Web Application Security

Event: Tri{PHP}le Treat@USAutoparts Philippines hosted by PHPUGPH
Topic: Web Application Security

Published in: Technology

Transcript

  • 1. Web Application Security by Example (for LAMP) Arpee Ong
  • 2. Who Am I? Name: Richard Peter Ong a.k.a. Arpee Work: Lead Developer, Internal Projects at SysIQ Inc. Open Source Affiliations: a.) core developer, MiaCMS
  • 3. Who Are you? ✔ PHP Developers/Programmers ✔ L/U/W AMP SysAdmins ✔ IT Managers and Practitioners ✔ Geeks and hackers..
  • 4. Scope and Coverage: ● Securing a Basic U/L AMP Server ● Web Application Attacks Description, Samples and Prevention
  • 5. WHAT IS A WEB APPLICATION? ✔ Any application that is served commonly via http or https protocol ✔ Usually being served from a remote computer acting as a host/server
  • 6. WHAT IS SECURITY? ✔ A state of being free from damage and compromise ✔ A condition of being protected against danger or loss
  • 7. Levels of WebApp Security: ✔ Server Level ✔ Application Level
  • 8. Server Level Security: ✔ The Box(es) (physical or virtual server(s)) ✔ httpd (Apache) ✔ mysqld (MySQL) ✔ PHP
  • 9. Secure the Box: ✔ Filesystem ✔ Firewall
  • 10. Filesystem:: File Ownership and Permission ✔ Folders should be 0755 ✔ Files should be 0644 ✔ Files and Folders under Document Root should be owned by the Apache User ✔ 666 is evil in the web world, and so is 777.
  • 11. Filesystem:: How to Set Permissions ✔ Folders chmod 0755 {directory} ✔ Files chmod 0644 {files}
  • 12. Filesystem:: How to Set Ownership ✔ Files/Folders chown -R {apache_user} {document_root}
  • 13. Firewall:: Opened Ports ✔ Port 80 Web/Http ✔ Port 443 Web/Https ✔ Port 21 FTP ✔ Port 22 SSH ✔ Port 25 SMTP (outgoing) ✔ Port 110 POP (inbound) ✔ Port 3306 MySQL Daemon
  • 14. Secure httpd (Apache): ✔ Set an apache user ✔ Do not run apache as root ✔ 3rd Party Tools: ✔ ModSecurity http://www.modsecurity.org/
  • 15. Secure the mysqld (MySQL): ✔ Set root(admin) password ✔ Rename the root(admin) account ✔ Restrict Network Access ✔ Use SSH Tunneling/Port Forwarding if necessary
  • 16. MySQL:: Set Admin Password mysql -u root mysql> SET PASSWORD FOR root@localhost=PASSWORD('password'); mysql> FLUSH PRIVILEGES;
  • 17. MySQL:: Change Admin Username mysql -u root -p{PASSWORD} mysql> USE mysql; mysql> UPDATE user SET user="mydbadmin" WHERE user="root"; mysql> FLUSH PRIVILEGES;
  • 18. MySQL:: Why Restrict Network Access? ✔Usually only your web application needs access to MySQL Server, NOTHING ELSE.
  • 19. MySQL:: How to Restrict Network Access? ✔ Open my.cnf ✔ Add the skip-networking parameter to the mysqld or mysqld_safe section (depending on which you are using)
  • 20. MySQL:: How to tunnel mysql via ssh? ssh -N -f -L 3306:localhost:3306 user@mysql_server.com -N Do not execute a remote command (useful for port forwarding only) -f Run in background -L port:host:hostport (forward the local port to host:hostport on the remote side)
  • 21. Secure php.ini (PHP): ✔ disable_functions ✔ register_globals=off ✔ allow_url_fopen=on/off ✔ allow_url_include=off ✔ 3rd Party Tools: ✔ Suhosin http://www.hardened-php.net/suhosin/
  • 22. PHP:: Functions to disable ✔ exec() - executes a command ✔ passthru() - executes a command and displays raw output
  • 23. PHP:: Register Globals ✔ DO NOT ENABLE register_globals ✔ Write your apps to read request data from the superglobals ($_GET, $_POST, $_REQUEST and $_SERVER) and to initialize variables and their values explicitly whenever necessary.
  • 24. PHP:: allow_url_fopen, allow_url_include ✔ allow_url_fopen - if set to on, allows URLs to be treated as files ✔ allow_url_include - if set to on, allows include/require to open URLs (like http:// or ftp://) as files.
  • 25. PHP:: misuse of register_globals, allow_url_fopen and allow_url_include together >> ✔ SEE remote file inclusion attacks.
  • 26. Application Level Security:: Attack Samples and Prevention ✔ Remote File Inclusion ✔ Form Spoofing ✔ XSS (Cross-Site Scripting) ✔ CSRF (Cross-Site Request Forgery) ✔ SQL Injection ✔ Session Fixation
  • 27. Application Level Security:: Remote File Inclusion Attack Description A Remote File Inclusion is a type of attack where an attacker executes a PHP script of his liking against the target web application
  • 28. Application Level Security:: Remote File Inclusion Attack Possible Damage ● Expose/modify variable values of the script doing the include() ● Expose stored credentials, e.g. MySQL user/pass from a webapp configuration file
  • 29. Application Level Security:: Remote File Inclusion Attack Vectors ● User-controllable value of the variable passed to include() or require()
  • 30. Application Level Security:: Remote File Inclusion Attack Prevention ● Disable register_globals ● Disable allow_url_fopen ● Disable allow_url_include ● Do not include() from a dynamic variable with a user-controllable value
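The last prevention point on slide 30 is the one the application itself controls. The following is an added example, not code from the slides: the include() pattern the RFI slides warn about, next to a hardened version that only lets the request parameter select a key in a fixed allowlist, so no request data ever becomes a path. The page names, the pages/ directory and the function names are this example's own assumptions.

```php
<?php
// Added example, not from the slides: the include() pattern the RFI slides
// warn about, next to a hardened version that maps the request parameter
// onto a fixed allowlist. The page names and directory are hypothetical.

// VULNERABLE (slide 29): a user-controllable value reaches include() directly.
// With allow_url_include on, an http:// or ftp:// URL would be fetched and
// executed; the fix below never lets request data become a path at all.
function render_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED: the request only selects a key; every path is written by the developer.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Map the requested key to a known path, falling back to the home page.
function resolve_page(?string $requested): string
{
    // array_key_exists: exact, string-keyed match, no type juggling
    if ($requested !== null && array_key_exists($requested, PAGES)) {
        return PAGES[$requested];
    }
    return PAGES['home'];
}

function render_page(?string $requested): void
{
    $path = resolve_page($requested);
    // Catch deployment mistakes rather than include() a missing file
    if (!is_file($path)) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $path;
}

// Show the mapping on constructed inputs (no file is included here):
foreach (['home', 'about', 'nonexistent', 'http://example.invalid/page', null] as $in) {
    echo var_export($in, true), ' => ', resolve_page($in), PHP_EOL;
}
// Front controller usage: render_page($_GET['page'] ?? null);
```

The allowlist makes the php.ini settings on slide 30 defence in depth rather than the only line of defence: even on a host where allow_url_include is left on, the value passed to include() is always one of the three constant paths.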
  • 31. Application Level Security:: Form Spoofing Attack Description A type of attack where an HTML form is mimicked or copied and then submitted from a location different from the original
  • 32. Application Level Security:: Form Spoofing Attack Possible Damage ● Bypass client-side validation ● Mass data insertion resulting in flooding (e.g. flooded guestbooks, forum boards, etc.)
  • 33. Application Level Security:: Form Spoofing Attack Vectors ● No form tokens present, thus all requests sent to the accepting script are considered valid
  • 34. Application Level Security:: Form Spoofing Attack Prevention ● Tokenize the form ● [optional] Check the Referrer
  • 35. Application Level Security:: XSS Attack Description Cross-Site Scripting is a type of attack where an attacker inserts HTML code into the HTML output of the web application, usually client-side code such as JavaScript. The injected HTML/JS code is then executed in the browsers of users visiting the infiltrated web application
  • 36. Application Level Security:: XSS Attack Possible Damage ● Steal/fixate browser cookies and direct to another page ● Redirect the user to another page ● Mess up the format of a web application page
  • 37. Application Level Security:: XSS Attack Vectors ● Unfiltered input forms
  • 38. Application Level Security:: XSS Attack Prevention ● "Do Not Trust User Input" is not enough, I say: Make User Input Trustable ● Filter incoming data
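"Make user input trustable" needs two pieces: validation of what comes in and escaping of what goes out, matched to the output context. The block below is an added example, not code from the slides, for a guestbook-style comment: the input filter bounds and normalises the fields, e() escapes for HTML text and attribute values, and safe_href() only lets http(s) URLs into an href. The field names, the comment layout and the helper names are assumptions of this example; the sample comment is constructed.

```php
<?php
// Added example, not from the slides: input filtering plus context-aware output
// escaping for a comment form. Field names and helpers are this example's own.

// Escape for HTML text and for quoted attribute values (ENT_QUOTES covers both
// quote styles; ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the string).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Only http(s) URLs may go into an href; anything else (including javascript:) becomes '#'.
function safe_href(string $url): string
{
    $url = trim($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return '#';
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? e($url) : '#';
}

// Read a request field as a trimmed string, treating arrays or missing keys as empty.
function str_field(array $src, string $key): string
{
    return isset($src[$key]) && is_string($src[$key]) ? trim($src[$key]) : '';
}

// Validation on the way in: bounded lengths and a restricted character set for the name.
function filter_comment(array $post): array
{
    $name = str_field($post, 'name');
    $body = str_field($post, 'body');
    $site = str_field($post, 'site');
    if ($name === '' || mb_strlen($name) > 40 || !preg_match('/^[\p{L}\p{N} .\'-]+$/u', $name)) {
        throw new InvalidArgumentException('invalid name');
    }
    if ($body === '' || mb_strlen($body) > 2000) {
        throw new InvalidArgumentException('invalid body');
    }
    return ['name' => $name, 'body' => $body, 'site' => $site];
}

// Escaping on the way out: every user-controlled value passes through e() or safe_href().
function render_comment(array $c): string
{
    return '<div class="comment">'
        . '<a href="' . safe_href($c['site']) . '">' . e($c['name']) . '</a>: '
        . nl2br(e($c['body']))
        . '</div>';
}

// Constructed sample: markup in the body must come out as visible text, not as HTML.
$sample = [
    'name' => "O'Brien",
    'body' => "Nice site! <b>really</b><script>document.title='x'</script>\nSecond line",
    'site' => 'javascript:alert(1)',
];
echo render_comment(filter_comment($sample)), PHP_EOL;
```

Escaping is done at output time, not at storage time, so the same stored comment can later be emitted safely into a different context (a JSON API, an e-mail) with the escaper that context needs.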
  • 39. Application Level Security:: CSRF Attack Description Cross-Site Request Forgery is a type of attack where an attacker forces an unknowing victim into making (malicious) HTTP requests
  • 40. Application Level Security:: CSRF Attack Possible Damage ● Make the victim execute an operation without his knowledge on a web application while validly authenticated (e.g. change account details, logout, spam, etc.)
  • 41. Application Level Security:: CSRF Attack Vectors ● XSS vulnerabilities ● Untokenized forms ● Usage of $_GET for operations where $_POST may be best suited
  • 42. Application Level Security:: CSRF Attack Prevention ● Use $_POST instead of $_GET and/or $_REQUEST ● Filter incoming data ● Tokenize
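Slides 34 and 42 both come down to "tokenize": a token minted into the session when the form is rendered must come back in the POST, so a copied form (form spoofing) or a request forged from another site (CSRF) fails the check. The following is an added example, not code from the slides, covering both passages with one scheme, including the optional Referer check from slide 34 and the POST-only rule from slide 42. The form name, the guestbook fields, the one-hour token lifetime and the helper names are assumptions of this example.

```php
<?php
// Added example, not from the slides: one per-form token scheme that serves both
// the form-spoofing (slides 31-34) and CSRF (slides 39-42) prevention points.
// Form name, fields, token lifetime and helper names are this example's own.

const TOKEN_TTL = 3600; // seconds a token stays valid (assumed policy)

function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Mint a token for a named form and remember it (with its issue time) server-side.
function form_token(string $form): string
{
    start_session_once();
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$form] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Verify and consume the token. True only for a fresh, matching token sent via POST;
// hash_equals keeps the comparison constant-time.
function verify_form_token(string $form, array $post, string $method): bool
{
    start_session_once();
    if ($method !== 'POST') {
        return false;                       // state-changing operations belong in POST
    }
    $stored = $_SESSION['form_tokens'][$form] ?? null;
    unset($_SESSION['form_tokens'][$form]);  // single use, consumed even on failure
    if ($stored === null || !isset($post['token']) || !is_string($post['token'])) {
        return false;
    }
    if (time() - $stored['issued'] > TOKEN_TTL) {
        return false;
    }
    return hash_equals($stored['value'], $post['token']);
}

// Optional Referer check (slide 34): accept an absent header, since some clients
// strip it, but reject one that names a foreign host.
function referer_ok(array $server, string $ownHost): bool
{
    if (empty($server['HTTP_REFERER'])) {
        return true;
    }
    $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ownHost) === 0;
}

// Rendering side: the token travels in a hidden field.
function render_guestbook_form(): string
{
    $t = htmlspecialchars(form_token('guestbook'), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/guestbook.php">'
        . '<input type="hidden" name="token" value="' . $t . '">'
        . '<textarea name="message"></textarea>'
        . '<button type="submit">Post</button></form>';
}

// Handler side (guestbook.php) would do:
//   if (!verify_form_token('guestbook', $_POST, $_SERVER['REQUEST_METHOD'])
//       || !referer_ok($_SERVER, $_SERVER['HTTP_HOST'])) {
//       http_response_code(403); exit('Invalid form submission');
//   }

// Stand-alone check on constructed data: extract the token the form carries and
// replay it twice through the verifier.
$form = render_guestbook_form();
preg_match('/name="token" value="([0-9a-f]{64})"/', $form, $m);
var_dump(verify_form_token('guestbook', ['token' => $m[1]], 'POST'));
var_dump(verify_form_token('guestbook', ['token' => $m[1]], 'POST'));
var_dump(referer_ok(['HTTP_REFERER' => 'http://www.example.com/guestbook'], 'www.example.com'));
```

Run from the command line, the first verify call succeeds and the second fails, because the token is removed from the session the moment it is checked; a token that was never issued by this session, or one arriving in a GET, fails the same way. The Referer check is secondary, which is why slide 34 marks it optional: the header is often absent, so it can only ever reject, never be the sole basis for accepting.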
  • 43. Application Level Security:: SQL Injection Attack Description An SQL Injection is an attack where an attacker is able to execute arbitrary SQL code against the database
  • 44. Application Level Security:: SQL Injection: Basic Sample //legit $sort = 'ASC'; //malicious injection? $sort = '; TRUNCATE POSTS'; //actual query $query = "SELECT * FROM posts ORDER BY date_entered $sort"; // Output Query: uh-oh! SELECT * FROM posts ORDER BY date_entered ; TRUNCATE POSTS
  • 45. Application Level Security:: SQL Injection Attack Possible Damage ● Corrupt data by executing TRUNCATE ● Alter current DB data (e.g. change admin password)
  • 46. Application Level Security:: SQL Injection Attack Vectors ● Dynamic queries getting values from unsanitized user-submitted data
  • 47. Application Level Security:: SQL Injection (MySQL) Attack Prevention ● Wrap user-submitted values with mysql_real_escape_string()
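One caveat a practitioner would want next to slide 47: in the slide 44 sample, $sort sits in ORDER BY outside any quotes, and mysql_real_escape_string() only neutralises quote characters inside a quoted string literal, so escaping alone would not stop that injection. Identifiers and keywords have to be allowlisted; quoted values are best bound as parameters (ext/mysql, which provided mysql_real_escape_string(), was removed in PHP 7.0, so the mysqli counterpart is shown). The block below is an added example, not code from the slides; it reuses the slides' posts table and date_entered column, while the other column names and the database connection are assumptions.

```php
<?php
// Added example, not from the slides. The slides' sample injects into ORDER BY,
// where escaping does not help; this shows an allowlist for that case and a
// prepared statement for quoted values. Column names other than date_entered
// and the mysqli connection are hypothetical.

// Allowlist for the ORDER BY direction from slide 44; anything else falls back to ASC.
function sort_direction(?string $input): string
{
    $dir = strtoupper(trim((string) $input));
    return in_array($dir, ['ASC', 'DESC'], true) ? $dir : 'ASC';
}

// Allowlist for a sortable column: the request names a key, the code owns the identifier.
const SORTABLE = ['date' => 'date_entered', 'title' => 'title'];

// Builds the slide 44 query with both pieces validated; only constant text reaches the SQL.
function posts_query(?string $sortKey, ?string $direction): string
{
    $column = SORTABLE[$sortKey] ?? 'date_entered';
    return sprintf('SELECT * FROM posts ORDER BY %s %s', $column, sort_direction($direction));
}

// Quoted value: a server-side prepared statement, so the value never enters the SQL text.
// bind_result is used instead of get_result so this does not depend on mysqlnd.
function find_posts_by_author(mysqli $db, string $author): array
{
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE author = ? ORDER BY date_entered DESC');
    $stmt->bind_param('s', $author);
    $stmt->execute();
    $stmt->bind_result($id, $title);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, 'title' => $title];
    }
    $stmt->close();
    return $rows;
}

// Where a quoted value must be interpolated, escape with the connection's own
// charset-aware escaper (the mysqli counterpart of the slide's mysql_real_escape_string()).
// Note the quotes around the value: escaping only protects a quoted literal.
function find_posts_by_author_sql(mysqli $db, string $author): string
{
    return "SELECT id, title FROM posts WHERE author = '" . $db->real_escape_string($author) . "'";
}

// Demonstration on constructed input: the injected direction is simply discarded.
echo posts_query('date', 'ASC'), PHP_EOL;
echo posts_query('date', '; TRUNCATE POSTS'), PHP_EOL;
echo posts_query('nonexistent', 'desc'), PHP_EOL;
```

The two database functions are not called here because they need a live connection; posts_query() runs offline and shows that the slide 44 payload can no longer alter the statement, because the user-supplied direction is replaced rather than escaped.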
  • 48. Application Level Security:: Session Hijacking Attack Description Session Hijacking is an attack where an attacker impersonates a legitimate user (commonly the administrator) that is currently logged in on the web application
  • 49. Application Level Security:: Session Hijacking Attack Possible Damage ● Attacker gaining administrator privileges; the damage/threat is highly serious.
  • 50. Application Level Security:: Session Hijacking Attack Vectors ● Session ID fixation via XSS ● Web application is not going through HTTPS and is therefore sniffable ● Session ID is not regenerated when necessary
  • 51. Application Level Security:: Session Hijacking Attack Prevention ● Protect the site against XSS attacks (fixation avoidance only) ● Regenerate the SID whenever necessary and do not trust user-specified session IDs ● Deliver the web app over HTTPS to avoid getting sniffed
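The three prevention points on slide 51 map onto a handful of PHP session settings and two calls to session_regenerate_id(). The block below is an added example, not code from the slides: session.use_strict_mode rejects IDs the server never issued (the "do not trust user-specified session id" point), the cookie is marked Secure so it only travels over HTTPS, HttpOnly keeps it away from injected script, and the ID is regenerated at login and periodically. The check_credentials() stand-in, the 15-minute rotation interval and the helper names are assumptions of this example.

```php
<?php
// Added example, not from the slides: session configuration and login handling
// implementing the prevention points on slide 51. check_credentials() stands in
// for the application's real check; the rotation interval is an assumed policy.

function secure_session_start(bool $https): void
{
    // Reject session IDs that this server did not generate (fixation defence).
    ini_set('session.use_strict_mode', '1');
    // Carry the ID only in the cookie, never in URLs where it can leak via Referer.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Array form of session_set_cookie_params requires PHP 7.3+.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $https,   // slide 51: the cookie is only sent over HTTPS
        'httponly' => true,     // not readable by injected JavaScript (slide 50 vector)
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Stand-in for the application's credential check; a real app loads stored hashes.
function check_credentials(string $user, string $pass): bool
{
    $hashes = ['admin' => password_hash('correct horse', PASSWORD_DEFAULT)]; // constructed
    return isset($hashes[$user]) && password_verify($pass, $hashes[$user]);
}

function login(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    // Privilege changes here, so discard the pre-login ID: anything planted or
    // sniffed before this point no longer identifies the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['login_time'] = time();
    return true;
}

// Regenerate on a schedule too, so a captured ID has a bounded useful life.
function rotate_if_stale(int $maxAge = 900): void
{
    if (isset($_SESSION['login_time']) && time() - $_SESSION['login_time'] > $maxAge) {
        session_regenerate_id(true);
        $_SESSION['login_time'] = time();
    }
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie client-side as well as destroying the server-side data.
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage in the login script:
//   secure_session_start(!empty($_SERVER['HTTPS']));
//   if (login($_POST['user'] ?? '', $_POST['pass'] ?? '')) { header('Location: /admin'); exit; }
// And at the top of every authenticated page, after secure_session_start():
//   rotate_if_stale();
```

session_regenerate_id(true) deletes the old session file rather than leaving a copy behind, which matters for the fixation case: without the delete, an ID an attacker already holds would keep pointing at a valid, now-authenticated session.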
  • 52. In a nutshell: ● The server level is part of the web application. It is necessary to secure the server as well. 30% of web application attacks are still suffered by the server. ● "Do not trust user input" is not enough; make user input TRUSTABLE by filtering methods before it undergoes processing. ● Tokenize your forms whenever necessary ● Use the SSL layer (via HTTPS) when dealing with highly sensitive data to avoid being sniffed or captured.
  • 53. I hope you enjoyed.. The End...