3 Drupal

Drupal is the third most used CMS (“Web Technology Surveys.” N.d.). It is known for strong performance and usability. Drupal depends on coding and programming; for this reason, the security modules were not as varied as those for Joomla and WordPress. Furthermore, the Drupal community cares a lot about security, but the modules available are not as diverse as for the other CMSs. Each module concentrates on a smaller number of vulnerabilities to solve; therefore, one or two security modules are not enough for the security of securityprojectD.com.

6.3.1 Security Review Module

The Security Review module checks the following: safe file system permissions, text formats that do not allow dangerous tags, PHP or JavaScript in content, safe error reporting, and large numbers of database errors and failed logins (“Drupal Open Source CMS.”, n.d.); if any problem is found on the site, it immediately alerts the user and tries to find an immediate solution for it. In Figure 6.10 the module checks all the above by running a test to see what there is to fix on the website.

FIGURE 6.5: Security Review Module

6.3.2 TFA Basic Plugins

It is the most downloaded module in Drupal for two factor authentication. It provides TFA for the Drupal website and has 29,179 downloads (“Drupal Open Source CMS.”, n.d.). The module uses TOTP, a time based one time password, either through the Google Authenticator application or via SMS using Twilio. The method using the Google Authenticator application has been chosen.

FIGURE 6.6: TFA Module

6.3.3 Backup and Migrate

The Backup and Migrate module is the most downloaded backup module in Drupal. It backs up the database, code, and all the website files. It uses AES encryption for the backup of the website. In addition, using the module the user can restore the whole website with the database if any attack happens to the site. It can also back up to NodeSquirrel.com, a free cloud backup service for Drupal, or to other services such as cloud storage, Dropbox and more (“Drupal Open Source CMS.”, n.d.). All backups can be done manually or scheduled, depending on the user's needs. It is available for both Drupal 7 and 8.

6.3.4 Security Kit

Security Kit is a security module for Drupal available for all versions. It provides different options to secure the Drupal website from attacks. Security Kit features: prevention of cross-site scripting attacks and clickjacking, managing SSL/TLS, and implementation of the From-Origin HTTP response header. There are 33,809 Drupal websites using this module (“Drupal Open Source CMS.”, n.d.).

6.3.5 Drupal Firewall

The Drupal Firewall is recommended for installation in Drupal 7 by the Drupal website (“Drupal Open Source CMS.”, n.d.); therefore, it has been downloaded to protect the website.

6.3.6 Security Practices

Just like Joomla and WordPress, all the security methods have been implemented on securityprojectd.com, as well as the SSL certificate from the Bluehost website. However, for securityprojectd.com five modules have been used to make sure that all the security measures are implemented on the website. There is no single module that provides all the required security, so all of the modules listed in this section have been installed.

Chapter 7

Vulnerability Analysis

7.1 Joomla

The Security Strike Team is a team that solves security issues in the Joomla project and takes security very seriously. The Joomla project allows anyone to report a vulnerability in Joomla extensions. This allows the Joomla Security Strike Team (JSST) (“Joomla.org. Joomla!”, n.d.) to analyze and fix the security issues.

7.1.1 Extensions

• Extensions that have not been fixed yet

Table 7.4 shows the extensions that have not been solved in Joomla. In 2018, there were 20 extensions with no solution; according to the Joomla vulnerable extensions list, the vulnerability that most often has not been fixed is SQL injection. It is very common in the Joomla extension directory and many extensions still do not have a solution for it. Other vulnerabilities such as file upload and file permissions also have not been solved until now. In addition, the Rapicode extension has sub-extensions, Rapi Content Ticker, Rapi Content Carousel, Rapi Cookie Consent, Rapi Countdown, Rapi Preloader, Rapi Loading Progress Bar and Rapi Page Animate; all of these extensions have the same backdoor vulnerability problem. The backdoor seems to be loading mining code that could load scripts from the developer's site. There is no solution for this problem. The Security Strike Team recommends uninstalling any extension that is listed with no solution.

TABLE 7.1: Joomla Extensions Vulnerabilities Not Fixed (“Joomla.org. Joomla!”, n.d.)

Name | Version | Problem | Fixed
Big File Uploader | 1.0.2 | File Upload | No
JB Visa | 1.0 | SQL Injection | No
En Masse | All versions | SQL Injection | No
cms2cms | N/A | Improper File/Folder permissions | No
Saxum Astro | 4.0.14 | SQL Injection | No
Saxum Numerology | 3.0.4 and older | SQL Injection | No
Saxum Picker | 3.2.10 and older | SQL Injection | No
Social Pinboard | 2.0 | SQL Injection | No
Realpin | 1.5.04 and older | SQL Injection | No
Media Library Free | 4.0.12 and older | SQL Injection | No
JS Autoz | 1.0.9 and older | SQL Injection | No
JMS Music | 1.1.1 | SQL Injection | No
SquadManagement | 1.0.3 | SQL Injection | No
Simple Calendar | 3.1.9 and older | SQL Injection | No
JB Bus | 2.3 | SQL Injection | No
File Download Tracker | 3.0 | SQL Injection | No
Fastball | All | SQL Injection | No
Google Map Landkarten | 4.2.3 | SQL Injection | No
Mobilejoomla | 2.1.24 | Malicious redirects | No
Rapicode (all extensions) | Current version | Back Door | No

• Extensions that have been fixed

Table 7.5 lists all extensions in 2018 that have been fixed. Just like the non-fixed extensions, SQL injection is the most common vulnerability in Joomla extensions. There are other vulnerabilities such as XSS, arbitrary file upload, permissions, and CSV injection. All have been fixed in newer versions of each extension.

TABLE 7.2: Joomla Extensions Vulnerabilities Fixed (“Joomla.org. Joomla!”, n.d.)

Name | Version | Problem | Solution
User Bench | 1.0 | | 1.1
Easy Discuss | 4.0.20 | XSS | 4.0.21
Joomla Guru | 5.0.15 & previous | SQL Injection | 5.0.16
Ajax Quiz by Webkul | 2.0 & previous | SQL Injection | 2.1
Simple Image Gallery | 3.5.0 & previous | XSS | 3.6.0
Next Gen Editor | 2.1.0 | SQL Injection | 2.2.0
JCE Editor | 2.6.25 only | XSS | 2.6.26
JS Support Ticket | 1.1.0 | XSS | 1.1.1
ccNewsletter | 2.2.2 & previous | SQL Injection | 2.2.3
JS Jobs | 1.1.9 & previous | SQL Injection | 1.2.0
ZH GoogleMap | 8.4.0.0 & previous | SQL Injection | 8.4.1.0
ZH Yandex Map | 6.2.1.0 & previous | SQL Injection | 6.3.1.0
Zh BaiduMap | 3.0.0.1 & previous | SQL Injection | 3.0.1.0
JSP Tickets | 1.1 & previous | SQL Injection | 1.2.0
Solidres | 2.5.0 & previous | SQL Injection | 2.5.1
Responsive Schedule | 1.6 & previous | SQL Injection | 1.7
JSP Store Locator | 2.4 & previous | SQL Injection | 2.5
Smart Shoutbox | 2.9.5 & previous | SQL Injection | 3.0.0
Jimtawl | 2.2.6 & previous | Arbitrary File Upload | 2.2.7
SIGE | 3.2.3 & previous | XSS | 3.2.4
Proclaim | 9.1.1 & previous | Arbitrary File | 9.1.2
OS Property | 3.12.8 & previous | SQL Injection | 3.12.9
Gallery WD | 1.3.9 & previous | SQL Injection | 1.3.10
Jticketing | 2.0.16 & previous | SQL Injection | 2.0.18
Invitex | 3.0.5 & previous | SQL Injection | 3.0.6
Form Maker | 3.6.14 & previous | SQL Injection | 3.6.15
JGive | 2.0.9 & previous | SQL Injection | 2.0.11
Alexandria Book Library | 3.1.3 & previous | SQL Injection | 3.1.4
NeoRecruit | 4.2.1 & previous | SQL Injection | 4.2.2
Checklist by Joomplace | 1.1.1.003 & previous | SQL Injection | 1.1.1.004
JQuickContact | 1.3.2.3 & previous | SQL Injection | 1.3.2.4
JomEstate | 3.7 & previous | SQL Injection | 3.8
DT Register | 3.2.7 & previous | SQL Injection | 3.2.8
Kunena 3.x | 5.0.13 & previous | Ownership and Permission | 5.0.14
Visual Calendar | 3.1.5 & previous | SQL Injection | 3.1.6
CP Event Calendar | 3.0.2 & previous | SQL Injection | 3.0.
Ek rishta | 2.9 & previous | SQL Injection | 2.10
Attachments | 3.2.5 & previous | SQL Injection | 3.2.6
AcyMailing | 5.9.5 & previous | CSV Injection | 5.9.6
AcySMS | 3.5.0 & previous | CSV Injection | 3.5.1
JS Jobs | 1.2.0 & previous | XSS | 1.2.1
PrayerCenter | 3.0.2 & previous | SQL Injection | 3.0.3
Virtuemart | 3.2.12 & previous | XSS | 3.2.14
jDownloads | 3.2.58 & previous | XSS | 3.2.59
CW Tags | 2.0.8 & previous | SQL Injection | 2.1.1
Watchfulli SSO Plugin | 1.2 & previous | Other | 1.3
Convert Forms | 2.0.3 & previous | CSV Injection | 2.0.4
Gridbox | 2.4.0 & previous | Multiple | 2.4.1.1

TABLE 7.3: Joomla Core Vulnerabilities (“Joomla.org. Joomla!”, n.d.)

Problem | Version | Description | Fixed
XSS in module chromes | 3.0.0-3.8.3 | Lack of escaping | 3.8.4
XSS in com_fields | 3.7.0-3.8.3 | Inadequate input filtering | 3.8.4
XSS in Uri class | 1.5.0-3.8.3 | Inadequate input filtering | 3.8.4
SQLi in Hathor postinstall message | 3.7.0-3.8.3 | Lack of type casting of a variable | 3.8.4
SQLi in User Notes | 3.5.0-3.8.5 | Lack of type casting of a variable | 3.8.6

7.1.2 Joomla Core

Joomla Core had 5 problems during the first quarter of 2018. They affect different versions of Joomla and all have been solved by updating to the newer version. In Joomla Core, XSS and SQL injection are the two vulnerabilities that were recorded in the period in which the test was conducted. Both vulnerabilities are in the OWASP Top 10 Most Critical Web Application Security Risks. The Joomla team fixed all the core problems with the newer updates that are available. Therefore, updating to the newer version of Joomla is always important to maintain the security of a Joomla website.

7.2 WordPress

WordPress is a widely distributed system, and thus becomes a desirable target for hackers. According to the WPScan Vulnerability Database, the main sources of WordPress vulnerabilities are the WordPress core, plugins, and themes, respectively. As reported by the WPScan Vulnerability Database, WordPress currently has 10592 vulnerabilities in the database: 7670 WordPress core vulnerabilities, 2571 plugin vulnerabilities and 315 theme vulnerabilities. The WPScan statistics period runs from 2014 to the present (“WordPress CMS”, n.d.).

7.2.1 Plugins

In WordPress there are no security requirements for WordPress plugin development; there are only recommendations and suggested techniques to use. Therefore, there are many vulnerable plugins. Table 7.1 illustrates all the plugin vulnerabilities in 2018, from January 2018 to May 2018. There are 16 different plugins: 11 have been fixed, 4 have no solution and one is not applicable. The most common vulnerability is XSS (cross-site scripting). More than half of the WordPress plugins listed have this problem.

7.2.2 WordPress Core

Apart from the plugins, the WordPress core is full of vulnerabilities as well. As reported by the WPScan Vulnerability Database, WordPress has the highest number of vulnerabilities. Most of the WordPress core problems are fixed with every new update; thus, it is important to update. Most vulnerabilities are fixed, but one, the DoS attack, is the only vulnerability that has not been fixed. It is important for the WordPress core to solve all the vulnerabilities, and they usually solve all the problems in the next version of WordPress.

TABLE 7.4: WordPress Plugin Vulnerabilities (“WordPress CMS”, n.d.)

Name | Version | Description | Fixed
WP Background Takeover | 4.1.4 | Directory Traversal | Yes
BuddyBoss Media | 3.2.3 | Stored XSS | No
Dark Mode | 1.6 | Stored XSS | Yes
furikake | N/A | Unauthenticated Open Redirect | No
Share This Image | 1.03 | Cross-Site Scripting (XSS) | Yes
Site Editor | 1.1.1 | Local File Inclusion (LFI) | No
Pinterest Feed | 1.1.1 | Authenticated XSS | Yes
Splashing Images | 2.1 | Authenticated PHP Object Injection | Yes
WP Site Protect | 1.0 | Cross-Site Scripting (XSS) | No
Affiliate Ads | 1.6 | Cross-Site Scripting (XSS) | Yes
Coming Soon | 1.1.18 | Authenticated Stored XSS | Yes
File Manager | 5.0.0 | Information Disclosure | Yes
GD Rating System | 2.3 | Multiple Vulnerabilities | N/A
Booking Calendar | 2.1.7 | Authenticated Stored XSS | Yes
Z-URL Preview | 1.6.2 | Cross-Site Scripting (XSS) | Yes
PropertyHive | 1.4.14 | Cross-Site Scripting (XSS) | Yes

TABLE 7.5: WordPress Core Vulnerabilities (“Drupal Open Source CMS.”, n.d.)

Version | Description | Fixed
WordPress 2.8.6-4.9 | Authenticated JavaScript File Upload | Yes
WordPress 1.5.0-4.9 | RSS and Feed Escaping | Yes
WordPress 4.3.0-4.9 | HTML Language Attribute Escaping | Yes
WordPress 3.7-4.9 | ’newbloguser’ Key Weak Hashing | Yes
WordPress 3.7-4.9.1 | MediaElement Cross-Site Scripting | Yes
WordPress 4.9.4 | Denial of Service (DoS) (unpatched) | No
WordPress 3.7-4.9.4 | Remove localhost Default | Yes
WordPress 3.7-4.9.4 | Use Safe Redirect for Login | Yes
WordPress 3.7-4.9.4 | Escape Version in Generator | Yes

7.3 Drupal

Drupal takes security very seriously, so the Drupal Security Team (“Drupal Open Source CMS.”, n.d.) always gives security announcements for Drupal core and contributed projects, or "modules".

7.3.1 Drupal Modules Projects

Drupal modules, or contributed projects as the Drupal website calls them, are considered third-party projects that are not part of Drupal core. All the advisories are posted by the Drupal security team, who discover and try to solve all the problems. All the posted projects are rated from "Critical" to "Moderately Critical", and most of the problems are solved. Nevertheless, if they cannot solve the problem or the module is not supported, they recommend that the user uninstall it immediately. Table 7.7 indicates all the issues with the Drupal projects; access bypass is the most common in the Drupal projects community, followed by XSS and other vulnerabilities. All the problems have been fixed, and all the unfixed projects are recommended for uninstallation by the Drupal security team. Furthermore, Drupal has a security advisory policy that helps the developer determine which module to download. If a module is covered by the security advisory policy, then it is trusted by Drupal for use.

TABLE 7.6: Drupal Modules Vulnerabilities (“Drupal Open Source CMS.”, n.d.)

Name | Level | Problem | Fixed
Stacks | Critical | Arbitrary PHP execution | Yes
Node View Permissions | Moderately critical | Access Bypass | Yes
Bible | Critical | Multiple Vulnerabilities | Yes
Backup and Migrate | Critical | Arbitrary PHP execution | Yes
Taxonomy Term Reference | Moderately critical | XSS | Yes
FileField Sources | Moderately critical | Access Bypass | Yes
Entity Reference Tab | Moderately critical | XSS | Yes
VChess | Critical | Module Unsupported | Uninstall
Custom Permissions | Moderately critical | Access Bypass | Yes
Dynamic Banner | Critical | Module Unsupported | Uninstall
Entity Backup | Critical | Module Unsupported | Uninstall
Entity API | Moderately critical | Information Disclosure | Yes
CKEditor Upload Image | Critical | Access Bypass | Yes
JSON API | Moderately critical | Multiple Vulnerabilities | Yes
JSON API | Moderately critical | Access Bypass | Yes
Exif | Critical | Access Bypass | Yes
Menu Import and Export | Critical | Access Bypass | Yes
Display Suite | Critical | XSS | Yes
Media | Critical | Remote Code Execution | Yes
DRD Agent | Critical | PHP Object Injection | Yes
JSON API | Moderately critical | Cross Site Request Forgery | Yes

TABLE 7.7: Drupal Core Vulnerabilities (“Drupal Open Source CMS.”, n.d.)

Problem | Version | Level | Solution
Remote Code Execution | All | Highly critical | 7 to 7.59 and 8 to 8.5.3
Cross Site Scripting | All | Moderately critical | 7 to 7.59 and 8 to 8.5.3
Remote Code Execution | All | Highly critical | 7 to 7.59 and 8 to 8.5.3
Multiple Vulnerabilities | All | Critical | 7 to 7.59 and 8 to 8.5.3

7.3.2 Drupal Core

Table 7.8 shows the Drupal core security vulnerabilities. These were posted by the Drupal security team and have been fixed in newer versions of Drupal. Since Drupal has more than one version (6, 7 and 8), all the versions get an update. The core problems in Drupal affect all the versions; they are remote code execution, which is a highly critical vulnerability, and XSS, which is moderately critical. All of these vulnerabilities are rated between critical and less critical, and all have been fixed in the newer versions of Drupal 7 and 8. The Drupal core has a very low number of security issues compared to WordPress and Joomla.

Chapter 8

Results after Adding Security

8.1 Joomla

In this section, the security measures and practices have already been added to the securityprojectj.com website, and the website has been scanned again using the same scanning tools and scanning process to check the website.

8.1.1 ZAP

The report in Figure 8.1 shows that some of the high risk vulnerabilities, such as the “Cross Site Scripting” attack, have been eliminated. Yet some of the alerts were still not fixed, like “X-Frame-Options header not set” and “the HTTP header is not included”. Another medium alert, the “Format String Error”, is also still not solved. Furthermore, the low risk alerts are still there as well, such as “Password Autocomplete in Browser” and “X-Content-Type-Options Header Missing”.

FIGURE 8.1: Securityprojectj.com ZAP Results

8.1.2 Skipfish

The Skipfish tool cannot access the website because of the SSL certificate that has been added to the site. The tool took less than one minute to crawl the website and could not access it. The report in Figure 8.2 shows that the host is providing an SSL certificate and the Skipfish tool cannot access the website.

FIGURE 8.2: Securityprojectj.com SkipFish Results

8.1.3 Vega

The Vega tool did not work on Joomla; it kept lagging and no results were available to analyze.

8.1.4 WebScarab

WebScarab had errors while trying to retrieve, as shown in Figure 8.3. The tool could not access and crawl the securityprojectj.com site as before; there was an error while trying to retrieve. No interception was made; this happened because the firewall extension and the SSL certificate blocked the tool from accessing the website. The SSL certificate helped to secure the connection between the server and the browser.

FIGURE 8.3: Securityprojectj.com WebScarab Results

8.1.5 Zenmap

Figure 8.4 shows no change from the previous results: the same ports are open.

FIGURE 8.4: Securityprojectj.com Zenmap Results

8.1.6 Burp Suite

All the HTTP interception was interrupted, and most of the files were accessed by the tool; however, important files such as configuration files were not accessed. Figure 8.5 shows a lock next to the website name, indicating that all the requests are protected by HTTPS.

FIGURE 8.5: Securityprojectj.com Burp Suite Results

8.2 WordPress

8.2.1 ZAP

In the ZAP tool, SQL injection is the only high risk vulnerability; all the medium risk vulnerabilities are gone; some of the low risk vulnerabilities are new, such as Cookie No HttpOnly Flag and Cookie Without Secure Flag, but nothing major. Figure 8.6 shows the scanning report.

FIGURE 8.6: Securityprojectwp.com ZAP Results

8.2.2 Skipfish

Similar to the Joomla website, the Skipfish tool cannot access the site since the SSL certificate has been added to the website. The tool took less than one minute to crawl the website and could not access it because the site uses HTTPS. The tool's report showed that the host is providing an SSL certificate and the Skipfish tool cannot access the website.

FIGURE 8.7: Securityprojectwp.com SkipFish Results

8.2.3 Vega

The Vega tool gave no results; the tool could not access the website and scan it, or even access the HTTP and HTTPS requests.

8.2.4 Webscarab

Like Joomla and WordPress, the tool cannot intercept any of the requests since all the requests are protected by the SSL certificate. Figure 8.8 shows that the tool encountered an error while trying to retrieve.

FIGURE 8.8: Securityprojectwp.com WebScarab Results

8.2.5 Zenmap

In Figure 8.9 all the ports are open; only port 25 is closed. This is surprising, since a firewall and security measures have been implemented, but still most of the ports are open.

FIGURE 8.9: Securityprojectwp.com Zenmap Results

8.2.6 Burp Suite

In Figure 8.10, securityprojectd.com has been accessed by the Burp Suite tool; however, not all the files and requests were accessed, and some of the configuration files cannot be obtained.

FIGURE 8.10: Securityprojectwp.com Burp Suite Results

8.3 Drupal

8.3.1 ZAP

The ZAP tool scanned the website; as shown in Figure 8.11, it reported one high risk alert, "SQL injection", one medium and 3 low.

FIGURE 8.11: Securityprojectd.com ZAP Results

8.3.2 Skipfish

The SSL certificate blocks the tool from crawling through the website; therefore, it will not give any results. The scan finishes quickly and the report gives the information shown in Figure 8.12.

FIGURE 8.12: Securityprojectd.com SkipFish Results

8.3.3 Vega

On securityprojectd.com the tool gave no result; it took longer than normal to scan the website and then crashed. There are no important results according to the tool.

8.3.4 Zenmap

Zenmap shows that all the ports that were open in the previous scan are still open and nothing has changed, even though a firewall has been downloaded to the website. Figure 8.13 shows all the ports that are open.

FIGURE 8.13: Securityprojectd.com Zenmap Results

8.3.5 Burp Suite

As illustrated in Figure 8.14, the Burp tool intercepted all the HTTP headers; however, some of the important files were not accessible, and most of the configuration files were not accessible.

FIGURE 8.14: Securityprojectd.com Burp Suite Results

Chapter 9

Discussion

9.1 Results

TABLE 9.1: Scanning Result before adding security

Vulnerability | Joomla | WordPress | Drupal
SQL injection | Yes | Yes | Yes
Shell injection | Yes | Yes | Yes
XML injection | Yes | Yes | Yes
Cross Site Scripting (XSS) | Yes | Yes | Yes
X-Frame-Options Header not Set | Yes | Yes | Yes
Password AutoComplete in a Browser | Yes | Yes | Yes
Web Browser XSS Protection not Enabled | Yes | Yes | Yes
Cookie No HttpOnly Flag | Yes | Yes | No
Cookie without Secure Flag | Yes | No | No
Format String Error | Yes | Yes | No
Remote OS Command Injection | No | No | Yes
X-Content-Type-Options Header Missing | Yes | Yes | No
Cleartext Password Over HTTP | Yes | No | Yes
Possible HTTP PUT File Upload | Yes | Yes | Yes
Local Filesystem Paths Found | Yes | Yes | Yes
Directory Traversal | Yes | Yes | Yes
Ports Open | 21,53,143,80,110,443,993,995,3306 | ALL | 21,22,25,26,52,80,110,143,443,464,587,993,995,2222,3306,8080,8443

TABLE 9.2: Scanning Result After adding security

Vulnerability | Joomla | WordPress | Drupal
SQL Injection | No | Yes | Yes
Shell Injection | No | No | No
XML Injection | No | No | No
Cross Site Scripting (XSS) | No | No | No
X-Frame-Options Header not Set | Yes | Yes | Yes
Password AutoComplete in a Browser | Yes | Yes | No
Web Browser XSS Protection not Enabled | Yes | Yes | Yes
Cookie No HttpOnly Flag | Yes | Yes | No
Cookie without Secure Flag | Yes | No | No
Format String Error | Yes | Yes | No
Remote OS Command Injection | No | No | No
X-Content-Type-Options Header Missing | Yes | Yes | No
Cleartext Password over HTTP | No | No | No
Possible HTTP PUT File Upload | No | No | No
Local Filesystem Paths Found | No | No | No
Directory Traversal | No | No | No
Ports Open | 21,53,143,80,110,443,993,995,3306 | All (only 25 closed) | 21,22,25,26,52,80,110,143,443,464,587,993,995,2222,3306,8080,8443

9.2 Results

As shown in Table 9.1, all three CMSs have many vulnerabilities and securityprojectj.com has the most; however, not all of its ports are open; in fact, the Joomla website has the fewest open ports. securityprojectwp.com has all the ports open, which is very risky. securityprojectd.com has the least number of vulnerabilities compared to the WordPress and Joomla websites. After adding security, Table 9.2 shows a decrease in the number of vulnerabilities, since the security practices and measures have been added. Most of the vulnerabilities are no longer detected and most of the high risk vulnerabilities are gone. This shows how the security practices protect the website from vulnerability risks and from being attacked. In addition, some of the tools, such as Skipfish, Vega and WebScarab, were not able to access the website, crawl it, or intercept the HTTP and HTTPS requests. None of these three tools worked on any of the three websites after the security practices had been added.

9.3 Vulnerabilities Analysis

All the vulnerabilities that were found and discussed in the testing phase are explained briefly in this section. According to the OWASP Top 10 Most Critical Web Application Security Risks, the most common vulnerability is injection; it is very common in web applications. There are different types of injection; SQL injection is the most common of the three injection attacks (“Owasp.org”, 2017). It occurs by injecting code to compromise a database. Second, XML injection is an attack where malicious code is injected to compromise the logic of an application (“Owasp.org”, 2017). Finally, command injection, also referred to as “shell injection” or “OS command injection”, injects and executes commands at the OS level (“Owasp.org”, 2017).

Cross-Site Scripting (XSS) is another common vulnerability (“Owasp.org”, 2017). The attacker injects a malicious script into a website that is activated every time an end user visits the website; it sends back to the hacker all the user's information, such as the session cookie or the login and password. There are 3 types of XSS:

• Stored XSS

• Reflected XSS

• DOM-based XSS

Web browser X-XSS-Protection: this is related to the browser as well. In modern browsers this step is not really important, since the Content Security Policy is implemented in newer browsers (ZAP, 2018).

Cookie No HttpOnly Flag: without the HttpOnly flag, the cookie can be accessed by client-side scripts. Most modern web browsers support HttpOnly (“Owasp.org”, 2017).

Format string error: if a string input is evaluated as a command, a format string error will occur (“Owasp.org”, 2017).

X-Frame-Options not set: the HTTP response header is not included; websites can use it to protect against clickjacking attacks (“Owasp.org”, 2017), so setting it improves the protection against clickjacking. To solve the problem, check the browser, since all new browsers support X-Frame-Options.

Password autocomplete: the autocomplete attribute is not disabled and the password is stored in the browser. This password can be retrieved by an attacker since it is stored. Therefore, disabling autocompletion helps the security of the website.

X-Content-Type-Options: MIME sniffing is controlled by setting this header to nosniff. MIME sniffing is a type of sniffing where the web browser sniffs the content; it can lead to XSS attacks as well (“Owasp.org”, 2017). This problem is related to the end user, since it is not possible to determine whether the user has a modern browser or not. However, modern browsers solve this problem.

Local Filesystem Paths Found: this could lead to file inclusion. The attacker can inject and read files from the server, which will affect the website (“Owasp.org”, 2017). This may lead to XSS, DoS, and much more. It was found on Joomla and Drupal; however, it was not reliable, since the scanner gave a possibility, not a certainty.

Cookie Without Secure Flag: if the cookie does not have a Secure flag, then it can be intercepted by an attacker via an unencrypted HTTP connection (“Owasp.org”, 2017). Therefore, HTTPS can protect against it.

Chapter 10

Conclusion

10.1 Summary

In this paper a security analysis has been conducted on three major CMSs: WordPress, Joomla and Drupal. A website was built on each CMS platform: securityprojectj.com for Joomla, securityprojectwp.com for WordPress, and securityprojectD.com for Drupal. Next, all three developed websites were scanned twice, before and after adding the security measures to the websites. From the results, the Drupal website was more secure than Joomla and WordPress before adding any security practices. However, after adding security practices and measures, the vulnerabilities of all three websites decreased. Furthermore, in the second part of the paper, all the vulnerabilities in the three CMS cores, add-ons, and themes were collected from each CMS vulnerability database and analyzed. The data included in the research was collected in the first quarter of 2018. Drupal was the winner, with the least number of core vulnerabilities and the least number of plugin vulnerabilities as well. All the security practices included in this research will help the user to secure the website and protect against attacks that might affect the website.

10.2 Future Work

Future work will concern a deeper analysis of the different CMSs that are available in the market today. This research has mainly focused on analyzing the security aspect of three major CMSs: WordPress, Joomla and Drupal. In addition, it would be interesting to build more complex websites, such as e-commerce sites, and focus on analyzing their security to explore all the problems. Moreover, a security add-on could be developed for all three CMSs, WordPress, Joomla and Drupal, that contains all the required security to protect the website without the need to download any other plugins, or even to use the website configuration to secure the website.

References

Aravindhan, R., Shanmugalakshmi, R., Ramya, K., & Selvan, C. (2016). Certain investigation on web application security: phishing detection and phishing target discovery. In Advanced computing and communication systems (icaccs), 2016 3rd international conference on (Vol. 1, pp. 1–10). IEEE.

Avancini, A. & Ceccato, M. (2011). Security testing of web applications: a search-based approach for cross-site scripting vulnerabilities. In Source code analysis and manipulation (scam), 2011 11th ieee international working conference on (pp. 85–94). IEEE.

Conțu, C. A., Popovici, E. C., Fratu, O., & Berceanu, M. G. (2016). Security issues in most popular content management systems. In Communications (comm), 2016 international conference on (pp. 277–280). IEEE.

da Fonseca, J. C. C. M. & Vieira, M. P. A. (2014). A practical experience on the impact of plugins in web security. In Reliable distributed systems (srds), 2014 ieee 33rd international symposium on (pp. 21–30). IEEE.

Hills, M. (2016). Navigating the plugin landscape. In Program comprehension (icpc), 2016 ieee 24th international conference on (pp. 1–10). IEEE.

Koskinen, T., Ihantola, P., & Karavirta, V. (2012). Quality of wordpress plug-ins: an overview of security and user ratings. In Privacy, security, risk and trust (passat), 2012 international conference on and 2012 international conference on social computing (socialcom) (pp. 834–837). IEEE.

Kumar, J. P., Ravi, T., & Nagendra, K. (2012). Analysis of security vulnerabilities for web based application. IET Conference Proceedings, 233–236(3). Retrieved from http://digital-library.theiet.org/content/conferences/10.1049/cp.2012.2535

Kumar, R. (2015). Analysis of key critical requirements for enhancing security of web applications. In Computers, communications, and systems (icccs), international conference on (pp. 241–245). IEEE.

Kyaw, A. K., Sioquim, F., & Joseph, J. (2015). Dictionary attack on wordpress: security and forensic analysis. In Information security and cyber forensics (infosec), 2015 second international conference on (pp. 158–164). IEEE.

Lakhani, J. M. A. & Muniz, J. (2013). Web penetration testing with kali linux. publishing. September.

Lashkaripour, Z. & Bafghi, A. G. (2013). A security analysis tool for web application reinforcement against sql injection attacks (sqlias). In Information security and cryptology (iscisc), 2013 10th international isc conference on (pp. 1–8). IEEE.

Masood, A. & Java, J. (2015). Static analysis for web service security-tools & techniques for a secure development life cycle. In Technologies for homeland security (hst), 2015 ieee international symposium on (pp. 1–6). IEEE.

Meike, M., Sametinger, J., & Wiesauer, A. (2009). Security in open source web content management systems. IEEE Security & Privacy, 7(4).

Mening, R. (2013). WordPress vs. Joomla vs. Drupal (CMS Comparison). How to make a website. http://websitesetup.org/cms-comparison-wordpress-vs-joomla-drupal/. Accessed October 20, 2017.

Mening, R. (2017). Step-by-Step Guide for Beginners. https://websitesetup.org/. Accessed April 23, 2018.

Mirdha, A., Jain, A., & Shah, K. (2014). Comparative analysis of open source content management systems. In Computational intelligence and computing research (iccic), 2014 ieee international conference on (pp. 1–4). IEEE.

(n.d.). https://www.drupal.org/.

Burp Suite Scanner | PortSwigger. (n.d.). https://portswigger.net/burp.

Drupal Open Source CMS. (n.d.). https://www.drupal.org/.

Joomla (CMS). (n.d.). https://www.joomla.org.

Joomla.org. Joomla! (n.d.). http://www.joomla.org/.

Official Bluehost Blog. (n.d.). http://Bluehost.com.

Securitycheck Spam Protection. (n.d.). https://securitycheck.protegetuordenador.com/our-products/securitycheck-spam-protection.

SiteGround: Web Hosting Services. (n.d.). Retrieved from https://www.siteground.com/.

Usage statistics for Chaos tool suite (ctools) | Drupal.org. (n.d.). https://www.drupal.org/project/usage/ctools. Accessed November 20, 2017.

Vega Vulnerability Scanner. (n.d.). https://subgraph.com/vega/.

Web Technology Surveys. (n.d.). http://w3techs.com.

What is Web Hosting? (n.d.). https://www.website.com/beginnerguide/webhosting/6/1/what-is-web-hosting?.ws.

WordPress CMS. (n.d.). https://wordpress.org.

WordPress business plan. (n.d.). https://en.support.wordpress.com/com-vs-org/. Accessed October 23, 2017.

Wpscan.org. (n.d.). https://wpscan.org/.

Zenmap - Official cross-platform Nmap Security Scanner GUI. (n.d.). https://nmap.org/zenmap/.

Owasp.org. (2017). https://www.owasp.org/.

CMS Critic. (2018, June). Retrieved from https://www.cmscritic.com/.

List of TCP and UDP port numbers. (2018). https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers. Accessed October 15, 2017.

OWASP. (2017). Application security risks-2017, open web application security project (owasp).

Patel, S. K., Rathod, V. R., & Parikh, S. (2011). Joomla, drupal and wordpress-a statistical comparison of open source cms. In Trendz in information sciences and computing (tisc), 2011 3rd international conference on (pp. 182–187). IEEE.

Patel, S. K., Rathod, V. R., & Prajapati, J. B. (2013). Comparative analysis of web security in open source content management system. In Intelligent systems and signal processing (issp), 2013 international conference on (pp. 344–349). IEEE.

Rouse, M. & Cote, D. (n.d.). What is shared hosting? http://searchmicroservices.techtarget.com/definition/shared-hosting. Accessed November, 2017.

Sharma, P., Doshi, D., & Prajapati, M. M. (2016). Cybercrime: internal security threat. In Ict in business industry & government (ictbig), international conference on (pp. 1–4). IEEE.

Uskov, A. V. (2013). Hands-on teaching of software and web applications security. In Interdisciplinary engineering design education conference (iedec), 2013 3rd (pp. 71–78). IEEE.

Vasek, M., Wadleigh, J., & Moore, T. (2016). Hacking is not random: a case-control study of webserver-compromise risk. IEEE Transactions on Dependable and Secure Computing, 13(2), 206–219.

Zalewski, M., Heinen, N., & Roschke, S. (2009). Skipfish - web application security scanner. https://code.google.com/archive/p/skipfish/wikis/SkipfishDoc.wiki. Accessed October 20, 2017.

ZAP, O. (2018). Owasp zed attack proxy project. https://www.owasp.org/index. /OWASP_Zed_Attack_Proxy_Project. Accessed April 10, 2018.