
Secure a Windows Server running Apache XAMPP

I recently installed a new WordPress website running in XAMPP on a Windows Server. This is how I configured it to pass the Nessus Vulnerability Scanner.

  • PHP 5.6.x < 5.6.13 Multiple Vulnerabilities

    Upgrade the PHP engine in XAMPP to the latest 5.6.x release (5.6.14 at the time of writing). PHP 5.6 has since reached end of life; on a current install the same steps apply to a supported PHP branch.

    Download the latest PHP Thread Safe zip (XAMPP loads PHP as an Apache module, which requires the TS build) and unzip the files into a folder named after the version, for example C:\xampp\php_5.6.14. Copy php.ini from the old PHP folder into the new one, because the zip only ships php.ini-development and php.ini-production, and XAMPP's php.ini carries the extension settings WordPress depends on. Then edit every reference to the old PHP directory (the LoadFile, LoadModule and PHPIniDir lines, plus any other C:/xampp/php paths) in this file: C:\xampp\apache\conf\extra\httpd-xampp.conf. Restart Apache from the XAMPP Control Panel afterwards and confirm the new version with phpinfo() before re-running the scan.

  • Web Application Potentially Vulnerable to Clickjacking

    The remote web server does not set an X-Frame-Options response header in all content responses. This could potentially expose the site to a clickjacking or UI redress attack, in which an attacker tricks a user into clicking an area of the vulnerable page that is different from what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions. X-Frame-Options was proposed by Microsoft as a way to mitigate clickjacking attacks and is currently supported by all major browser vendors. Note that while the X-Frame-Options response header is not the only mitigation for clickjacking, it is currently the most reliable one to detect through automation. Therefore, this plugin may produce false positives if other mitigation strategies (e.g. frame-busting JavaScript) are deployed or if the page does not perform any security-sensitive transactions.

    http://www.nessus.org/u?1bced8d9
    https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
    http://en.wikipedia.org/wiki/Clickjacking

    I chose to put the setting at the top level of the XAMPP environment, so that the X-Frame-Options header is added to every response from every site and file. The directive needs mod_headers, so check that the LoadModule headers_module line in httpd.conf is not commented out.
    C:\xampp\apache\conf\httpd.conf
    Put this line at the end of the file:

    Header always set X-Frame-Options "SAMEORIGIN"

    Use set rather than append: append merges the value into any X-Frame-Options header the application already sends, producing a comma-separated list, and X-Frame-Options does not allow multiple values. WordPress sends its own X-Frame-Options: SAMEORIGIN on the login and admin pages, so those are the pages to check for a duplicated or comma-joined header. Restart Apache after editing the file.

    You can easily test whether the setting really works by trying to iframe your site from jsfiddle.net: with SAMEORIGIN in place the browser refuses to render the page inside the frame. The response headers are also visible in the browser's developer tools.

  • HTTP TRACE / TRACK Methods Allowed

    The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.

    To disable these methods, add the following lines for each virtual host in your configuration file:

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

    I chose to put the setting at the top level of the XAMPP environment instead, at the end of this file:
    C:\xampp\apache\conf\httpd.conf

    # To turn off the TRACK and TRACE methods globally on the server add the following line:
    TraceEnable Off

    TraceEnable is a core directive, so it needs no mod_rewrite and applies to every virtual host; with it off, Apache answers TRACE with 405 Method Not Allowed. Restart Apache and re-run the scan to confirm the finding is gone.
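To verify both Apache fixes above without waiting for the next Nessus run, here is an added example (my code, not from the original post) that re-checks the two findings the way the scanner does: it looks at every X-Frame-Options value a page returns and it sends a TRACE request with a canary header to see whether the server echoes it back. Because it has to run offline, it talks to a constructed stub server that mimics three httpd.conf states; the stub's merging of an appended header into one comma-joined value is an assumption for the demo, and the checker rejects both that form and a duplicated header line. Point check_x_frame_options() and check_trace() at the real XAMPP host to test the live configuration.

```python
"""Re-check the clickjacking and TRACE findings against a constructed stub server.
Added example, not part of the original post."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID_XFO = {"DENY", "SAMEORIGIN"}  # ALLOW-FROM is obsolete and ignored by current browsers


def check_x_frame_options(headers):
    """headers: list of (name, value) pairs as returned by HTTPResponse.getheaders().
    Returns (ok, detail). Rejects a missing header, a duplicated header line and a
    comma-joined value: X-Frame-Options must carry exactly one value."""
    values = [v.strip() for name, v in headers if name.lower() == "x-frame-options"]
    if not values:
        return False, "missing X-Frame-Options"
    if len(values) > 1:
        return False, "X-Frame-Options sent %d times: %r" % (len(values), values)
    value = values[0]
    if "," in value:
        return False, "comma-joined X-Frame-Options %r is invalid" % value
    if value.upper() not in VALID_XFO:
        return False, "unsupported X-Frame-Options value %r" % value
    return True, value


def check_trace(host, port):
    """Send a TRACE request carrying a canary header. Returns (ok, status): ok is True
    when the server refuses the method (4xx/5xx) and does not echo the canary back."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"X-Canary": "trace-check"})
        resp = conn.getresponse()
        body = resp.read()
        echoed = b"X-Canary: trace-check" in body
        return (resp.status >= 400 and not echoed), resp.status
    finally:
        conn.close()


class StubApache(BaseHTTPRequestHandler):
    """Constructed stand-in for the XAMPP Apache, not a real server. `mode` mimics three
    httpd.conf states: "default" (no header, TRACE on), "append" (Header always append
    plus TraceEnable Off) and "set" (Header always set plus TraceEnable Off)."""
    mode = "default"

    def log_message(self, *args):
        pass  # keep the example quiet

    def _frame_options(self):
        # WordPress itself sends X-Frame-Options: SAMEORIGIN on wp-login.php and wp-admin.
        app = ["SAMEORIGIN"] if self.path.startswith(("/wp-login.php", "/wp-admin")) else []
        if self.mode == "default":
            return app
        if self.mode == "append":
            # Assumption for the stub: append merges into one comma-separated value.
            return [", ".join(app + ["SAMEORIGIN"])]
        return ["SAMEORIGIN"]  # set: exactly one value regardless of what the app sent

    def do_GET(self):
        body = b"<html><body>ok</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        for value in self._frame_options():
            self.send_header("X-Frame-Options", value)
        self.end_headers()
        self.wfile.write(body)

    def do_TRACE(self):
        if self.mode == "default":
            # Stock Apache: TRACE echoes the request line and headers back as message/http
            echo = ("%s %s %s\r\n%s" % (self.command, self.path, self.request_version,
                                        self.headers)).encode()
            self.send_response(200)
            self.send_header("Content-Type", "message/http")
            self.send_header("Content-Length", str(len(echo)))
            self.end_headers()
            self.wfile.write(echo)
        else:
            self.send_error(405)  # TraceEnable Off: 405 Method Not Allowed


def scan(mode, paths=("/", "/wp-login.php")):
    """Bring up the stub in `mode`, run both checks, return {target: (ok, detail)}."""
    StubApache.mode = mode
    server = HTTPServer(("127.0.0.1", 0), StubApache)
    host, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = {}
        for path in paths:
            conn = http.client.HTTPConnection(host, port, timeout=5)
            try:
                conn.request("GET", path)
                resp = conn.getresponse()
                resp.read()
                results[path] = check_x_frame_options(resp.getheaders())
            finally:
                conn.close()
        results["TRACE"] = check_trace(host, port)
        return results
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for mode in ("default", "append", "set"):
        print("httpd.conf state: %s" % mode)
        for target, (ok, detail) in scan(mode).items():
            print("  %-14s %s  %s" % (target, "PASS" if ok else "FAIL", detail))
```

Running it shows why the login page matters: in the "default" state the front page fails and TRACE echoes the canary, in the "append" state the front page passes but wp-login.php fails with a comma-joined value, and only the "set" state passes everything.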
