Team minutes Security - nordquip/sousms GitHub Wiki

Goals for 121121

  • Create src/security/sanitizeTest.php
  • sanitizeTest.php must do the following:
    • include sanitize.php
    • call each function multiple times, and echo the result, until you feel it is thoroughly tested

Note:

Test by doing the following (this assumes you have installed an XAMPP stack on your system; see https://github.com/nordquip/sousms/wiki/Machine-Environment to set up your XAMPP stack if you haven't done so):

  • git pull the repository to your local system
  • comment out any portion of sanitize.php that is not yours and add in your tests
  • copy both sanitize.php and sanitizeTest.php to the root of your xampp document directory
  • in your browser, visit localhost/sanitizeTest.php. It should print the results of your tests.
  • When satisfied that your code works as it should, commit both sanitize.php and sanitizeTest.php and push

Goals for 121114

  • Make src/security directory

  • create src/security/sanitize.php (use doc/securityTeam/register.php as a template)

  • create functions, include comments telling what your function does and how to call it:

    • checkEmail() - Brandon
    • checkInt() - Judy
    • checkFloat() - Hunter -- created doc/SecuritycheckFloat.md
    • checkPassword() - John
    • checkName() - Blake -- DONE -
  • Brandon - Write: comment at the top of file that explains:

    • usage:
      include /security/sanitize.php
    • purpose of this file
  • John - find out from user accounts what error messages they want for each data type

  • Blake - Move your file doc/BlakesPhpFiles.php from fork into nordquip/sousms/doc/SecurityTeam/ repository - See https://github.com/nordquip/sousms/wiki/UCContributeToNordquipSousmsUsingGitShell

  • Brandon - Move register.php to nordquip/sousms/doc/SecurityTeam/
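The following is an added example, not the project's sanitize.php or sanitizeTest.php. It shows one possible shape for the five check functions listed in the 121114 goals, each returning true when the input is acceptable and otherwise a short error string (the return convention, the length limits and ranges, and the password rules are assumptions, not taken from the project). The bottom of the file is the kind of loop the 121121 goal asks sanitizeTest.php to contain; in the real layout that loop would sit in sanitizeTest.php behind an `include 'sanitize.php';`, and here the functions are in the same file only so the example runs stand-alone.

```php
<?php
// Added example (not the project's sanitize.php). Every check returns true on
// acceptable input and an error string otherwise. Limits are assumptions.

function checkEmail($email) {
    if (!is_string($email) || strlen($email) > 254) {
        return "email must be a string of at most 254 characters";
    }
    // filter_var applies PHP's RFC-style address syntax check.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return "email is not a valid address";
    }
    return true;
}

function checkInt($value, $min = PHP_INT_MIN, $max = PHP_INT_MAX) {
    // FILTER_VALIDATE_INT rejects trailing junk ("42abc"), "1e3", "0x1A", etc.
    $result = filter_var($value, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    if ($result === false) {
        return "value must be a whole number between $min and $max";
    }
    return true;
}

function checkFloat($value) {
    $result = filter_var($value, FILTER_VALIDATE_FLOAT);
    // Reject non-numeric text, and INF/NAN if a float was passed in directly.
    if ($result === false || !is_finite($result)) {
        return "value must be a finite decimal number";
    }
    return true;
}

function checkPassword($password) {
    if (!is_string($password)) {
        return "password must be a string";
    }
    $len = strlen($password);
    if ($len < 8 || $len > 128) {
        return "password must be between 8 and 128 characters";
    }
    if (!preg_match('/[A-Za-z]/', $password) || !preg_match('/[0-9]/', $password)) {
        return "password must contain at least one letter and one digit";
    }
    return true;
}

function checkName($name) {
    if (!is_string($name)) {
        return "name must be a string";
    }
    $name = trim($name);
    if ($name === '' || strlen($name) > 64) {
        return "name must be between 1 and 64 characters";
    }
    // Letters in any script, spaces, apostrophes and hyphens only, so markup
    // and SQL metacharacters such as < > ; " never get through.
    if (!preg_match("/^[\\p{L}][\\p{L}' -]*$/u", $name)) {
        return "name may contain only letters, spaces, apostrophes and hyphens";
    }
    return true;
}

// --- the part sanitizeTest.php would hold: call each function on inputs that
// should pass and inputs that should fail, and echo what came back. ---
$cases = [  // constructed test inputs: [function, input, expected to pass?]
    ['checkEmail',    'user@example.com',  true],
    ['checkEmail',    'user@@example.com', false],
    ['checkInt',      '42',                true],
    ['checkInt',      '42abc',             false],
    ['checkFloat',    '3.14',              true],
    ['checkFloat',    '1.2.3',             false],
    ['checkPassword', 'correct1horse',     true],
    ['checkPassword', 'short',             false],
    ['checkName',     "O'Brien",           true],
    ['checkName',     '<script>',          false],
];
foreach ($cases as [$fn, $input, $expectOk]) {
    $result = $fn($input);
    $ok = (($result === true) === $expectOk);
    echo ($ok ? 'PASS' : 'FAIL'), " $fn(", var_export($input, true), ") -> ",
         var_export($result, true), "\n";
}
```

Returning an error string rather than just false lets the caller show the user-accounts team's preferred message per data type (the point of John's task above) without each caller re-deriving why the input was rejected; a caller that only needs a yes/no compares the result against true with `===`.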

Stretch

  • Hunter - make a list of filenames of logs you would like to see from the server, add a task to the issues list. Assign the task to jeremy-french (build team).

Goals for 121107

  • Hunter - Ask Andrew or David Whipp if we can have logs from our attack on the server two weeks ago. DONE: "We have sudo, so get them that way"
  • Hunter, John - Contact Daniel DeFreez to see if we can get a VM in 115. -- N/A. I talked with Daniel, and we can't do it.

Note: I think the best thing to do is have the security team take over the 'sanitize' interface specified by user accounts. I talked with Lana about this, and she thought it would be OK.

  • All - review the pseudocode for the 'sanitize' interface in https://github.com/nordquip/sousms/blob/master/doc/UAPseudocode.md. Put suggestions for improvement in doc/securityTeam/sanitize.md -- DONE: Hunter -- no one else did this.

  • Judy - write a plan for testing security of the mobile connection, and add it to doc/securityTeam/mobileAttackPlan.md -- NOT DONE: will be done by end of day.

  • Brandon & Blake (1 each): Choose a data validation check (start with http://en.wikipedia.org/wiki/Data_validation) -- DONE - in-secure-stock-market-sim/securityTeam/register.php

  • Blake: Write (first draft) php to implement the check you chose -- src/security/blakesSecurityCheck.php -- DONE, but doesn't compile -- still doesn't connect to db. No new action since last week.

  • John found tradeEngine/transaction.php (their test harness) and index.html problems -- DONE

Goals for 121031

  • Add doc/security directory to security fork -- DONE
  • move all documents into security directory
  • Sync security to nordquip/sousms -- See https://github.com/nordquip/sousms/wiki/Git,-Group-Fork-Merge-Process -- DONE during the meeting
  • Hunter: Search for additional exploits that are applicable to our server that could be run with Metasploit. Document exploits researched, including where you searched, describe applicability to our server, and launch if possible and record results. Add results to attack log file in doc/security -- DONE
  • John: Try exploit found last week, and record results in doc/security/. -- DONE
  • Blake: finish form and have it connect to webpages database. -- DONE
  • Brandon & Blake (1 each): Choose a data validation check (start with http://en.wikipedia.org/wiki/Data_validation) -- ?? NOT in the repository
  • Blake: Write (first draft) php to implement the check you chose -- src/security/blakesSecurityCheck.php -- ?? NOT in the repository
  • Brandon: Write (first draft) php to implement the check you chose -- src/security/brandonSecurityCheck.php -- ?? NOT in the repository
  • Judy - Find one Metasploit attack and run it against the system, record results in doc/security/jwattackLog.md. -- NOT DONE -- did find an exploit, but couldn't run it, because we were told not to.

### NOTES

All present at the meeting. No goals submitted for next meeting.

Goals for 121024

  • John - make the following subdirectories in the carlsonjohn/ repository: doc/Security, test/Security, src/Security -- NOT DONE
  • John - fuzz the system and write a report of 'fuzz tests' run and put report in carlsonjohn/doc/Security/Pentest-Exploit.md - DONE: ran nmap port scan to get software version numbers. Found an exploit for this version of apache.
  • Hunter - Use BackTrack 5 r3 / Metasploit against the production server as it exists now. Add the results of your attack to carlsonjohn/doc/Security/serverAttackLog.md -- DONE: survived Metasploit hail Mary attack
  • Brandon - Add 'new' submit button to form that does not display the table. Demonstrate that you can sql-inject the email field and the 'new' button causes some portion of the db to be displayed. Save the injectable php file in carlsonjohn/test/Security/injectable.php -- NOT DONE
  • Blake - Put up a mysql database on your account on webpages and write a php page that has an input field, and demonstrate you can sql-inject this field similar to the way Brandon did. Save your file in carlsonjohn/test/Security/injectableBL.php. -- NOT DONE: started -- have a form and a database, but database is not on webpages. Mysqlworkbench didn't work, because mysql_update needed to be run.
  • Brandon - Find php example code to prevent SQL injection. -- NOT DONE - didn't look. Hunter and Brandon spent couple of hours trying to sql inject myspace.
  • Blake - copy carlsonjohn/test/Security/injectableBL.php to carlsonjohn/test/Security/nonInjectable.php. -- BLOCKED
  • Blake - insert the code Brandon found into carlsonjohn/test/Security/nonInjectable.php -- BLOCKED
  • Brandon and Blake - demonstrate that the sql injections that broke injectable.php and injectableBL.php do not break nonInjectable.php -- BLOCKED
  • Judy - Find one Metasploit attack and run it against the system. -- NOT DONE.
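As an added example of the "php example code to prevent SQL injection" that the Brandon/Blake tasks above are after (this is not the project's injectable.php, injectableBL.php or nonInjectable.php), here is the same email lookup written twice: once with the submitted value interpolated into the SQL text, and once with a PDO prepared statement. The `users` table, its columns, and the use of an in-memory SQLite database are assumptions made so the file runs without the webpages MySQL server; with MySQL the DSN changes and the two query functions stay the same.

```php
<?php
// Added example, not project code. Requires the pdo_sqlite extension.

function connect(): PDO {
    // Assumption: an in-memory SQLite database stands in for the webpages MySQL db.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)");
    $db->exec("INSERT INTO users (email, name) VALUES
               ('alice@example.com', 'Alice'), ('bob@example.com', 'Bob')");
    return $db;
}

// The pattern injectable.php demonstrates: the form field becomes part of the
// SQL text, so any quote character in it changes the query's structure.
function findUserInjectable(PDO $db, string $email): array {
    $sql = "SELECT name FROM users WHERE email = '$email'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The pattern nonInjectable.php should use: the value is bound as a parameter,
// sent separately from the SQL text, and is never parsed as SQL.
function findUserSafe(PDO $db, string $email): array {
    $stmt = $db->prepare("SELECT name FROM users WHERE email = ?");
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = connect();
$inputs = [                      // constructed inputs
    'alice@example.com',         // ordinary address
    "o'brien@example.com",       // legitimate address containing a quote
];

foreach ($inputs as $input) {
    echo "input: $input\n";
    try {
        echo "  interpolated query: ", json_encode(findUserInjectable($db, $input)), "\n";
    } catch (PDOException $e) {
        // The quote reached the SQL parser, which is exactly the injection surface.
        echo "  interpolated query: SQL error (", $e->getMessage(), ")\n";
    }
    echo "  prepared statement: ", json_encode(findUserSafe($db, $input)), "\n";
}
```

The second input is the check worth adding to the team's comparison: an address with an apostrophe is valid data, yet it makes the interpolated version fail with a syntax error (proof that the field is being parsed as SQL), while the prepared statement simply finds no matching row. For the injectable demo itself the project's own files apply; the fix is only ever to bind, never to try to escape by hand.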

Goals for 121018:

  • John - Execute MemoryC0rruption attack on server -- NOT DONE: Could
  • Hunter - Use BackTrack 5 r3 / Metasploit against the server as it exists now -- NOT DONE: Tried to build up old system as a test machine, but was unable to get it to boot.
  • Document the tests you ran in a file in the carlsonj/in-secure-stock-market-sim/test directory (please push this file up to your team's repository fork). -- NOT DONE
  • Brandon / Blake - Each Put up a mysql databases on your account on webpages and write a php page that has an input field. -- Brandon DONE.
  • Judy - Find one Metasploit attack and run it against the server. -- Judy didn't show for the 12/18 meeting.

Note: In future, want to inspect logs to develop protocols for recognizing attacks.

## Goals for 121010

### Infrastructure goals:

  • John: Create a GitHub fork for the Testing team -- DONE
  • John: Make all team members collaborators on the fork -- DONE
  • John: Send all team members the URL of the fork -- DONE
  • All: Clone the security fork repository onto your local system -- DONE, blake?

### Use case goals:

### Notes: Division of labor:

  • Brandon - SQL injection
  • Blake - SQL injection
  • Hunter - metasploit
  • John - memory corruption
  • Terak - metasploit
  • ?? - Attacks on server itself