Web Application Security
Event: Tri{PHP}le Treat@USAutoparts Philippines hosted by PHPUGPH
Topic: Web Application Security

Transcript

  • 1. Web Application Security by Example (for LAMP) Arpee Ong
  • 2. Who Am I? Name: Richard Peter Ong a.k.a. Arpee Work: Lead Developer, Internal Projects at SysIQ Inc. Open Source Affiliations: a.) core developer, MiaCMS
  • 3. Who Are you? ✔ PHP Developers/Programmers ✔ L/U/W AMP SysAdmins ✔ IT Managers and Practitioners ✔ Geeks and hackers..
  • 4. Scope and Coverage: ● Securing a Basic U/L AMP Server ● Web Application Attacks Description, Samples and Prevention
  • 5. WHAT IS A WEB APPLICATION? ✔ Any application that is served commonly via http or https protocol ✔ Usually being served from a remote computer acting as a host/server
  • 6. WHAT IS SECURITY? ✔ A state of being free from damage and compromise ✔ A condition of being protected against danger or loss
  • 7. Levels of WebApp Security: ✔ Server Level ✔ Application Level
  • 8. Server Level Security: ✔ The Box(es) (physical or virtual server(s)) ✔ httpd (Apache) ✔ mysqld (MySQL) ✔ PHP
  • 9. Secure the Box: ✔ Filesystem ✔ Firewall
  • 10. Filesystem:: File Ownership and Permission ✔ Folders should be 0755 ✔ Files should be 0644 ✔ Files and Folders under Document Root should be owned by the Apache User ✔ 666 is evil in the web world, and so is 777.
  • 11. Filesystem:: How to Set Permissions ✔ Folders chmod 0755 {directory} ✔ Files chmod 0644 {files}
  • 12. Filesystem:: How to Set Ownership ✔ Files/Folders chown -R {apache_user} {document_root}
  • 13. Firewall:: Opened Ports ✔ Port 80 Web/Http ✔ Port 443 Web/Https ✔ Port 21 FTP ✔ Port 22 SSH ✔ Port 25 SMTP (outgoing) ✔ Port 110 POP (inbound) ✔ Port 3306 MySQL Daemon
  • 14. Secure httpd (Apache): ✔ Set an apache user ✔ Do not run apache as root ✔ 3rd Party Tools: ✔ ModSecurity http://www.modsecurity.org/
  • 15. Secure the mysqld (MySQL): ✔ Set root(admin) password ✔ Rename the root(admin) account ✔ Restrict Network Access ✔ Use SSH Tunneling/Port Forwarding if necessary
  • 16. MySQL:: Set Admin Password
    mysql -u root
    mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');
    mysql> FLUSH PRIVILEGES;
  • 17. MySQL:: Change Admin Username
    mysql -u root -p{PASSWORD}
    mysql> update mysql.user set user="mydbadmin" where user="root";
    mysql> FLUSH PRIVILEGES;
  • 18. MySQL:: Why Restrict Network Access? ✔ Usually only your web application needs access to MySQL Server, NOTHING ELSE.
  • 19. MySQL:: How to Restrict Network Access? ✔ Open my.cnf ✔ Add skip-networking parameter to mysqld or mysqld_safe (depending which you are using)
  • 20. MySQL:: How to tunnel mysql via ssh?
    ssh -N -f -L 3306:localhost:3306 user@mysql_server.com
    -N  Do not execute a remote command (useful for port forwarding only)
    -f  Run in background
    -L  port:host:hostport
  • 21. Secure php.ini (PHP): ✔ disable_functions ✔ register_globals=off ✔ allow_url_fopen=on/off ✔ allow_url_include=off ✔ 3rd Party Tools: ✔ Suhosin http://www.hardened-php.net/suhosin/
  • 22. PHP:: Functions to disable ✔ exec() - executes a command ✔ passthru() - executes a command and displays raw output
  • 23. PHP:: Register Globals ✔ DO NOT ENABLE register_globals ✔ Write your apps to use the superglobals instead when initializing variables and their values ($_GET, $_POST, $_REQUEST and $_SERVER)
  • 24. PHP:: allow_url_fopen, allow_url_include ✔ allow_url_fopen - if set to on, allows URLs to be treated as files ✔ allow_url_include - if set to on, allows include/require to open URLs (like http:// or ftp://) as files.
  • 25. PHP:: misuse of register_globals, allow_url_fopen and allow_url_include altogether >> ✔ SEE remote file inclusion attacks..
  • 26. Application Level Security:: Attack Samples and Prevention ✔ Remote File Inclusion ✔ Form Spoofing ✔ XSS (Cross-Site Scripting) ✔ CSRF (Cross-Site Request Forgery) ✔ SQL Injection ✔ Session Fixation
  • 27. Application Level Security:: Remote File Inclusion Attack Description A Remote File Inclusion is a type of attack where an attacker executes a PHP script of his liking against the target web application
  • 28. Application Level Security:: Remote File Inclusion Attack Possible Damage ● Expose/Modify variable values of the script doing the include() ● Expose stored credentials, e.g. MySQL user/pass from a webapp configuration file
  • 29. Application Level Security:: Remote File Inclusion Attack Vectors ● User-controllable value of a variable passed to include() or require()
  • 30. Application Level Security:: Remote File Inclusion Attack Prevention ● Disable register_globals ● Disable allow_url_fopen ● Disable allow_url_include ● Do not include() from a dynamic variable with a user-controllable value
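As an added example (not from the slides), the include() pattern slide 29 names as the attack vector, beside an allow-list replacement; the page keys and file paths are constructed for illustration.

```php
<?php
// Added example (not from the slides): the include() pattern the slide
// warns about, beside an allow-list replacement. Page keys and paths
// are constructed for illustration.

// VULNERABLE: whatever the request supplies becomes the include path.
// With allow_url_include=on that can be a remote URL; even with URLs
// off, "../" still reaches arbitrary local files.
function render_page_vulnerable(array $get): void
{
    $page = $get['page'] ?? 'home';
    include $page . '.php';
}

// HARDENED: the request only selects a key; the real path comes from a
// fixed map that user input cannot alter, so include() never sees the
// raw request value.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page($requested): ?string
{
    // Non-string input (page[]=x) and unknown keys both yield null;
    // "../etc/passwd" or "http://..." are simply not keys in the map.
    if (!is_string($requested)) {
        return null;
    }
    return PAGES[$requested] ?? null;
}

function render_page(array $get): void
{
    $path = resolve_page($get['page'] ?? 'home');
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

render_page($_GET);
```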
  • 31. Application Level Security:: Form Spoofing Attack Description A type of attack where an HTML form is mimicked or copied and then submitted from a location different from the original
  • 32. Application Level Security:: Form Spoofing Attack Possible Damage ● Bypass client-side validation ● Mass data insertion resulting in flooding (e.g. flooded guestbooks, forum boards etc.)
  • 33. Application Level Security:: Form Spoofing Attack Vectors ● No form tokens present, thus all requests thrown at the accepting script are considered valid
  • 34. Application Level Security:: Form Spoofing Attack Prevention ● Tokenize the form ● [optional] Check Referrer
  • 35. Application Level Security:: XSS Attack Description Cross-Site Scripting is a type of attack where an attacker inserts HTML code into the HTML output of the web application, usually client-side code such as JavaScript. The injected HTML/JS code is then executed in the browsers of users visiting the infiltrated web application
  • 36. Application Level Security:: XSS Attack Possible Damage ● Steal/Fixate browser cookies and direct to another page ● Redirect user to another page ● Mess up the format of a web application page
  • 37. Application Level Security:: XSS Attack Vectors ● Unfiltered input forms
  • 38. Application Level Security:: XSS Attack Prevention ● "Do Not Trust User Input" is not enough, I say: Make User Input Trustable ● Filter incoming data
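As an added example (not from the slides), a guestbook entry rendered first with raw input and then with output encoding chosen per context; the entry values are constructed sample input.

```php
<?php
// Added example (not from the slides): a guestbook that echoes a
// visitor's name, homepage and comment. Sample input is constructed.

// VULNERABLE: raw user input is written into the HTML output, so a
// comment containing markup or script runs in every visitor's browser.
function render_entry_vulnerable(array $entry): string
{
    return '<p><a href="' . $entry['url'] . '">' . $entry['name'] . '</a> wrote: '
         . $entry['text'] . '</p>';
}

// HARDENED: every value is encoded for the exact context it lands in.
function html(string $s): string
{
    // ENT_QUOTES also encodes ' and " so the value is safe inside
    // attributes; an explicit UTF-8 charset avoids encoding confusion.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function safe_url(string $url): string
{
    // A link attribute needs more than encoding: only http(s) URLs are
    // accepted, so javascript: or data: schemes never reach the href.
    $parts = parse_url($url);
    if ($parts === false || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return '#';
    }
    return html($url);
}

function render_entry(array $entry): string
{
    return '<p><a href="' . safe_url($entry['url']) . '">' . html($entry['name'])
         . '</a> wrote: ' . html($entry['text']) . '</p>';
}

// Constructed entry carrying both an attribute-context and a body-context payload.
$sample = [
    'name' => 'Mallory',
    'url'  => 'javascript:alert(1)',
    'text' => 'Nice site! <script>alert(1)</script>',
];
echo render_entry_vulnerable($sample), "\n"; // markup passes straight through
echo render_entry($sample), "\n";            // markup is encoded, link is neutralised
```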
  • 39. Application Level Security:: CSRF Attack Description Cross-Site Request Forgery is a type of attack where an attacker forces an unknowing victim into making (malicious) HTTP requests
  • 40. Application Level Security:: CSRF Attack Possible Damage ● Make the victim execute an operation without his knowledge on a web application while being validly authenticated (e.g. change account details, logout, spam etc.)
  • 41. Application Level Security:: CSRF Attack Vectors ● XSS vulnerabilities ● Untokenized forms ● Usage of $_GET for operations where $_POST may be best suited
  • 42. Application Level Security:: CSRF Attack Prevention ● Use $_POST instead of $_GET and/or $_REQUEST ● Filter incoming data ● Tokenize
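As an added example (not from the slides), the form token that slides 34 and 42 both prescribe, combined with the POST-only rule from slide 42; the function names and the hidden field name are constructed.

```php
<?php
// Added example (not from the slides): form tokens that defeat both form
// spoofing and CSRF. Function and field names are constructed.
session_start();

// Issue one random token per session and embed it in every form.
function form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

function token_field(): string
{
    return '<input type="hidden" name="token" value="'
         . htmlspecialchars(form_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Accept the request only if it is a POST and carries the token this
// session was given. A copied form submitted from elsewhere, or a forged
// cross-site request, has no way of knowing that value.
function request_is_trusted(): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    $sent     = $_POST['token'] ?? '';
    $expected = $_SESSION['form_token'] ?? '';
    // hash_equals compares in constant time, so timing cannot leak the token.
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!request_is_trusted()) {
        http_response_code(403);
        exit('Invalid or missing form token');
    }
    // ... process the guestbook post here ...
    echo 'Saved';
    exit;
}

// GET: show the form with its token.
echo '<form method="post" action="">', token_field(),
     '<textarea name="message"></textarea><button>Post</button></form>';
```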
  • 43. Application Level Security:: SQL Injection Attack Description An SQL Injection is an attack where an attacker is able to execute arbitrary SQL code against the database
  • 44. Application Level Security:: SQL Injection: Basic Sample
    //legit
    $sort = 'ASC';
    //malicious injection?
    $sort = '; TRUNCATE POSTS';
    //actual query
    $query = "SELECT * FROM posts ORDER BY date_entered $sort";
    // Output Query: uh-oh!
    SELECT * FROM posts ORDER BY date_entered; TRUNCATE POSTS
  • 45. Application Level Security:: SQL Injection Attack Possible Damage ● Corrupt data by executing truncate() ● Alter current DB data (e.g. change admin password)
  • 46. Application Level Security:: SQL Injection Attack Vectors ● Dynamic queries getting values from unsanitized user-submitted data
  • 47. Application Level Security:: SQL Injection (MySQL) Attack Prevention ● Enclose user-submitted values with mysql_real_escape_string()
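As an added example (not from the slides), the slide-44 ORDER BY query made safe. Escaping with mysql_real_escape_string() only neutralises quotes, backslashes and a few control bytes, so it cannot help in an unquoted position such as ORDER BY; this example therefore allow-lists the sort column and direction and binds quoted values through a PDO prepared statement. The posts table follows the slide; the column list, DSN and credentials are placeholders.

```php
<?php
// Added example (not from the slides): the slide-44 ORDER BY query made
// safe. Identifiers are allow-listed, values are bound as parameters.
// The column list, DSN and credentials below are placeholders.

function sort_direction(string $requested): string
{
    // Only the two legal keywords can ever reach the query text; the
    // slide's '; TRUNCATE POSTS' input collapses to the default.
    return strtoupper($requested) === 'DESC' ? 'DESC' : 'ASC';
}

function sort_column(string $requested): string
{
    // Constructed column list; anything else falls back to the default.
    $allowed = ['date_entered', 'title', 'author'];
    return in_array($requested, $allowed, true) ? $requested : 'date_entered';
}

function fetch_posts(PDO $db, string $author, string $col, string $dir): array
{
    // Identifiers come from the allow-lists; the user-supplied value is
    // bound as a parameter and never concatenated into the SQL string.
    $sql = 'SELECT * FROM posts WHERE author = :author ORDER BY '
         . sort_column($col) . ' ' . sort_direction($dir);
    $stmt = $db->prepare($sql);
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function str_param(string $name): string
{
    // Reject array-shaped input (sort[]=x) instead of passing it on.
    $v = $_GET[$name] ?? '';
    return is_string($v) ? $v : '';
}

$db = new PDO('mysql:host=localhost;dbname=YOUR_DB', 'YOUR_USER', 'YOUR_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
$rows = fetch_posts($db, str_param('author'), str_param('sort'), str_param('dir'));
```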
  • 48. Application Level Security:: Session Hijacking Attack Description Session Hijacking is an attack where an attacker impersonates a legitimate user (commonly the administrator) that is currently logged in on the web application
  • 49. Application Level Security:: Session Hijacking Attack Possible Damage ● Attacker gaining administrator privileges; damage/threat is highly serious.
  • 50. Application Level Security:: Session Hijacking Attack Vectors ● Session ID fixation via XSS ● Web application is not going through HTTPS and is therefore sniffable ● Session ID is not regenerated when necessary
  • 51. Application Level Security:: Session Hijacking Attack Prevention ● Protect site against XSS attacks (fixation avoidance only) ● Regenerate SID whenever necessary and do not trust user-specified session IDs ● Deliver the web app over HTTPS to avoid getting sniffed
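As an added example (not from the slides), session handling that applies the three prevention points from slide 51: the session cookie is kept away from script and off plain HTTP, server-issued IDs only are accepted, and the ID is regenerated at login and periodically. The user store and credential check are constructed placeholders.

```php
<?php
// Added example (not from the slides): session handling that counters
// fixation and sniffing. The user store below is constructed.

// Settings must be applied before session_start():
ini_set('session.use_only_cookies', '1');  // ignore session IDs passed in the URL
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
ini_set('session.cookie_httponly', '1');   // script (XSS) cannot read the cookie
ini_set('session.cookie_secure', '1');     // cookie travels only over HTTPS
ini_set('session.cookie_samesite', 'Lax'); // PHP 7.3+; limits cross-site sending
session_start();

function check_password(string $user, string $password): bool
{
    // Constructed user store; a real app reads the password_hash() value
    // for the account from its database.
    $users = ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login_user(string $username, string $password): bool
{
    if (!check_password($username, $password)) {
        return false;
    }
    // Privilege change: discard the ID the visitor arrived with (which may
    // have been fixated on them) and issue a fresh one.
    session_regenerate_id(true);
    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();
    return true;
}

function require_login(): void
{
    if (empty($_SESSION['user'])) {
        http_response_code(401);
        exit('Login required');
    }
    // Periodic rotation limits how long a captured ID stays useful.
    if (time() - ($_SESSION['login_time'] ?? 0) > 1800) {
        session_regenerate_id(true);
        $_SESSION['login_time'] = time();
    }
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}
```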
  • 52. In a nutshell: ● The Server Level is part of the Web Application. It is necessary to secure the server as well. 30% of web application attacks are still suffered by the server. ● "Do not Trust User Input" is not enough; make user input TRUSTABLE by filtering methods before it undergoes processing. ● Tokenize your forms whenever necessary ● Use the SSL layer (via HTTPS) when dealing with highly sensitive data to avoid being sniffed or captured.
  • 53. I hope you enjoyed.. The End...