Category: Security

How i optimised my WordPress website ?

Some days back, I was brewing up some plans to optimise my website source codes, HTTP headers, latency and other security aspects. I had to carry out some analysis and research using some tools available on the internet. I should admit that, at first, it looked pretty simple, but it was not. For instance, I did not permit myself to directly modify the production environment. So, I had to migrate it on a pre-production environment. Page caching was yet another issue which could trick oneself after modifications.

Since my website is behind Cloudflare, which is already an advantage in terms of security, performance, reliability and insight, it does not mean that the website cannot be hacked. According to sucuri.net, websites using WordPress CMS are constantly being hacked. Of course, it depends on the mode of attack and the infection impact.

Photo credits: sucuri.net
Photo credits: sucuri.net

Migrating to TLS

Migrating a CMS which already has several articles posted can be an issue as the URLs are already recorded in the database as well as in the source code itself. Also, there were links on the website which were not pointed on HTTPS. After moving to the HTTPS version, errors such as “Mixed content” could be noticed when accessing the website. One of the interesting free feature of Cloudflare is that everyone can have a free SSL certificate issued by Comodo. You will have to generate your certificate and your private key from Cloudflare and point it on your Virtual Host.

Some corrections on WordPress source code needed to be added in the wp-config file as follows:

define('WP_HOME','https://tunnelix.com/');

define('WP_SITEURL','https://tunnelix.com/');

On top of that, there seemed to be lots of URLs on the database itself that needed corrections using the following commands:

update wp_options set option_value = replace(option_value, ‘http://www.tunnelix.com’, ‘https://www.tunnelix.com’) where option_name = ‘siteurl’;


update wp_posts set guid = replace(guid, 'http://www.tunnelix.com', 'https://www.tunnelix.com');

update wp_posts set post_content = replace(post_content, 'http://www.tunnelix.com', 'https://www.tunnelix.com');

However, there are some tricks to identify those non-HTTPS URLs by making a dump of the database and do a “Grep” in it, followed by a “Sed” to eliminate those unwanted parameters. Once the “Mixed Content” errors have been identified, I launched a scan on the Qualys SSL Labs website. The result was an “A+”. You can also use the Htbridge free SSL server test which is pretty fascinating especially to verify PCI DSS Compliance, HIPAA compliance, NIST guidelines and industry best practice in general. If all those criteria have been met, then you would score an “A+” rather than an “A” or worse a “F”.

Source code optimisation and Page speed verification

This can be verify using the GTmetrix tool available for free online. I noticed that my rank was a “C”. This was caused due to lack of minified HTML and CSS, and Image dimension. To handle the minify HTML errors, I enabled the plugin Minify HTML Markup on WordPress itself which corrected these errors. To tweak the Image dimension i downloaded the tool Optipng from Epel repository:

optipng.x86_64                  0.7.6-1.el6                        @epel        

For example, if you want to optimize a specific image, use the following command:

optipng -o2 Screen-Shot-2016-12-24-at-1.04.45-AM.png

Another verification was made on GTmetrix website and i noticed that the result was then an “A”

from GTMETRIX.COM

Tweaking the Web server HTTP headers

Htbridge will surely give you an overview of the web server security and will accompany you step by step to get a better result.

Of course, since the website is behind cloudflare,  it is limited to certain security tweaks such as Public-key-pins.The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of Man-in-the-Middle (MITM) attacks with forged certificates. I found an interesting article on https://raymii.org which explained how to activate the HPKP. 

Once you are in possession of your certificate and Private key, you can create the public key and a token will be received to activate the HPKP extension. The following commands can be used to get the token and the public key.

# openssl x509 -noout -in certificate.pem -pubkey | openssl asn1parse -noout -inform pem -out public.key;

# openssl dgst -sha256 -binary public.key | openssl enc -base64
 4vr+koFuogsfghGjgvpsqQIIikg5KowHTIGNQ5Prspc=

However, it looked that HPKP is not supported on Cloudflare. But, there are other issues such as HSTS. HTTP Strict Transport Security (HSTS, RFC 6797) is a web security policy technology designed to help secure HTTPS web servers against downgrade attacks. HSTS is a powerful technology which is not yet widely adopted. CloudFlare aims to change this. I enabled it as per recommendations by Cloudflare.

A curl on the url https://tunnelix.com now prompts the following headers :

No system is perfectly secure, but I believe that these modifications are worth to adventure around. I should say I was really impressed by free tools such as the Qualys SSL test, HTbridge free SSL and Web security test and Gtmetrix in terms of page speed.

 Hello Tunnelers, this is my first article for the year 2017, I seize this opportunity to wish my readers a Happy New Year 2017 and wish you all lots of prosperity. – TheTunnelix


Web Security Fundamentals by Varonis

Some days back, i received an invitation to attend an online course by Varonis on Web Security Fundamentals which has been conducted by Troy Hunt. I should say though this course is for beginners, its worth watching and pretty interesting. Troy Hunt is a security developer and author of PluralSight tutorials. You can join the course at Web Security Fundamental on Varonis website.

Some world biggest data breach examples were enumerated at the beginning of the mini course followed by some statistics and the impact of web security. The following points were enumerated:

  1. SQL Injections
  2. Insufficient Transport Layer Security
  3. Insecure Password Storage
  4. Cross site Scripting (XSS)
  5. Weak account management

The course composed of the impact of the risk, how it works with examples and demos as well as defense techniques to be used to strengthen  the system.

SQL Injection

screenshot-from-2016-10-15-09-38-54
Photo credits: varonis.com

An example given using tool such as Havij to automate SQL injection. This tool is a GUI pretty straight forward such as to enter the URL, followed by the tables, columns etc.. to retrieve information from a database. This will result in leaking of information from a website is same is not secured. Several ways to defend against SQL injection attack is to :

  • Validate untrusted data – Has the user provided valid input to the system?
  • Parameterize queries – Seperate the query and the data
  • Lock down the Database permission – Apply the ‘principle of least permission’
  • Apply ‘Defence in depth’ – Web application firewall and cryptographic storage

 Transport Layer Security

screenshot-from-2016-10-15-09-56-00
Photo credits: varonis.com

This part was elaborated on the lack of encryption on network layer such as missing HTTPS security, especially how the risk manifest. An example of a key logger was used to retrieve information from a web page. Defense of such type of attacks were emphasized on the following points:

  • Apply TLS – Literally apply TLS to encrypt by default
  • Strengthen TLS – Ensure it is a strong implementation of TLS
  • Lock down Application – Use construct that disallow  communication over insecure connections.
  • Apply the same control internally – Attacks on the Transport layer can occur behind firewall too

Insecure Password Storage

screenshot-from-2016-10-15-10-07-12
Photo credits: varonis.com

Encryption and Decryption mechanism need to be mastered at this level as this is the basic concept of preventing attacks on insecure password storage. An example of brute force attack was demonstrated. One of the tool is Hashcat which was used as proof of concept. To prevent such types of attacks:

  • Always hash and never encrypt – This work on the assumption that the entire system may be compromised.
  • Choose the right algorithm – Get the balance between workload and performance right.
  • Enforce password rules – Stronger password are significantly harder to crack.
  • Encourage strong password – Do not place arbitrary limits on password strength

Cross-Site Scripting (XSS)

A demo was shown on this aspect using a “search” example on a website search engine. The aim is to search  mechanism that can be exploited.

screenshot-from-2016-10-15-10-18-04
Photo credits: varonis.com
  • Defense against such type of attacks were on the following points:
  • Validate untrusted data – Has the user provide valid input to the system?
  • Always Encore output – Ensure that any reflected input is rendered in the browser
  • Encode for the correct context – HTML / HTML attribute / CSS / JavaScript are all different
  • Protecting cookies – Flag cookies as ‘http only’ so they cannot be accessible by client script.

Weak Account Management

screenshot-from-2016-10-15-10-33-15
Photo credits: varonis.com

To manage weak accounts, the following factors need to be taken into consideration:

  • Poor password rules
  • Lack of brute force protection
  • Insecure ‘remember me’ feature
  • Vulnerable password change feature
  • Enumerable password resets

Here are some tips against account enumeration attacks:

  • Always respond identically – Return the same message to anonymous users
  • Use email for verification – Email the address and confirm or deny account existence there
  • Consider other enumeration vectors – Login and registration are other common channels for disclosure.
  • Consider the risk in context – Different application have different levels of privacy expectation.

To resume, its important to grasp the fact that good security is ‘defense in depth’. Security needs to be considered in the context of cost as well as usability as many of these attacks provide vectors into the internal network. Security goes well beyond. The tutorial ensures that questions are being asked at all levels to ensure security such as:

  • Is access to data logged and auditable?
  • Do you have visibility to resource accessible via access controls?
  • How many of these permissions excessive?
  • Is anyone actually reviewing entitlements?
  • How are you prioritizing security efforts?

 


Introducing MariaDB MaxScale 2.0 – Webinar

Today, i attended a webinar conference on MariaDB MaxScale carried out by Roger Bodamer at 10.00 AM PDT. That was really interesting and i strongly feel the future of system and database administrators are going to be enhanced with this technology.

It started with a thorough introduction about challenges faced by the IT industry today especially larged firms to market agility, system integration, real-time insights, security and high availability. Some basic explanations on both application (customer centric front-end) and database(transaction focused back-end) levels were addressed. At the application level, this deal mainly with continuous delivery of the application, microservices and modular deployment whereas at database level, it lays emphasis on security, scalability, high availability and high quality data management.

“MariaDB MaxScale makes it easy to handle the scalability and availability of your database cluster, and also secure it and manage the maintenance downtime. MaxScale is a next generation database proxy that goes well beyond routing, with advanced filtering, enhanced security and authentication. It is a multi-threaded, event-driven engine, that has its main functionality provided by plugins loaded at runtime. With MaxScale’s innovative architecture you can update the data layer on scale-out architectures, without impacting application performance.” – MariaDB

Photo Credits: MariaDB MaxScale
Photo Credits: MariaDB MaxScale

There are so many features in MaxScale that have really amazed me in the security pillar such as data motion, data in use and the DB firewall. Emphasis was laid on the type of job MaxScale that can be performed compared to simple master-slaves environments. MaxScale is really good at replication when it comes on one master having hundreds of slaves which prevents load on the master which means that MaxScale can take great care of replication issues. Another feature of MaxScale is when database is used to store information, a specific route can be defined for traffic within the database itself. Keymaps also comes into a great feature to manage those issues. Schemas can be updated. The goal is high availability. Another feature is data streaming which can be controlled. I noticed a heavy emphasis on security especially when it comes to whitelisting/blacklisting at database level to reduce DDOS attack drastically at database level.

A demo was then displayed live showing some interesting features of MariaDB MaxScale. An interesting GUI web interface called MaxPanel is used to connect with the servers Master-Slave-Slave (All three instances on docker instances) which give indications about the server names, addresses, ports, connections, and status (Server running). A load was generated on of the slave server where writes were configured on the master and read only on the slaves. The tool which was used to generate the load is HammerDB. In the conf file, under the dbfw-blacklist, rules can be inserted there to prevent certain type of query for example a “select * from tablename” which if the table have too many records, this will consume heavy amount of resources. To remediate this issue, a rule can be specified to use the “where” statement. An example of such entry is rule safe_order deny no_where_clause on_queries select which means that no select to be made with a where clause. Also rule query_regex deny regex ‘*.orders*’ which is going to be applied on the table called orders.

After the demo, the questions and answers session were tossed out. This includes different architectures where plugging architectures can be used with specific protocols. Some answers still need to be cleared out as regards to MUSL compatibility with MaxScale which was pointed by me. Some days back, hackers.mu have enhanced MariaDB to be MUSL compatible. That was really an interesting and educational session for MariaDB MaxScale especially for administrators. I am looking forward for MariaDB MaxScale installation soon.


Counter DNS Attack: Enabling DNSSEC

To reach another person on the Internet you have to type an address into your computer – a name or a number. That address has to be unique so computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination we wouldn’t have one global Internet. When typing a name, that name must be first translated into a number by a system before the connection can be established. That system is called the Domain Name System (DNS) and it translates names like www.icann.org into the numbers – called Internet Protocol (IP) addresses. ICANN coordinates the addressing system to ensure all the addresses are unique. – ICANN

Screenshot from 2016-07-23 20-56-11

Finally, i decided to enable DNSSEC on Tunnelix.com. It can be tested on the http://dnssec-debugger.verisignlabs.com link and its really cool. This is just another security addons to kept away from being attacked. For example, an attacker can take control of the session with the aim to make the user believe that the hijacker deceptive website is the right one. We also need to understand the basics of how  DNS traffic work. We are normally like three players in the normal DNS world that is your computer, the ISP’s recursive DNS servers, and the website’s authoritative DNS servers. Of course there are cached DNS servers that facilitate the DNS query. So to get into more detail how the attack goes on is where the attacker try to trick the resolver making it to believe that, lets say, tunnelix.com lives at the IP xx.xx.xx.xx and even to remember it for lets say 7 days. Its important to understand that since most of the traffic pass on UDP, it is kind difficult to prevent attackers from sending a flood of responses to the resolver.

DNSSEC is a technology which acts as a security layer on top of the DNS traffic by means of cryptographic tools to re-assure you that the website you are visiting is the real one. In 2008, Dan Kaminsky revealed a flaw that could allow attackers to easily perform cache poisoning attacks on most nameservers. Here is a link from the ISC (Internet System Consortium) which shed lots of interesting material about the DNSSEC technology. For bloggers behing Cloudfare, you can easily activate DNSSEC on for your domain, of course, if the root domain name is supporting DNSSEC, otherwise its impossible to achieve it. For example .mu domain does not support DNSSEC. On cloudflare, the steps are easy. You just need to activate the DNSSEC with a simple click and save all those informations like DS records, Digest, Digest type, Algorithm uses, Public key etc.. and feed it to the domain name registrar. The information will be verified by Cloudflare after which you are happily DNSSEC enabled domain owner.

Screenshot from 2016-07-23 21-48-53

To test out on your linux  terminal if a domain is signed use the following command:

[email protected]:~# dig tunnelix.com +dnssec

; <<>> DiG 9.10.3-P4-Ubuntu <<>> tunnelix.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36645
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;tunnelix.com. IN A

;; ANSWER SECTION:
tunnelix.com. 177 IN A 104.18.41.96
tunnelix.com. 177 IN A 104.18.40.96
tunnelix.com. 177 IN RRSIG A 13 2 300 20160724190355 20160722170355 35273 tunnelix.com. L5t/xVbsuB99HntpdpHkYu4ig52YL9QA+Vvi509KFgdgKrtY3pvZfKfD LGjtT0Ev0UFEn73TObofJyOmzIEmUg==

;; Query time: 46 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sat Jul 23 22:05:57 MUT 2016
;; MSG SIZE rcvd: 181

“To fix this, all major DNS servers implemented Source Port Randomization, as both djbdns and PowerDNS had before. This fix is widely seen as a stopgap measure, as it only makes the attack up to 65,536 times harder. An attacker willing to send billions of packets can still corrupt names. DNSSEC has been proposed as the way to bring cryptographic assurance to results provided by DNS, and Kaminsky has spoken in favor of it.” – blackhat.com

Domain owners might consider enabling DNSSEC on their domains to increase the security of letsencrypt in their infrastructure for ACME, as there is a return on investment in terms of security. Loganaden of Hackers.mu

Other article i wrote on BIND: Anatomy of a simple dig result 

 


HTTPoxy – Is your nginx affected?

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:

  • RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
  • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy

This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now.httpoxy.org

httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry. A number of CVEs have been assigned, covering specific languages and CGI implementations:

Screenshot from 2016-07-20 22-45-54

After receiving the updates from hackers.mu, i immediately started some heavy research. For Nginx users, to defeat the attack, modifications can be carried out in the fastcgi_params file.

1.Create a file called test.php containing the following codes in the source code.

[[email protected]]# cat test.php

<?php
 echo getenv ('HTTP_PROXY')
 ?>

2. Launch a CURL as follows:

As you can see its “Affected”

[[email protected]]# curl -H 'Proxy: AFFECTED' http://127.0.0.1:/test.php
 AFFECTED

3. Add the following parameters in the /etc/nginx/fastcgi_params file

 fastcgi_param  HTTP_PROXY  "";

4. Stop and start the Nginx Service

5. Conduct the test again. You should be vulnerable by now.

Several links available already explaining this vulnerability :

References:

  • https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
  • https://www.kb.cert.org/vuls/id/797896
  • https://access.redhat.com/solutions/2442861
  • https://httpoxy.org/#history
  • http://www.theregister.co.uk/2016/07/18/httpoxy_hole/
  • https://blogs.akamai.com/2016/07/akamai-mitigates-httpoxy-vulnerability.html
  • http://www.zdnet.com/article/15-year-old-httpoxy-flaw-causes-developer-patch-scramble/
  • https://access.redhat.com/solutions/2435541