Slides from the "Web Applications Automated Security Testing in a Continuous Delivery Pipeline" workshop, held during Drupal Developers Days 2017 in Seville, Spain
14. Current situation for Drupal 8
● https://www.drupal.org/docs/8/security/writing-secure-code-for-drupal-8
a. Sanitizing on output to avoid Cross Site Scripting (XSS) attacks: t(), Html::escape(), Xss::filter() or Xss::filterAdmin()
b. Checking URLs: UrlHelper::stripDangerousProtocols(), UrlHelper::filterBadProtocol(), SafeMarkup::format()
c. Use the database abstraction layer to avoid SQL injection attacks
15. Bad code example - SQL Injection
db_query('SELECT foo FROM {table} t WHERE t.name = '. $_GET['user']);
Exploit example: https://www.exploit-db.com/exploits/34993/
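The same lookup written safely, as an added example that is not part of the slides: it assumes a bootstrapped Drupal 8 site (called from a module's controller, for instance) and reuses the slide's placeholder table and column names rather than a real schema.

```php
<?php
// Added example, not from the slides: the injectable query from slide 15
// next to two safe Drupal 8 forms. Assumes a bootstrapped Drupal 8 site
// (e.g. called from a module's controller); {table}, name and foo are the
// placeholder names used on the slide, not a real schema.

use Drupal\Component\Utility\Html;

/**
 * Vulnerable (as on the slide, with the procedural db_query() wrapper
 * replaced by the Drupal 8 connection object): the raw request value is
 * concatenated into the SQL text, so whatever the client sends becomes
 * part of the statement itself.
 */
function lookup_foo_vulnerable(string $user): array {
  return \Drupal::database()
    ->query('SELECT foo FROM {table} t WHERE t.name = ' . $user)
    ->fetchCol();
}

/**
 * Fixed, variant 1: a named placeholder. The abstraction layer hands the
 * value to the driver separately from the SQL text, so it cannot change
 * the query's structure, whatever it contains.
 */
function lookup_foo_placeholder(string $user): array {
  return \Drupal::database()
    ->query('SELECT foo FROM {table} t WHERE t.name = :name', [':name' => $user])
    ->fetchCol();
}

/**
 * Fixed, variant 2: the query builder, which quotes identifiers and binds
 * condition values itself.
 */
function lookup_foo_builder(string $user): array {
  return \Drupal::database()->select('table', 't')
    ->fields('t', ['foo'])
    ->condition('t.name', $user)
    ->execute()
    ->fetchCol();
}

/**
 * Read the parameter through the request object rather than $_GET, query
 * it safely, and escape on output (slide 14a) before it reaches HTML.
 */
function render_foo_list(): string {
  $user = (string) \Drupal::request()->query->get('user', '');
  $items = array_map([Html::class, 'escape'], lookup_foo_placeholder($user));
  return '<ul><li>' . implode('</li><li>', $items) . '</li></ul>';
}
```

Both fixed variants return identical rows for ordinary input; only the vulnerable one lets a crafted parameter alter the statement, which is what the linked exploit relies on.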
20. Existing projects in the PHP world
Damn Vulnerable Web Application (DVWA)
http://www.dvwa.co.uk/
Mutillidae
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
WebGoatPHP
https://github.com/shivamdixit/WebGoatPHP
Buggy Web Application
http://www.itsecgames.com/
21. And even a standalone distribution
Metasploitable
https://sourceforge.net/projects/metasploitable/
31. OWASP ZAP - Simple scan
zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' http://127.0.0.1/
zap-cli --api-key coeoobt6fof9k4g3iajshtnp7v quick-scan --self-contained --spider -r http://127.0.0.1/
* The API key can be found in ~/.ZAP/config.xml of the current user.
33. OWASP ZAP - Running as a daemon
/opt/zaproxy/zap.sh -daemon -host 0.0.0.0 -port 8480
Docker usage is also possible: https://github.com/zaproxy/zaproxy/wiki/Docker
34. OWASP ZAP - Plugins management
Install all plugins (this takes some time):
su jenkins /opt/zaproxy/zap.sh -daemon -host 0.0.0.0 -port 8480 -addoninstallall
Install a selected plugin:
su jenkins /opt/zaproxy/zap.sh -daemon -host 0.0.0.0 -port 8480 -addoninstall exportreport
* Plugins will be installed in the ~/.ZAP folder of the user who launches ZAP.
** Plugin keys can be found here:
https://github.com/zaproxy/zap-extensions/releases
37. Diagram: Drupal automated security testing model. Components on an Ubuntu server VM: Jenkins CI server, Drupalxploitable, OWASP Zed Attack Proxy. Flows: run security scan, report results.
38. Jenkins - Plugins used
● Official OWASP ZAP Jenkins Plugin
● Environment Injector Plugin
41. Special thanks
● To my company @AgenceStratis, which shares our view of the importance of open-source culture
● To Mikke Schirén (@mikkdroid) from wunderkraut, who really helped us with the Jenkins 2 configuration during the workshop day
● To the Drupal Developer Days Sevilla team for the great organization of the event.