blackicedbear/weba
1
0
Fork 0
mirror of https://github.com/bpetschowitsch/weba.git synced 2026-06-01 16:39:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

...

Browse Source
This commit is contained in:
bpetschowitsch
2026-04-16 09:23:11 +02:00
parent 435a48878d
commit 740c1e79ca
3 changed files with 0 additions and 271 deletions
Download Patch File Download Diff File Expand all files Collapse all files
05_php_addressbook.md
-99
View File
@@ -1,99 +0,0 @@
# Enable PHP in Nginx
run in bash:
```bash
sudo apt install php-fpm -y
```
get php version/sock
```bash
ls -l /run/php/*.sock
```
add to nginx config (server section):
```nginx
# pass PHP scripts to FastCGI server
#
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.4-fpm.sock; # <-- use version from output above!
}
```
validate nginx configuration & restart if ok:
```bash
sudo nginx -t
sudo systemctl reload nginx
```
create Demo-App:
```bash
sudo vi /var/www/*domain-name*/*webapp*.php
```
## Demo Webapp (Addressbook)
```php
<?php
// Wir simulieren eine einfache Speicherung in einer Textdatei
$db_file = 'names.txt';
// 1. Speichern, wenn das Formular abgeschickt wurde
if (isset($_POST['name'])) {
file_put_contents($db_file, $_POST['name'] . PHP_EOL, FILE_APPEND);
}
// 2. Auslesen der Namen
$names = file_exists($db_file) ? file($db_file) : [];
?>
<!DOCTYPE html>
<html>
<head>
<title>Demo: Addressbook</title>
</head>
<body>
<h2>Einfaches Adressbuch</h2>
<form method="POST">
<input type="text" name="name" placeholder="Name eingeben..." required>
<button type="submit">Speichern</button>
</form>
<hr>
<h3>Eintr&auml;ge:</h3>
<?php foreach ($names as $name): ?>
<div class="entry">
Benutzer: <?php echo $name; ?>
</div>
<?php endforeach; ?>
<p><small><a href="?clear=1">Liste leeren</a></small></p>
<?php if(isset($_GET['clear'])) { file_put_contents($db_file, ""); } ?>
</body>
</html>
```
create txt file (as database):
```bash
cd /var/www/*domain-name*
sudo touch names.txt
sudo chown www-data:www-data names.txt
sudo chown www-data:www-data *webapp*
```
testing the webapp:
```
http://*domain-name*/*webapp*.php
```
06_xss_demo.md
-25
View File
@@ -1,25 +0,0 @@
# XSS/CSP Demo
## Environment
Demo App -> [Addressbook](enable_php.md)
## Demo
check that csp is not set in nginx
## Browser
add following name & press "Speichern":
```html
Charlie <div id="out"></div><script>document.onkeypress = function(e) {document.getElementById('out').innerHTML += e.key};</script>
```
and now type on your keyboard...
## CSP
set CSP in nginx config
```nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self';" always;
```
repeat the Demo.
07_CSP.md
-147
View File
@@ -1,147 +0,0 @@
# CSP
## XSS/CSP Demo
Using Demo-App [Addressbook](enable_php.md)
Using Instructions [XSS-Demo](xss_demo.md)
## Preparing Website for exercise
as simple playground...add following code-block to the index.html (or index.nginx-debian.html) before **`</body>`**
```html
<input id="hello_world" type="button" value="Hello World!" />
<script nonce="nginx_nonce">
document.getElementById("hello_world").addEventListener('click', hello);
function hello() {
alert("hello world!");
}
</script>
```
and add a style tag (within head-section):
```html
<style nonce="nginx_nonce">
h1 {color:red;}
</style>
```
## CSP general
Set the Content Security Policy. Edit the site configuration.
```nginx
server {
[...]
add_header Content-Security-Policy "default-src 'self';" always; # only resources from our webserver are loaded. Inline script/css tags are blocked as well!
[...]
}
```
afterwards compare the website to before (comment/uncomment the CSP header).
## CSP nonce
a simple example to generate a dynamic nonce per request...
edit the site configuration.
```nginx
server {
[...]
# nonce
set $nonce $request_id;
add_header Content-Security-Policy "default-src 'self' 'nonce-$nonce';" always; # only resources from our webserver are loaded
sub_filter 'nginx_nonce' "$nonce";
sub_filter_once off;
sub_filter_types text/html;
[...]
}
```
Note: *nginx_nonce* has to match to the value provided in the *script* and *style* tag.
Note2: Test the website again. The style and script tags should now be allowed, as they are whitelisted by using the nonce tag.
## CSP hash
nonce requires will and option to modify the source code of webapp...
another option is using hash-values in the CSP header.
comment the lines from above to have the style and script stop working again.
get hash-values from the debug-console of the browser and add it to the CSP instruction.
![firefox debug-console](./images/get_csp_hash.png)
```nginx
server {
[...]
# csp hash
add_header Content-Security-Policy "default-src 'self' 'nonce-$nonce' 'sha256-4qxDpGEJUcxjIP3NOEWlTKBLTDQ5y6fmRuEEO6ZT9Q0=' 'sha256-IKS/bMyKMqxTwEMnsaKruaZIbhySJGL+EebDepTqwUM=';" always; # only resources from our webserver are loaded
[...]
}
```
Note: Test the website again. The style and script tags should now be allowed, as they are whitelisted by providing their hash-value.
## CSP hash - external ressource
Example Ressource to integrate (can be internal or external hosted !):
```url
https://code.jquery.com/jquery-3.7.1.min.js
```
Note: jquery is (was) a popular library supporting in handling of events, dom-manipulation and request handling.
for external resources, calculate the hash using:
```bash
curl -s https://*domain*/*path-to-resource* | openssl dgst -sha256 -binary | openssl base64 -A
```
integrate the library to your website, by adding following script-tag:
```html
[...]
<script src="https://code.jquery.com/jquery-3.7.1.min.js"
integrity="sha256-/JqT3SQfawRcv/BIHPThkBvs0OEvtFFmqPF/lYI/Cxo="
crossorigin="anonymous">
</script>
</body>
</html>
```
Explanation:
- src: is the URL for fetching the resource
- integrity: the hash value of resource (to ensure it is exactly the expected resource) -> mandatory when combined with CSP hash
- crossorigin: explicit usage of CORS. Note: Legacy tags like "script", "img", ... historically do not use CORS, but are limited in usage (e.g. browser blocks full access to resources -> in case of bug, you see script failure but not what exactly). For usage of integrity, CORS is mandatory.
### Verify
refresh your website and use the development console (network analyse) to verify the resource is loaded.
enable CSP:
```nginx
server {
[...]
add_header Content-Security-Policy "default-src 'self';" always; # only resources from our webserver are loaded. Inline script/css tags are blocked as well!
[...]
}
```
Verify again. The ressource is no longer loaded, as it is blocked by CSP.
### enable external ressources
modify the CSP header:
```nginx
server {
[...]
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'sha256-/JqT3SQfawRcv/BIHPThkBvs0OEvtFFmqPF/lYI/Cxo=';" always;
[...]
}
```
Verify again. The ressource will now be loaded again as it is whitelisted using its hash-value.