Ask MetaFilter questions tagged with web and security

Any good books on web penetration testing?

jacobian — Sun, 18 Oct 2009 08:28:13 -0800

Any good books on web penetration testing? I'm a web developer and consultant, and I often deal with web application security. Everything I know about penetration testing I've learned in a pretty ad hoc manner, and I think it's time to give myself a bit of a more formal background.

I'm familier enough with the concepts (SQL injection, XSS, CSRF, etc.); I even teach classes on those subjects. I've got decent knowledge crypto and digital security in general. I also have a few tools I sorta know how to use (Burp Suite being the main one). But I don't really have any good grasp on the "right" way to actually conduct a formal web penetration test -- I usually just flail around for a while trying different things until I "feel" satisfied. Doesn't really make for a very scientific process, I know.

So: any suggestions for books (or any other sort of learning material) on web penetration testing? I'd prefer something more on the advanced side of the spectrum; I'd rather be overwhelmed than bored.

Webhost changes security settings on server and breaks Joomla

clockworkjoe — Fri, 17 Jul 2009 11:27:08 -0800

A webhost my company uses just changed the security settings and now Joomla no longer works correctly. Are these new security settings industry standard and what should I do? You can see the security settings here and the real problem seems to be that php ini.set is disabled, which Joomla needs. I don't know enough about security and coding to know what to do here. My options are to switch to a low security server, described here, try to reconfigure Joomla somehow, switch to a new CMS package or switch to a new web host.

I guess I need to understand what web hosts usually do with Joomla.

Also, my current webhost is nomonthlyfees.com which has had pretty poor tech support lately.

How do I put an end to this reoccurring CMS/hosting security breach?

serial_consign — Sat, 10 Jan 2009 23:06:38 -0800

How do I put an end to this reoccurring CMS/hosting security breach? I am using Drupal as a CMS and all my sites are hosted through the same provider. On a few of my installs (version 6.8 - the latest of Drupal) mysterious directorys full of porn and prescription drug HTML pages keeps occuring. Said host said this was due to a security breach in my CMS, which I do believe. How do I stop it though? I delete these folders when I notice inbound traffic in analytics but I want to solve this problem once and for all. If anybody has any advice or experience with this kind of situation please clue me in.

Please Stop Doing That

rokusan — Thu, 12 Jun 2008 08:12:45 -0800

Apache Filter: blocking logins after failed attempts. A coworker asked me this one first, but I'm stumped, so I turn to the hive mind.

He's running a pretty vanilla Apache on FreeBSD to serve a website that has a /members section protected by htaccess. He administers passwords and such fine, and he's happy with the security and reliability and such, but he's starting to have a problem with scripts/robots hammering his login pages with web-based brute force attacks, trying user names (aaron, adam, arthur, axel...) and common passwords.

This isn't a huge security problem but it's proving to be a heck of a drag on his web server, and it's poisoning his traffic data. Apparently "something like 90 percent" of his traffic last weekend was just that kind of noise. I first suggested just blocking the offending IPs within the .htaccess itself, but the source IPs change every couple of hours, and some are from identifiably dynamic IPs like ADSL users, so temporary blocks are definitely the right way, here.

Obviously, he'd rather not reengineer a whole new authentication scheme, and that's probably beyond his ken anyway. So is there an Apache module or middleware script he could use as an add-on or (pre?)login, to provide temporary lockouts for given user names or IP numbers? The goal is something like the typical bank login response: "Too many failed logins, please try again in (1 hour)." where that (hour) is configurable.

Captchas on login might work, but that strikes me as too strange and cruel, I think, to impose on every login.

It's a straight HTML website right now, nothing fancy at all (he uploads members documents by FTP and uses some web-front end CGI from his ISP for adding/removing htaccess users) and he's not comfortable with Perl or PHP beyond install-and-forget. That said, I could probably lend a couple hours of my own help to implement something one-time, as long as it "just works" after that.

Suggestions, geek-hive?

Apache2, mod_php, suexec security confusion.

odinsdream — Tue, 10 Jun 2008 06:58:46 -0800

Apache2 security theory; mod_php versus CGI php and the use of suExec: What is the non-theoretical problem with running Apache2 with mod_php and thus without using suexec on a dedicated system? I'm setting up a typical LAMP environment. I've used phpsecinfo to evaluate my current environment and implemented all of the recommended changes except for two, Group ID and User ID.

The distribution is the most recent Ubuntu Server with the mostly-default Apache2 configuration, and the mostly-default PHP installation, with the exception of the changes recommended by phpsecinfo.

These warnings indicate that my group and user ID numbers are below 100 (33 to be specific), and therefore may be a problem. I am not sure how to interpret this.

I followed the documentation links and was about to implement SuExec when I realized that this meant doing a lot of other reconfiguration, like not using mod_php, and that meant changing a lot of other things, etc.

This is not a shared system. It will only be used to host one company's applications through several virtual hosts. The applications will be PHP-based, and most frequently will use the Symfony framework. Apache currently runs as www-data, whose shell is /bin/false. SSH access to the system is by public-key authentication only and is further restricted at the daemon level to only specific real users.

What do I need to do to run this securely? Resources, guides and real-world examples would be greatly appreciated.

Chmod 777 Risks

maxwelton — Thu, 14 Feb 2008 22:26:26 -0800

Site security experts: Talk to me about chmod 777 directories. If I have a content manager that is protected by password, checks the mime type upon a file upload, and then saves the file for access via the public website in a "777" directory in the (unix) web root, is that really all that risky? I do have an htaccess file in that directory which denies anything other than defined "safe" file types (as checked by mime-type when the CMS user uploads). There is also an index file in the 777 directory that redirects folks back out to prevent casual browsing.

Again, the great unwashed are not uploading. The files in this directory (all images) are simply used by the public-side site in various pages.

What are the risks, and how likely are they?

What does browser encryption protect me from?

Avenger50 — Wed, 09 Jan 2008 23:57:47 -0800

When my browsing and downloading is "encrypted," who or what am I protecting myself from? Who or what exactly would or could intercept unencrypted browsing, downloads, or submitted form information? Is it my ISP? Is it a trojan on my computer? Is it a port-scanning hacker? Is it someone on my LAN monitoring traffic? What exactly does browser encryption protect me from?

How is Google giving me access to this page?

alms — Wed, 27 Dec 2006 14:29:00 -0800

How come if I search for this page and click on the Google link I get to the page, but if I copy the link that Google gives me and try to access it directly, I'm taken to a login page? What I really want is to be able to e-mail this link to people, or include it in a fpp on the blue.

How do I force HTTPS in Tomcat (through Apache and mod_jk)?

purephase — Wed, 13 Dec 2006 15:56:41 -0800

I'm at my wit's end. I've been trying to configure tomcat (through apache 2 using mod_jk) to automatically re-direct all traffic to HTTPS from HTTP. More boring technical details to follow. Specifically, I'm trying to get CAS working. Tomcat is successfully serving-up the pages over HTTP and HTTPS and the application is working as expected. However, since this particular servlet handles user authentication I would like Tomcat to force HTTPS for all requests.

I have tried using isSecure() through JSP to redirect users but it simply puts the requests into an endless loop. I have tried the following configuration in the web.xml file (see Lukas Bradleys' answer) and it does force a redirect, but it uses the server hostname as the URL and not the proxied URL to the server (which means it doesn't work externally).

I've tried changing the hostname on the server but it continues to use the initial hostname which leads me to believe that this value is somewhere in the Tomcat configuration, but I cannot locate it.

So, is there an easier way to do this? Or, does anyone know where to look to modify that hostname to use the URL for the proxied site? Any assistance would be appreciated.

"The web is with you, young Skywalker. But you are not a Jedi yet."

EatTheWeak — Fri, 11 Aug 2006 10:23:21 -0800

"I want to come with you to Redmond and learn the ways of the Registry. I want to be Teh Haxorz, like my father before me." Good morning, hive mind. I have grown tired of the stressful life of a noob technochondriac, and seek self-education that will allow me to use my computer with confidence.

With the help of three dear friends, I built a powerful PC. My friends with know-how have already gone above and beyond in helping me learn my way around Windows. I've no wish to trouble them further with my ignorance and panic. My computer has slowed a bit from lunging, mercurial machine it was in the first weeks after assembly. I open the task manager and examine the Processes list, but really don't understand what I'm looking at. Is that stack of "svchost.exe" a spyware cell or a routine process? Without straining the patience of my friends, I have no way to know for sure.

So self-reliance is the answer. I've heard tell that mastering the arcane art of The Registry is the key to supremacy for Windows XP. I've also heard that this is a most dangerous place to meddle. Please, mefites, if you can think of a web resource on registry management written with the beginner in mind, I would very much like to begin my training. Being that I'm a luddite at heart, I'll even settle for a book.

Useful pieces of registry manipulating software are also appreciated, but I'm more interested in developing the knowledge that will help me appraise a program's usefulness for myself.

My main aims are to get my computer running at peak efficiency, tightening up security by learning how to spot malware's machinations and the ability to spot and correct anamolous behavior before serious damage is done. A tall order, I know, but I've seldom seen this forum stumped.

Your time and input is deeply appreciated.

What is the probability that google will loose my data (mails and calendars) ?

vincentm — Tue, 09 May 2006 07:19:31 -0800

What is the probability that google will loose my data (mails and calendars) ?

Can you use mail() in PHP without creating an unsecure, open mail relay?

willnot — Wed, 28 Dec 2005 16:30:26 -0800

Can you use mail() in PHP without creating an unsecure, open mail relay boon to spammers everywhere? I keep trying to read This Page, and I think I understand it, but I'm not sure. Like I said, I think I understand the problem, but I don't feel confident in my abilities to reasonably evaluate all the many solutions I've found. I've read through This Recent Related Question.

Would somebody that really knows there stuff tell me if passing anything that will go into mail() through this function would be enough to clean it? Most scripts I've seen are blocking \r and \n. I don't see anybody blocking "%0A" or other hexadecimal equivalents to line breaks. Is that because users can't use those to inject headers or because none of the forms I'm seeing are really secure?

I hate Miva, yes I do...

miss tea — Tue, 13 Dec 2005 11:14:25 -0800

Miva Merchant 4.0 and security certificates...why don't IE customers see the darned lock? My client has a Miva 4.0 store. They have a thawte security certificate and linkpoint payment gateway as their payment system. All of these things are set up correctly in accordance with the documentation. When using the store with Safari, the little lock shows up just fine in the upper right corner while on secure pages like checkout. However in IE there's no lock (even though the address starts with https and everything is set up correctly). What can I do to even troubleshoot this? This is not my area of expertise and I feel like I've exhausted my research-fu. I've spoken with the web host, the security certificate people...the last option is Miva support but they charge $399 per year minimum, which I would like to avoid. Help, I am being driven slowly insane by this problem!

Secure forum?

emptybowl — Tue, 22 Feb 2005 05:32:25 -0800

Can any recommend a good, free and, most importantly, secure web-based forum? I've had it with the security problems with PHPNuke. I just can't keep up. So, I'm thinking of just wiping my site and replacing it with a stand-alone forum. (The forum if the only section of my site that still sees activity anyway.) Can anyone recommend one?

Need replacement for Formmail and NMS Formmail

Pinwheel — Mon, 17 Jan 2005 14:54:05 -0800

Due to "security concerns," my web host provider has just banned two Form-to-email scripts (Formmail and NMS Formmail). Now I'm hard up to find a replacement. Any ideas? I'd prefer a solution that doesn't require a mastery of PERL to configure.

Weird Google Search Results

MrAnonymous — Thu, 20 May 2004 09:27:13 -0800

Every once in a while, when I search Google, I end up with some weird search results. All ads. It doesn't happen all the time and I don't know if it's Google stooping to a new low, or if it's me and some kind of adware. Note that I also get a pop-up window with this page that has a couple other ad links. I'm running Symantec SystemWorks and Adaware. I know I got something on my system a few days ago, but I thought I'd had it cleared out. Apparently not...?

As a new webmaster, what should I do to protect my sites from hacking?

Grod — Thu, 26 Feb 2004 20:16:58 -0800

I'm new to the running a website thing. Reading the log files I noticed that people are already trying to hack me. Right now its the basic look for frontpage access (which, obviously, I don't have as I write everything in textpad) but I want to know what steps should I take to secure the server? How can I protect ftp directories, monitor bandwidth theft in the form of linking to images, etc.? can I prevent that all together? Also, the two most common sources of error pages are browsers looking for favicon.ico (I assume this is gecko and Opera browsers, unless a lot if IE users are bookmarking me) and people (?) looking for pages that don't, in fact, exist but logically might. For example there is an 001.html, but no 005.html. Is this likely to be a person or a bot of somekind? I should add that there is a link to 005.html but it is commented out and has its visibility set to hidden, this way when there is an 005.html all I need to do is remove the comments and change the visibility for the link to show up.