If you can see this check that

Main Page

Week 8A - Apache


Apache Web Application Configuration

User:
Password:

This tutorial is concerned with the configuration of an http server, namely Apache, in the kali environment.

Question 1: Run the apache server

Each time you make a configuration change to the Apache server you must restart (or at the very least reload) the http service. Remember to start apache for the first time do:

service apache2 start
And if you make changes to the configuration file as you answer the questions, you should reload the configuration by doing:
service apache2 reload

Now get the web server running...

Tests - not attempted
Run apache UNTESTED

Question 2: Add user directories

Apache allows you do have a URL which starts with /~username. This redirects the server to look for files in /home/username/public_html/. So for instance http://machine/~dave/hello.html would look for a file in /home/dave/public_html/hello.html. This feature is called userdir.

Enable the userdir feature by doing

a2enmod userdir
service apache2 restart

To demonstrate this feature, create a user called "dave".

adduser dave
If asked set his password to whatever you like, and for all other pieces of information just stick to the defaults.

When you need to do something AS a particular user (e.g. dave) you should "su - dave". You will then log in as that user. When you want to go back to being "root", just press CTRL+D. You can check who you are at any particular moment by doing "whoami". Note, pressing CTRL+D ends the current session, so if you press it twice it will log you out! If you get "permission denied" then you are probably "su"ed to a normal user and you are trying to do a "root" level command.

Create a public_html directory in dave's home directory, and create a file hello.html in the public_html. The contents of this file should be:

<html>
<body>
<h1>HOST</h1>
<p>
I am clever
</p>
</body>
</html>

The "/home/dave" and "/home/dave/public_html" must be executable by others, and the "/home/dave/public_html/hello.html" file must be readable by other. This should be the default. However if needed you can always do this manually:

chmod 701 /home/dave /home/dave/public_html
chmod o+r /home/dave/public_html/hello.html

You can direct your browser to see this page by using the URL

http://yourmachinename/~dave/hello.html
Replace "yourmachinename" with the output of running the "hostname" command, eg
[root@host-19-17 dave]# hostname
host-19-17.linuxzoo.net
Note that, once working, you can access your linuxzoo web pages just by doing http:// in front of your hostname, or your virtual hostnames, followed by the rest of your URL as normal.

Tests - not attempted
UserDir enabled UNTESTED
Dave exists UNTESTED
Dave has a public_html which he owns UNTESTED
Dave has a home directory executable by others UNTESTED
Dave has a public_html executable by others UNTESTED
Dave has a file hello.html which he owns UNTESTED
hello.html is readable by others and owned by dave UNTESTED
hello.html contains the word HOST (case sensitive) UNTESTED
http://host/~dave/hello.html actually works UNTESTED

Question 3: Add two new directories/files

Create the following directories, owned by dave (so su - dave first), each of which must be executable for other:

  • /home/dave/public_html/web
  • /home/dave/public_html/vm

It is much much easier to su to dave before trying to create these accounts.

In each of these new directories create a file called "hello.html", similar to hello.html from /home/dave/public_html, except in "web/hello.html" replace the word HOST with WEB. In "vm/hello.html" replace the word HOST with VM. Case is important.

Tests - not attempted
Can read http://../~dave/web/hello.html UNTESTED
http://../~dave/web/hello.html contains WEB UNTESTED
Can read http://../~dave/vm/hello.html UNTESTED
http://../~dave/web/hello.html contains VM UNTESTED

Question 4: Create 2 virtual hosts

You now need to create a virtual host file to hold your virtual hosts. Create a file called "mysite" in "/etc/apache2/sites-available/". Put your virtual host definition into that file.

Using the <VirtualHost> tags in this mysite file (add them into the file) create two VirtualHosts. Remember this file is "/etc/apache2/sites-available/mysite"

Once the file exists you need to activate it using

a2ensite mysite
Remember to reload your apache2 service after enabling the site, and after every configuration change.

The names of your virtual hosts have to be worked out by yourself from your current hostname. Type in the command "hostname" and you will get something like:

host-3-2.linuxzoo.net

Your machine is known by this name in DNS. It is also known by two other names, where the word "host" has been replaced with "web" and "vm". In this example of host-3-2, this machine is also known as:

web-3-2.linuxzoo.net
vm-3-2.linuxzoo.net

IMPORTANT: Do not just copy this example, as your machine number is likely to be entirely different. Use "hostname" and work your machine names out for yourself. Note too that your hostname can change each time you reboot, so double check each time you reboot!

Once you have your web and vm machine names, create a virtual host entry for each of web-?-?.linuxzoo.net and vm-?-?.linuxzoo.net, so that the DocumentRoot of web is /home/dave/public_html/web and the DocumentRoot of vm is /home/dave/public_html/vm.

Each VirtualHost tagged area (you need 2) looks something like:

<VirtualHost *:80>
    ServerAdmin me@grussell.org
    DocumentRoot /home/gordon/public_html/db/public_html/activesql
    ServerName sql.grussell.org
</VirtualHost>
Remember to set the ServerName and the DocumentRoot. The other fields are not important. Remember DocumentRoot is a directory not a file.

It is easy to make a syntax error in the config file. If you have problems you can check for syntax errors using the command:

apache2ctl -t

You should now be able to view your own pages by using your browser, opening a new window, and visiting e.g. http://vm-?-?.linuxzoo.net/hello.html, after replacing the "?" with the actual numbers. Try it for "web" too.

Tests - not attempted
mysite enabled UNTESTED
VirtualHost detected for web-?-?.linuxzoo.net UNTESTED
VirtualHost detected for vm-?-?.linuxzoo.net UNTESTED
http://web-?-?.linuxzoo/hello.html contains WEB UNTESTED
http://vm-?-?.linuxzoo/hello.html contains VM UNTESTED

Question 5: Basic Authentication

These questions are concerned with the configuration of Basic Authentication in apache.

Build a user called "tom" to experiment with. Use

adduser tom

You also need to have the apache service (httpd) running. This question uses UserDir, but you should have already enabled that above.

Now create a user called "tom", create a public_html directory in tom's home directory, and create a file p1.html in the public_html. Make use of the "su - tom" command to keep ownership correct. The contents of this file should be:

<html>
<body>
<h1>TOM</h1>
<p>
Document body goes here.
</p>
</body>
</html>

The default permissions on the /home/tom directories and files should be sufficient, but if not then these should always allow the apache user to access the files and directories.

Use can if needed use the chmod commands from earlier, except this time on tom and on p1.html rather than hello.html. Again much easier to "su" to tom.

Tests - not attempted
Apache Running UNTESTED
UserDir enabled UNTESTED
Tom exists UNTESTED
Tom has a public_html which he owns UNTESTED
Tom has a home directory executable by others UNTESTED
Tom has a public_html executable by others UNTESTED
Tom has a file p1.html which he owns UNTESTED
p1.html is readable by others UNTESTED
p1.html contains the word TOM (case sensitive) UNTESTED
http://host/~tom/p1.html actually works UNTESTED

Question 6: Add two new directories/files

Create the following directories, each of which must be executable by others:

  • /home/tom/public_html/richard
  • /home/tom/public_html/harry

In each of these new directories create a file similar to p1.html, but called:

  • /home/tom/public_html/richard/p2.html
  • /home/tom/public_html/harry/p3.html

In "richard/p2.html" replace the word TOM with RICHARD. In "harry/p3.html" replace the word TOM with HARRY. Case is important.

Tests - not attempted
Can read http://../~tom/richard/p2.html UNTESTED
http://../~tom/richard/p2.html contains RICHARD UNTESTED
Can read http://../~tom/harry/p3.html UNTESTED
http://../~tom/harry/p3.html contains HARRY UNTESTED

Question 7: Basic Auth file

Create a password file for basic authentication. Best to be "tom" to do this properly.

The htpasswd command allows you to create the file, and to add users to the file. Use it to create a basic authentication password file called "/home/tom/webpasswd". Put into this file two users with the following passwords:

User: richard              Password: pass1
User: harry                Password: pass2
Tests - not attempted
/home/tom/webpasswd exists and seems readable UNTESTED
Contents semi-sensible for richard? UNTESTED
Contents semi-sensible for harry? UNTESTED

Question 8: Secure richard/

Secure the public_html/richard directory by using an appropriate .htaccess file in that directory so only a user with the basic authentication details of richard, password pass1, can access the files.

Confim the behaviour by visiting with your browser your secured page: http://host-1-1.linuxzoo.net/~tom/richard/p2.html
Remember to replace the "1-1" with your host number.

Tests - not attempted
Basic Auth needed on ~tom/richard/p2.html UNTESTED
Basic Auth using richard/pass1 works for ~tom/richard/p2.html UNTESTED
Basic Auth using harry/pass2 fails for ~tom/richard/p2.html UNTESTED

Question 9: Secure harry/

Secure the public_html/harry directory so only a user with the basic authentication details of group "magic" can access the contents.

To answer this question, create a group file "/home/tom/webgroup" with the following contents:

magic: richard harry

Make sure in the .htaccess file in the harry directory you use only "Require group" and not some sort of "Require user" command.

Once working try accessing these resources using your browser.

Tests - not attempted
/home/tom/webgroup exists and seems readable UNTESTED
/home/tom/webgroup contains right magic: definition UNTESTED
No Require User in .htaccess UNTESTED
Using Require Group magic in .htaccess UNTESTED
Basic Auth needed on ~tom/harry/p3.html UNTESTED
Basic Auth using richard/pass1 works for ~tom/harry/p3.html UNTESTED
Basic Auth using harry/pass2 works for ~tom/harry/p3.html UNTESTED

Question 10: Server Side Scripting

Now we will create a simple server-side script. Firstly, run

chmod o+w /usr/lib/cgi-bin
This is not a "secure" thing to do, but this is only a quick example.

With an editor and while you are user dave (so return to root again and then su - to dave), edit /usr/lib/cgi-bin/hack.htm and insert the following code.

#!/usr/bin/perl
use strict;
use CGI qw(:standard);
import_names("Q");
print header('-X-XSS-Protection'=>0);
print '<body>';
print h1 "Welcome to hack";
print p "Glad to have you back $Q::user\n";
print '</body>';

You also need to "chmod o+x /usr/lib/cgi-bin/hack.htm".

You can access this via the browser using "http://YOURHOSTNAME/cgi-bin/hack.htm?user=Gordon", where YOURHOSTNAME is the string given when you type "hostname". The string "Gordon" can be replaced with any name you like. Try it.

Once complete, test the change with the "alert" javascript injection and see what happens.

Tests - not attempted
dave can edit things in cgi-bin UNTESTED
Can read http://../cgi-bin/hack.htm?user=me UNTESTED
Script is dynamic UNTESTED

This script hosts a cross-scripting issue. If "user=gordon" become something more risks, like

hack.htm?user=gordon<script>alert("YouAreHacked")</script>
Then when you run this you get to run arbitary javascript on the page. This can be adapted to ask for passwords on sites hosted by banks, or make spoof pages look like they are genuine. Try it (you should get a popup alert if it works).

Note that in chrome (and presumably others) it detecte this as an XSS problem and protected the browser automatically. I had to disable this safety check using a flag in the script.

The right thing to do here is to sanitise the script. To do this edit the file and delete the last two lines:

print p "Glad to have you back $Q::user\n";
print '</body>';
and change them to:
my $u=$Q::user;
$u = "hacker" if $u !~ m/^[a-zA-Z0-9]+$/;
print p "Glad to have you back $u\n";
print '</body>';

Tests - not attempted
Can read http://../cgi-bin/hack.htm?user=me UNTESTED
Script is dynamic UNTESTED
Script validates illegal user UNTESTED


Linux tutorials: intro1 intro2 wildcard permission pipe vi essential admin net SELinux1 SELinux2 fwall DNS diag Apache1 Apache2 Mail
Caine 6.0: Essentials | Basic | Search | SysIntro | 5a | 5b | 5c | 6 | 7a | 7b | 8a | 8b | WebBrowserA | WebBrowserB | Registry | Browser
Digital Investigation: Editing | Email | Logs | Strength
Kali: 1a | 1b | 1c | 2 | 3 | 4a | 4b | 5 | 6 | 7a | 8a | 8b | 9 | 10 |
Useful: Quiz | Forums | Privacy Policy | Terms and Conditions
Site Links:XMLZoo ActiveSQL ProgZoo SQLZoo

Linuxzoo created by Gordon Russell.
@ Copyright 2004-2017 Edinburgh Napier University