Linux Blog

Securing PHP Web Applications Review

Filed under: General Linux — TheLinuxBlog.com at 11:43 am on Friday, February 27, 2009

Securing PHP Web Applications

As a somewhat seasoned PHP developer, I’m always looking for ways to improve code and keep up with the latest happenings. When I saw the book “Securing PHP Web Applications” from Addison-Wesley, I thought I’d give it a look. PHP is known for its wide deployment and rapid development. Unfortunately, with such a large user base, it is not uncommon to see mistakes in development. Often developers are unaware that what they are doing is insecure. This book addresses important security concerns every developer should be aware of.

The first ten chapters are on programming practices which, if you’re a system administrator, may not interest you. If you are a developer, you should know and understand them, be able to fix them and, of course (the fun part), be able to exploit them for demonstration.

Chapters 11, 12 and 13 are essential reading for any system administrator who will be supporting a LAMP or WAMP stack. The IIS chapter may not apply to those reading this blog, since we all know that securing IIS is not necessary when you’re running Linux. The chapters on securing PHP, MySQL and Apache outline the basic concepts and give some important pointers that may not be obvious to everyone.

Chapter 14 (Introduction to Automated Testing) and Chapter 15 (Introduction to Exploit Testing) have really opened my eyes to methods I have not used before. We’ve all heard of Selenium and PHPUnit, but what about CAL9000 and PowerFuzzer? I’ll be off to try them soon. I can always appreciate applications designed to help secure applications. Nessus, Nikto and Metasploit get no mention in this book, but now that you’ve read this review you’ll know to look into those as well.

Chapter 16 is on designing secure applications and Chapter 17 is on patching, which would have been useful to me for explaining to someone why they shouldn’t be working directly on their production site (and, to make things worse, with no version control).

There are so many products out there that are vulnerable to some of these attacks; we see them every day on the security lists. I think that any company or developer of PHP-based web applications should have a keen grasp of the concepts outlined within the pages of this book.

I do not think, however, that “Securing PHP Web Applications” is a book that is necessarily intended for every developer out there. I think it’s a great book for anyone with an active interest in security who has been developing for a while but would like some pointers on how to secure their web apps, or a reference for developers in need.

For more information and a sample chapter, please visit the publisher page: http://www.informit.com/title/0321534344 or if you subscribe to Safari Books Online you can access the complete book here: http://techbus.safaribooksonline.com/9780321534347

Stop Copying Windows?

Filed under: General Linux — TheLinuxBlog.com at 9:10 am on Thursday, August 7, 2008

From InformationWeek I quote:

“Stop copying 2001 Windows. That’s not where the usability action is”

By this I think that Bob Sutor (VP of Open Source and Standards at IBM) meant that he didn’t want Linux developers to make a desktop OS. The article goes on to explain how he would like to see further developments in virtualization and in making Linux more “green.” He believes that the Linux community has not done enough.

He’d like to see Linux take advantage of the small business market and help lower costs to businesses, but in order to do this “turnkey” applications have to be made that require little maintenance. I believe that small and medium businesses can lower costs by running Linux technologies in the web applications market, but not necessarily with desktop applications. Maybe this is something that should be leveraged? It would be hard to find open source developers who will work on a project that they have little interest in yet profits companies. But if an open source application became more mainstream, then the developers would naturally follow as the application grew. It’s sort of a catch-22. Which came first, the chicken or the egg?

Anyway, I thought it was an interesting article and I think that Bob Sutor should become an open source motivational speaker. Maybe IBM can fund a conference to get the Linux community to actually do something, because they’re getting tired of waiting. I mean, how hard could it possibly be to motivate developers to create “turnkey business solutions” that will make IBM a ton of money?

Using Bash Scripts in Web Applications

Filed under: Shell Script Sundays — TheLinuxBlog.com at 2:22 pm on Sunday, May 25, 2008

Using bash scripts for web applications is not exactly rocket science, nor is it necessarily the best idea in the world, but it can be handy if you already have a bash script and want to use its functionality on the web. There are a couple of ways to use bash scripts on the web.

The first that I know of is as a CGI. All you have to do for this one is put the script in a directory Apache treats as a cgi-bin (a ScriptAlias directory) or allow files with the extension .cgi to be executed (Options +ExecCGI together with AddHandler cgi-script .cgi); both are configured in your httpd.conf file. The script itself has to print the HTTP headers, at least a Content-Type line followed by a blank line, before any other output.

The second is to use another scripting language to call the script. The easiest way for me is to use PHP. A system call to the script file can be made using the exec() function, which returns the last line of the script’s output (pass a second argument to collect every line in an array). Just make sure that the file has execute rights for the user that your web server runs as. Here is an example of using the exec() function in PHP:

$output = exec('/usr/local/bin/yourscript.sh');

The third method is to use Server Side Includes (SSI) to include the script. SSIs need mod_include and Options +Includes on the directory; note that the IncludesNOEXEC variant deliberately disables #exec, so on many hosts this method is blocked. I personally am not familiar with setting up SSIs, but this is how you execute a command from within an SSI:

<!--#exec cmd="/usr/bin/date" -->

Whichever method you choose, precautions have to be taken. Make sure that all inputs are validated so that a user cannot escape the command, pipe output to another file or manipulate the system in some other way. In PHP this is easy to do: check the value against an allowlist before it ever reaches exec(), and wrap it in escapeshellarg() so the shell treats it as a single literal argument. I can not speak for CGIs or SSIs. A CGI shell script that expands $QUERY_STRING unquoted has exactly the same command injection problem, and an SSI #exec runs with the web server’s privileges just like the other two. I hope this gives some insight into how you can run bash scripts in your web application. If you have any other methods, such as using mod_python or maybe Tcl, please post them as a comment!
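As an added example (not code from the original post), here is the exec() approach with untrusted input done both ways: the vulnerable concatenation beside a hardened version that validates the value against an allowlist and quotes it with escapeshellarg(). The script path is the post’s own placeholder; the host query parameter, and the assumption that the script takes a single hostname argument, are mine. run_unsafe() is shown only for contrast and is never called.

```php
<?php
// Added example, not from the original post. /usr/local/bin/yourscript.sh is
// the post's placeholder script; it is assumed here to take one hostname
// argument and print some lines to stdout.

// VULNERABLE. The raw query-string value is concatenated into the command
// line, so shell metacharacters in it are interpreted by /bin/sh. A value
// such as "example.com; id" terminates the intended command and runs a
// second one with the privileges of the web server user. Never deploy this.
function run_unsafe(string $host): string
{
    return exec('/usr/local/bin/yourscript.sh ' . $host);
}

// HARDENED. Two independent layers:
//  1. reject anything that is not a plausible hostname before a shell is
//     involved (allowlist validation, not a blocklist of "bad" characters);
//  2. pass the value through escapeshellarg(), which single-quotes it and
//     escapes embedded single quotes, so the shell sees one literal argument
//     whatever the value contains.
function run_safe(string $host): array
{
    // Letters, digits, dots and hyphens; must start and end with an
    // alphanumeric; 1 to 253 characters in total.
    if (!preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$/', $host)) {
        throw new InvalidArgumentException('host must be a plain hostname');
    }

    $cmd = '/usr/local/bin/yourscript.sh ' . escapeshellarg($host);
    // With the extra arguments exec() fills $output with every line of
    // stdout and $exitCode with the script's exit status.
    exec($cmd, $output, $exitCode);
    if ($exitCode !== 0) {
        throw new RuntimeException("yourscript.sh exited with status $exitCode");
    }
    return $output;
}

header('Content-Type: text/plain; charset=utf-8');
try {
    $lines = run_safe($_GET['host'] ?? '');
    echo implode("\n", $lines), "\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request: ', $e->getMessage(), "\n";
} catch (RuntimeException $e) {
    // Log the detail server-side; do not echo the command or exit code.
    error_log($e->getMessage());
    http_response_code(500);
    echo "Script failed\n";
}
```

Drop it in your document root and request it with ?host=example.com, then try ?host=example.com;id and compare: the second request is rejected by the allowlist before exec() is reached, and even if the check were removed, escapeshellarg() would hand the whole string to the script as one argument. The web server user still needs execute permission on the script, and if the script itself runs anything as root none of this helps, so keep its privileges as low as the job allows.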

Facts About Selenium

Filed under: General Linux,Linux Software — TheLinuxBlog.com at 9:22 pm on Friday, March 28, 2008

Selenium is a chemical element. What you may not know is that Selenium is also a powerful testing tool for web applications. Selenium runs its tests directly in a browser, just like real users do. It is cross-platform, and the developers plan to have it for the iPhone, but that’s another story. Selenium can run in one of two modes, Core and Remote Control (RC). With RC, the server that drives the browser can run on a different machine from your test code, so tests can be spread across several hosts, somewhat like a distributed build farm spreads compilation across multiple CPUs. There is an IDE for Selenium that can be used to learn Selenium easily.

Enough Facts About Selenium already!

What exactly can you do with Selenium?

Well, the answer is simple. Pretty much anything that you can do with a browser, Selenium can do. Its primary purpose is for developers to use as a quality assurance tool. For QA purposes you can create test cases, run them and verify that the end result is what you expected. You can create test cases in Java, Ruby, Python, Perl, PHP or .NET.

I had a little trouble getting the Selenium driver for PHP installed, so here is the how-to:

sudo su
pear channel-update pear.php.net
pear install Testing_Selenium-beta
pear install PHPUnit
exit

The above allowed PHP to communicate with the Selenium Remote Control that I downloaded. Here is an example from their website that I have modified so that it works:

<?php
// Requires the PEAR Testing_Selenium package and a running Selenium RC
// server (by default on localhost:4444, which the client assumes).
set_include_path(get_include_path() . PATH_SEPARATOR . './PEAR/');
require_once 'Testing/Selenium.php';

class GoogleTest
{
    private $selenium;

    public function setUp()
    {
        // Launch Firefox through Selenium RC with google.com as the base URL.
        $this->selenium = new Testing_Selenium("*firefox", "http://www.google.com");
        $this->selenium->start();
    }

    public function tearDown()
    {
        $this->selenium->stop();
    }

    public function testGoogle()
    {
        $this->selenium->open("/");
        $this->selenium->type("q", "hello world");
        $this->selenium->click("btnG");
        // Timeout is given in milliseconds.
        $this->selenium->waitForPageToLoad("10000");
        $title = $this->selenium->getTitle();

        // The first check should pass; the second is deliberately wrong so
        // you can see what a failed check looks like.
        $this->assertTitleMatches("/Google Search/", $title);
        $this->assertTitleMatches("/Yeahh Search/", $title);
    }

    public function assertTitleMatches($regEx, $string)
    {
        if (preg_match($regEx, $string)) {
            echo "PASS: title matches $regEx\n";
        } else {
            echo "FAIL: title '$string' does not match $regEx\n";
        }
    }
}

$google = new GoogleTest();
$google->setUp();
$google->testGoogle();
$google->tearDown();
?>

Before attempting to run this you must make sure that you have downloaded Selenium RC and that it is running. Selenium runs on Java, so make sure that Java is installed. Download Selenium from here, unzip it, and run the following in the directory it was extracted to:

cd selenium-remote-control-1.0-beta-1
cd selenium-server-1.0-beta-1
java -jar selenium-server.jar -interactive

Once this is running you can start scripting with PHP to get Selenium to do anything that you want. Once you are done, make sure that you exit the Selenium server by typing “exit” at the prompt.

I’m sorry about the format of this post; it’s been a while since I have used Selenium and I’m quite excited about it. If you have any questions about Selenium, post them here and I will try to answer them for you.

Comments Are Back!

Filed under: The Linux Blog News — TheLinuxBlog.com at 4:03 am on Saturday, December 8, 2007

Ok, I’ve decided to add comments back to The Linux Blog. The idea behind comments is that people post comments for help, advice, questions, comments on the article or just to be nice. Before, this was not happening, so I turned them off. Now I’ve added them back, hoping that people will actually comment.

The spam problem has been fixed, and we should not see any spammy comments since posters now have to be approved.

I’ll leave them on for a while and see how it does. In other news I’ve been writing like mad, trying to get some good articles written.

On the list of stuff to write are a couple of Shell Scripting articles, one about IP soft phones for Linux, battery life and optimization, and virtualization. I also have some tutorials that I would really like to write to help people out with WordPress and other web applications that run on open source software, such as MediaWiki.

If you have any questions, or would like to request something, now you can actually just comment, so go ahead and leave a comment.