Check whether your web server is correctly configured

Last year Zone-H reported a record number of 1.5 million websites defacements. 1 million of those websites where running Apache.

When it comes to configuring a web server, some people tend to turn everything on by default. Developers are happy because the functionality that they wanted is available without any extra configuration, and there is a reduction in support calls due to functionality not working out-of-the-box. This has proven to be a major source of problems for security in general. A web server should start off with total restriction and then access rights should be applied appropriately.

You can check whether your web server is correctly configured by using Nikto, a great open source vulnerability scanners that is able to scan for quite a large number of web server vulnerabilities. From their site:

“Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.”

I’m going to run a default scan by just supplying the IP of the target:

$ cd nikto-2.1.4
$ ./nikto.pl -h 127.0.0.1

- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          127.0.0.1
+ Target Hostname:    localhost.localdomain
+ Target Port:        80
+ Start Time:         2011-12-12 13:06:59
---------------------------------------------------------------------------
+ Server: Apache
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 6448 items checked: 0 error(s) and 0 item(s) reported on remote host
+ End Time:           2011-12-12 13:08:07 (68 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

By looking at the last section of the Nikto report, I can see that there are no issues that need to be addressed.

Tools like Nikto and Skipfish serve as a foundation for professional web application security assessments. Remember, the more tools you use, the better.

Links

Apache HTTP DoS tool released

Yesterday an interesting HTTP DoS tool has been released. The tool performs a Denial of Service attack on Apache (and some other, see below) servers by exhausting available connections. While there are a lot of DoS tools available today, this one is particularly interesting because it holds the connection open while sending incomplete HTTP requests to the server.

More info here

Data filtering using PHP’s filter functions

Filtering data. We all have to do it. Most, if not all of us, despise doing it. However, unbeknown to most are PHP’s filter functions, that allow us to do all sorts of filtering and validation. Using PHP’s filter functions, we can validate and sanitize data types, URLs, e-mail addresses, IP addresses, strip bad characters, and more, all with relative ease.

This is part one of two, covering filter_var() and the different constants and flags that can be set.

Data Filtering Using PHP’s Filter Functions

Google gives away a free web application security scanner

Google announced the release of ratproxy, a passive web application security assessment tool that they’ve been using internally at Google. This utility, developed by their information security engineering team, is designed to transparently analyse legitimate, browser-driven interactions with a tested web property and automatically pinpoint, annotate, and prioritize potential flaws or areas of concern.

The proxy analyses problems such as cross-site script inclusion threats, insufficient cross-site request forgery defences, caching issues, cross-site scripting candidates, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more.

Find out more

Intrusion Detection For PHP Applications With PHPIDS

This tutorial explains how to set up PHPIDS on a web server with Apache2 and PHP5. PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.

Search your code for vulnerabilities

I’m a big fan of PHP_CodeSniffer and I think it’s a great development tool, it ensures that you write code that is easy to read and maintain. But, what about making sure that the code you write is secure and doesn’t have any vulnerabilities?

Right, there’s another tool for that…

PHP Security Scanner is a tool written in PHP intended to search PHP code for vulnerabilities. MySQL DB stores patterns to search for as well as the results from the search. The tool can scan any directory on the file system.

Check out the Website

Web Application Security Scanner

Web security is possibly today’s most overlooked aspect of securing the enterprise and should be a priority in any organization.

Recent research shows that 75% of internet attacks are done at web application level.

Web application security scanners ensure website security by automatically checking for SQL injection, Cross site scripting and other vulnerabilities.

There are a few good security scanners that you can use to test the security of your site, and Scavenger is one of them.

Tell me more about Scavenger…

Scavenger is an open source real-time vulnerability management tool. It helps you respond to vulnerability findings, track vulnerability findings, review accepted or false-positive answered vulnerabilities, and not ‘nag’ you with old vulnerabilities.

Scavenger parses the results from a Nessus scan and stores them in a MySQL database. From that point, a user can login to a web interface and answer a vulnerability as ‘addressed’, ‘accept’, or ‘false-positive’. If an administrator answers accept or false-positive, Scavenger will not insert a new vulnerability again. However, if a user marks a vulnerability as ‘addressed’ and it comes up again in a scan, it will insert a new vulnerability into the database.

Visit the Website