WebScarab is developed as an open source tool by The Open Web Application Security Project (OWASP) and can be downloaded from OWASP website

i) Strength of the encryption offered by the certificates

ii) Browser comptability or recognition of the certificates. A well known brand is recognized by most of the browsers in the market

iii) If the certificate offers backward comptability across browsers offering

iv) Whether the Certification Authority (CA) is a Trusted Root or if they use a Chained Root Certificates.

v) Which web server will be used for SSL installation. Chained root certificates may be little complicated on some web servers.

vi) Nature of the application that will be served over the SSL – depending on the volume of the transactions and the value of each transaction

vii) Warranty offered by the certificate (if that matters which most certainly is when it comes to ECommerce products)

This is one of the key points to remember if you are involved in integrating applications

Solution(s) to the above scenario
i) Transfer data between HTTPs layers instead
ii) pass GET data as query string values
iii) Programatically handle the session across the two sites behind the scenes either by storing a cookie or through database controllers

Some of the tools that comes handy in checking the Header Values are FireBug, Live HTTP Headers, HTTP Watch plugin

Once you finish generating the CSR file, you need to paste the content of the CSR file on to the SSL certificate request page in order for the certificate authorities to start their verification process.

Command line prompts in a Linux box

Find where openssl is installed and navigated to that directory
$ whereis openssl

Mostly it will be at /usr/bin/. If it is in a different path, then navigate to that directory path
$ cd /usr/bin

If asked for a pass phrase, enter a phrase which you need to use when generating the CSR file from the key file.

Next, we will use des3 algorithm to generate the key. If you want to generate a key for a site abc.com you can give certificate-name=www.abc.com for easy reference
$ openssl genrsa -des3 -out certificate-name.key 2048

Next in the process is to generate the CSR file from the key
$ openssl req -new -key certificate-name.key -out certificate-name.csr

This will involve a step of questions where you need to answer your two-digit country code, province or state, company name, organizational unit name, company name and email address.For the part that involves “Common Name (eg, your name or your server’s name)” enter the domain name for which you want to get the certificate (for e.g. www.abc.com).

Now, copy the content of CSR file and paste it on the certificate request page (probably the web page of the certificate authorities web page like RapidSSL, GoDaddy, VeriSign, Thawte SSL certificate issuance authority.

After submitting the .csr file, you need to wait for the .cer files from the certificate authority. If you are going with Godaddy, they will send you a bundle certificate along with the original .cer file which you need to install in your web server.

It can also refer to a state when more than one application shares the same session variable which when modified without necessary validation causes a race condition.

There is a possibility for an attack or a session hijack when the external agent gets control over the session variable used by victim on the server. Both the agent and the victim needs to have access on the same server for such attacks to take place.

When the same scenario happens on the cookie variables, it is called cookie poisoning.

Precaution to avoid such hijacks are to validate each condition if a cookie or a session is shared or if values are assigned to session or cookies. In such cases, it is also advisable to use a secured transaction path to avoid such attacks.

By default, Apache displays the version of the server, modules loaded in the server and the version of PHP if PHP is configured with Apache.

In httpd.conf file, set the following directives.

ServerSignature Off
ServerTokens ProductOnly

By default, ServerSignature is set to Off and ServerTokens is set to Full in most Linux distros.

For e.g. an intruder may create a link to a site called samplesite.com as <a href=”http://samplesite.com/cart.php?PHPSESSID=Ax23mDud” />Sample Site<a>

When a user clicks on this link the session id gets carried on to the site ‘samplesite.com‘. The intruder waits for the user starts to perform a transaction on the site and will take over vital details by intruding user’s activity on samplesite.com.

How to prevent Session Fixation in PHP?

i) Regenerate session id’s at every juncture where necessary (usage of session_regeneration_id() function)

ii) Avoid passing session id’s in GET/POST variables

iii) If you have a blacklisted referrer list, you can possibly compare the referrer before generating the session for each user. You can also check the referrer on the top of the program in the pages where session based activity is carried out

iv) Generate a session id from the server and check if the session id was generted from the server and if it is not empty.

v) Expire a session after a valid interval and never let it go unexpired.

Reference:

• Wikipedia
• Webappsec
• shiflett.org

In a system developed for a client-server model, it is inconceivable to identify the threat posed by the network users and the intruders.

Primary goal of Kerberos Authentication System is to prevent free text based transmission of passwords over the network.

Kerberos was created by MIT with a license similar to BSD and the current version is Version 5. It is implemented across various OS – Linux, Unix, Windows, MacOS.

Kerberos system is built on a symmetric key algorithm.

How the Kerberos system works?

Indicators:
- User1 on Workstation WS
- Key Distribution Center (KDC)
- Ticket Granting Service (TGS)
- Ticket Granting Ticket (TGT)

Logical Kerberos Database:
User1 : Key1
User2 : Key2
Service1 : Key3
User3 : Key4

Keys for users are derived from User’s password.

Kerberos Communication Flow
1) User1 logs into the network from work station WS
2) Principal is sent to Key Distribution Center KDC
3) KDC checks its database for User1 and generates TGT if User1 is present in its database. TGT is encrypted with Key1 (key that is derived from users password)
4) TGT is sent to WS from KDC
5) In the workstation WS, the key is decrypted with the password entered from WS in order to derive the TGT. TGT is session based and is set to expire after its time limit.

For a Service that runs on a network, the client requests the TGT from Ticket Granting Service (TGS) which may run on the same server as KDC.

Using a text editor create a file called php.ini. This will be our first step.

Next, we need to add the following line of code in php.ini
register_globals = off

Upload php.ini file to the root folder where your application resides.

There may be situation where you wanted all users to store files in a certain folder but might want to restrict users from deleting other users file. For this scenario, you can set the sticky bit of the folder which will serve our purpose.

For example we have created a folder inside /tmp directory called “user”

root@dev:/tmp# ls -l | tail -1
drwxr-xrwx 2 root root 4096 2009-07-13 11:39 user
root@dev:/tmp# cd user

Now create a file called a.txt (you are currently with root privileges)
root@dev:/tmp/user# touch a.txt

Now change to the user with normal privileges (i have created a user called ‘usr100′ for this purpose)
usr100@dev:/tmp/user$ su usr100
password:
usr100@dev:/tmp/user$ whoami
usr100

usr100@dev:/tmp/user# touch b.txt
usr100@dev:/tmp/user$ ls -ltr
total 4
-rw-r–r– 1 root root 0 2009-07-13 11:42 a.txt
-rw-r–r– 1 usr100 usr100 0 2009-07-13 11:42 b.txt
usr100@dev:/tmp/user$ rm -i a.txt

usr100@dev:/tmp/user$ ls -ltr
total 4
-rw-r–r– 1 usr100 usr100 0 2009-07-13 11:42 b.txt

The file created by root user got deleted by usr100.

In order to prevent this, set the sticky bit for the folder ‘user’

usr100@dev:/tmp/user$ su root
root@dev:/tmp# chmod +t user
root@dev:/tmp# cd usr
root@dev:/tmp/usr# touch a.txt
root@dev:/tmp/usr# su usr100
usr100@dev:/tmp$ ls -ltr | tail -1
drwxr-xrwt 2 root root 4096 2009-07-13 12:07 user

Notice “t” at the end of the permission settings which denote that the folder /user has been set with the sticky bit.

usr100@dev:/tmp/user$ ls -ltr
total 0
-rw-r–r– 1 usr100 usr100 0 2009-07-13 11:42 c.txt
-rw-r–r– 1 root root 0 2009-07-13 12:07 a.txt

Now try deleting the file a.txt created by root user
usr100@dev:/tmp/user$ rm -i a.txt
rm: remove write-protected regular empty file `a.txt’? y
rm: cannot remove `a.txt’: Operation not permitted

As the sticky bit is set for the folder ‘user’, usr100 is prevented from deleting the file created by ‘root’ user