WebGoat is a insecure web application which is designed to teach web application security concepts.
You can try hacking: Access Control Flaws, Authentication Flaws, Session Management Flaws, Cross-Site Scripting (XSS), Buffer Overflows, Injection Flaws, Improper Error Handling, Insecure Storage, Denial of Service, Insecure Configuration, Web Services and AJAX Security.

There is a “Lesson Plan” a kind of tutorial and in the “Hints Menu” you can view the parameters, cookies, the Code and the solution.
It’s a lot of fun and you learn more about web application security.

You can download the app from http://code.google.com/p/webgoat/.

It comes with the Java Runtime Environment and a configured Tomcat 5.5
server and should run on any platform.

If you are using Linux or OSX you must download http://webgoat.googlecode.com/svn/tags/webgoat-5.1/main/webgoat.sh to start webgoat.
Put the webgoat.sh in your unpacked webgoat directory and start it
with the terminal:

$ sh webgoat.sh start8080

On Windows it should run throw a double-click on webgoat8080.bat.

Browse to http://guest:guest@127.0.0.1:8080/WebGoat/attack with your
browser and start your first lesson.

happy hacking

If there is a reason why you don’t want humans to read your JavaScript code, you can use the packer from
http://dean.edwards.name/packer/ to obfuscated it (online).

The packer compress the code to one line, deletes all comments and has the option to encode it with Base62. You can put the generated code in your code, it should work with any browser.
You must correctly terminate all JavaScript statements with semi-colons.

Here an example script and the output from the packer:

after packing

after packing and Base62 encoding

I had positive feedback after posting my article about hardening Joomla!, so I will now focus on the blog-software wordpress.
Here are a couple of tips that you can use to make your wordpress a bit securer.

Change the default name of your administrator login (admin) and choose a strong password for all your accounts. It’s also a good idea to use different login- and author-names, wordpress has also a great user levels.

Hide the version of wordpress by removing the generator-meta-tag. You find it in the template code it should look something like this:
<meta name=”generator” content=”WordPress ” />
Please note it’s possible to view the version in the feed.

If your register-globals settings are on, try to disable them (php.ini or .htaccess).

Turn your Magic quotes for incoming GET/POST/Cookie data on, again SQL injections.

Restrict access with a .htaccess in your wp-admin/ folder. Take a look on an older posting http://phpsecurity.wordpress.com/2007/12/22/htaccess-tips-and-tricks/ where you find solutions for limiting by IP addresses and password protection.

Delete disabled templates and plugins that you don’t need from your webspace.

Block wordpress-folders from being indexed by search engines.
Add the following line to your robots.txt:
Disallow: /wp-*

With an online tool from blogsecurity.net, you can scan your wordpress. You need a plugin before doing that.
http://blogsecurity.net/wordpress/news-140707/
http://blogsecurity.net/cgi-bin/wp-scanner.cgi

Disable public browsing of the plugin folder, by putting an empty index.html in wp-content/plugins/.

And last but not least, update your wordpress, your plugins and make regular backups of your site and database.

I played last night with a backdoor shell that I found on the net and will show you how this works and how you can find traces if you are the system administrator.

I used 2 vm’s (virtual machines), both based on Debian/Linux one called “victim” it simulates the cracked server where the backdoor runs and the other box called “hacky” where the bad guy is sitting in front :)

The first step of the bad guy is to start a server that listens on some port (12345) on his box, a good program for this is netcat, the command could be something like: netcat -l -p 12345

After compiling the backdoor in an executable program on the cracked server (”victim”), the bad guy starts it and sends a shell to his box home.

Back at the shell of the bad guy we see that the backdoor sends us some information about the box and the banner of the author of the script.

The bad guy can now send every command to the cracked server, like “hostname” and he gets the hostname which is “victim” back

So what can a system administrator do in this case?

First of all, don’t panic and plug out the computer, a lot of traces could be destroyed after you do that.

A good way is to check the process list, with something like “ps ax” or “ps fax”. As you can see there is the process of the backdoor (marked red)

We know now the process ID the port and the IP where the shell is listening. Now it’s time for another great program called ngrep. With ngrep you can sniff network traffic in nearly the same way you can use the normal grep on Linux.
Start ngrep on the port that the backdoor uses.

The bad guy sends the command “uptime”.

And the administrator sees in his ngrep output the “uptime” request also.

Yes this was a very lucky system administrator, in the real life crackers use encrypted backdoors or rootkit which can hide processes or manipulate commands like ps.

I’m not a big fan of Joomla! but a client wanted to use it and so I had a closer look on it, to make it a bit securer.
For the moment I work with the 1.0.14 version and read that the Joomla1.5 work with safe mode on and has some nice security features.
Here are some tips which you can also use if you aren’t a Joomla head.

- always upgrade to newer stable versions, you can check if there is an upgrade for your Joomla! in your Admin panel System->Version Check
- put a .htaccess file in your “administrator”-folder to protect all the files in the folder and subfolders
- change your administrator login, default is “admin” to another name and make sure the password is strong enough
- change the permissions of your config file

- if you can use SSL without any pain use it.
- delete temporary installation files and images you don’t need from Joomla!’s subdirectories
- if you plan to install and use extensions, take a look at security lists for it, like http://secunia.com/search/?search=Joomla and keep them fresh

all changes in the php.ini are global so be careful with changes!
- disable function that could be a security risk with “disable_functions”

- Magic quotes for incoming GET/POST/Cookie data again SQL injections

- Turn off your Register Globals

I’m a big fan of the open source philosophy but sometimes it’s useful to have an unreadable binary source code.
In this posting i will show you how to use and how to install bcompiler to encode your scripts in phpbytecode, enabling you to protect the source code.

First we need a source file (source.php) and convert it with make_bytecode.php to a byte code file (crypt.php).

The source.php is an example php file you can add your own code here.

make_bytecode.php converts the source.php to crypt.php. Make sure that crypt.php is writeable.

After executing make_bytecode.php in your browser or command line crypt.php should be generated.

As you can see in the picture below the source code of crypt.php isn’t readable but you can execute the php code like any other php file.

Install:

The package and information you can find here:
http://pecl.php.net/package/bcompiler
I installed bcompiler on Debian Etch, but it should work on any Linux systems and on windows too.

If not installed you have to install the php-developer package (php4 or php5):
sudo aptitude install php5-dev

I also had to install the libbz2-dev, to prevent the error message “configure: error: Please reinstall the BZip2 distribution” from the pecl installer.
sudo aptitude install libbz2-dev

After that I installed bcompiler version 0.8 over the pecl installer:
sudo pecl install channel://pecl.php.net/bcompiler-0.8

Make sure that the installer return this line at the end “install ok: channel://pear.php.net/bcompiler-0.8″.
If not check the error messages and try to fix it!

Add extension=bcompiler.so to your php.ini

Akismet, or Automattic Kismet, is a text spam filtering service created by Automattic, the corporation which employs most of the main developers of WordPress.

When a new comment is posted on your site, Akismet webs service catches the comment and tests whether a comment is valued as “spam” or “not spam”.
This is a good protection because a lot of bloggers and the WordPress software use Akismet and flag new spam pattern to the Akismet site.

If you have a comment form on your webapp you can protect it with the Akismet-service and some PHP code around. I use it for a python application and it catches a lot of comment spam day for day and as Douglas Adams says “I may not have gone where I intended to go, but I think I have ended up where I needed to be.”.

First you need to generate a WordPress API key on this page. You don’t need to get a blog, choose the “just an account” option when signing up.
http://wordpress.com/signup/

There are two (and sure more) classes, that make a implementation in your own webapp easy as possible.
Take a look at the docs on both sites:

PHP 4 class by Bret Kuhns:
http://miphp.net/pages/akismet_docs

PHP 5 class by Alex Potsides:
http://www.achingbrain.net/stuff/akismet/#usage

.htaccess (hypertext access) is the default name of Apache’s directory-level configuration file. .htaccess is placed in a particular directory, and the directives in the .htaccess file apply to that directory, and all subdirectories thereof.

The most common feature is to restrict access to a folder by force the user to a login prompt, but there are some other helpful things also that I show you in this posting.

Allow access only for the IP 127.0.0.1

Forbid access to files with extensions .bak, .sql, .inc.

This line make the “.txt” extension to executable PHP scripts.

Redirceting from web folder “bla” to http://phpsecurity.wordpress.com/

Rewriting you can use to make better reading URLs. It’s very handy for SEO and looks much more friendlier than long-cryptic looking URLs for your visitors.
In this example the URL can be http://example.org/de/ or http://example.org/en/ and the Rewrite engine catches the parameters in the brackets and give the value “de” or “en” to the $lang to index.php.

Last but not least, set a password prompt to any directory you want

on linux you create a .htpasswd file with:

than you put this lines to your .htaccess:

If you have any problems with .htaccess and you have access to your server, look in the error logs of your apache server. You find them in /var/log/apache2/error.log (depending on system).

The null byte (also null terminator) is a character with the value zero, present in the ASCII and Unicode character sets. Strings end if there is a null character.
In PHP this character looks like this %00.

Ok whats the deal with null bytes?

A lot of people think that this method below, to include a file which has a fix extension (.php), is a bullet prof one, but that’s not true.

If you call the script with a null byte in the URL it’s possible to include any local or remote site!

http://example.com/?site=../../../../etc/passwd%00

In part 1 we made sure that the value is an integer, but what if a value could be a string?
You have to escape special characters in a string for using in a SQL statement. This means that a single quote (’) get a backslash before (\’).

There are escape functions for each popular database:

MySQL: mysql_real_escape_string()
PostgreSQL: pg_escape_string()
SQLite: sqlite_escape_string()

You can also use PDO’s prepared statements support. PDO uses the native prepared statement support for your database.
As you can see in the next example $_GET['name'] would be escaped, before the query touches the database.

There are some database abstraction layer (DAL) for PHP, such as AdoDB, PEAR::MDB2, or Zend_Db. Most DAL’s provide support for prepared statements and quoting like PDO.

It’s up to you which protection you use, but think about that your database is the heart of your website.