Web Security

Exercise HTTP

Install XAMPP

Download XAMPP from ApacheFriends server:
Xampp project by Apache-friends. XAMPP contains a minimal setup for working on the web: Apache, PHP, MySQL, Perl, etc.
Extract the content of this file in any of your directories. For instance Q:\MyDir\.
Execute the file setup-xampp.bat in the installation directory (in our example Q:\MyDir\xampp\).
You can start xampp using the programm: xampp_start.exe
You can stop xampp using the programm: xampp_stop.exe
You can restart xampp using the programm: xampp_restart.exe
Test your server by clicking on : http://localhost.
You can now install your php arborescence in the directory Q:\MyDir\xampp\htdocs\.
Write a file called hello.html in the directory Q:\MyDir\xampp\htdocs\.
Content of the file:
```
<html><body>
<h1>Hello World</h1>
</body></html>
```
Now test that it works: http://localhost/hello.html

The instructions given hier are only valid for windows, Unix users will follow the instructions for their particular OS (Linux/Unix/Mac-OS X). The instructions given on apachefriends are precise enough.
Be carefull, XAMPP is not intended for a productive environment. In a productive environment, you have to setup everything and control everything.

Securize your XAMPP

Since the default for xampp is to be open, you have to close some doors:

Visit the Xampp home-page localhost/xampp/, then click on Security/Sicherheit.
You can see the obvious vulnerabilities of your system
Do like recommended:
On unix: /opt/lampp/lampp security
On Windows I don't know, but something similar should exist
You should also verify your firewall.

Generate your first requests

In order to generate some requests, you will use the telnet on the port 80 of a server. Under Unix start a console, on Windows, a cmd shell. Then execute the telnet telnet www.benoist.ch 80 where 80 is the port you want to connect and www.benoist.ch the site you want to connect.
Unfortunately, the Windows telnet client does not provide any way to see one's input. It is therefore convenient to write the input you want to type inside an editor (for instance edit) and then to copy/paste the code inside the telnet application.

Connect (using telnet on the port 80) the server www.benoist.ch. Write a request for the resource /WebSecurity/ , the answer must have the status 200. If the status is not 200, try again.
Write a small PHP containing a form with one field (username), and displaying the variable sent by this form of this form ("Hello $_REQUEST['username']"); you can also use the following PHP file: http-exercise-form.php (this file is a .PHPS(for source file), just rename it as a .PHP. This file must be placed in a directory in the htdocs/ directory of your web server.
Connect your localhost web-site (telnet port 80) and send a request for using a GET method for your page containing a username.
Connect your web-site and send a request for using a POST method for your page containing a username. YOu have to insert a content-length header (do not forget to count the content before sending it).
Connect the google web-site and send a request for "HTTP Tutorial" using a GET method. You have to URL encode your request.

Monitor HTTP trafic

Install Firefox Add-on for monitoring http headers: liveHTTPHeaders. Start the add-on: Menu Tools/live HTTP Headers. Start to trace HTTP headers.
Monitor the trafic with your php script.
Connect to the page http://staff.ti.bfh.ch/bie1. Count the number of requests (just for the page itself, not for images or css) and try to understand what appends.