If there is a reason why you don’t want humans to read your JavaScript code, you can use the packer from
http://dean.edwards.name/packer/ to obfuscated it (online).

The packer compress the code to one line, deletes all comments and has the option to encode it with Base62. You can put the generated code in your code, it should work with any browser.
You must correctly terminate all JavaScript statements with semi-colons.

Here an example script and the output from the packer:

after packing

after packing and Base62 encoding

I had positive feedback after posting my article about hardening Joomla!, so I will now focus on the blog-software wordpress.
Here are a couple of tips that you can use to make your wordpress a bit securer.

Change the default name of your administrator login (admin) and choose a strong password for all your accounts. It’s also a good idea to use different login- and author-names, wordpress has also a great user levels.

Hide the version of wordpress by removing the generator-meta-tag. You find it in the template code it should look something like this:
<meta name=”generator” content=”WordPress ” />
Please note it’s possible to view the version in the feed.

If your register-globals settings are on, try to disable them (php.ini or .htaccess).

Turn your Magic quotes for incoming GET/POST/Cookie data on, again SQL injections.

Restrict access with a .htaccess in your wp-admin/ folder. Take a look on an older posting http://phpsecurity.wordpress.com/2007/12/22/htaccess-tips-and-tricks/ where you find solutions for limiting by IP addresses and password protection.

Delete disabled templates and plugins that you don’t need from your webspace.

Block wordpress-folders from being indexed by search engines.
Add the following line to your robots.txt:
Disallow: /wp-*

With an online tool from blogsecurity.net, you can scan your wordpress. You need a plugin before doing that.
http://blogsecurity.net/wordpress/news-140707/
http://blogsecurity.net/cgi-bin/wp-scanner.cgi

Disable public browsing of the plugin folder, by putting an empty index.html in wp-content/plugins/.

And last but not least, update your wordpress, your plugins and make regular backups of your site and database.

I played last night with a backdoor shell that I found on the net and will show you how this works and how you can find traces if you are the system administrator.

I used 2 vm’s (virtual machines), both based on Debian/Linux one called “victim” it simulates the cracked server where the backdoor runs and the other box called “hacky” where the bad guy is sitting in front :)

The first step of the bad guy is to start a server that listens on some port (12345) on his box, a good program for this is netcat, the command could be something like: netcat -l -p 12345

After compiling the backdoor in an executable program on the cracked server (“victim”), the bad guy starts it and sends a shell to his box home.

Back at the shell of the bad guy we see that the backdoor sends us some information about the box and the banner of the author of the script.

The bad guy can now send every command to the cracked server, like “hostname” and he gets the hostname which is “victim” back

So what can a system administrator do in this case?

First of all, don’t panic and plug out the computer, a lot of traces could be destroyed after you do that.

A good way is to check the process list, with something like “ps ax” or “ps fax”. As you can see there is the process of the backdoor (marked red)

We know now the process ID the port and the IP where the shell is listening. Now it’s time for another great program called ngrep. With ngrep you can sniff network traffic in nearly the same way you can use the normal grep on Linux.
Start ngrep on the port that the backdoor uses.

The bad guy sends the command “uptime”.

And the administrator sees in his ngrep output the “uptime” request also.

Yes this was a very lucky system administrator, in the real life crackers use encrypted backdoors or rootkit which can hide processes or manipulate commands like ps.

Akismet, or Automattic Kismet, is a text spam filtering service created by Automattic, the corporation which employs most of the main developers of WordPress.

When a new comment is posted on your site, Akismet webs service catches the comment and tests whether a comment is valued as “spam” or “not spam”.
This is a good protection because a lot of bloggers and the WordPress software use Akismet and flag new spam pattern to the Akismet site.

If you have a comment form on your webapp you can protect it with the Akismet-service and some PHP code around. I use it for a python application and it catches a lot of comment spam day for day and as Douglas Adams says “I may not have gone where I intended to go, but I think I have ended up where I needed to be.”.

First you need to generate a WordPress API key on this page. You don’t need to get a blog, choose the “just an account” option when signing up.
http://wordpress.com/signup/

There are two (and sure more) classes, that make a implementation in your own webapp easy as possible.
Take a look at the docs on both sites:

PHP 4 class by Bret Kuhns:
http://miphp.net/pages/akismet_docs

PHP 5 class by Alex Potsides:
http://www.achingbrain.net/stuff/akismet/#usage

Automated testing is an extremely useful bug-killing tool for the modern Web developer and a lot of vulnerability in fact are based on bugs.
With Selenium IDE, a free Firefox extension, you can easily record your clicks and inputs in the browser, set tests and replay the records. If a test failed you get a feedback.

I’ll show you an example, to make the power of Selenium clearer.

This example code echoes a form value.

Start selenium and make sure the record lamp (red) is on. All steps will now record as long as the lamp is on.

Send a string “bla” over the form

Mark the output “bla” and choose in the right mouse context “verifyTextPresents bla”.
This is a testcase that “bla” is on the site displayed.

Go back to the selenium window and stop the recording (click on the red lamp).
Now it’s possible to run a playback of the recording, in 3 tempos (Run, Walk, Step), by pressing the green play button.

Ok time for a bug, change the variable name in the php line from “name” to “foo”

now we run a test in selenium and get a red marked error, because selenium doesn’t found the string “bla”.

This is only a bit of the power from Selenium. You can also debug with breakpoints, save tests in a lot of formats, edit the tests by hand, …

website: http://www.openqa.org/selenium-ide/
example video: http://wiki.openqa.org/display/SIDE/Recording+a+Test

With the follow commands you can execute an external program on the system (server).

• shell_exec
• proc_open
• system
• exec
• passthru
• popen
• “ (back tick operator)

This form sends a domain name and prints the result back from the linux program whois.

send example.com to the whois program

The problem of this script is that the user input touches directly the system without any validation. An attacker can end the whois command with a semicolon (;) and add any command he wants.

send “;uname -a” to the system and print system informations

Using system calls which can be manipulate could be very dangerous. Never trust the user, always Filter Input.
If you must use system calls, use “escapeshellarg” and “escapeshellcmd” to escape strings.

Subversion allows users to keep track of changes made to source code. It’s very handy and many developers use it everyday, like me.

Some websites have a svn checkout in their public web folder to make faster updates if code change.

Letting the cat out of the bag right now: If the webserver has directory listening on, it’s easy to spy parts of your website.
If you take a closer look to the structure of Subversion you will notice that Subversion creates on every folder a subfolder called “.svn” with some files.

A example is a webshop which uses Subversion on the web server.

The start site of the webshop

After adding a “.svn/” in the URL, you see the svn structure.

The subfolder “text-base” shows us which files are in the folder

we can view the configuration file …

.. and the database dump

Sure this was fictitious, but we saw that it was easy to look at the structure of the site and view the files on the server with an webbrowser, we didn’t know before.

Take care of your production site if you have running a Subversion checkout on it!

CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) can protect you and your users from spammers and crackers.
Broadly spoken, user don’t like this ugly looking pictures and I saw a lot of false implemented code or very easy to crack. To see some examples which CAPTCHAs can be broken you should check out http://sam.zoy.org/pwntcha/

An easy to implement, free and I guess secure service can be found on recaptcha.org and you help by digitizing books.

You go there, create an account, generate a API key and include the code into your application form. After 10 minutes you have a nice secure solution.

I’ve been using it now for some months and I’m very happy with it.
An important point to me was that recaptcha has audio support, so visually handicapped people also can login.

On the site you can find example code and plugins for many programming languages and well known applications.

http://recaptcha.net
http://recaptcha.net/plugins/php/
Breaking a Visual CAPTCHA
http://sam.zoy.org/pwntcha/

Pixy is a free Java program that performs automatic scans of PHP 4 source code, aimed at the detection of Cross-site scripting (XSS) and SQL injection (SQLI) vulnerabilities. Pixy takes a PHP program as input, and creates a report that lists possible vulnerable points in the program, together with additional information for understanding the vulnerability.

There is also a easy to use webinterface where you can upload your files or paste the code to analyse it.

http://pixybox.seclab.tuwien.ac.at/pixy/webinterface.php

After my last posting “(evil) Register Globals (on)“, I got an email asking what remote files look like and what they do. I call remote files “phpshells”. phpshells can send commands directly to the server system over http.

An easy version could be using a GET variable for a system call. Indeed, it’s enough to steal information, destroy pages and do other nasty stuff on a web server.

The r57shell is the deluxe version of a phpshell. I added some pictures below. It’s an interface and has functions like ftp, mail and many more.