web application security

Web Application Security by Example (for LAMP)Arpee Ong

Who Am I?

Name: Richard Peter Ong a.k.a. Arpee

Work: Lead Developer, Internal Projects at SysIQ Inc.

Open Source Affiliations: a.)core developer, MiaCMS

Who Are you?

✔ PHP Developers/Programmers✔ L/U/W AMP SysAdmins✔ IT Managers and Practitioners✔ Geeks and hackers..

Scope and Coverage:

●Securing a Basic U/L AMP Server

●Web Application Attacks Description, Samples and Prevention

WHAT IS A WEB APPLICATION?

✔ Any application that is served commonly via http or https protocol✔ Usually being served from a remote computer acting as a host/server

WHAT IS SECURITY?

✔ Is a State of being free from damage and being compromised✔ Is a condition of being protected against danger or loss

Levels of WebApp Security:

✔ Server Level✔ Application Level

Server Level Security:

✔ The Box(es) (physical or virtual server(s))✔ httpd (Apache)✔ mysqld (MySQL)✔ PHP

Secure the Box:

✔ Filesystem✔ Firewall

Filesystem:: File Ownership and Permission

✔ Folders should be 0755✔ Files should be 0644✔ Files and Folders under Document Root should be � owned� by the Apache User✔ 666 is evil, in the web world � well, so as 777.

Filesystem:: How to Set Permissions

✔ Folders

✔ Files

chmod 0755 {directory}

chmod 0644 {files}

Filesystem:: How to Set Ownership

✔ Files/Folders

chown -R {apache_user} {document_root}

Firewall::Opened Ports

✔ Port 80 � Web/Http ✔ Port 443 � Web/Https ✔ Port 21 � FTP✔ Port 22 � SSH✔ Port 25 � SMTP (outgoing)✔ Port 110 � POP (inbound)✔ Port 3306 � MySQL Daemon

Secure httpd (Apache):

✔ Set an apache user✔ Do not run apache as root✔ 3rd Party Tools:

✔ ModSecurity http://www.modsecurity.org/

http://www.modsecurity.org/

Secure the mysqld (MySQL):

✔ Set root(admin) password✔ Rename the root(admin) account✔ Restrict Network Access✔ Use SSH Tunneling/Port Forwarding if necessary

MySQL::Set Admin Password

mysql -u rootmysql> SET PASSWORD FOR root@localhost=PASSWORD('password');mysql> FLUSH PRIVILEGES;

MySQL::Change Admin Username

mysql -u root -p{PASSWORD}mysql> update user set user="mydbadmin" where user="root";mysql> FLUSH PRIVILEGES;

MySQL::Why Restrict Network Access?

✔ Usually only your web application needs access to MySQL Server, NOTHING ELSE.

MySQL::How to Restrict Network Access?

✔ Open my.cnf✔ Add � skip-networking� parameter to mysqld or mysqld_safe (depending which you are using)

MySQL::How to tunnel mysql via ssh?

ssh -N -f -L 3306:localhost:3306 user@mysql_server.com

N � Do not execute command (useful for port forwarding only) f � Run in backgroundL � (port:host:hostport)

Secure php.ini (PHP):

✔ disable_functions✔ register_globals=off✔ allow_url_fopen=on/off✔ allow_url_include=off✔ 3rd Party Tools:

✔ Suhosinhttp://www.hardened-php.net/suhosin/

http://www.hardened-php.net/suhosin/

PHP::Functions to disable

✔ Exec() - executes a command✔ Passthru() - execute a command and display raw output

PHP::Register Globals

✔ DO NOT ENABLE register_globals✔ Write your apps to use SuperGlobals instead in initializing variables and its values whenever necessary. ($_GET, $_POST, $_REQUEST and $_SERVER)

PHP::allow_url_fopen, allow_url_include

✔ Allow_url_fopen � if set to on, allows treatment of URLs as files✔ Allow_url_include - if set to on, allows include/require to open URLs (like http:// or ftp://) as files.

PHP::misuse of register_globals, allow_url_fopen, allow_url_includealtogether >>

✔ SEE � remote file inclusion� attacks..

Application Level Security::Attack Samples and Prevention

✔ Remote File Inclusion✔ Form Spoofing✔ XSS � (Cross-Site Scripting)✔ CSRF � (Cross-Site Request Forgery)✔ SQL Injection✔ Session Fixation

Attack Description

Remote File Inclusion

Application Level Security::Remote File Inclusion

A Remote File Inclusion is a type of attack where an attacker executes a php script of his liking against the target web application

Attack Possible Damage



● Expose/Modiy variable values of the script doing the include()

● Expose stored credentials eg. MySQL user/pass from a webapp configuration file

Attack Vectors



● User-controllable value of variable called by include() or require()

Attack Prevention


● Disable register_globals● Disable allow_url_fopen● Disable allow_url_include● Do not include() from a dynamic variable with user controllable value


Attack Description

Form Spoofing

Application Level Security::Form Spoofing

A type of an attack where an HTML Form is � mimicked� or copied and then submitted from a location different from the original


Form Spoofing


● Bypass client-side validation

● Mass data insertion resulting to � flood� (eg. Flooded guestbooks, forum boards etc.)

Attack Vectors

Form Spoofing


● No Form Tokens present, thus all requests thrown to the accepting script is considered valid

Attack Prevention

Form Spoofing● Tokenize the form● [optional]Check Referrer


Attack Description

XSS

Application Level Security::XSS

Cross-Site scripting is a type of attack where an attacker inserts html code into the html output of the webapplication, usually a client-side code such as javascript. The � injected� html/js code script is then executed on the user browsers visiting the infiltrated web application


XSS


● Steal/Fixate browser cookies and direct to another page

● Redirect user to another page

● Mess up a format of web application page

Attack Vectors

XSS


● Unfiltered input forms

Attack Prevention

XSS

● � Do Not Trust User Input�Is not enough, I say, � Make User Input Trustable�● Filter incoming data


Attack Description

CSRF

Application Level Security::CSRF

Cross-Site Request Forgery is a type of attack where an attacker forces an unknowing victim into making (malicious) http requests


CSRF


● Make victim execute an operation without his knowledge on a web application while being validy authenticated (eg. Change Account details, logout, spam etc.

Attack Vectors

CSRF


● XSS Vulnerabilities● Untokenized forms● Usage of $_GET for operations where $_POST may be best suited

Attack Prevention

CSRF

● Use $_POST instead of $_GET and/or $_REQUEST

● Filter incoming data● Tokenize


Attack Description

SQL Injection

Application Level Security::SQL Injection

An SQL Injection is an attack where an attacker is able to execute arbitrary sql code against the database

Application Level Security::SQL Injection: Basic Sample

//legit$sort = 'ASC';//malicious injection?$sort = '; TRUNCATE POSTS';

//actual query$query = "SELECT * FROM posts ORDER BY date_entered $sort";

// Output Query: uh-oh!SELECT * FROM posts ORDER BY date_entered; TRUNCATE POSTS


SQL Injection


● Corrupt data by executing truncate()

● Alter current DB data (eg. Change admin password)

Attack Vectors

SQL Injection


● Dynamic queries getting values from unsanitized user-submitted data

Attack Prevention

SQL Injection● Enclose user-submitted Values with mysql_real_escape_string()

Application Level Security::SQL Injection (MySQL)

Attack Description

Session Hijacking

Application Level Security::Session Hijacking

Session Hijacking is an attack where an attacker impersonates a legitimate user(commonly the administrator) that is currently logged in on the web application


Session Hijacking


● Attacker gaining administrator privileges, damage/threat is highly serious.

Attack Vectors

Session Hijacking


● Session ID Fixation via XSS● Web Application is not going thru HTTPS and therefore � sniffable�

● Session id is not regenerated when necessary

Attack Prevention

Session Hijacking

● Protect Site against XSS attacks (Fixation avoidance only)

● Regenerate SID whenever necessary and do not trust user-specified session id● Deliver the web app Over HTTPS to avoid getting � sniffed�


In a nutshell:

● The Server Level is part of the Web Application. It is necessary to Secure the Server as well. 30% of Web Application Attacks are still suffered by the Server.

● � Do not Trust User Input� is not enough, � Make User Input TRUSTABLE� by filtering methods before they undergo processing.

● Tokenize your forms whenever necessary● Use SSL Layer (via https) in dealing with highly sensitive data to avoid being � sniffed� or � captured� .

I hope you enjoyed..

The End...

web application security

Technology