Web Applications
Automated Security Testing
in a Continuous Delivery Pipeline
At #DrupalDevDaysSeville by @FedirFr
About this workshop
● Duration 2 hours
● 100% open source powered
● Intermediate technical level required
● Oriented to Developers / QA / Operations / CTO / ...
● Interactive, study-oriented ...
Workshop content
● Theoretical part
● Introduction to Web security
○ Major security risks
○ Pentesting types
● Insecure code
● Drupalxploitable project
● Practical part
● Vulnerable site create / study
● Manual security testing with scanners
● Manual security testing using Zed Attack Proxy GUI
● Automated security testing
Introduction to Web Security
Major Risks
Pentesting methods - Black-box
● We don't know what is inside
● Testing as an external user
Pentesting methods - Grey-box
● We have advanced access to the project
Pentesting methods - White-box
● We know all about the project
● We have access to the project code
Manual Penetration Testing
Diagram: Scanner → Target
Manual Penetration Testing with Proxy
Diagram: Web browser → Attack Proxy → Target
Automating Penetration Testing
Diagram: Web browser → Attack Proxy → Target, driven by a Security Framework from CI, with findings sent to a Bug tracker
Classical continuous delivery model - https://en.wikipedia.org/wiki/Continuous_delivery
How to write (in)secure code for Drupal 8
Current situation for Drupal 8
● https://www.drupal.org/docs/8/security/writing-secure-code-for-drupal-8
a. Sanitizing on output to avoid Cross Site Scripting (XSS) attacks: t(), Html::escape, Xss::filter() or Xss::filterAdmin()
b. Checking URLs: UrlHelper::stripDangerousProtocols(), UrlHelper::filterBadProtocol(), SafeMarkup::format()
c. Use the database abstraction layer to avoid SQL injection attacks
Bad code example - SQL Injection
db_query('SELECT foo FROM {table} t WHERE t.name = '. $_GET['user']);
Exploit example : https://www.exploit-db.com/exploits/34993/
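The two defects on these slides (a request parameter concatenated into db_query(), and untrusted text handed straight to '#markup') are PHP, and the fixes Drupal prescribes are placeholder binding in the database layer and check_plain() / Html::escape on output. The following is an added example, not code from the slides or from Drupal core: it transposes both defects and both fixes into Python against an in-memory SQLite table so the difference in behaviour can be executed. The users table, its three rows and the crafted input are constructed sample data.

```python
"""Vulnerable versus hardened handling of untrusted input (added example)."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for Drupal's {users} table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, mail TEXT)")
    conn.executemany(
        "INSERT INTO users (name, mail) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user: str) -> list:
    """Mirrors db_query('SELECT ... WHERE t.name = ' . $_GET['user']).

    The request value is spliced into the SQL text, so a quote inside it ends
    the literal and the remainder is parsed as SQL: the input can change the
    shape of the query. (Quotes are added around the value here only so the
    benign case runs at all; the slide's code does not even do that.)
    """
    sql = "SELECT name FROM users WHERE name = '" + user + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, user: str) -> list:
    """Uses the database layer's placeholder binding, as Drupal's db_query()
    does with ':name' placeholders; the value travels as data, never as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (user,))
    return [row[0] for row in rows]


def render_vulnerable(info_name: str) -> str:
    """Mirrors '#markup' => $info['name']: untrusted text emitted as HTML as-is."""
    return "<td>" + info_name + "</td>"


def render_hardened(info_name: str) -> str:
    """Mirrors '#markup' => check_plain($info['name']) (Html::escape in Drupal 8):
    entity-encode the text so the browser displays it instead of parsing it."""
    return "<td>" + html.escape(info_name, quote=True) + "</td>"


if __name__ == "__main__":
    db = make_db()
    crafted = "alice' OR name = 'bob"          # constructed input containing a quote
    print("concatenated :", lookup_vulnerable(db, crafted))   # ['alice', 'bob']
    print("parameterised:", lookup_hardened(db, crafted))     # []
    print(render_vulnerable("<b>name</b>"))
    print(render_hardened("<b>name</b>"))
```

The concatenated query returns two rows for an input that names one user, because the quote in the input closed the literal and the rest became part of the WHERE clause; the parameterised query returns none, because no user is literally called alice' OR name = 'bob. The same contrast holds for the markup: escaped output shows the angle brackets, raw output hands them to the browser.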
Bad code example - XSS exploits
- --- modules/system/system.admin.inc 2013-04-03 17:29:52.000000000 -0400
+++ modules/system/system.admin.inc 2013-08-07 10:47:29.277279676 -0400
@@ -979,10 +979,10 @@ function _system_modules_build_row($info
);
// Set the basic properties.
$form['name'] = array(
- - '#markup' => $info['name'],
+ '#markup' => check_plain($info['name']),
);
$form['description'] = array(
- - '#markup' => t($info['description']),
+ '#markup' => t("@desc", array('@desc' => $info['description'])),
);
$form['version'] = array(
'#markup' => $info['version'],
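Review bot: the trailing context still passes `$info['version']` straight to '#markup' while the name and description lines just above are now wrapped in check_plain() and a t() '@desc' placeholder; unless the version string is validated elsewhere, give it the same check_plain() treatment so every field of the module row is escaped consistently.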
http://seclists.org/fulldisclosure/2013/Aug/158
There are many more risks ...
SQL, HTML, iFrame, SSI, OS Command, PHP, XML, XPath, LDAP, Host Header and SMTP injections
Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
AJAX and Web Services issues (jQuery/JSON/XML/SOAP/WSDL)
Authentication, authorization and session issues, file upload flaws and backdoor files
Arbitrary file access, directory traversals, local and remote file inclusions (LFI/RFI)
Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures,...
HTTP parameter pollution, HTTP response splitting and HTTP verb tampering
Insecure DistCC, FTP, NTP, Samba, SNMP, VNC and WebDAV configurations
HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
XML External Entity attacks (XXE) and Server Side Request Forgery (SSRF)
Heartbleed and Shellshock vulnerability (OpenSSL), Denial-of-Service (DoS) attacks
Parameter tampering, cookie and password reset poisoning ...
Drupalxploitable
About Drupalxploitable
● Purposely vulnerable Drupal installation
● Basically : “a very crappy Drupal site”
● Open source (github)
Existing projects in PHP world
Damn Vulnerable Web Application (DVWA)
http://www.dvwa.co.uk/
Mutillidae
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
WebGoatPHP
https://github.com/shivamdixit/WebGoatPHP
buggy web application
http://www.itsecgames.com/
And even a standalone distribution
Metasploitable
https://sourceforge.net/projects/metasploitable/
Practical part
Used infrastructure
● Virtualbox
○ Ubuntu 16.04 LTS server 64 bit
○ Jenkins CI
○ OWASP ZAP, sqlmap
○ Drupalxploitable vulnerable site
SSH
Access from the host on port 2222 (mapped to 22)
ssh drupal@127.0.0.1 -p 2222
root / password
Jenkins
Access from the host: http://127.0.0.1:8180/
Internal VM access: http://127.0.0.1:8080/
Admin credentials : admin / password
Drupal / Apache
Access from the host: http://127.0.0.1:8280/
Internal VM access: http://127.0.0.1/
Admin credentials : drupal / drupal
Virtualbox - Services description
sqlmap
python sqlmap.py -v 2 --url=http://127.0.0.1/user/ --user-agent=SQLMAP \
  --delay=1 --retries=2 --keep-alive --threads=5 --batch --dbms=MySQL --os=Linux \
  --level=5 --risk=2 --banner --is-dba --dbs --tables --technique=BEUST \
  -s /tmp/scan_report.txt --flush-session -t /tmp/scan_trace.txt --fresh-queries
CMSmap
python cmsmap.py -t http://127.0.0.1 -f D
https://github.com/Dionach/CMSmap
droopescan
droopescan scan drupal -u http://127.0.0.1/ -t 8
https://github.com/droope/droopescan
gauntlt
https://github.com/gauntlt/gauntlt
https://github.com/gauntlt/gauntlt-demo/tree/master/examples
Uses natural language in a Given, When, Then Gherkin syntax to describe security requirements as features.
bdd-security
https://github.com/continuumsecurity/bdd-security
https://www.continuumsecurity.net/bdd-security/
Selenium + OWASP ZAP + Nessus + SSLyze + Internal security tools
OWASP ZAP
OWASP ZAP - Simple scan
zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' http://127.0.0.1/
zap-cli --api-key coeoobt6fof9k4g3iajshtnp7v quick-scan --self-contained --spider -r http://127.0.0.1/
* The API key can be found in ~/.ZAP/config.xml of the current user.
OWASP ZAP - Simple scan with ZAPR
zapr --debug --summary http://127.0.0.1
OWASP ZAP - Running as a daemon
/opt/zaproxy/zap.sh -daemon -host 0.0.0.0 -port 8480
Docker usage is also possible: https://github.com/zaproxy/zaproxy/wiki/Docker
OWASP ZAP - Plugins management
Install all plugins (takes some time):
su jenkins /opt/zaproxy/zap.sh -daemon -host 0.0.0.0 -port 8480 -addoninstallall
Install a selected plugin:
su jenkins /opt/zaproxy/zap.sh -daemon -host 0.0.0.0 -port 8480 -addoninstall exportreport
* Plugins are installed in the ~/.ZAP folder of the user who launches ZAP.
** Plugin keys can be found here:
https://github.com/zaproxy/zap-extensions/releases
OWASP ZAP
https://github.com/zaproxy/zaproxy/wiki/Docker
zap.sh -daemon -host 0.0.0.0 -port 8480
zap-x.sh -daemon -host 0.0.0.0 -port 8080
zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' http://target
Configure Jenkins CI security project
Diagram: an Ubuntu server VM hosts the Jenkins CI server, the Drupalxploitable site and OWASP Zed Attack Proxy; the Jenkins security project runs the security scan through ZAP against Drupalxploitable and reports the results.
Drupal automated security testing model
Jenkins - Plugins used
● Official OWASP ZAP Jenkins Plugin
● Environment Injector Plugin
Jenkins - OWASP ZAP Plugin - Configuration
https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin
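The ZAP slides above show how to start the daemon and run a quick scan, and the Jenkins model shows the CI server running the scan and reporting results, but neither shows the step that makes the pipeline a gate: turning ZAP's alerts into a pass/fail verdict. The following is an added example, not the workshop's or the ZAP project's code. It assumes a ZAP daemon started as on the slides (zap.sh -daemon -host 0.0.0.0 -port 8480) and drives it over ZAP's JSON API with the standard library only; the endpoint names used (spider/action/scan, spider/view/status, ascan/action/scan, ascan/view/status, core/view/alerts) are ZAP's, while the ZAP_URL and ZAP_API_KEY environment variables and the script name are this example's own convention. SAMPLE_ALERTS is constructed data in the shape of a core/view/alerts reply so the gating logic can be exercised without a running ZAP.

```python
"""Run an OWASP ZAP scan from a CI job and fail the build on its alerts (added example)."""
import json
import os
import sys
import time
import urllib.parse
import urllib.request

ZAP_URL = os.environ.get("ZAP_URL", "http://127.0.0.1:8480")
# The key lives in ~/.ZAP/config.xml of the user running ZAP (see the slides);
# leave it empty when the daemon was started with -config api.disablekey=true.
ZAP_API_KEY = os.environ.get("ZAP_API_KEY", "")
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def zap_call(component: str, kind: str, name: str, **params) -> dict:
    """GET {ZAP_URL}/JSON/<component>/<kind>/<name>/?apikey=...&k=v, parsed as JSON."""
    query = urllib.parse.urlencode({"apikey": ZAP_API_KEY, **params})
    url = f"{ZAP_URL}/JSON/{component}/{kind}/{name}/?{query}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_for(component: str, scan_id: str) -> None:
    """Poll a spider or active-scan job until ZAP reports 100 % progress."""
    while int(zap_call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(2)


def run_scan(target: str) -> list:
    """Spider the target, then active-scan it, and return ZAP's alert list."""
    wait_for("spider", zap_call("spider", "action", "scan", url=target)["scan"])
    wait_for("ascan", zap_call("ascan", "action", "scan", url=target)["scan"])
    return zap_call("core", "view", "alerts", baseurl=target)["alerts"]


def summarize(alerts: list) -> dict:
    """Count distinct alert names per risk level (one finding on many URLs counts once)."""
    names = {level: set() for level in RISK_ORDER}
    for alert in alerts:
        risk = alert.get("risk")
        if risk in names:
            names[risk].add(alert.get("alert"))
    return {level: len(found) for level, found in names.items()}


def gate(alerts: list, fail_on: str = "High", max_allowed: int = 0):
    """Decide whether the build passes.

    Returns (ok, summary): ok is False when the number of distinct findings at
    risk level fail_on or above exceeds max_allowed. Start with High, then
    tighten to Medium once the backlog is cleared; a gate that always fails
    is quickly ignored by the team.
    """
    summary = summarize(alerts)
    blocking = sum(n for level, n in summary.items()
                   if RISK_ORDER[level] >= RISK_ORDER[fail_on])
    return blocking <= max_allowed, summary


# Constructed sample in the shape of a core/view/alerts reply, for offline use.
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://127.0.0.1/user/"},
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://127.0.0.1/node/1"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "confidence": "Medium", "url": "http://127.0.0.1/"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low",
     "confidence": "Medium", "url": "http://127.0.0.1/user/login"},
]


if __name__ == "__main__":
    # Usage in a Jenkins shell step: python3 zap_gate.py http://127.0.0.1/ Medium
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1/"
    level = sys.argv[2] if len(sys.argv) > 2 else "High"
    ok, summary = gate(run_scan(target), fail_on=level)
    print(json.dumps(summary))
    sys.exit(0 if ok else 1)   # a non-zero exit marks the Jenkins build as failed
```

The exit status is what connects the scan to the continuous delivery pipeline: a Jenkins shell step that exits non-zero fails the build, so the deploy stage after it never runs. Counting distinct alert names rather than raw alert entries keeps one injectable parameter that ZAP reports on many URLs from looking like many separate findings.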
Resources
● https://martijnvanlambalgen.wordpress.com/2015/10/18/automating-your-vulnerability-scan-with-owasp-zap/
● https://www.securify.nl/blog/SFY20150303/automating_security_tests_using_owasp_zap_and_jenkins.html
● https://tools.pentestbox.org/
● https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project
● http://connect.ed-diamond.com/MISC/MISC-087/Pourquoi-inclure-la-securite-dans-votre-pipeline-DevOps
● https://www.owasp.org/index.php/Automated_Audit_using_SQLMap
● https://myexploit.wordpress.com/information-gathering-sqlmap/
● https://insights.sei.cmu.edu/devops/2016/01/adding-security-to-your-devops-pipeline.html
● https://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
● https://es.slideshare.net/StephendeVries2/automating-security-tests-for-continuous-integration
● https://www.drupal.org/docs/8/security/writing-secure-code-for-drupal-8
● https://www.drupal.org/node/101496
● https://www.drupal.org/taxonomy/term/127
● https://www.owasp.org/index.php/How_to_write_insecure_code
● https://es.slideshare.net/StephendeVries2/continuous-and-visible-security-testing-with-bddsecurity
● https://theagileadmin.com/2015/12/03/security-tooling-delivered-by-docker/
Special thanks
● To my company @AgenceStratis, which shares our view of the importance of open source culture
● To Mikke Schirén (@mikkdroid) from Wunderkraut, who really helped us with the Jenkins 2 configuration during the workshop day
● To the Drupal Developer Days Sevilla team for the great organization of the event.

 

DDD17 - Web Applications Automated Security Testing in a Continuous Delivery Pipeline

  • 1. Web Applications Automated Security Testing in a Continuous Delivery Pipeline
    At #DrupalDevDaysSeville by @FedirFr
  • 2. About this workshop
    ● Duration 2 hours
    ● 100% open source powered
    ● Intermediate technical level required
    ● Oriented Developers / QA / Operations / CTO / ...
    ● Interactive, study-oriented ...
  • 3. Workshop content
    ● Theoretical part
    ● Introduction to Web security
      ○ Major security risks
      ○ Pentesting types
    ● Insecure code
    ● Drupalxploitable project
    ● Practical part
    ● Vulnerable site create / study
    ● Manual security testing with scanners
    ● Manual security testing using Zed Attack Proxy GUI
    ● Automated security testing
  • 6. Pentesting methods - Black-box
    ● We don't know what is inside
    ● Testing as an external user
  • 7. Pentesting methods - Grey-box
    ● We have advanced access to the project
  • 8. Pentesting methods - White-box
    ● We know all about the project
    ● We have access to the project code
  • 10. Manual Penetration Testing with Proxy
    Web browser → Attack Proxy → Target
  • 11. Automating Penetration Testing
    Web browser → Attack Proxy → Target
    Security Framework, CI, Bugtracker
  • 12. Classical continuous delivery model - https://en.wikipedia.org/wiki/Continuous_delivery
  • 13. How to write (in)secure code for Drupal 8
  • 14. Current situation for Drupal 8
    ● https://www.drupal.org/docs/8/security/writing-secure-code-for-drupal-8
      a. Sanitizing on output to avoid Cross Site Scripting (XSS) attacks: t(), Html::escape(), Xss::filter() or Xss::filterAdmin()
      b. Checking URLs: UrlHelper::stripDangerousProtocols(), UrlHelper::filterBadProtocol(), SafeMarkup::format()
      c. Use the database abstraction layer to avoid SQL injection attacks
  • 15. Bad code example - SQL Injection
    db_query('SELECT foo FROM {table} t WHERE t.name = '. $_GET['user']);
    Exploit example: https://www.exploit-db.com/exploits/34993/
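    The two rules behind slides 14 and 15 (bind values through the database layer, escape on output), as an added illustration written for this page: it is not Drupal core code and not from the workshop. Python with an in-memory SQLite table stands in for the Drupal PHP so that it runs anywhere; the function names and sample rows are constructed, and the Drupal equivalents are :name placeholders in db_query() / the database API and Html::escape() (check_plain() in Drupal 7).

```python
"""Injection and output escaping, the two rules from slides 14 and 15.

Added illustration written for this page (not Drupal core code and not
from the workshop). Python and an in-memory SQLite table stand in for the
Drupal PHP so it runs anywhere; the Drupal equivalents are :name
placeholders in db_query() / the database API and Html::escape().
"""
import html
import sqlite3

# Constructed sample rows standing in for a users table.
SAMPLE_ROWS = [
    ("admin", "admin@example.test"),
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
]


def make_db():
    """Fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, mail TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_user_unsafe(conn, name):
    """The slide 15 pattern: the request parameter is glued into the SQL
    text, so quotes inside it change the meaning of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """The abstraction-layer way: the driver binds the value, so it can
    never become SQL, whatever characters it contains."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_cell_unsafe(value):
    """Equivalent of '#markup' => $info['name'] before the slide 16 patch:
    untrusted text goes out as HTML."""
    return "<td>" + value + "</td>"


def render_cell_safe(value):
    """Equivalent of check_plain() / Html::escape(): the text is displayed,
    not interpreted as markup."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"               # tautology: no user has this name
    print(find_user_unsafe(db, probe))   # concatenation: every row leaks
    print(find_user_safe(db, probe))     # placeholder: []
    print(render_cell_safe("<script>alert(1)</script>"))
```

    The same probe returns the whole table through the concatenated query and nothing through the bound one; that difference is exactly what sqlmap (slide 25) looks for, so fixing the query shape is what makes the scan come back clean.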
  • 16. Bad code example - XSS exploits - --- modules/system/system.admin.inc 2013-04-03 17:29:52.000000000 -0400 +++ modules/system/system.admin.inc 2013-08-07 10:47:29.277279676 -0400 @@ -979,10 +979,10 @@ function _system_modules_build_row($info ); // Set the basic properties. $form['name'] = array( - - '#markup' => $info['name'], + '#markup' => check_plain($info['name']), ); $form['description'] = array( - - '#markup' => t($info['description']), + '#markup' => t("@desc", array('@desc' => $info['description'])), ); $form['version'] = array( '#markup' => $info['version'], http://seclists.org/fulldisclosure/2013/Aug/158
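    Review bot: the hunk wraps $info['name'] in check_plain() and moves $info['description'] behind a t() @desc placeholder, but its trailing context still emits `'#markup' => $info['version'],` for $form['version'] unescaped; all three values are read from the same module .info file and deserve the same treatment, so change it to `'#markup' => check_plain($info['version']),` in the same patch.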
  • 17. There are many more risks ...
    SQL, HTML, iFrame, SSI, OS Command, PHP, XML, XPath, LDAP, Host Header and SMTP injections
    Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
    AJAX and Web Services issues (jQuery/JSON/XML/SOAP/WSDL)
    Authentication, authorization and session issues, file upload flaws and backdoor files
    Arbitrary file access, directory traversals, local and remote file inclusions (LFI/RFI)
    Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures, ...
    HTTP parameter pollution, HTTP response splitting and HTTP verb tampering
    Insecure DistCC, FTP, NTP, Samba, SNMP, VNC and WebDAV configurations
    HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
    XML External Entity attacks (XXE) and Server Side Request Forgery (SSRF)
    Heartbleed and Shellshock vulnerabilities (OpenSSL), Denial-of-Service (DoS) attacks
    Parameter tampering, cookie and password reset poisoning ...
  • 19. About Drupalxploitable
    ● Purposefully vulnerable Drupal installation
    ● Basically: “a very crappy Drupal site”
    ● Open source (github)
  • 20. Existing projects in the PHP world
    Damn Vulnerable Web Application (DVWA) http://www.dvwa.co.uk/
    Mutillidae http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
    WebGoatPHP https://github.com/shivamdixit/WebGoatPHP
    buggy web application http://www.itsecgames.com/
  • 21. And even a standalone distribution
    Metasploitable https://sourceforge.net/projects/metasploitable/
  • 23. Used infrastructure
    ● Virtualbox
      ○ Ubuntu 16.04 LTS server 64 bit
      ○ Jenkins CI
      ○ OWASP ZAP, sqlmap
      ○ Drupalxploitable vulnerable site
  • 24. Virtualbox - Services description
    SSH
      Access from the host on port 2222 (mapped to 22): ssh drupal@127.0.0.1 -p 2222
      root / password
    Jenkins
      Access from the host: http://127.0.0.1:8180/
      Internal VM access: http://127.0.0.1:8080/
      Admin credentials: admin / password
    Drupal / Apache
      Access from the host: http://127.0.0.1:8280/
      Internal VM access: http://127.0.0.1/
      Admin credentials: drupal / drupal
  • 25. sqlmap
    python sqlmap.py -v 2 --url=http://127.0.0.1/user/ --user-agent=SQLMAP --delay=1 --retries=2 --keep-alive --threads=5 --batch --dbms=MySQL --os=Linux --level=5 --risk=2 --banner --is-dba --dbs --tables --technique=BEUST -s /tmp/scan_report.txt --flush-session -t /tmp/scan_trace.txt --fresh-queries
  • 26. CMSmap
    python cmsmap.py -t http://127.0.0.1 -f D
    https://github.com/Dionach/CMSmap
  • 27. droopescan
    droopescan scan drupal -u http://127.0.0.1/ -t 8
    https://github.com/droope/droopescan
  • 28. gauntlt
    https://github.com/gauntlt/gauntlt
    https://github.com/gauntlt/gauntlt-demo/tree/master/examples
    Uses natural language in a Given, When, Then Gherkin syntax to describe security requirements as features.
  • 31. OWASP ZAP - Simple scan
    zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' http://127.0.0.1/
    zap-cli --api-key coeoobt6fof9k4g3iajshtnp7v quick-scan --self-contained --spider -r http://127.0.0.1/
    * The API key can be found in ~/.ZAP/config.xml of the current user.
  • 32. OWASP ZAP - Simple scan with ZAPR
    zapr --debug --summary http://127.0.0.1
  • 33. OWASP ZAP - Running as a daemon
    /opt/zaproxy/zap.sh -daemon -host 0.0.0.0 -port 8480
    Docker usage is also possible: https://github.com/zaproxy/zaproxy/wiki/Docker
  • 34. OWASP ZAP - Plugins management
    Install all plugins (takes some time):
    su jenkins
    /opt/zaproxy/zap.sh -daemon -host 0.0.0.0 -port 8480 -addoninstallall
    Install a selected plugin:
    su jenkins
    /opt/zaproxy/zap.sh -daemon -host 0.0.0.0 -port 8480 -addoninstall exportreport
    * Plugins are installed in the ~/.ZAP folder of the user who launches ZAP.
    ** Plugin keys can be found here: https://github.com/zaproxy/zap-extensions/releases
  • 35. OWASP ZAP
    https://github.com/zaproxy/zaproxy/wiki/Docker
    zap.sh -daemon -host 0.0.0.0 -port 8480
    zap-x.sh -daemon -host 0.0.0.0 -port 8080
    zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' http://target
  • 36. Configure Jenkins CI security project
  • 37. Drupal automated security testing model
    Ubuntu server VM containing the Jenkins CI Server, OWASP ZED Attack Proxy and Drupalxploitable: Jenkins runs the security scan through ZAP, and ZAP reports the results back to Jenkins.
  • 38. Jenkins - Plugins used
    ● Official OWASP ZAP Jenkins Plugin
    ● Environment Injector Plugin
  • 39. Jenkins - OWASP ZAP Plugin - Configuration
    https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin
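    The "Report results" arrow of the slide 37 model needs a decision rule before Jenkins can mark a build red, so here is an added example of such a gate, written for this page rather than taken from the workshop, from zap-cli or from the Jenkins ZAP plugin. It assumes the alert list shape returned by ZAP's core/view/alerts API (the list that `zap-cli alerts -f json` prints, an assumption about that tool's output), a constructed sample of such alerts rather than a real scan of the VM, and that a non-zero exit status is what the CI step turns into a failed build.

```python
"""CI gate over OWASP ZAP alerts.

Added example for the Jenkins/ZAP model of slide 37; not code from the
workshop, from zap-cli or from the Jenkins ZAP plugin. Assumes the alert
list shape returned by ZAP's core/view/alerts API and that a non-zero
exit status fails the CI step.
"""
import json
import sys

# ZAP risk levels ranked; ZAP uses the same Low/Medium/High words for
# confidence, so the table serves both. Any other confidence value ZAP may
# emit is ranked lowest here (a simplification of this example).
LEVELS = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample alerts (not a real scan of the workshop VM).
SAMPLE_ALERTS_JSON = json.dumps([
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High",
     "confidence": "Medium", "url": "http://127.0.0.1/user/", "param": "name", "cweid": "89"},
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High",
     "confidence": "Medium", "url": "http://127.0.0.1/user/", "param": "name", "cweid": "89"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "confidence": "Low", "url": "http://127.0.0.1/search/node", "param": "keys", "cweid": "79"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "http://127.0.0.1/", "param": "", "cweid": "16"},
])


def dedupe(alerts):
    """ZAP raises one alert per request; collapse repeats of the same rule on
    the same URL and parameter so the counts reflect distinct findings."""
    seen, unique = set(), []
    for alert in alerts:
        key = (alert.get("pluginId"), alert.get("url"), alert.get("param"))
        if key not in seen:
            seen.add(key)
            unique.append(alert)
    return unique


def evaluate(alerts_json, fail_on="High", min_confidence="Medium", accepted=()):
    """Apply the gate policy and return (passed, summary).

    fail_on:        lowest risk level that blocks the build.
    min_confidence: findings at or above fail_on but below this confidence are
                    listed for manual triage instead of failing the build.
    accepted:       pluginIds whose risk was formally accepted and is tracked
                    in the bug tracker of the slide 11 pipeline.
    """
    alerts = dedupe(json.loads(alerts_json))
    counts = {level: 0 for level in LEVELS}
    blocking, triage = [], []
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
        if LEVELS.get(risk, 0) < LEVELS[fail_on]:
            continue
        if str(alert.get("pluginId")) in accepted:
            continue
        if LEVELS.get(alert.get("confidence"), 0) < LEVELS[min_confidence]:
            triage.append(alert)
        else:
            blocking.append(alert)
    return (not blocking, {"counts": counts, "blocking": blocking, "triage": triage})


def main(argv):
    """Read alerts from a file path (or fall back to the sample); exit 1 on failure."""
    if len(argv) > 1:
        with open(argv[1]) as handle:
            data = handle.read()
    else:
        data = SAMPLE_ALERTS_JSON
    passed, summary = evaluate(data)
    for alert in summary["blocking"]:
        print("FAIL  %(risk)s %(alert)s %(url)s param=%(param)s" % alert)
    for alert in summary["triage"]:
        print("CHECK %(risk)s %(alert)s %(url)s (confidence %(confidence)s)" % alert)
    print("counts:", summary["counts"])
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Run it as a Jenkins shell step after the scan (`python zap_gate.py alerts.json`, a constructed file name): the exit status fails the build, the FAIL lines name the findings to fix, and the CHECK lines are the low-confidence hits that go to a human rather than being silently dropped. Accepted pluginIds should only be added together with the tracker ticket that records why.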
  • 40. Resources
    ● https://martijnvanlambalgen.wordpress.com/2015/10/18/automating-your-vulnerability-scan-with-owasp-zap/
    ● https://www.securify.nl/blog/SFY20150303/automating_security_tests_using_owasp_zap_and_jenkins.html
    ● https://tools.pentestbox.org/
    ● https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project
    ● http://connect.ed-diamond.com/MISC/MISC-087/Pourquoi-inclure-la-securite-dans-votre-pipeline-DevOps
    ● https://www.owasp.org/index.php/Automated_Audit_using_SQLMap
    ● https://myexploit.wordpress.com/information-gathering-sqlmap/
    ● https://insights.sei.cmu.edu/devops/2016/01/adding-security-to-your-devops-pipeline.html
    ● https://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015
    ● https://es.slideshare.net/StephendeVries2/automating-security-tests-for-continuous-integration
    ● https://www.drupal.org/docs/8/security/writing-secure-code-for-drupal-8
    ● https://www.drupal.org/node/101496
    ● https://www.drupal.org/taxonomy/term/127
    ● https://www.owasp.org/index.php/How_to_write_insecure_code
    ● https://es.slideshare.net/StephendeVries2/continuous-and-visible-security-testing-with-bddsecurity
    ● https://theagileadmin.com/2015/12/03/security-tooling-delivered-by-docker/
  • 41. Special thanks
    ● To my company @AgenceStratis, which shares our view of the importance of open source culture
    ● To Mikke Schirén (@mikkdroid) from Wunderkraut, who really helped us with the Jenkins 2 configuration during the workshop day
    ● To the Drupal Developer Days Sevilla team for the great organization of the event.