Little-beak.com's gitlab server

Commit 54ee08d0 authored by drexl

privatized the names and Matr. Numbers

parent bebb27ef
......@@ -12,7 +12,7 @@
\@writefile{toc}{\contentsline {paragraph}{First, we can limit our exploration for an already known vulnerability. Secondly, it will give us an idea of where adjacent vulnerabilities may lie.}{2}}
\@writefile{toc}{\contentsline {paragraph}{As of the 8th, May 2017, Nextcloud server version 11.0.3, the known vulnerabilities according to the Nextcloud advistory, are shown in table \nobreakspace {}1\hbox {}.}{2}}
\@writefile{toc}{\contentsline {paragraph}{Following is a list of common attacks, against a LAMP stack.}{2}}
\@writefile{lot}{\contentsline {table}{\numberline {1}{\ignorespaces Vulnerabilities as of {August 14, 2017}}}{3}}
\@writefile{lot}{\contentsline {table}{\numberline {1}{\ignorespaces Vulnerabilities as of {August 21, 2018}}}{3}}
\newlabel{tab: currentVulnerabilities}{{1}{3}}
\citation{site4}
\@writefile{toc}{\contentsline {paragraph}{We will go through, and carefully consider each attack vector.}{4}}
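Review bot: the `lot` entry's caption date moves from "August 14, 2017" to "August 21, 2018" in a commit whose message only covers redacting names, which indicates the table caption is computed at build time rather than pinned to the data it describes; the paragraph two lines above dates the vulnerability list to "the 8th, May 2017, Nextcloud server version 11.0.3", so hard-code that date in the caption and fix "advistory" to "advisory" in the same sentence. More broadly, `.aux` is regenerated on every compile and will keep churning like this; consider adding the LaTeX build outputs to `.gitignore` and committing only the `.tex` source (and, if wanted, the PDF).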
......@@ -45,16 +45,16 @@
\@writefile{toc}{\contentsline {paragraph}{The better code replaces "/" "\textbackslash \textbackslash ", with the "/". This particular vulnerability was scanned with eyeballs, as it was not something that could be easily parsed with a text editor like vi.}{7}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {1.3.8}Shell Injection}{7}}
\@writefile{toc}{\contentsline {paragraph}{Since Nextcloud doesn't offer any type of core abilities that would allow PHP to execute shell commands, we consider this area a low risk. We did search through some elements that could conceivably use shell commands, but they did not. Unless someone codes a particular application that does so, there does not appear to be a threat from this vector.}{7}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {1.3.9}Sensitive Data Exposure}{8}}
\@writefile{toc}{\contentsline {paragraph}{Nextcloud does not store it's application location in a webroot directly, thus it cannot be accessed simply by using a web browser.}{8}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {1.3.9}Sensitive Data Exposure}{7}}
\@writefile{toc}{\contentsline {paragraph}{Nextcloud does not store it's application location in a webroot directly, thus it cannot be accessed simply by using a web browser.}{7}}
\citation{site3}
\@writefile{toc}{\contentsline {subsection}{\numberline {1.4}Detailed Findings}{8}}
\@writefile{toc}{\contentsline {paragraph}{In the end, we were unable to find any security vulnerabilities at this time. For an open source project, Nextcloud is mature, and well developed. With continued development, however, penetration testing will be required periodically. However, at the moment, it appears that Nextcloud has a robust security system in place, that should inspire confidence in it's users.}{8}}
\@writefile{toc}{\contentsline {section}{\numberline {2}Methodology}{8}}
\@writefile{toc}{\contentsline {paragraph}{The primary focus of our task was defining the methodology. We asked ourselves the followed questions:}{8}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Protocols \& adjacent technologies to be examined}{8}}
\@writefile{toc}{\contentsline {paragraph}{In defining our scope, we consider all threats, from all attack vectors--across all relevant technologies, which would for this project, include the following areas:}{8}}
\citation{site3}
\@writefile{toc}{\contentsline {paragraph}{Predominantly, however, the application under review will dive us deep into PHP.}{9}}
\@writefile{toc}{\contentsline {paragraph}{Predominantly, however, the application under review will dive us deep into PHP.}{8}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Nextcloud Threat-model}{9}}
\@writefile{toc}{\contentsline {paragraph}{We will, however, mostly focus our attention mostly on Nextcloud's threat model. Following is the model:}{9}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.2.1}Administrator privileges}{9}}
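Review bot: every line in this hunk is a page-number shift (8 to 7, 9 to 8) with no content change, which is the expected noise from committing a regenerated `.aux` and is unrelated to the redaction this commit is meant to perform. Since the paragraph text is visible here, a few source-level fixes for the `.tex`: "it's application location" should be "its", "the followed questions" should be "the following questions", and "will dive us deep into PHP" reads awkwardly (for example "will take us deep into PHP").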
......@@ -66,7 +66,7 @@
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.2.4}Attacks involving other Android apps on the device}{9}}
\@writefile{toc}{\contentsline {paragraph}{We do consider attacks involving other Android apps on the device as minimal risk, also especially considering that the Nextcloud Android apps stores synced files locally accessible on the device. (since no Content Provider is yet implemented).}{9}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.2.5}Denial of Service}{9}}
\@writefile{toc}{\contentsline {paragraph}{Due to the usage of the PHP scripting language Nextcloud does consider Denial of Service not something that can at the moment be completely prevented. For this reason while we do fix and acknowledge specific Denial of Service attacks we do generally not consider DoS a bounty-worthy vulnerability.}{10}}
\@writefile{toc}{\contentsline {paragraph}{Due to the usage of the PHP scripting language Nextcloud does consider Denial of Service not something that can at the moment be completely prevented. For this reason while we do fix and acknowledge specific Denial of Service attacks we do generally not consider DoS a bounty-worthy vulnerability.}{9}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.2.6}Audit logging}{10}}
\@writefile{toc}{\contentsline {paragraph}{The audit logging feature in Nextcloud is at the moment missing some logs for things like "Accessing previews of files", these will be added in a future release and known issues are tracked in our issue tracker.}{10}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.2.7}Version disclosure}{10}}
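Review bot: the paragraphs under 2.2.5 and 2.2.6 are written in Nextcloud's own voice ("while we do fix and acknowledge specific Denial of Service attacks we do generally not consider DoS a bounty-worthy vulnerability", "known issues are tracked in our issue tracker"), but in this report "we" is the authors; as set in a plain `paragraph`, a reader will take these as the report's findings. Set the threat-model text as a quotation with its citation, or rephrase it in the third person ("Nextcloud states that ..."), and do the same for the other 2.2.x items. The only change this hunk actually records is a page shift (10 to 9).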
......@@ -79,12 +79,12 @@
\@writefile{toc}{\contentsline {paragraph}{At the moment we do not consider brute-forcing of credentials or a missing password threshold eligible vulnerabilities. In the case of Nextcloud we currently expect people to protect their instance using measures such as fail2ban. We do have a native anti-bruteforce protection.}{10}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {2.2.11}Server-side request forgery}{10}}
\@writefile{toc}{\contentsline {paragraph}{Nextcloud ships with multiple features that perform sending requests to other hosts, we do consider this accepted behavior and advocate people to deploy Nextcloud into its own segregated network segment.}{10}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.3}How we examined the client software}{10}}
\bibcite{site1}{1}
\bibcite{site2}{2}
\bibcite{site3}{3}
\bibcite{man1}{4}
\bibcite{site4}{5}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.3}How we examined the client software}{11}}
\@writefile{toc}{\contentsline {paragraph}{We used a two-pronged approach. First, we used manual penetration testing to try and "break" the system. Using the web as a source, we were able to find previously successful attack methods (against other systems), and try them against Nextcloud. This gave us examples of malicious javascript and php files that we could try. Additionally, it gave us an idea of how we could attempt to 'hack' Nextcloud. Lastly, we used methods learned throughout the course of how we could compromise Nextcloud.}{11}}
\@writefile{toc}{\contentsline {paragraph}{The second phase involved digging into the source code, and searching for sloppy code that could lead to system breaches. We relied heavily on the Nextcloud Developer's manual--and to a lesser extent Nextcloud's Administrator Manual--for highlighting of best practices, as well as things to be avoided. The amount of code to read was copious. It's understandable why often times security analysis relies on automated software. However, nothing is as good as a few good eyeballs. Additionally, we found it rewarding to work with vi and bash, to allow us to quickly parse through code, that otherwise would have been more laborious without.}{11}}
\@writefile{toc}{\contentsline {paragraph}{Lastly, we tried to balance our tests, against the Nextcloud threat model. It doesn't make sense to bother with things that they, themselves, deem outside of their scope, e.g. DoS attacks, for example.}{11}}
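Review bot: the methodology paragraphs for 2.3 describe the approach ("previously successful attack methods ... try them against Nextcloud", "examples of malicious javascript and php files that we could try") but never list which tests were actually run; the 1.4 conclusion that no vulnerabilities were found is only as reproducible as that list, so the `.tex` should enumerate the concrete test cases, inputs used, and observed outcomes. The 2.2.10 paragraph in this hunk also carries the same first-person voice problem as 2.2.5 ("We do have a native anti-bruteforce protection" is Nextcloud speaking, not the authors). The `\bibcite` lines and the 2.3 page-number move (10 versus 11) are build-output churn.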
......@@ -67,7 +67,7 @@
\author{Rustchev, Rusland and Licea, Esteban}
\author{R********, Rusland and Licea, Esteban}
\begin{document}
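Review bot: the redaction in `\author` is incomplete and inconsistent: only one surname is masked ("R********"), the first name "Rusland" and the second author "Licea, Esteban" are left in full, and the surname spelling here ("Rustchev") does not match the title page ("Rutschev"), so the two places do not even agree on what is being hidden. Decide on one form (for example initials for both authors) and apply it everywhere the names appear. Note also that redacting in a follow-up commit does not remove the data: the parent commit bebb27ef and this very diff still carry the full names and numbers, so if the goal is to remove them from the repository, the history has to be rewritten and force-pushed, not just amended forward.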
......@@ -115,15 +115,15 @@
\begin{minipage}{0.4\textwidth}
\begin{flushleft} \large
\emph{Author:}\\
Ruslan \textsc{Rutschev}\\ (527018)\\ % Your name
Esteban \textsc{Licea}\\ (536206)\\ % Your name
Ruslan \textsc{R*******}\\ (Matr. Nr)\\ % Your name
Esteban \textsc{L****}\\ (Matr. Nr)\\ % Your name
\end{flushleft}
\end{minipage}
~
\begin{minipage}{0.4\textwidth}
\begin{flushright} \large
\emph{Supervisor:} \\
M. Sc. Bruno \textsc{Kirschner} % Supervisor's Name
M. Sc. B**** \textsc{Kirschner} % Supervisor's Name
\end{flushright}
\end{minipage}\\[4cm]
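Review bot: the title-page redaction is partial in the same way as `\author`: surnames become "R*******" and "L****" but the first names stay, the supervisor's first name is masked ("B****") while the surname "Kirschner" is kept, and the replacement "(Matr. Nr)" for the two matriculation numbers is a template placeholder that will print literally in the PDF. Either drop the number line entirely or use a clearly marked placeholder such as "(Matr. Nr redacted)", and mask names uniformly. The leftover template comments (`% Your name`, `% Supervisor's Name`) can be removed as well. As with the `\author` hunk, the original numbers remain recoverable from the parent commit until history is rewritten.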
......@@ -36,15 +36,15 @@
\contentsline {paragraph}{The better code replaces "/" "\textbackslash \textbackslash ", with the "/". This particular vulnerability was scanned with eyeballs, as it was not something that could be easily parsed with a text editor like vi.}{7}
\contentsline {subsubsection}{\numberline {1.3.8}Shell Injection}{7}
\contentsline {paragraph}{Since Nextcloud doesn't offer any type of core abilities that would allow PHP to execute shell commands, we consider this area a low risk. We did search through some elements that could conceivably use shell commands, but they did not. Unless someone codes a particular application that does so, there does not appear to be a threat from this vector.}{7}
\contentsline {subsubsection}{\numberline {1.3.9}Sensitive Data Exposure}{8}
\contentsline {paragraph}{Nextcloud does not store it's application location in a webroot directly, thus it cannot be accessed simply by using a web browser.}{8}
\contentsline {subsubsection}{\numberline {1.3.9}Sensitive Data Exposure}{7}
\contentsline {paragraph}{Nextcloud does not store it's application location in a webroot directly, thus it cannot be accessed simply by using a web browser.}{7}
\contentsline {subsection}{\numberline {1.4}Detailed Findings}{8}
\contentsline {paragraph}{In the end, we were unable to find any security vulnerabilities at this time. For an open source project, Nextcloud is mature, and well developed. With continued development, however, penetration testing will be required periodically. However, at the moment, it appears that Nextcloud has a robust security system in place, that should inspire confidence in it's users.}{8}
\contentsline {section}{\numberline {2}Methodology}{8}
\contentsline {paragraph}{The primary focus of our task was defining the methodology. We asked ourselves the followed questions:}{8}
\contentsline {subsection}{\numberline {2.1}Protocols \& adjacent technologies to be examined}{8}
\contentsline {paragraph}{In defining our scope, we consider all threats, from all attack vectors--across all relevant technologies, which would for this project, include the following areas:}{8}
\contentsline {paragraph}{Predominantly, however, the application under review will dive us deep into PHP.}{9}
\contentsline {paragraph}{Predominantly, however, the application under review will dive us deep into PHP.}{8}
\contentsline {subsection}{\numberline {2.2}Nextcloud Threat-model}{9}
\contentsline {paragraph}{We will, however, mostly focus our attention mostly on Nextcloud's threat model. Following is the model:}{9}
\contentsline {subsubsection}{\numberline {2.2.1}Administrator privileges}{9}
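Review bot: this `.toc` hunk duplicates the page-number-only shifts already seen in the `.aux` (8 to 7, 9 to 8), so committing both generated files doubles the noise of every rebuild; both belong in `.gitignore`. In the paragraph text carried here, "We will, however, mostly focus our attention mostly on Nextcloud's threat model" repeats "mostly", and "scanned with eyeballs" in the 1.3.7 paragraph should state the actual method (manual code review) if it is to stand in a report.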
......@@ -56,7 +56,7 @@
\contentsline {subsubsection}{\numberline {2.2.4}Attacks involving other Android apps on the device}{9}
\contentsline {paragraph}{We do consider attacks involving other Android apps on the device as minimal risk, also especially considering that the Nextcloud Android apps stores synced files locally accessible on the device. (since no Content Provider is yet implemented).}{9}
\contentsline {subsubsection}{\numberline {2.2.5}Denial of Service}{9}
\contentsline {paragraph}{Due to the usage of the PHP scripting language Nextcloud does consider Denial of Service not something that can at the moment be completely prevented. For this reason while we do fix and acknowledge specific Denial of Service attacks we do generally not consider DoS a bounty-worthy vulnerability.}{10}
\contentsline {paragraph}{Due to the usage of the PHP scripting language Nextcloud does consider Denial of Service not something that can at the moment be completely prevented. For this reason while we do fix and acknowledge specific Denial of Service attacks we do generally not consider DoS a bounty-worthy vulnerability.}{9}
\contentsline {subsubsection}{\numberline {2.2.6}Audit logging}{10}
\contentsline {paragraph}{The audit logging feature in Nextcloud is at the moment missing some logs for things like "Accessing previews of files", these will be added in a future release and known issues are tracked in our issue tracker.}{10}
\contentsline {subsubsection}{\numberline {2.2.7}Version disclosure}{10}
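Review bot: the 2.2.4 paragraph's reasoning is internally inconsistent as written: it rates attacks from other Android apps "minimal risk" and then supports that "especially considering that the Nextcloud Android apps stores synced files locally accessible on the device" and "(since no Content Provider is yet implemented)"; files being locally accessible argues for higher, not lower, exposure to co-installed apps, so either a qualifier is missing (for example, stored only in app-private storage) or the conclusion needs restating. Fix the grammar in the `.tex` at the same time ("apps stores" to "app stores", and the stray period before the parenthetical). The hunk itself only records the 2.2.5 page shift (10 to 9).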
......@@ -69,7 +69,7 @@
\contentsline {paragraph}{At the moment we do not consider brute-forcing of credentials or a missing password threshold eligible vulnerabilities. In the case of Nextcloud we currently expect people to protect their instance using measures such as fail2ban. We do have a native anti-bruteforce protection.}{10}
\contentsline {subsubsection}{\numberline {2.2.11}Server-side request forgery}{10}
\contentsline {paragraph}{Nextcloud ships with multiple features that perform sending requests to other hosts, we do consider this accepted behavior and advocate people to deploy Nextcloud into its own segregated network segment.}{10}
\contentsline {subsection}{\numberline {2.3}How we examined the client software}{11}
\contentsline {subsection}{\numberline {2.3}How we examined the client software}{10}
\contentsline {paragraph}{We used a two-pronged approach. First, we used manual penetration testing to try and "break" the system. Using the web as a source, we were able to find previously successful attack methods (against other systems), and try them against Nextcloud. This gave us examples of malicious javascript and php files that we could try. Additionally, it gave us an idea of how we could attempt to 'hack' Nextcloud. Lastly, we used methods learned throughout the course of how we could compromise Nextcloud.}{11}
\contentsline {paragraph}{The second phase involved digging into the source code, and searching for sloppy code that could lead to system breaches. We relied heavily on the Nextcloud Developer's manual--and to a lesser extent Nextcloud's Administrator Manual--for highlighting of best practices, as well as things to be avoided. The amount of code to read was copious. It's understandable why often times security analysis relies on automated software. However, nothing is as good as a few good eyeballs. Additionally, we found it rewarding to work with vi and bash, to allow us to quickly parse through code, that otherwise would have been more laborious without.}{11}
\contentsline {paragraph}{Lastly, we tried to balance our tests, against the Nextcloud threat model. It doesn't make sense to bother with things that they, themselves, deem outside of their scope, e.g. DoS attacks, for example.}{11}
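Review bot: the final 2.3 paragraph uses "e.g." and "for example" for the same item ("e.g. DoS attacks, for example"); keep one. The scoping argument it makes also deserves a sentence of justification in the source: Nextcloud's threat model excludes DoS from bounty eligibility, but bounty eligibility is not the same as risk to an operator, so the report should say explicitly that DoS was excluded from this assessment for that reason rather than implying it is not a concern. The 2.3 heading's page move (11 to 10) is generated-file churn.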