Table Of Content
The OWASP Top Ten
Unvalidated Redirects and Forwards
Security Misconfiguration
Application Fingerprint
Error handling And Logging
Noise
PHP Guidelines
Review of Other Vulnerabilities of Web Application
5. Top 10 Owasp
Top 10 Owasp
The OWASP Top Ten is released every 3 years; this is the fourth release since the
2004 launch.
The OWASP Top 10 has been designed to raise awareness about crucial
security threats faced by organisations.
The top 10 are selected on the basis of exploitability, detectability and
estimated impact, from over 500,000 vulnerabilities spanning hundreds
of organisations and thousands of applications. Its purpose is to
educate developers, designers, architects, managers and organisations
about web application security weaknesses.
10. Security Misconfiguration
What Is Security Misconfiguration
System admins, DBAs and developers leave security holes in the configuration of
computer systems.
12. Security Misconfiguration
Security Misconfiguration Illustrated
Security misconfiguration can happen at any level of an
application stack, including:
the platform
web server
application server
framework
and custom code
14. Security Misconfiguration
Scenario 1: framework misconfiguration
Your application relies on a powerful framework like Yii.
XSS flaws are found in the framework components you rely on.
An update is released to fix these flaws, but you don't update your
libraries.
Until you do, attackers can easily find and exploit these flaws in your app.
15. Security Misconfiguration
Scenario 2: framework misconfiguration
• The app server admin console is automatically installed and not
removed.
• Default accounts aren’t changed.
• Attacker discovers the standard admin pages are on your server, logs in
with default passwords and takes over.
16. Security Misconfiguration
Security Misconfiguration Countermeasure
• Change default user accounts.
• Delete unused pages and user accounts.
• Turn off unused services.
• Disable directory listings if they are not necessary, or set access controls to deny
all requests.
• Stay up to date on patches.
• Consider internal attackers as well as external.
• Use automated scanners.
17. Security Misconfiguration
Security Misconfiguration Countermeasure
When you install an OS or server tool, it has a default root account with a
default password. Examples:
Windows - "Administrator" & "Administrator"
SQL Server - "sa" & no password
Oracle - "MASTER" & "PASSWORD"
Apache - "root" & "change this"
18. Security Misconfiguration
Security Misconfiguration Countermeasure
As soon as an employee or contractor leaves, change their password.
Change their username.
Move their files and delete the account.
Look for old client accounts and delete them.
19. Security Misconfiguration
Security Misconfiguration Countermeasure
Look through all running services; if they're not being used, turn them
off.
Pay particular attention to:
o Services enabled upon install
• Remote debugging
• Remote registry
• Content management
20. Security Misconfiguration
PHP Configuration :safe_mode
The PHP safe mode includes a set of restrictions for PHP scripts and can
really increase security in a shared server environment. To name a
few of these restrictions: a script can only access/modify files and folders
that have the same owner as the script itself, and some functions/operators
are completely disabled or restricted.
21. Security Misconfiguration
PHP Configuration :Restrict PHP Information Leakage
To restrict PHP information leakage disable expose_php. Edit php.ini and
set the following directive:
expose_php=Off
22. Security Misconfiguration
PHP Configuration : Log All PHP Errors
Do not expose PHP error messages to all site visitors, and make sure you log all
PHP errors to a log file. Edit php.ini and set the following directives:
display_errors=Off
log_errors=On
error_log=/var/log/httpd/php_scripts_error.log
23. Security Misconfiguration
PHP Configuration : Disallow Uploading Files
If users of your application do not need to upload files, turn this feature off:
file_uploads=Off
If they do need it, turn it on and cap the size with upload_max_filesize, which
limits the maximum size of files that PHP will accept through uploads:
file_uploads=On
upload_max_filesize=1M ; users can only upload up to 1MB via PHP upload
24. Security Misconfiguration
PHP Configuration : Turn Off Remote Code Execution
The allow_url_fopen option lets PHP's file functions - such as file_get_contents() and the
include and require statements - retrieve data from remote locations using the ftp or http
protocols.
A large number of code injection vulnerabilities reported in PHP-based web applications are
caused by the combination of enabling allow_url_fopen and bad input filtering. Edit
/etc/php.d/php.ini and set the following directives:
allow_url_fopen=Off
allow_url_include=Off
25. Security Misconfiguration
PHP Configuration : Resource Control (DoS Control)
You can set the maximum execution time of each PHP script, in seconds. Other recommended
options are the maximum amount of time each script may spend parsing request data, and the
maximum amount of memory a script may consume. Edit /etc/php.d/php.ini and set the
following directives:
; set in seconds
max_execution_time = 30
max_input_time = 30
memory_limit = 40M
26. Security Misconfiguration
PHP Configuration : Session Path
Session support in PHP consists of a way to preserve certain data across subsequent
accesses.
Make sure the path is outside /var/www/html and not readable or writeable by any other
system users:
session.save_path="/var/lib/php/session"
Set the temporary directory used for storing files during file upload:
upload_tmp_dir="/var/lib/php/session"
27. Security Misconfiguration
PHP Configuration
disable_functions
o This directive can be used to disable functions of our choosing.
allow_url_fopen
o With this option set, PHP can operate on remote files with functions like
include and fopen. Recommended: Off
28. Security Misconfiguration
PHP Configuration
error_reporting
o We want to write code that is as clean as possible, and thus we want PHP to
report all warnings etc. to us.
o Recommended: E_ALL
display_errors
o Errors covered by error_reporting will be sent to the browser. This is desired in a
development environment but not on a production server, since it could
expose sensitive information about our code, database or web server.
o Recommended: off (production), on (development)
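The following is an added example, not code from the deck: a small audit script that checks the php.ini directives covered on the slides above (expose_php, display_errors, log_errors/error_log, file_uploads/upload_max_filesize, allow_url_fopen/allow_url_include, max_execution_time, memory_limit, session.save_path) against the thresholds the slides recommend. The thresholds, the helper names and the constructed snapshot are assumptions of this example. safe_mode and register_globals are not checked because both were removed in PHP 5.4. When called with no argument it reads the live configuration with ini_get(); note that the CLI SAPI sets max_execution_time to 0, so run it through the web SAPI or pass a snapshot.

```php
<?php
// Added example (not from the deck): audit the php.ini directives discussed
// above. Pass an array of directive => value to check a snapshot offline, or
// nothing to read the running configuration with ini_get().

function ini_bool(string $v): bool {
    // php.ini accepts 1/On/True/Yes for "enabled"
    return in_array(strtolower(trim($v)), ['1', 'on', 'true', 'yes'], true);
}

function ini_bytes(string $v): int {
    // Shorthand sizes such as "1M", "40M", "512K"; "-1" means unlimited
    $v = trim($v);
    $n = (int) $v;
    switch (strtoupper(substr($v, -1))) {
        case 'G': return $n * 1073741824;
        case 'M': return $n * 1048576;
        case 'K': return $n * 1024;
        default:  return $n;
    }
}

/** Returns a list of human-readable findings; an empty list means nothing flagged. */
function audit_php_ini(?array $ini = null): array {
    $names = ['expose_php', 'display_errors', 'log_errors', 'error_log',
              'file_uploads', 'upload_max_filesize', 'allow_url_fopen',
              'allow_url_include', 'max_execution_time', 'memory_limit',
              'session.save_path'];
    if ($ini === null) {
        $ini = [];
        foreach ($names as $n) {
            $ini[$n] = (string) ini_get($n);
        }
    }
    $get = function (string $n) use ($ini): string {
        return (string) ($ini[$n] ?? '');
    };

    $findings = [];
    if (ini_bool($get('expose_php'))) {
        $findings[] = 'expose_php=On: the PHP version is advertised in the X-Powered-By header';
    }
    if (ini_bool($get('display_errors'))) {
        $findings[] = 'display_errors=On: error text (paths, queries) is shown to visitors';
    }
    if (!ini_bool($get('log_errors')) || $get('error_log') === '') {
        $findings[] = 'log_errors/error_log: errors are not written to a dedicated log file';
    }
    if (ini_bool($get('file_uploads')) && ini_bytes($get('upload_max_filesize')) > ini_bytes('1M')) {
        $findings[] = 'upload_max_filesize=' . $get('upload_max_filesize') . ': above the 1M limit recommended above';
    }
    if (ini_bool($get('allow_url_fopen')) || ini_bool($get('allow_url_include'))) {
        $findings[] = 'allow_url_fopen/allow_url_include: file and include functions accept remote URLs';
    }
    $t = (int) $get('max_execution_time');
    if ($t === 0 || $t > 30) {
        $findings[] = 'max_execution_time=' . $t . ': scripts may run indefinitely (0) or longer than 30s';
    }
    $mem = ini_bytes($get('memory_limit'));
    if ($mem < 0 || $mem > ini_bytes('40M')) {
        $findings[] = 'memory_limit=' . $get('memory_limit') . ': unlimited (-1) or above 40M';
    }
    $sp = $get('session.save_path');
    if ($sp === '' || strpos($sp, '/var/www/html') === 0) {
        $findings[] = 'session.save_path: unset or inside the document root';
    }
    return $findings;
}

// Constructed snapshot of a permissive configuration (not taken from a real server)
$weak = [
    'expose_php' => 'On', 'display_errors' => 'On', 'log_errors' => 'Off', 'error_log' => '',
    'file_uploads' => 'On', 'upload_max_filesize' => '8M', 'allow_url_fopen' => 'On',
    'allow_url_include' => 'Off', 'max_execution_time' => '0', 'memory_limit' => '-1',
    'session.save_path' => '/var/www/html/tmp',
];
foreach (audit_php_ini($weak) as $f) {
    echo "[!] $f\n";
}
```

Every directive in the constructed snapshot is flagged; after applying the values from the slides (expose_php=Off, display_errors=Off, log_errors=On with an error_log, upload_max_filesize=1M, allow_url_fopen=Off, max_execution_time=30, memory_limit=40M, session.save_path=/var/lib/php/session) the function returns an empty list.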
29. Security Misconfiguration
Shared Hosts
When on a shared host, security simply isn't going to be as strong as when on
a dedicated host.
The safe_mode directive can prevent this and similar safety concerns, but
since it only applies to PHP, it doesn't address the root cause of the problem:
attackers can simply use other languages. safe_mode can stop this particular
script, but what about one written in another language?
A good solution is to store sensitive data in a database and use the technique
mentioned earlier to protect your database access credentials.
30. Security Misconfiguration
A Note About PHP Backdoors
You may come across PHP scripts known as common backdoors, such as c99,
c99madshell, r57 and so on. A backdoor PHP script is nothing but a hidden script for
bypassing all authentication and accessing your server on demand. It is installed by an
attacker to access your server while attempting to remain undetected. Typically a PHP
(or any other CGI) script by mistake allows inclusion of code exploiting
vulnerabilities in the web browser. An attacker can use such vulnerabilities
to upload backdoor shells, which give him or her a number of capabilities such as:
o Download files
o Upload files
o Install rootkits
o Set up a spam mail server / relay server
31. Security Misconfiguration
How Do we Search PHP Backdoors?
Use the Unix / Linux grep command to search for c99 or r57 shells:
# grep -iR 'c99' /var/www/html/
# grep -iR 'r57' /var/www/html/
# find /var/www/html/ -name '*.php' -type f -print0 | xargs -0 grep c99
# grep -RPn "(passthru|shell_exec|system|base64_decode|fopen|fclose|eval)" /var/www/html/
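The grep patterns above match every fopen() and system() call in a code base, so on a real site the output is mostly legitimate code. The following added example (not from the deck) applies the same indicators from PHP but scores a line higher when a code-execution function is fed by a decoding function, or by request data, which is the usual shape of a dropped shell, so that ordinary file handling ranks low. The function lists, the scoring weights and the constructed sample source are assumptions of this example.

```php
<?php
// Added example (not from the deck): score PHP source lines for backdoor
// indicators instead of matching every occurrence of a function name.

const EXEC_FUNCS   = ['eval', 'system', 'passthru', 'shell_exec', 'exec', 'assert', 'popen', 'proc_open'];
const DECODE_FUNCS = ['base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13', 'hex2bin'];
const SHELL_NAMES  = ['c99', 'r57', 'madshell'];

/** Return [line number => ['score' => int, 'reason' => string]] for suspicious lines. */
function scan_php_source(string $source): array {
    $hits     = [];
    $execRe   = '/\b(' . implode('|', EXEC_FUNCS) . ')\s*\(/i';
    $decodeRe = '/\b(' . implode('|', DECODE_FUNCS) . ')\s*\(/i';
    $nameRe   = '/(' . implode('|', SHELL_NAMES) . ')/i';
    foreach (preg_split('/\R/', $source) as $i => $line) {
        $score = 0;
        $why   = [];
        if (preg_match($nameRe, $line, $m)) {
            $score += 2;
            $why[] = 'shell name ' . $m[1];
        }
        $hasExec   = preg_match($execRe, $line, $e);
        $hasDecode = preg_match($decodeRe, $line, $d);
        if ($hasExec) {
            $score += 1;
            $why[] = $e[1] . '()';
        }
        if ($hasExec && $hasDecode) {
            $score += 3;                         // obfuscated payload handed to an executor
            $why[] = 'fed by ' . $d[1] . '()';
        }
        if ($hasExec && preg_match('/\$_(GET|POST|REQUEST|COOKIE)\b/', $line)) {
            $score += 3;                         // request data reaching an executor
            $why[] = 'request data reaches exec';
        }
        if ($score > 0) {
            $hits[$i + 1] = ['score' => $score, 'reason' => implode(', ', $why)];
        }
    }
    return $hits;
}

/** Walk a directory like the find/xargs pipeline above and report lines at or above $minScore. */
function scan_tree(string $root, int $minScore = 3): array {
    $report = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $src = (string) file_get_contents($file->getPathname());
        foreach (scan_php_source($src) as $ln => $h) {
            if ($h['score'] >= $minScore) {
                $report[] = [$file->getPathname(), $ln, $h['score'], $h['reason']];
            }
        }
    }
    return $report;
}

// Constructed sample (not a real shell): two benign lines that plain grep also
// matches, and one line in the shape of a minimal backdoor.
$sample = <<<'PHP'
<?php
$log = fopen('/var/log/app.log', 'a');
$out = shell_exec('uptime');
@eval(base64_decode($_POST['z']));
PHP;
foreach (scan_php_source($sample) as $ln => $h) {
    printf("line %d  score %d  %s\n", $ln, $h['score'], $h['reason']);
}
```

On the sample, the fopen() line scores 0, the shell_exec() line scores 1, and the eval(base64_decode($_POST[...])) line scores 7, so a threshold of 3 in scan_tree() surfaces only the last one. Treat a hit as a lead for manual review, not proof: legitimate installers and template caches also decode and evaluate code.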
32. Application Fingerprint
Testing for Web Application Fingerprint
Web server fingerprinting is a critical task for the penetration tester.
Knowing the version and type of a running web server allows testers to
determine known vulnerabilities and the appropriate exploits to use
during testing.
33. Application Fingerprint
Fingerprinting Methodology
We will outline fingerprinting techniques for the following categories:
o Identify Web Architecture/Topology
o Identify Web Server Version
o Identify Web Application Software
o Identify Backend Database Version
34. Application Fingerprint
Fingerprinting Methodology
Identify Web Architecture/Topology
o It is advantageous to an attacker to accurately identify any intermediary
web-based systems such as proxy servers, load-balancers or web application
firewalls.
Identify Web Server Version
o The web server version can be correctly identified by:
• Reviewing the Server banner information
• Implementation differences of the HTTP protocol
• Error pages
35. Application Fingerprint
Fingerprinting Methodology
Identify Web Application Software
o Confirm what web application technologies are being used, such as ASP, .NET,
PHP and Java.
• The first portion of the URL to inspect would be the file extensions used.
• Review error pages
36. Application Fingerprint
Fingerprinting Methodology
Identify Backend Database Version
o Determining the database engine type is fundamental if an attacker is to attempt
to successfully execute an SQL Injection attack.
• Review Error Pages
37. Application Fingerprint
How can I fake the banners or rewrite the headers from my
web server?
Banners will generally have the server name and the version number in them. We can
address this problem either by configuring the server not to display the banner at
all or by changing it to make the server look like something else.
There are a number of tools that help in faking the banners.
o mod_security has a feature for changing the identity of the Apache web server.
o Use custom error pages.
38. Application Fingerprint
Once I fake the banners, can my web server still be
fingerprinted?
Yes. Unfortunately there are tools that fingerprint the web server without relying
on the banners. Different web servers may implement features not specified in
HTTP RFCs differently. Suppose we make a database of these special requests and
the responses of each web server.
We can now send these requests to the web server we want to fingerprint and
compare the responses with the database. This is the technique used by tools like
Fire & Water.
39. Application Fingerprint
Run web server on a non-standard port. Is that right?
A web server generally needs to be accessed by a lot of people on the internet.
Since it normally runs on port 80 and all browsers are configured to access port
80 of the web server, users are able to browse the site. If we change the port, the
users will have to specify the port in addition to the domain name.
But this is a good idea for an intranet application where all users know where to
connect. It is more secure since the web server will not be targeted by automated
attacks like worms that scan port 80 and other standard ports.
40. Error Handling
Description
Error handling, debug messages, auditing and logging are different
aspects of the same topic: how to track events within an application.
Error handling takes two forms:
o structured exception handling
o functional error checking
Motivated attackers like to see error messages, as they might leak
information that leads to further attacks, or may leak privacy-related
information.
41. Error Handling
Fail safe
Applications should always fail safe. If an application fails to an unknown
state, it is likely that an attacker
o Inspect the application’s fatal error handler.
o Does it fail safe? If so, how?
o Is the fatal error handler called frequently enough?
o What happens to in-flight transactions and ephemeral data?
42. Error Handling
Exception handling
Does the code use structured exception handlers (try {} catch {} etc) or
function-based error handling?
If the code uses function-based error handling, does it check every return
value and handle the error appropriately?
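The following is an added example, not code from the deck, of a fail-safe error path in PHP that combines the two forms named above: structured exception handling for anything uncaught, and functional error checking of return values in application code. Full detail goes to the error log, the visitor gets a fixed generic page carrying only a random reference, and a 500 status is sent. Because the page is constant it also removes the error-page fingerprinting signal discussed in the Application Fingerprint slides. The function names and the config path used as a trigger are assumptions of this example.

```php
<?php
// Added example (not from the deck): fail safe on every error path.
// Detail goes to error_log (php.ini: log_errors=On, error_log=...), the
// visitor sees a generic page, and the script stops.

/** Generic page: no class names, file paths, SQL or PHP version in it. */
function generic_error_page(string $reference): string {
    return "<!DOCTYPE html><html><body><h1>Something went wrong</h1>"
         . "<p>Reference: " . htmlspecialchars($reference, ENT_QUOTES, 'UTF-8')
         . "</p></body></html>";
}

/** Log line; the reference ties the page the user saw to this entry. */
function describe_for_log(Throwable $e, string $reference): string {
    return sprintf('ref=%s %s: %s in %s:%d', $reference, get_class($e),
                   $e->getMessage(), $e->getFile(), $e->getLine());
}

function handle_uncaught(Throwable $e): void {
    $ref = bin2hex(random_bytes(6));
    error_log(describe_for_log($e, $ref));
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=UTF-8');
    }
    echo generic_error_page($ref);
    exit(1);                                   // fail closed: nothing else runs
}

// Turn warnings and notices into exceptions so one path handles every error
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    if (!(error_reporting() & $no)) {
        return false;                          // honour @-suppression and error_reporting
    }
    throw new ErrorException($msg, 0, $no, $file, $line);
});
set_exception_handler('handle_uncaught');

// Fatal errors (e.g. memory_limit exceeded) bypass the exception handler; catch them at shutdown
register_shutdown_function(function (): void {
    $err = error_get_last();
    $fatal = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR];
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        handle_uncaught(new ErrorException($err['message'], 0, $err['type'],
                                           $err['file'], $err['line']));
    }
});

// Functional error checking: test every return value rather than assuming success
function read_config(string $path): array {
    $raw = @file_get_contents($path);
    if ($raw === false) {
        throw new RuntimeException("config unreadable: $path");
    }
    $cfg = json_decode($raw, true);
    if (!is_array($cfg)) {
        throw new RuntimeException("config is not valid JSON: $path");
    }
    return $cfg;
}

// Constructed trigger (assumed path): the missing file ends up in handle_uncaught()
read_config('/nonexistent/app.json');
```

The reference printed on the page is random and carries no information by itself; it exists so that support staff can find the matching error_log line. With display_errors=Off in php.ini, this handler is the only thing that ever writes error text to the response.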
43. Logging
What is Log?
Logs are a source of time-ordered events about everything happening
with your app.
Log File
A file that lists actions that have occurred. For example, Web servers
maintain log files listing every request made to the server.
44. Logging
What to Log
Some application exceptions
Some application events should be logged:
o Modification of any data characteristics, including access control
permissions or the file system.
o Administrative functions and changes in configuration, regardless of
overlap.
o Writing of data logs, also where and with what mode (append, replace).
o Some security-related events may be logged, such as unauthorized
URL access attempts and user logins.
45. Logging
What to Log
Some application states
Executed SQLs may be logged
User HTTP requests may be logged
Some debug information may be logged
o In some applications, you may have some errors and can’t find why
this is happening. You may add some debug logs into your code and
redeploy it to diagnose the problem.
46. Logging
Where to log to?
Logs should be written so that the log file attributes are such that only
new information can be written (older records cannot be rewritten or
deleted).
All logging components should be synced with a timeserver so that all
logging can be consolidated effectively without latency errors.
Logs are useful in reconstructing events after a problem has occurred,
security related or not.
Logs are often the only record that suspicious behavior is taking place.
47. Logging
Logging benefits
Handling
General Debugging
Forensics evidence
Attack detection
Proof of validity
Quality of service
48. Noise
Description
Noise is intentionally invoking security errors to fill an error log with
entries (noise) that hide the incriminating evidence of a successful
intrusion.
When the administrator or log parser application reviews the logs, there
is every chance that they will summarize the volume of log entries as a
denial of service attempt rather than identifying the 'needle in the
haystack'.
49. Noise
Solution
Failing that, use an error log audit tool that can reduce the bulk of the noise,
for example based on repetition of events or on events originating from the
same source.
It is also useful if the log viewer can display the events in order of severity
level, rather than just time based.
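The following is an added example, not code from the deck, covering both the Logging slides (what to record, append-only writing, a shared UTC clock) and the Noise solution above: a writer that appends one JSON record per security event, and a summariser that collapses repeats from the same source and orders the remainder by severity rather than by time, so that a flood of failed logins cannot bury a single configuration change. The record fields, the severity ranking and the constructed scenario are assumptions of this example.

```php
<?php
// Added example (not from the deck): append-only security event log plus a
// noise-reducing summary in the spirit of the audit tool suggested above.

const SEVERITY_RANK = ['critical' => 0, 'error' => 1, 'warning' => 2, 'info' => 3];

/** Append one JSON line. Timestamps are UTC so records from several hosts line up. */
function log_security_event(string $logFile, string $severity, string $event, array $ctx = []): string {
    $record = [
        'ts'       => $ctx['ts'] ?? gmdate('Y-m-d\TH:i:s\Z'),
        'severity' => $severity,
        'event'    => $event,
        'source'   => $ctx['source'] ?? ($_SERVER['REMOTE_ADDR'] ?? 'local'),
        'user'     => $ctx['user'] ?? null,
        'detail'   => $ctx['detail'] ?? null,
    ];
    $line = json_encode($record, JSON_UNESCAPED_SLASHES) . "\n";
    // FILE_APPEND never rewrites earlier records; on Linux, chattr +a on the
    // file enforces append-only at the filesystem level as well
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
    return $line;
}

/** Group by (source, event), count repeats, then sort by severity and by count. */
function summarise_log(iterable $lines): array {
    $groups = [];
    foreach ($lines as $line) {
        $r = json_decode(trim($line), true);
        if (!is_array($r) || !isset($r['event'])) {
            continue;                              // skip malformed lines instead of aborting
        }
        $key = ($r['source'] ?? '?') . '|' . $r['event'];
        if (!isset($groups[$key])) {
            $groups[$key] = ['source' => $r['source'] ?? '?', 'event' => $r['event'],
                             'severity' => $r['severity'] ?? 'info', 'count' => 0,
                             'first' => $r['ts'] ?? '', 'last' => ''];
        }
        $groups[$key]['count']++;
        $groups[$key]['last'] = $r['ts'] ?? '';
    }
    usort($groups, function (array $a, array $b): int {
        $ra = SEVERITY_RANK[$a['severity']] ?? 9;
        $rb = SEVERITY_RANK[$b['severity']] ?? 9;
        return ($ra <=> $rb) ?: ($b['count'] <=> $a['count']);
    });
    return $groups;
}

// Constructed scenario: one source floods the log with failed logins while a
// single configuration change from elsewhere is the event that matters.
$logFile = tempnam(sys_get_temp_dir(), 'seclog');
for ($i = 0; $i < 500; $i++) {
    log_security_event($logFile, 'warning', 'login_failed',
        ['source' => '203.0.113.5', 'user' => 'admin', 'detail' => 'bad password']);
}
log_security_event($logFile, 'info', 'login_ok', ['source' => '192.0.2.10', 'user' => 'alice']);
log_security_event($logFile, 'critical', 'config_changed',
    ['source' => '198.51.100.7', 'user' => 'alice', 'detail' => 'display_errors=On']);

foreach (summarise_log(file($logFile, FILE_IGNORE_NEW_LINES)) as $g) {
    printf("%-9s %-15s %-15s x%d  first=%s\n",
           $g['severity'], $g['source'], $g['event'], $g['count'], $g['first']);
}
unlink($logFile);
```

The summary prints three lines instead of 502: the critical config_changed entry first, then the 500 collapsed login_failed records from 203.0.113.5, then the single successful login. The raw file is untouched, so the full time-ordered record is still available for reconstruction afterwards.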
50. PHP Guidelines
register_globals
The register_globals directive makes input from GET, POST and COOKIE,
as well as session variables and uploaded files, directly accessible as
global variables in PHP. This single directive, if set in php.ini, is the root of
many vulnerabilities in web applications.
if ($bIsAlwaysFalse)
{
    $sFilename = 'somefile.php';
}
if ( $sFilename != '' )
{
    include( $sFilename );
}
51. PHP Guidelines
register_globals
If we were to call this page like:
page.php?sFilename=/etc/passwd
with register_globals set, it would be the same as writing the following:
$sFilename = '/etc/passwd'; // This is done internally by PHP
if ($bIsAlwaysFalse)
{
    $sFilename = 'somefile.php';
}
if ( $sFilename != '' )
{
    include( $sFilename );
}
52. PHP Guidelines
register_globals : solution
1. Turning off register_globals might be a solution, but what if our code ends
up on a server with register_globals on? We must bear in mind that all
variables in global scope could have been tampered with, so initialize every
variable before use:
$sFilename = ''; // initialize variables
if ($bIsAlwaysFalse)
{
    $sFilename = 'somefile.php';
}
if ( $sFilename != '' )
{
    include( $sFilename );
}
53. PHP Guidelines
register_globals : solution
Another solution would be to have as little code as possible in global
scope. Object oriented programming (OOP) is a real beauty when done
right and I would highly recommend you to take that approach.
The correct way to get input from GET, POST, COOKIE.
54. PHP Guidelines
Includes and Remote files
The PHP functions include() and require() provide an easy way of
including and evaluating files.
If the allow_url_fopen directive is enabled in php.ini you can specify the
file to be included using a URL.
Note: The allow_url_fopen directive is enabled by default.
55. PHP Guidelines
Includes and Remote files
If you can't turn allow_url_fopen off, you can use this solution: define a constant in
the entry script and have every included file refuse to run unless it is defined.
// file.php
define('SECURITY_CHECK', true);
$sIncludePath = '/inc/';
include($sIncludePath . 'functions.php');
...
// functions.php
if ( !defined('SECURITY_CHECK') ) {
    // Output error message and exit.
    header('HTTP/1.1 403 Forbidden');
    exit('Direct access is not allowed.');
}
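The following is an added example, not code from the deck, that ties together the register_globals advice (read input from the request explicitly and never trust a global) and the include advice (never let a URL or a user-supplied path reach include()). The page name is taken from $_GET, mapped through a fixed allowlist, and resolved with realpath() inside a local directory; the included templates carry the SECURITY_CHECK guard from the slide above. The directory, the allowlist and the function names are assumptions of this example.

```php
<?php
// Added example (not from the deck): allowlisted, local-only page inclusion
// that behaves the same with register_globals on or off.

define('SECURITY_CHECK', true);
const INCLUDE_DIR = __DIR__ . '/inc';   // assumption: templates live here
const PAGES = [                         // request value => file; nothing else is includable
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/** Fetch one string parameter; arrays (?page[]=x) and missing keys give the default. */
function request_string(array $source, string $key, string $default = ''): string {
    $v = $source[$key] ?? $default;
    return is_string($v) ? $v : $default;
}

/** Resolve the request to an absolute path inside INCLUDE_DIR, or null if not allowed. */
function resolve_page(array $query, string $default = 'home'): ?string {
    $name = request_string($query, 'page', $default);
    if (!isset(PAGES[$name])) {
        return null;                    // unknown key: the filesystem is never consulted
    }
    $dir  = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . PAGES[$name]);
    // realpath() resolves symlinks and ../; the prefix test rejects anything outside $dir
    if ($dir === false || $path === false || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

if (PHP_SAPI === 'cli') {
    // Constructed requests to show the decision. Without a ./inc directory every
    // result is null because realpath() fails, which is the safe outcome.
    $requests = ['home', '/etc/passwd', '../../file.php', 'http://example.invalid/x', ['x']];
    foreach ($requests as $p) {
        var_dump(resolve_page(['page' => $p]));
    }
    exit;
}

$page = resolve_page($_GET);
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}
include $page;                          // always a file from PAGES inside INCLUDE_DIR
```

Only the keys of PAGES can ever be turned into a path, so a path, a URL or an array in the page parameter is rejected before any filesystem or network access. The realpath() prefix check is a second line of defence in case the allowlist is later filled from configuration rather than from a literal.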
56. PHP Guidelines
Why htmlspecialchars is not always enough ?
Let's take a look at the following code (this page is meant to be called like
page.php?sImage=filename.jpg):
echo '<img src="' . htmlspecialchars($_GET['sImage']) . '" />';
Since we are already in an HTML tag we do not need < or > to be able to inject malicious
code. Look at the following:
// page.php?sImage=javascript:alert(document.cookie);
// Same code as before:
echo '<img src="' . htmlspecialchars($_GET['sImage']) . '" />';
The above would result in:
<img src="javascript:alert(document.cookie);" />
57. PHP Guidelines
Why htmlspecialchars is not always enough ?
Solution: There is no generic solution here other than to only accept
input we know is safe; trying to filter out bad input is hard and we are
bound to miss something. Our final code would look like the following:
// We only accept input we know is safe (in this case a valid filename)
if ( preg_match('/^[0-9a-z_]+\.[a-z]+$/i', $_GET['sImage']) ) {
    echo '<img src="' . $_GET['sImage'] . '" />';
}
58. PHP Guidelines
Why htmlspecialchars is not always enough ?
Also see the function urlencode(), useful for passing text with ampersands
and other special characters through a URL.
<?php
echo "<a href='foo.php?text=".urlencode("foo?&bar!")."'>link</a>";
?>
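The following is an added example, not code from the deck, that puts the last three slides together: the allowlist check on the image name (with the dot in the pattern escaped so it matches a literal dot), and the right escaper for each context the value lands in: rawurlencode() for a URL path segment, urlencode() for a query-string value, and htmlspecialchars() for the surrounding HTML attribute. The image directory, the function names and the constructed inputs are assumptions of this example.

```php
<?php
// Added example (not from the deck): allowlist first, then escape for the
// context the value is written into.

/** Accept only a simple filename such as photo_1.jpg; reject everything else. */
function safe_image_name(string $candidate): ?string {
    // same allowlist as the deck, with '.' escaped so it matches a literal dot
    return preg_match('/^[0-9a-z_]+\.[a-z]+$/i', $candidate) === 1 ? $candidate : null;
}

/** Build the <img> tag, or return '' when the input is not an acceptable name. */
function img_tag(string $candidate): string {
    $name = safe_image_name($candidate);
    if ($name === null) {
        return '';                      // no tag at all for unexpected input
    }
    // Even validated input is escaped for the contexts it lands in:
    // a URL path segment for src, HTML attribute text for alt
    return '<img src="/images/' . rawurlencode($name) . '" alt="'
         . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '" />';
}

/** urlencode() for the query value, then htmlspecialchars() for the attribute around it. */
function link_with_query(string $text): string {
    $href = 'foo.php?text=' . urlencode($text);
    return "<a href='" . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . "'>link</a>";
}

// Constructed inputs: one valid name and three that the allowlist must reject
$inputs = [
    'photo_1.jpg',
    'javascript:alert(document.cookie);',
    '../etc/passwd',
    'x.jpg" onerror="alert(1)',
];
foreach ($inputs as $in) {
    $tag = img_tag($in);
    printf("%-36s => %s\n", $in, $tag === '' ? '(rejected)' : $tag);
}
echo link_with_query('foo?&bar!'), "\n";
```

Only photo_1.jpg produces a tag; the other three fail the pattern because ':', '/', '"' and spaces are not in the allowed set, so the question of escaping them never arises. The link example shows why two escapers are needed in sequence: urlencode() keeps the '?' and '&' inside the text from being read as URL syntax, and htmlspecialchars() keeps the resulting '&' from being read as the start of an HTML entity inside the attribute.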