Monday, 29 April 2013

RFI Security

Remote File Inclusion (RFI) is an attack against the servers that run web sites and their applications. The attacker supplies the path or URL of a file they control to a script that includes or otherwise operates on files, and weak validation of that input lets the attacker's code run on the server. A successful RFI can deface the site, expose data, or give the attacker a foothold on the server from which almost anything is possible.
The example below shows the same underlying flaw, a user-controlled file path, in a script that deletes files: the input is pasted into a path without any check that the result stays where the developer intended.

Vulnerable Code:-

<?php
// remove a file from the user's home directory
$username = $_POST['user_submitted_name'];
$userfile = $_POST['user_submitted_filename'];
$homedir  = "/home/$username";
unlink("$homedir/$userfile");
echo "The file has been deleted!";
?>

Attacking Code:-

<?php
// removes a file from anywhere on the hard drive that
// the PHP user has access to. If PHP has root access:
$username = $_POST['user_submitted_name'];     // "../etc"
$userfile = $_POST['user_submitted_filename']; // "passwd"
$homedir  = "/home/$username";                 // "/home/../etc"
unlink("$homedir/$userfile");                  // "/home/../etc/passwd"
echo "The file has been deleted!";
?>

Security:-

1. Run PHP with the least privilege it needs. If the web server's user can only write inside the application's own directories, a traversal like the one above cannot reach /etc/passwd at all. Take the user name from the authentication layer rather than from the form, and reduce the file name to its last path component with basename(), which strips any directory part, including "..":

<?php
// removes a file from the hard drive that
// the PHP user has access to.
$username = $_SERVER['REMOTE_USER'];
// using an authentication mechanism
$userfile = basename($_POST['user_submitted_filename']);
$homedir  = "/home/$username";
$filepath = "$homedir/$userfile";
if (file_exists($filepath) && unlink($filepath)) {
    $logstring = "Deleted $filepath\n";
} else {
    $logstring = "Failed to delete $filepath\n";
}

$fp = fopen("/home/logging/filedelete.log", "a");
fwrite($fp, $logstring);
fclose($fp);
echo htmlentities($logstring, ENT_QUOTES);
?>
2. Validate every submitted value before it touches the file system. The user name is restricted to alphanumerics and the file name to a short character class; the regular expression admits a single "." (so "notes.txt" passes) but rejects any ".." sequence and any "/":

<?php
$username = $_SERVER['REMOTE_USER'];
// using an authentication mechanism
$userfile = $_POST['user_submitted_filename'];
$homedir  = "/home/$username";
$filepath = "$homedir/$userfile";
if (!ctype_alnum($username) || !preg_match('/^(?:[a-z0-9_-]|\.(?!\.))+$/iD', $userfile)) {
    die("Bad username/filename");
}

//etc...
?>

LFI Security

LFI stands for Local File Inclusion. It is a web-application vulnerability in which a file name or path taken from a specially crafted HTTP request is passed to an include directive, so the attacker chooses which file on the server is read and, if it is PHP, executed. Nothing more than a web browser is needed to exploit it, which makes it very easy to attack.


Vulnerable Code:-

<?php
$page = isset($_GET['page']) ? $_GET['page'] : 'home';
require $page . '.php';
?>

The attacker could then request:
index.php?page=../secret
The script appends ".php" and includes
/home/someone/public_html/secret.php
a file that was never meant to be reachable through the page parameter. Repeating ".." climbs further up the tree, so any .php file the web server's user can read is fair game, and on PHP versions before 5.3.4 a %00 (NUL byte) in the parameter truncated the path, dropped the appended ".php" and let the attacker include any file at all.

Security –
1. Allow-list of valid pages
First of all, keep an array of the pages that may be loaded and refuse anything else before it reaches require:
$pages = array(
    'home',
    'login',
    'logout',
    // etc.
);
if (!in_array($page, $pages, true)) {
    die('Invalid page');
}

2. Check that the resolved path has the expected shape
Another thing you could do is resolve the requested file with realpath(), which collapses "." and ".." and follows symlinks, and only include it if the result lies inside the site directory and looks like a plain page name:

$file = str_replace('\\', '/', realpath($page . '.php'));
if (!preg_match('%^/home/someone/public_html/[a-z]+\.php$%', $file)) {
    die('Invalid page');
}
include $file;

3. Reject file names that contain ".", ".." or "/" (or "\" under Windows).
4. Limit file names to basic alphanumeric characters.
5. Prepend the include directory name and append the expected extension yourself, so a request can only ever name a file in that directory (combined with the realpath check above, since ".." would otherwise still escape it).
6. Set the open_basedir directive in php.ini or the virtual host configuration; PHP then refuses to open any file outside the listed directories, whatever the script asks for.
7. Use the strip_tags() and htmlspecialchars() functions on values you write back into the page. This protects the HTML output against script injection (XSS) when the requested file name is echoed; it does nothing to stop the inclusion itself, so it supplements points 1 to 6 rather than replacing them.

<?php
// Sanitise a value before echoing it into HTML. This is an output
// filter only: it does not make a value safe to use as a file path.
function cleanAll($input) {
    $input = strip_tags($input);
    $input = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    return $input;
}
?>
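The two posts above share one problem, a user-supplied name that ends up in a file system path, and one fix, resolving the path and proving it stays inside the directory you meant. The following is an added example, not code from either post: it implements that containment check once and uses it for both scenarios, deleting a file inside a user's home directory and loading a page through an allow-list. The directory layout, the user "alice", the page list and the function names are assumptions made for the demo; it builds its own temporary tree so it runs stand-alone.

```php
<?php
// Added example, not code from the original posts: one containment check
// that serves both scenarios, deleting a file inside a user's home directory
// (RFI post) and loading a page through an allow-list (LFI post).
// Directory names, the user and the page list are assumptions for the demo.

declare(strict_types=1);

/**
 * Resolve $name relative to $base and return the real path only if it stays
 * inside $base. realpath() collapses "." and ".." and follows symlinks, so
 * "/home/alice/../../etc/passwd" resolves to "/etc/passwd" and fails the
 * prefix test. Returns null when the file is missing or outside $base.
 */
function resolve_inside(string $base, string $name): ?string
{
    // A NUL byte would truncate the path in the C library; refuse it outright.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;
    }
    $candidate = realpath($realBase . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null;
    }
    // Compare against "base + separator" so /home/alice does not accept
    // /home/alice2/secret, which shares the plain string prefix.
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

/** RFI post: delete a file, but only from the caller's own home directory. */
function delete_user_file(string $homeRoot, string $username, string $userfile): bool
{
    // The user name belongs to the authenticated session, never to the form;
    // a strict character class rejects "../etc" style values regardless.
    if (!preg_match('/\A[a-z][a-z0-9_-]{0,31}\z/', $username)) {
        return false;
    }
    $path = resolve_inside($homeRoot . DIRECTORY_SEPARATOR . $username, $userfile);
    if ($path === null || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

/** LFI post: map a page name to a file through an allow-list, then re-check the path. */
function page_file(string $pagesDir, string $page, array $allowed): ?string
{
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    // The allow-list already excludes traversal; the containment check
    // additionally catches a symlinked or misconfigured pages directory.
    return resolve_inside($pagesDir, $page . '.php');
}

// Constructed demo tree in the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . bin2hex(random_bytes(4));
mkdir("$root/home/alice", 0700, true);
mkdir("$root/pages", 0700, true);
file_put_contents("$root/home/alice/notes.txt", "alice's notes\n");
file_put_contents("$root/secret.txt", "must survive every request\n");
file_put_contents("$root/pages/home.php", "<?php echo 'home';\n");

$cases = [
    'delete ../../secret.txt as alice'  => delete_user_file("$root/home", 'alice', '../../secret.txt'),
    'delete secret.txt as user "../.."' => delete_user_file("$root/home", '../..', 'secret.txt'),
    'delete notes.txt as alice'         => delete_user_file("$root/home", 'alice', 'notes.txt'),
    'page ../secret'                    => page_file("$root/pages", '../secret', ['home', 'login']) !== null,
    'page home'                         => page_file("$root/pages", 'home', ['home', 'login']) !== null,
];
foreach ($cases as $label => $allowed) {
    printf("%-36s %s\n", $label, $allowed ? 'allowed' : 'rejected');
}
printf("secret.txt still present: %s\n", file_exists("$root/secret.txt") ? 'yes' : 'no');
```

The prefix comparison is done after realpath() on both sides so that a symlinked temp directory (as on macOS) or a symlink planted by the user cannot make the two paths disagree; the trailing separator on the prefix is what stops "/home/alice" from accepting "/home/alice2/...". Run it with the PHP CLI; only the "notes.txt" deletion and the "home" page should be reported as allowed.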

Sunday, 21 April 2013

XSS Attack Security

Cross-site scripting (XSS) is a security vulnerability typically found in web applications. It lets an attacker inject client-side script into web pages viewed by other users, where it runs with the privileges of the site in the victim's browser, so it can be used to bypass access controls such as the same-origin policy and act as the victim.
XSS is often compared to SQL injection. In SQL injection the attacker's input is interpreted as part of a SQL query; in XSS the attacker's input is interpreted as part of the HTML page, so the injected code (usually JavaScript) runs in the browsers of the site's other visitors rather than on the server.

Types of XSS:-
1. Non-persistent (reflected)
2. Persistent (stored)

A non-persistent attack requires the victim to open a link crafted by the attacker. The server reflects the payload from the request straight into the response, and the victim's browser executes it as part of the page.

Example-
index.php?name=guest<script>alert('attacked')</script>
If the page writes the name parameter into its HTML without encoding it, a victim who opens this URL sees an alert box reading 'attacked'. The alert itself does no damage beyond the annoying pop-up; the same injection point could just as well load a script that sends the victim's session cookie to the attacker.

In a persistent attack the injected code is stored by the application (usually in its database, for example in a comment or profile field) and served to every user who views that page, so no crafted link is needed and the damage is greater than in the non-persistent case. Here we will see how to hijack another user's session by performing XSS.


Prevention from XSS Attack:-
This is the code that is vulnerable to the XSS attack.


To prevent this attack, change your code as given below.
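As an added example (not the code from the original post), here is the "?name=" greeting from the example URL above written both ways: first reflecting the parameter untouched, which is the vulnerable pattern, then encoding it for the HTML context it lands in. The function names, the link helper and the session-cookie settings are my choices for the demo, not anything the post shows; the payload is the one from the post's URL.

```php
<?php
// Added example, not code from the original post: the "?name=" greeting
// above, first written the way that makes it vulnerable, then with the
// value encoded for the context it is written into. Function names and
// the cookie settings are my choices for the demo, not the post's code.

declare(strict_types=1);

/** Vulnerable: the parameter is copied into the page as markup. */
function greet_unsafe(string $name): string
{
    return '<p>Hello ' . $name . '</p>';
}

/**
 * Encode for an HTML text or attribute context. ENT_QUOTES also encodes
 * single quotes, so the result is safe inside a single-quoted attribute;
 * the explicit charset keeps the encoder from being confused by
 * malformed multibyte sequences.
 */
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Fixed: the same greeting with the value encoded. */
function greet_safe(string $name): string
{
    return '<p>Hello ' . html($name) . '</p>';
}

/**
 * A URL attribute needs a scheme check as well as encoding: encoding
 * leaves "javascript:alert(1)" untouched, and the browser would run it.
 */
function link_safe(string $href, string $label): string
{
    if (!preg_match('#\Ahttps?://#i', $href)) {
        $href = '#';
    }
    return '<a href="' . html($href) . '">' . html($label) . '</a>';
}

/**
 * Limits the damage of the stored XSS the post describes: script running
 * in the victim's browser cannot read an HttpOnly cookie through
 * document.cookie, so the session id is not simply handed over.
 * Must be called before session_start().
 */
function harden_session_cookie(): void
{
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');     // only sent over HTTPS
    ini_set('session.cookie_samesite', 'Lax'); // PHP 7.3 and later
    ini_set('session.use_strict_mode', '1');   // reject attacker-chosen session ids
}

// Constructed input: the payload from the post's example URL.
$payload = "guest<script>alert('attacked')</script>";

echo greet_unsafe($payload), "\n"; // the <script> element survives intact
echo greet_safe($payload), "\n";   // angle brackets and quotes become entities
echo link_safe('javascript:alert(1)', $payload), "\n";
```

The encoding has to match the context: html() is right for text nodes and quoted attributes, but a value placed inside a URL, a script block or a CSS rule needs its own rules, which is why link_safe() checks the scheme before encoding. The cookie flags do not prevent XSS; they only stop the simplest session-theft payload from working, so they belong alongside output encoding, not instead of it.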

Saturday, 20 April 2013

Website Scanning

Website scanning is the systematic examination of a web site for weaknesses. It covers footprinting, fingerprinting, vulnerability scanning and similar steps.
                                   Footprinting
Footprinting is the first and most convenient step an attacker takes to gather information about computers and web sites.
It is also the first step a penetration tester takes when evaluating the security of an IT infrastructure: gathering as much information as possible about the computer system or network and about the devices attached to it.

Footprinting is the first and the most important step because, once it is done, the penetration tester knows how an attacker sees the network.

To measure the security of a computer system, learn as much about it as you can, because that is what lets you determine the path an attacker would use to exploit it.
Steps in Footprinting:-
1. Information gathering
2. Determining the network range
3. Identifying active machines
4. Finding open ports and access points
5. OS fingerprinting
6. Fingerprinting services
7. Mapping the network
                                                          Fingerprinting
Fingerprinting is done to determine the remote operating system. For example, attempting Windows-specific attacks against a UNIX system is pointless. Fingerprinting is possible because the TCP/IP specifications do not fully define the behaviour of a protocol stack, so by sending unusual (undefined) network traffic to a system, the attacker receives responses characteristic of that particular implementation.
There are two types of fingerprinting:-
1. Active stack fingerprinting :-
Sends crafted probes to the target and examines the replies, relying on the fact that OS vendors implement the TCP/IP stack differently. It is the more accurate method, but the probes are visible to the target and to any intrusion detection system watching it, so it leaves a larger footprint.
2. Passive fingerprinting :-
Instead of sending anything to the target host, it captures packets the host sends anyway and studies them for tell-tale signs (initial TTL, TCP window size, option ordering) that reveal the OS. It leaves no trace on the target but is less accurate than active fingerprinting.
 
                                   SCAN YOUR WEBSITE HERE.......
1. http://sitecheck.sucuri.net/scanner/
A free website malware scanner.
2. https://www.virustotal.com/en/
VirusTotal is a free virus, malware and URL online scanning service. Files are checked with more than 40 antivirus engines.
3. http://siteinspector.comodo.com/
This free service scans only a single page at a time.
4. http://onlinelinkscan.com/
Onlinelinkscan is a fast, free antivirus tool that scans suspicious websites for adware, trojans, viruses and malware.
5. http://www.urlvoid.com/
Scans websites with multiple reputation engines and domain blacklists to check whether a site is safe and legitimate.


                 WEBSITE SCANNING WITH TOOLS........
1. Acunetix web vulnerability scanner
2. Netsparker Community Edition (Windows)
3. Websecurify (Windows, Linux, Mac OS X)
4. Wapiti (Windows, Linux, Mac OS X)
5. N-Stalker (Windows)
6. Skipfish
7. Exploit-Me (Windows, Linux, Mac OS X)
8. sqlmap
9. Grendel-Scan
10. AppScan

Thursday, 18 April 2013

Security from SQL Injection

SQL Injection:-

It is basically a trick to inject SQL commands or query fragments as input, mainly through the POST or GET parameters of a web page.
Let's look at the usual query for user login in PHP:
$sql = "SELECT * FROM tbl_user WHERE username='" . $_POST['username'] . "' AND password='" . $_POST['password'] . "'";

$result = mysql_query($sql);
Suppose an intruder enters x' OR 'x'='x in the username field and x' OR 'x'='x in the password field.
The final query then becomes:
SELECT * FROM tbl_user WHERE username='x' OR 'x'='x' AND password='x' OR 'x'='x';
Because the trailing OR 'x'='x' is always true, the WHERE clause matches every row of tbl_user and the intruder is logged in without knowing any password.
Prevention from SQL Injection Attack in PHP:
1) Restrict the length of form fields, for example no more than 20 characters for username and password, with the "maxlength" attribute of the HTML form. This is only a convenience for honest users: an attacker can send a request of any length directly, so the same limit must be enforced again on the server.
2) Always validate for proper input, such as whether the value is a valid e-mail address, is numeric, is a valid date and so on.
3) Finally, always escape the variable before placing it in the SQL query. The mysql_real_escape_string() function belongs to the mysql extension, which was removed in PHP 7; its mysqli equivalent takes the database connection as its first argument:
For example
$username = mysqli_real_escape_string($link, $_POST['username']);
$password = mysqli_real_escape_string($link, $_POST['password']);
If an intruder enters ' OR 1 in the username and password fields, the value of $username and $password becomes \' OR 1, which the database treats as an ordinary string and which no longer harms us. Escaping only protects values that are placed inside quotes; the more robust approach is a prepared statement, where the query text and the values never mix.


Paste this code into your database access code to prevent SQL injection.

// To protect against MySQL injection (more detail about MySQL injection)

// stripslashes() undoes the backslashes that the old magic_quotes setting
// added to request data, so the value is not escaped twice; magic_quotes
// was removed in PHP 5.4, and on current versions these two lines do nothing.
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysqli_real_escape_string($link, $myusername);
$mypassword = mysqli_real_escape_string($link, $mypassword);
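To see what the login query above does with the intruder's input, and what a prepared statement does with the same input, here is an added example that is not code from the original post. It runs both versions of the query against an in-memory SQLite database through PDO, so no MySQL server is needed; the table contents and the function names are constructed for the demo, and the attacker string is the one from the post. The password is compared inside the query only to mirror the post's query; real code should fetch the row by username and check a hash with password_verify().

```php
<?php
// Added example, not code from the original post: the login query above
// run both ways against an in-memory SQLite database through PDO, so the
// difference is visible without a MySQL server. Table name and users are
// constructed for the demo; the attacker string is the one from the post.

declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tbl_user (username TEXT, password TEXT)');
    $db->exec("INSERT INTO tbl_user VALUES ('admin', 'correct horse')");
    return $db;
}

/** The pattern from the post: user input spliced into the SQL text. */
function login_unsafe(PDO $db, string $username, string $password): int
{
    $sql = "SELECT * FROM tbl_user WHERE username='" . $username
         . "' AND password='" . $password . "'";
    return count($db->query($sql)->fetchAll());
}

/**
 * Prepared statement: the SQL text is fixed before any value is bound, so
 * quotes in the input are data, not syntax. This removes the need for
 * escaping altogether and is the supported approach now that the mysql_*
 * functions are gone; PDO speaks to MySQL exactly the same way.
 */
function login_safe(PDO $db, string $username, string $password): int
{
    $stmt = $db->prepare('SELECT * FROM tbl_user WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    return count($stmt->fetchAll());
}

$db = make_db();
$attack = "x' OR 'x'='x";

printf("unsafe, attacker input: %d row(s)\n", login_unsafe($db, $attack, $attack));
printf("safe,   attacker input: %d row(s)\n", login_safe($db, $attack, $attack));
printf("safe,   real password:  %d row(s)\n", login_safe($db, 'admin', 'correct horse'));
```

With the attacker string the unsafe version returns the admin row because the WHERE clause has become a tautology; the prepared statement returns nothing because it is looking for a user literally named x' OR 'x'='x. Requires the pdo_sqlite extension, which is compiled into most PHP builds.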

Wednesday, 17 April 2013

Website security

Website security covers the measures that keep a site's code, its data and its users safe, including restricting access to the areas of the site that should not be public. The main points are listed below.
1. SQL injection: "SQL injection" is a form of unverified-user-input vulnerability in which the attacker convinces the application to run SQL that was not intended.

Consider this query:

  "SELECT * FROM table WHERE column = '" + parameter + "';"

If an attacker changes the URL parameter to ' or '1'='1, the query becomes:

  "SELECT * FROM table WHERE column = '' OR '1'='1';"

Since '1' is always equal to '1', the WHERE clause is true for every row and the statement returns the whole table instead of one record. On database drivers that accept several statements in one call, the attacker can also close the statement with a semicolon and append an additional query of their own, which is executed as well.


2. XSS: Cross-site scripting is when an attacker passes JavaScript or other script code into a web form in order to have it run in the browsers of your site's visitors. When creating a form, always check the data being submitted, and encode or strip out any HTML before it is written back into a page.

3. Error messages: Be careful how much information you give away in your error messages. Use generic messages such as "Incorrect username or password" so as not to reveal which half of the login was right. If an attacker is brute-forcing a username and password and the error message reveals when one of the fields is correct, the attacker knows they have that field and can concentrate on the other.

4. Server-side validation/form validation:

Validation should always be done both in the browser and on the server. The browser can catch simple failures such as empty mandatory fields or text entered in a numbers-only field, but only the server-side check can be trusted.

*Validation methods

User input can be validated on the server and on the client (the web browser); hence server-side and client-side validation.

*Server-side validation

In server-side validation the information is sent to the server and validated in a server-side language. If validation fails, a response is sent back to the client, the page containing the form is refreshed and feedback is shown. This method is secure because it works even if JavaScript is turned off in the browser and it cannot be bypassed by a malicious user, who controls only the client. On the other hand, users get no feedback until they submit the form, and every attempt costs a round trip to the server.

*Client-side validation

Server-side validation alone is enough for a secure form. For a better user experience, however, you might add client-side validation, done in the browser with a scripting language such as JavaScript; input can then be validated as the user types, giving more responsive, visually rich feedback.
With client-side validation the form is never submitted if validation fails. The validation is handled in JavaScript functions you write (or in frameworks/plugins) and users get immediate feedback. Because the user controls the browser, this is a convenience, not a security control; the server must repeat every check.

5. Passwords

Everyone knows they should use complex passwords, but that does not mean they always do. It is crucial to use strong passwords for your server and website admin area, and equally important to insist on good password practices for your users, to protect the security of their accounts.

As much as users may not like it, enforcing password requirements such as a minimum of around eight characters, including an upper-case letter and a number, will help protect their information in the long run. Length does more for strength than character classes, so a longer minimum is worth more than additional composition rules.


Passwords should never be stored as plain text, nor as reversibly encrypted values that a stolen key would unlock. Store a salted one-way hash computed with a deliberately slow algorithm (bcrypt, as used by PHP's password_hash(), or an equivalent), so that a leaked database does not hand the attacker every account.
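The following added example (not code from the original post) shows the two points above together: the length-plus-composition policy the paragraph suggests, and storage as a salted bcrypt hash with PHP's built-in password_hash()/password_verify(), including the re-hash step that upgrades old hashes when the cost parameter is raised. The policy values, the cost and the sample password are assumptions for the demo.

```php
<?php
// Added example, not code from the original post: the password policy from
// the text plus bcrypt storage via password_hash()/password_verify().
// MIN_LENGTH, the cost factor and the sample password are assumptions.

declare(strict_types=1);

const MIN_LENGTH = 8;
const BCRYPT_COST = 12;

/** The policy described above: length plus at least one upper-case letter and one digit. */
function password_meets_policy(string $pw): bool
{
    return strlen($pw) >= MIN_LENGTH
        && preg_match('/[A-Z]/', $pw) === 1
        && preg_match('/[0-9]/', $pw) === 1;
}

/** What goes in the database: never the password, only a salted bcrypt hash. */
function hash_for_storage(string $pw): string
{
    // password_hash() generates a fresh random salt and embeds it in the result,
    // so two users with the same password get different stored values.
    return password_hash($pw, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/**
 * Login check. Salt handling and the timing-safe comparison live inside
 * password_verify(). If the stored hash was produced with a lower cost than
 * the current setting, re-hash it now, while the plaintext is available,
 * and hand the new value back so the caller can update the database.
 */
function check_login(string $pw, string &$storedHash): bool
{
    if (!password_verify($pw, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $storedHash = hash_for_storage($pw);
    }
    return true;
}

// Constructed sample data.
$stored = hash_for_storage('Tr0ub4dor&3');
var_dump(password_meets_policy('password'));       // too short, no upper case, no digit
var_dump(password_meets_policy('Tr0ub4dor&3'));
var_dump(check_login('Tr0ub4dor&3', $stored));     // correct password
var_dump(check_login('tr0ub4dor&3', $stored));     // one character wrong
echo $stored, "\n";                                // "$2y$12$..." with the salt embedded
```

Because the salt and cost are part of the stored string, nothing else needs to be kept alongside it, and raising BCRYPT_COST later is handled transparently by the rehash branch on the next successful login.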

6. File uploads

Allowing users to upload files to your website can be a big security risk, even if it is simply to change their avatar. Any uploaded file could contain a script which, if the server can be made to execute it, opens up the whole site.

If you have a file upload form, treat all files with great suspicion. If you allow users to upload images, you cannot rely on the file extension or the MIME type to verify that the file is an image, as both are easily faked. Even opening the file and reading its header, or using functions that check the image size, is not foolproof: most image formats allow a comment section that could carry PHP code, which the server would execute if the file were ever passed through the PHP interpreter. Store uploads outside the web root under a name the server chooses, and never let them be executed.
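As an added example (not code from the original post), here is an avatar-upload check that applies the points in the paragraph above: it ignores the extension and the client-supplied MIME type, sniffs the content, parses the header, and then fully decodes and re-encodes the image with GD so that comment or metadata sections, where PHP code could hide, are discarded. The destination directory, the size cap and the function names are assumptions for the demo; it requires the fileinfo and GD extensions and generates its own sample files, so it runs without a browser.

```php
<?php
// Added example, not code from the original post: validating an "avatar"
// upload without trusting the extension or the client-supplied MIME type.
// The destination directory and the size cap are assumptions; the sample
// files are generated below. Requires the fileinfo and GD extensions.

declare(strict_types=1);

/**
 * Accept only genuine PNG/JPEG images. The file is decoded and re-encoded
 * with GD, which drops comment/EXIF sections where PHP code could hide, and
 * stored under a random name with a fixed extension. Returns the stored
 * path or null. In a real handler $tmpPath is $_FILES['avatar']['tmp_name']
 * and is_uploaded_file() should be checked first.
 */
function store_avatar(string $tmpPath, string $destDir): ?string
{
    // 1. Size cap before doing any decoding work.
    if (!is_file($tmpPath) || filesize($tmpPath) > 2 * 1024 * 1024) {
        return null;
    }
    // 2. Sniff the content, not $_FILES['avatar']['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ['image/png', 'image/jpeg'], true)) {
        return null;
    }
    // 3. getimagesize() parses the header; a fake or truncated header fails here.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    // 4. Fully decode and re-encode: anything that is not pixels is discarded.
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }
    // 5. Server-chosen name and extension; keep $destDir outside the web root.
    $dest = $destDir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.png';
    $ok = imagepng($img, $dest);
    imagedestroy($img);
    return $ok ? $dest : null;
}

// Constructed inputs: a genuine PNG and a PHP script renamed to .png.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700, true);

$good = "$dir/real.png";
$canvas = imagecreatetruecolor(8, 8);
imagepng($canvas, $good);
imagedestroy($canvas);

$bad = "$dir/shell.png";
file_put_contents($bad, "<?php system(\$_GET['cmd']); ?>");

printf("real.png accepted:  %s\n", store_avatar($good, $dir) !== null ? 'yes' : 'no');
printf("shell.png accepted: %s\n", store_avatar($bad, $dir) !== null ? 'yes' : 'no');
```

The renamed script fails at step 2, because fileinfo reports it as text rather than an image. A payload smuggled into a real image's comment chunk would pass steps 2 and 3, which is why step 4 exists: GD writes out only the pixel data it decoded. Even so, the file is saved under a random name with a .png extension in a directory the web server never executes, so a bypass of every check still yields no code execution.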

7. Server security

Most hosting providers handle server configuration for you, but if you host your website on your own server there are a few things to check.

Ensure a firewall is set up and blocks every port that is not essential. If the server is not reachable from an internal network you will still need to open the ports used to upload files and to log in remotely over SSH or RDP; restrict those to the addresses that need them rather than leaving them open to the whole Internet.

8. SSL

SSL (today TLS) is the protocol that secures traffic between the browser and the web server. Use a certificate whenever personal information such as logins is passed between the user and the website, and likewise between the web server and the database if that connection crosses a network. Without it an attacker on the path can sniff the traffic, capture credentials and session identifiers, and use them to gain access to user accounts and personal data.