
Exclusive Updates from 'Rafay Hacking Articles'


Latest News Apr 17, 2014

What is the .htaccess file and what do I use it for?


.htaccess - The Point of Discussion

The HT (Hyper Text) access file is a directory-level configuration file supported by a good number of web servers, which lets administrators manage the web server configuration in a decentralized way. The original purpose of .htaccess, as reflected in its name, was to allow per-directory access control, for example requiring a password to access a directory or file. Nowadays it is used for various other purposes: because .htaccess files can override many other configuration settings, including content type and character set, CGI handlers, etc., it can be very useful for penetration testers as well as webmasters. ...

DOM XSS Explained - Part 1


Cross-site scripting (XSS) has been a problem for well over a decade now. Just like other well-known security issues such as SQL, XPath and LDAP injection, XSS falls into the category of input validation attacks. An XSS vulnerability occurs when input taken from the user is not filtered/sanitized before it is returned to the user. XSS can be divided into the following three categories: ...

Hacker's Dome - First Blood CTF



When it comes to information security, there is a great way to learn, train and keep your skills sharp: using gamification mechanics to speed up the learning curve and improve the retention rate. Capture The Flag competitions use gamification mechanics and represent one of the best ways to learn security hands-on. ...

A Tale Of A DOM Based XSS In Paypal

Introduction

We have already disclosed lots of findings related to DOM Based XSS, and this article talks about a pretty interesting DOM Based XSS vulnerability I found a long time back inside PayPal. A DOM Based XSS vulnerability is also known as the third type of XSS vulnerability, or type 0. This vulnerability occurs due to the fact that developers don't sanitize the input before it reaches a sink. A sink is defined as anything that generates HTML. Not every sink is considered dangerous; however, there are some common sinks that should be avoided, and they are mentioned at the DOM Based XSS wiki. ...

Introduction To SQLmap And Firewall Bypassing




ABSTRACT

Most cyber-attacks in the world that involve websites occur due to a lack of updates and the failure to validate user input. Starting from the buffer overflow, which is a system-level vulnerability, up to the vulnerabilities that exist today, the fundamental problem has always been input validation. One of the main threats is SQL injection, which has left many worried about their applications and databases. The problem is more than a decade old, but is still present in lots of websites. SQL injection, like all other major web application security problems, falls into the category of input validation attacks. ...


Rafay Hacking Articles, Karachi, Pakistan 44000
Contact: rafayhackingarticles@gmail.com

The Hacking Articles



Online Heartbleed vulnerability scanner (CVE-2014-0160)

Posted: 16 Apr 2014 12:38 PM PDT

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Heartbleed Test

The following links can be used to scan your server online and test whether it is vulnerable to Heartbleed:

https://filippo.io/Heartbleed/

http://tif.mcafee.com/heartbleedtest

https://lastpass.com/heartbleed/

Hacking and Cracking



What is the .htaccess file and what do I use it for?

Posted: 15 Apr 2014 12:29 PM PDT


.htaccess - The Point of Discussion

The HT (Hyper Text) access file is a directory-level configuration file supported by a good number of web servers, which lets administrators manage the web server configuration in a decentralized way. The original purpose of .htaccess, as reflected in its name, was to allow per-directory access control, for example requiring a password to access a directory or file. Nowadays it is used for various other purposes: because .htaccess files can override many other configuration settings, including content type and character set, CGI handlers, etc., it can be very useful for penetration testers as well as webmasters.

Why .htaccess??

The web server reads these files every time the website is loaded, so changes to the .htaccess file take effect immediately, unlike changes to the server's main configuration file. .htaccess can also be used for authorization/authentication, i.e. permitting or denying a user access to certain content.


1. Authorization & Authentication

A .htaccess file is often used for both authentication and authorization, i.e. to specify security restrictions for a certain resource. The .htaccess file is often accompanied by a .htpasswd file, which stores valid usernames and their passwords for authentication purposes. We will see examples of both (authorization and authentication) in a later part of this article.

2. Rewriting URLs

Rewriting is sometimes used as a conditional operator to add a filter that blocks a specific word or string in a statement.

3. SSI

SSI can be helpful for maintaining a website dynamically using input parameters specified by the administrators. SSI directories can be defined within the .htaccess file itself.

4. Customizing the Error Responses

A .htaccess file can also be used to customize error messages. For example: what should happen if a 404 error occurs? Should the visitor be redirected to the homepage? We can also control other things such as MIME types, cache control etc.

Where .htaccess Should Be Placed?

So, we have already discussed the various uses of .htaccess; now it's time to see where the .htaccess file should be placed for optimal performance. .htaccess should be placed inside the root web directory of the web server so that it has the same effect on all the content within the website, but sometimes it can be placed in a specific directory to perform a task.

For example, a hosting company has set a maximum upload limit of 100 MB per image. What should a customer do if he wants to upload a picture of 110 MB? He would contact the hosting company, of course. Instead of allowing 110 MB uploads on the server for all users, the company would ask the user to place a .htaccess file inside the directory and set the upload limit to 110 MB there.

Note: This file needs to be handled with the utmost care because of its sensitivity. Even a single mistake can lead to serious security concerns, so if you don't know what you are doing, we recommend not playing with it.

Advantages

One of the main advantages of a .htaccess file is that changes made to it take immediate effect on the web server, as opposed to changes in the main configuration file, which often require the server to be restarted and hence might cause downtime. Also, as the above example shows, .htaccess allows an unprivileged user to perform a privileged action without the need to change the main configuration file.

Disadvantages

There are two main disadvantages of .htaccess: first, it causes a performance loss; second, it raises security concerns, because you are allowing unprivileged users to modify the configuration. For example, suppose the system administrator has disabled symbolic links but overrides are allowed. If an attacker compromises a single website on the server, he could create a custom .htaccess that enables symlinks even though they are not enabled by default, which would allow the attacker to read files outside the user's home directory. The following .htaccess file would allow an attacker to enable and follow symlinks:

OPTIONS Indexes Includes ExecCGI FollowSymLinks
AddHandler txt .php
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
OPTIONS Indexes Includes ExecCGI FollowSymLinks
Options Indexes FollowSymLinks
AddType txt .php
AddType text/html .shtml
Options All
Options All

As regards the performance impact, the guys at Drupal groups have provided a great explanation. "Here are some excerpts from Wrox's 'Professional Apache' in the chapter on improving Apache's performance:"

"If AllowOverride is set to anything other than 'None', Apache will check for directives in .htaccess files for each directory from the root all the way down to the directory in which the requested resource resides, after aliasing has been taken into account. This can be extremely time consuming since Apache does this check every time a URL is requested, so unless absolutely needed, always (set AllowOverride to 'None')"

Source - https://groups.drupal.org/node/22864
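
The server-side counterpart to both disadvantages, as an added example that is not part of the original article: a main-configuration fragment showing the permissive override setting beside a restricted one. The directory path is a hypothetical shared-hosting root.

```apache
# Main server configuration (httpd.conf or a vhost file), not .htaccess.
# /var/www/customers is a hypothetical shared-hosting root (assumption).

# Baseline: no .htaccess lookups anywhere unless re-enabled below. This also
# avoids the per-request directory walk described in the quote above.
<Directory "/">
    AllowOverride None
</Directory>

# Weak (shown commented out): symlinks are disabled here, but AllowOverride All
# lets any tenant's .htaccess switch FollowSymLinks, ExecCGI or handlers back on.
#<Directory "/var/www/customers">
#    Options -FollowSymLinks
#    AllowOverride All
#</Directory>

# Restricted: tenants may configure authentication (AuthConfig), host-based
# access rules (Limit) and directory listings, and nothing else.
<Directory "/var/www/customers">
    # Absolute form: SymLinksIfOwnerMatch is the only option left enabled.
    # Apache's documentation notes that symlink checks are subject to race
    # conditions, so file-system permissions remain the real boundary.
    Options SymLinksIfOwnerMatch
    # FileInfo is not granted, so AddHandler/AddType in .htaccess are rejected.
    # "Options=Indexes" means "Options All" or "Options FollowSymLinks" in
    # .htaccess is rejected too: requests to that directory fail with a 500
    # and the reason is written to the error log.
    AllowOverride AuthConfig Limit Options=Indexes
</Directory>
```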

How .htaccess can help in improving security? 

Preventing common attacks (but not fully): .htaccess can be used to define a blacklist of keywords that you would like to block when they arrive at the server. Take a look at the following example.

"RewriteEngine on" is responsible for starting the filtering process; it is followed by the specific keyword you would like to block, which in this case is "order". In this way .htaccess can be used to create a blacklist to filter out malicious inputs for attacks such as SQLi, XSS, LFI, RFI etc. However, this approach is not recommended, as a blacklist has never been the solution to any security problem. The best option is to fix the vulnerabilities within the code; they can be detected via static or dynamic code analysis.


The following screenshots give examples on creating a blacklist with the help of .htaccess:
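
A keyword rule of the kind described above, written out as an added example (it is not a transcription of the original screenshots). The sample requests in the comments are constructed and show why the article advises against relying on such a blacklist.

```apache
# .htaccess (added example). mod_rewrite in .htaccess needs
# "AllowOverride FileInfo" and FollowSymLinks or SymLinksIfOwnerMatch enabled.
RewriteEngine On

# Match the keyword "order" anywhere in the query string, case-insensitively.
RewriteCond %{QUERY_STRING} order [NC]
# Leave the URL unchanged ("-") and answer 403 Forbidden ([F]).
RewriteRule ^ - [F]

# Constructed sample requests and the result:
#   /list.php?sort=price          -> served
#   /list.php?sort=order_date     -> 403 (benign request, false positive)
#   /search.php?q=border+collie   -> 403 (substring match, false positive)
#
# Coverage limit: only the query string is inspected. The same parameter sent
# in a POST body, cookie or header never reaches this condition, so the
# application code still has to validate its input.
```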

























Authorization

As discussed before, .htaccess can be very helpful for authorization, i.e. we can define who is authorized to access the content. In simpler words, we can permit or deny specific persons based upon their IP address.

All we have to do is use the allow and deny keywords within the .htaccess file. Admins can use this feature as a security measure to allow only their own IP address to access the administrator page.

Authentication

.htaccess can also be used to password-protect a directory; for that we also need a .htpasswd file. A .htpasswd file contains the usernames and passwords for basic authentication of users. The following is a great website that can be used to generate .htpasswd files:

  • http://www.htaccesstools.com/htpasswd-generator/

The protected content can be accessed as follows: http://username:password@www.website.com/directory/
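
The Authorization and Authentication sections combined into one .htaccess, as an added example that is not from the original article. The IP address (a documentation range), realm name, user name and file path are placeholders.

```apache
# .htaccess for a hypothetical admin directory (added example).
# Requires "AllowOverride AuthConfig" in the main configuration
# (plus "Limit" for the Apache 2.2 form shown at the bottom).

# --- Authentication: HTTP Basic against a .htpasswd file ---
AuthType Basic
AuthName "Restricted area"
# Keep the password file outside the document root so it can never be served.
# It can be created locally with: htpasswd -c -B /etc/apache2/secrets/.htpasswd alice
AuthUserFile "/etc/apache2/secrets/.htpasswd"

# --- Authorization (Apache 2.4): the client must come from the admin's IP
# --- AND present a valid username and password.
<RequireAll>
    Require ip 203.0.113.10
    Require valid-user
</RequireAll>

# --- Apache 2.2 equivalent, using the allow/deny keywords from the article ---
# Order Deny,Allow
# Deny from all
# Allow from 203.0.113.10
# Require valid-user
# Satisfy All

# Basic authentication only base64-encodes the credentials, so serve this
# directory over HTTPS; otherwise the password crosses the network readable.
```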


The following screenshot demonstrates the usage of .htaccess by etsy.com to protect wp-admin page for wordpress.


Hiding Errors

This approach is also not recommended. It is called security through obscurity, which means that if an attacker cannot find something, he is less likely to exploit it. The idea behind this technique is to turn off PHP errors, so that no error messages are returned for common vulnerabilities such as SQLi, FPD, LFI etc. However, this approach would only stop script kiddies, not real penetration testers.

The switches used with php_flag are: php_flag display_errors no/yes [on/off]









Last but not least, we recommend the following video in case you are really interested in learning more about this topic.

Conclusion

In this article, we tried to cover various aspects of the .htaccess file; however, this topic is far from over. Based upon your comments and feedback, we might come up with a part 2.

About Author

This article was originally written by Muhammad Adeel (independent security researcher); it was later modified by "Rafay Baloch" to make it clearer and more understandable.