Kurinchi Blogger Scribbles …


Archive for the ‘Security’ Category

Nov 27
2009

WebScarab for web application test

Last updated: November 28th, 2009

WebScarab is a testing tool for analysing application data passed between browsers and servers. It can be used to review and modify data at either end by intercepting HTTP and HTTPS traffic. The tool can also act as a bandwidth simulator (slow/fast network) and help with session ID analysis, spidering URLs, parameter analysis and many other testing tasks.

WebScarab is developed as an open source tool by The Open Web Application Security Project (OWASP) and can be downloaded from the OWASP website.

Nov 16
2009

SSL: Points to consider before choosing the right certificate

Last updated: November 16th, 2009

Points to consider before choosing the SSL certificate

i) Strength of the encryption offered by the certificates

ii) Browser compatibility or recognition of the certificate. A well-known brand is recognized by most of the browsers in the market.

iii) Whether the certificate offers backward compatibility across browsers offering

iv) Whether the Certification Authority (CA) is a trusted root or uses chained root certificates.

v) Which web server will be used for the SSL installation. Chained root certificates may be a little complicated to install on some web servers.

vi) Nature of the application that will be served over SSL, depending on the volume of transactions and the value of each transaction.

vii) Warranty offered by the certificate (if that matters, which it most certainly does for e-commerce products).

Oct 11
2009

Passing data from HTTPS to HTTP

Last updated: October 10th, 2009

Have you ever come across a situation where you need to pass data from HTTPS-controlled web pages to HTTP ones? If you have, you will have noticed that the header values, especially the REFERER value, become empty. The reason is that it is not considered secure to transfer data from a security-controlled HTTPS layer to a non-secure site serving HTTP content.

This is one of the key points to remember if you are involved in integrating applications.

Solution(s) to the above scenario
i) Transfer data between HTTPS layers instead
ii) Pass GET data as query string values
iii) Programmatically handle the session across the two sites behind the scenes, either by storing a cookie or through database controllers

Some of the tools that come in handy for checking the header values are FireBug, Live HTTP Headers and the HTTP Watch plugin.

Sep 10
2009

Generating Certificate for validation (CSR generation)

Last updated: September 10th, 2009

In order to install SSL certificates on your Apache server, the first step is to generate a key pair and a CSR (certificate signing request). The following points will guide you through creating the CSR file.

Once you finish generating the CSR file, you need to paste the content of the CSR file on to the SSL certificate request page in order for the certificate authorities to start their verification process.

Command line prompts in a Linux box

Find where openssl is installed and navigate to that directory
$ whereis openssl

Usually it will be at /usr/bin/. If it is in a different path, navigate to that directory instead
$ cd /usr/bin
(more…)
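Putting the key pair and CSR steps together non-interactively, as an added example that is not part of the original post: it assumes openssl is on the PATH, and the subject fields and hostname are constructed placeholders. The check functions confirm the CSR is well formed, carries the intended CN and matches the private key before it is pasted into the CA's request page.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive key pair + CSR generation
# for Apache, then sanity checks of the CSR before it is pasted into the CA's form.
# Assumes openssl is on the PATH; subject fields and hostname are placeholders.
set -eu

gen_csr() {
    # $1 = output basename (writes $1.key and $1.csr), $2 = FQDN to use as the CN
    base="$1"; fqdn="$2"
    # 2048-bit RSA private key with no passphrase, so Apache can start unattended
    openssl genrsa -out "$base.key" 2048 2>/dev/null
    chmod 600 "$base.key"    # the private key never leaves this server
    # -subj answers the interactive "openssl req" prompts in one go
    openssl req -new -key "$base.key" -out "$base.csr" \
        -subj "/C=US/ST=Example/L=Example/O=Example Org/CN=$fqdn" 2>/dev/null
}

csr_verify() {
    # Checks that the CSR parses and that its self-signature matches the embedded key
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

csr_cn() {
    # Prints the CN so you can confirm it matches the site before submitting the CSR
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

key_matches_csr() {
    # $1 = private key, $2 = CSR: the public key in the CSR must derive from the key
    [ "$(openssl req -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$1" -pubout)" ]
}
```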

Aug 09
2009

Session Poisoning, Cookie Poisoning

Last updated: August 4th, 2009

Session poisoning, or session pollution, is a security exploit in which unvalidated input is assigned to session variables which are then carried over to other pages, exposing pages that are supposed to be secured to the outside world.

It can also refer to a state where more than one application shares the same session variable and modifies it without the necessary validation, causing a race condition.

An attack or session hijack is possible when an external agent gains control over the session variable used by the victim on the server. Both the agent and the victim need to have access to the same server for such attacks to take place.

When the same scenario happens on the cookie variables, it is called cookie poisoning.

The precaution against such hijacks is to validate every case where a cookie or a session is shared, or where values are assigned to sessions or cookies. In such cases it is also advisable to use a secured transport path to avoid such attacks.

Aug 08
2009

How to hide Apache version, Modules loaded, PHP Version?

Last updated: August 4th, 2009

It is often advisable not to disclose more information than is necessary when web requests are made to an Apache server.

By default, Apache displays the version of the server, modules loaded in the server and the version of PHP if PHP is configured with Apache.

In httpd.conf file, set the following directives.

ServerSignature Off
ServerTokens ProductOnly

By default, ServerSignature is set to Off and ServerTokens is set to Full in most Linux distros.

Jul 27
2009

PHP Security: Preventing Session Fixation

Last updated: August 1st, 2009

Session fixation is a method by which an intruder creates a session ID that gets carried along when a user arrives via that path and continues his/her activity on a website.

For example, an intruder may create a link to a site called samplesite.com as <a href="http://samplesite.com/cart.php?PHPSESSID=Ax23mDud">Sample Site</a>

When a user clicks on this link the session ID is carried over to the site ‘samplesite.com’. The intruder waits for the user to start a transaction on the site and then takes over vital details by intruding on the user’s activity on samplesite.com.
(more…)

Jul 20
2009

What is Kerberos Authentication System?

Last updated: July 24th, 2009

Kerberos authentication is a means by which a communicating entity on a non-secure network can prove its identity to another entity in a secure way.

In a system developed for a client-server model, it is not possible to fully identify the threat posed by network users and intruders.

The primary goal of the Kerberos authentication system is to prevent clear-text transmission of passwords over the network.

Kerberos was created by MIT under a license similar to BSD, and the current version is Version 5. It is implemented across various operating systems: Linux, Unix, Windows and MacOS.

The Kerberos system is built on a symmetric key algorithm.
(more…)

Jul 16
2009

How to turn off register_globals via php.ini?

Last updated: July 15th, 2009

It is always safer to turn OFF register_globals in PHP applications. Earlier we saw how to turn OFF the register_globals setting via the .htaccess file; in this post we will use php.ini instead.

As the first step, create a file called php.ini using a text editor.

Next, add the following line to php.ini
register_globals = off

Upload the php.ini file to the root folder where your application resides.

Jul 13
2009

How to restrict folder, file permission settings for each user?

Last updated: July 13th, 2009

Sticky bit

There may be a situation where you want all users to store files in a certain folder but want to restrict users from deleting other users' files. For this scenario you can set the sticky bit on the folder, which serves our purpose.

For example, we have created a folder called “user” inside the /tmp directory

root@dev:/tmp# ls -l | tail -1
drwxr-xrwx 2 root root 4096 2009-07-13 11:39 user
root@dev:/tmp# cd user

Now create a file called a.txt (you currently have root privileges)
root@dev:/tmp/user# touch a.txt

Now change to a user with normal privileges (I have created a user called ‘usr100’ for this purpose)
usr100@dev:/tmp/user$ su usr100
password:
usr100@dev:/tmp/user$ whoami
usr100
(more…)
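The sticky-bit setup above, as an added example that is not part of the original post: set_shared_dir() creates the shared folder with mode 1777 (the deletion restriction itself can only be observed with two different users, so it is not tested here), and find_unsafe_shared() audits a tree for world-writable directories that are missing the sticky bit, which is the case the post warns about. Directory names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): sticky-bit helpers for shared folders.
# set_shared_dir() makes a drop-box as the post describes (world-writable plus sticky
# bit); find_unsafe_shared() lists world-writable directories under a tree that lack
# the sticky bit, i.e. where any user could delete other users' files.
set -eu

set_shared_dir() {
    # $1 = directory to create as a shared drop-box
    mkdir -p "$1"
    chmod 1777 "$1"    # rwxrwxrwt: everyone may create, only the owner may delete
}

has_sticky() {
    # Succeeds when the 10th character of the ls mode string is 't' or 'T'
    case "$(ls -ld "$1" | cut -c10)" in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}

find_unsafe_shared() {
    # $1 = tree to audit: world-writable (o+w) directories without the sticky bit
    find "$1" -type d -perm -0002 ! -perm -1000
}
```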

