Sunday, 13 April 2014

White Paper Research on htaccess

Importance of HtAccess - Muhammad Adeel

HtAccess - The Point of Discussion

The .htaccess (hypertext access) file is a directory-level configuration file supported by a good number of web servers; those servers let web admins manage server configuration in a decentralized way. The original purpose of .htaccess, reflected in its name, was to allow per-directory access control, for example by requiring a password to access the content. Nowadays, however, .htaccess files can override many other configuration settings, including content type and character set, CGI handlers, etc.

========================

Why .htaccess?

========================

Because these files are read by the web server every time the website is loaded, configuration changes made in them take effect immediately, without touching the server's main configuration file. Sometimes a web server has a number of users and you want to allow a specific user to control the configuration of a specific directory; then .htaccess is your best friend and can do this task with a single line. Normally we use .htaccess files for the following purposes:

1. Authorization and authentication

A .htaccess file is often used to specify security restrictions for a directory, hence the "access" in the filename. It is often accompanied by a .htpasswd file (I'll discuss it later; you don't need to worry about it at this point, believe me) which stores valid usernames and their passwords.

2. Rewriting URLs

Rewriting is sometimes used as a conditional filter to block a specific word or string in a request URL.

3.SSI

.htaccess is also used to enable Server Side Includes (SSI); SSI can be genuinely helpful for maintaining a website dynamically using input parameters specified by the admin.

4. Customizing error responses

Changing the page that is shown when a server-side error occurs: if a 404 error occurs, which page should be returned as the response? That too is easily handled by .htaccess.

and many other things, such as MIME types, cache control, etc. These files need to be used with the utmost care because of their sensitivity: even a single mistake can lead to security concerns and other problems as well, so the user must be completely sure of what he is doing; that is what .htaccess requires.

========================

Where Should .htaccess Be Placed?

========================

OK gentlemen, now it's time to learn where this .htaccess file should actually be stored so that it acts quickly and effectively on the specific files or directories its configuration is meant for. Basically, .htaccess is placed in the web root directory so that it has the same effect on all the content within the website, but sometimes it is placed in a specific directory to perform a specific task, such as preventing directory traversal, and so on.

Now let's move on to the various aspects of .htaccess that need to be discussed to get a complete picture of the .htaccess scenario.

========================

Impact of .htaccess

========================

Advantages
Because .htaccess files are read on every request, changes made to them take immediate effect, as opposed to the main configuration file, which requires the server to be restarted for new settings to take effect. For servers with multiple users, it is often desirable to allow individual users to alter their own site configuration. .htaccess files allow such individualization, even by unprivileged users, because the main server configuration files do not need to be changed.

Disadvantages
For each HTTP request, using .htaccess means additional file-system accesses for the parent directories, to check for .htaccess files in each parent directory that is allowed to hold one. If this performance loss is a concern, directives can be migrated programmatically from .htaccess to httpd.conf. Allowing individual users to modify the configuration of a server can also cause security concerns if it is not set up properly.

========================

How .htaccess Helps with Prevention

========================

Preventing SQL injection. For example, if we have to block or filter the word "order" so that an attacker cannot use the ORDER BY clause while performing SQL injection attacks, the configuration file should look like this.



`RewriteEngine on` starts the filtering process, and the rest of the code is the syntax to filter the specific word out of the URL sent by the malicious attacker. This will filter the word "order"; to block more words we can simply add them using the same configuration technique. A well-configured file to prevent SQLi can be seen below as a quick example.
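The paper's own rule file is not reproduced above, so here is an added illustration (not the paper's file) of the rewrite-based filter it describes, written for Apache mod_rewrite in a .htaccess; the patterns and the 403 response are my choices.

```apache
# Added illustration: block query strings carrying the words the paper filters.
# Requires mod_rewrite and AllowOverride FileInfo for this directory.
RewriteEngine On

# %{QUERY_STRING} is matched in its raw (still URL-encoded) form, so the
# separator between the two words may arrive as a space, as %20 or as "+".
# NC = case-insensitive, OR = either condition is enough.
RewriteCond %{QUERY_STRING} order(\s|%20|\+)+by [NC,OR]
RewriteCond %{QUERY_STRING} union(\s|%20|\+)+(all(\s|%20|\+)+)?select [NC]

# F = answer 403 Forbidden, L = stop processing further rules.
RewriteRule ^ - [F,L]
```

Treat this as defence in depth only: a word blocklist is easy to evade and will also reject legitimate requests that happen to contain those words, so the real fix remains parameterised queries in the application.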




Authorization and Authentication

.htaccess is very helpful in permitting or denying specific person(s) access to a web address. We simply use the Allow and Deny directives. Let's say you want to deny a user with IP address A.B.C from the website; you just add these lines to your .htaccess file and you are done. It has a very powerful impact on the web server: as in the previous example, where I showed how to stop a specific user from visiting the site, you can do a lot of things this way, such as allowing the admin and denying everyone else, or denying the admin and allowing all other users, and so on. This .htaccess file is somewhat similar to the old configuration file (httpd.conf) of Apache web servers and does almost the same work. Some .htaccess commands that can help a webmaster a lot: Redirect (redirect /location/anypage.html /var/www/404.php), Rewrite, Allow, Deny, php_flag, etc.


Password Protection

Adding a password using .htaccess takes two steps and is a very powerful and useful thing. JavaScript and other mechanisms can also be used for this job, but .htaccess is a more reliable way to protect a specific directory. To do that we have to create a .htpasswd file and a .htaccess file and configure them like this.
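As an added example (not the paper's own files), here is the .htaccess for the two steps above on Apache 2.4, combined with the IP-based Deny from the previous section; the file paths, the network ranges and the user name are assumptions.

```apache
# Added example. Step 1, run once on the server (keep the file outside DocumentRoot):
#   htpasswd -c -B /var/www/private/.htpasswd alice
# The -B flag stores a bcrypt hash; the file then holds one "alice:<hash>" line.
#
# Step 2, .htaccess in the directory to protect (needs AllowOverride AuthConfig Limit).
AuthType Basic
AuthName "Restricted area"
AuthUserFile /var/www/private/.htpasswd

# Apache 2.4 authorization: the client must NOT be the banned address (assumed)
# AND must either be on the assumed admin network OR present a valid login.
<RequireAll>
    Require not ip 203.0.113.5
    <RequireAny>
        Require ip 192.0.2.0/24
        Require valid-user
    </RequireAny>
</RequireAll>

# Apache 2.2 equivalent of the single-address ban (mod_access_compat):
# Order Allow,Deny
# Allow from all
# Deny from 203.0.113.5
```

Basic auth sends the credentials with every request, so serve the directory over HTTPS; and if Apache sits behind a proxy, Require ip sees the proxy's address unless mod_remoteip is configured.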

A website protected with this .htaccess technique can be accessed like this: http://username:password@www.website.com/directory/
and this is the way we can simply go ahead and use .htaccess for password protection.


Hiding Errors

A single line in the .htaccess file can be worth more than all the code of the website. In the case of any common error, such as SQLi, FPD (Full Path Disclosure), LFI, RFI or any specific configuration error, this line can be used to hide those errors and prevent your website from popping up useful information for the attacker. Although it is very simple, don't forget it is very powerful and can hide any type of error on your site, keeping it silent against the attacker.

The switches used with the PHP flag are: php_flag display_errors no/yes [on/off]
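An added example, not the paper's, of the error-hiding switch together with the custom error pages mentioned earlier; the log path and the error page paths are assumptions, and php_flag/php_value only work when PHP runs as mod_php (PHP-FPM ignores them).

```apache
# Added example: stop PHP from printing errors to the browser, keep them in a log.
# Needs AllowOverride Options (php_*) and FileInfo (ErrorDocument).
php_flag display_errors Off
php_flag display_startup_errors Off
php_flag log_errors On
# Assumed path; must be writable by the user Apache runs as.
php_value error_log /var/log/php/app-errors.log

# Serve neutral pages instead of the server's default messages,
# which can carry the server signature.
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html

# Also switch off directory listings so a missing index does not expose file names.
Options -Indexes
```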
Obviously the area of usage of .htaccess is far wider than what I have shown you here, but this should be enough to make you aware of the importance of .htaccess. I hope you like this information.


========================

About Author

========================

Muhammad Adeel is an independent security researcher and white hat hacker, currently working on his project named UrduSecurity. He is doing a BS (CS) at GC University Faisalabad and has also helped a good number of web admins improve their security.

Download the White Paper PDF!

Importance of HtAccess - Research Paper

Description: .htaccess is a common configuration file that can be very helpful in maintaining a website, but these days we see that no one cares about or even knows the real purpose of this file, so I wrote a research paper on the importance of the .htaccess file. (UrduSec)

    6 comments:

    1. Great work bro :)

    2. R.i.P English

      Replies
1. Yeah, you are right, my English is very bad :D So sorry for this inconvenience.

3. Assalamu alaikum,
      Sir, I have been searching for quite a while about wordlists, like the simple wordlists we get by generating them in Crunch, and besides that the ready-made wordlists of John the Ripper, Openwall and so on. But I saw a video somewhere about a wordlist related to SQL or something, which in that video he was using for Xhydra; I understood that SQL wordlist a little but could not understand everything, because as you will surely know, however keen a person is, he learns only as much as his curiosity drives him. So my curiosity has drawn me to you. Of course I know that you do a lot of work, and that explaining to someone else and giving them time is very difficult, but maybe you can give me better guidance. I have to make a wordlist for brute force, and such a wordlist that works in "PAKISTAN". Besides that, I have watched your videos; MashAllah, your knowledge is great, and I would certainly like to learn from you.
      Thank you, I will be waiting for your reply...

      Replies
1. First of all, thanks a lot for your valuable feedback. I hope you'll mention us in your community if we added something to your knowledge.

Coming to the point, there are multiple brute-force scripts which are helpful in any country, and in BackTrack 5 R3 usually two wordlists are present:

        Darkc0de.lst
        rockyou.txt

Personally I prefer rockyou.txt, and you can find it in

        => /pentest/passwords/wordlists/rockyou.txt

this place. Use it; I hope it's going to help you a lot. If you still have any confusion, please let me know.

    Copyright © HACK | Designed by Muhammad Adeel | Founder UrduSecurity