It wouldn’t surprise me if at least some of them land some pretty good IT security jobs as a result.

Would you hire someone from LulzSec? Answer in the comments please.

My most sincere apologies to anyone who may have been sent somewhere as a result of visiting this site in the past few days and my genuine gratitude to the kind people who reported the issue.

Because it is so free and open you can visit the site right now and check out some of the really cool things like;

• A PHP security library.
• The OWASP top 10.
• The Development Guide.
• Secure Coding Practices.
• Loads more things…

All for free, literally thousands of hours worth of work from some of the top security professionals in the world, available completely for free.  It is brilliant, and why the internet is just a great place to work.

OWASP is split into localised chapters, with new ones popping up all the time.  My local chapter would be the Dublin based one (so I use the term local very very loosely, I even have to take out crazy fake money when I go down there!).

Again, you can join chapters for free, this gives you access to mailing lists and free talks that get put on as regularly as can be organised.  In my opinion anyone who gives half a crap about the security of the web applications they are creating should be attending these talks as often as they can.  I mean it is free, you are getting free security advise from professionals who have proven their chops many times over.

The other thing you can do, and the real point of my post, is that you can become a paid supporter.  This costs a minimum of $50, which I think is more than fair for the amount of excellent information available on their site alone (ignoring the talks organised by chapters), in fact, I say more than fair – I have spent more on ale in an evening, and I am willing to bet you have chucked away more than $50 on lesser causes before.

By rights the $50 should just get you the nice feeling of knowing you have contributed to an excellent cause, but it doesn’t end there, OWASP is such an awesome project that occasionally there will be extra talks or training sessions put on for paid up members by way of a thank you.  That is just bloody awesome, to get to talk to some of the top security professionals in the world or to get trained by them, $50 is a steal.

Sign up now. (or do what I did and ask your company to sign you up!)

Whilst I will be providing examples throughout I will not labour on certain points, I will however attempt to provide many sources that you can use to read up more on the various topics.

For this post I want to talk about some general PHP setup Gotchas that you might want to look out for. There is a tendancy amongst some people (especially if they haven’t had to install PHP) to assume that the default setting that their hosts provided them is the most secure. There are three things wrong with thinking like that.

1. It is lazy (and worst of all, boring)
2. The standard settings may not be the most secure for your setup.
3. Who said they gave you the standard settings?

You should always check out your Apache/MySQL/PHP settings on any new server.

Register Globals

The first setting you should be looking up in php.ini is register_globals and making sure it is set to 0. This is the default setting but it is worth having a quick look because this little blighter could get you into a world of trouble (if you are a bad coder).

The reason I say if you are a bad coder is because there is nothing inherently wrong with having it turned on but if your code isn’t tight enough then having register_globals on can let people type something like…

http://yoursite.com/page.php?newVar=h@xx0r

This newVar variable is now set in your code, it doesn’t take a security expert to realise what crap that could land you in.

If you don’t have access to the php.ini file on your server you can include that parameter in your .htaccess file that should be located in the root of your web folder. The line you would need to add is..

php_flag register_globals on

Whilst it is best practice to turn them off in order to try and keep your code a little less vulnerable you should really be turning on Error Reporting to point you in the right direction from time to time, which leads me very nicely onto my next heading…

Error Reporting

Error Reporting is concerned with what errors PHP will record, where it will store them, and if it will display them.  There are essentially four settings we should be concerning ourselves with, like with register_globals these can be set in php.ini, in a .htaccess file or in your php code.

• error_reporting (Which I think should be set to E_ALL | E_STRICT *)
• display_errors (On for an internal DEV server or your home setup, Off for a client setup)
• log_errors (You should always have this set to On)
• error_log (You set this to where you want the logs to be stored eg /location/to/log **)

*E_ALL in  basically means report everything, E_STRICT means be damned strict about it, errors and warnings alike will be picked up by PHP.

** Obviously your logs shouldn’t be anywhere close to being inside the www folder, error notifications could really help a potential hacker.

You can set up your own error handling within PHP, but my suggestion would be use a framework to do this for you, only roll your own if you are confident in your abilities because if there is an error in your error handler, well…

Closing Up

You could write a small book on how to securely set up a server, and of course by the time you have written it the tips will be obsolete.  I will leave this post here with those 2 categories for now because these are the main ones that keep cropping up when people mention PHP setup and Security.

When I start writing my next post (entitled Forms and Filtering) there will be a lot more content to get your teeth into, because if you can write bullet proof code your app should be able to stand up on all but the most flaky of server setups!

Resources

• Register Globals Is Not Evil
• More Information On Register Globals
• PHP’s Error Configuration

If you thought this post was in any way useful, please share it amongst others who you think would also benifit.

When I tried to make the file whilst running Ubuntu 9.10 I was presented with the following error:

cc -L/usr/local/lib/ -L/opt/local/lib skipfish.c -o skipfish -O3 -Wno-format -Wall -funsigned-char -g -ggdb -I/usr/local/include/ -I/opt/local/include/ -D_FORTIFY_SOURCE=0 \
http_client.c database.c crawler.c analysis.c report.c -lcrypto -lssl -lidn -lz
In file included from crawler.h:26,
from skipfish.c:39:
http_client.h:26:25: error: openssl/ssl.h: No such file or directory
In file included from crawler.h:26,
from skipfish.c:39:
http_client.h:189: error: expected specifier-qualifier-list before ‘SSL_CTX’
skipfish.c: In function ‘main’:
skipfish.c:154: warning: implicit declaration of function ‘SSL_library_init’
http_client.c:37:25: error: openssl/ssl.h: No such file or directory
http_client.c:38:25: error: openssl/err.h: No such file or directory
http_client.c:39:18: error: idna.h: No such file or directory
http_client.c:40:18: error: zlib.h: No such file or directory
In file included from database.h:29,
from http_client.c:45:
http_client.h:189: error: expected specifier-qualifier-list before ‘SSL_CTX’
http_client.c: In function ‘parse_url’:
http_client.c:285: warning: implicit declaration of function ‘idna_to_ascii_8z’
http_client.c:285: error: ‘IDNA_SUCCESS’ undeclared (first use in this function)
http_client.c:285: error: (Each undeclared identifier is reported only once
http_client.c:285: error: for each function it appears in.)
http_client.c: In function ‘parse_response’:
http_client.c:1516: error: ‘z_stream’ undeclared (first use in this function)
http_client.c:1516: error: expected ‘;’ before ‘d’
http_client.c:1521: error: ‘d’ undeclared (first use in this function)
http_client.c:1531: warning: implicit declaration of function ‘inflateInit2’
http_client.c:1531: error: ‘Z_OK’ undeclared (first use in this function)
http_client.c:1532: warning: implicit declaration of function ‘inflateEnd’
http_client.c:1537: warning: implicit declaration of function ‘inflate’
http_client.c:1537: error: ‘Z_FINISH’ undeclared (first use in this function)
http_client.c:1540: error: ‘Z_BUF_ERROR’ undeclared (first use in this function)
http_client.c:1540: error: ‘Z_STREAM_END’ undeclared (first use in this function)
http_client.c: In function ‘destroy_unlink_conn’:
http_client.c:1636: error: ‘struct conn_entry’ has no member named ‘q’
.

.

. SNIP SNIP!

.


http_client.c:2188: error: ‘struct conn_entry’ has no member named ‘next’
http_client.c:2192: error: ‘struct conn_entry’ has no member named ‘q’
In file included from database.c:33:
http_client.h:26:25: error: openssl/ssl.h: No such file or directory
In file included from database.c:33:
http_client.h:189: error: expected specifier-qualifier-list before ‘SSL_CTX’
In file included from crawler.c:30:
http_client.h:26:25: error: openssl/ssl.h: No such file or directory
In file included from crawler.c:30:
http_client.h:189: error: expected specifier-qualifier-list before ‘SSL_CTX’
In file included from analysis.c:28:
http_client.h:26:25: error: openssl/ssl.h: No such file or directory
In file included from analysis.c:28:
http_client.h:189: error: expected specifier-qualifier-list before ‘SSL_CTX’
analysis.c: In function ‘maybe_xsrf’:
analysis.c:397: warning: implicit declaration of function ‘time’
In file included from report.c:33:
http_client.h:26:25: error: openssl/ssl.h: No such file or directory
In file included from report.c:33:
http_client.h:189: error: expected specifier-qualifier-list before ‘SSL_CTX’
make: *** [skipfish] Error 1


Some digging about made me realise this is a fairly common problem even if your machine has a fairly good set of dependencies downloaded.

If you run the following command it should act as a catchall and set you up to be able to play with this tool.

sudo apt-get install libssl-dev build-essential zlibc zlib-bin libidn11-dev libidn11


Apache

• Securing Apache Checklist
• How to find out what user Apache is running as

PHP

• Securing PHP
• Why $_REQUEST is dangerous
• 7 PHP security blunders
• Web App security checklist
• Hardening PHP

MySQL

• Hashing is not enough

As the title of this post suggests, I am only beginning my journey and am pretty much assuming no prior knowledge and I am taking nothing for granted, with that in mind I figured the first thing I should be doing is getting me an education in web app security.  Obviously this is a huge sphere with many caveats and it would be impossible for me to become a security ninja in all aspects but I hope to be able to know my way around most of the major security concerns we face as an industry.

Like any self-respecting nerd the first thing I did was google ‘website security’ from then on I started refining my search, following links, reading articles and setting myself up with a bit of a knowledge base, I thought I would share with you some really useful sites and stuff I have found.

App Sec Street Fighter
Tao Security
Mozilla.com
Ha.ckers
McKeay

The most useful site I have found though has to be OWASP it is absolutely jam packed with really excellent information about Web Application Security, I was able to join the mailing list for the Irish chapter (something I have yet to really start looking into but plan to get involved really soon).  They also have an excellent Podcast, well worth checking out.

If you are reading this and feel like helping me on my security adventures by recommending links or whatever please get in touch in the comments.