Index
Symbols
$ (dollar sign), 59
* (star), 63
A
a-zA-Z, regular expressions, 59
Access Control List (ACL), securing Web root, 179
Actors diagram
designing security with, 260, 262
identifying points of failure in, 272
Acunetix Web Vulnerability Scanner testing interface, 247–254
Administrative Tools folder, 102–103, 108–109
Administrative Tools Services MMC, 177–178
changing username/password on
MySQL, 163–164
granting privileges to, 100–101, 115
viewing and deleting user accounts/comments, 14
workflow diagrams for, 260–262, 272
Advanced button, Windows properties, 80–82
AES encryption, 124
Alerts
automated testing, 235
intrusion detection system, 73
keeping up with security, 144
for latest stable version of Web server, 147
ModSecurity, 215
paying attention to latest security, 44–46
reviewing during scanning, 252–253
system test, 223
Algorithm strength, 123–124
Allow permission, 77–79
allow_url_fopen directive, php.ini file, 72–73, 90–91
allowing access to Web site, 180
allowing comments from, 13–15
authentication systems vs., 269
no need to authenticate, 100–101
removing from SQL Server, 202–204
workflow diagram for, 260–262, 272
Apache server, 147–159
disabling unneeded options, 153–154
enabling ModSecurity, 154–159
giving own user and group to, 149–151
hiding version number/other information, 151
restricting to own directory structure, 152–153
upgrading or installing latest version, 147–149
using SuExec for shared hosting, 214–215
API (Application Programming Interface)
for authentication, 119–120
customizing for system calls, 31–32
customizing for user input validation, 32
defined, 289
sanitizing data to prevent buffer over-flows, 49
for user-uploaded image files, 88–90
Application pools, 181–184
Application Programming Interface. See API (Application Programming Interface)
data sources for, 48
gaining access to server through insecure, 5–6, 10
hackers targeting minor, 9
hardening your, 6–7
making life difficult for spammers, 22–23
Applications, designing securely from the beginning, 257–271
concept summary, 257–260
data design, 260–267
file upload, 270
filesystem access, 271
identifying points of failure, 269
infrastructure functions, 267–268
login and logout, 269–270
user input, 270–271
workflow and actors diagram, 260
Applications, securing existing, 273–278
hardening checklist, 276–277
having code peer-reviewed, 278
using three-stage deployment, 273–275
using version control, 275–276
variable sanitation, 277
Arbitrary code attacks, from buffer over-flows, 42
Asymmetric (public) key encryption, 121–122
Authentication
adding encryption to. See encryption
directory-based, 101–114
goals of creating, 95
identifying login/logout points of failure, 269–270
image recognition, 99–100
patching application for, 117–120
privileges, 100–101
SQL Server, 192
storing information in user database table, 114–115
storing usernames and passwords, 115–117
types of, 95–97
usernames and passwords, 97–99
using Web Vulnerability Scanner, 250–251
writing with Zend, 208
AutoAttack tool, CAL9000 toolkit, 245
Automated testing. See Testing, automated
B
Backup
length constraints on database, 56
storing information in user database, 118–119
Basic Multilingual Plane, 43, 289
Biometric analysis, 96
Blank input
brainstorming boundary conditions, 18–19
overview of, 15–18
Blowfish encryption, 124
Books, as resources, 286–288
Boundary conditions
automated testing of, 219–220, 223–224
as buffer overflow, 45
building error-handling mechanism for, 23–26
determining, 18–19
Breach Security Labs, 155–159
Buffer overflows, 37–52
computer science of, 39–41
consequences of, 42
with excessively long input, 55
fuzz testing for, 227
identifying points of failure, 270–271
memory allocation and PHP, 42–44
overview of, 37–39
patching application, 49–52
paying attention to latest security alerts, 44–46
sanitizing variables to prevent, 46–49
C
C libraries, underlying PHP, 39
CAL9000 toolkit AutoAttack tool, 245
Cheat Sheets tool, 242–243
Checklist tool, 244–245
Encode/Decode tool, 237–239
HTTP Requests tool, 239
HTTP Responses tool, 240–241
Misc Tools, 243–244
obtaining, 234–235
Scratch Pad tool, 242
using, 235
XSS Attacks tool, 236–237
CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart), 99–100, 289
CERT (Computer Emergency Response Team), 9, 46–47
CGIs, and SuExec, 215
changeFilePrivs( ) function, 88–89
Character class (within regular expression), 59–61, 289
Cheat Sheets tool, CAL9000 toolkit, 242–243
Checklist tool, CAL9000 toolkit, 244–245
checkToken() function, 134
chmod( ) function, 87
Classes, security alert, 45
Commas, and spammers, 22–23
Comments, 56–57
Completely Automated Public Turing
Test to tell Computers and Humans
Computer Browser Properties dialog, IIS, 178
Computer Emergency Response Team (CERT), 9, 46–47
Computer Management, Administrative Tools folder, 102–103
Consistency
in building error-handling mechanism, 19–23
in naming, 281
when writing self-documenting code, 280–281
Constraints, database and logical, 56–57
Cookie button, PowerFuzzer, 231
createSalt( ) function, 127
Creative Commons license, 207, 289
Cross-site scripting. See XSS (cross-site scripting)
Cryptography. See Encryption
CVS, 275–276
D
Data
basing encryption type on, 124–125
checking length of, 48–49
choosing for testing, 223–224
designing security for, 260–267
making assumptions about user, 55
sanitizing to prevent buffer overflows, 48–49
sources of, 48
tainted, 57–58
Data dictionary
database constraints and, 56
identifying points of failure, 269
setting up, 264–266
Databases
deleting sample MySQL, 165
deleting sample SQL Server, 204–205
placing constraints on length of stored data, 56
running latest stable version of server, 49–50
securing SQL Server. See SQL Server
storing authentication information in, 114–115
Databases Security Uses folder, SSMSE, 202–203
Decoding plain text, with CAL9000 toolkit, 238
deleteToken() function, 134
Deny permission
changing in Windows, 77
directory-based authentication, 107
overriding Allow permission, 78–79
Deployment, of existing applications, 273–275
Design phase. See Applications, designing
security at beginning
Development box, 273–274
Development releases, PHP, 212
Directory-based authentication, 101–114
Directory structure
hackers navigating, 7–8
opening local files, 70–71
restricting Apache to its own, 152–153
securing Web root, 179
storing needed files in separate directory within, 70–71
Directory traversal attack, 153
display_errors, hardening php.ini, 217–218
Documentation
of length constraints on database, 56
writing self-documenting code, 280–281
Dollar sign ($), 59
DoS (denial-of-service) attacks
from buffer overflows, 42
defined, 289–290
fuzz testing for, 227
using system resources for, 29
Download mirror
MySQL, 161–162
PowerFuzzer, 229
E
Editing, object in Windows file permissions, 86–87
Encapsulation
allowing file uploads using, 89
data design using, 263
error handling with, 32
in filesystem access, 70
Encode/Decode tab, CAL9000 toolkit, 237–239
Encryption, 121–128
choosing type of, 123–125
defining, 121–123
password security, 125
patching application to encrypt passwords, 125–127
username and password, 115
encryptPassword( ) function, 127
Error handling, 13–26
brainstorming boundary conditions, 18–19
building mechanism for, 19–23
encountering erroneous data, 23–24
guestbook application, 13–15
making system easy to use, 24–26
SQL injection attack, 16–18
Error-logging, SQL Server, 194
Error messages, writing, 23–24
escapeshellarg( ) command, 30–31
escapeshellcmd( ) command, 30
Execute permissions, 76
Exploit testing. See Testing, exploit
expose_php, hardening php.ini, 217
Extensibility, with custom API, 31
F
Features
disabling unnecessary SQL Server, 197
keeping tight rein on new, 279–280
file_get_contents( ) function, 71
Filenames
checking variable sanitation, 51–52
escapeshellcmd( ) and escapeshellarg( ) securing, 30–31
malicious users of system calls and, 28
opening local files, 71
security myth of changing, 7–9
validating user input, 32–34
$_FILES Superglobal array, 74
Filesystem access, 69–91
allowing user-uploaded image files, 88–90
creating and storing files, 73–75
designing security from beginning, 271
opening local files, 69–71
opening remote files, 71
permissions in PHP, 87
permissions in UNIX, Linux and MAC OS X, 76
permissions in Windows. See Windows
file permissions, changing
Filesystem access (continued)
preventing remote attacks, 72–73
summary review, 90–91
Filters
for malicious code in user input, 139
testing effectiveness of. See testing, exploit
Firefox, for CAL9000 toolkit, 234
Firewalls, 5–6
Fixation sessions. See Session fixation
Footprint
defined, 290
reducing IIS server, 177–178
Forms
for user-uploaded image files, 90
for users to upload files, 74–75
Fuzz testing
installing and configuring PowerFuzzer, 227–230
overview of, 226–227
using PowerFuzzer, 231–233
G
Generally Available Release, 160, 290
_generateSessionID() function, 134
_generateTokenID() function, 134–135
Gibson Research Corporation (GRC), password generator, 164
Glossary, 289–292
Granularity, of Windows file permissions, 77–79, 85–87
GRC (Gibson Research Corporation), password generator, 164
Greedy modifiers, regular expressions, 63
Groups
authentication, 102–106
for each application in Apache, 149–151
Web file authentication, 111–114
Windows file authentication, 104–110
Guestbook application
adding buffer overflow prevention, 49–52
adding encryption, 125–127
adding session security, 133–136
adding system calls API, 32–33
adding user authentication, 117–119
allowing user-uploaded files, 88–90
concept summary for, 258–259
defined, 13
designing data dictionary, 264–266
designing infrastructure functions, 267
designing long-term data storage, 263–267
designing workflow, 260–262
preventing XSS attacks, 138
primary code listing, 14–15
program summary, 13–14
GUI, setting permissions using, 83–85
H
Hackers
defined, 290
targeting minor applications, 9
targeting sessions, 9
use of term in this book, 4–5
using insecure applications, 5–7
using obfuscation against, 7–9
Hard drive, Web root on nonsystem, 179
Harden an application checklist, 276–277
defined, 290
tools for programmers, 6
Hardened-PHP Group, 4
Hardened-PHP Project, 42–43, 46
Hardware, Optional updates, 187–188
High priority Windows updates, 187
Hijacking, session
defending against, 131–133
identifying login/logout points of failure, 270
patching application for, 133–136
Home Directory tab, 186–187
.htaccess files, 101
HTML
accepting from users safely, 21
preventing XSS attacks, 138–139
stripping from user input, 20–21
HTML Purifier filter, 139
htmlentities( ) function, 21, 42–44
htmlspecialchars( ) function, 21, 42–44
HTTP Requests tool, CAL9000 toolkit, 239, 244
HTTP Responses tool, CAL9000 toolkit, 240–241
HTTP, stateless, 129
httpd.conf file, Apache
copying old version of, 149
creating users and groups, 149–151
disabling unneeded options, 153–154
hiding version number/other information, 151
restricting to own directory structure, 152–153
I
IDE (integrated development environment)
defined, 290
resources for, 288
writing code using, 281–282
Identity dialog box, 181–182
IDS (intrusion detection system)
defined, 290
for malicious code, 139
for self-created files, 73
using ModSecurity as, 215–216
if( ) statement, 51–52
IIS (Internet Information Server)
reducing footprint on Web, 177–178
securing Web root, 179–187
securing Windows server environment, 167
updating operating system, 168–177
IIS Manager
creating Web sites in, 179–180
enabling only needed Web services, 185–187
setting permissions on existing sites, 109
setting up sandboxes for each Web site, 181–184
Image files
creating upload form for, 90
patching application to allow user uploaded, 88–89
testing that file is correct type, 74–75
Image recognition, for authentication, 99–100
Infrastructure functions, designing, 267–268
Inheritance, Windows, 79–82
Initialization, variable, 33
Injection attack
from buffer overflows, 42
checking length of inputs to detect, 55
cross-site scripting as, 137–139
defined, 290
identifying points of failure, 270–271
session poisoning as, 133
Input validation, 53–67
assumptions about expected user data, 55
common patterns of, 65–67
database constraints, 56
logical constraints, 56–57
patching guestbook application, 32
regular expressions and, 58–65
tainted data, 57–58
testing effectiveness of. See testing, exploit
users signing guestbook comments, 53–54
users who give you more than you asked for, 54–55
Install Updates button, Windows, 174–175
Integrated development environment. See IDE (integrated development environment)
Internet Information Server. See IIS (Internet Information Server)
Intrusion detection system. See IDS (intrusion detection system)
IP address verification, 132–133
IP Encoder tool, CAL9000 toolkit, 244
isAdmin column, user database, 114–115, 118
ISPs, and IP address verification, 133
is_uploaded_file( ) function, 74–75
K
Kernel, 145–146
L
Lazy modifiers, regular expressions, 64
Library functions, writing code using, 281
Licenses
SQL Server, 188
Windows Updates, 176
Linux
changing file permissions in, 76–87
securing server environment, 144–146
username and password system in, 101
Local filesystem, accessing, 69–71
Local vulnerability, and security alerts, 45
Logical constraints, 56–57
Login, identifying points of failure, 269–270
logout() function, 134
Logout, identifying points of failure, 269–270
Lost passwords, 98–99
M
MAC OS X
file permissions, 76–87
securing server, 144–146
username and password system, 101
Maintenance, of self-created files, 73
MAX_FILE_SIZE directive, upload forms, 90
mcrypt() function, 123–124
Memory allocation, 40–44
Metacharacters, and regular expressions, 60
Misc Tools tab, CAL9000 toolkit, 243–244
ModSecurity
as IDS for self-created files, 73
installing/enabling for Apache, 154–159
securing PHP with, 215–216
move_uploaded_file( ) function, 75
movieFile( ) function, 32–33, 88–90
Multilayered security approach, 4
mv command, movieFile( ) function, 32–33
My Computer, securing Web root, 179
MySQL
changing admin username and password, 163–164
creating new accounts for each application, 164–165
deleting default database users, 164
deleting sample databases, 165
disabling remote access, 163
upgrading or installing latest version, 159–163
N
Name field
assumptions about expected data, 55
placing logical constraints on, 56–57
signing guestbook comments, 53–54
testing for excessively long input, 54–55
Naming conventions
separating tainted from validated data, 57–58
writing self-documenting code using consistency, 281
NetBIOS, disabling for IIS server, 177
New Scan button, Web Vulnerability
Scanner, 248
NTFS permissions, Web file authentication, 112
O
Obfuscation
security myth of, 7–9
using encryption vs., 124
writing self-documenting code vs., 280–281
OCR (optical character reader), 100, 290
One-way encryption, 123
open_basedir, hardening php.ini, 217
Opening
local filesystem, 69–71
remote filesystem, 71
Operating systems
inherent insecurity of, 143–144
installing latest version of MySQL, 160–162
updating, 168–177
updating UNIX, Linux or MAC OS X, 145–146
verifying running of latest stable version, 49–50
Optical character reader (OCR), 100, 290
OptionCart, 9
OWASP PHP filters, 139
P
Passwords. See also Usernames and passwords
identifying login/logout points of failure, 269
password retention policy, 125, 290
securing SQL Server SA account, 200–202
Patterns, input validation, 65
PCRE (Perl Compatible Regular Expressions) library, 66–67, 290
PEAR (PHP Extension and Application Repository)
CAPTCHA libraries, 100
defined, 290
overview of, 285–286
Penetration testing, 225–226
Performance, ModSecurity and, 216
Perl Compatible Regular Expressions
changing safely, 76
denying to users, 107–108
PHP, 87
restrictive, 75
selecting for groups, 109–110
UNIX, Linux and MAC OS X, 76
user-uploaded image files, 88–89
Windows. See Windows file permissions, changing
PHP
buffer overflow vulnerabilities in, 37–39
changing file permissions in, 87
as inherently insecure language, 3–4
memory allocation and, 42–44
verifying running of latest stable version, 49–51
PHP Extension and Application Repository. See PEAR (PHP Extension and Application Repository)
PHP IDS Web site, 139
PHP, securing on server, 207–218
hardening php.ini, 216–218
with ModSecurity, 215–216
using latest version, 207–208, 212–213
using safe_mode, 213–214
using SuExec, 214–215
using Suhosin patch and extension, 213
using Zend Framework and Optimizer, 208–211
php.ini file
disabling PHP access to remote files, 71
hardening, 216–218
preventing remote filesystem attacks, 72–73, 90–91
session fixation defense in, 130–131
storing uploaded files in, 74
using ModSecurity to secure, 216
using safe_mode in, 213–214
ping flood attacks, 291
Points of failure, designing security, 269
Poisoning, session, 133
PowerFuzzer, 227–233
preg_match( ) function, 65–66
Primary code listing, guestbook application, 14–15
Privileges, 100–101
Programmer, becoming better, 279–284
avoid feature creep, 279–280
finding good peer reviewer, 283–284
using right tools, 282–283
write self-documenting code, 280–281
Programming languages, inherent insecurity of, 143–144
Properties. See also Permissions
configuring Web file authentication, 111–114
configuring Windows file authentication, 102–110
securing SQL Server, 200–201
benefits and features of, 246
overview of, 246
scanning application with, 247–254
Public (asymmetric) key encryption,
121–122
Published alerts, 46
R
Read permissions, 76
Really Bad Idea (term), 71
reflected XSS attacks, 137–138
Registered (authenticated) users, granting privileges to, 100–101
register_globals, hardening php.ini, 216, 217
Regular expressions (regex)
character classes, 60–61
defined, 291
greedy modifiers, 63
input validation patterns, 65–67
lazy modifiers, 64
metacharacters, 60–62
overview of, 58–59
preventing spammers with, 22–23
testing with CAL9000 toolkit, 236
Releases
MySQL, 159
PHP development, 212
UNIX, Linux or MAC OS X, 145
Remote access, disabling MySQL, 163
Remote exploits, from buffer overflows, 42
Remote filesystem
accessing, 71
preventing attacks on, 72–73
Remote vulnerability, security alerts, 45
Report button, Web Vulnerability Scanner, 252–254
Reporting style, Web Vulnerability Scanner Reporter, 252–253
Resetting passwords, 99
Resources
Apache, current release of, 147–148
Apache, disabling unneeded options, 154
CAL9000 toolkit, 234
CAPTCHA libraries, 100
CVS, 276
filters for malicious code, 139
Gibson Research Corporation password
generator, 164
ModSecurity, 155, 159, 215–216
MySQL, current release of, 159–160
PEAR, 285–286
SQL Server Management Studio
Express, 198
Suhosin patch and extension, 213
Visual SourceSafe, 275
Zend Core Website, 209–211
Review Other Updates button, Windows, 170
Rootkit
defined, 291
remote filesystem access, 71
as uploading vulnerability, 270
ROTX bit manipulation, avoiding, 124
S
safe_mode, securing PHP, 213–214, 217
Sandboxes
defined, 291
securing existing applications, 273–274
setting up for each Web site, 181–184
Sanitation, data
creating custom API for system call, 31–32
preventing remote filesystem attacks, 72–73
Sanitation, variable. See Variable sanitation
Scan button, PowerFuzzer test, 232
Scan wizard, Web Vulnerability Scanner, 248–252
Scratch Pad tab, CAL9000 toolkit, 242
Scripts
defeating spammers with CAPTCHA, 100
methodically traversing directory structures with, 7–9
preventing XSS attacks, 138–139
Scroogle Search tool, CAL9000 toolkit, 244
Security advisory sources, 45–47
Security badges, 96
Security, common misconceptions, 3–10
about minor applications, 9
about native session management, 9
about obscurity, 7–9
about single points of failure, 10
reality check, 3–5
as server issue, 5–7
Security Logins folder, SSMSE, 200–201
Security tab, Windows GUI, 83–84
Security tab, Windows properties, 80–82
Security updates, 187–188
SecurityFocus, 45–46
Self-created files, preventing attacks on, 73
Self-documenting code, writing, 280–281
Semicolons, and spammers, 22–23
Servers, 143–166
Apache. See Apache server
application hardening checklist, 276
MySQL, 159–165
programming languages, OS and, 143–144
securing UNIX, Linux or MAC OS X, 144–146
security myth, 5–6
verifying latest stable version, 49–50
ServerSignature to Off, Apache, 151
ServerTokens to Prod, Apache, 151
Service packs, updating operating system, 168–177
Services
disabling unneeded IIS server, 177–178
disabling unneeded SQL Server, 196
installing updates for necessary Windows, 172–173
Session fixation, 130–131, 133–136
Session hijacking
defending against, 131–133
identifying login/logout points of failure, 270
patching application for, 133–136
Session IDs, in session fixation, 130–131
Session poisoning, 133
Session security, 129–136
defining session variables, 129
patching application for, 133–136
session fixation, 130
session hijacking, 131–133
session poisoning, 133
types of session attacks, 129–130
Session variables, 129
session.cookie_lifetime, hardening php.ini, 217
SessionID column, user database, 114–115, 118
session_regenerate_id function, 130–131
Set User ID (SUID) bit, 28, 29
SHA algorithm, 125
SimpleTest framework, 221
SMP, disabling for IIS server, 177
Software, Optional updates, 187–188
Spammers
checking length of inputs to detect, 55
making life difficult for, 22–23
using image recognition to defeat automated scripts of, 99–100
Speed, encryption based on, 124–125
SQL injection
defined, 291
fuzz testing for, 227
how it works, 16–18
identifying points of failure, 270
on stored usernames and passwords, 117
defined, 187
installing SQL Server Management Studio Express, 198–200
installing/upgrading to latest version, 187–200
securing Windows server environment, 167
setting up DMZ, 200
steps in hardening, 200–205
updating operating system, 168–177
SQL Server Enterprise Edition, 188–198
SQL Server Express Edition, 188–198
SQL Server Management Studio Express
(SSMSE), 198–200
Square brackets ([ ]), 59
SSL/TSL, 131
SSMSE (SQL Server Management Studio Express), 198–200
Star (*), 63
Stateless, defined, 291
Stateless HTTP, 129
Storage
designing long-term, 263–267
safe file, 75
of self-created files in separate filesystem, 73
storing data securely, 278
Stored XSS attacks, 138
striptags( ) function, 20–21
strlen( ) function, 48–49
Subdirectories, setting permissions on, 110
SuExec, securing PHP with, 214–215
Suhosin patch and extension, to PHP, 213
SUID (Set User ID) bit, 28, 29
Surface Area Configuration tool, SQL Server, 195–198
Swipe cards, 96
Symmetric key encryption, 122–123
System calls, 27–34
defined, 27
encapsulating, 278
overview of, 27–28
patching guestbook application, 32–34
securing with escapeshellarg( ), 30–31
securing with escapeshellcmd( ), 30
using system binaries with SUID bit or sudo, 28–29
using system resources, 29–30
System calls API, 31–32, 51–52
System functions, validating data from, 48
System resources, system calls using, 29–30
System tests, 222–223
T
Tainted_prefix, 58
Test suites. See Proprietary test suites
penetration, 225–226
securing existing applications with, 274–275
for unexpected input, 20–21
Testing, automated, 219–224
choosing solid data, 223–224
framework for, 220–221
performing system tests, 223
performing unit tests, 222–223
resources for, 288
security implications of, 219–220
Testing, exploit, 225–254
defining, 225–226
fuzzing, overview of, 226–227
installing and configuring PowerFuzzer, 227–230
resources for, 288
testing toolkits, 233–234
using CAL9000 toolkit. See CAL9000 toolkit
using PowerFuzzer, 231–233
using proprietary test suites, 246–254
warnings about tools of, 226
Testing toolkits, 233–234. See also CAL9000 toolkit
Third-party libraries, encryption, 123–124
3DES Encryption, 124
/tmp Directory, 74–75
tmp_name variable, 74
Token verification, 132–136
Trust, Internet security and, 4
U
UNIX
changing file permissions in, 76–87
securing server environment in, 144–146
username and password system in, 101
Uploads
creating form for, 90
identifying points of failure, 270
opening local files, 70–71
patching application to allow image files, 88–90
securing application against file, 73–74
User accounts
creating in Zend, 210–211
securing MySQL by deleting default, 164–165
User agent verification, 132
User database table
adding encryption to, 126
adding to guestbook application, 118–119
storing authentication information in, 114–115
User input
identifying points of failure, 270–271
preventing XSS attacks, 138–139
sanitizing variables, 46
as source of data, 48
validating, 32
User instances, enabling in SQL Server, 194
accessing vulnerability of, 117
configuring Web file authentication, 111–114
configuring Windows file authentication, 114–115
encrypting, 115
overview of, 97–99
password encryption, 125
password strength, 116–117
placing .htaccess text file, 101
securing MySQL, 163–164
setting up sandboxes for Web sites, 182
storing information in user database, 114–115, 118–119
as “what you know” authentication, 95–96
Users. See also Administrative users;
Anonymous users
building error-handling mechanism, 19–23
configuring Web file authentication, 111–114
configuring Windows file authentication, 104–110
creating for each application in Apache, 149–151
designing security for data, 260–267
V
validateUsernamePassword( ) function, 119–120
Validation
creating authentication API, 119–120
input. See Input validation
preventing XSS attacks, 138–139
checking, 51–52
creating authentication API, 119–120
to prevent buffer overflows, 46–49
preventing XSS attacks, 138–139
securing existing applications, 277
using regular expressions for, 65–67
Variables
initializing, 33
session, 129
Verification
file upload, 74–75
IP address, 133
preventing remote filesystem attacks with, 72–73
token, 133
user agent, 132
of Windows Updates, 175
Version control system, 275–276
Versions
Apache, hiding information on, 151
Apache, using latest, 147–149
MySQL, using latest, 159–163
PHP, finding latest stable, 212–213
PHP, using latest, 207–208
SQL Server, using latest, 187–200
UNIX/Linux/MAC OS X, using latest, 145–146
verifying latest stable, 49–50
Windows, finding latest, 185
Windows, using latest, 167
Virtual directories, setting permissions on, 110
Visitors. See Anonymous users
Visual impairment, accessibility issues, 100
Visual SourceSafe, 275
VPN tokens, 96
Vulnerabilities
alerts notifying of, 46
application hardening checklist, 276–277
automated scanning of, 247–254
PowerFuzzer report on, 233
W
Web Authors group, 179
Web file access, 111–114
Web hosts, secure, 144
Web root
creating Web sites in IIS Manager, 179–180
Web root (continued)
enabling only needed Web services, 185–187
setting up on nonsystem drive, 179
setting up sandboxes for each site, 181–184
Web servers, inherent insecurity of, 143–144
Web Service Extensions folder, 185–187
Web Site Creation Wizard, 180
"What you are" authentication, 96
"What you have" authentication, 96
"What you know" authentication, 96
Windows Explorer, securing Web root, 179
Windows file permissions, changing, 77–87
configuring authentication, 102–110
explicitly selecting, 85–87
granularity of, 77–79
setting using GUI, 83–85
use of inheritance, 79–82
Windows Web server, 167, 168–177
Workflow diagram, 260–261, 272
Write permissions, 76
X
XOR bit manipulation, 124
XSS Attacks tab, CAL9000 toolkit, 236–237
defined, 137
fuzz testing for, 227
patching application to prevent, 138–139
reflected, 137–138
stored, 138
Z
Zend, 208–211
extending PHP, 207–208
Framework and Optimizer, 208–211