Did my blog help you? Please link to me!
19 Jan 10 Website Security Scan
Websites get hacked every day, customers details taken, and it’s usually REALLY EASY to do. As a security consultant, I often get a call after a Google search turns up with my details as the guy to contact when this happens.
Shameless plug: Why not contact me BEFORE this happens for a FREE basic web scan.
Shameless plug over, why not consider some of the things that can be done to help prevent a website breach..
(more…)
Tags: Apache, backups, code, cookie, cross site scripting, htaccess, LAMP, logs, mod_security, MySQL, PHP, php security, rate limit, restrict limit, Security Consultant, session, sniffing, sql injection, website security scan, xss
14 Jan 10 PHP Security
As a PHP programmer, there are a couple of things you can do quickly and easily to increase the security of your PHP code installation.
Look into PHP’s “safe mode” feature, ESPECIALLY if you’re running a webserver that takes the general public can upload scripts to. Here you’ll find a list of the functions disabled or restricted by safe mode. It is not strictly PHP’s job to restrict these types of functions, however unless you really know what you’re doing, the list of functions restricted by safemode is a good starting point for building secure applications. These are generally functions that allow file and directory manipulation, and socket manipulation. If it’s not possible within your environment to disable them all, disable as many of these functions as possible.
Although not that common, if I’m writing an application that heavily relies on functions that manipulate directories or sockets, I’ll prefer to create a C daemon or similar to handle this side of things and simply use PHP to communicate with it. (more…)
Tags: cross site scripting, directory, error reporting, magic quotes, MySQL, mysql_real_escape_string, PHP, php security, safe mode, socket, sql injection, xss
25 Sep 09 PHP MySQL Developer – Using MySQLi Prepared Statements to Avoid SQL Injection
I’m going to demonstrate a very short and simple method of avoiding SQL Injection at the SQL query level. You’ll need MySQLi support, on Debian you can apt-get install php5-mysql will contain everything that you need, and would be installed by default with your LAMP Installation.
(more…)
Tags: apt-get, bind, blob, double, execute, integer, MySQL, mysqli, mysql_real_escape_string, object oriented, oo, PHP, prepared statements, sql injection, string
18 Sep 09 Web Application Security Consultant Methodology
I wanted to share some thoughts on my general methodology when approaching web application pen testing. Depending on size, scope of work, complexity and a number of factors, there are two separate angles, usually both or a hybrid of both that I will take.
The first angle has to be the network security itself, all the way down the the physical security. As a penetration tester, I’ll test the web, database, storage and any other related networked devices inside and out. Port scanning their interfaces, spoofing IPs and MACs, asking myself questions such as “Does the database accept direct connections from any IP? Does Apache keep too many spare threads waiting?” We need to work our way from bottom to top of the OSI Model, a lot of which can be done using nc (Netcat) and a combination of scripts, as well as nmap.
Secondly, as the security consultant, I would then test the application itself and dependant or otherwise related applications. Crawl the site and it’s file hierarchy using wget or similar, and then run automated test tools, such as burpsuite, acunetix and a combination of curl/wget and shell scripts before manually drilling down into anything suspicious. Unfortunately for the user, the majority of web applications are insecure. A web crawl using a recursive wget, followed by some blind SQL injection checks will more often than not turn up the opportunity for SQL injection. Once this is done, the next query is how far I can go with the SQL injection. Do I have root access now to the database? Does the database user have unnecessary permissions? I should be able to SELECT and possible INSERT/UPDATE data. It’s unlikely that I should be able to actually alter, or even drop the database from the web user. Having table update priviledge on all tables is just as good as being able to drop the database itself though in terms of potential damage. This combination of security issues could lead to even further damage once the initial compromise has been made.
The next question is how far to proceed once an opportunity has been identified. Is demonstrating an opportunity for SQL injection sufficient, or does the opportunity need to be exploited? Once done, does data actually need reading or writing to the database or code changed? This generally depends on the scope of the work and purpose/setting of the systems under test. More will be discussed on this in later articles.
Once complete, I will generally report and rate the issues found from 1 to 5. 1 being informational, 2 being low severity, 3 being medium severity, 4 being high severity and 5 being critical severity. The database user having additional priviledges may fall into categories 3 or 4. An outdated but currently secure version of the webserver running may fall in to category 1, whilst an SQL injection opportunity will for sure fall in to category 5.
Scope depending, I can either discuss the issues and advise on strategies to resolve, or alternatively provide the report ready for the Client to pass on to his own IT consultant.
Tags: acunetix, axunetix, burpsuite, curl, netcat, nmap, osi model, pen test, penetration test, script, Security Consultant, shell, sql, sql injection, web application, wget
06 Sep 09 Security Consultant – PHP Developer – SQL Injection Attacks
One of the most common form of attacks against web applications is SQL Injection. In the most part, the language that the web application is written in is irrelevant, be that PHP, ASP, Python, Perl, C, etc. As long as the back end database uses something SQL based, be that MySQL, MSSQL, etc, again, we’re in business. This probably covers over 99% of web applications out there. Both the security consultant and the php developer or web application developer in general has to be aware of the implications of SQL Injection. Here’s how it works:
(more…)
Tags: blind sql injection, HTML code, insert, MySQL, pen tester, penetration tester, PHP, Security Consultant, select, sql, sql error, sql injection
04 Sep 09 Security Consultant – PHP Developer – Exploiting Common PHP Code Flaws
There are a number of PHP and in fact programming errors in general that PHP Programmers and Security Consultants need to be aware of. Specifically, how can a malicious user use the code to gain access above what he is supposed to.
Cross Site Scripting (XSS), Shell Execution and SQL Injection are all issues that programmers need to be aware of. Luckily, buffer overflows in their traditional sense are not something that PHP developers need to concern themselves with.
Here in it’s most basic sense is an example of how we can read arbitrary files on the filesystem that we should not have access to.
(more…)
Tags: code flaws, cross site scripting, exploit, exploiting, PHP, php code, PHP Developer, Security Consultant, shell execution, sql injection, xss
|
I'm Adam Palmer, and I'm a Freelance Embedded Linux/Embedded Hardware enthusiast and Security Consultant. I run 'APNIC Solutions Ltd' and spend most of my time managing server clusters, and doing some PHP/MySQL development, whilst what little spare time I have is dedicated to playing with gadgets. I'm always happy to consult on or manage any Linux related, Web Application or Hosting project. Please get in touch with me! |
