Application Security (82 pages)

Posted on 12-Aug-2020

Page 1: Application Security• CERT/CC Instructor of Advanced Incident Handling for Technical Staff –

Application Security

Page 2

• [email protected]@sti.com.tw
• Defcon 9
• Web
• CISSP (Certified Information Systems Security Professional)
• CERT/CC Instructor of Advanced Incident Handling for Technical Staff

Page 3: Agenda

• Apache Security
• PHP Security
• MySQL Security

Page 4: Apache Security

Page 5: Apache exploits

Page 6: Installation and configuration

• Use Apache 2
• Keep up-to-date
• Use only the modules you need
• Configure limits
• Use SSL

Page 7: Keep up-to-date

Page 8: Keep up-to-date: Sony

Page 9

• Linux nobody apache
• apacheuser apachegroup apache

Page 10

• Linux apache
– Ex. mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex

Page 11

root apache

• cd /usr/local/apache
• chown 0 . bin conf logs
• chgrp 0 . bin conf logs
• chmod 755 . bin conf logs
• chown 0 /usr/local/apache/bin/httpd
• chgrp 0 /usr/local/apache/bin/httpd
• chmod 511 /usr/local/apache/bin/httpd

Page 12: httpd.conf

• Most administrators (>80%) use the default configuration provided by Apache
• This configuration file is fine but may be optimized security-wise by:
– Define an explicit IP address and port Apache should listen on
– Define a user and group Apache should run as
– Remove any default content (e.g. manual, CGI scripts), unused modules as well as possibly vendor-provided extras (e.g. SDB)
– Restrict access to the local file system
– Reduce the amount of information leakage

Page 13: Default httpd.conf (cont.)

• Disable directory indexing and symbolic links

Before:
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>

After:
<Directory "/usr/local/apache2/htdocs">
    Options None
    Order allow,deny
    Allow from all
</Directory>

Page 14: Changing Web Server Identity

• ServerTokens: configures the Server HTTP response header
– ServerTokens Prod
• ServerSignature: defines the content of the footer on server-generated documents
– ServerSignature Off
• mod_security:
– SecServerSignature "Microsoft-IIS/5.0"

Page 15: ServerTokens

Description: Configures the Server HTTP response header
Syntax: ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full
Default: ServerTokens Full

• ServerTokens Prod[uctOnly] – Server sends (e.g.): Server: Apache
• ServerTokens Major – Server sends (e.g.): Server: Apache/2
• ServerTokens Minor – Server sends (e.g.): Server: Apache/2.0
• ServerTokens Min[imal] – Server sends (e.g.): Server: Apache/2.0.41
• ServerTokens OS – Server sends (e.g.): Server: Apache/2.0.41 (Unix)
• ServerTokens Full (or not specified) – Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

Page 17: Server banner in HTTP response

Page 18: ServerSignature

Page 19: IP

• Order Deny,Allow
• Deny from all
• Allow from 192.168.1.0/24

Page 20: Putting Apache in Jail

• Jails are an excellent tool to isolate Apache from the rest of the system.
• mod_security provides built-in chroot support:
– SecChrootDir /usr/local/apache2
• Things to consider:
– Do not leave any setuid binaries inside.
– Do not have processes of the Apache user running outside.
– Do not allow the Apache user to write anywhere.
• How to 'chroot' an Apache tree with Linux and Solaris: http://penguin.triumf.ca/chroot.html

Page 21: Logging Basics

• Access log:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog logs/access_log combined
• Error log:
LogLevel info
ErrorLog logs/error_log
• Use mod_security:
– Log POST data
– Performance measurement
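As an added example (my own code, not from the slides), the following PHP script parses lines written with the "combined" LogFormat above and flags the requests a defender would want to review first: path traversal attempts, requests for source or backup files, and server errors. The four log lines are constructed, and the review rules are a minimal illustration, not a complete rule set.

```php
<?php
// Added example: parse Apache "combined" LogFormat lines and flag suspicious requests.
// Field order mirrors: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
declare(strict_types=1);

const COMBINED_RE = '/^(?<host>\S+) (?<ident>\S+) (?<user>\S+) \[(?<time>[^\]]+)\] '
    . '"(?<request>[^"]*)" (?<status>\d{3}) (?<bytes>\d+|-) "(?<referer>[^"]*)" "(?<agent>[^"]*)"$/';

function parseCombinedLine(string $line): ?array
{
    if (!preg_match(COMBINED_RE, $line, $m)) {
        return null; // malformed or truncated line: count these too, they can hide activity
    }
    // %r is "METHOD PATH PROTOCOL"; pad so a bare "GET /" still yields three parts
    [$method, $path, $proto] = array_pad(explode(' ', $m['request'], 3), 3, '');
    return [
        'host'    => $m['host'],
        'user'    => $m['user'] === '-' ? null : $m['user'],
        'time'    => $m['time'],
        'method'  => $method,
        'path'    => $path,
        'proto'   => $proto,
        'status'  => (int) $m['status'],
        'bytes'   => $m['bytes'] === '-' ? 0 : (int) $m['bytes'],
        'referer' => $m['referer'],
        'agent'   => $m['agent'],
    ];
}

function reviewLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $r = parseCombinedLine($line);
        if ($r === null) {
            $findings[] = "line $n: unparseable";
            continue;
        }
        // Decode once before matching, so "..%2F" is seen as "../"
        $decoded = rawurldecode($r['path']);
        if (strpos($decoded, '../') !== false) {
            $findings[] = "line $n: traversal pattern from {$r['host']}";
        }
        if (preg_match('/\.(inc|bak|sql)(\?|$)/i', $decoded)) {
            $findings[] = "line $n: request for source/backup file {$decoded}";
        }
        if ($r['status'] >= 500) {
            $findings[] = "line $n: server error {$r['status']} on {$r['path']}";
        }
    }
    return $findings;
}

// Constructed sample lines in the combined format
$sample = [
    '192.168.1.10 - - [12/Aug/2020:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Aug/2020:10:00:05 +0800] "GET /images/..%2F..%2Fetc/passwd HTTP/1.1" 404 209 "-" "curl/7.68.0"',
    '203.0.113.7 - - [12/Aug/2020:10:00:06 +0800] "GET /db_connect.inc HTTP/1.1" 200 340 "-" "curl/7.68.0"',
    '198.51.100.3 - - [12/Aug/2020:10:01:00 +0800] "POST /login.php HTTP/1.1" 500 0 "http://example.com/" "Mozilla/5.0"',
];

foreach (reviewLog($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run with `php review.php`; the third sample line shows why the later slides insist that include files end in .php rather than .inc.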

Page 22: Apache Health Monitoring

• Performance
• Availability
• mod_status
• mod_watch
• apache-monitor

An hour of activity of the Apache running on www.apache.org. Produced with apache-monitor.

Page 23: Timeout DoS

Description: Amount of time the server will wait for certain events before failing a request
Syntax: TimeOut seconds
Default: TimeOut 300
Context: server config, virtual host
Status: Core
Module: core

• Timeout 45

Page 24: Indexing

• Disable indexing to prevent content from being accidentally exposed to the public and eventually found by Google (e.g. "Index of /backup"):
– Options None or Options -Indexes
• If necessary, re-enable it only for certain directories you are aware of

Page 25: SSI

• Best practice: disable server-side includes completely
– Options -IncludesNOEXEC
– XBitHack off
• If necessary, use suexec, enable SSI and disable certain commands (e.g. #exec cmd and #exec cgi):
– Note: users will still be able to #include virtual CGI scripts from ScriptAliased directories.
• suexec: http://httpd.apache.org/docs/2.2/suexec.html

Page 26: httpd.conf

• Includes – Directory Options: Options None / -Includes
• CGI: Options None / -ExecCGI
• Apache: Options None / -FollowSymLinks

Page 27: Basic HTTP Authentication

<Directory /var/www/html/test>
    Options Indexes FollowSymLinks
    AuthType Basic
    AllowOverride AuthConfig
    AuthUserFile /var/www/userpassword
    require valid-user
    Order allow,deny
    allow from 192.168.1.0/24
</Directory>

• htpasswd -c /var/www/userpassword zeng
• htpasswd /var/www/userpassword wang

Page 28: Mod_Security

• http://www.modsecurity.org/
• SecRule syntax: SecRule VARIABLES OPERATOR [ACTIONS] (ACTIONS are optional)
• mod_security phases of an HTTP transaction:
– Phase 1: Request headers
– Phase 2: Request body
– Phase 3: Response headers
– Phase 4: Response body
– Phase 5: Logging

Page 29: Mod_Security (cont. 1)

• Positive model for one script:
<Location /apps/script.php>
    SecRule &ARGS "!@eq 1"
    SecRule ARGS_NAMES "!^statid$"
    SecRule ARGS:statID "!^\d{1,3}$"
</Location>

• IP-based allow rules:
SecRule REMOTE_ADDR "@streq 192.168.254.1" \
    allow,phase:1,nolog
SecRule REMOTE_ADDR "@beginsWith 192.168.254." \
    allow,phase:1,nolog
SecRule REMOTE_ADDR "@rx ^192\.168\.254\.(1|2|5)$" \
    allow,phase:1,nolog

Page 30: Mod_Security (cont. 2)

• Command execution attacks:
– SecFilter /etc/password
– SecFilter /bin/ls
• Directory traversal and XSS attacks:
– SecFilter "\.\./"
– SecFilter "<(.|\n)+>"
– SecFilter "<[[:space:]]*script"
• Forbid file upload:
– SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data

Page 31: Mod_Evasive

• http://www.zdziarski.com/projects/mod_evasive/
• mod_evasive example (in httpd.conf):

<IfModule mod_evasive.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 300
    DOSLogDir <PathToYourApacheLogDirHere>
    DOSEmailNotify [email protected]
</IfModule>

Page 32: PHP Security

Page 33: Types of PHP Attacks

• PHP vulnerabilities
• Command execution and/or writing to the file system
• SQL injection
• Session hijacking
• Cross Site Scripting (XSS)
• Cross Site Request Forgeries (CSRF)
• Session reading/predicting

Page 34: PHP vulnerabilities

Page 35: PHP 5.3.6 Buffer Overflow PoC

Page 36: PHP 5.3.6 patch

• http://svn.php.net/viewvc/php/php-src/trunk/ext/sockets/sockets.c?r1=311369&r2=311368&pathrev=311369

Page 37: php.net security notice

• [19-Mar-2011]
• The wiki.php.net box was compromised and the attackers were able to collect wiki account credentials. No other machines in the php.net infrastructure appear to have been affected. Our biggest concern is, of course, the integrity of our source code. We did an extensive code audit and looked at every commit since 5.3.5 to make sure that no stolen accounts were used to inject anything malicious. Nothing was found. The compromised machine has been wiped and we are forcing a password change for all svn accounts.
• We are still investigating the details of the attack which combined a vulnerability in the Wiki software with a Linux root exploit.

Page 38: Securing PHP

• Default php.ini < V4.8 (5.3.6 now):
; WARNING
; This is the default settings file for new PHP installations.
; By default, PHP installs itself with a configuration suitable for
; development purposes, and *NOT* for production purposes.
• Newer installs are better.
• Many PHP applications are installed with a default php.ini. Therefore vulnerabilities can be exploited.

Page 39: Secure PHP Settings

• Turn off display_errors:
– display_errors = Off
• Log errors instead of showing them on screen:
– log_errors = On
• Users get information about your webserver through these errors – handle errors!

Fatal error: Call to undefined function view_details() in D:\wamp\www\security\fatal.php on line 2

• error_reporting = E_ALL (better error reporting)

Page 40: More Settings

• session.save_path = /opt/php/session (should be specified explicitly, where /opt has no Apache quota)
• session.gc_maxlifetime = 600 (ten minutes of inactivity)
• Turn off magic_quotes_gpc in php.ini:
– magic_quotes_gpc = off
• Why?
– Problematic: adds extra slashes in most cases
– Requires more processing power and memory if turned on
• mysql_real_escape_string is better

Page 41: More Settings

• register_globals = Off – never turn on
– Too easy to write insecure code
– Auto-initializes variables from GET/POST/Cookie data

URL: index.php?administrator=xyz

<?php
if (isset($administrator)) {
    $authorized = true;
}
?>

Page 42: More Settings

safe_mode = On (enable if possible)
safe_mode_gid = On (enable if possible)

• Especially useful in highly critical attacks.
• Cannot see files not owned by the script owner.
• Cannot execute files not owned by the script owner.
• Functions restricted/disabled by safe mode: http://tw2.php.net/manual/zh/features.safe-mode.functions.php

Page 43: Developing Best Practices

• Develop with security and production in mind.
• Form strict policies concerning how data is sanitized and at what stage.
• $_GET, $_COOKIE, $_POST should always be sanitized according to where it's going, not where it came from:
– MySQL = mysql_real_escape_string()
– Postgres = pg_escape_string()
– The P.E.A.R. DB class handles database data with "?" replacements.
– To browser = htmlentities() or strip_tags()
– To shell = escapeshellcmd()

Page 44: To Remove Javascript and reduce XSS attacks

• Use preg_replace() on …
• javascript: onclick ondblclick onmousedown onmouseup onmouseover onmousemove onmouseout onkeypress onkeydown onkeyup

Page 45: Developing Best Practices cont.

• Form strict policies concerning sessions (storage, timeouts, session id length, etc.).
• If on a multiuser machine, set a custom session.save_path or save session data to a database.
• Use session_regenerate_id() to prevent fixation, especially after privilege escalation.

Page 46: File Extension for your code

• Don't use .inc to save PHP code
• Must end in .php
• Most default installations are geared to interpret only .php files
• .inc files may show up your PHP code as text in the browser

Page 47: Developing Best Practices cont. – Securing Includes

• Place them outside of the document root.
• ini_set("include_path", ".:/home/user/libs");
• But, if you have to place them in root… end them in .php, so source is not revealed. Ex. database.inc.php

<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>

Page 48: Where to put db_connect.inc.php

• Not in the document root.
• If possible, make it non-world-readable: Apache group readable.

Page 49: PHP Security – Web Applications

Page 50: Cross-Site Scripting

• A technique that allows hackers to:
– Execute malicious script in a client's Web browser
– Insert <script>, <object>, <applet>, <form>, and <embed> tags
– Steal Web session information and authentication cookies
– Access the client computer

Any Web page that renders HTML containing user input is vulnerable

Page 51: Cross-Site Scripting Attack

Page 52: Cross Site Scripting

Page 53: Fixing XSS

• White list
• htmlentities() – converts all possible characters to HTML entities (&lt; &gt; ...)
• htmlspecialchars() – converts only <, >, ', ", & to HTML entities
• strip_tags ( string $str [, string $allowable_tags ] ) – removes all tags or retains only selected tags
– Partial removal of tags still causes problems
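The "sanitize for the destination" rule from Page 43 and the XSS fixes on this page are demonstrated together in the following added example (my own code, built only on PHP's standard functions, not code from the deck). It encodes the same input for three destinations and shows why an allow-list of tags in strip_tags() is not a fix: the allowed tag survives with every attribute on it.

```php
<?php
// Added example: encode for the destination the data is going to, never for where it came from.
declare(strict_types=1);

// Destination: HTML text or a quoted attribute value.
function forHtml(string $s): string
{
    // ENT_QUOTES also encodes the single quote, so the value is safe inside
    // single-quoted attributes; the charset must match the page's declared one.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Destination: one argument of a shell command. escapeshellarg() wraps the whole
// value in single quotes; escapeshellcmd() only escapes metacharacters and still
// lets whitespace split one value into several arguments.
function forShellArg(string $s): string
{
    return escapeshellarg($s);
}

// Destination: a URL query parameter.
function forUrlParam(string $s): string
{
    return rawurlencode($s);
}

// The "partial removal" trap: strip_tags() with an allow-list keeps the allowed
// tag together with its attributes, so an inline event handler is left intact.
function stripTagsKeepingLinks(string $s): string
{
    return strip_tags($s, '<a>');
}

// Constructed input: a link carrying an event handler, followed by a script element
$input = '<a href="/profile" onmouseover="alert(1)">me</a><script>alert(1)</script>';

echo forHtml($input), PHP_EOL;
// &lt;a href=&quot;/profile&quot; onmouseover=&quot;alert(1)&quot;&gt;me&lt;/a&gt;&lt;script&gt;...
// rendered as text by the browser; nothing executes

echo stripTagsKeepingLinks($input), PHP_EOL;
// <a href="/profile" onmouseover="alert(1)">me</a>alert(1)
// the <script> element is gone, but the handler on the allowed <a> survived

echo forShellArg('report.txt; ls'), PHP_EOL;   // 'report.txt; ls'  (one quoted argument)
echo forUrlParam('a b&c=d'), PHP_EOL;          // a%20b%26c%3Dd
```

Output encoding at the point of use is the general fix; strip_tags() is a formatting tool, not an escaping function.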

Page 54: How XSRF Works - 1

1. Alice opens bank.com/login.html and submits /auth with uname=victim&pass=fmd9032; the bank sets Cookie: sessionid=40a4c04de.
2. Alice requests /viewbalance with Cookie: sessionid=40a4c04de; the bank replies "Your balance is $25,000".

Page 55: How XSRF Works - 2

1. Alice is logged in to bank.com (after /auth with uname=victim&pass=fmd9032 she holds Cookie: sessionid=40a4c04de).
2. She visits evil.org/evil.html, which contains: <IMG SRC=http://bank.com/paybill?addr=123 evil st & amt=$10000>
3. Her browser fetches /paybill?addr=123 evil st, amt=$10000 from bank.com and attaches Cookie: sessionid=40a4c04de.
4. The bank replies "OK. Payment Sent!".

Page 56: XSRF – Protection - 1

• Ensure that there are no XSS vulnerabilities in your application
• Insert custom random tokens into every form and URL that will not be automatically submitted by the browser. For example:

<form action="/transfer.do" method="post">
    <input type="hidden" name="8438927730" value="43847384383">
    …
</form>
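The token scheme above, as an added example (my own code, not from the slides): one unguessable token per session, emitted as a hidden field and checked with a constant-time comparison on every state-changing POST. The session is an ordinary array here so the script runs from the CLI; in the application it would be $_SESSION. The function names are my own.

```php
<?php
// Added example: per-session anti-CSRF token issued once and verified on every POST.
declare(strict_types=1);

const CSRF_KEY = 'csrf_token';

// Create the token once per session: 32 bytes from the CSPRNG, hex-encoded.
function issueCsrfToken(array &$session): string
{
    if (empty($session[CSRF_KEY])) {
        $session[CSRF_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_KEY];
}

// The hidden field every state-changing form must carry. A forged request from
// another origin cannot read this value, so it cannot reproduce it.
function csrfHiddenField(array &$session): string
{
    $token = htmlspecialchars(issueCsrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Verify on POST: the session must already hold a token, and the comparison is
// constant-time (hash_equals takes the known value first).
function verifyCsrfToken(array $session, ?string $submitted): bool
{
    if (empty($session[CSRF_KEY]) || $submitted === null) {
        return false;
    }
    return hash_equals($session[CSRF_KEY], $submitted);
}

// Demo: render the form, then check a genuine submission, a cross-site request
// that carries no token (the evil.org case from the previous slides), and a guess.
$session = [];
echo '<form action="/transfer.do" method="post">', csrfHiddenField($session), '</form>', PHP_EOL;

var_dump(verifyCsrfToken($session, $session[CSRF_KEY]));  // bool(true)
var_dump(verifyCsrfToken($session, null));                // bool(false): no token at all
var_dump(verifyCsrfToken($session, str_repeat('0', 64))); // bool(false): wrong token
```

In the application the verification runs before any write, and the token is regenerated together with the session id after login.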

Page 57: XSRF – Protection - 2

• For sensitive data or value transactions, re-authenticate or use transaction signing to ensure that the request is genuine.
• Do not use GET requests (URLs) for sensitive data or to perform value transactions.
• POST alone is insufficient protection.
• Get data correctly:
– GET: Request.QueryString["name"]
– POST: Request.Form["name"]
– General: Request["name"]

Page 58: File Uploads

• Be careful with what you let users upload
• Disable directory browsing using .htaccess
• Use .htaccess to deny access to php, pl or other executable scripts in upload directories

Page 59: SQL Injection

• The ability of a user to change the SQL generated in your application and exploit it.
• Prevention:
– White list
– Type cast inputs
– Use mysql_real_escape_string()
– Use mysqli and prepared statements
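The prevention list ends with prepared statements and type casting; the following added example (my own code, not from the slides) puts the vulnerable string-building query next to the two fixes. It uses PDO with an in-memory SQLite database so it runs offline without a MySQL server (the pdo_sqlite extension is assumed); the same prepare/execute calls work unchanged against a mysql: DSN. Table and function names are my own.

```php
<?php
// Added example: string-built SQL versus bound parameters and validated integers.
declare(strict_types=1);

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)');
    $db->exec("INSERT INTO users (name, pass) VALUES ('alice', 'x'), ('bob', 'y')");
    return $db;
}

// Vulnerable: the user-controlled value becomes part of the SQL text, so a quote
// in it changes the statement instead of the data.
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value travels as a bound parameter and is only ever compared as data.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric input: validate as an integer first, so nothing but a number reaches the query.
function findUserById(PDO $db, string $id): ?array
{
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = setupDb();
$input = "x' OR '1'='1";   // constructed input that rewrites the WHERE clause when concatenated

var_dump(count(findUserVulnerable($db, $input)));  // int(2): every row came back
var_dump(count(findUserSafe($db, $input)));        // int(0): searched for the literal string
var_dump(findUserById($db, '1 OR 1=1'));           // NULL: rejected before any SQL ran
var_dump(findUserById($db, '1'));                  // ['id' => 1, 'name' => 'alice']
```

Escaping with mysql_real_escape_string() protects only string literals; parameters and integer validation cover numeric positions too, which is why the slide lists both.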

Page 60: exec and fopen

• Clean your inputs before using them in exec and fopen
• exec allows PHP to run system-level commands!
• fopen/file_get_contents allow opening files from external URLs!
• PHP: disable allow_url_fopen and allow_url_include in php.ini

Page 61: Sessions – secure them

• Sessions can be spoofed or stolen
• Use session_regenerate_id to generate a new id
• session_destroy does not change the session id!
• Prompt for the user's password on any critical changes
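The session rules on this page and on Page 45 (regenerate the id after privilege changes, session_destroy() alone is not enough, re-authenticate before critical changes) are combined in the following added example (my own code, not from the slides). It needs PHP 7.3 or later for the array form of session_set_cookie_params(); run from the CLI it uses the default file-based session store. Function and key names are my own.

```php
<?php
// Added example: session cookie hardening, id rotation on login, re-auth check and full logout.
declare(strict_types=1);

function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, not persistent
        'path'     => '/',
        'secure'   => true,     // sent only over TLS
        'httponly' => true,     // not readable from script
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');   // refuse ids the server did not issue (fixation)
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
    session_start();
}

// After any privilege change (login, role switch): fresh id, old session file removed.
function onAuthenticated(int $userId): void
{
    session_regenerate_id(true);   // true = delete the old session data, not only the id
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();
}

// Critical changes (password, e-mail, payments) require a recent password check.
function needsReauth(int $maxAgeSeconds = 300): bool
{
    return !isset($_SESSION['auth_time']) || (time() - $_SESSION['auth_time']) > $maxAgeSeconds;
}

// session_destroy() alone leaves the client holding a cookie with the old id:
// clear the data, expire the cookie, then destroy the server-side session.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Demo: collect results first, print afterwards (setcookie() must run before any output).
startHardenedSession();
$before = session_id();
onAuthenticated(42);
$after = session_id();
$reauth = needsReauth();
logout();

echo $before === $after ? "id NOT rotated" : "id rotated on login", PHP_EOL;
echo $reauth ? "re-auth required" : "recent auth, critical change allowed", PHP_EOL;
```

The expected run prints "id rotated on login" and "recent auth, critical change allowed"; the same needsReauth() check, called with a short window, is what backs the "prompt for the password on critical changes" rule.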

Page 62: Secure Configuration of Common PHP Applications - phpMyAdmin

• Protect config.inc.php if db access is "config"
• If possible use mod_cas
• If using HTTP authentication, force SSL using mod_rewrite:

RewriteRule ^/$ /index.php
RewriteCond %{SERVER_PORT} !443$
RewriteRule ^(.*) https://host.com:443$1 [R=301,L]

Page 63: Secure Configuration of Common PHP Applications - phpbb

• If configuring remotely via the web, use SSL.
• Santy: a worm attacked a flaw that allowed system calls to be sent using GET vars.

Evil PHP:
<?php
$term = urldecode($_GET['sterm']);
?>

$_GET is decoded once by PHP, then again by urldecode. The second time, quotes or other harmful symbols can be decoded and applied to system(). Assuming no magic quotes, the problem would have been prevented by using escapeshellcmd().
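The double-decoding problem is easy to see with a few lines, so here is an added example (my own code, not from the slides or phpBB). parse_str() stands in for what PHP does to the raw query string before $_GET exists; the "grep" command is a placeholder for whatever the application runs. It shows that escaping applied before the second urldecode() is undone by it, and that the fix is to stop decoding and quote the value at the point of use.

```php
<?php
// Added example: why decoding $_GET a second time reopens the hole.
declare(strict_types=1);

// Simulate PHP populating $_GET: the raw query string is decoded exactly once.
function populateGet(string $rawQuery): array
{
    parse_str($rawQuery, $params);
    return $params;
}

// Vulnerable pattern: escape, then decode again. escapeshellcmd() sees only
// harmless percent-sequences; urldecode() then turns them back into metacharacters.
function buildCommandVulnerable(string $sterm): string
{
    $escaped = escapeshellcmd($sterm);
    return 'grep ' . urldecode($escaped);
}

// Fixed: $_GET is already decoded, so there is nothing left to decode; quote the
// value as a single argument right where it is used.
function buildCommandSafe(string $sterm): string
{
    return 'grep ' . escapeshellarg($sterm);
}

// Constructed request: every byte of "'; id" encoded twice (%27 -> %2527 and so on)
$get = populateGet('sterm=%2527%253B%2520id');

echo $get['sterm'], PHP_EOL;                          // %27%3B%20id   (decoded once by PHP)
echo buildCommandVulnerable($get['sterm']), PHP_EOL;  // grep '; id    (quote and ; arrived intact)
echo buildCommandSafe($get['sterm']), PHP_EOL;        // grep '%27%3B%20id'  (one literal argument)
```

Neither command is executed here; the point is the string that would reach system(). Any escaping has to run after the last decode step, and the simplest way to guarantee that is to never decode request data a second time.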

Page 64: Secure Configuration of Common PHP Applications - Gallery

• Verify that Gallery has written to the .htaccess and config.php file after install. Then:
chmod 644 .htaccess
chmod 644 config.php
chmod 400 setup

Page 65: Secure Configuration of Common PHP Applications - phpnuke

• Move config.php outside of DocumentRoot
• Edit mainfile.php to the path of the moved config.php

Page 66: Web Applications

• When installing free web applications, always be aware of security advisories.
• Maintain a backup of your database.
• Practice restoring the database.
• Be familiar with how to update the application.
• If possible always use mod_cas, especially with tools like phpMyAdmin.

Page 67: PHPIDS (1)

• php-ids.org
• Interface

Page 68: PHPIDS (2)

• Rule:

<filter>
    <rule><![CDATA[(?:^>[\w\s]*<\/?\w{2,}>)]]></rule>
    <description>finds unquoted attribute breaking in...</description>
    <tags>
        <tag>xss</tag>
        <tag>csrf</tag>
    </tags>
    <impact>2</impact>
</filter>

Page 69: PHPIDS – installation

• mkdir /var/www/web1/phpids (document root: /var/www/web1/web)
• cd /tmp
– wget http://php-ids.org/files/phpids-0.5.4.tar.gz
– tar xvfz phpids-0.5.4.tar.gz
– cd phpids-0.5.4
– mv lib/ /var/www/web1/phpids/
• cd /var/www/web1/phpids/lib/IDS
• chown -R www:www tmp/
• cd Config/
• vi Config.ini

Page 70: PHPIDS sample

<?php
set_include_path(get_include_path() . PATH_SEPARATOR . '/var/www/web1/phpids/lib');
require_once 'IDS/Init.php';

$request = array(
    'REQUEST' => $_REQUEST,
    'GET'     => $_GET,
    'POST'    => $_POST,
    'COOKIE'  => $_COOKIE
);
$init = IDS_Init::init('/var/www/web1/phpids/lib/IDS/Config/Config.ini');
$ids = new IDS_Monitor($request, $init);
$result = $ids->run();

if (!$result->isEmpty()) {
    // Take a look at the result object
    echo $result;
    require_once 'IDS/Log/File.php';
    require_once 'IDS/Log/Composite.php';
    $compositeLog = new IDS_Log_Composite();
    $compositeLog->addLogger(IDS_Log_File::getInstance($init));
    $compositeLog->execute($result);
}
?>

Page 71: PHPIDS screenshot

Page 72: Suhosin

• http://www.hardened-php.net/suhosin/index.html
• PHP Suhosin
– cookies
– preg_replace() /e
– eval()
– infinite recursion
– memory_limit
– mail() newline
– preg_replace() \0
– session
– GLOBALS, _GET, _COOKIE

Page 73: Suhosin - installation

• tar zxvf php-x.x.x.tar.gz
• gunzip suhosin-patch-x.x.x-0.x.x.x.patch.gz
• cd php-x.x.x
• patch -p1 -i ../suhosin-patch-x.x.x-0.x.x.x.patch
• PHP phpinfo() then shows:

This server is protected with the Suhosin Patch x.x.x.x

Page 74: MySQL Security

Page 75: Secure your configuration

• Simple principles:
– Don't run mysqld as (Unix) root. Run it as a user created specifically for this purpose, e.g. mysql. Don't use this account for anything else. (Note that the MySQL root user has nothing to do with Unix users, so this doesn't affect MySQL internally at all.)
– Set permissions on the database directories so that only your mysqld user (e.g. mysql) can access them.

Page 76: Secure your configuration (cont.)

– Disable symlinks to tables with --skip-symbolic-links.
– Disallow access to port 3306 (or whatever port you have MySQL running on) except from trusted hosts.

Page 77: Accounts and Privileges

• All MySQL accounts need a password, especially root. (Don't forget anonymous users, either.)
– mysql> set password for root@localhost = password('mysqlpasswd');
• Grant users the minimum level of privilege required to do their job. (Principle of Least Privilege)
– mysql> create database db1;
– mysql> grant select,insert,update,delete,create,drop on db1.* to test1@localhost identified by 'admindb';

Page 78: Accounts and Privileges (cont.)

• Some privileges require special attention:
– Only the root user should have access to the mysql database, which contains privilege information.
– Keep FILE, PROCESS, and SUPER for administrative users. FILE enables file creation, PROCESS allows you to see executing processes (including passwords in plaintext), and SUPER can be allowed to e.g. terminate client connections.
• Avoid wildcards in hostnames in the host table.
• Use IPs instead of hostnames in the host table if you don't trust your DNS.

Page 79: Mysql

• MySQL data directory: /usr/local/mysql, /usr/local/mysql/var
– # chown -R mysql.mysql /usr/local/mysql/var
– # chmod -R go-rwx /usr/local/mysql/var

Page 80: Security Issues with LOAD DATA LOCAL

• In a Web environment where the clients are connecting from a Web server, a user could use LOAD DATA LOCAL to read any files.
• You can disable all LOAD DATA LOCAL commands from the server side by starting mysqld with the --local-infile=0 option.

Page 81: Using encryption

• Don't store application passwords in plaintext in the database. (Use one-way hashing.)
• Require database connections to be via ssh or tunneled through it.
• Avoid old MySQL passwords (pre 4.1). (Disable with --secure-auth, and avoid use of --old-passwords.)
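For the first point, one-way hashing of application passwords, here is an added example (my own code, not from the slides) using PHP's built-in password_hash() / password_verify(). The stored string carries the algorithm, cost and per-password salt, so the check at login needs nothing else; password_needs_rehash() lets you raise the cost later without a migration. Column and function names are my own.

```php
<?php
// Added example: store and verify application passwords as salted one-way hashes.
declare(strict_types=1);

const HASH_ALGO = PASSWORD_DEFAULT;   // bcrypt in current PHP releases
const HASH_OPTS = ['cost' => 12];     // work factor; raise as hardware gets faster

// Value to store in the users table: never the plaintext.
function hashForStorage(string $password): string
{
    return password_hash($password, HASH_ALGO, HASH_OPTS);
}

// Login check. If the stored hash was created with weaker parameters, a fresh hash
// is handed back through $rehashed so the caller can update the row now, while the
// plaintext is briefly available.
function checkLogin(string $stored, string $submitted, ?string &$rehashed = null): bool
{
    if (!password_verify($submitted, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTS)) {
        $rehashed = hashForStorage($submitted);
    }
    return true;
}

// Demo with constructed values
$stored = hashForStorage('correct horse battery staple');
echo $stored, PHP_EOL;                       // $2y$12$... : algorithm, cost and salt are inside the string

var_dump(checkLogin($stored, 'correct horse battery staple'));   // bool(true)
var_dump(checkLogin($stored, 'wrong password'));                 // bool(false)
var_dump($stored === hashForStorage('correct horse battery staple')); // bool(false): new salt every time

// An old, cheaper hash triggers a rehash on successful login
$old = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 4]);
$new = null;
checkLogin($old, 'correct horse battery staple', $new);
var_dump($new !== null);                     // bool(true): caller should store $new
```

MySQL's own PASSWORD() function is for MySQL accounts, not for application users; application passwords belong in a column holding hashes like the one printed above.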

Page 82: Q&A