This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "SCG WS Apache"

From OWASP
Misconfigurations

Server-status

A common misconfiguration is to have the mod_status handler (server-status) enabled without restricting who may access it.

When navigating to the website's URL followed by /server-status, an HTML page is shown listing every client IP address currently connected to the server (with ExtendedStatus On, also the request each one is making) and the software running on the server.

This can be very embarrassing, and it can be dangerous for people running websites as Tor hidden services, because it will reveal their IP address.

Read more about it here:

Mod Status Apache: http://httpd.apache.org/docs/2.2/mod/mod_status.html
Blog post on server-status showing some sites with server-status enabled: http://blog.sucuri.net/2012/10/popular-sites-with-apache-server-status-enabled.html
 
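The following POSIX shell script is an added example; it is not part of the OWASP page or of the Apache project. It checks the exposure described above from two sides: a probe of a running server (curl, needs network) and an audit of a configuration file that classifies the first <Location /server-status> block as absent, open or restricted, handling both the 2.2 (Order/Allow/Deny) and the 2.4 (Require) directive families. File names, the URL and the sample configurations are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the OWASP page or the Apache project: audit whether
# the mod_status handler at /server-status is reachable from anywhere.
# Config file paths and URLs are assumptions; the sample configs below are
# constructed for illustration.

# Classify the first <Location /server-status> block of an Apache config file.
# Prints "absent" (no such block), "open" (no access rule at all, or
# "Require all granted" / "Allow from all"), or "restricted" (a Require
# ip/host/local, "Require all denied", or an Allow/Deny from rule is present).
# Limitation: rules living in an Include'd file or an .htaccess are not seen.
server_status_access() {
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*<location[ \t]+\/server-status[ \t]*>/ { inblk = 1; found = 1; next }
        inblk && line ~ /^[ \t]*<\/location>/                  { inblk = 0; next }
        !inblk || line ~ /^[ \t]*#/                             { next }
        line ~ /^[ \t]*require[ \t]+all[ \t]+granted/           { open = 1 }
        line ~ /^[ \t]*allow[ \t]+from[ \t]+all/                { open = 1 }
        line ~ /^[ \t]*require[ \t]+all[ \t]+denied/            { restricted = 1 }
        line ~ /^[ \t]*require[ \t]+(ip|host|local)/            { restricted = 1 }
        line ~ /^[ \t]*(allow|deny)[ \t]+from[ \t]/             { restricted = 1 }
        END {
            if (!found)                   print "absent"
            else if (open || !restricted) print "open"
            else                          print "restricted"
        }' "$1"
}

# Probe a running server (needs network; not used by the demo below).
# HTTP 200 means the status page is served to this client; a hardened
# server answers outsiders with 403 (or 404 when the handler is absent).
server_status_http_code() {
    curl -s -o /dev/null -w '%{http_code}' "$1/server-status"
}

# Constructed sample configurations (illustration only).
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak-2.2.conf" <<'EOF'
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
</Location>
EOF
cat > "$demo_dir/weak-2.4.conf" <<'EOF'
<Location /server-status>
    SetHandler server-status
    Require all granted
</Location>
EOF
cat > "$demo_dir/hardened-2.4.conf" <<'EOF'
<Location /server-status>
    SetHandler server-status
    # only the local host and the admin network may read it
    Require local
    Require ip 10.0.0.0/8
</Location>
EOF
for f in "$demo_dir"/*.conf; do
    printf '%s: %s\n' "$(basename "$f")" "$(server_status_access "$f")"
done
rm -rf "$demo_dir"
```

The hardened sample uses the 2.4 form (several Require lines in a container default to RequireAny); the 2.2 equivalent is Order deny,allow, Deny from all and an Allow from line naming the permitted addresses, which the classifier also recognises. A result of "open" for a block that has no access rule at all is the interesting case: the handler is live and nothing in that block limits who reaches it.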
 
Other misconfigurations still to be written up for this page:

1. Version details disclosed in headers: disable the Apache server tokens.

2. Proper SSL cipher selection: enforce the server's cipher order and disable specific weak ciphers.

3. Guidelines on how to store SSL private keys on the server, for example never under the document root such as /var/www/.

4. The various authentication types (basic, digest, X.509 client certificates, LDAP or others), and which one to use in which situation.
Revision as of 16:31, 5 October 2015

This article is part of the OWASP Secure Configuration Guide.
Back to the OWASP Secure Configuration Guide ToC: https://www.owasp.org/index.php/Secure_Configuration_Guide
Back to the OWASP Secure Configuration Guide Project: https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide


Summary

The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project.


Apache Server Information

Server Token

Description

By default the Apache ServerTokens directive (whose default value is Full) makes the Server response header reveal the product and version, the operating system, and the loaded modules with their versions, for example:

Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5

This lets an attacker fingerprint the web server precisely and greatly increases the efficiency of any attack, because security vulnerabilities depend on specific software versions. The same version string is also appended to server-generated pages such as error documents and directory listings when ServerSignature is On.

How to test

To test the ServerTokens configuration, check the Apache configuration file for the directive (it is only valid in the main server configuration, not inside a virtual host), and confirm the result from the outside by sending a request and reading the Server response header, for example with curl -I.

Misconfiguration

ServerTokens Full

Remediation

Configure the ServerTokens directive in the Apache configuration to the value Prod (ProductOnly is the same setting):

ServerTokens Prod

or

ServerTokens ProductOnly

With this setting the header is reduced to "Server: Apache"; the directive cannot remove the header altogether. Set ServerSignature Off as well so that error pages do not print the version line.

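The following POSIX shell script is an added example; it is not part of the OWASP page or of the Apache project. It turns the test above into something runnable: it fetches the Server header from a URL (curl, needs network), maps an observed header back to the ServerTokens level that emits it using the formats the Apache documentation gives for each level, and reads the effective ServerTokens value out of a configuration file, treating an absent directive as the default Full. The URL, file names and sample header and config values are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the OWASP page or the Apache project: check the
# Server header a running Apache returns, map it back to the ServerTokens
# level that produces it, and read the effective ServerTokens value from a
# configuration file. The URL, file paths and sample header/config values
# are assumptions constructed for illustration.

# Fetch the live Server header value (needs network; not used by the demo).
probe_server_header() {
    curl -sI "$1" | awk 'tolower($1) == "server:" {
        sub(/^[^:]*:[ \t]*/, ""); sub(/\r$/, ""); print; exit }'
}

# Map an observed Server header to the ServerTokens setting that emits it,
# following the header formats documented for the directive:
#   Prod  -> Apache                  Major -> Apache/2
#   Minor -> Apache/2.4              Min   -> Apache/2.4.2
#   OS    -> Apache/2.4.2 (Unix)     Full  -> Apache/2.4.2 (Unix) PHP/4.2.2 ...
# "Apache/x.y.z (OS)" with no module tokens is what Full prints too when no
# module adds a token, so that shape is reported as OS.
infer_server_tokens_level() {
    h=$1
    case "$h" in
        Apache) echo Prod; return ;;
    esac
    if   printf '%s\n' "$h" | grep -qE '^Apache/[0-9]+$';                        then echo Major
    elif printf '%s\n' "$h" | grep -qE '^Apache/[0-9]+\.[0-9]+$';                then echo Minor
    elif printf '%s\n' "$h" | grep -qE '^Apache/[0-9]+\.[0-9]+\.[0-9]+$';        then echo Min
    elif printf '%s\n' "$h" | grep -qE '^Apache/[0-9]+(\.[0-9]+){2} \([^)]*\)$'; then echo OS
    elif printf '%s\n' "$h" | grep -qE '^Apache/[0-9]+(\.[0-9]+){2} \([^)]*\) .'; then echo Full
    else echo unknown
    fi
}

# Exit 0 when the header leaks nothing beyond the product name.
server_header_is_minimal() {
    [ "$(infer_server_tokens_level "$1")" = Prod ]
}

# Effective ServerTokens value in one main-server configuration file.
# Comment lines are ignored and the directive is case-insensitive; when it
# appears more than once the last occurrence is taken (assumption: a later
# directive overrides an earlier one). Absent means Apache's default, Full.
effective_server_tokens() {
    v=$(grep -iE '^[[:space:]]*ServerTokens[[:space:]]+' "$1" | awk '{ print $2 }' | tail -n 1)
    printf '%s\n' "${v:-Full}"
}

# Constructed samples (illustration only).
sample_header='Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5'
printf 'header "%s" -> ServerTokens %s\n' "$sample_header" "$(infer_server_tokens_level "$sample_header")"
printf 'header "Apache" -> ServerTokens %s\n' "$(infer_server_tokens_level Apache)"

demo_dir=$(mktemp -d)
printf 'ServerTokens Full\n' > "$demo_dir/weak.conf"
printf '# hardened\nServerTokens Prod\nServerSignature Off\n' > "$demo_dir/hardened.conf"
for f in "$demo_dir"/*.conf; do
    printf '%s: ServerTokens %s\n' "$(basename "$f")" "$(effective_server_tokens "$f")"
done
rm -rf "$demo_dir"
```

Prod is the only level at which the header carries no version at all, which is why the check treats anything else as a finding; a header of the form "Apache/x.y.z (OS)" is reported as OS but may equally come from a Full configuration on a server whose modules add no tokens, and either way it discloses the version and platform.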

References

https://httpd.apache.org/docs/current/misc/security_tips.html

https://wiki.debian.org/Apache/Hardening