Skipfish Web Application Security Tool

Last week, Slashdot had a link (http://code.google.com/p/skipfish/) to a Google project named skipfish, so I decided to download it. Today, I'm finally getting a chance to try it out. To stay out of trouble, I'm running a scan against my own web server.

Once it has completed its scan, I'll have an interactive site map, as web as a report to help me assess vulnerabilities of my web server. As it completed, it almost brought my system to a halt. It ended up causing hundreds of httpd processes to spawn on my system. This caused almost every bit of RAM and swap to get used up, and almost every application that I was running to be shut down. I have never seen such a high load average on my system, as it was over 80 on just a dual core!

In reading through the skipfish documentation, I came across some interesting links. First, http://code.google.com/p/browsersec/wiki/Part1, which is a document about web browser security. Second is this link to the Open Web Application Security Project (OWASP) http://www.owasp.org/index.php.

What is in an URI?


LDAP for Postfix Canonical Maps

I was very pleasantly surprised how easy it was to configure canonical maps for Postfix to use an LDAP server. Using the same OpenLDAP configuration that I just recently posted for aliases, I was able to add canonical maps in a matter of minutes. The benefit was that now if an email was sent from the command line, the map would rewrite the sending address to one that could be sent over the Internet and not just to other local users. I realized the need for this when I noticed that my girlfriend was trying to use Evolution to send mail (without configuring it) and it was being rejected by Internet mail servers because it appeared to originate from an invalid fedora.test domain.

First, I did it the traditional flat file way. I added this entry to /etc/postfix/canonical:

patricia cmtricia@gmail.com

Then, I added an entry into /etc/postfix/main.cf:

canonical_maps = hash:/etc/postfix/canonical

Now, I hashed the file using the command postmap /etc/postfix/canonical and reloaded the postfix service using the command service postfix reload.

Finally, I tested this by sending a mail from the command line while logged into the patricia account. This worked great! This would be the solution for the problem of my girlfriend trying to send mail without configuring a mail server.

However, I wanted to be able to extend this solution using my LDAP server for maps as well, so I changed my entry in /etc/postfix/main.cf to use LDAP for canonical lookups as well:

canonical_maps = hash:/etc/postfix/canonical, ldap:/etc/postfix/ldap-canonical.cf

Of course, I also needed an entry into my LDAP server, which I made with this:

[root@earth postfix]# ldapadd -x -D cn=Manager,dc=fedora,dc=test -W
Enter LDAP Password:
dn: cn=keith,ou=People,dc=fedora,dc=test
cn: keith
objectclass: nismailalias
objectclass: top
rfc822Mailmember: wright.keith@gmail.com

adding new entry "cn=keith,ou=People,dc=fedora,dc=test"

To create the /etc/postfix/ldap-canonical.cf, I copied the /etc/postfix/ldap-aliases-cf, which I blogged about an earlier post. Surprisingly, nothing in this file needed to change, but here it is for reference:

[root@earth postfix]# grep -v '^$' ldap-canonical.cf | grep -v '^#'
server_host = localhost.localdomain
server_port = 389
timeout = 10
bind = no
search_base = ou=People,dc=fedora,dc=test
result_attribute = rfc822MailMember
query_filter = (& (cn=%s)(objectClass=nisMailAlias))
debug_level = 4

Starting to test it, I executed:
[root@earth postfix]# service postfix reload
Reloading postfix: [ OK ]
[root@earth postfix]# postmap -q keith ldap:/etc/postfix/ldap-canonical.cf

Finally, I did the acid test. I logged into the keith account and sent and email out to one of my Internet email addresses. When I received the email, it indeed did appear to originate from wright.keith@gmail.com.

After further experimenting, I noticed that not just was the address rewritten outbound, but also inbound. This lead me to discover two other canonical maps. There is sender_canonical_maps and recipient_canonical_maps, as well as canonical_maps which applies to all mail in or out bound.

Ultimately, I changed the entry in the /etc/postfix/main.cf to just rewrite the address for outbound mail by using:

sender_canonical_maps = hash:/etc/postfix/canonical, ldap:/etc/postfix/ldap-canonical.cf

Now, I can still receive local mail as the user keith to my local mailbox, but when I send mail for the user keith, it always appear to come from wright.keith@gmail.com.


LDAP and Apache Integration

To integrate authentication to a specific location on my Apache web server with my OpenLDAP server, I used the following configuration in /etc/httpd/conf.d/ldapauth.conf:

LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ca-bundle.crt
LDAPTrustedClientCert CERT_BASE64 /etc/pki/tls/certs/localhost.pem

Options Indexes FollowSymLinks
AuthType Basic
AuthName "LDAP Authentication"
AuthBasicAuthoritative off
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://localhost.localdomain/dc=fedora,dc=test?uid??"
AuthLDAPBindDN uid=Patricia,ou=People,dc=fedora,dc=test
AuthLDAPBindPassword supersecret
require valid-user

I did use the Makefile in /etc/pki/tls/certs to "make localhost.pem" and copy it to the /etc/pki/tls/private directory as well. Here was what was in my slapd.conf (before it got slurped into the /etc/openldap/slapd.d directory).

[root@earth openldap]# grep -v '^$' slapd.conf | grep -v '^#'
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/localhost.pem
TLSCertificateKeyFile /etc/pki/tls/private/localhost.pem
database bdb
suffix "dc=fedora,dc=test"
checkpoint 1024 15
rootdn "cn=Manager,dc=fedora,dc=test"
rootpw simple
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
database monitor
access to *
by dn.exact="cn=Manager,dc=fedora,dc=test" read
by * none

LDAP and Postfix Integration

After struggling a little while to make it happen, I finally asked the guy who was the speaker at SCALE 8x about LDAP integration about why my LDAP server wasn't working with my Postfix mail server to look up aliases. In just a few minutes, I got my response, and he was right. It can be good to ask for help!

Here was the setup:
I'm using Fedora 12. (postfix-2.6.5-2.fc12.i686 and

My account entry in LDAP:

[root@earth postfix]# ldapsearch -LLL -x uid=keith
>> dn: uid=keith,ou=People,dc=fedora,dc=test
>> uid: keith
>> cn: Keith Wright
>> objectClass: account
>> objectClass: posixAccount
>> objectClass: top
>> objectClass: shadowAccount
>> shadowLastChange: 13363
>> shadowMax: 99999
>> shadowWarning: 7
>> loginShell: /bin/bash
>> uidNumber: 500
>> gidNumber: 500
>> homeDirectory: /home/keith
>> userPassword:: bXXXXXXXXXXXE=
>> An entry for an alias:
>> [root@earth postfix]# ldapsearch -LLL -x '(&
>> (cn=wrightrocket)(objectclass=nismailalias))' rfc822MailMember
>> dn: cn=wrightrocket,ou=People,dc=fedora,dc=test
>> rfc822MailMember: keith
>> From reading the LDAP_README, I have this parameter set in my main.cf:
>> [root@earth postfix]# postconf alias_maps
>> alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
>> Here is my /etc/postfix/ldap-aliases.cf:
>> server_host = localhost.localdomain
>> # defaults to localhost
>> server_port = 389
>> # default
>> timeout = 10
>> # default
>> bind = no
>> # default
>> search_base = ou=People,dc=fedora,dc=test
>> # location where aliases are stored in tree
>> ldapalias_result_attribute = rfc822MailMember
>> query_filter = (& (cn=%s)(objectClass=nisMailAlias))
>> debug_level = 4

As you can see, I pasted this from my email. What was the one change that made it work? Instead of ldapalias_result_attribute (several lines up), the proper parameter to set was result_attribute, and everything worked!

About Me - WrightRocket

My photo

I've worked with computers for over 30 years, programming, administering, using and building them from scratch.

I'm an instructor for technical computer courses, an editor and developer of training manuals, and an Android developer.