Tuesday, July 8, 2014

Prevent DNS Injections Apache Web Server


The module installed here is mod_spamhaus. Despite the title, it does not stop DNS cache poisoning; that is a resolver problem and is fixed on your DNS servers, not in Apache. What mod_spamhaus does is look each client's IP address up in the Spamhaus DNS blocklists and refuse the request when the address is listed, which keeps known spam sources and botnet hosts away from your forms and login pages.
Follow these steps:
  • Open a terminal window.
  • Issue the command sudo apt-get -y install libapache2-mod-spamhaus.
  • After the installation completes, create the whitelist file with sudo touch /etc/spamhaus.wl. It starts empty; add one IP address or CIDR network per line for clients that must never be blocked (your monitoring hosts, the office NAT address), because a listing of a shared NAT address would otherwise block everyone behind it.
  • With the module installed, open the /etc/apache2/apache2.conf file (using sudo and your favorite text editor) and append the following to the bottom of your configuration file. Apache does not allow a comment at the end of a directive line, so each explanation is on a line of its own:
    
      # Only these methods trigger a blocklist lookup; GET is left out so that
      # ordinary page views do not each cost a DNS query
      MS_METHODS POST,PUT,OPTIONS,CONNECT 
      # Addresses that are never checked, one IP or CIDR range per line
      MS_WhiteList /etc/spamhaus.wl 
      # Number of already looked-up addresses kept in memory
      MS_CacheSize 256 
    
    
  • Save the apache2.conf file and restart Apache (sudo service apache2 restart) so the new module will take effect. Confirm it is loaded with apache2ctl -M | grep spamhaus.
  • Keep in mind that every checked request now depends on a DNS answer from Spamhaus. A lookup that times out or gets no answer does not block, so treat this as a best-effort filter against known bad sources, not as a firewall.
Prevent DDoS attacks in Apache Web Server

    There is an Apache module, mod_evasive, that was created to slow down HTTP floods, although it's probably not installed by default. It counts requests per client IP address and answers with HTTP 403 for a while once a client exceeds the thresholds configured below. Follow these steps to install the module.



  • Open your terminal window.
  • Issue the command sudo apt-get -y install libapache2-mod-evasive.
  • Issue the command sudo mkdir -p /var/log/apache2/evasive.
  • Issue the command sudo chown -R www-data:root /var/log/apache2/evasive (the module writes its per-IP lock files there as the Apache user).
  • Open the module's configuration file /etc/apache2/mods-available/mod-evasive.conf (named evasive.conf on newer Debian and Ubuntu releases; the .load file next to it holds only the LoadModule line and is not the place for these directives) using sudo and your favorite text editor, and make it read as follows. Apache does not accept a comment after a directive on the same line, so the explanations are on lines of their own (one directive per line):


    <IfModule mod_evasive20.c>
        DOSHashTableSize 2048
        # maximum number of requests for the same page per client IP per interval
        DOSPageCount 20
        # total number of requests for any object by the same client IP on the same listener
        DOSSiteCount 300
        # interval in seconds for the page count threshold
        DOSPageInterval 1
        # interval in seconds for the site count threshold
        DOSSiteInterval 1
        # time in seconds that a client IP will be blocked for
        DOSBlockingPeriod 10
        DOSLogDir "/var/log/apache2/evasive"
        DOSEmailNotify admin@domain.com
    </IfModule>
    
  • Save the file and restart Apache so the new module will take effect; confirm with apache2ctl -M | grep evasive.

    Two caveats. First, the counters are keyed on the client IP address, so behind a load balancer or reverse proxy every visitor shares the proxy's address and the whole site is blocked as soon as traffic picks up; add a DOSWhitelist line with the proxy address in that case. Second, this protects one server against one noisy source: a genuinely distributed attack from thousands of addresses stays under the per-IP thresholds, and a volumetric one fills the link before Apache sees a packet, so upstream filtering is still needed. DOSEmailNotify also requires a working local mail command, otherwise the notification silently does nothing.
Wednesday, June 25, 2014

    Ethical Hack: Insufficient Session Destruction

    The finding: logging out clears the browser side (a cookie, a redirect to the login form) but leaves the server-side session alive, so a session ID captured before logout keeps working afterwards. The fix is to invalidate the HttpSession on logout, and a session listener lets you prove in the server log that this really happens.

    1. Create an HttpSessionListener (not an HttpSessionBindingListener, which fires per attribute rather than per session)

    package com.pearson.cat.web.session;

    import javax.servlet.http.HttpSession;
    import javax.servlet.http.HttpSessionEvent;
    import javax.servlet.http.HttpSessionListener;
    
    /** Logs every session creation and destruction with its ID and a timestamp. */
    public class MySessionListener implements HttpSessionListener {
     public void sessionCreated(HttpSessionEvent evt) {
      HttpSession session = evt.getSession();
      session.getServletContext().log(
        "CREATED Session ID: " + session.getId() + "\t time: "
          + new java.util.Date());
     }
    
     public void sessionDestroyed(HttpSessionEvent evt) {
      HttpSession session = evt.getSession();
      session.getServletContext().log(
        "DESTROYED Session ID: " + session.getId() + "\t time: "
          + new java.util.Date());
     }
    }
    

    2. Configure this Session Listener in your web.xml

    <listener>
        <listener-class>com.pearson.cat.web.session.MySessionListener</listener-class>
    </listener>


    3. On logout, call invalidate() (below) from logout.jsp or a logout servlet and then watch the server log: the listener must print a DESTROYED line for the session ID that was just logged out. If that line never appears, the logout is cosmetic and the session is still usable. Re-test the way the scanner did, by replaying the old JSESSIONID after logout; the server must treat it as a fresh, unauthenticated session.

    import java.util.Enumeration;
    import javax.servlet.http.HttpSession;

    /** Wraps the session of the current request; session may be null. */
    public class SessionCleaner {
        private final HttpSession session;

        public SessionCleaner(HttpSession session) {
            this.session = session;
        }

        public void invalidate() {
            if (this.session != null) {
                try {
                    this.cleanAttributes();
                    this.session.invalidate();   // fires sessionDestroyed in the listener
                } catch (IllegalStateException alreadyInvalid) {
                    // double logout: the session was already destroyed
                }
            }
        }

        /** invalidate() unbinds every attribute anyway; this only makes the removals explicit. */
        public void cleanAttributes() {
            if (this.session != null) {
                Enumeration<String> attributes = session.getAttributeNames();
                while (attributes.hasMoreElements()) {
                    session.removeAttribute(attributes.nextElement());
                }
            }
        }
    }
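    As an added example (not the post's own code), here is a complete logout servlet that puts step 3 into practice: it invalidates the server-side session, expires the session cookie in the browser, stops the logged-in pages from being served from cache and redirects to the login page. The servlet path /logout, the login page /login.jsp and the package name are assumptions; JSESSIONID is the container's default cookie name.

```java
package com.pearson.cat.web.session; // assumed package, same as the listener above

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout endpoint (assumed path: /logout). Ends the server-side session,
 * tells the browser to drop the session cookie and sends the user to the
 * login page. With MySessionListener registered, each logout produces one
 * "DESTROYED Session ID" line in the server log.
 */
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    private static final String SESSION_COOKIE = "JSESSIONID"; // container default
    private static final String LOGIN_PAGE = "/login.jsp";     // assumed target

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false): never create a session just to destroy it
        HttpSession session = req.getSession(false);
        if (session != null) {
            try {
                session.invalidate();   // unbinds all attributes, fires sessionDestroyed
            } catch (IllegalStateException alreadyInvalid) {
                // repeated or concurrent logout: nothing left to destroy
            }
        }

        // Expire the cookie in the browser so the stale ID is not sent again.
        // The path must match the one the container used when it set the cookie.
        String path = req.getContextPath().isEmpty() ? "/" : req.getContextPath();
        Cookie expired = new Cookie(SESSION_COOKIE, "");
        expired.setPath(path);
        expired.setMaxAge(0);
        expired.setHttpOnly(true);
        expired.setSecure(req.isSecure());
        resp.addCookie(expired);

        // Keep the response out of the browser cache so Back cannot show
        // a logged-in page after logout.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);

        resp.sendRedirect(req.getContextPath() + LOGIN_PAGE);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Logout over GET can be triggered from another site (forced logout);
        // prefer a POST form and only keep this if legacy links need it.
        doPost(req, resp);
    }
}
```

    Expiring the cookie is a courtesy to the browser, not the security control: the invalidate() call is what makes a replayed JSESSIONID worthless, which is exactly what the re-test checks.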
    

    Disable TRACE on the web server

    1. Turn TRACE off in the web server configuration (httpd.conf, or apache2.conf on Debian and Ubuntu). Apache then answers TRACE with 405 Method Not Allowed

              TraceEnable off
    

    2. If the above does not work (for example where you can only edit a vhost or .htaccess), a mod_rewrite rule returns 403 Forbidden for both TRACE and TRACK (TRACK is the IIS spelling, which scanners probe as well)

               RewriteEngine On
               RewriteCond %{REQUEST_METHOD} ^TRAC(E|K)
               RewriteRule .* - [F]
    
    mod_rewrite must be enabled for this to have any effect (a2enmod rewrite), and in .htaccess the directory needs AllowOverride FileInfo.

    3. Do this in the application server if the finding is against Tomcat directly

    Simply edit $TOMCAT/conf/server.xml, 
    and for the <Connector> element, add an attribute: allowTrace="false". 
    Restart Tomcat. Note that allowTrace already defaults to false, so a TRACE finding against a Tomcat port usually means someone set allowTrace="true", or that a proxy in front of Tomcat answers TRACE itself; check that before changing Tomcat.

    Whichever layer you fix, re-test with a TRACE request (for example curl -i -X TRACE against the site) and expect a 405 or 403 status rather than an echo of your own request headers.
    

    Frameable response (potential Clickjacking) - Penetration testing - Fix

    The scanner reports this when a page can be loaded inside an iframe on another site, which lets that site overlay the real page with invisible controls and trick the user into clicking them. The fix is a response header (X-Frame-Options) that tells the browser not to render the page inside a frame.

    Fix

    Register the OWASP ClickjackFilter in web.xml. Two filter instances are declared, one per mode, but only ClickjackFilterDeny is mapped to /*; map ClickjackFilterSameOrigin instead if the application legitimately frames its own pages.

    <!-- OWASP ClickjackFilter -->
    <filter>
        <filter-name>ClickjackFilterDeny</filter-name>
        <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
        <init-param>
            <param-name>mode</param-name>
            <param-value>DENY</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>ClickjackFilterSameOrigin</filter-name>
        <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
        <init-param>
            <param-name>mode</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>ClickjackFilterDeny</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    

    Add the following Java class to the web application's sources (it compiles to WEB-INF/classes/org/owasp/filters/ClickjackFilter.class):
    /**
     *  Software published by the Open Web Application Security Project (http://www.owasp.org)
     *  This software is licensed under the new BSD license.
     *
     * @author     Jeff Williams Aspect Security
     * @created    February 6, 2009
     */
    
    package org.owasp.filters;
    import java.io.IOException;
    
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletResponse;
    
    public class ClickjackFilter implements Filter 
    {
    
        private String mode = "DENY";
         
        /**
         * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
         * decide to implement) not to display this content in a frame. For details, please
         * refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
         */
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
            HttpServletResponse res = (HttpServletResponse)response;
            res.addHeader("X-FRAME-OPTIONS", mode );   
            chain.doFilter(request, response);
        }
        
        public void destroy() {
        }
        
        public void init(FilterConfig filterConfig) {
            String configMode = filterConfig.getInitParameter("mode");
            if ( configMode != null ) {
                mode = configMode;
            }
        }
        
    }
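    The OWASP filter above sets only X-Frame-Options, which browsers still honour but which is formally superseded by the frame-ancestors directive of Content-Security-Policy. The following filter is an added example, not OWASP code: it emits both headers from the same mode parameter, uses setHeader so that no second value can sneak onto the response, and rejects unsupported modes at startup instead of sending them to the browser. The class name is an assumption; register it in web.xml exactly like ClickjackFilter.

```java
package org.owasp.filters; // placed beside the OWASP filter for drop-in use (assumed)

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Anti-framing filter that sends the legacy X-Frame-Options header and its
 * CSP successor together. Init-param "mode" is DENY (default) or SAMEORIGIN,
 * as in the OWASP filter.
 */
public class FrameOptionsFilter implements Filter {

    private String xfo = "DENY";
    private String csp = "frame-ancestors 'none'";

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String mode = cfg.getInitParameter("mode");
        if (mode == null || "DENY".equalsIgnoreCase(mode)) {
            xfo = "DENY";
            csp = "frame-ancestors 'none'";
        } else if ("SAMEORIGIN".equalsIgnoreCase(mode)) {
            xfo = "SAMEORIGIN";
            csp = "frame-ancestors 'self'";
        } else {
            // ALLOW-FROM never had cross-browser support and is obsolete:
            // fail at deployment rather than ship a header nobody enforces.
            throw new ServletException("mode must be DENY or SAMEORIGIN, got: " + mode);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        // setHeader, not addHeader: a second filter must not be able to leave
        // two conflicting X-Frame-Options values on the same response.
        resp.setHeader("X-Frame-Options", xfo);
        resp.setHeader("Content-Security-Policy", csp);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

    One caveat: if the application already sends a Content-Security-Policy header of its own, a servlet that sets it after this filter runs will replace the frame-ancestors value; in that case merge the directive into the existing policy instead of setting the header here.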
    
    

    SSL cookie without secure flag set - Penetration testing - Fix

    web.xml changes
    Servlet 3.0 (Java EE 6) introduced a standard way to set the Secure attribute on the session cookie (JSESSIONID), so that the browser only ever sends it over HTTPS. Apply the following configuration in web.xml:

    <session-config>
        <cookie-config>
            <secure>true</secure>
        </cookie-config>
    </session-config>

    Once this is set, a session created over HTTPS is invisible to any plain-HTTP part of the site, so the whole application, including the page that first creates the session, must be served over HTTPS. Servlet 2.5 containers have no standard element for this; use the container's own session-cookie settings there.
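    As an added example rather than the post's own, the same setting can be made programmatically through the Servlet 3.0 SessionCookieConfig API, which is handy when web.xml is generated or when HttpOnly should be configured in the same place. The class and package names are assumptions; the listener is registered by its @WebListener annotation.

```java
package com.pearson.cat.web.session; // assumed package

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Programmatic equivalent of the <cookie-config> block. The setters throw
 * IllegalStateException once the context is initialised, so this has to run
 * inside contextInitialized(), before the first session cookie is issued.
 */
@WebListener
public class SessionCookieHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();

        cookie.setSecure(true);    // never sent over plain http://
        cookie.setHttpOnly(true);  // not readable through document.cookie
        // Scope the cookie to this application; a cookie on "/" would be
        // presented to every other application on the same host.
        String path = ctx.getContextPath();
        cookie.setPath(path.isEmpty() ? "/" : path);
        // Session cookie, not persistent: discarded when the browser closes.
        cookie.setMaxAge(-1);

        ctx.log("Session cookie: secure=" + cookie.isSecure()
                + " httpOnly=" + cookie.isHttpOnly()
                + " path=" + cookie.getPath());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

    The log line at startup is the quick check: if it does not show secure=true, another listener or the container's defaults ran after this one and the pentest finding will come back.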
    
    
    

    Monday, June 23, 2014

    Securing EXT-JS from CSRF

  • First, you need to have the CSRFGuard JAR in your WAR (pom.xml changes)

    <dependency>
       <groupId>org.owasp</groupId>
       <artifactId>csrfguard</artifactId>
       <version>3.0.0</version>
    </dependency>
    
  • Next you will need to modify your web.xml to add the CSRFGuard filter, listeners, servlet and configuration; it all works with standard servlet technology (web.xml changes). The filter is mapped to /* (a bare * is not a valid servlet url-pattern):

    <context-param>
       <param-name>Owasp.CsrfGuard.Config</param-name>
       <param-value>WEB-INF/csrfguard.properties</param-value>
    </context-param>
    <context-param>
       <param-name>Owasp.CsrfGuard.Config.Print</param-name>
       <param-value>true</param-value>
    </context-param>

    <filter>
       <filter-name>CsrfGuard</filter-name>
       <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
    </filter>
    <filter-mapping>
       <filter-name>CsrfGuard</filter-name>
       <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
       <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
    </listener>
    <listener>
       <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
    </listener>

    <servlet>
       <servlet-name>CsrfJavaScriptServlet</servlet-name>
       <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
       <init-param>
          <param-name>source-file</param-name>
          <param-value>scripts/resources/csrfguard.js</param-value>
       </init-param>
       <init-param>
          <param-name>inject-into-forms</param-name>
          <param-value>true</param-value>
       </init-param>
       <init-param>
          <param-name>inject-into-attributes</param-name>
          <param-value>false</param-value>
       </init-param>
       <init-param>
          <param-name>domain-strict</param-name>
          <param-value>true</param-value>
       </init-param>
       <init-param>
          <param-name>x-requested-with</param-name>
          <param-value>OWASP CSRFGuard</param-value>
       </init-param>
    </servlet>
    <servlet-mapping>
       <servlet-name>CsrfJavaScriptServlet</servlet-name>
       <url-pattern>/CsrfJavaScriptServlet</url-pattern>
    </servlet-mapping>
    

  • Third, add the two CSRFGuard files referenced above to the WAR. The locations match what you declared in web.xml and can be changed there:
    • scripts/resources/csrfguard.js (preferably under the webapp/scripts/resources folder)
    • WEB-INF/csrfguard.properties (at the path named by Owasp.CsrfGuard.Config, relative to the web application root)
    
  • One property that is critical in csrfguard.properties is org.owasp.csrfguard.Ajax=true. It makes the injected JavaScript attach the token to every XMLHttpRequest, which is how ExtJS talks to the server; without it only HTML forms carry the token, and the POSTs made by Ext.Ajax arrive without one and are rejected by the filter.


  • Lastly, in the main ExtJS launch page which is typically /index.html