Web Server Hardening - Apache Tomcat

Reference: https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html


1. Remove Extraneous Resources


Removing sample resources
C:\xampp\Tomcat\webapps\docs
C:\xampp\Tomcat\webapps\examples

Removing Manager Application if not using
C:\xampp2\Tomcat\webapps\host-manager
C:\xampp2\Tomcat\webapps\manager
C:\xampp2\Tomcat\conf\Catalina\localhost\manager.xml

Disable unused Connector
C:\xampp2\tomcat\conf\server.xml

cat server.xml | grep "Connector"




2. Limit Server Platform Information Leaks

Alter the Advertised server information

Audit:
cd $CATALINA_HOME/lib
jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
grep server.info org/apache/catalina/util/ServerInfo.properties


Remediation:
server.info=<SomeWebServer>
server.number=<someversion>
server.built=


Disable X-Powered-By HTTP Header and Rename the Server Value for all Connectors

Turn off TRACE

Affected file: $CATALINA_HOME/conf/server.xml

Remediation:
<Connector
...
xpoweredBy="false"
allowTrace="false"/>


https://tomcat.apache.org/tomcat-8.0-doc/config/http.html


Disable client facing Stack Traces

Affected file: $CATALINA_HOME/conf/web.xml
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/error.jsp</location>
</error-page>



3 Protect the Shutdown Port

Set a nondeterministic Shutdown command value


Vulnerable:
<Server port="8005" shutdown="SHUTDOWN">

Remediation -  set a nondeterministic value for the shutdown attribute:
<Server port="8005" shutdown="asequenceofrandomcharacters">


4 Protect Tomcat Configurations

Restrict access to Tomcat dDirectories

($CATALINA_HOME, $CATALINA_BASE, configuration, logs, temp, binaries, web application
catalina.policy)

catalina.properties

Audit (If the ownership and permission are set correctly, no output should be displayed):
# cd $CATALINA_HOME
# find . -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find logs -follow -maxdepth 0 \( -perm /o+rwx -o ! -user tomcat_admin -o ! - group tomcat \) -ls
# find temp -follow -maxdepth 0 \( -perm /o+rwx -o ! -user tomcat_admin -o ! - group tomcat \) -ls
# find bin -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls 
# find webapps -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls

# cd $CATALINA_HOME/conf
# find . -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find catalina.policy -follow -maxdepth 0 \( -perm /o+rwx -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find catalina.properties -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find context.xml -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find logging.properties -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find server.xml -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find tomcat-users.xml -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find web.xml -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls

# cd $CATALINA_BASE
# find . -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls

Remediation:

  • Set the ownership to tomcat_admin:tomcat
  • Remove write permissions (g-w) for the group
  • Remove read, write, and execute permissions (o-rwx) for the world


# chown tomcat_admin.tomcat $CATALINA_HOME
# chmod g-w,o-rwx $CATALINA_HOME

# chown tomcat_admin:tomcat $CATALINA_HOME/logs
# chmod o-rwx $CATALINA_HOME/logs
# chown tomcat_admin:tomcat $CATALINA_HOME/temp
# chmod o-rwx $CATALINA_HOME/temp
# chown tomcat_admin:tomcat $CATALINA_HOME/bin
# chmod g-w,o-rwx $CATALINA_HOME/bin
# chown tomcat_admin:tomcat $CATALINA_HOME/webapps
# chmod g-w,o-rwx $CATALINA_HOME/webapps

# chown tomcat_admin:tomcat $CATALINA_HOME/conf
# chmod g-w,o-rwx $CATALINA_HOME/conf
# chown tomcat_admin:tomcat $CATALINA_HOME/conf/catalina.policy
# chmod 770 $CATALINA_HOME/conf/catalina.policy
# chown tomcat_admin:tomcat $CATALINA_HOME/conf/catalina.properties
# chmod g-w,o-rwx $CATALINA_HOME/conf/catalina.properties
# chown tomcat_admin:tomcat $CATALINA_HOME/conf/context.xml
# chmod g-w,o-rwx $CATALINA_HOME/conf/context.xml
# chown tomcat_admin:tomcat $CATALINA_HOME/conf/logging.properties
# chmod g-w,o-rwx $CATALINA_HOME/conf/logging.properties
# chown tomcat_admin:tomcat $CATALINA_HOME/conf/server.xml
# chmod g-w,o-rwx $CATALINA_HOME/conf/server.xml
# chown tomcat_admin:tomcat $CATALINA_HOME/conf/tomcat-users.xml
# chmod g-w,o-rwx $CATALINA_HOME/conf/tomcat-users.xml
# chown tomcat_admin:tomcat $CATALINA_HOME/conf/web.xml
# chmod g-w,o-rwx $CATALINA_HOME/conf/web.xml

# chown tomcat_admin.tomcat $CATALINA_BASE
# chmod g-w,o-rwx $CATALINA_BASE


5 Configure Realms

Tomcat realm is a database of usernames and passwords used to identify valid users of web applications

Use secure Realms

Audit (The below commands should not emit any output)
# grep "Realm className" $CATALINA_HOME/conf/server.xml | grep MemoryRealm
# grep "Realm className" $CATALINA_HOME/conf/server.xml | grep JDBCRealm
# grep "Realm className" $CATALINA_HOME/conf/server.xml | grep UserDatabaseRealm
# grep "Realm className" $CATALINA_HOME/conf/server.xml | grep JAASRealm


Use LockOut Realms

Audit (To check to see if a LockOut realm is being used)
# grep "LockOutRealm" $CATALINA_HOME/conf/server.xml


Remediation:
<Realm className="org.apache.catalina.realm.LockOutRealm"
failureCount="3" lockOutTime="600" cacheSize="1000"
cacheRemovalWarningTime="3600">

<Realm
className="org.apache.catalina.realm.DataSourceRealm"
dataSourceName=... />
</Realm>


https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html


6 Connector Security


(Review the Connector configuration in server.xml)

Setup Client-cert Authentication


Audit:
Ensure the clientAuth parameter is set to true

Remediation:

  • Ensure SSLEnabled is set to True for Sensitive Connectors
  • Ensure scheme is set accurately
  • Ensure secure is set to true only for SSL-enabled Connectors
  • Ensure SSL Protocol is set to TLS for Secure Connectors


<-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true";
clientAuth="true" sslProtocol="TLS"/>


Audit:

  • Ensure SSLEnabled attribute set to true
  • ensure the secure attribute is set to true for those Connectors having SSLEnabled set to true
  • set the sslProtocol attribute to "TLS" for Connectors having SSLEnabled set to true
  • Ensure the Connector’s scheme attribute is set to https for  Connectors operating over HTTPS


Remediation:
<Connector
...
SSLEnabled="true"
secure="true"
sslProtocol="TLS"
scheme="https"
...
/>

Force SSL when accessing the manager application


Audit (Ensure <transport-guarantee> attribute set to CONFIDENTIAL):
# grep transport-guarantee $CATALINA_HOME/webapps/manager/WEB-INF/web.xml

Remediation:
<security-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
<user-data-constraint>
</security-constraint>



7 Establish and Protect Logging Facilities


Application specific logging


Audit:
Ensure a logging.properties file is locate at $CATALINA_BASE\webapps\<app_name>\WEB-INF\classes

(By default, installing Tomcat places a logging.properties file in $CATALINA_HOME\conf.
This file can be used as base for an application specific logging properties file)

Remediation:
Create a logging.properties file and place that into your application WEB-INF\classes directory.


Specify file handler in logging.properties files

$ grep handlers \
$ CATALINA_BASE\webapps\<app name>\WEB-INF\classes\logging.properties
$ grep handlers $CATALINA_BASE\conf\logging.properties

Remediation:
handlers=org.apache.juli.FileHandler, java.util.logging.ConsoleHandler

org.apache.juli.FileHandler.level=FINEST

Ensure className is set correctly in context.xml


Audit:
# grep org.apache.catalina.valves.AccessLogValve $CATALINA_BASE\webapps\<appname>\META-INF\context.xml

Remediation:

<Valve
className="org.apache.catalina.valves.AccessLogValve"
directory="$CATALINA_HOME/logs/"
prefix="access_log"
fileDateFormat="yyyy-MM-dd.HH"
suffix=".log"
pattern="%t %H cookie:%{SESSIONID}c request:%{SESSIONID}r %m %U %s %q %r"
/>


Ensure directory in context.xml is a secure location




9 Application Deployment

Starting Tomcat with Security Manager


Audit:
Review the startup configuration in /etc/init.d

Remediation:
$ $CATALINA_HOME/bin/catalina.sh start -security (Unix)
C:\> %CATALINA_HOME%\bin\catalina start -security (Windows)


Disabling auto deployment of applications

Audit:
# grep "autoDeploy" $CATALINA_HOME/conf/server.xml

Remediation:
autoDeploy="false"




10 Miscellaneous Configuration Settings

Restrict access to the web administration

Remediation:
Affected File: $CATALINA_HOME/conf/server.xml

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1"/>


Rename the manager application

Audit (Ensure the following directories and files do not exsist):

$CATALINA_HOME/conf/Catalina/localhost/manager.xml
$CATALINA_HOME/webapps/host-manager/manager.xml
$CATALINA_HOME/webapps/manager

Remediation:

1. mv $CATALINA_HOME/webapps/host-manager/manager.xml \ $CATALINA_HOME/webapps/host-manager/new-name.xml

2. Update the docBase attribute within $CATALINA_HOME/webapps/host-manager/new-name.xml to ${catalina.home}/webapps/new-name

3. Move $CATALINA_HOME/webapps/manager to $CATALINA_HOME/webapps/new-name

$ mv $CATALINA_HOME/webapps/manager $CATALINA_HOME/webapps/new-name


Enable strict servlet Compliance

Audit:
Ensure the above parameter is added to the startup script which by default is located at $CATALINA_HOME/bin/catalina.sh

-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true


-- Turn off session façade recycling


Force SSL when accessing the manager application

Audit:
grep transport-guarantee $CATALINA_HOME/webapps/manager/WEB-INF/web.xml

Affected File: $CATALINA_HOME/webapps/manager/WEB-INF/web.xml

Remediation
<security-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
<user-data-constraint>
</security-constraint>

Popular posts from this blog

Remote Desktop Protocol (RDP) Security

Image
Common Remote Desktop Protocol (RDP) Vulnerabilities Terminal Services Encryption Level is Medium or Low Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness Terminal Services Doesn't Use Network Level Authentication (NLA) Only Terminal Services Encryption Level is Medium or Low Vulnerability Assessment: Host Assessment: Remediation: Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security/Set client connection encryption level Set client connection encryption level to High Note: High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD S...
Read more

Penetration Testing - Network

Image
Manual Vulnerability Assessment TCP/21: FTP Anonymous FTP Enabled anonymous guest TCP/22: SSH nmap -p 22 --script ssh2-enum-algos <ip_address> SSH Weak Algorithms Supported SSH Server CBC Mode Ciphers Enabled ssh -oCiphers=<ciphers> <ip_address> SSH Weak MAC Algorithms Enabled ssh -oMACs=<algorithm> <ip_address> SSH Protocol v1 Supported ssh -1 <ip_address> -v Hardening on SSH Ciphers aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com TCP/23: Telnet Unencrypted Telnet Server telnet <ip_address> 23 TCP/25: SMTP SMTP Service Cleartext Login Permitted telnet <ip_address> 25 EHLO <ip_address> AUTH LOGIN Mailserver answer to VRFY and EXPN requests * nc <ip_address> 25 EXPN root VRFY root TCP/53: DNS DNS Server Cache Snooping Remote Information Disclosure ...
Read more

Damn Vulnerable Web Services (DVWS) - Walkthrough

Image
Installation Damn Vulnerable Web Services  (DVWS) is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities. https://github.com/snoopysecurity/dvws WSDL Enumeration Spider DVWS using Burp Suite and look for service.php Requests processed by SOAP service include  check_user_information ,  owasp_apitop10 ,  population  and  return_price XPATH Injection User Login: 1' or '1'='1 User Password: 1' or '1'='1 Command Injection Original Request parameter value of name is " find "   by default  Edited Request change the parameter value of  name  from "find" to " dir "   Cross Site Tracing (XST) Hint of " The NuSOAP Library service is vulnerable to a Cross-site scripting flaw " is given by DVWS. Exploit is published at exploit DB ( https://www.exploit-db.com/e...
Read more

Server Message Block (SMB) Security

Image
Common SMB related vulnerabilities Microsoft Windows SMBv1 Multiple Vulnerabilities SMB Signing Disabled Microsoft Windows SMB NULL Session Authentication Microsoft Windows SMB Shares Unprivileged Access Network Discovery: TCP port 5357 - Web Services on Devices API (WSDAPI) File and Printer Sharing: TCP port 135 - Remote Procedure Call (RPC) TCP port 139 - NETBIOS Session Service TCP port 445 - Server Message Block (SMB) By disable NetBIOS over TCP/IP (TCP Port 139), NETBIOS name discovery will be prevented Microsoft Windows SMBv1 Multiple Vulnerabilities Vulnerability Assessment: NSE script smb-protocols can be used to check if the server supported NT LM 0.12 (SMBv1) . Host Assessment: Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath} Remediation: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters...
Read more

Offensive Security Testing Guide

Image
This cheat sheet compiles the commands we learned to exploit vulnerable machines. However, these commands alone may not be sufficient to obtain your Offensive Security Certified Professional (OSCP) certification. So... Try Harder! Information Gathering Operating System Windows Interesting Path "Documents and Settings"/Administrator/Desktop file:///C:/xampp/readme_en.txt file:///C:/xampp/passwords.txt file:///C:/xampp/webdav/webdav.txt file:///C:/xampp/apache/conf/extra/httpd-dav.conf file:///C:/xampp/apache/conf/extra/httpd-xampp.conf file:///C:/xampp/apache/logs/access.log file:///C:/xampp/apache/logs/error.log file:///C:/xampp/security/webdav.htpasswd file:///C:/xampp/htdocs/dashboard/phpinfo.php file:///C:/xampp/phpmyadmin/config.inc.php file:///C:/xampp/php/logs/php_error_log file:///C:/xampp/mysql/bin/my.ini C:\Users\<User>\AppData\Local\Temp #Email Address C:\Users\<User>\AppData\Local\Microsoft\Outlook Active Connection netstat -...
Read more

Host Configuration Assessment - Windows

Image
OS Information Gathering systeminfo wmic computersystem get domainrole 0 - Standalone workstation 1 - Member workstation 2 - Standalone server 3 - Member server 4 - Domain controller secedit /export /cfg cfg.ini > nul net user administrator > netuseradmin.txt auditpol.exe /get /category:* > auditpol.txt netsh advfirewall show allprofiles > firewall.txt net accounts > netaccount.txt gpresult /f /h evid/gporesult.html > nul accesschk /accepteula -q -a * > accesschk.txt *Simplify the process with Scgary ! User Right Assignment type cfg.ini | grep "^SeAuditPrivilege\|^SeCreatePagefilePrivilege\|^SeRemoteShutdownPrivilege\|^SeRemoteInteractiveLogonRight\|^SeEnableDelegationPrivilege\|^SeLockMemoryPrivilege\|^SeDenyNetworkLogonRight\|^SeChangeNotifyPrivilege\|^SeDebugPrivilege\|^SeDenyBatchLogonRight\|^SeCreateGlobalPrivilege\|^SeShutdownPrivilege\|^SeIncreaseQuotaPrivilege\|^SeTrustedCredManAccessPrivilege\|^SeDenyIn...
Read more

Content Page

The Cheat Sheets offer a variety of information security cheat sheets on various security assessments and provides code to simplify testing and verification processes. Penetration Testing Network CMS - WordPress Mobile - Android Mobile - iOS Web Service (API) Security Damn Vulnerable Web Services - Walkthrough OWASP Series 2017  A1 Injection 2017  A3 Sensitive Data Exposure 2017  A4 XML External Entities (XXE) 2017 A6 Security Misconfiguration 2017 A7 Cross-Site Scripting (XSS) 2017 A8 Insecure Deserialization Configuration Assessment Windows Linux Network Device Web Server Hardening Apache PHP MySQL SSL Security Database Assessment Oracle PostgreSQL Database Assessment Tool Host Device Hardening Server Message Block (SMB) Security Remote Desktop Protocol (RDP) Security Social Engineering Social Engineering Testing - Phishing Email Security Malware Exploitation using Shell Post Exploitation Physical ...
Read more

Mobile Penetration Testing - Android

Image
Testing Environment Android Emulator Geny Motion: https://www.genymotion.com/fun-zone/ Android Debug Bridge (ADB) C:\Users\<User>\AppData\Local\Android\Sdk\platform-tools adb -s <specific device> shell #Specific Device adb -d shell #Device adb -e shell #Emulator Basic ADB command adb install <apk file> adb pull <location> adb push <file> <location> Basic Linux command cat /proc/version #Kernel version cat /proc/cpuinfo #Processor Information ps #Processes cat /system/etc/permissions/platform.xml #Permission and GID Information Gathering Retrieve APK file from Device (Recommended) adb shell pm list packages pm path <package> adb pull <apk path> Retrieve APK file from Internet https://apkpure.com To check the certificate information keytool -printcert -file CERT.RSA #C:\Program Files\Java\jre1.8.0_131\bin\keytool.exe Android Manifest Analysis 1. Activity, Service, Content Provider, Broadcast ...
Read more

Penetration Testing with OWASP Top 10 - 2017 A7 Cross-Site Scripting (XSS)

Image
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. DOM-Based XSS Proof of Concept <html> <head> <title>DOM-based Cross-site Scripting</title> </head> <body> Hi, <script> var pos = document.URL.indexOf("name=")+5; //finds the position of value var userInput = document.URL.substring(pos,document.URL.length); //copy the value into userInput variable document.write(unescape(userInput));  //writes content to the webpage </script> </body> </html> XSS Validation Bypass <Script>alert(1)</script> <script<script>>alert(1)</script> <svg onload=...
Read more