Live Coding #1: Fixing Website Security Vulnerabilities
Apr 18, 2019
Tech Editor @ WTTJ
In this live coding session, Gwendal Le Coguic, a white hat who works as a freelancer at the bug bounty platform Yogosha, details 5 of the most common security vulnerabilities found on web applications and explains how to fix them as a developer.
GitHub issue
This vulnerability refers to credential leaks on GitHub. A simple search on GitHub using DB_PASSWORD filename:wp-config.php
, for example, quickly returns the credentials of thousands of WordPress websites.
How to prevent this vulnerability issue as a developer
Instead of publishing your credentials on repositories, configure environment variables.
1/ Get the values in your code (here in PHP):
$_config['DB_USER'] = getenv('THEGARDEN_USER');$_config['DB_PASS'] = getenv('THEGARDEN_PASS');
2/ Set the values in your web server:
SetEnv THEGARDEN_USER testSetEnv THEGARDEN_PASS test
3/ Commit changes.
4/ Remove the credentials from your code.
5/ Delete the GitHub history using this step-by-step tutorial.
Best practice: Rather than configuring your environment variables manually, use a deployment tool such as Deployer which will set the environment variables for you.
.git issue
Files and directories containing private information created by Git are sometimes deployed in Production. For example, a malicious user would be able to download the source code of a website through the .git directory simply by entering $ ./gitpillage.sh thegarden.local.net
.
How to prevent this vulnerability issue as a developer
To avoid this issue, you need to:
1/ Forbid access to the .git directory in .htaccess, using:
RedirectMatch 403 /\\.git(/.*|$)
2/ Set a new rule in your vhost file:
<DirectoryMatch "/\.git"> Require all denied</DirectoryMatch>
Best practice: It is recommended to avoid deploying the .git directory in Production as it’s only useful during application development.
Directory-listing vulnerability
Directories can also be found by black hats by browsing the code of a website manually or by using a fuzzer to access directories using “brute force.”
How to prevent this vulnerability issue as a developer
There are two ways to fix this vulnerability:
1/ Empty the index.html file, or
2/ Disable the option in the .htaccess or vhost files, using Options -Indexes
404 error
Displaying the version number of your web server or language, as well as returning the error code 403, can help malicious users to find an exploit and directories to access files.
How to prevent this vulnerability issue as a developer
You should redirect everything to the same page by following these steps.
1/ Create a custom page for the HTTP code in .htaccess:
ErrorDocument 403 /404.phpErrorDocument 404 /404.phpErrorDocument 500 /404.php
2/ Set up the 404 error code in your code (here in PHP) just before redirection:
header( 'HTTP/1.0 404 Not Found' );
IDOR
IDOR—insecure direct object reference—is a common vulnerability on web applications and was ranked fifth in the OWASP Top 10 Application Security Risks in 2017. It allows you to access objects that don’t belong to you.
How to prevent this vulnerability issue as a developer
Make sure that the user who performs the request owns the object by checking the proper authorization. In our application, we would use the following code (here in PHP) for example:
if( $object->getUserId() != $_user->getId() ) { header( 'Location: /404.php', 404 ); exit();}
Best practice: Don’t hesitate to use a reliable and robust framework like Symphony for example, as this type of authorization check is often already implemented and easy to perform.
Yogosha is the first private bug bounty platform in Europe, helping organizations to detect and fix vulnerabilities before criminals exploit them. Sign up if you’re interested in joining their platform as a hacker. You will have to pass an entry exam that will challenge your pedagogical and technical skills. Each time a new challenge is released, you will be notified by email. You can also follow them on Twitter to learn about the upcoming challenges.
This article is part of Behind the Code, the media for developers, by developers. Discover more articles and videos by visiting Behind the Code!
Want to contribute? Get published!
Follow us on Twitter to stay tuned!
Illustrations by WTTJ
More inspiration: Offbeat
Thinking outside the box once in a while is essential while coding. Take a step back on your day-to-day developer tasks and discover how other people use the same technologies and tools as you to create amazing things.
Poem #4: Firefighting
Enjoy this poem program written in the Python programming language that generates an ASCII art fire animation.
Dec 19, 2019
Poem #3: Avalanche of Stars
Enjoy this poem program written in the C programming language that generates ASCII art mountainscapes.
Nov 12, 2019
4 Things to Expect When You’re the Only Security Engineer on a Developers Team
Here are some things security engineers need to be aware of before their first day if they’re going to survive on a team of developers.
Oct 29, 2019
Poem #2: Alphanumeric
Enjoy this poem program written in the Julia language that uses a simple statistical model to generate endless paragraphs of redacted text.
Oct 03, 2019
Tired of Chrome? Try These Six Browsers
Are you tired of Chrome, Safari and Firefox? Here are six alternative browsers to consider if you’re looking for a different Internet experience!
Oct 01, 2019
The newsletter that does the job
Want to keep up with the latest articles? Twice a week you can receive stories, jobs, and tips in your inbox.
Looking for your next job?
Over 200,000 people have found a job with Welcome to the Jungle.
Explore jobs