CST 620 Project 3: Web Application Security Controls

Hands-on Instructions: Web Application Security Controls

During this lab we will install a web server call WAMP. This lab will show you have to install a web server and enable secure communications with the web server

Download and Install WAMP

Before starting, you will need to visit the WAMP server official website and download the latest version of WAMP on your Windows VM in MARS. Follow the below steps to install it:

Download and Install WAMP

  1. Use this link to download the latest version of WAMP on your server in MARS.
  2. Once the WAMP server is downloaded on your server. Double click on the downloaded file to start the installation. You should see the language selection screen:
  3. Select your language and click on the OK button. You will be asked to read and accept the license agreement in the following screen:
  4. Read and accept the license agreement then click on the Next button. You should see the WAMP information screen:
  5. Read the WAMP important information then click on the Next button. You will be asked to define the installation folder location:
  6. Define your installation folder and click on the Next button. You will be redirected to the component selection screen:
  7. Select your required WAMP components such as, Apache, PHP, MySQL, MariaDB then click on the Next button. You will be asked to select the startmenu folder:
  8. Select your startmenu folder then click on the Next button. You should see the WAMP ready to install screen:
  9. Review all settings then click on the Install button to start the WAMP installation. You will be asked to select the default web browser.
  10. Click on the No button if you don’t want to continue with internet explorer browser. You will be asked to define the path of your browser exe file:
  11. Define the path of your Chrome browser and click on the Open button. You will be asked to set the notepad as the default editor:
  12. Click on the Yes to set the notepad as a default editor. Once the WAMP server has been installed on your server. You should see the complete setup screen:
  13. Click on the Finish button to complete the WAMP server installation and click the installation screen.

Verify WAMP Server

At this point, the WAMP server is installed on your server. Now. It’s time to test whether it is working or not.

To test the WAMP server, double click on the WAMP server icon on your desktop to start all WAMP services. Once all the services are started. Open your web browser and type the URL http://localhost on your Windows VM. You should see the WAMP server test page:

WAMP Test Page
WAMP Test Page

Access phpMyAdmin

Please open your web browser and type the URL http://localhost/phpmyadmin. You should see the phpMyAdmin login screen:

Provide default username as root, and leave the password field blank then click on the Go button. You should see the phpMyAdmin dashboard on the following screen:

Now that the WAMP server is up and working, we want to ensure you can reach the WAMP server over HTTP from the KALI VM.

Step 1: setting permissions to allow other users to access your server

In WAMP server version 3.0.6 you’ll need to modify the permissions that are found within Apache’s https-vhosts.conf file which can be found by clicking the WAMP icon in task bar and hovering over the “Apache” dropdown.

For this particular version of WAMP, this file dictates the general permissions for accessing the server, unlike earlier versions where settings had to modified in the httpd.conf file.If you have WAMP installed in the directory C:/wamp64, then by default your https-vhosts.conf file should look similar to the following:

<VirtualHost *:80>  
	ServerName localhost  
	DocumentRoot C:/wamp64/www  
	<Directory  "C:/wamp64/www/">  
		Options +Indexes +Includes +FollowSymLinks +MultiViews  
		AllowOverride All  
		Require local  

These settings- specifically “Require local”- currently only allow local connections from the computer on which the server is running, this should be modified to “Require all granted” which will allow any computer to connect to your server.

<VirtualHost *:80>  
	ServerName localhost  
	DocumentRoot C:/wamp64/www  
	<Directory  "C:/wamp64/www/">  
		Options +Indexes +Includes +FollowSymLinks +MultiViews  
		AllowOverride All  
		Require all granted  

This isn’t exactly great for security as you should rather only be allowing the specific IP’s that you want to connect with, but for this tutorial we’ll stick to this simple solution.

Step 2: Allowing connections to your server through your firewall

Currently, connections to port 80 (the port on which the server listens for connections) should be blocked by your firewall. To allow connections through this port you need to create a new inbound rule for your firewall. To do this you’ll need to navigate to your firewall’s advanced settings which can be found in the side-panel at:

Control Panel -> System and Security -> Windows Firewall

A window should now open that looks like the following:

From here we need to create a new inbound rule which can be done by navigating to the “Inbound rules” section and clicking “New rule…”.

Now in the window that appears you should select the following in the order they appear:

  • For rule type select “port”
  • For protocol select “TCP”
  • For ports select specific local port 80
  • Select “allow the connection”
  • For when the rule applies, select “public”, “private” and “domain”
  • Enter a name for the new rule, you can name it something similar to “WAMP”
  • Add the new rule

Once this inbound rule has been added, you should be able to connect to your WAMP server from you Kali VM.

In this next section of the lab, we want to evaluate the new WAMP server for vulnerabilities. We want to run some scans from the Kali VM to identify potential vulnerabilities on the WAMP server.

  1. From your Kali VM open a terminal window and enter in the below commandNamp –Pn [enter your windows VM IP]
  2. Review the results of the scan looking for the open ports You should see that port 80 is now open

For the next portion of the lab, we will enable SSL for the WAMP server. This will require software installation and the modification of several configuration files. Please take care to carefully read through the instructions and watch the video. Also please remember, DO NOT copy/paste commands from the document. You can inadvertently capture characters that do not below.

  1. Download OpenSSL from this URL https://slproweb.com/products/Win32OpenSSL.html
  2. After downloading the software start the installation wizard and leave all of the default configurations in place.
  3. After the software is downloaded, we need to create a certificate to be used for secure communication with the web application.
    1. Open a command prompt windows
    2. Enter the command “cd c:/program files/openssl-win64/bin/
    3. Next enter “openssl genrsa -aes256 -out private.key 2048”

Take Note

You will be asked to enter a pass phrase after entering this command. Ensure you write down the pass phrase or make it easy to remember. You will need it in later steps.

  1. Enter “openssl rsa -in private.key -out private.key” Ensure you enter the pass phrase from the previous step.

Take Note

After you enter the next command you will see an on screen prompt. You can just press the enter key through all of the options with the exception of the Common Name field. You need to enter “localhost” when you are prompted for the Common Name”.

  1. Lastly, type “openssl req -new -x509 -nodes -sha1 -key private.key -out certificate.crt -days 36500”

  1. Create a folder named “key” in the c:/wamp64/bin/apache/apache2.4.52.2/conf/ directory.

Take Note

The version of Apache may have changed since the writing of this lab guide. Please note the version of apache you have installed.

  1. Navigate to c:/program files/openssl-win64/bin/ to find the crt and private.key that you just created. Both of these need to be moved to the new folderc:/wamp64/bin/apache/apache2.4.52.2/conf/key/
  2. Open c:/wamp64/bin/apache/apache2.4.52.2/conf/httpd.conf and un-comment (remove the #) the following 3 lines:LoadModule ssl_module modules/mod_ssl.so
    Include conf/extra/httpd-ssl.conf
    LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

  1. Open c:/wamp64/bin/apache/apache2.4.41/conf/extra/httpd-ssl.conf and change all the parameters to the ones shown below.DocumentRoot “c:/wamp64/www”
    ServerName localhost:443
    ServerAdmin [email protected]
    ErrorLog “${SRVROOT}/logs/error.log”
    TransferLog “${SRVROOT}/logs/access.log”
    SSLSessionCache “shmcb:${SRVROOT}/logs/ssl_scache(512000)”
    SSLCertificateFile “${SRVROOT}/conf/key/certificate.crt”
    SSLCertificateKeyFile “${SRVROOT}/conf/key/private.key”
    CustomLog “${SRVROOT}/logs/ssl_request.log”

  1. Restart the WAMP server services and validate you can reach the server from your Windows VM
  2. Next we need to modify the virtual hosts file Open an D:\wamp64\bin\apache\apache2.4.46\conf\extra\httpd-vhosts.conf and update your virtual host
  3. Change the port :80 to :443 and add the following lines into the VirtualHost.SSLEngine on
    SSLCertificateFile “${SRVROOT}/conf/key/certificate.crt”
    SSLCertificateKeyFile “${SRVROOT}/conf/key/private.key”
  4. Now, we are done. Let’s restart a wamp server. If you see a green WAMP icon everything should be right. If the icon is orange there is a problem with your syntax somewhere.

Now that we have validated we can reach the WAMP server over HTTPS we want to disable the firewall rule that allows traffic on the insecure HTTP protocol and we want to create a new rule that allows HTTPS. Follow the next few steps to create a new firewall rule and validate things work.

  1. Use the search feature to locate the Windows Defender Firewall
  2. Select the menu item to add a new rule
  3. Follow the same process you completed earlier to create the WAMP rule except this time enter the port “443” instead of port “80”
  4. Locate the WAMP rule we created earlier and disable the rule
  5. Test your access again from both the Windows and Kali VMs

© 2023 University of Maryland Global Campus

All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity of information located at external sites.

Answer Preview: Web Application Security Controls