Saturday, 23 July 2016

Learning from JNU's XSS: How an institution can keep its website secure?

This post has been long overdue, thanks to my sloppiness. In March 2016, I made a responsible vulnerability disclosure to a prestigious university, Jawaharlal Nehru University (JNU) in New Delhi, India. At the time the university was in the news, attracting a lot of media (including social media) attention and going through intense public scrutiny. I do not want to dwell on why the university was in the news; rather, I want to use the responsible disclosure as an opportunity to share my thoughts on what basic steps an institution can adopt to keep its website secure.

Background

One fine day, I visited JNU's main website to find information about the university's admission process. The site's main page had a "Search" feature (since removed) that caught my attention. I am sure that all white hats like me develop, over time, a strange intuition: while looking at or playing with a web form or feature, your brain suddenly signals that something is not "good" from an information security standpoint. It was only a matter of time before I confirmed that my hunch about the "Search" feature was correct. The "Search" field was vulnerable to reflected cross-site scripting. Please refer to the screenshot below.

Reflected XSS on www.jnu.ac.in


As you can clearly see in the HTML source code of the vulnerable page, no output encoding is performed on the user-supplied input before it is written back into the page, which leads to reflected cross-site scripting (XSS).


HTML source code of the vulnerable page
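To make the defect concrete, here is a minimal search-page renderer in Python, written for this post as an illustration (it is not JNU's code, and the sample search term is constructed): the first function reflects the term verbatim, as the vulnerable page did; the second HTML-encodes it for both the attribute and the body context it lands in.

```python
import html

# Constructed sample input of the kind a browser would submit to a search form.
# It carries a closing quote and a tag so both output contexts are exercised.
SAMPLE_QUERY = '"><script>probe()</script>'


def render_search_vulnerable(query: str) -> str:
    """Reflects the search term verbatim into an attribute and into the body.
    This reproduces the defect described above: no output encoding at all."""
    return (
        '<form><input name="q" value="' + query + '"></form>'
        '<p>Results for: ' + query + '</p>'
    )


def render_search_fixed(query: str) -> str:
    """Same page, with the term encoded for HTML output.
    quote=True also encodes " and ', which matters inside value="...";
    < > & are encoded in every case, which neutralises the body context."""
    safe = html.escape(query, quote=True)
    return (
        '<form><input name="q" value="' + safe + '"></form>'
        '<p>Results for: ' + safe + '</p>'
    )


def reflects_raw_input(page: str, query: str) -> bool:
    """Crude reviewer check over rendered output: does the submitted string
    appear with its quotes and angle brackets intact?"""
    return query in page
```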


The vulnerability could easily have been exploited to carry out a targeted phishing scam against JNU's faculty, staff and students. Visit this link to learn more about how a reflected XSS can be used for phishing. Trust me, this might look trivial at first, but in reality it is not that difficult to exploit. The potential impact of a successful phishing scam on the victims (JNU's faculty, staff and students) could have been really bad. Some of the tricks motivated adversaries would have tried are:


  • Compromise of personal account credentials (username, password) for email, the corporate intranet, social networking etc.
  • Redirection to malicious websites that trigger downloads of malware, rootkits or backdoors that could infect and compromise the university's computer systems.


The good thing is that JNU's website listed the contact details of the authorities to whom I could report the vulnerability.


Timelines

Below is a brief summary of the responsible vulnerability disclosure timeline:


  • March 3, 2016 at 10:15 p.m.: Discovered a reflected XSS instance on www.jnu.ac.in
  • March 4, 2016 at 11:16 a.m.: Reported the vulnerability to JNU's Director, CIS
  • March 7, 2016 at 1:35 p.m.: Observed that JNU had removed the vulnerable "Search" feature
  • March 8, 2016 at 1:24 a.m.: JNU notified me that the XSS instance was fixed by removing the "Search" feature


Special thanks to Mr. Sanjeev Kumar (Director, CIS) and Ms. Ritu Nidhi (Website Hosting and Content/Multimedia Development) from JNU for being diligent and going the extra mile to ensure the vulnerability was quickly addressed. That demonstrates JNU's commitment and professionalism towards information security. Once the vulnerability was fixed, Ms. Ritu Nidhi from JNU reached out to me via email with a query:


How to get further help and support from you regarding website security vulnerability?

I thought this question was quite relevant and applicable to all institutions (including universities, colleges, schools, public libraries, hospitals, NGOs etc.) that maintain a web presence. So without wasting any more time, I want to highlight some of the basic steps which an institution can adopt to keep its website secure:


1. Harden the website's hosting infrastructure

"Hardening" is a common term in computer security. It is the process of reducing the attack surface of a computer system or network by removing or blocking access to unwanted or unused services. For institutions that manage their own website infrastructure it is strongly recommended to:


  • Block access to default ports and services from the internet.
  • Remove default accounts and credentials from the web server, application server, database, FTP server and network components (e.g. routers).
  • Configure a robots.txt file for your web/application server.
  • Ensure the TLS certificate is valid.
  • Remove unwanted files or directories from your web/application server, e.g. configuration files, test scripts, source code.
  • Disable directory listing on the web/application server.
  • Keep the web hosting infrastructure up to date by regularly applying security patches. This is essential to keep the infrastructure secure against known threats and exploits, e.g. zero-day exploits and published CVEs.
  • Enable active monitoring and logging for critical components of your web hosting infrastructure such as the web server, database, FTP server etc.
  • Install anti-virus software, especially if you are using the Windows operating system.


2. Use firewalls to filter out malicious traffic

The primary function of a firewall is to monitor and control incoming and outgoing network traffic using pre-configured security rules. It can greatly help in reducing as well as thwarting common denial-of-service attacks targeted against your website infrastructure, e.g. SYN floods.

Moreover, a firewall is also useful for isolating and restricting access to internal networks and for protecting high-value assets such as a database or FTP server containing highly sensitive data.


3. Ensure website code is secure by design

It is extremely important to ensure that the code powering your website is secure by design. The code should be free from the most prevalent and high-risk security vulnerabilities listed below:


  • Injection flaws (SQL injection, command injection, XPath injection etc.)
  • Cross-site scripting
  • Cross-site request forgery
  • Buffer overflow
  • Race conditions and deadlocks
  • Insecure file upload
  • Business logic flaws
  • Broken access control
  • Weak cryptography
  • Weak authentication and poor session management
  • Information leakage
  • Improper error handling


For a more detailed and comprehensive list you can refer to the OWASP Secure Coding Cheat Sheet or the SANS Top 25 Software Errors.


4. Enable HTTPS for the website

HTTPS is the secure version of HTTP. Once HTTPS is enabled for a website, the communication between the user's browser (client) and the website (web server) is encrypted, so end users are protected from eavesdropping and man-in-the-middle attacks on the website's traffic. This has a positive impact on users' trust while simultaneously improving the search rankings of your website. So ensure that HTTPS is enabled on your website.


Moreover, if you want to learn more about how to enable HTTPS using a free certificate authority such as Let's Encrypt, please refer to this link.


5. Enforce strong password policy

Passwords are the first line of defense for restricting access to any computer system or network. A strong password acts as a deterrent to motivated attackers, whereas a weak password can help attackers compromise even the most hardened computer system or network.


Institutions should adopt and enforce a strong password policy across their computer network, including the web hosting infrastructure. A strong password policy should combine the following:


  • A minimum password length of 8 characters.
  • Passwords must contain at least 1 upper-case letter, 1 numeric and 1 special character.
  • Require users to change their passwords periodically (e.g. once every 90 days).
  • Enforce a password history check when users update their passwords, e.g. a user should not be able to reuse any of their last 5 passwords.
  • Temporarily block access to a user account after 3 to 5 consecutive failed login attempts on a computer system or network.
  • Make users aware of the importance of choosing a strong password and of not disclosing it to anyone (including friends, colleagues or near and dear ones).
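As an added example (not part of the original post), the rules above expressed as a small Python checker: the length, character-class and history rules as a validator, plus a per-account counter that implements the lockout at the lower bound of 3 consecutive failures. The thresholds are the ones stated above; account names and passwords used in testing are constructed.

```python
import string
from dataclasses import dataclass, field

MIN_LENGTH = 8
HISTORY_DEPTH = 5        # most recent passwords that may not be reused
LOCKOUT_THRESHOLD = 3    # consecutive failures before a temporary block


def policy_violations(candidate: str, history: list) -> list:
    """Return the rules the candidate password breaks (empty list = acceptable).
    `history` holds the user's previous passwords, most recent first. A real
    system stores only password hashes and compares against those, never the
    plaintext kept here for illustration."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    if candidate in history[:HISTORY_DEPTH]:
        problems.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    return problems


@dataclass
class LoginGuard:
    """Counts consecutive failed logins per account and blocks the account
    once the threshold is reached; a success resets the counter."""
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record(self, account: str, success: bool) -> bool:
        """Record one login outcome; return True if the account is now locked."""
        if account in self.locked:
            return True                      # stays locked until an admin unlocks
        if success:
            self.failures[account] = 0
            return False
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= LOCKOUT_THRESHOLD:
            self.locked.add(account)
        return account in self.locked
```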


6. Follow "principle of least privilege"

The principle of least privilege entails granting users, accounts and programs only the minimum set of privileges/permissions necessary to accomplish a task. Institutions must ensure they follow this principle to secure their web hosting infrastructure. Some best practices around this are:


  • Restrict access to the web/application server, database, FTP server etc. to a select group of individuals, e.g. admin users only.
  • Restrict access to configuration and log files.
  • Execute database queries with only the minimum set of privileges.
  • Periodically review user account access and, in particular, remove or disable access for users who have left the organization.


7. Encrypt sensitive data

If an institution's website handles or collects sensitive data, including login credentials, personally identifiable information etc., ensure that the data is encrypted in transit (using HTTPS) as well as at rest (in the database). Most databases support secure encryption algorithms for encrypting stored data, so use them instead of implementing your own custom logic. Moreover, secrets like passwords should always be stored hashed, using a secure hashing algorithm, e.g. SHA-2 or bcrypt.


8. Ensure your website vendor understands information security

A majority of institutions outsource their website development and maintenance to external vendors. Cost plays a vital role in selecting the vendor that will manage an institution's website. While this might not be true for all institutions, for those with limited funding cost is indeed a major factor.


So apart from cost, an institution should also place special emphasis on whether the vendor understands the importance of information security while designing, developing, deploying and maintaining a website. The vendor should be well versed in at least one of the standards/frameworks for web security listed below:


Moreover, if an institution has an in-house team (full-time or part-time) managing its website, make sure they are also aware of the above recommended standards/frameworks.


9. Periodically scan your website

It is always a good idea to periodically scan (half-yearly or yearly) your website (web pages and underlying infrastructure) for potential security vulnerabilities. This can greatly help institutions identify and mitigate security risks before they can actually be exploited by an adversary.


10. Provide contact information

It is always beneficial to share contact information on your website, e.g. the email address of the person or group responsible for maintaining the institution's website. This greatly helps security researchers make a responsible vulnerability disclosure if they identify a serious security flaw in your website.


Conclusion

For any institution, maintaining a web presence (via websites) is a positive step. At the same time it is equally important to ensure the website is secure by design and safe for its end users. The best practices highlighted in this post are not comprehensive, but if followed correctly they can play a significant role in lifting the information security posture of an institution's website and its underlying infrastructure.
