Preface

Apache Security Principles
  Security Definitions
    Essential Security Principles
    Common Security Vocabulary
    Security Process Steps
    Threat Modeling
    System-Hardening Matrix
    Calculating Risk
  Web Application Architecture Blueprints
    User View
    Network View
    Apache View

Installation and Configuration
  Installation
    Source or Binary
    Static Binary or Dynamic Modules
    Folder Locations
    Installation Instructions
  Configuration and Hardening
    Setting Up the Server User Account
    Setting Apache Binary File Permissions
    Configuring Secure Defaults
    Enabling CGI Scripts
    Logging
    Setting Server Configuration Limits
    Preventing Information Leaks
  Changing Web Server Identity
    Changing the Server Header Field
    Removing Default Content
  Putting Apache in Jail
    Tools of the chroot Trade
    Using chroot to Put Apache in Jail
    Using the chroot(2) Patch
    Using mod_security or mod_chroot

PHP
  Installation
    Using PHP as a Module
    Using PHP as a CGI
    Choosing Modules
  Configuration
    Disabling Undesirable Options
    Disabling Functions and Classes
    Restricting Filesystem Access
    Setting Logging Options
    Setting Limits
    Controlling File Uploads
    Increasing Session Security
    Setting Safe Mode Options
  Advanced PHP Hardening
    PHP 5 SAPI Input Hooks
    Hardened-PHP

SSL and TLS
  Cryptography
    Symmetric Encryption
    Asymmetric Encryption
    One-Way Encryption
    Public-Key Infrastructure
    How It All Falls into Place
  SSL
    SSL Communication Summary
    Is SSL Secure?
  OpenSSL
  Apache and SSL
    Installing mod_ssl
    Generating Keys
    Generating a Certificate Signing Request
    Signing Your Own Certificate
    Getting a Certificate Signed by a CA
    Configuring SSL
  Setting Up a Certificate Authority
    Preparing the CA Certificate for Distribution
    Issuing Server Certificates
    Issuing Client Certificates
    Revoking Certificates
    Using Client Certificates
  Performance Considerations
    OpenSSL Benchmark Script
    Hardware Acceleration

Denial of Service Attacks
  Network Attacks
    Malformed Traffic
    Brute-Force Attacks
    SYN Flood Attacks
    Source Address Spoofing
    Distributed Denial of Service Attacks
    Reflection DoS Attacks
  Self-Inflicted Attacks
    Badly Configured Apache
    Poorly Designed Web Applications
    Real-Life Client Problems
  Traffic Spikes
    Content Compression
    Bandwidth Attacks
    Cyber-Activism
    The Slashdot Effect
  Attacks on Apache
    Apache Vulnerabilities
    Brute-Force Attacks
    Programming Model Attacks
  Local Attacks
    PAM Limits
    Process Accounting
    Kernel Auditing
  Traffic-Shaping Modules
  DoS Defense Strategy

Sharing Servers
  Sharing Problems
    File Permission Problems
    Dynamic-Content Problems
    Sharing Resources
    Same Domain Name Problems
    Information Leaks on Execution Boundaries
  Distributing Configuration Data
  Securing Dynamic Requests
    Enabling Script Execution
    Setting CGI Script Limits
    Using suEXEC
    FastCGI
    Running PHP as a Module
  Working with Large Numbers of Users
    Web Shells
    Dangerous Binaries

Access Control
  Overview
  Authentication Methods
    Basic Authentication
    Digest Authentication
    Form-Based Authentication
  Access Control in Apache
    Basic Authentication Using Plaintext Files
    Basic Authentication Using DBM Files
    Digest Authentication
    Certificate-Based Access Control
    Network Access Control
    Proxy Access Control
    Final Access Control Notes
  Single Sign-on
    Web Single Sign-on
    Simple Apache-Only Single Sign-on

Logging and Monitoring
  Apache Logging Facilities
    Request Logging
    Error Logging
    Special Logging Modules
    Audit Log
    Performance Measurement
    File Upload Interception
    Application Logs
    Logging as Much as Possible
  Log Manipulation
    Piped Logging
    Log Rotation
    Issues with Log Distribution
  Remote Logging
    Manual Centralization
    Syslog Logging
    Database Logging
    Distributed Logging with the Spread Toolkit
  Logging Strategies
  Log Analysis
  Monitoring
    File Integrity
    Event Monitoring
    Web Server Status

Infrastructure
  Application Isolation Strategies
    Isolating Applications from Servers
    Isolating Application Modules
    Utilizing Virtual Servers
  Host Security
    Restricting and Securing User Access
    Deploying Minimal Services
    Gathering Information and Monitoring Events
    Securing Network Access
    Advanced Hardening
    Keeping Up to Date
  Network Security
    Firewall Usage
    Centralized Logging
    Network Monitoring
    External Monitoring
  Using a Reverse Proxy
    Apache Reverse Proxy
    Reverse Proxy by Network Design
    Reverse Proxy by Redirecting Network Traffic
  Network Design
    Reverse Proxy Patterns
    Advanced Architectures

Web Application Security
  Session Management Attacks
    Cookies
    Session Management Concepts
    Keeping in Touch with Clients
    Session Tokens
    Session Attacks
    Good Practices
  Attacks on Clients
    Typical Client Attack Targets
    Phishing
  Application Logic Flaws
    Cookies and Hidden Fields
    POST Method
    Referrer Check Flaws
    Process State Management
    Client-Side Validation
  Information Disclosure
    HTML Source Code
    Directory Listings
    Verbose Error Messages
    Debug Messages
  File Disclosure
    Path Traversal
    Application Download Flaws
    Source Code Disclosure
    Predictable File Locations
  Injection Flaws
    SQL Injection
    Cross-Site Scripting
    Command Execution
    Code Execution
    Preventing Injection Attacks
  Buffer Overflows
  Evasion Techniques
    Simple Evasion Techniques
    Path Obfuscation
    URL Encoding
    Unicode Encoding
    Null-Byte Attacks
    SQL Evasion
  Web Application Security Resources
    General Resources
    Web Application Security Resources

Web Security Assessment
  Black-Box Testing
    Information Gathering
    Web Server Analysis
    Web Application Analysis
    Attacks Against Access Control
    Vulnerability Probing
  White-Box Testing
    Architecture Review
    Configuration Review
    Functional Review
  Gray-Box Testing

Web Intrusion Detection
  Evolution of Web Intrusion Detection
    Is Intrusion Detection the Right Approach?
    Log-Based Web Intrusion Detection
    Real-Time Web Intrusion Detection
    Web Intrusion Detection Features
  Using mod_security
    Introduction
    More Configuration Advice
    Deployment Guidelines
    Detecting Common Attacks
    Advanced Topics

Appendix: Tools

Index