Web Application Security
by Example (for LAMP)
Arpee Ong
Event: Tri{PHP}le Treat@USAutoparts Philippines hosted by PHPUGPH
Topic: Web Application Security

Who Am I?
 Name: Richard Peter Ong a.k.a. Arpee
 Work: Lead Developer, Internal Projects at SysIQ Inc.
 Open Source Affiliations: a.) core developer, MiaCMS

Who Are you?
 ✔ PHP Developers/Programmers
 ✔ L/U/W AMP SysAdmins
 ✔ IT Managers and Practitioners
 ✔ Geeks and hackers..

Scope and Coverage:
 ● Securing a Basic U/L AMP Server
 ● Web Application Attacks: Description, Samples and Prevention

WHAT IS A WEB APPLICATION?
 ✔ Any application that is served commonly via the http or https protocol
 ✔ Usually served from a remote computer acting as a host/server

WHAT IS SECURITY?
 ✔ A state of being free from damage and from being compromised
 ✔ A condition of being protected against danger or loss

Levels of WebApp Security:
 ✔ Server Level
 ✔ Application Level

Server Level Security:
 ✔ The Box(es) (physical or virtual server(s))
 ✔ httpd (Apache)
 ✔ mysqld (MySQL)
 ✔ PHP

Secure the Box:
 ✔ Filesystem
 ✔ Firewall

Filesystem:: File Ownership and Permission
 ✔ Folders should be 0755
 ✔ Files should be 0644
 ✔ Files and Folders under the Document Root should be owned by the Apache User
 ✔ 666 is evil in the web world, and so is 777.

Filesystem:: How to Set Permissions
 ✔ Folders
     chmod 0755 {directory}
 ✔ Files
     chmod 0644 {files}

Filesystem:: How to Set Ownership
 ✔ Files/Folders
     chown -R {apache_user} {document_root}
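The three filesystem slides above describe a state to reach; the script below, an added example that is not part of the slides, checks whether a document root is actually in that state (folders 0755, files 0644, everything owned by the Apache user, nothing world-writable like 666/777) and reports every deviation without changing anything. The document root path and the Apache user name are taken from the command line; the defaults shown are assumptions.

```php
<?php
// Added example, not from the slides: php-cli audit of a document root
// against the permission and ownership rules on the previous slides.
// It only reports; fixing is left to chmod/chown as shown above.

function auditDocumentRoot(string $docRoot, string $apacheUser): array
{
    $findings = [];
    // Resolve the Apache user to a uid; if the posix extension is missing
    // or the user is unknown, the ownership check is skipped (null).
    $pw = function_exists('posix_getpwnam') ? posix_getpwnam($apacheUser) : false;
    $wantedUid = $pw ? $pw['uid'] : null;

    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docRoot, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $entry) {
        /** @var SplFileInfo $entry */
        $path     = $entry->getPathname();
        $mode     = $entry->getPerms() & 0777;        // permission bits only
        $expected = $entry->isDir() ? 0755 : 0644;

        if ($mode & 0002) {                           // world-writable: the 666/777 case
            $findings[] = sprintf('%s is world-writable (%04o)', $path, $mode);
        } elseif ($mode !== $expected) {
            $findings[] = sprintf('%s has mode %04o, expected %04o', $path, $mode, $expected);
        }
        if ($wantedUid !== null && $entry->getOwner() !== $wantedUid) {
            $findings[] = sprintf('%s is not owned by %s', $path, $apacheUser);
        }
    }
    return $findings;
}

// Usage: php audit.php /var/www/html www-data   (both values are assumptions)
$docRoot    = $argv[1] ?? '/var/www/html';
$apacheUser = $argv[2] ?? 'www-data';
$findings   = auditDocumentRoot($docRoot, $apacheUser);
foreach ($findings as $finding) {
    echo $finding, PHP_EOL;
}
exit($findings === [] ? 0 : 1);   // non-zero exit lets a cron job raise an alert
```

Run it as the same user that deploys the site; a non-zero exit status makes it easy to wire into cron or a deployment hook so that a stray 777 is caught before it is served.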
Firewall:: Opened Ports
 ✔ Port 80     Web/Http
 ✔ Port 443    Web/Https
 ✔ Port 21     FTP
 ✔ Port 22     SSH
 ✔ Port 25     SMTP (outgoing)
 ✔ Port 110    POP (inbound)
 ✔ Port 3306   MySQL Daemon

Secure httpd (Apache):
 ✔ Set an apache user
 ✔ Do not run apache as root
 ✔ 3rd Party Tools:
     ✔ ModSecurity http://www.modsecurity.org/

Secure the mysqld (MySQL):
 ✔ Set root(admin) password
 ✔ Rename the root(admin) account
 ✔ Restrict Network Access
 ✔ Use SSH Tunneling/Port Forwarding if necessary

MySQL:: Set Admin Password
 mysql -u root
 mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');
 mysql> FLUSH PRIVILEGES;

MySQL:: Change Admin Username
 mysql -u root -p{PASSWORD}
 mysql> USE mysql;
 mysql> UPDATE user SET user="mydbadmin" WHERE user="root";
 mysql> FLUSH PRIVILEGES;

MySQL:: Why Restrict Network Access?
 ✔ Usually only your web application needs access to the MySQL Server, NOTHING ELSE.

MySQL:: How to Restrict Network Access?
 ✔ Open my.cnf
 ✔ Add the skip-networking parameter to mysqld or mysqld_safe (depending on which you are using)

MySQL:: How to tunnel mysql via ssh?
 ssh -N -f -L 3306:localhost:3306 user@mysql_server.com
 -N   Do not execute a command (useful for port forwarding only)
 -f   Run in background
 -L   port:host:hostport
Secure php.ini (PHP):
 ✔ disable_functions
 ✔ register_globals=off
 ✔ allow_url_fopen=on/off
 ✔ allow_url_include=off
 ✔ 3rd Party Tools:
     ✔ Suhosin http://www.hardened-php.net/suhosin/

PHP:: Functions to disable
 ✔ exec() - executes a command
 ✔ passthru() - executes a command and displays its raw output

PHP:: Register Globals
 ✔ DO NOT ENABLE register_globals
 ✔ Write your apps to use the SuperGlobals ($_GET, $_POST, $_REQUEST and $_SERVER) instead when initializing variables and their values.

PHP:: allow_url_fopen, allow_url_include
 ✔ allow_url_fopen - if set to on, allows treatment of URLs as files
 ✔ allow_url_include - if set to on, allows include/require to open URLs (like http:// or ftp://) as files.

PHP:: misuse of register_globals, allow_url_fopen and allow_url_include altogether >>
 ✔ SEE remote file inclusion attacks..
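The php.ini slides list the directives to set; the script below, an added example that is not part of the slides, verifies from inside PHP that the running configuration matches them. It reads the directives with ini_get() and, for disable_functions, relies on the fact that a disabled function reports false from function_exists(). Run it with the same php.ini the web server loads (the path in the usage line is an assumption).

```php
<?php
// Added example, not from the slides: self-check of the php.ini hardening
// items above. Exit status 1 means at least one item needs attention.

function checkPhpIni(): array
{
    $problems = [];

    // register_globals: must be off. ini_get() returns false when the
    // directive no longer exists (PHP >= 5.4 removed it), which passes.
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'register_globals is on';
    }
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'allow_url_include is on';
    }
    // The slide lists allow_url_fopen as on/off, so it is reported rather
    // than failed; the admin decides whether the app really needs it.
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'allow_url_fopen is on (acceptable only if the app opens remote URLs)';
    }

    // disable_functions: the slide names exec() and passthru(). A function
    // listed there is invisible to function_exists(), so test that directly
    // instead of parsing the comma-separated directive value.
    foreach (['exec', 'passthru'] as $fn) {
        if (function_exists($fn)) {
            $problems[] = "$fn() is still callable; add it to disable_functions";
        }
    }
    return $problems;
}

// Usage: php -c /etc/php.ini check_ini.php   (path is an assumption)
$problems = checkPhpIni();
if ($problems === []) {
    echo "php.ini hardening checks passed\n";
    exit(0);
}
foreach ($problems as $problem) {
    echo "WARN: $problem\n";
}
exit(1);
```

Because php-cli and mod_php can load different ini files, the check is only meaningful when pointed at the web server's configuration; the same function can also be dropped into a one-off web page during setup and removed afterwards.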
Application Level Security:: Attack Samples and Prevention
 ✔ Remote File Inclusion
 ✔ Form Spoofing
 ✔ XSS (Cross-Site Scripting)
 ✔ CSRF (Cross-Site Request Forgery)
 ✔ SQL Injection
 ✔ Session Fixation

Application Level Security:: Remote File Inclusion
 Description:
   A Remote File Inclusion is a type of attack where an attacker executes a PHP script of his liking against the target web application.

Application Level Security:: Remote File Inclusion
 Possible Damage:
   ● Expose/Modify variable values of the script doing the include()
   ● Expose stored credentials, eg. the MySQL user/pass from a webapp configuration file

Application Level Security:: Remote File Inclusion
 Vectors:
   ● User-controllable value of a variable passed to include() or require()

Application Level Security:: Remote File Inclusion
 Prevention:
   ● Disable register_globals
   ● Disable allow_url_fopen
   ● Disable allow_url_include
   ● Do not include() from a dynamic variable with a user-controllable value
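The last prevention item is the one the application developer controls, and it is easiest to see in code. The block below is an added example, not part of the slides: it shows the include() pattern the slides warn about next to a version where the request value only selects a key in a fixed allowlist, so no path is ever assembled from user input. The page names and the pages/ directory are assumptions for illustration.

```php
<?php
// Added example, not from the slides: remote file inclusion, the vulnerable
// include() beside the allowlisted one.

// Vulnerable: whatever arrives in ?page= goes straight into include().
// With allow_url_include on, that value can be a remote URL and the server
// runs the attacker's script, which is the attack described above.
function renderPageVulnerable(array $get): void
{
    include $get['page'];
}

// Hardened: the file path is never built from user input. The request value
// only selects an entry in this map; anything unknown falls back to the
// default page instead of being used as a path.
const PAGE_MAP = [
    'home'    => __DIR__ . '/pages/home.php',     // assumed file layout
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage(?string $requested): string
{
    if ($requested !== null && array_key_exists($requested, PAGE_MAP)) {
        return PAGE_MAP[$requested];
    }
    return PAGE_MAP['home'];
}

function renderPageHardened(array $get): void
{
    $file = resolvePage(isset($get['page']) ? (string) $get['page'] : null);
    include $file;
}

// Constructed checks of the resolver (nothing is actually included here):
assert(resolvePage('about') === PAGE_MAP['about']);
assert(resolvePage(null) === PAGE_MAP['home']);
assert(resolvePage('http://example.invalid/evil.txt') === PAGE_MAP['home']);
```

The allowlist also makes the php.ini settings above defence in depth rather than the only barrier: even on a host where allow_url_include is on, the hardened version has no user-controlled path to hand to include().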
Application Level Security:: Form Spoofing
 Description:
   A type of attack where an HTML Form is mimicked or copied and then submitted from a location different from the original.

Application Level Security:: Form Spoofing
 Possible Damage:
   ● Bypass client-side validation
   ● Mass data insertion resulting in a flood (eg. flooded guestbooks, forum boards etc.)

Application Level Security:: Form Spoofing
 Vectors:
   ● No Form Tokens present, thus all requests thrown at the accepting script are considered valid

Application Level Security:: Form Spoofing
 Prevention:
   ● Tokenize the form
   ● [optional] Check the Referrer
Application Level Security:: XSS
 Description:
   Cross-Site Scripting is a type of attack where an attacker inserts HTML code into the HTML output of the web application, usually client-side code such as JavaScript. The injected HTML/JS code is then executed in the browsers of users visiting the infiltrated web application.

Application Level Security:: XSS
 Possible Damage:
   ● Steal/Fixate browser cookies and direct to another page
   ● Redirect the user to another page
   ● Mess up the format of a web application page

Application Level Security:: XSS
 Vectors:
   ● Unfiltered input forms

Application Level Security:: XSS
 Prevention:
   ● "Do Not Trust User Input" is not enough, I say: Make User Input Trustable
   ● Filter incoming data
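"Make user input trustable" has two halves that the slides name but do not show: validate each field against what it is supposed to contain on the way in, and escape every value for the HTML context it is printed into on the way out. The block below is an added example, not part of the slides, using a guestbook with constructed field names and a constructed submission that carries a script tag.

```php
<?php
// Added example, not from the slides: input filtering plus output escaping
// for a guestbook entry, the two halves of "make user input trustable".

declare(strict_types=1);

// Escape for an HTML text node or a double-quoted attribute value.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate the guestbook fields (names are assumptions): a display name of
// 1-40 letters, digits or spaces, and a message capped at 500 characters.
// Returns [$clean, $errors]; an empty $errors means the input passed.
function filterGuestbookInput(array $post): array
{
    $errors = [];
    $name = trim((string) ($post['name'] ?? ''));
    if (!preg_match('/^[\p{L}\p{N} ]{1,40}$/u', $name)) {
        $errors[] = 'name must be 1-40 letters, digits or spaces';
    }
    $message = trim((string) ($post['message'] ?? ''));
    if ($message === '' || mb_strlen($message, 'UTF-8') > 500) {
        $errors[] = 'message must be 1-500 characters';
    }
    return [['name' => $name, 'message' => $message], $errors];
}

// Render one entry. Escaping happens at output time, so data that passed
// validation (or that was already stored in the database) still cannot
// turn into markup when it is displayed.
function renderEntry(array $entry): string
{
    return '<div class="entry"><b>' . h($entry['name']) . '</b>: '
         . h($entry['message']) . '</div>';
}

// Constructed submission containing a script tag in the free-text field:
$post = ['name' => 'Mallory', 'message' => '<script>alert(1)</script>'];
[$clean, $errors] = filterGuestbookInput($post);
assert($errors === []);                        // within the length rules
$html = renderEntry($clean);
assert(strpos($html, '<script>') === false);   // the tag is now inert text
echo $html, PHP_EOL;
```

The message field deliberately allows any characters, since a length rule cannot tell legitimate angle brackets from hostile ones; that is exactly why escaping at output, not filtering alone, is what keeps the browser from executing it.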
Application Level Security:: CSRF
 Description:
   Cross-Site Request Forgery is a type of attack where an attacker forces an unknowing victim into making (malicious) HTTP requests.

Application Level Security:: CSRF
 Possible Damage:
   ● Make the victim execute an operation without his knowledge on a web application while being validly authenticated (eg. change account details, logout, spam etc.)

Application Level Security:: CSRF
 Vectors:
   ● XSS Vulnerabilities
   ● Untokenized forms
   ● Usage of $_GET for operations where $_POST would be better suited

Application Level Security:: CSRF
 Prevention:
   ● Use $_POST instead of $_GET and/or $_REQUEST
   ● Filter incoming data
   ● Tokenize
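"Tokenize the form" is the prevention named for both Form Spoofing and CSRF above, and "use $_POST" is the other CSRF item; one block serves both. It is an added example, not part of the slides: a per-session secret is issued once, embedded as a hidden field, and a submission is accepted only if it is a POST carrying that exact value. The session key and field name are assumptions, and the walk-through at the bottom uses constructed arrays in place of $_SESSION, $_SERVER and $_POST.

```php
<?php
// Added example, not from the slides: form tokens against form spoofing and
// CSRF, plus the POST-only rule.

declare(strict_types=1);

const TOKEN_FIELD = 'form_token';   // assumed session key and input name

// Issue a token once per session (kept server-side, copied into the form).
function issueFormToken(array &$session): string
{
    if (empty($session[TOKEN_FIELD])) {
        $session[TOKEN_FIELD] = bin2hex(random_bytes(32));   // 256 bits of entropy
    }
    return $session[TOKEN_FIELD];
}

// Hidden input to place inside every state-changing form.
function formTokenInput(array &$session): string
{
    $token = htmlspecialchars(issueFormToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . TOKEN_FIELD . '" value="' . $token . '">';
}

// Accept a submission only if it is a POST carrying this session's token.
// hash_equals() compares in constant time, so the token cannot be guessed
// one byte at a time from response timing.
function isValidSubmission(array &$session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;            // links, images and other GET requests cannot submit
    }
    $expected = $session[TOKEN_FIELD] ?? '';
    $given    = $post[TOKEN_FIELD] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// Constructed walk-through standing in for $_SESSION / $_SERVER / $_POST:
$session = [];
$hidden  = formTokenInput($session);     // this is what the real form renders
$token   = $session[TOKEN_FIELD];

// Genuine submission from the rendered form:
assert(isValidSubmission($session, 'POST', [TOKEN_FIELD => $token, 'msg' => 'hi']));
// Spoofed copy of the form submitted from elsewhere: no token for this session.
assert(!isValidSubmission($session, 'POST', ['msg' => 'spam']));
// Forged cross-site request carrying a made-up token:
assert(!isValidSubmission($session, 'POST', [TOKEN_FIELD => str_repeat('0', 64)]));
// The same operation attempted via GET is refused regardless of the token:
assert(!isValidSubmission($session, 'GET', [TOKEN_FIELD => $token]));
```

In the real handler the three constructed arrays are $_SESSION, $_SERVER['REQUEST_METHOD'] and $_POST; reading the token from $_POST rather than $_REQUEST is what makes the POST-only rule hold, since $_REQUEST would also accept it from the query string.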
Application Level Security:: SQL Injection
 Description:
   An SQL Injection is an attack where an attacker is able to execute arbitrary SQL code against the database.

Application Level Security:: SQL Injection: Basic Sample
 //legit
 $sort = 'ASC';
 //malicious injection?
 $sort = '; TRUNCATE POSTS';
 //actual query
 $query = "SELECT * FROM posts ORDER BY date_entered $sort";
 // Output Query: uh-oh!
 SELECT * FROM posts ORDER BY date_entered; TRUNCATE POSTS

Application Level Security:: SQL Injection
 Possible Damage:
   ● Corrupt data by executing TRUNCATE
   ● Alter current DB data (eg. change the admin password)

Application Level Security:: SQL Injection
 Vectors:
   ● Dynamic queries getting values from unsanitized user-submitted data

Application Level Security:: SQL Injection (MySQL)
 Prevention:
   ● Enclose user-submitted values with mysql_real_escape_string()
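The basic sample above is worth rebuilding, because mysql_real_escape_string() does not help with it: escaping protects a value that sits inside quotes, and $sort is an unquoted SQL keyword. The block below is an added example, not part of the slides: the sort column and direction are taken from fixed allowlists (anything else, including the slide's payload, falls back to the default), and the real user value is bound through a PDO prepared statement, the modern replacement for the mysql_* functions, which PHP 7 removed. The table and column names and the DSN are assumptions.

```php
<?php
// Added example, not from the slides: the ORDER BY sample done safely with
// allowlisted SQL keywords and a prepared statement for the value.

declare(strict_types=1);

const SORT_DIRECTIONS = ['ASC' => 'ASC', 'DESC' => 'DESC'];
const SORT_COLUMNS    = ['date_entered' => 'date_entered', 'title' => 'title'];

// Build the SELECT. SQL keywords come only from the allowlists above, so a
// request value like "; TRUNCATE POSTS" can never reach the query text.
function buildPostsQuery(?string $column, ?string $direction): string
{
    $col = SORT_COLUMNS[$column ?? ''] ?? 'date_entered';
    $dir = SORT_DIRECTIONS[strtoupper($direction ?? '')] ?? 'ASC';
    return "SELECT * FROM posts WHERE author = :author ORDER BY $col $dir";
}

// Run it with the user-supplied value bound as a parameter, never
// interpolated into the string.
function fetchPosts(PDO $db, string $author, ?string $column, ?string $direction): array
{
    $stmt = $db->prepare(buildPostsQuery($column, $direction));
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed checks of the builder against the slide's payload:
assert(buildPostsQuery('date_entered', 'ASC')
    === 'SELECT * FROM posts WHERE author = :author ORDER BY date_entered ASC');
assert(buildPostsQuery('date_entered', '; TRUNCATE POSTS')
    === 'SELECT * FROM posts WHERE author = :author ORDER BY date_entered ASC');
assert(buildPostsQuery('title; DROP TABLE posts', 'desc')
    === 'SELECT * FROM posts WHERE author = :author ORDER BY date_entered DESC');

// Live use (connection details are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
// ]);
// $rows = fetchPosts($db, $_GET['author'] ?? '', $_GET['col'] ?? null, $_GET['sort'] ?? null);
```

The rule of thumb this encodes: values go through parameters, identifiers and keywords go through allowlists, and string escaping is reserved for the legacy code paths that cannot yet be converted.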
Application Level Security:: Session Hijacking
 Description:
   Session Hijacking is an attack where an attacker impersonates a legitimate user (commonly the administrator) that is currently logged in on the web application.

Application Level Security:: Session Hijacking
 Possible Damage:
   ● Attacker gains administrator privileges; the damage/threat is highly serious.

Application Level Security:: Session Hijacking
 Vectors:
   ● Session ID Fixation via XSS
   ● Web Application is not going through HTTPS and is therefore sniffable
   ● Session id is not regenerated when necessary

Application Level Security:: Session Hijacking
 Prevention:
   ● Protect the site against XSS attacks (fixation avoidance only)
   ● Regenerate the SID whenever necessary and do not trust a user-specified session id
   ● Deliver the web app over HTTPS to avoid getting sniffed
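The session prevention items map directly onto PHP session settings and two calls in the login flow. The block below is an added example, not part of the slides: strict mode makes PHP discard a session id it did not issue (the fixation case), the cookie is restricted to HTTPS and hidden from JavaScript, and the id is regenerated on login and logout. The account table is a constructed stand-in for the application's real user store.

```php
<?php
// Added example, not from the slides: hardened session start plus a
// login/logout pair that regenerate the session id.

declare(strict_types=1);

function startHardenedSession(): void
{
    // An id that is not already in the session store is discarded and
    // replaced, so a value planted on the victim (e.g. via XSS) is never
    // adopted as a live session.
    ini_set('session.use_strict_mode', '1');
    // Accept the id from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only: not sniffable in clear text
        'httponly' => true,    // not readable through document.cookie
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed stand-in for the real credential store (assumption): one
// account whose password hash is computed once per process.
function accounts(): array
{
    static $accounts = null;
    if ($accounts === null) {
        $accounts = ['admin' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    }
    return $accounts;
}

function login(string $user, string $password): bool
{
    $hash = accounts()[$user] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Privilege level changes here: issue a brand-new id and delete the old
    // one, so whatever id the browser carried before login is now useless.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);   // the old id can no longer resume this session
    session_destroy();
}

startHardenedSession();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = login((string) ($_POST['user'] ?? ''), (string) ($_POST['password'] ?? ''));
    echo $ok ? 'logged in' : 'login failed';
}
```

The secure flag only does its job if the site is actually served over HTTPS, which is the third prevention item; with it set, a browser will not send the cookie over a plain http:// link even if one slips into the page.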
In a nutshell:
 ● The Server Level is part of the Web Application. It is necessary to secure the Server as well. 30% of Web Application Attacks are still suffered by the Server.
 ● "Do not Trust User Input" is not enough; make User Input TRUSTABLE by filtering methods before it undergoes processing.
 ● Tokenize your forms whenever necessary
 ● Use an SSL Layer (via https) when dealing with highly sensitive data to avoid it being sniffed or captured.

I hope you enjoyed.. The End...