What is the difference between using the get or the post

Reference no: EM132711609

Lab: Secure a LAMPP Web Server

Lab creates a web server along with several web pages. Once the web site is created, we can examine and later implement security features.

The Apache web server runs on a Linux operating system and is 'the' most popular web server in use. When Linux (L) and Apache (A) are bundled with MySQL (or MariaDB; M) database and PHP (or Python or Perl; P), the bundle is commonly referred to as a LAMP web server.

An XAMPP server includes the A, the M, and both of the P's (Python and Perl). The X refers to the multiple platforms that this server can run on, including Windows OS, Mac OS, and Linux. Thus, a Windows server is sometimes referred to as WAMPP.

LAMP components can be easily installed individually with sudo apt-get commands. Instead, we will install a LAMPP server as a bundle that includes all the components. Throughout this document, our XAMPP server on a Linux platform will be referred to interchangeably as a LAMPP or XAMPP server.

Learning Exercises:
1. Install a LAMPP server
2. Create a web site
3. Consider web site security

Getting Started (optional, as needed)

If you created your Ubuntu VM with the default disk size of 10 GB, it will be necessary to free up disk space for future labs. Depending on the available disk storage on your particular host computer and virtual machine, consider any of the following recommendations. Choose what works best for you, based on how you configured your virtual machine(s).

Cloning and/or Restoring Snapshot

1. If you want to be able to use the software currently installed on your Ubuntu VM, then clone your Ubuntu VM (with Metasploit, etc., installed). Next, on either the original or the clone VM, roll back (restore) the initial snapshot taken after your Ubuntu installation.
2. If you don't have a snapshot taken after the initial installation, and you need to free up disk space on your Ubuntu VM, then delete individual software packages as explained below.

Software that can be deleted:

For the remaining course security labs, you will no longer need:
1. OWASP Juice Shop
2. Metasploit
3. Searchsploit (presumably already deleted)

Therefore, you can delete those 3 software packages from your Ubuntu virtual machine. (Instructions on how are provided below.) If you still need disk space, you could also delete:
4. Dirb
5. Nikto

Ideally, you are able to keep nmap and wireshark installed on your Ubuntu VM in case we use it again. However, if you still need even more disk space after deleting dirb and nikto, then you can delete the following packages. Both are easy to reinstall if necessary:
• Wireshark
• Nmap

#1. Install a LAMPP web server

1. Open the web browser in your Ubuntu VM and download the XAMPP server for Linux on your Ubuntu VM. When prompted, choose "save" instead of open.


2. Verify that the SHA-1 checksum (aka hash) value provided matches the SHA-1 hash value you generate.
3. Assign access permissions to the XAMPP installer and run the server following these instructions:

a) At the terminal prompt, type:
• cd Downloads
• chmod 755 xampp-linux-x64-7.2.34-0-installer.run (assigns permissions)
• sudo ./xampp-linux-x64-7.2.34-0-installer.run (runs the installer file)

• We install both the XAMPP core and developer files.
• We will not install any Bitnami add-ons.
b) At the end of the install, keep the default setting to Launch the XAMPP server.
c) Note: after you're comfortable that the LAMPP server is installed and running fine, you can delete the installer.run file that was downloaded since it takes up 152 MB disk space.
4. Confirm the Apache server was installed:
a. In your browser within Ubuntu, go to: localhost
b. The XAMPP banner page should display in the browser window
c. Take a screen shot showing the XAMPP banner page

5. Within the terminal window, return to the root directory: cd

Start the XAMPP Control Panel

(Return to the instructions in this step whenever you want to start up XAMPP.)

6. Bring up the XAMPP control panel. It may already be open in Ubuntu from the previous section when you created an XAMPP web server. In that case, toggle (Ctrl + Tab) over to that window.
• Otherwise, launch the XAMPP control panel. From the root directory, type:
sudo /opt/lampp/manager-linux-x64.run
• When the control panel appears, click on the Manage Servers tab.

• We need both the Apache web server and MySQL database started. It's fine to either leave the ProFTPD service running or stop it.

#2. Create a MySQL Database

"phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide range of operations on MySQL and MariaDB. Frequently used operations (managing databases, tables, columns, relations, indexes, users, permissions, etc) can be performed via the user interface, while you still have the ability to directly execute any SQL statement."

7. Open phpMyAdmin. At the browser address bar, go to: localhost/phpmyadmin
The phpMyAdmin console appears:

8. Create a database. Enter as the database name "yourFirstName_db", changing "yourFirstName" to your actual first name. Click on "Create".
a) For the table name, type: users
b) Set "Number of columns" to 3 and click on "Go".
c) Define 3 columns (id; username; and password) in the users table using the following column names, data type, and max length. For the "id" column, scroll to the right side of the window and select "AI" for "auto-increment." The table schema will look like:

d) On the table structure page, click on the checkbox to select the id column, and then click on the Primary icon.

9. Create a new table within the yourFirstName-cyber-db database. In the left-side navigation bar within the phpMyAdmin console, click on "New."

a) For the table name, type: list
b) Set "Number of columns" to 7 and click on "Go".
c) Define 7 columns as follows and then click on Save. (The second column name is "topic". Also notice that the first column "id" has a checkbox in the "A_I" column. A_I stands for auto-increment.)


By default, the root user in phpMyAdmin does not use a password.
However, a database password is needed for "mysqli" commands. So, we need to assign a password to phpMyAdmin. I used "ist656". (When you get to the PHP code in the steps below, notice how this password must be included in mysqli commands within the PHP code and the $link parameter.)

The issue now is that once you close the browser window with PHPMyAdmin loaded, the next time you try to log in, you'll receive a password-related error message. In order to get past this error message, we have to edit the PHPMyAdmin config file and add the password to the file. Yes, this is horrible!!! In general, it is very bad practice to hardcode a password in configuration (or any other) files. This may only be required when using an XAMPP package; I'm not sure. So, in a real-world setting, we would need to figure out how to make this work without hard-coding a password into the config file. In searching on how to resolve the error message, adding the password to the config file is the common recommendation. So for now, let's do that so we can continue with the lab.

cd /opt/lampp/phpmyadmin
ls
sudo nano
add the lines shown in the following screen shot. Also set "AllowNoPassword" to false.

#3. Add data to the database

10. In the Ubuntu VM's browser, go to the PHPMyAdmin interface: localhost/phpMyAdmin

11. Within the PHPMyAdmin browser interface, click on the SQL tab. Copy and paste the following SQL statement into the text box, and click on Go.

INSERT INTO `list` (`id`, `topic`, `date_posted`, `time_posted`, `date_edited`, `time_edited`, `public`) VALUES
(2, ' Application security ', 'November 17, 2020', '13:48:18', '', '00:00:00', 'no'),
(3, ' Network security ', 'November 17, 2020', '04:47:49', '', '00:00:00', 'yes'),
(4, 'Mobile device security', 'November 17, 2020', '04:48:11', '', '00:00:00', 'yes'),
(5, 'IoT security', 'November 17, 2020', '04:48:26', '', '00:00:00', 'yes'),
(6, ' Penetration testing ', 'November 17, 2020', '04:49:23', '', '00:00:00', 'no'),
(7, ' Cyber threat intelligence ', 'November 17, 2020', '04:49:49', '', '00:00:00', 'no');

12. Take a screen shot of the data added to the list table. You can click on the "SQL" tab and type "select * from list." Alternatively, click on the table name from the side navigation bar, and then click on the Browse tab. In your screen shot, include the data as well as the URL in the browser that should display your database name.

#4. Create Web Pages in PHP

13. Open a terminal window in Ubuntu and change directory to the location of the LAMPP server: cd /opt/lampp
14. View the contents of the lampp directory: ls -l
15. In an XAMPP server, files are served from the "htdocs" sub-directory by default. Let's go to that directory: cd htdocs (this assumes you were already in /opt/lampp directory)
16. Create a sub-directory within the htdocs directory:
a) sudo mkdir yourFirstName-cybertalk (replace "yourFirstName" with your actual first name; no leading slash, so the directory is created inside htdocs rather than at the filesystem root)
b) go to the directory: cd yourFirstName-cybertalk
17. Download from Blackboard and save the following .php files in the /opt/lampp/htdocs/yourFirstName-cybertalk directory on your Ubuntu VM:
Index.php
Register.php
Login.php
Checklogin.php
Home.php
Add.php
Edit.php
Delete.php
• The PHP code in these files originated from Kristian Guevara at https://www.codeproject.com/articles/759094/step-by-step-php-tutorials-for-beginners-creating. The original code is available at https://github.com/kristianguevara/MyFirstWebsite. Code changes were made for this lab in order to convert Guevara's use of mysql_connect() and related commands from PHP version 5.4 to mysqli_connect() and the related functions used in PHP version 7. Several bug fixes were made. A couple of security features were added. The code was also slightly adapted to a 'cybersecurity' theme.
• The add.php and edit.php web pages allow you to click on the add or edit button and do not produce any error messages. However, these pages don't actually result in a topic being added or edited (i.e., don't work properly). That's fine for our purposes. However, if you get either working, submit the revised code on Blackboard with the code revisions highlighted, and make a note in your homework document. Extra credit is possible.
18. Open each of the .php files in gedit ("sudo gedit filename").
• In the first file you open within the gedit text editor, change "plain text" to "PHP" so that the text is color-coded in accordance with PHP coding keywords:

19. Edit each .php file as needed to:
• Search and replace "Gypsy" (my Ubuntu username) with your Ubuntu username
• replace the database name "gypsy_db" with your username_db (note: use an underscore, because a hyphen in the database name will not work.)
• make any desired enhancements (optional)
• Notice the PHP code. For explanations of the various PHP commands, see https://www.codeproject.com/articles/759094/step-by-step-php-tutorials-for-beginners-creating. Keep in mind that the tutorial used an older version of PHP, so it is possible that a command shown has been deprecated (e.g., all the mysql commands are now mysqli).
As an example, in the following code, you would edit the title:

<html>
<head>
<title>yourFirstName's Cyber Talk</title>
</head>
<body>
<?php
echo "<p>Hello Cybersecurity Enthusiasts!</p>";
?>
<a href="login.php">Click here to login</a>
<br>
<br>
<a href="register.php">Click here to register</a>
</body>
</html>

20. Register a new user on the web page.
a. Use your first name as the username and any password you'd like.
b. Take a screen shot of the popup box indicating the registration was successful.
21. Log into the site using your new username and password.
22. Confirm that your web site works.
a) In your Ubuntu VM's browser, type: localhost/yourFirstName-cybertalk, replacing "yourFirstName" with the name of your web site's directory
b) Take a screen shot of each of the following web pages that includes the browser URL and the web page content:
I. Home.php
II. edit.php
III. Index.php

23. When finished with XAMPP, "stop all" services on the "Manage Servers" tab and close window.

Post-Lab Questions

24. In the web pages that accept user input, what command is used to prevent a SQL injection attack? ________

25. In the web pages that accept user input, what is the difference between using the GET or the POST command? Which is better for security?

26. View the OWASP Top 10 for the "Broken Authentication" (A2 risk) at https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/. Moreover, see "Scenario 3" (p. 8) that describes session timeout vulnerabilities. The code in Lab 8 only ends an authenticated (i.e., logged-in) user's session when the user clicks on the "logout" button that subsequently calls the logout.php code. How and where can the security be improved once a session is established with PHP's session_start() command? For example, is there a session timeout command or parameter that can be used? If so, where? Or are there other solutions that can prevent the OWASP Top 10 A2 risk?

27. Does mysqli used in PHP version 7 offer any security advantages over the deprecated mysql? Provide a URL to the source of your answer.

28. The autocomplete attribute was added to the HTML form command in the login.php code. Why was this needed? In other words, how was security improved by adding this attribute on this particular web page?

29. Have you noticed any other security vulnerabilities or areas where security could be improved for this web site?
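As an added illustration (not the lab's own checklogin.php or any of Guevara's files), the following PHP ties together two points raised above: the mysqli connection whose $link carries the database password, and ending an authenticated session by some means other than the user clicking logout.php. The database name yourFirstName_db, the root user, the LAMPP_DB_PASSWORD environment variable and the 15-minute timeout are assumptions; the password is read from the environment rather than written into the file, which is the hard-coding the phpMyAdmin step had to accept.

```php
<?php
// Added example, not the lab's checklogin.php: a login check against the lab's
// `users` table (id, username, password) via a mysqli prepared statement, plus
// an idle timeout for the session opened by session_start(). Assumed: database
// yourFirstName_db, user root, password in env var LAMPP_DB_PASSWORD (not hardcoded).
const IDLE_TIMEOUT_SECONDS = 900; // assumed: expire after 15 idle minutes

function db_connect(): mysqli
{
    $db_pass = getenv('LAMPP_DB_PASSWORD'); // the $link password, kept out of the file
    if ($db_pass === false) {
        throw new RuntimeException('LAMPP_DB_PASSWORD is not set');
    }
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli('localhost', 'root', $db_pass, 'yourFirstName_db');
}

// Returns the user's id or null; the username is bound, never spliced into the SQL.
function check_login(mysqli $link, string $username, string $password): ?int
{
    $stmt = $link->prepare('SELECT id, password FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row !== null && password_verify($password, $row['password'])) { // assumed: password_hash() values
        return (int) $row['id'];
    }
    return null;
}

// Call after session_start() on every page: ends an idle session, not only on logout.php.
function enforce_idle_timeout(): bool
{
    $last = $_SESSION['last_activity'] ?? 0;
    if ($last !== 0 && time() - $last > IDLE_TIMEOUT_SECONDS) {
        $_SESSION = [];
        session_destroy();
        return false; // caller redirects to login.php
    }
    $_SESSION['last_activity'] = time();
    return true;
}
session_start();
if (!enforce_idle_timeout()) {
    header('Location: login.php');
    exit;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') { // POST keeps credentials out of the URL
    $id = check_login(db_connect(), $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($id !== null) {
        session_regenerate_id(true); // fresh session id after a successful login
        $_SESSION['user_id'] = $id;
        header('Location: home.php');
        exit;
    }
}
```

Set LAMPP_DB_PASSWORD in the Apache environment (for example via an Apache SetEnv directive or the service's environment), then drop the file into the yourFirstName-cybertalk directory and post the login form to it.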

Attachment:- Secure a LAMPP Web Server.rar


