Pen Test on a Raspberry Pi

I recently created a search engine on a Raspberry Pi. This project was successful, but I was curious as to how secure it is. In the real world, if this were a public search engine, it would be behind a firewall. However, how secure is it?
I decided to run a penetration test (web application test) against the Raspberry Pi to see how secure everything was. I was running Raspbian Jessie as the operating system and made sure it was fully updated.

The results of the test were a little concerning. I was leaking information that could allow an attacker to break in with little homework. The information being leaked was the operating system and level, the web server and version, and the PHP version. There were known vulnerabilities in Apache. An attacker could also carry out much more.

Issues encountered

The version of the web server (Apache) happened to be a little old. There were approximately five major flaws that an attacker could take advantage of.

Web folders were browsable.

Clickjacking was possible, which is tricking a user into undertaking an action they are not aware of, for example downloading malware or even getting likes on Facebook.

HttpOnly was not enabled. This flag stops cookies from being accessed through client-side scripts. Of course the browser needs to support this feature (the common ones do).

Response codes were enabled. When you go to a website by following a link and that link no longer exists, you normally receive a 404 error message. This response code of 404 indicates that the page no longer exists. The user should be sent to a generic page as some other codes are more revealing. For example 400 – bad request, 403 – Forbidden, 405 – Method Not Allowed and 500 – Internal Server Error.

How to resolve all these issues.

First off, this is a fully upgraded OS. Well, yes and no.
Raspbian Jessie was at the end of its two-year cycle. Debian, the creators of Raspbian, run their OSes in two-year cycles.
Raspbian Jessie has been superseded by Raspbian Stretch. To move to it, one needs to alter /etc/apt/sources.list. One easy way is
sed -i 's/jessie/stretch/g' /etc/apt/sources.list
Then re-run the upgrade. This upgraded the OS plus all other packages. Apache was also upgraded.
Next on the list was to resolve some web server configuration issues.
Editing the file /etc/apache2/apache2.conf, one could see a block like the following.

<Directory /var/www/>
     Options Indexes FollowSymLinks
     AllowOverride None
     Require all granted
</Directory>

Removing the word “Indexes” stops web directories from being browsable.
To limit what the server reveals about its type and version (hiding the OS, PHP and Apache versions), these two lines were added at the end:
ServerTokens ProductOnly
ServerSignature Off


The last addition to the file was the following, to increase security a bit more:
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "DENY"
Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"

The next file to modify was /etc/apache2/conf-available/security.conf. The line already existed but was commented out, so I uncommented Header always append X-Frame-Options "SAMEORIGIN".

To enable this, one needs to run the following command:
a2enmod headers

On the PHP webpage I added header("Set-Cookie: hidden=value; httpOnly");

Finally, stopping and restarting the web service:
sudo service apache2 restart

The test was redone, and only some informational alerts remained.

(NOTE: Not all solutions were shown, only major ones.)
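
The re-test described above can also be scripted for the specific issues on this page. The following is an added example, not code from the original post: a Python function that audits one raw HTTP response (for instance the output of curl -si) for version leaks, missing headers, cookies without HttpOnly and directory listings. The function name audit_response and both sample responses are constructed for illustration.

```python
import re

def audit_response(raw):
    """Return a list of findings for one raw HTTP response (headers + body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}  # lower-cased header name -> list of values (repeats kept)
    for line in head.split("\n")[1:]:  # [1:] skips the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    findings = []
    for server in headers.get("server", []):
        # ServerTokens ProductOnly sends just "Apache"; digits or "(OS)" leak detail
        if re.search(r"\d|\(", server):
            findings.append("version leak in Server: " + server)
    for powered in headers.get("x-powered-by", []):
        findings.append("version leak in X-Powered-By: " + powered)
    if "nosniff" not in [v.lower() for v in headers.get("x-content-type-options", [])]:
        findings.append("X-Content-Type-Options nosniff missing")
    # The page sets this header in two files; flag it if two policies reach the client
    xfo = {p.strip().upper() for v in headers.get("x-frame-options", [])
           for p in v.split(",")}
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif len(xfo) > 1:
        findings.append("conflicting X-Frame-Options: " + ", ".join(sorted(xfo)))
    for cookie in headers.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            findings.append("cookie without HttpOnly: " + cookie.split("=")[0])
    if re.search(r"<title>Index of /", body, re.I):  # mod_autoindex page title
        findings.append("directory listing enabled")
    return findings

# Constructed sample responses (not captured from the author's Pi)
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Server: Apache/2.4.0 (Raspbian)\r\n"
          "X-Powered-By: PHP/5.0.0\r\n"
          "Set-Cookie: hidden=value\r\n\r\n"
          "<html><head><title>Index of /images</title></head></html>")
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Server: Apache\r\n"
         "X-Content-Type-Options: nosniff\r\n"
         "X-Frame-Options: DENY\r\n"
         "Set-Cookie: hidden=value; httpOnly\r\n\r\n"
         "<html><body>search</body></html>")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(raw))
```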