How To Make Full Website Backup With Your Own Website Backup Script

We always instruct our clients to back up their data before website security scanning, just in case. A fresh backup stored in a safe place can save your day. Recently we have received a couple of queries from clients on how to quickly back up their websites.

Backups can be done in many ways. Various control panels (like Plesk or cPanel) provide their own tools. Your hosting provider may have other tools readily available for you. However, sometimes it’s wise to have your own backup script or another method of backing up a website. Here are some advantages:

  • more granular control over what you back up and when you back it up
  • easy access to backup files – it is very easy to create a backup and restore it on your own PC (WAMP/LAMP environment)
  • easy to restore individual files or the whole website
  • no need to ask the hosting provider for help with restoring the website

In this post I will describe my method of doing backups. I’ve been using this script for many years on a couple of websites. It’s simple, informative, quick and it has worked just fine.

One remark: you need the right to create and modify cron jobs to run this script. If you are not sure, look for “cron” or “cron jobs” in the control panel or ask your hosting provider.

First you need to decide where to store the backup files. Usually that is somewhere inside a /private folder, outside the web root, so the archives cannot be downloaded through the website. Then you need the absolute paths of that folder and of your website’s main folder. An absolute path is the full path within the server directory structure. There are many ways to find it; an easy one is to put a simple PHP script in your website root and open it in a web browser. Below are two scripts that can be used for this purpose. Copy one of them into a new file called path.php, upload that file to the website root and open www.yourdomain.com/path.php. Delete path.php once you have the path, since it reveals your server layout to anyone who requests it.

First script:

<?php
// Absolute path of the directory this file sits in (the website root)
echo realpath(dirname(__FILE__));
?>

and the other:

<?php
// Current working directory of the PHP process, normally the same folder
echo getcwd();
?>

Once you know the absolute path you can use the bash scripts provided below to back up and restore your websites easily. We use nicedomain.com as an example in the scripts. What you need to do (in the backup script) is:

  • change the date format if needed: DATE, line 4 (optional)
  • change the file name: FILE, line 5 (optional)
  • change the absolute paths of the folder you want to back up (BackupDir, line 6) and of the folder where the backups are stored (UploadDir, line 7)
  • change the database name (DBNAME), user name (USR) and password (PSW) in the mysqldump command, line 19

If you are going to use the restore script as well, change it accordingly.

Backup script:

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
set -e    # stop at the first failure so a broken backup is never reported as successful
# Set the parameters
DATE=$(date +%Y%m%d)
FILE=nicedomain_com__SERVER__$DATE
BackupDir="/home/nicedomain/public_html/"
UploadDir="/home/nicedomain/private"

echo "Starting the backup of http://www.nicedomain.com ($DATE):"

# Let's go to the folder where the backups will be stored
cd "$UploadDir"

# Starting files backup
tar czf "$FILE.tar.gz" -C "$BackupDir" .
echo "File backup successful"

# Start MySQL database backup (a password given with -p is visible to other users in the process list; prefer a mode-600 option file if the host allows it)
/usr/bin/mysqldump --opt -u USR -pPSW DBNAME > "$UploadDir/$FILE.sql"
echo "MySQL backup successful"

Restore script:

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
set -e    # stop at the first failure instead of reporting success anyway

# Set the parameters
DATE=$(date +%Y%m%d)
# Name of the backup to restore; it must match the name the backup script produced
# (set DATE to the date of the backup you want, not necessarily today's)
FILE=nicedomain_com__SERVER__$DATE
SiteDir="/home/nicedomain/public_html"
BackupFile="/home/nicedomain/private/$FILE"

echo "Starting to restore http://www.nicedomain.com ($DATE):"

# Make sure both parts of the backup exist before wiping the live site
for f in "$BackupFile.tar.gz" "$BackupFile.sql"; do
    [ -f "$f" ] || { echo "Missing $f, aborting restore"; exit 1; }
done

# Delete current data
rm -rf "$SiteDir"/*

# Restore files
tar -zxf "$BackupFile.tar.gz" -C "$SiteDir/"
echo "Files restored successfully"

# Restore MySQL
mysql --user="USR" --password="PSW" --host="localhost" DBNAME < "$BackupFile.sql"
echo "MySQL restored successfully"

That’s it. Now upload the script to the server and create a cron job pointing to it, for example:

/var/www/vhosts/nicedomain.com/private/backups/backup.sh

You can schedule the job as you want: one time, daily, weekly, etc. When creating the cron job, also provide your email address (the MAILTO setting in a plain crontab). When the script finishes, cron emails all of its output, whether successful or not. This makes tracking backups very easy.
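A hardened variant of the same backup flow, as an added example and not the script from this post: it takes the MySQL password off the command line and out of the process list by using an option file, refuses to report success until the archive has been read back, keeps the archives owner-readable only, and prunes old ones. The paths, the option-file name and the `run` argument are assumptions.

```shell
#!/bin/bash
# Added example, not the post's script: same backup flow with a few safety checks.
# Assumed paths follow the post's nicedomain.com layout; override them via the environment.
set -eu
umask 077                      # archives hold site data and SQL dumps: owner-readable only

SITE_DIR="${SITE_DIR:-/home/nicedomain/public_html}"
BACKUP_DIR="${BACKUP_DIR:-/home/nicedomain/private}"
KEEP_DAYS="${KEEP_DAYS:-14}"
DB_NAME="${DB_NAME:-DBNAME}"
# Credentials come from a mode-600 option file (hypothetical path) instead of -pPSW on
# the command line, where other users could read them from the process list:
#   [client]
#   user=USR
#   password=PSW
DB_CNF="${DB_CNF:-/home/nicedomain/private/.backup.cnf}"

backup_name() {               # same naming scheme as the post, e.g. nicedomain_com__SERVER__20240131
    printf 'nicedomain_com__SERVER__%s\n' "$(date +%Y%m%d)"
}

archive_site() {              # $1 = site directory, $2 = archive path
    tar czf "$2" -C "$1" .
}

verify_archive() {            # read the archive back; a truncated or corrupt file fails here
    tar tzf "$1" > /dev/null
}

dump_database() {             # $1 = output file; --defaults-extra-file must come first
    mysqldump --defaults-extra-file="$DB_CNF" --opt --single-transaction "$DB_NAME" > "$1"
}

prune_old() {                 # $1 = backup directory, $2 = days to keep
    find "$1" -maxdepth 1 -name 'nicedomain_com__SERVER__*' -mtime +"$2" -delete
}

main() {
    name="$(backup_name)"
    cd "$BACKUP_DIR"
    archive_site "$SITE_DIR" "$name.tar.gz"
    verify_archive "$name.tar.gz"
    dump_database "$name.sql"
    prune_old "$BACKUP_DIR" "$KEEP_DAYS"
    echo "Backup $name completed in $BACKUP_DIR"   # set -e: any failed step exits non-zero, so cron's mail shows it
}

case "${1:-}" in run) main ;; esac    # invoke as: backup.sh run (the guard keeps sourcing side-effect free)
```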

Best tools to check website security

Website security is a complex beast. To do a comprehensive vulnerability assessment you need the right software, experience, patience and sometimes luck. We will provide some guidance on selecting the best tools to check website security.

Whenever you approach a new website or just want to test your own website, the first thing is basically to scan it using your favorite security tool(s). Of course, if you’re not familiar with the website, the first step should simply be to browse it, to get the look and feel, to analyze its structure and to gather as much data as possible.

There are many security scanning tools available, ranging from very expensive to free, from full-featured to very specialized. A previous blog post provides some hints on whether an expensive security testing tool is a good idea. Here we will show what software we use and provide some guidance on choosing the right tools for your job.

Here is our quick top seven list:

1) W3af

A full-featured and actively used framework that can be used both for auditing and for exploitation. It is an extremely popular, powerful, flexible and easy-to-use framework for finding and exploiting web application vulnerabilities. It has dozens of web assessment and exploitation plugins. In some ways it is like a web-focused Metasploit.

2) BurpSuite Pro

Burp Suite is an integrated platform for attacking web applications. It contains many tools, all of them sharing the same framework for handling and displaying HTTP messages, persistence, authentication, proxies, logging, alerting and extensibility.

It’s an indispensable tool for performing web application assessments. You can read web traffic and then manipulate it as much as you desire. There is a limited free version.

3) Websecurify

An easy-to-use tool that shows great potential. With Websecurify you can do both automatic and manual vulnerability testing.

4) ZAP

The Zed Attack Proxy (ZAP) is an OWASP project and is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

5) SkipFish

Skipfish is an active web application security reconnaissance tool. It’s an excellent tool for an automated initial quick assessment of a website. Written in C, it is incredibly fast and can generate and analyze thousands of requests per second.

Skipfish prepares an interactive sitemap of the targeted website by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output of a number of active (but hopefully non-disruptive) security checks. After that a report is prepared, which is meant to serve as a foundation for a professional web application security assessment.

6) Wapiti

A tool written in Python that scans the pages of the web application, looking for scripts and forms where it can inject data. Once it has this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

7) Nikto

Nikto is a Perl script which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version-specific problems on over 270 servers. From this perspective Nikto is a kind of “signature-based” tool. It also checks for server configuration items such as the presence of multiple index files and HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated.

Nikto won’t find all the bugs in your web app, but it will warn you about poorly configured web servers and will reveal other interesting things to poke at.

That’s all. Testing website security may look simple; however, it’s always wise to play with the tools for some time to understand what you’re doing. The so-called “point-and-shoot” scanning method can definitely tell you something, but it won’t reveal all the vulnerabilities.

Vulnerable web applications for hacking practice

Whenever you want to test your hacking skills you need to find some websites to get your hands on. Be careful – don’t play with real sites! Either you should have the permission (preferably written) of the site owner to do so, or you should find another alternative.

The alternative is to use so-called vulnerable web applications. They are deliberately made vulnerable to help security professionals test their skills and tools in a legal environment. Such applications also serve as a good resource for web developers, helping them better understand the process of securing web applications, and for teachers and students to teach and learn web application security in a classroom environment.

Before we dive into the list, one last remark: some applications are online, where you can start testing your skills immediately, and others are downloadable, so you’ll have to install them on your own web server. If you do not already have a web server set up, download and install XAMPP, WAMP or LAMP, depending on your preferences.

So, where are those damn vulnerable web applications?

Here is the list:

Online

Offline

  • http://code.google.com/p/wivet/ – yet another project at Google. Wivet’s main goal is to analyze the link extraction/crawling ability of your web application security scanner. It’s a good tool to compare various scanners and see which has the best crawling capabilities (which one finds the most URLs and other injection points). You have to download and install Wivet on your server.
  • http://www.dvwa.co.uk – Damn Vulnerable Web Application (DVWA). A great application for learning web application security, testing vulnerability scanners and learning how to write better code. It has three security levels. You can change the level and see how it changes the PHP code, how it changes the scanners’ ability to discover vulnerabilities, and so on. A good starting point. You have to download and install DVWA on your server.
  • https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project – WebGoat is a deliberately insecure web application maintained by OWASP, designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. This is a great resource for learning web application security principles. You have to download and install WebGoat on your server.

Where to start? If you’re eager to start immediately, choose one of the online sites. However, we encourage you to try WebGoat or DVWA. Those applications will help you form good security basics.

That’s about it. If you know of more vulnerable apps, please share.

Web Application Scanners comparison – is more expensive always better?

Tools – expensive or free?

Web application security scanners can cost from a hundred to tens of thousands of dollars. And they can be free as well. There are many tools or apps that can be used in web application assessments. It can be very hard to decide which tool is the right one. Some of them are better used alongside a manual test, while others are designed more for non-specialist IT staff as “black box” scanning tools. On top of that, there are scripts and point-and-click tools that can be used to assess specific areas of web application security.

So when considering a specific scanner, first of all you should answer questions such as:

  • Do I need a comprehensive scanner for testing the whole web application, or just a scanner that is good in some specific area? This relates to another question: many scanners vs. one.
  • Am I going to play with setup, parameters and request manipulation, or do I need a simple so-called point-and-click tool?
  • Will I use this scanner for actually exploiting the web application?
  • What kind of reporting do I want?
  • And finally: am I going to pay for it?

The best way to choose an appropriate scanner is to play with it. Then you see whether it fits your needs or not. After testing multiple scanners, tools and scripts you’ll gain experience and intuitively see what is good and what is not, what suits one situation and what suits another, etc.

Scanner comparison charts can also serve as a good point of reference. Tools are benchmarked on how well they detect (and in some cases exploit) security vulnerabilities. Usually scanners are compared on certain points:

  1. How many vulnerabilities did they manage to detect in a specially crafted web application?
  2. How much manual input was required?
  3. False positive rate (the scanner reports a vulnerability that doesn’t actually exist)
  4. False negative rate (missed vulnerabilities), inversely related to the first point
  5. How much time did it take to scan the application?

Looking at some comparison charts, it’s clear that the most expensive scanners are not necessarily the best in all situations. As a rule of thumb, expensive scanners have many features, full scan coverage (in terms of vulnerability types, scanning methods, etc.), a nice-looking user interface and great reports.

Free open-source web application scanners, on the other hand, are usually harder to configure, have a poorer GUI and lack good reporting capabilities. However, their vulnerability detection rate can be the same as or even better than that of their commercial counterparts.

Shay Chen has a great blog post where he compares 60 (!) commercial and open-source black box web application vulnerability scanners.

Looking at the comparison charts we can see that open source tools presented very good results. Indeed, some of them are at the top in the charts. As Mr. Chen concludes, “the distance between open source tools and commercial tools is not as big as it used to be”.

However, it was also mentioned that open-source tools tend to have more false positives and to be relatively unstable compared to most commercial tools. Besides, open-source tools are usually more difficult to install and use, and still require fine-tuning in various areas.

So if your background is rather technical, you can use open-source tools with great success. However, if you don’t have much technical experience, don’t want to learn all the bits and pieces and prefer a decent user experience, stay on the safer side and use commercial products (some have free limited versions).

The good news is that if you have a limited budget and still want to do vulnerability assessments or pen-testing, you won’t be left alone. There is a wide variety of open-source tools that are no worse than their commercial alternatives; all you need is to put some more work into them. We’ll present some how-tos and recommendations regarding specific tools in future articles.

For better results it’s common to combine various tools, from both the commercial and the open-source side. One tool might be easier to use, another might be more accurate, a third faster. Mix everything and see what works and what doesn’t.

Good luck!