Live Coding #1: Fixing Website Security Vulnerabilities

In this live coding session, Gwendal Le Coguic, a white hat who works as a freelancer at the bug bounty platform Yogosha, details 5 of the most common security vulnerabilities found on web applications and explains how to fix them as a developer.

GitHub issue

This vulnerability refers to credential leaks on GitHub. A simple search on GitHub using DB_PASSWORD filename:wp-config.php, for example, quickly returns the credentials of thousands of WordPress websites.

How to prevent this vulnerability issue as a developer

Instead of publishing your credentials on repositories, configure environment variables.

1/ Get the values in your code (here in PHP):

$_config['DB_USER'] = getenv('THEGARDEN_USER');$_config['DB_PASS'] = getenv('THEGARDEN_PASS');

2/ Set the values in your web server:

SetEnv THEGARDEN_USER testSetEnv THEGARDEN_PASS test

3/ Commit changes.

4/ Remove the credentials from your code.

5/ Delete the GitHub history using this step-by-step tutorial.

Best practice: Rather than configuring your environment variables manually, use a deployment tool such as Deployer which will set the environment variables for you.

.git issue

Files and directories containing private information created by Git are sometimes deployed in Production. For example, a malicious user would be able to download the source code of a website through the .git directory simply by entering $ ./gitpillage.sh thegarden.local.net.

How to prevent this vulnerability issue as a developer

To avoid this issue, you need to:

1/ Forbid access to the .git directory in .htaccess, using:

RedirectMatch 403 /\\.git(/.*|$)

2/ Set a new rule in your vhost file:

<DirectoryMatch "/\.git">   Require all denied</DirectoryMatch>

Best practice: It is recommended to avoid deploying the .git directory in Production as it’s only useful during application development.

Directory-listing vulnerability

Directories can also be found by black hats by browsing the code of a website manually or by using a fuzzer to access directories using “brute force.”

How to prevent this vulnerability issue as a developer

There are two ways to fix this vulnerability:

1/ Empty the index.html file, or

2/ Disable the option in the .htaccess or vhost files, using Options -Indexes

404 error

Displaying the version number of your web server or language, as well as returning the error code 403, can help malicious users to find an exploit and directories to access files.

How to prevent this vulnerability issue as a developer

You should redirect everything to the same page by following these steps.

1/ Create a custom page for the HTTP code in .htaccess:

ErrorDocument 403 /404.phpErrorDocument 404 /404.phpErrorDocument 500 /404.php

2/ Set up the 404 error code in your code (here in PHP) just before redirection:

header( 'HTTP/1.0 404 Not Found' );

IDOR

IDOR—insecure direct object reference—is a common vulnerability on web applications and was ranked fifth in the OWASP Top 10 Application Security Risks in 2017. It allows you to access objects that don’t belong to you.

How to prevent this vulnerability issue as a developer

Make sure that the user who performs the request owns the object by checking the proper authorization. In our application, we would use the following code (here in PHP) for example:

if( $object->getUserId() != $_user->getId() ) {    header( 'Location: /404.php', 404 );    exit();}

Best practice: Don’t hesitate to use a reliable and robust framework like Symphony for example, as this type of authorization check is often already implemented and easy to perform.

Yogosha is the first private bug bounty platform in Europe, helping organizations to detect and fix vulnerabilities before criminals exploit them. Sign up if you’re interested in joining their platform as a hacker. You will have to pass an entry exam that will challenge your pedagogical and technical skills. Each time a new challenge is released, you will be notified by email. You can also follow them on Twitter to learn about the upcoming challenges.

This article is part of Behind the Code, the media for developers, by developers. Discover more articles and videos by visiting Behind the Code!

Want to contribute? Get published!

Follow us on Twitter to stay tuned!

Illustrations by WTTJ