When writing an HTTP server or client in Go, timeouts are amongst the easiest and most subtle things to get wrong: there’s many to choose from, and a mistake can have no consequences for a long time, until the network glitches and the process hangs.
I may not actually use tumblr very often since I am actually working on a blogging site. The site is going to be self-hosted on my little machine. Let’s hopep it can take the traffic if there is any.
Итак, немножечко с задержкой, но мы продолжаем писать наше приложение чата на Node.JS. Мы уже вкратце познакомились с этой платформой и запустили свой первый веб-сервер на ней. Пора уже переходить к более серьезным вещам. в целом, если вы хоть немного почитали официальную документацию текущих знаний должно хватить, ну и немного терпения )
Давайте установим в наш проект еще парочку модулей которые…
Доброго вам дня! Как я говорил – не затягиваю со второй статьей. Если вы не читали первую, то советую перейти к ней, а потом вернуться сюда снова. Сегодня мы снова отойдем от разработки CMS и PHP в целом. Сегодня мы погрузимся в пучину Node.JS.
Итак, в прошлый раз мы остановились на том, что разобрались вкратце что такое Node.JS и узнали, что на JavaScript можно писать не хуже чем на PHP. Но…
The HAUNTBOX is a open source platform which is configured by web browser for haund and some projects.
“It is a system of parts. Sensors and outputs plug into your Hauntbox and it plugs into your network. You tell it what do by using your browser on your computer, iPad or smartphone on your home network with our simple visual interface.”
This post is part of a series of 3 topics introduced in the post “Quick security insights”.
Now that your server is up and running it’s time to move forward and deploy your web-app (remember, it’s going to change the world !). You tested it locally, everything works the way you want it to work, your bugs are fixed (at least, you think so)… You’re ready.
Are you sure?
Are you certain there are no XSS vulnerabilities? Injection flaws? If someone were to compromise your application, would he be stopped from messing around in your server’s system?
Maybe it’s time, again, to re-consider before going live.
After host-specific security, let’s ask ourselves new questions, and let’s try to figure out if we’re likely to be hacked… In this article, we will cover, from a high-level perspective, the following points:
Web-server security and configuration;
DIY penetration test (think like a bad guy).
As in the previous post, the main idea in terms of configuration remains the need-to-have basis. Users should only be allowed to perform a restricted set of actions. You don’t want your apache user to reboot your server, nor do you want your database user to install new software on your host. All the user accounts created in the context of your web-app have a well-defined purpose: they MUST stick to it.
So, continuing from our Linux-based examples, and considering we would like to run an Apache server, we should first restrict the context in which it will be running.
Chroot and jails
Unix-like systems offer a feature allowing the user to run processes within an isolated filesystem. This is done using the chroot command, which provides means to change the apparent root directory.
The basic idea here is to “use a system within the system”, and run the processes related to your web-app from within that confined environment. There are various approaches to this, so we’ll explain the basics and point you to some tutorials that will provide detailed, step-by-step ways to do this. In general, the approach is the following:
Create a “jail” directory (e.g. /var/jail/ ) that will serve as a basis directory for your chrooted environment;
Install a light Linux distribution into this directory – e.g. using the debootstrap program;
Install your web-server binaries into your jail directory;
Write scripts to start and stop your web-server in the chrooted environment;
Place these scripts in your /etc/init.d/ directory, and make them executable;
Start your web-server using these scripts.
As a result, you end up with a web-application server being controlled from your “top” system, but without access to it. This ensures - to a certain extent – that in the case of a breach on your web-app, the breach will be limited to the “jail” environment only.
Alternatives to, or based upon, chroot exist. Linux Containers (LXC), Docker, AppArmor, etc., also provide isolation/containment functionalities and can be easier to deploy depending on your needs. In the case you’re running a BSD-like system, BSD Jails can also be worth looking at. We provide the right links towards the end of this article.
Mod_security and web-server config
Next, you want to setup a web application Firewall. On Ubuntu, mod_security provides a rules engine that will reject suspicious queries related to potential hacking attempts (this web-application firewall is also available on Windows, by the way…).
#Install mod_security
admin@server:sudo apt-get install libapache2-modsecurity
#Use the default set of rules
admin@server:sudo mv /etc/modsecurity/modsecurity.conf{-recommended,}
#Enable mod_security
admin@server:sudo nano /etc/modsecurity/modsecurity.conf
#Change the following line:
SecRuleEngine DetectionOnly
#by:
SecRuleEngine on
#Reload the Apache server
admin@server:sudo service apache2 reload
Further customization is of course possible but this will get you started. Be careful not to define too many rules, as it might impair the performances of your web-server.
One last thing before going further: you don’t want to leave too much information for public eyes. By this, we mean server type and version, error stacks, etc. Therefore, make sure only generic 404 error messages are provided to your users and also remove all host-related information from the responses your users will get. On an Apache server, this is usually achieved by doing the following changes in your security.conf file:
ServerTokens ProductOnly
ServerSignature Off
The first directive will limit the information related to the server (i.e. the user will only know that you’re running Apache), while the second directive forbids a possible trailing footer from being added under certain contexts (e.g. error messages).
So, the fun part now…
Before starting with the pentest thing, you should have a look at the OWASP project (https://www.owasp.org) and their top 10 ranking of vulnerabilities. Our goal here is not to re-invent the wheel, but to give you a quick insight on how to look for common flaws.
There are a lot of free and/or open-source software that can help you in this process. In this post, we’ll use the OWASP ZAP Scanner along with BurpSuite (free version).
What a scanner does is basically crawl a site and tamper with all the input parameters it finds. As such, all kinds of inputs are subject to manipulations in order to attempt various types of attacks. Depending on the response received by the scanner, it can deduce with more or less confidence that the application is subject – or not - to a given number of vulnerabilities.
The following example was made using the OWASP ZAP scanner and a web-application called WebGoat, which is designed to be vulnerable.
Using ZAP is as easy as defining the URL of the target and click on the “Attack” button:
The third and final step is collecting the results:
Though in this case, we can be rather confident that those vulnerabilities are real (the application was designed to be vulnerable), in real life it is important to make manual checks in order to validate your scan results. For this, you need an intercepting proxy, such as BurpSuite, WebScarab, or Paros (this list is not extensive – ZAP also acts as a proxy). In our case, we will use BurpSuite.
Setting BurpSuite as a proxy is as simple as defining a listening port number (8080 by default) and clicking on “Intercept is on”. In your browser, you must then specify that you connect through a proxy, running on 127.0.0.1 and listening on the port number you gave. You can then intercept the requests you send:
And of course you can manipulate the value of each parameter before forwarding it to the application, in order to attempt various attacks:
BurpSuite is not limited to just intercept and manipulate. There are a number of very interesting attack features (e.g. the Intruder and Repeater tools) that can help you in performing multiple kinds of attacks, from enumerating user IDs to brute-forcing passwords, auto-replacing specific values in the requests or responses, etc. There are a lot of detailed, step-by-step tutorials out on the Web, and we recommend going through a few of them in order to grasp a better perspective of what this tool is offering.
BurpSuite tutorials: https://www.pentestgeek.com/2014/07/02/burp-suite-tutorial-1/ and http://www.securityninja.co.uk/hacking/burp-suite-tutorial-the-intruder-tool/
