CodeWatch

This post will step back from coding a bit to focus on what is usually a web server and scripting language configuration issue. Most, if not all, OWASP A9 issues can be resolved with appropriate configuration of Apache and PHP. Since this is mostly a development related blog, and this topic is not completely development related, I will finish this section all in this post. OWASP A9 is covered by the ASVS 10.x series of controls.

ASVS 10.1 Requirement:

Verify that a path can be built from a trusted CA to each Transport Layer Security (TLS) server certificate, and that each server certificate is valid.

ASVS 10.1 Solution:

SSL/TLS encryption is only as trustworthy and secure as the chain of certificates used to provide the encryption. It is essential that you purchase and install valid certificates from trustworthy CA’s. The certificate in use must be valid, must not have expired, must not have been revoked, must match the domains for which it is being used, must have been signed with a secure algorithm (not MD5), and must have been encrypted with a secure algorithm (RSA 2048 or AES 256 preferably).

ASVS 10.2 Requirement:

Verify that failed TLS connections do not fall back to an insecure connection.

ASVS 10.2 Solution:

This control can be accomplished by disabling all insecure encryption protocols in the Apache web server configuration. Add the following to your SSL settings in the Apache configuration:

  SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2

 
This will disable all protocols except for TLS.

ASVS 10.3 Requirement:

Verify that TLS is used for all connections (including both external and backend connections) that are authenticated or that involve sensitive data or functions.

ASVS 10.3 Solution:

Use the configuration example provided in the 10.2 solution on all of your web servers. Test all other connections to validate that SSLv3 or TLS is in use. This can be accomplished by attempting to connect with other protocols using the OpenSSL client. The following command can be used to test for SSLv2 for example:

  openssl s_client -ssl2 -connect <Server Name or IP>:<port_number>

 
The above command will result in a short error if the server to which you are connecting does not support SSLv2 (which is a good thing).

ASVS 10.4 Requirement:

Verify that backend TLS connection failures are logged.

ASVS 10.4 Solution:

Logging can be added to your VirtualHost configuration for the SSL connection. The configuration option should look something like this:

   CustomLog "/var/log/apache/ssl_request_log" \
     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

 
This causes a custom log to be generated at the provided location. The %t will cause the time to be logged, %h logs the IP of the connecting host, %{SSL_PROTOCOL}x will log the protocol version, %{SSL_CIPHER}x will log the cipher used for the connection, %r will log the first line of the request (the GET/POST and page requested), and %b will log the size of the response minus HTTP headers in bytes.

ASVS 10.5 Requirement:

Verify that certificate paths are built and verified for all client certificates using configured trust anchors and revocation information.

ASVS 10.5 Solution:

Follow all of the recommendations for our ASVS 10.1 solution when implementing client certificates.

ASVS 10.6 Requirement:

Verify that all connections to external systems that involve sensitive information or functions are authenticated.

ASVS 10.6 Solution:

Review code within your application utilized to connect to external systems and validate that some form of authentication is used if sensitive information is transferred. Authentication can be in the form of certificates or usernames and passwords (for just a few examples).

ASVS 10.7 Requirement:

Verify that all connections to external systems that involve sensitive information or functions use an account that has been set up to have the minimum privileges necessary for the application to function properly.

ASVS 10.7 Solution:

Validate that the account that connects to the external systems has as limited access as possible to those servers or applications. The account should only be able to use the required external functions.

ASVS 10.8 Requirement:

Verify that there is a single standard TLS implementation that is used by the application that is configured to operate in an approved mode of operation (See http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf).

ASVS 10.8 Solution:

The easiest way to implement this control is to use a single encryption library (OpenSSL for example) and force the use of TLS through the solution to ASVS 10.2. In addition, disable the use of all weak or medium strength encryption algorithms. This can be accomplished in your Apache SSL configuration with the following line:

  SSLCipherSuite HIGH:!ADH:!aNULL:!eNULL:!MD5:!EDH

 
The above configuration only activates the strong encryption algorithms and then disables ciphers using anonymous Diffie-Hellman key exchange, the MD5 hashing algorithm, or NULL ciphers. I recommend taking this a step further and manually disabling 128bit and Triple-DES encryption algorithms such that the web server will only allow 256bit encryption algorithms. An example would be !SRP-RSA-AES-128-CBC-SHA. To block all low/medium strength ciphers, 128 bit ciphers, RC4 based ciphers, and only allow 256bit PFS ciphers consider something like:

  SSLCipherSuite HIGH:!ADH:!aNULL:!eNULL:!LOG:!EXP:!PSK:!SRP:!DSS:!MD5:
    !SEED:!DES:!3DES:!RC4:!AES128:!CAMELLIA:!AES256-GCM-SHA384:
    !AES256-SHA256:!AES256-SHA

 
You can check the list of ciphers supported by your system by running:

  openssl ciphers

 
ASVS 10.9 Requirement:

Verify that specific character encodings are defined for all connections (e.g., UTF-8).

ASVS 10.9 Solution:

The default character set can be configured for PHP by adding the following line to your php.ini file:

  default_charset = "UTF-8"

 
Minor Bonus:

There are some additional security controls that can be implemented in your server configuration to help secure web communication. These options include adding the “secure” flag to your cookies, using a strong dhparams value to protect the key exchange, redirecting to HTTPS for sensitive pages, and setting HTTP Strict Transport Security (HSTS).

We have already covered setting the “secure” flag in cookies so I am only going to cover setting strong dhparams values, redirecting to HTTPS, and setting the HSTS header.

In order to configure strong dhparams, you must first create a dhparams file in PEM format. This can be performed with OpenSSL like so:

  openssl dhparam -out dhparam4096.pem 4096

 
Note that this will take a long time to complete. If your Apache installation has been appropriately patched to support DH parameter values, then you can add the following to your configuration:

  SSLDHParametersFile /path/to/dh4096.pem

 
Certain sections of your site can be redirected from HTTP to HTTPS in Apache using the following directive:

  RewriteCond %{HTTPS} off
  RewriteRule (.*securearea.*) https://%{HTTP_HOST}%{REQUEST_URI}

 
The above tells Apache to rewrite the URL to use HTTPS when the original connection used HTTP and when the URL contains “securearea” in the URL. Rewrite rules can be written to be much more specific if necessary. More information can be found here.

The HSTS header can be added to your site as well. This will tell compliant web agents to replace HTTP links with HTTPS. This can be accomplished via PHP code or in your Apache configuration like so:

  // This can be added to your high-level Apache config,
  // virtual host configurations, specific directories, 
  // or within htaccess files to fine tune where the 
  // header is applied with Apache:
  Header always set Strict-Transport-Security "max-age=500; includeSubDomains"

  // PHP code to add to your top/header page:
  header('Strict-Transport-Security: max-age=500');

 
You should also enforce SSL on all login pages, pages that require authentication to access, and pages that perform other sensitive operations (such as password resets).

OWASP A9 isn’t super exciting stuff, nor does it require cool code (or any code for that matter), but it is important none the less. If you want a good and quick check, Qualys provides a free SSL scanning tool here.

Leave a Reply

Your email address will not be published. Required fields are marked *