2021 OWASP Top 10, #5 (A05): Security Misconfiguration
2022-07-27 05:17:00 【W0ngk】
In web applications, security problems caused by misconfiguration are common. The typical cases are Apache configuration issues, Nginx configuration issues and Tomcat configuration issues. Below we briefly walk through the configuration of these three pieces of server software.

1. Apache security configuration issues
Apache's configuration file is httpd.conf. Before starting our own web application we first need to adjust it.
If we want Apache to hand files with the .php extension to the PHP interpreter (the x-httpd-php handler), we add the directive AddHandler application/x-httpd-php .php to the configuration file.

Before going further we need to know one basic characteristic of Apache: mod_mime allows a file to have multiple extensions, and it supports running different handlers for different extensions. Once the option above is configured, any file whose name contains a .php extension anywhere in it, not only at the end, is handed to the PHP interpreter.
Here we use a lab target as the example:
First upload test.php.xyz.jpg with the content: <?php phpinfo();?>
By normal logic the server should serve this file as an image.
Now we edit the Apache configuration, add AddHandler application/x-httpd-php .php and restart the Apache2 service.
Then we visit the uploaded file; the response becomes:

As you can see, the malicious PHP code we uploaded has been executed; at this point the web application is no longer safe.
So if the web application's administrator configures this option, an attacker can use it to bypass upload restrictions (a whitelist that only checks the last extension still sees a .jpg) and get a shell. The safe form is to bind the handler only to names that end in .php, for example SetHandler application/x-httpd-php inside a <FilesMatch "\.php$"> block, and to disable script execution in upload directories altogether.
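The following Python model shows why the multi-extension name slips through. It is an added example, not code from the original post or from Apache: it re-implements just enough of mod_mime's extension handling to contrast the AddHandler directive with an end-anchored FilesMatch rule, and adds a small audit function for httpd.conf. The directive strings and file names are constructed for the example.

```python
import re

# Constructed sample directives for the two configuration styles (added example,
# not the lab configuration from the original post).
VULNERABLE_DIRECTIVE = "AddHandler application/x-httpd-php .php"
HARDENED_DIRECTIVE = r'''<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>'''

PHP_HANDLER = "application/x-httpd-php"


def mime_extensions(filename):
    """mod_mime treats every dot-separated segment after the first as an extension:
    'test.php.xyz.jpg' -> ['php', 'xyz', 'jpg']."""
    basename = filename.rsplit("/", 1)[-1]
    return [p.lower() for p in basename.split(".")[1:] if p]


def handler_with_addhandler(filename, handler_map=None):
    """Model of AddHandler: every extension in the name is looked up, and a later
    extension only replaces the handler if it sets one itself. '.jpg' only sets a
    Content-Type, not a handler, so '.php' anywhere in the name wins."""
    if handler_map is None:
        handler_map = {"php": PHP_HANDLER}
    chosen = None
    for ext in mime_extensions(filename):
        if ext in handler_map:
            chosen = handler_map[ext]
    return chosen


def handler_with_filesmatch(filename, pattern=r"\.php$"):
    """Model of SetHandler inside <FilesMatch "\\.php$">: the regex is anchored to
    the end of the name, so only a file that really ends in .php gets the handler."""
    basename = filename.rsplit("/", 1)[-1]
    return PHP_HANDLER if re.search(pattern, basename) else None


def find_risky_addhandler(conf_text):
    """Audit httpd.conf text: return the AddHandler/AddType lines that bind the PHP
    handler to an extension, the pattern that enables the multi-extension bypass."""
    hits = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if re.match(r"(?i)Add(Handler|Type)\s+application/x-httpd-php\b", stripped):
            hits.append(stripped)
    return hits
```

Run the two handler functions on uploads/test.php.xyz.jpg: the AddHandler model returns the PHP handler, the FilesMatch model returns None, which is exactly the difference between the lab result above and the hardened configuration.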
2. Nginx security configuration issues
Nginx is a high-performance HTTP and reverse-proxy server that runs on Unix-like systems including Linux. It is widely deployed, second only to Apache among web servers, and its share keeps rising year by year.
When nginx is not configured properly it can cause security problems just as well.
The following is the configuration of one virtual host in Nginx:
server {
    listen 8080;
    root /usr/share/nginx/html;
    index index.html;
    server_name _;
    location / {
        return 302 https://$host$uri;
    }
}
In this configuration the problematic part is the return line inside location /; we only need to look at this:
return 302 https://$host$uri;
$host can be understood simply as the Host header value. $uri is the key to the problem: it is the normalized, percent-decoded request path. Suppose the attacker sets the request URL to:
http://ip:port/%0a%0dSet-Cookie:%20a=test
In this URL %0a decodes to LF, %0d decodes to CR and %20 decodes to a space. When Nginx substitutes the decoded $uri into the Location header, those raw line-break bytes land inside the response header, the header line is split, and a Set-Cookie: a=test header is injected into the response. This is CRLF injection (HTTP response splitting). Note that the payload sends LF followed by CR rather than the canonical CR LF; most clients also accept a bare LF as a line terminator, so the injection works anyway.
Let's test it: requesting 127.0.0.1:8080/%0a%0dSet-Cookie:%20a=test redirects to https as expected, but the response also carries our Set-Cookie header, so the CRLF injection succeeded. The fix is to use $request_uri, the original request line as the client sent it, still percent-encoded, instead of the decoded $uri: return 302 https://$host$request_uri;
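To make the difference between $uri and $request_uri concrete, here is a Python model of the redirect. It is an added example, not nginx code and not from the original post: it builds the 302 response that the vulnerable and the fixed return lines would produce for the request above, then parses the result the way a tolerant client does (CRLF, bare LF and bare CR all end a header line) and reports any header that nginx never meant to send. The host and request target are constructed, and the $uri model is simplified to percent-decoding without nginx's full path normalization.

```python
import re
from urllib.parse import unquote

# Constructed request, the same shape as the one used against the lab host above.
HOST = "127.0.0.1:8080"
RAW_TARGET = "/%0a%0dSet-Cookie:%20a=test"


def nginx_uri(raw_target):
    """Model of $uri: the request path after percent-decoding, without the query
    string (simplified: nginx also normalizes the path). Decoding is what turns
    %0a%0d into real line-break bytes."""
    path = raw_target.split("?", 1)[0]
    return unquote(path)


def nginx_request_uri(raw_target):
    """Model of $request_uri: the original request target exactly as sent."""
    return raw_target


def redirect_response(host, raw_target, use_request_uri):
    """Build the 302 that 'return 302 https://$host$uri;' (vulnerable) or
    'return 302 https://$host$request_uri;' (fixed) would emit."""
    path = nginx_request_uri(raw_target) if use_request_uri else nginx_uri(raw_target)
    return (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        "Server: nginx\r\n"
        f"Location: https://{host}{path}\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def parse_headers(response):
    """Parse the head of a response like a tolerant client: CRLF, bare LF and
    bare CR all terminate a header line. Returns lower-cased name -> value."""
    head = response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in re.split(r"[\r\n]+", head)[1:]:  # [0] is the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def injected_headers(response):
    """Names of headers a client sees that the configuration never intended."""
    expected = {"server", "location", "content-length"}
    return sorted(set(parse_headers(response)) - expected)


def is_safe_header_value(value):
    """The check a header-writing API should apply: no CR or LF in a value."""
    return "\r" not in value and "\n" not in value
```

With the vulnerable line the parsed response contains a set-cookie header equal to a=test; with $request_uri the Location value still carries the literal %0a%0d text and no extra header appears.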

3. Tomcat security configuration issues
Tomcat is a free, open-source web application server. It is lightweight and widely used in small and medium systems with modest concurrency. It is an Apache Software Foundation project and is often deployed behind Apache httpd, but it is an independent server: when you run Tomcat it runs as its own process, separate from Apache httpd.
Tomcat has a well-known security configuration problem, CVE-2017-12615. The specific issue: when Tomcat runs on a Windows host and the readonly init-param of the DefaultServlet in conf/web.xml is set to false, then if the HTTP PUT method is enabled an attacker can write arbitrary files, including JSP, into the web root. It is similar to the IIS PUT upload vulnerability. (CVE-2017-12615 was assigned for Tomcat 7.0.0 to 7.0.79 on Windows; the follow-up CVE-2017-12617 covers the same readonly=false file write on all platforms for 7.0.0 to 7.0.81, 8.0.0.RC1 to 8.0.46, 8.5.0 to 8.5.22 and 9.0.0.M1 to 9.0.0, which is why the 8.5.19 target below is affected.)
Let's test it. The target shows Tomcat 8.5.19:

Then we scan the target with a vulnerability scanner:

The scan results show that the target has several vulnerabilities, including the Tomcat PUT vulnerability. We then run a Tomcat PUT exploit tool against it:

The exploit succeeds and we obtain a shell on the target with the privileges of the Tomcat process, administrator on this lab host.
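Whether a Tomcat instance is exposed this way can be read off conf/web.xml before any scanner runs. The Python audit below is an added example, not Tomcat code and not from the original post: it extracts the effective readonly value of the DefaultServlet (Tomcat defaults it to true when the param is absent) and checks whether a security-constraint with an empty auth-constraint denies PUT and DELETE for every path. The two web.xml fragments are constructed and contain only the elements the check inspects; a real file is much larger.

```python
import xml.etree.ElementTree as ET

# Constructed conf/web.xml fragments (added example, not the post's lab files).
VULNERABLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Strip the XML namespace so the checks work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def _texts(el, name):
    return [(c.text or "").strip() for c in _children(el, name)]


def _text(el, name):
    found = _texts(el, name)
    return found[0] if found else ""


def default_servlet_readonly(web_xml):
    """Effective readonly value of the DefaultServlet; absent means true."""
    root = ET.fromstring(web_xml)
    for servlet in _children(root, "servlet"):
        if _text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in _children(servlet, "init-param"):
            if _text(param, "param-name") == "readonly":
                return _text(param, "param-value").lower() != "false"
    return True


def write_methods_constrained(web_xml, methods=("PUT", "DELETE")):
    """True if a security-constraint whose <auth-constraint/> names no role
    (deny everyone) covers every listed method under the /* pattern."""
    root = ET.fromstring(web_xml)
    covered = set()
    for sc in _children(root, "security-constraint"):
        auth = _children(sc, "auth-constraint")
        if not auth or _children(auth[0], "role-name"):
            continue  # no constraint, or one that lets some role through
        for wrc in _children(sc, "web-resource-collection"):
            if "/*" in _texts(wrc, "url-pattern"):
                covered.update(m.upper() for m in _texts(wrc, "http-method"))
    return all(m in covered for m in methods)


def audit_web_xml(web_xml):
    """List the misconfigurations that enable the PUT file-write issue."""
    findings = []
    if not default_servlet_readonly(web_xml):
        findings.append("DefaultServlet readonly=false: PUT can write into the webapp")
    if not write_methods_constrained(web_xml):
        findings.append("PUT/DELETE are not denied by a security-constraint")
    return findings
```

Setting readonly back to true is the actual fix; the security-constraint is defence in depth that keeps PUT and DELETE blocked even if someone flips the parameter again later.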
4. Security configuration principles
To avoid security misconfiguration, follow these principles when configuring a web application:
- Minimal services
Shut down or restrict services the web application does not need, so that attackers cannot launch malicious actions through them.
- Generic error reporting
Configure the web application's error pages generically, so that error output does not contain details such as stack traces, file paths or version strings, and sensitive information is not leaked that way.
- Change default account information
Change the default accounts and passwords of the web application and its management consoles, and use complex passwords; otherwise an attacker can easily guess the credentials and log into the application's admin backend.