You are here: Sysadmins of the North » Web applications » Web application security

Web application security

Web application security is the process of protecting websites and online services against different security threats that exploit vulnerabilities in an application’s code. Common targets for web application attacks are content management systems (e.g., WordPress), database administration tools (e.g., phpMyAdmin) and SaaS applications.

You are here: Sysadmins of the North » Web applications » Web application security

Disallow direct access to PHP files in wp-content/uploads/

Set PHP handler accessPolicy (Request Restrictions) to Read in IIS

It’s recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably without the use of a security plugin. Blocking access to PHP files in WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accesssPolicy in Windows Server IIS, and here is how.

WordPress .htaccess security best practices in Apache 2.4.6+

Security?

Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately, old documentation is never updated and people even still write blog posts using that old syntax, leaving you with an unprotected website. Not what you had in mind, now is it?…

Protect WordPress from brute-force XML-RPC attacks

WordPress XMLPRC

The WordPress XML-RPC API has been under attack for many years. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from these xmlrpc.php attacks, optionally still being able to use (some of) its functionality like Jetpack? This post gives you some insights.

Check WordPress Core files integrity

brown wooden blocks on white surface

Check WordPress integrity and verify WordPress Core files’ md5 checksums against WordPress’ checksums API, using this standalone PHP file. I chose to use a standalone PHP script to check the md5sum of WordPress Core files against the API so you’re not dependent on a possibly hacked WordPress installation. This kind of guarantees the result can be trusted, as opposed to using a WordPress plugin. I think this is a better integrity check of WordPress Core files.

WordPress advisory: Akal premium theme XSS vulnerability

Security?

Over the course of one week I had the opportunity to audit two hacked WordPress websites. I could quickly discover two vulnerabilities: a Cross Site Scripting, or XSS, in a premium WordPress theme Akal, and a Denial-of-Service in an undisclosed newsletter plugin. This post describes the Akal premium WordPress theme XSS vulnerability.

“How we broke PHP, hacked Pornhub and earned $20,000”

This is a very interesting read on how Dario Weißer (@haxonaut), cutz and Ruslan Habalov (@evonide) were able to find a PHP unserialize bug to exploit and gain remote code execution on Pornhub. Pornhub’s bug bounty program is at Hackerone. Instead of actively attacking Pornhub, they took another road and attacked what Pornhub is built upon: PHP.

Cracking PHP rand()

Sjoerd Langkemper writes about Cracking PHP rand(): Webapps occasionaly need to create tokens that are hard to guess. For example for session tokens or CSRF tokens, or in forgot password functionality where you get a token mailed to reset your password. These tokens should be cryptographically secure, but are often made by calling rand() multiple times and transforming the output to a string. This post will explore how hard it is to predict a token made with rand().

Add a delay to your WordPress login form

Or why *not* to add a delay … ! It is important to protect your WordPress website from brute-force attacks, and various security plugins exist in doing so. For the purpose of this article, I modified the WordPress Login Delay plugin with a fixed delay of three seconds for my wp-login.php page. This provides you with an easy to use method of protecting your WordPress login form (but do read the caveats!).

Joomla websites abused as open proxy for Denial-of-Service attacks

Denial of Service (DoS) Attack

Joomla websites using the Googlemaps plugin for Joomla are actively abused as open proxy for launching Denial-of-Service (DoS) attacks. Even though the Googlemaps plugin vulnerability plugin_googlemap2_proxy.php was released over one and a half (1,5) years ago, I still see these DoS-attacks happening on a regular basis…

Exploit PHP’s mail() to get remote code execution

Exploit PHP’s mail() function to perform remote code execution, under rare circumstances. Security Sucks wrote about an interesting way to exploit PHP’s mail() function for remote code execution. Apparently, if you are able to control the 5th parameter of the mail() function ($options), you have the opportunity to execute arbitrary commands.

Test SMTP Authentication and StartTLS

This post shows you how to test an StartTLS/TLS connection to an SMTP server to investigate SMTP over TLS connection issues. For this you use the OpenSSL tool (program). You also learn how to create base64 encoded logon information to verify SMTP authentication over this opportunistic TLS connection. All that from the Linux and Windows command line. This comes in very handy when investigating SMTP authentication issues, particular those over TLS encrypted connections. Investigate SMTP authentication issues like a boss using OpenSSL on your command line.

Scroll to Top