2. Who Am I?
Name: Richard Peter Ong a.k.a. Arpee
Work: Lead Developer, Internal
Projects at SysIQ Inc.
Open Source
Affiliations:
a.)core developer, MiaCMS
3. Who Are you?
â PHP Developers/Programmers
â L/U/W AMP SysAdmins
â IT Managers and Practitioners
â Geeks and hackers..
4. Scope and Coverage:
â Securing a Basic U/L AMP
Server
â Web Application Attacks
Description, Samples and
Prevention
5. WHAT IS A WEB APPLICATION?
â Any application that is served
commonly via http or https
protocol
â Usually being served from a
remote computer acting as a
host/server
6. WHAT IS SECURITY?
â Is a State of being free from
damage and being compromised
â Is a condition of being
protected against danger or loss
7. Levels of WebApp Security:
â Server Level
â Application Level
8. Server Level Security:
â The Box(es) (physical or
virtual server(s))
â httpd (Apache)
â mysqld (MySQL)
â PHP
10. Filesystem::
File Ownership and Permission
â Folders should be 0755
â Files should be 0644
â Files and Folders under
Document Root should be
owned by the Apache User
â 666 is evil, in the web
world well, so as 777.
11. Filesystem::
How to Set Permissions
â Folders
chmod 0755 {directory}
â Files
chmod 0644 {files}
13. Firewall::
Opened Ports
â Port 80 Web/Http
â Port 443 Web/Https
â Port 21 FTP
â Port 22 SSH
â Port 25 SMTP (outgoing)
â Port 110 POP (inbound)
â Port 3306 MySQL Daemon
14. Secure httpd (Apache):
â Set an apache user
â Do not run apache as root
rd
â 3 Party Tools:
â ModSecurity
http://www.modsecurity.org/
15. Secure the mysqld (MySQL):
â Set root(admin) password
â Rename the root(admin)
account
â Restrict Network Access
â Use SSH Tunneling/Port
Forwarding if necessary
16. MySQL::
Set Admin Password
mysql -u root
mysql> SET PASSWORD FOR
root@localhost=PASSWORD('passw
ord');
mysql> FLUSH PRIVILEGES;
17. MySQL::
Change Admin Username
mysql -u root -p{PASSWORD}
mysql> update user set
user=quot;mydbadminquot; where
user=quot;rootquot;;
mysql> FLUSH PRIVILEGES;
18. MySQL::
Why Restrict Network Access?
âUsually only your web
application needs access to
MySQL Server, NOTHING ELSE.
19. MySQL::
How to Restrict Network Access?
â Open my.cnf
â Add skip-networking
parameter to mysqld or
mysqld_safe (depending which
you are using)
20. MySQL::
How to tunnel mysql via ssh?
ssh -N -f -L 3306:localhost:3306 user@mysql_server.com
N Do not execute command (useful
for port forwarding only)
f Run in background
L (port:host:hostport)
22. PHP::
Functions to disable
â Exec() - executes a command
â Passthru() - execute a
command and display raw output
23. PHP::
Register Globals
â DO NOT ENABLE
register_globals
â Write your apps to use
SuperGlobals instead in
initializing variables and its
values whenever necessary.
($_GET, $_POST, $_REQUEST and
$_SERVER)
24. PHP::
allow_url_fopen, allow_url_include
â Allow_url_fopen if set to
on, allows treatment of URLs
as files
â Allow_url_include - if set
to on, allows include/require
to open URLs (like http:// or
ftp://) as files.
27. Application Level Security::
Remote File Inclusion
Attack Description
A Remote File Inclusion is a
type of attack where an
Remote File attacker executes a php
Inclusion script of his liking against
the target web application
28. Application Level Security::
Remote File Inclusion
Attack Possible Damage
â Expose/Modiy variable
values of the script doing
Remote File the include()
Inclusion â Expose stored credentials
eg. MySQL user/pass from a
webapp configuration file
29. Application Level Security::
Remote File Inclusion
Attack Vectors
â User-controllable value of
Remote File
variable called by
Inclusion
include() or require()
30. Application Level Security::
Remote File Inclusion
Attack Prevention
â Disable register_globals
â Disable allow_url_fopen
Remote File â Disable allow_url_include
Inclusion â Do not include() from a
dynamic variable with
user controllable value
31. Application Level Security::
Form Spoofing
Attack Description
A type of an attack where
an HTML Form is mimicked
Form Spoofing or copied and then
submitted from a location
different from the original
32. Application Level Security::
Form Spoofing
Attack Possible Damage
â Bypass client-side
validation
â Mass data insertion
Form Spoofing
resulting to flood (eg.
Flooded guestbooks, forum
boards etc.)
33. Application Level Security::
Form Spoofing
Attack Vectors
â No Form Tokens present,
thus all requests thrown
Form Spoofing
to the accepting script is
considered valid
35. Application Level Security::
XSS
Attack Description
Cross-Site scripting is a type
of attack where an attacker
inserts html code into the
html output of the
webapplication, usually a
XSS client-side code such as
javascript. The injected
html/js code script is then
executed on the user browsers
visiting the infiltrated web
application
36. Application Level Security::
XSS
Attack Possible Damage
â Steal/Fixate browser
cookies and direct to
another page
XSS â Redirect user to another
page
â Mess up a format of web
application page
38. Application Level Security::
XSS
Attack Prevention
â Do Not Trust User Input
Is not enough, I say,
XSS
Make User Input Trustable
â Filter incoming data
39. Application Level Security::
CSRF
Attack Description
Cross-Site Request
Forgery is a type of
attack where an attacker
CSRF forces an unknowing
victim into making
(malicious) http
requests
40. Application Level Security::
CSRF
Attack Possible Damage
â Make victim execute an
operation without his
knowledge on a web
CSRF application while being
validy authenticated (eg.
Change Account details,
logout, spam etc.
41. Application Level Security::
CSRF
Attack Vectors
â XSS Vulnerabilities
â Untokenized forms
CSRF â Usage of $_GET for
operations where $_POST
may be best suited
42. Application Level Security::
CSRF
Attack Prevention
â Use $_POST instead of $_GET
and/or $_REQUEST
CSRF â Filter incoming data
â Tokenize
43. Application Level Security::
SQL Injection
Attack Description
An SQL Injection is an
attack where an attacker
is able to execute
SQL Injection arbitrary sql code
against the database
44. Application Level Security::
SQL Injection: Basic Sample
//legit
$sort = 'ASC';
//malicious injection?
$sort = '; TRUNCATE POSTS';
//actual query
$query = quot;SELECT * FROM posts ORDER BY
date_entered $sortquot;;
// Output Query: uh-oh!
SELECT * FROM posts ORDER BY
date_entered; TRUNCATE POSTS
45. Application Level Security::
SQL Injection
Attack Possible Damage
â Corrupt data by executing
truncate()
SQL Injection â Alter current DB data (eg.
Change admin password)
46. Application Level Security::
SQL Injection
Attack Vectors
â Dynamic queries getting
SQL Injection values from unsanitized
user-submitted data
48. Application Level Security::
Session Hijacking
Attack Description
Session Hijacking is an
attack where an attacker
impersonates a legitimate
Session user(commonly the
Hijacking administrator) that is
currently logged in on the
web application
49. Application Level Security::
Session Hijacking
Attack Possible Damage
â Attacker gaining
Session administrator privileges,
Hijacking damage/threat is highly
serious.
50. Application Level Security::
Session Hijacking
Attack Vectors
â Session ID Fixation via XSS
â Web Application is not going
Session thru HTTPS and therefore
Hijacking sniffable
â Session id is not
regenerated when necessary
51. Application Level Security::
Session Hijacking
Attack Prevention
â Protect Site against XSS
attacks (Fixation
avoidance only)
â Regenerate SID whenever
Session necessary and do not
Hijacking trust user-specified
session id
â Deliver the web app
Over HTTPS to avoid
getting sniffed
52. In a nutshell:
â The Server Level is part of the Web
Application. It is necessary to Secure
the Server as well. 30% of Web
Application Attacks are still suffered
by the Server.
â Do not Trust User Input is not
enough, Make User Input TRUSTABLE by
filtering methods before they undergo
processing.
â Tokenize your forms whenever necessary
â Use SSL Layer (via https) in dealing
with highly sensitive data to avoid
being sniffed or captured .