From eBabel wiki

Secure a single file with .htaccess and .htpasswd

Create a user and its password in a new .htpasswd file

htpasswd -mbc .htpasswd yourUsername yourPassword

Locate your httpd.conf file

todo: where is it on Ubuntu?

On Mac OS X, the httpd.conf file is here:

 sudo vi /private/etc/apache2/httpd.conf

After the default <Directory /> block, place your own:

<Directory /path/to/where/file/to/protect/is/>
  AuthType Basic
  AuthName "Login"
  # Apache's stock httpd.conf refuses to serve .ht* files via a FilesMatch rule;
  # if your config lacks that rule, keep .htpasswd outside the web root instead
  AuthUserFile /path/to/where/file/to/protect/is/.htpasswd
  # Require needs an entity type ("user <name>" or "valid-user"), not a bare username
  Require user yourUsername
</Directory>

Testing for Anti-Clickjacking (X-Frame-Options in http header) from Apache

<syntaxhighlight lang="html4strict" line>
<!DOCTYPE html>
<html>
<head>
<title>Clickjacking security measure</title>
<style>
iframe {
       width: 900px;
       height: 450px;
}
</style>
</head>
<body>
Check if the website can be rendered within a frame or if this is blocked by an anti-clickjacking HTTP header.
<!-- iframe is not a void element, so it needs an explicit closing tag -->
<iframe src="http://www.google.com/"></iframe>
</body>
</html>
</syntaxhighlight>

Now there was a redirect to www.google.nl (the test was run from Amsterdam):

 Request URL:https://www.google.nl/
 Request Method:GET
 Status Code:200 OK
 Request Headers
 referer:                 << local apache webserver, with iFrame test
 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.27 Safari/537.17

but the key part is that we are blocked:

 Response Headers
 cache-control:private, max-age=0
 content-type:text/html; charset=UTF-8
 date:Sun, 02 Dec 2012 11:41:21 GMT
 status:200 OK    << interesting this is status 200
 x-xss-protection:1; mode=block    << we are being *blocked* !!

Automated testing for Anti-Clickjacking (i.e. X-Frame-Options in http header) via curl

The above tests allow us to test manually from a simple iframe served by a simple Apache localhost page.

However, this test can be automated via curl.

Google are safe:

 $ curl -i www.google.com | grep -i X-Frame-Options
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
 100   218  100   218    0     0   6036      0 --:--:-- --:--:-- --:--:--  9478
 X-Frame-Options: SAMEORIGIN

as they have the X-Frame-Options in the http header.

However, amazon.com is not looking so good:

 $ curl -i www.amazon.com | grep -i X-Frame-Options
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
 100  159k    0  159k    0     0   109k      0 --:--:--  0:00:01 --:--:--  171k

and indeed we can embed Amazon in an iframe, i.e. rerunning the first test but replacing www.google.com with www.amazon.com!

Apache on Mac OSX

These are my notes, from following:


Starting apache on Mac OSX


 sudo apachectl start

then in chrome:

<syntaxhighlight lang="html4strict" line>
It works!
</syntaxhighlight>

=== Default Apache Guest.conf ===
The standard / default Mac OSX config is

 $ ls -ltr /etc/apache2/users/
 total 8
 -rw-r--r--  1 root  wheel  141 Jul 27 09:35 Guest.conf
 $ cat /etc/apache2/users/Guest.conf
 <Directory "/Users/Guest/Sites/">
   Options Indexes MultiViews
   AllowOverride None
   Order allow,deny
   Allow from all
 </Directory>

=== Setting up non-Guest Apache conf file ===
 $ sudo cp /etc/apache2/users/Guest.conf /etc/apache2/users/euterpe.conf
 $ sudo vi /etc/apache2/users/euterpe.conf 
 $ cat /etc/apache2/users/euterpe.conf
 <Directory "/Users/euterpe/Sites/">
   Options Indexes MultiViews
   AllowOverride None
   Order allow,deny
   Allow from all
 </Directory>
 $ ls /Users/euterpe/Sites
 ls: /Users/euterpe/Sites: No such file or directory
 $ mkdir -p /Users/euterpe/Sites

then restart apache:

 sudo apachectl restart

Testing hello.html

Adding a simple webpage:

 $ cat /Users/euterpe/Sites/hello.html
<syntaxhighlight lang="html4strict" line>
<p> Hello World
</syntaxhighlight>

then in chrome, view-source: returns:

<syntaxhighlight lang="html4strict" line>
<p> Hello World
</syntaxhighlight>