Building a Secure Web Server and Application - PowerPoint PPT Presentation

Slides: 12
Provided by: alray

Transcript and Presenter's Notes


1
Building a Secure Web Server and Application
  • Allan Raymond

2
Recap Motivation
  • I'm working nights at a coffee house.
  • It's a great job.
  • Free coffee
  • Interesting people
  • A few drawbacks, the worst being scheduling.

3
Solution to the Scheduling Problem
  • A web application should streamline things.
  • Desired functionality
  • Multiple Users
  • Each is able to add and edit availabilities
  • Each cannot edit the availabilities of others
  • Does this sound familiar?

4
A Calendar!
  • A multi-user, web-based calendar.
  • Originally, I wanted to build one from scratch.
  • A Google search found many CGI, open-source
    options
  • Better to start with something than nothing,
    right?
  • Minor Changes to calendar setup.
  • Not events or appointments, but availabilities.
  • Should not be too tough to change a calendar to
    do this.

5
The Original Plan
  • Build a web server
      • Linux Based
      • Install and setup Apache, Perl, and MySQL
  • Figure out calendar
      • Find something open source that is appropriate
      • Bend it to my needs
  • Secure the entire setup

6
Desired Security
  • Server
      • Built with Ubuntu, so only one user
      • Linux is usually safe if kept up to date
  • Application
      • Users should not be able to modify files
      • Users should not be able to log into server
      • Users should only have access to their stuff

7
Finding the right Calendar
  • I did some searches for a calendar
  • Found and decided on FrameCal
  • Built with Perl
  • Seemed very simple at first sight
  • No SQL required

8
Server Setup
  • Ubuntu is designed to be an easy set up
  • I downloaded LAMP server edition
  • Thought this meant LAMP would be preinstalled
  • Wrong
  • Everything installed pretty simply
  • CGI gave me a few hassles

9
Application Setup
  • FrameCal was a complicated setup
  • Hand editing many, many setup files
  • Permissions had to be set by hand
  • Things that seemed to be working were not
  • Initial FrameCal finally up and running
  • Still appointments, events, etc., not avails.
  • More source file editing

10
Changes Made
  • Fixed some bugs
  • One that kept the calendar from working
  • Users could not really delete or edit events
  • Another that was not what I wanted
  • Events moved to availabilities
  • Changed some of the formatting of the webpage

11
What I never finished
  • Server still stores all session info
  • Easy DoS attack
  • All data is still sent in clear
  • Clear passwords, session numbers, etc.
  • Not so bad, but still an issue
  • Can be fixed with OpenSSL, but I ran out of
    time...