Part2: Securing web apps — command execution + firewall
This article helps in building a understanding of how to create firewall rules for webapp, how command execution works, and secure programming.
In Previous article, we deactivated firewall and SELinux policies in our system. That is obviously a bad practice.
So now we will bring firewall back into action.
$ sudo systemctl start firewalld
First, let’s try understanding firewalld here. (https://firewalld.org/documentation/man-pages/firewalld.html)
Now we have a idea of how this firewall works … Time to make a rule to allow http services through it.
This can be done easily by firewall-cmd ( https://firewalld.org/documentation/man-pages/firewall-cmd.html )
$ sudo firewall-cmd --add-service=http --permanent
Running the above command will give you a success.
Now firewalld will allow any packet to go through which belongs to http service and is authenticated.
In this article, I’ll be focusing on command execution vulnerability.
Command injection is basically injection of operating system commands to be executed through a web-app.
Now let’s check if our app is vulnerable to command execution or not by passing this input to it.
126.96.36.199;echo “bang bang”;
Yoohooo… looking at the output above we are sure that echo “bang bang” had executed succesfully.
let’s try some more commands now.
Now let’s try to create a file in remote server.
188.8.131.52;echo “batman_was_here” >knock_knock.txt
It seems like we don’t have enough permissions to create a file here.
But wait … aren’t there dedicated folders in every OS for temporarily created files and folders? Oh yes! there it is.
In Linux/Unix platforms, /tmp directory has full permissions. Basically, it’ll allow me to read, write, and execute anything from that directory.
drwxrwxrwt. 19 root root 4096 Mar 27 09:40 tmp
So let’s give it a try.
184.108.40.206;echo “batman_was_here” >/tmp/knock_knock.txt
This didn’t gave any error. That means it executed succesfully.
Let’s try to read the file here.
This is very bad as a hacker can create, read and execute files from our server.
Enough of having fun with the weak. Let’s try to stop it.
For that we’ll need to modify our code to check for potentially malicious characters like below in our input.
Now our LOGIC CODE section looks like this.
## LOGIC CODE
import subprocess as sb
import cgidata = cgi.FieldStorage() # read the field Storage or mini field storage for the cgi scriptif data.getvalue(“target_ip”):
data_target_ip = data.getvalue(“target_ip”)
data_target_ip = “220.127.116.11” # default set to google DNS#SANITIZE INPUTdata_target_ip = data_target_ip.replace(“;”,””).replace(“&”,””)
data_target_ip = data_target_ip.replace(“|”,””).replace(“`”,””)cmd_status = sb.getoutput(“sudo ping -c 3 “+data_target_ip)
cmd_status = cmd_status.replace(“\n”,”<br>”)
Let’s try if our app is still processing the malicious input.
18.104.22.168;echo “bang bang”;
Now our app is secure from such malicious inputs.. But complete security is still a myth.
There are some strings which can still be malicious. (Those are not in the scope of this article)
But there is still something you should be curious about. It will help you in understanding those advanced malicious strings better.
Look at the above image carefully.. I’ve provided a complete integer to ping command and it got converted to an valid IP. These type of notations are called integer notations for IP.
But there is something more to this…
Carefully look at these above IP patterns and I am sure you’ll get some new insights.
If you want to read more about command execution, Go here(https://owasp.org/www-community/attacks/Command_Injection).