Content for TS 33.117 Word version: 17.1.0
4.3.4 Web Servers p. 84
4.3.4.1 General p. 84
Hardening requirements for Web servers of this section are well covered also by external sources, such as Center for Internet Security (CIS) benchmarks <https://benchmarks.cisecurity.org/index.cfm>. It is highly recommended to consult e.g. CIS, for the purpose of using automatic testing tools, for product-specific considerations, and for manual auditing, when testing the below listed requirements. If and when such mapping of requirements is used, i.e. to those of an external source, it needs to be well verified and documented that they cover the requirements of this section.
4.3.4.2 No system privileges for web server p. 84
Requirement Name:
No system privileges for web server.
Requirement Description:
No web server processes shall run with system privileges. This is best achieved if the web server runs under an account that has minimum privileges. If a process is started by a user with system privileges, execution shall be transferred to a different user without system privileges after the start.
Test Case:
Test Name:
TC_NO_SYSTEM_PRIVILEGES_WEB_SERVER
Purpose:
Verify that the Web server is not run under system privileges.
Procedure and execution steps:
Pre-Conditions:
- The tester has needed administrative privileges.
- A tester machine is available.
- Recommended: an automatic assessment tool has been configured /script adapted in line with the Requirement Description.
- Check that no web server processes runs with system privileges. Check that this is the case even for processes that may have been started by a user with system privileges.
- Check that relevant system settings and configurations are correct to ensure fulfilment of the requirement.
- There are no findings of processes that run with system privileges.
- System settings have been found correctly set to ensure that no processes will run with system privileges.
A testing report provided by the testing agency which will consist of the following information:
- Log files and screen shots of test executions
- Test result (Passed or not)
4.3.4.3 No unused HTTP methods p. 85
Requirement Name:
Unused HTTP methods shall be deactivated.
Requirement Description:
HTTP methods that are not required shall be deactivated. Standard requests to web servers only use GET, HEAD, and POST. If other methods are required, they shall not introduce security leaks such as TRACK or TRACE.
Test Case:
TBA
Test Name:
TC_NO_UNUSED_HTTP_METHODS
Purpose:
Verify that the Web server has deactivated all HTTP methods that are not required.
Procedure and execution steps
Pre-Conditions:
- The tester has needed administrative privileges.
- A tester machine is available.
- Recommended: an automatic assessment tool has been configured / script adapted in line with the Requirement Description.
- Check that relevant system settings and configurations are correct to ensure fulfilment of the requirement.
- System settings and configurations have been found adequately set, in all Web components of the system, to ensure that unneeded HTTP methods are deactivated.
A testing report provided by the testing agency which will consist of the following information:
- Log files and screen shots of test executions
- Test result (Passed or not)
4.3.4.4 No unused add-ons p. 85
Requirement Name:
Any add-ons and components that are not required shall be deactivated.
Requirement Description:
All optional add-ons and components of the web server shall be deactivated if they are not required. In particular, CGI or other scripting components, Server Side Includes (SSI), and WebDAV shall be deactivated if they are not required.
Test Case:
Test Name:
TC_NO_UNUSED_ADD-ONS
Purpose:
To verify that the Web server has deactivated unneeded add-ons and unneeded scripting components.
Procedure and execution steps
Pre-Conditions:
- The vendor has supplied a list of add-ons or scripting tools for Web server components needed for system operation, and that therefore need to be exempted from the test investigation.
- The tester has administrative privileges.
- A tester machine is available.
- Recommended: an automatic assessment tool has been configured / script adapted in line with the Requirement Description.
- Check that the web server is only running and listening on known ports (e.g. tcp port 80 and/or 443). Check that CGI or other scripting components, Server Side Includes (SSI), and WebDAV are deactivated if they are not required. See also guidance under clause 4.3.4.12.
- Check that nothing else has been installed than the web server.
- Check that relevant system settings and configurations are correct to ensure fulfilment of the requirement.
- System settings and configurations have been found adequately set, in all Web components of the system, to ensure that all unneeded add-ons or script components are deactivated.
A testing report provided by the testing agency which will consist of the following information:
- Log files and screen shots of test executions.
- Test result (Passed or not).
4.3.4.5 No compiler, interpreter, or shell via CGI or other server-side scripting p. 86
Requirement Name:
No compiler, interpreter, or shell via CGI or other server-side scripting.
Requirement Description:
If CGI (Common Gateway Interface) or other scripting technology is used, the CGI directory - or other corresponding scripting directory - shall not include compilers or interpreters (e.g. PERL interpreter, PHP interpreter/compiler, Tcl interpreter/compiler or operating system shells).
Test Case:
Test Name:
TC_NO_COMPILER_FOR_CGI
Purpose:
To verify that the Web server has deactivated unneeded add-ons and unneeded scripting components.
Procedure and execution steps
Pre-Conditions:
- The tester has administrative privileges
- A tester machine is available.
- Recommended: an automatic assessment tool has been configured /script adapted in line with the Requirement Description.
- Check that there are no compilers or interpreters (e.g., PERL interpreter, PHP interpreter/compiler, Tcl interpreter/compiler or operating system shells) in the directory/directories used for CGI or for other scripting tools (including PERL, PHP, and others).
- Check that relevant system settings and configurations are correct to ensure fulfilment of the requirement.
- System settings and configurations have been found adequately set, in all Web components of the system, to ensure that all unneeded add-ons or script components are deactivated.
A testing report provided by the testing agency which will consist of the following information:
- Log files and screen shots of test executions
- Test result (Passed or not)
4.3.4.6 No CGI or other scripting for uploads p. 87
Requirement Name:
No CGI or other scripting for uploads.
Requirement Description:
If CGI or other scripting technology is used, the associated CGI/script directory shall not be used for uploads.
Test Case:
Test Name:
TC_NO_CGI_OR_SCRIPTING_FOR_UPLOADS
Purpose:
To test whether the upload directory is equal to the CGI/Scripting directory.
Procedure and execution steps:
Pre-Condition:
If the web server is configured with CGI/Scripting on, this test applies.
Execution Steps
Execute the following steps:
The tester checks whether the upload directory is configured to be different from the CGI/Scripting directory.
Expected Results:
The configured upload directory is different from the CGI/Scripting directory.
Additional evidence might be provided that shows that the web server has no write rights for the CGI/Scripting directory.
Expected format of evidence:
A part of the configuration file / screenshot of the configuration showing that the web server is properly configured.
4.3.4.7 No execution of system commands with SSI p. 87
Requirement Name:
No execution of system commands with SSI.
Requirement Description:
If Server Side Includes (SSI) is active, the execution of system commands shall be deactivated.
Test Case:
Test Name:
TC_NO_EXECUTION_OF_SYSTEM_COMMANDS
Purpose:
To test whether it is possible to use the exec directive and if so, whether it can be used for system commands.
Procedure and execution steps:
Pre-Condition:
If the web server is configured with SSI active, this test applies.
Execution Steps
Execute the following steps:
The tester checks whether execution of system commands is disabled in the web server configuration.
Expected Results:
For example, a configuration file that shows that the IncludesNOEXEC (APACHE) or ssiExecDisable (IIS) is set.
Expected format of evidence:
A part of the configuration file / screenshot of the configuration showing that the web server is properly configured.
4.3.4.8 Access rights for web server configuration p. 88
Requirement Name:
Access rights for web server configuration files shall only be granted to the owner of the web server process or to a user with system privileges.
Requirement Description:
Access rights for web server configuration files shall only be granted to the owner of the web server process or to a user with system privileges. Implementation example: Delete "read" and "write" access rights for "others." Only grant "write" access to the user who configures the web server.
Test Name:
Test Case:
TC_ACCESS_RIGHTS_WEB_SERVER_FILES
Purpose:
To verify that the access rights for Web server configuration files are correctly set.
Procedure and execution steps
Pre-Conditions:
- The tester has administrative privileges
- A tester machine is available.
- Recommended: an automatic assessment tool has been configured / script adapted in line with the Requirement Description.
- Check the access rights settings for Web server system configuration files.
- Check that relevant system settings and configurations are correct to ensure fulfilment of the requirement.
- Access rights for system configuration files are adequately set.
A testing report provided by the testing agency which will consist of the following information:
- Log files and screen shots of test executions
- Test result (Passed or not)
4.3.4.9 No default content p. 89
Requirement Name:
Default content shall be removed.
Requirement Description:
Default content (examples, help files, documentation, aliases) that is provided with the standard installation of the web server shall be removed.
Test Case:
Test Name:
TC_NO_DEFAULT_CONTENT
Purpose:
To verify that there is no default content on the web server, that is not needed for web server operation, since such default content can be useful for an attacker.
Procedure and execution steps
Pre-Conditions:
- The tester has needed administrative privileges
- A tester machine is available.
- Recommended: an automatic assessment tool has been configured / script adapted in line with the Requirement Description.
- Check that all default content (examples, help files, documentation, aliases) that is provided with the standard installation of the web server has been removed.
- No default content (examples, help files, documentation, aliases, un-needed directories or manuals) has been found to remain on any Web server component.
A testing report provided by the testing agency which will consist of the following information:
- Log files and screen shots of test executions.
- Test result (Passed or not).
4.3.4.10 No directory listings p. 89
Requirement Name:
No directory listings / Directory Browsing.
Requirement Description:
Directory listings (indexing) / "Directory browsing" shall be deactivated.
Test Case:
Test Name:
TC_NO_DIRECTORY_LISTINGS
Purpose:
To verify that Directory listings / Directory browsing has been deactivated in all Web server components.
Procedure and execution steps
Pre-Conditions:
- The tester has administrative privileges
- A tester machine is available.
- Recommended: an automatic assessment tool has been configured / script adapted in line with the Requirement Description.
- Check that Directory listings (indexing) / "Directory browsing" has been deactivated in all Web server components.
- Evidence that Directory listing / Directory browsing has been deactivated in all Web server components.
A testing report provided by the testing agency which will consist of the following information:
- Log files and screen shots of test executions
- Test result (Passed or not)
4.3.4.11 Web server information in HTTP headers p. 90
Requirement Name:
Information about the web server in HTTP headers shall be minimized.
Requirement Description:
The HTTP header shall not include information on the version of the web server and the modules/add-ons used.
Test Case:
Test Name:
TC_NO_WEB_SERVER_HEADER_INFORMATION
Purpose:
To verify that HTTP headers do not include information on the version of the web server and the modules/add-ons used.
Procedure and execution steps
Pre-Conditions:
- The tester has administrative privileges
- A tester machine is available.
- Recommended: an automatic assessment tool has been configured / script adapted in line with the Requirement Description.
- Check that HTTP headers do not include information on the version of the web server and the modules/add-ons used.
- Evidence that HTTP headers do not include information on the version of the web server and the modules/add-ons used.
A testing report provided by the testing agency which will consist of the following information:
- Log files and screen shots of test executions
- Test result (Passed or not)
4.3.4.12 Web server information in error pages p. 91
Requirement Name:
Web server information in error pages shall be deleted.
Requirement Description:
User-defined error pages shall not include version information about the web server and the modules/add-ons used. Error messages shall not include internal information such as internal server names, error codes, etc. Default error pages of the web server shall be replaced by error pages defined by the vendor.
Test Case:
Test Name:
TC_NO_WEB_SERVER_ERROR_PAGES_INFORMATION
Purpose:
To verify that error pages and error messages do not include information about the web server.
Procedure and execution steps
Pre-Conditions:
- The tester has needed administrative privileges.
- A tester machine is available.
- Recommended: an automatic assessment tool has been configured / script adapted in line with the Requirement Description.
- Check that generated error pages and error messages do not include information about the web server.
- Evidence that generated error pages and error messages do not include information about the web server.
A testing report provided by the testing agency which will consist of the following information:
- Log files and screen shots of test executions
- Test result (Passed or not)
4.3.4.13 Minimized file type mappings p. 92
Requirement Name:
File type- or script-mappings that are not required shall be deleted.
Requirement Description:
File type- or script-mappings that are not required shall be deleted, e.g. php, phtml, js, sh, csh, bin, exe, pl, vbe, vbs.
Test Case:
Test Name:
TC_NO_WEB_SERVER_FILE_TYPE MAPPINGS
Purpose:
To verify that file type- or script-mappings that are not required have been deleted.
Procedure and execution steps
Pre-Conditions:
- The tester has needed administrative privileges.
- A tester machine is available.
- Recommended: an automatic assessment tool has been configured / script adapted in line with the Requirement Description.
- Check that all file type- or script-mappings that are not required have been deleted.
- Evidence that all file type- or script-mappings, that are not required, have been deleted.
A testing report provided by the testing agency which will consist of the following information:
- Log files and screen shots of test executions
- Test result (Passed or not)
4.3.4.14 Restricted file access p. 92
Requirement Name:
The web server shall only deliver files which are meant to be delivered.
Requirement Description:
Restrictive access rights shall be assigned to all files which are directly or indirectly (e.g. via links or in virtual directories) in the web server's document directory. In particular, the web server shall not be able to access files which are not meant to be delivered.
Test Case:
Test Name:
TC_RESTRICTED_FILE_ACCESS
Purpose:
To test whether the restrictive access rights are assigned to all files which are directly or indirectly in the web server's document directory and to verify whether path traversal is made improbable.
Procedure and execution steps:
Pre-Condition:
- The web server is configured according to the manual
Execute the following steps:
Expected Results:
-
The tester verifies that access rights on the servable content (meaning directories and files) is set to the following:
- The files are owned by the user that runs the web server;
- The files are not writable to others, except the web server's account;
- The tester verifies that the user running the web server is an unprivileged account;
- For Operating Systems that have chrooted environments, the tester verifies that the web server runs inside a jail or chrooted environment.
- Name of user running the web server with the privileges of the account;
- Access rights of files and directories that the web server serves;
- Configuration that shows that the web server is in a chrooted environment.
A part of the configuration file / screenshot of the configuration showing that the web server, the file access rights and the account running the web server is properly configured.
4.3.4.15 Void
4.3.5 Network Devices p. 93
4.3.5.1 Traffic Separation p. 93
Requirement Name:
Traffic Separation
Requirement Description:
The network product shall support physical or logical separation of traffic belonging to different network domains. For example, O&M traffic and control plane traffic belong to different network domains. See RFC 3871 for further information.
Security Objective references:
tba.
Test case:
Test Name:
TC_TRAFFIC_SEPARATION
Purpose:
To test whether traffic belonging to different network domains is separated.
Procedure and execution steps:
Pre-Condition:
The network product has at least two separate (logical) interfaces dedicated to different network domains. Network products for which the test applies and that fail to meet this precondition fail the test by definition.
Execution Steps
Execute the following steps:
Expected Results:
- The tester checks whether the network product refuses traffic intended for one network domain on all interfaces meant for the other network domain, and vice versa.
- Step 1 is to be performed for all pairs of different network domains.
The two tests should be successful.
Expected format of evidence:
A PASS or FAIL.
4.3.6 Network Functions in service-based architecture |R16| p. 94
4.3.6.1 Introduction p. 94
The purpose of the sub-clauses in 4.3.6 is to identify and describe the hardening related requirements for all Network Function (NF) within the 5G Core (5GC) utilizing Service-Based Interfaces (SBI) and the corresponding test cases.
4.3.6.2 No code execution or inclusion of external resources by JSON parsers p. 94
Requirement Name:
No code execution or inclusion of external resources by JSON parsers.
Requirement Description:
Parsers used by Network Functions (NF) shall not execute JavaScript or any other code contained in JSON objects received on Service Based Interfaces (SBI). Further, these parsers shall not include any resources external to the received JSON object itself, such as files from the NF's filesystem or other resources loaded externally.
Threat References:
TR 33.926, clause 6.3.2.1, JSON Parser Exploits
Test Case:
Test Name:
TC_JSON_PARSER_CODE_EXEC_INCL
Purpose:
NFs implementing SBI transfer application data serialized as JSON objects. When receiving such data, an NF parses this JSON representation and creates equivalent internal data structures. Since the contents of the JSON objects must be considered untrusted, blindly executing code fragments or loading resources from a local path or Uniform Resource Identifier (URI) must not be possible.
Procedure and execution steps:
Pre-Conditions:
- The tester has the privileges to log in the network product and to access to the all system resources (e.g. log files)
- A list of all available network services containing at least the following information shall be included in the documentation accompanying the Network Product:
- all interfaces providing IP-based protocols;
- the available transport layer protocols on these interfaces;
- their open ports and associated services in the form of an OpenAPI3.0 interface specification;
- The tester should have access to an effective Web Application Security (WAS) test tool that allows to generate HTTP messages exploiting JSON parsers that do not prevent the above-mentioned scenarios of code execution and loading external resources. The accredited test lab is expected to have sufficient expertise to recognize the level of effectiveness of the available tools.
- A network traffic analyser on the network product (e.g. TCPDUMP) or an external traffic analyser directly connected to the network product and on a tester machine is available.
- Execution of available WAS test tools against the network product's API endpoints via its Service Based Interfaces.
- Using a network traffic analyser on the network product, e.g. TCPDUMP or an external traffic analyser directly connected to the network product, the tester verifies that no external resources get loaded during JSON parsing.
- Depending on the actual JavaScript code in the HTTP message, the tester verifies that the network product does not execute any of the contained actions.
- The NF does not load any resources external to the JSON object itself.
- The NF does not execute any JavaScript code contained in JSON objects.
A testing report provided by the testing agency which will consist of the following information:
- The used tool(s) name and version information
- Settings and configurations used
- The output log file of the chosen tool that displays the results (passed/failed).
- Screenshot
- Test result (Passed or not)
4.3.6.3 Unique key values in IEs p. 95
Requirement Name:
Validation of the unique key values in IEs.
Requirement Reference:
Clause 6.2 of TS 29.501 Principles and Guidelines for Services Definition.
Requirement Description:
"For data structures where values are accessible using names (sometimes referred to as keys), e.g. a JSON object, the name shall be unique. The occurrence of the same name (or key) twice within such a structure shall be an error and the message shall be rejected".
Threat References:
TR 33.926, clause 6.3.2.2, JSON Parser not Robust
Test Case:
Purpose:
Verify that the API implementation fullfills the requirements as specified in TS 29.501, clause 6.2.
Pre-Conditions:
Test environment with network product under test. Rest of the network and network products may be simulated.
Execution Steps
- The test equipment sends requests with duplicate keys in message IE payload to the network product under test.
- The test equipment sends valid requests to network product under test
- Network product under tests responses with an error message
- Network product under test still responses normally to valid requests
- A testing report provided by the testing agency which will consist of the following information:
- The used tool(s) name and version information,
- Settings and configurations used
- The output log file of the chosen tool that displays the results (passed/failed).
- Test result (Passed or not)
- Log/evidence tracing possible crashes
- Information of any input causing unspecified, undocumented, or unexpected behaviour
4.3.6.4 The valid format and range of values for IEs p. 96
Requirement Name:
Validation of the IEs limits.
Requirement Reference:
Clause 6.2 of TS 29.501 Principles and Guidelines for Services Definition.
Requirement Description:
"The valid format and range of values for each IE, when applicable, shall be defined unambiguously:
- For each message the number of leaf IEs shall not exceed 16000.
- The maximum size of the JSON body of any HTTP request shall not exceed 2 million bytes.
- The maximum nesting depth of leaves shall not exceed 32."
Threat References:
TR 33.926, clause 6.3.2.2, JSON Parser not Robust
Test Case:
Purpose:
Verify that the API implementation fullfills the requirements as specified in TS 29.501, clause 6.2.
Pre-Conditions:
Test environment with network product under test. Rest of the network may be simulated.
Execution Steps
-
The test equipment sends requests with out of bounds IEs towards the network product under test.
Expected Results:
- Network product under tests responses with an error message.
A testing report provided by the testing agency which will consist of the following information:
- The used tool(s) name and version information,
- Settings and configurations used.
- The output log file of the chosen tool that displays the results (passed/failed).
- Test result (Passed or not).
- Log/evidence tracing possible crashes.
- Information of any input causing unspecified, undocumented, or unexpected behaviour.
