Dan Nicholson

Web Application Security Considerations

Dan — Thu, 03 May 2012 14:49:10 +0000

Securing a web application can sometimes feel like an endless task, so here is a list of considerations that should help you cover the basics. Note that not all will apply to every application.

Server Security

Firewall restrict IP access to FTP, SSH, database and control panel.
Passwords are string, non-dictionary based.
Version information hidden in request headers (PHP, Apache etc.)

Web Application Security

SQL injection prevention.
XSS filtering.
Cookies sent via secure connection.
Cookies encrypted.
Session IP matching.
Session user agent matching.
SSL enabled on all areas handling user or login data.
Code injection in input forms prevented (malicious strings removed).
CSRF protection.
User & admin passwords encrypted in database.
Admin accounts in separate table from user accounts.
No folder permissions set to 777.
Folder browsing forbidden.

User Authentication

Bespoke authentication and password hashing models, using crypt.
Separate salts for user and admin logins.
Session destroyed and recreated on permission level change.
Session destroyed on browser close.
DOS / Brute force attack prevention. Maximum 5 login attempts before ‘cool down period’.
IP logging.

User File Uploading

Allowed file types restricted.
Stored outside of root directory, cannot be accessed directly.
Virus scanned on upload.
Accessible via authentication only, if user does not have permission to access that specific file, file not found is displayed.

Redirect aspx pages to new site in .htaccess

Dan — Fri, 27 Apr 2012 09:40:14 +0000

If you are looking to redirect search engine results from an old aspx site to a new, more search engine friendly site, the following code added to your .htaccess file should help:

RewriteRule ^(.+)\.aspx$ http://www.example.org/$1/ [QSA,NC,R=301,L]

This will redirect http://www.example.org/here.aspx to http://www.example.com/here/.

For a direct redirect from aspx to php, use the following:

RewriteRule ^(.+)\.aspx$ http://www.example.org/$1\.php [QSA,NC,R=301,L]

This will redirect http://www.example.org/here.aspx to http://www.example.com/here.php

Note that both of these rules also apply to longer urls:

http://www.example.org/home/something/this/here.aspx will become http://www.example.com/home/something/this/here.php

Don’t forget to enable redirects:
RewriteEngine On RewriteBase /

Codeigniter – Configuring htaccess to force SSL / non-SSL

Dan — Thu, 26 Apr 2012 12:56:17 +0000

I spent a considerable amount of time looking for the correct configuration that would allow me to force SSL for certain controllers in Codeigniter and force non-SSL for the others. The solution for those interested is included below:

#Force SSL for controllers admin, account & application RewriteCond %{SERVER_PORT} 80 RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_URI} ^/(admin|account|application) RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [L]


#Force non-SSL for folders not admin, account or application

RewriteCond %{SERVER_PORT} 443

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteCond %{REQUEST_URI} !^/(admin|account|application)

RewriteRule ^(.*)$ http://%{SERVER_NAME}/$1 [L]

# If not in list, run URL through Codeigniter RewriteCond $1 !^(index\.php|assets|robots\.txt) RewriteRule ^(.*)$ /index.php/$1 [L]

You will need to replace the REQUEST_URI controller names with your own, and also add any files or folders that need direct access to the last RewriteCond

Installing a Self-Signed SSL Certificate on Apache

Dan — Wed, 25 Apr 2012 14:59:26 +0000

Execute the following command (substitute ‘mysitename’ for the domain)
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt
Find the key and certificate file on the server (if you don’t know where it has been stored)
$ find /folder -type f -name mysitename.key
Open /etc/httpd/httpd.conf or vhosts file (depending on configuration)
$ nano /etc/httpd/httpd.conf
Add:
DocumentRoot /var/www/website ServerName www.domain.com SSLEngine on SSLCertificateFile /etc/ssl/crt/ mysitename.crt SSLCertificateKeyFile /etc/ssl/crt/ mysitename.key
Save. Close
Restart apache
$ service httpd restart

Possible Error
[warn] _default_ VirtualHost overlap on port 443, the first has precedence.

Fix
Add NameVirtualHost *:443 to httpd.conf

Managing Expectations

Dan — Mon, 23 Apr 2012 19:47:38 +0000

Whether you develop for external or internal clients, managing their expectations can often be one of the most difficult aspects of project management.

The problem we developers face is that, although a client will have a general idea of what they would like the project to include, it will rarely be specific enough to write a brief at the beginning of the project.

This in itself would not be an issue except for the fact that we need to be able to assess the time required to complete any project and without a formal and structured list of features and functionality it is often difficult to estimate completion times. So what is the solution?

Get it in writing

One of the most effective methods of managing your client’s expectations is to spend a significant amount of time at the beginning of the project in discussions, this is necessary for the project but is also key to creating a comprehensive deliverables document. An agreement needs to be reached between the developer and client about what the project will deliver and in what format.

I often find that deliverables documents evolve through several versions before a final specification is agreed upon, and this is often once the compromise has been reached that although more features are required, the deadline the client has for the project will not allow for the addition of these. In cases such as this we would usually split the project into different phases, where the main launch would be considered ‘phase one’ and any additional features could be added into phase two, including revisions of functionality and design.

This approach keeps mid-development changes to a minimum as it allows the client to create a list of ‘phase two’ features, rather than them expecting every last-minute thought and addition to be incorporated into the original project specification.

Get it in detail

The problem that often occurs with this approach is that assumptions are made on both sides about features that are added to the deliverables document. This can often lead to complications as the client may expect that “Search Page for X” will include the ability to search for A, B and C, when being able to search for C alone will add several weeks worth of work to the project. This is a fault on both sides as clarifications were not made at the beginning about this.

Some obscurity is useful from the developer’s point of view as it can often afford them the freedom to change how a certain area is scripted in response to other factors, but as the project manager it is your role to ensure that all of the important details are included in the deliverables document to avoid any issues down the line.

This sounds simple but it will often involve planning the project to a very detailed degree before development even begins, although this in itself will usually be a benefit.

Communicate

Finally, the most important aspect of managing the client’s expectation is to communicate with them throughout the course of the project’s development. It may be easy to shy away from keeping the client involved to avoid them requesting additions that will not be possible, but managed correctly the client will be more comfortable with the progress of the project if they are kept involved as much as possible and are allowed to query if simple revisions can be made.
You will find that your relationship with the client will suffer more from lack of communication than from telling them ‘no’ but explaining why.

Fixing WordPress’s White Screen of Death

Dan — Thu, 19 Apr 2012 11:34:05 +0000

I had an issue recently where one of my WordPress sites returned a blank page when I tried to access it. As far as I was aware nothing had changed, I hadn’t even been on the site for a few weeks.

It turned out it was an issue caused by one of the the plugins. To disable the plugins in order to access WordPress’s back-end, follow these steps:

Log into your database.
“SELECT option_value FROM wp_options WHERE option_name = ’active_plugins’ LIMIT 1″
Remove all data from the field ‘option_value’. That will disable all plugins.
Log in to the wp-admin.
Update all plugins, and reactive.
Cross fingers

HTML displaying Â£ instead of £

Dan — Mon, 31 Oct 2011 13:42:55 +0000

Another quick fix – if you are finding that your html page is outputting Â£ instead of £ it is more than likely because you need to specify the content type meta tag:

HeidiSQL query results hidden

Dan — Thu, 27 Oct 2011 09:26:22 +0000

If you are trying to run a query in HeidiSQL and find that the results are not displaying, it is probably because the box has been pushed off the bottom by the query editor window. This can be caused by resizing of the various windows.

To fix this issues:

Close all instances of HeidiSQL
Open regedit.exe
Delete the entry \\HKEY_CURRENT_USER\Software\HeidiSQL\querymemoheight
Restart HeidiSQL

Adding CSS3 Support to IE 9

Dan — Fri, 21 Oct 2011 10:16:24 +0000

If you have been developing your first CSS3 theme in a non-IE browser such as Google Chrome, you might find that when you preview your new design in IE 9 there is still no support.

Luckily the solution is simple, all you need to do is add the following tag to yoursection and you should be good to go:

Install subversion on Oracle Enterprise Linux 5.7

Dan — Mon, 10 Oct 2011 11:26:21 +0000

INSTALL SUBVERSION

$ yum -y install subversion

CHECK INSTALLATION

$ svn –version

$ svnadmin –version

CHECKOUT REPOSITORY

$ svn checkout file:///tmp/repos/test folder

UPDATE FROM REPOSITORY (navigate to folder)

$ svn update

COMMIT TO REPOSITORY (navigate to folder)

$ svn commit -m “your commit message here”