Categories: Technology

by Incrust Software


Websites are always exposed to security risks, and those risks can impact the business behind them. This article lists common problems found when assessing a web portal and the actionable fix for each, so you can strengthen your portal's security.

OpenSSL 1.1 is considered outdated and vulnerable

Issue a new SSL certificate (from your CA) and update it in your Apache SSL configuration file.

Supported TLS versions are v1.3, v1.2, v1.1 and v1.0.

Out of these, the last two are considered insecure.

Open your Apache SSL configuration file and add -TLSv1 -TLSv1.1 to both SSLProtocol and SSLProxyProtocol:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

I have been able to access the contents of the .git directory at the following URLs:

https://mysite.example.com/.git/config

https://mysite.example.com/.git/HEAD

Remove or restrict access from the internet to files of this type.

I have also been able to access the composer.lock file that contains the PHP dependencies of the server at: https://mysite.example.com/composer.lock.

Remove or restrict access from the internet to files of this type.

The web.config file was found accessible at: https://mysite.example.com/web.config

  • Remove or restrict access from the internet to files of this type.

Laravel log file publicly accessible at https://mysite.example.com/storage/logs/laravel.log

  • Remove or restrict access from the internet to files of this type.
  • Open the file's directory and add a .htaccess file with the following content, naming the specific file to protect.

# Hide a specific file: replace laravel.log with the name of the file to protect
# (<Files> also accepts wildcards such as "*.log")
<Files "laravel.log">
    # Apache 2.4 syntax; Apache 2.2 used "Order allow,deny" followed by "Deny from all"
    Require all denied
</Files>
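As an added example (not code from the article or from Incrust Software), here is a pre-deployment check in Python that walks a document root and lists the files discussed above (.git metadata, composer.lock, web.config, Laravel logs under storage/logs) that should never be reachable from the internet; it also covers .env and .htpasswd files, which are exposed in exactly the same way. For Laravel in particular, the document root should be the public directory, so storage/logs never sits below it in the first place. The pattern list, the function names and the sample tree are constructed for this example.

```python
"""Find files under a web document root that must never be served.

Added example, not from the original article. The pattern list, the
function names and the sample tree built by build_sample_docroot() are
constructed for this example.
"""
import os
import re
import tempfile
from typing import List

# Patterns applied to paths relative to the document root (POSIX separators).
SENSITIVE_PATTERNS = [
    re.compile(r"(^|/)\.git(/|$)"),             # version-control metadata
    re.compile(r"(^|/)\.env(\..*)?$"),          # environment / secrets files
    re.compile(r"(^|/)\.htpasswd$"),            # Apache password files
    re.compile(r"(^|/)composer\.(json|lock)$"), # dependency manifests
    re.compile(r"(^|/)web\.config$"),           # IIS / server configuration
    re.compile(r"(^|/)storage/logs/.*\.log$"),  # Laravel application logs
]


def is_sensitive(relpath: str) -> bool:
    """True if a root-relative path matches one of the sensitive patterns."""
    relpath = relpath.replace(os.sep, "/")
    return any(p.search(relpath) for p in SENSITIVE_PATTERNS)


def find_exposed(docroot: str) -> List[str]:
    """Return the sorted root-relative paths of sensitive files under docroot."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(docroot):  # os.walk does not skip dot-directories
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), docroot).replace(os.sep, "/")
            if is_sensitive(rel):
                exposed.append(rel)
    return sorted(exposed)


def build_sample_docroot() -> str:
    """Create a throwaway tree (constructed sample) mirroring the exposed files reported above."""
    root = tempfile.mkdtemp(prefix="docroot-")
    sample_files = [
        "index.php", "assets/app.css",   # legitimate content
        ".git/config", ".git/HEAD",      # repository metadata
        "composer.lock", "web.config",   # dependency manifest and server config
        "storage/logs/laravel.log",      # application log
    ]
    for rel in sample_files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    for rel in find_exposed(root) or ["no sensitive files found"]:
        print(rel)
```

Run it against the real document root (for example `find_exposed("/var/www/html")`) as part of the deployment pipeline; anything it prints is a file that either needs to be moved outside the document root or covered by a `<Files>` or `<FilesMatch>` deny rule like the one above.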

The value of the Access-Control-Allow-Origin header is too permissive, i.e. Cross-Origin Resource Sharing is implemented with public access (Access-Control-Allow-Origin: *).

Part of securing the application is allowing only selected, trusted domains in the Access-Control-Allow-Origin header.

The server uses the Access-Control-Allow-Origin header to tell the browser which origins are authorized to read the response. If you want to allow credentials, then your Access-Control-Allow-Origin must not use *.

header('Access-Control-Allow-Origin: https://mysite.example.com');

Apache2 and PHP versions are exposed on the server response header and the 403 error pages.

Steps:

  • Hide your Apache and PHP versions from the HTTP headers.
  • Edit your Apache server configuration file (httpd.conf) and uncomment (or add) the lines below.
  • Set ServerSignature to Off and ServerTokens to Prod.

ServerSignature Off

ServerTokens Prod

For more details, see https://httpd.apache.org/docs/2.4/mod/core.html#servertokens

The expose_php setting controls whether information about the server's PHP version is shown to users. If expose_php is on, an attacker can see the version of PHP running on the application's server and, if that version is vulnerable, can target every vulnerability known for it.

Disable expose_php in php.ini:

; expose_php is a PHP_INI_SYSTEM setting: it takes effect from php.ini (or the
; main Apache configuration) but is not honoured from a .htaccess file.
expose_php = Off

Missing Response Headers: Content Security Policy, X-Frame-Options, HSTS, X-Content-Type-Options.

Update the CORS and security header configuration in your application.

CORS is the mechanism by which the browser, which enforces the same-origin policy to stop a malicious script from accessing resources of another origin, is told that restricted resources on a web page may be requested from another domain.

// PHP's header() takes a single "Name: value" string and must be called before any output is sent.
header('X-Frame-Options: SAMEORIGIN');   // use DENY instead if the page must never be framed at all
header('X-Content-Type-Options: nosniff');
header('X-XSS-Protection: 1; mode=block'); // legacy header, no longer acted on by current browsers
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
// Minimal policy as given here; extend it with default-src, script-src etc. for your application
header("Content-Security-Policy: style-src 'self' 'unsafe-inline'");

Two vulnerable cookies in the dashboard response headers i.e., XSRF-TOKEN and laravel_session.

Both of them lack the Secure flag, which means the cookie can be sent over unencrypted connections.

The XSRF-TOKEN cookie lacks the HttpOnly flag.

The laravel_session cookie lacks the SameSite attribute, which means the cookie can be sent as a result of a cross-site request.

Open Laravel's config/session.php and update the parameters below to add the Secure, HttpOnly and SameSite flags to the Set-Cookie response header.

// config/session.php
'secure' => env('SESSION_SECURE_COOKIE', true),
'http_only' => true,
'same_site' => 'strict',
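To verify the CORS, version-disclosure, security-header and cookie-flag findings from the last four sections in one pass, here is an added Python example (not code from the article or from Incrust Software) that parses a raw HTTP response and reports every item that would still fail. The function names, the list of required headers and the two sample responses are this example's own; the samples are constructed to show the state before and after applying the fixes above.

```python
"""Audit the security-relevant response headers of an HTTP response.

Added example, not from the original article: the checks mirror the
findings above (wildcard Access-Control-Allow-Origin, Apache/PHP version
disclosure, missing security headers, cookies without Secure/HttpOnly/
SameSite). The sample responses are constructed.
"""
import re
from typing import Dict, List, Tuple

REQUIRED_HEADERS = (
    "content-security-policy",
    "x-frame-options",
    "strict-transport-security",
    "x-content-type-options",
)

# "Apache/2.4.41 (Ubuntu)" or "PHP/7.4.3" disclose a product version.
VERSION_RE = re.compile(r"/\d+(\.\d+)+")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split raw response headers into (lower-cased name, value) pairs.

    The status line is skipped; Set-Cookie may repeat, so a list is kept.
    """
    pairs = []
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_cookie(value: str) -> List[str]:
    """Return findings for one Set-Cookie value."""
    name = value.split("=", 1)[0].strip()
    attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name} lacks the Secure flag")
    if "httponly" not in attrs:
        findings.append(f"cookie {name} lacks the HttpOnly flag")
    if "samesite" not in attrs:
        findings.append(f"cookie {name} lacks the SameSite attribute")
    return findings


def audit_response(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    pairs = parse_headers(raw)
    single: Dict[str, str] = {n: v for n, v in pairs if n != "set-cookie"}
    findings: List[str] = []

    if single.get("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin is the wildcard *")
        if single.get("access-control-allow-credentials", "").lower() == "true":
            findings.append("wildcard origin combined with Access-Control-Allow-Credentials: true")

    for hdr in ("server", "x-powered-by"):
        if hdr in single and VERSION_RE.search(single[hdr]):
            findings.append(f"{hdr} discloses a version: {single[hdr]}")

    findings.extend(f"missing header {hdr}" for hdr in REQUIRED_HEADERS if hdr not in single)

    for name, value in pairs:
        if name == "set-cookie":
            findings.extend(audit_cookie(value))
    return findings


# Constructed sample: what a scanner would see before the fixes above.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Access-Control-Allow-Origin: *
Set-Cookie: XSRF-TOKEN=abc123; Path=/; SameSite=Lax
Set-Cookie: laravel_session=def456; Path=/; HttpOnly
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: the same response after applying the article's fixes.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Access-Control-Allow-Origin: https://mysite.example.com
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: style-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: XSRF-TOKEN=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
Set-Cookie: laravel_session=def456; Path=/; Secure; HttpOnly; SameSite=Strict
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"--- {label} ---")
        for finding in audit_response(raw) or ["no findings"]:
            print(" ", finding)
```

Feed it the headers of your own site (for example the output of `curl -sI https://mysite.example.com/`) after each configuration change; the weak sample above yields eleven findings, the hardened one none.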

The Bootstrap version in use is 3.3.7, which is vulnerable to XSS attacks.

Bootstrap is a popular front-end framework for faster and easier web development. To fix the bootstrap@3.3.7 vulnerabilities, upgrade Bootstrap to version 3.4.1, 4.3.1 or higher.

Disabling the weak ciphers currently offered by the TLS 1.2 protocol.

Update the Apache SSL configuration file with the following configuration, which enables "strong encryption": the cipher suite below removes the weak ciphers from the TLS 1.2 protocol.

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

SSLProxyCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

User Input Validation

Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. All unwanted special characters should be excluded from the user input.
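The "accept known good" strategy above, as an added Python example (not code from the article or from Incrust Software): every field has a pattern describing the only values that are acceptable, input is first normalised where variation carries no meaning (trimmed, case-folded) and then rejected unless it matches the pattern in full. The field names, patterns and length limits are assumptions chosen for the example, not a specification from the article.

```python
"""Allow-list ("accept known good") input validation.

Added example, not from the original article. Field names, patterns and
limits are assumptions made for this example.
"""
import re
from typing import Any, Dict


class ValidationError(ValueError):
    """Raised when a value is outside the allow-list for its field."""


# The allow-list: exactly what each field may contain, nothing more.
RULES = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "order_id": re.compile(r"[1-9][0-9]{0,9}"),
    "email": re.compile(r"[a-z0-9._%+-]+@[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}"),
    "country": re.compile(r"[A-Z]{2}"),
}


def normalise(field: str, value: str) -> str:
    """Transform harmless variation (whitespace, case) before matching."""
    value = value.strip()
    if field in ("username", "email"):
        value = value.lower()
    elif field == "country":
        value = value.upper()
    return value


def validate(field: str, raw: Any) -> str:
    """Return the clean value or raise ValidationError; input is never passed through unchecked."""
    if field not in RULES:
        raise ValidationError(f"unknown field {field!r}")
    if not isinstance(raw, str):
        raise ValidationError(f"{field}: expected a string")
    value = normalise(field, raw)
    # fullmatch anchors the pattern to the whole value, so no trailing junk survives
    if not RULES[field].fullmatch(value):
        raise ValidationError(f"{field}: value does not match the allowed format")
    return value


def is_valid(field: str, raw: Any) -> bool:
    """Boolean convenience wrapper around validate()."""
    try:
        validate(field, raw)
        return True
    except ValidationError:
        return False


def validate_form(form: Dict[str, Any]) -> Dict[str, str]:
    """Validate every submitted field; unexpected fields are rejected, not ignored."""
    return {field: validate(field, raw) for field, raw in form.items()}


if __name__ == "__main__":
    # Constructed inputs: the form is accepted after normalisation, the odd values are rejected.
    print(validate_form({"username": " Alice_01 ", "order_id": "42", "country": "de"}))
    for odd in ("alice' OR '1'='1", "<b>alice</b>", "../../etc/passwd"):
        print(repr(odd), "->", is_valid("username", odd))
```

Because the rules describe what is allowed rather than what is forbidden, special characters that the page warns about (quotes, angle brackets, path separators) never need to be enumerated: they fail simply by not being in the allowed set.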

Web Application Potentially Vulnerable to LUCKY13

Steps

  • Disable lower versions of TLS (i.e. TLS 1.0 and TLS 1.1)
  • Upgrade OpenSSL
  • Remove all cipher block chaining (CBC) ciphers; AEAD cipher suites such as AES-GCM are recommended.
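The protocol and cipher directives from the TLS sections above, and the LUCKY13 checklist just given, can be audited with this added Python example (not code from the article or from Incrust Software). It resolves which protocol versions remain enabled after an `all -SSLv3 -TLSv1 -TLSv1.1` style SSLProtocol value and classifies each cipher in an OpenSSL-format SSLCipherSuite list by its bulk-encryption mode, using OpenSSL's naming convention (names containing GCM, CCM or CHACHA20 are AEAD, RC4 is a stream cipher, the remaining AES and 3DES names are CBC). One caveat it makes visible: the four `-SHA256` and `-SHA384` suites in the list recommended above (for example ECDHE-RSA-AES256-SHA384, i.e. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) are TLS 1.2 CBC suites, so a configuration that follows the "remove all CBC ciphers" step should drop them. Keyword lists such as `HIGH:!aNULL` have to be expanded with `openssl ciphers -v '<list>'` before being fed to the check. The function names and the two sample configurations are this example's own.

```python
"""Audit SSLProtocol and SSLCipherSuite values from an Apache SSL config.

Added example, not from the original article. Function names and the sample
configurations are constructed for this example.
"""
from typing import Dict, List, Set

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def enabled_protocols(value: str) -> Set[str]:
    """Resolve an SSLProtocol value: 'all' adds everything, '-X' removes X, '+X' or 'X' adds X."""
    enabled: Set[str] = set()
    for token in value.split():
        if token.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def classify_cipher(name: str) -> str:
    """Return 'AEAD', 'stream' or 'CBC' for an OpenSSL cipher name (naming-convention based)."""
    if any(tag in name for tag in ("GCM", "CCM", "CHACHA20")):
        return "AEAD"
    if "RC4" in name:
        return "stream"
    return "CBC"


def has_forward_secrecy(name: str) -> bool:
    """Ephemeral (EC)DH key exchange is what gives a TLS 1.2 suite forward secrecy."""
    return name.startswith(("ECDHE-", "DHE-"))


def audit_config(text: str) -> Dict[str, List[str]]:
    """Return findings for the protocol and cipher directives in a config snippet."""
    findings: Dict[str, List[str]] = {"protocols": [], "ciphers": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, value = line.partition(" ")
        if directive in ("SSLProtocol", "SSLProxyProtocol"):
            weak = sorted(enabled_protocols(value) & WEAK_PROTOCOLS)
            if weak:
                findings["protocols"].append(f"{directive} still enables {', '.join(weak)}")
        elif directive in ("SSLCipherSuite", "SSLProxyCipherSuite"):
            # Apache 2.4.36+ also accepts 'SSLCipherSuite TLSv1.3 <list>'; the list is the last token.
            for cipher in value.split()[-1].split(":"):
                mode = classify_cipher(cipher)
                if mode != "AEAD":
                    findings["ciphers"].append(f"{directive}: {cipher} is a {mode} cipher")
                if not has_forward_secrecy(cipher):
                    findings["ciphers"].append(f"{directive}: {cipher} lacks forward secrecy")
    return findings


# Constructed sample 1: the protocol and cipher lines recommended above.
ARTICLE_CONFIG = """
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
"""

# Constructed sample 2: a legacy configuration that still allows TLS 1.0/1.1 and weak suites.
LEGACY_CONFIG = """
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:RC4-SHA
"""

if __name__ == "__main__":
    for label, cfg in (("article", ARTICLE_CONFIG), ("legacy", LEGACY_CONFIG)):
        result = audit_config(cfg)
        print(f"--- {label} ---")
        for finding in result["protocols"] + result["ciphers"] or ["no findings"]:
            print(" ", finding)
```

Paste the SSLProtocol and SSLCipherSuite lines from your own ssl.conf into `audit_config()`; a clean result means only TLS 1.2 and 1.3 are offered and every listed suite is AEAD with forward secrecy, which is also what the SSL Labs test at the end of this article rewards.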

Cross-Site Tracing (XST) vulnerability

PUT, DELETE, CONNECT, OPTIONS, TRACK and TRACE methods must be disabled on your web server. These methods are a potential security risk.

Update your .htaccess file as follows.

# Remove some HTTP request methods
RewriteEngine On
# OPTIONS is required for CORS preflight requests: leave it out of the list if
# browsers on other origins must call this site. TRACE can also be switched off
# server-wide with "TraceEnable Off" in the main Apache configuration.
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|PUT|DELETE|PATCH)$
RewriteRule .* - [F]

Also, restrict the methods advertised in the Cross-Origin Resource Sharing (CORS) headers, using PHP headers:

header('Access-Control-Allow-Methods: GET, POST');

HTTP to HTTPS redirection

Before you set up an Apache redirect from HTTP to HTTPS in the virtual host file, do the following:

  • Make sure your SSL certificate is successfully installed so you can access https://www.yoursite.com
  • Make sure mod_rewrite is enabled in Apache

<VirtualHost *:80>
    ServerName mysite.example.com
    Redirect permanent / https://mysite.example.com/
</VirtualHost>

or

<VirtualHost *:80>
    # Set ServerName so that %{SERVER_NAME} below resolves to the public host name
    ServerName mysite.example.com
    RewriteEngine On
    RewriteCond %{HTTPS} off
    # ^/? lets the same rule work in both virtual host and .htaccess context;
    # R=301 issues a permanent redirect, matching "Redirect permanent" above
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>

SSL Labs report

Use https://www.ssllabs.com/ssltest/ to check the SSL report of a specific domain: open the SSL Labs website and enter the domain name (DNS).
