DrupalCamp London 2017 - Web site insecurity

1. WEB SITE INSECURITY How your CMS site will get hacked and how to prevent it

2. WEB SECURITY ➤ Common threats to web security with real world case studies of compromised sites, ➤ A 'dissection' of a typical common exploit tool and how it operates, ➤ Simple approaches to mitigating common threats/vulnerabilities, ➤ Defence in depth – an overview of the various components of web security, ➤ Drupal speciﬁc measures that standard penetration testing often does not account for. ➤ An overview of how to beneﬁt from: ➤ Security monitoring and log analysis ➤ Intrusion Detection Systems & Firewalls ➤ Security headers and Content Security Policies (CSP).

3. GEORGE BOOBYER Drupal: iAugur  george@blue-bag.com twitter: @iBluebag WWW.BLUE-BAG.COM Established in 2000

4. WHY IS THE WEB INSECURE? ➤ Security is perceived to be complex or someone else's domain, ➤ The web is a playground of the well-meaning/naïve and   the ill-disposed or malevolent, ➤ It is also a place of automated exploitation, ➤ Web software / infrastructure is often insecure by default, ➤ Often our goals (budgets) end at site launch, ➤ We don’t often look after sites once live - we check the visible content and cross our ﬁngers it is safe. ➤ Security is not hard and any eﬀort will be rewarded

5. INVEST IN SECURITY ➤ What is at risk? ➤ Loss of business ➤ Reputation (you / your client) ➤ Sensitive data ➤ Personal data - enumeration ➤ SEO ranking ➤ Blacklisting ➤ Ransom ➤ Model your costs: ➤ Spend 37% of your expected losses on security   Diminishing returns (Gordon–Loeb model) ➤ Automate - Ansible - Immutable Infrastructure

6. ➤ Defacers ➤ SEO Spam - content injection ➤ Data Breaches ➤ Hactivists ➤ Recruiters (Botnet orchestration) ➤ Ransomware botnets ➤ Layer 7 Attacks - DDOS ➤ Unintentional - Application level vulnerabilities HACKERS - WHO ARE THEY?

7. DEFACERS

8. DEFACERS

9. DEFACERS

10. DEFACERS

11. DEFACERS

12. DEFACERS

13. CONTENT INJECTION <script> location.href='http://www.fashionheel-us.com/';</script> Body overwritten with redirect

14. CONTENT INJECTION - USER AGENT SPECIFIC User-Agent:Googlebot/2.1 (+http://www.googlebot.com/bot.html)

15. DATA BREACHES

16. DATA BREACHES @TROYHUNT

17. HACKIVISTS Hacking team vs Phineas Albanian hitman http://pastebin.com/raw/0SNSvyjJ

18. BOTNET RECRUITS "Investigation of the attack uncovered 49,657 unique IPs which hosted Mirai- infected devices. As previously reported, these were mostly CCTV cameras—a popular choice of DDoS botnet herders. Other victimized devices included DVRs and routers."  https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

19. BOTNET RECRUITS [FREE] World's Largest Net:Mirai Botnet, Client, Echo Loader, CNC source code release - Anna-senpai - 09-30-2016 11:50 AM Preface Greetz everybody, When I first go in DDoS industry, I wasn't planning on staying in it long. I made my money, there's lots of eyes looking at IOT now, so it's time to GTFO. However, I know every skid and their mama, it's their wet dream to have something besides qbot. So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping. So, I am your senpai, and I will treat you real nice, my hf-chan. And to everyone that thought they were doing anything by hitting my CNC, I had good laughs, this bot uses domain for CNC. It takes 60 seconds for all bots to reconnect, lol Also, shoutout to this blog post by malwaremustdie http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html https://web.archive.org/web/20160930230210/http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html <- backup in case low quality reverse engineer unixfreaxjp decides to edit his posts lol Had a lot of respect for you, thought you were good reverser, but you really just completely and totally failed in reversing this binary. "We still have better kung fu than you kiddos" don't make me laugh please, you made so many mistakes and even confused some different binaries with my. LOL Let me give you some slaps back - 1) port 48101 is not for back connect, it is for control to prevent multiple instances of bot running together 2) /dev/watchdog and /dev/misc are not for "making the delay", it for preventing system from hanging. This one is low-hanging fruit, so sad that you are extremely dumb 3) You failed and thought FAKE_CNC_ADDR and FAKE_CNC_PORT was real CNC, lol "And doing the backdoor to connect via HTTP on 65.222.202.53". you got tripped up by signal flow ;) try harder skiddo 4) Your skeleton tool sucks ass, it thought the attack decoder was "sinden style", but it does not even use a text-based protocol? CNC and bot communicate over binary protocol 5) you say 'chroot("/") so predictable like torlus' but you don't understand, some others kill based on cwd. It shows how out-of-the-loop you are with real malware. Go back to skidland http://pastebin.com/raw/mevDFPg6

20. EXPLOITING THE EXPLOITABLE

21. OPEN ACCESS

22. OPEN ACCESS It's a hydroelectric control system!

23. VAST RESOURCE OF VULNERABLE DEVICES https://press.avast.com/avast-exposes-internet-of-things-attack-risk-in-barcelona-home-of-mobile-world-congress-2017

24. HACKERS: THEY HAVE IT EASY ➤ Insecure Servers & open ports ➤ Default settings and passwords ➤ Open conﬁguration ﬁles ➤ Browsable folders ➤ Out of date CMS (insecure plugins) ➤ SQL Injection ➤ Phishing / Social Engineering ➤ Leverage other breaches / password reuse ➤ Search Engines / Exploit databases & resources ➤ Botnets / Proxies

25. OUT OF DATE SOFTWARE ➤ Out of date CMS core ➤ Vulnerable plugins / modules https://www.drupal.org/security-advisory-policy

26. MISCONFIGURATIONS: SAVED COPIES OF SENSITIVE FILES

27. MISCONFIGURATIONS: SAVED COPIES OF SENSITIVE FILES navigable / readable conﬁg ﬁles

28. MISCONFIGURATIONS: VISIBLE SENSITIVE FILES

29. ANYTHING BUT COSMETIC: TAKING CONTROL

33. UPLOAD A SHELL function drupal_bootstrap($phase = NULL, $new_phase = TRUE) { ….   case DRUPAL_BOOTSTRAP_SESSION:  require_once DRUPAL_ROOT . '/' . variable_get('session_inc', 'includes/session.inc');  drupal_session_initialize();  break; In the session_inc variable include a malicious ﬁle from the /tmp/ folder: https://blog.sucuri.net/2016/05/ﬁnding-conditional-drupal-database-spam.html

34. HACKERS: HOW THEY FEED - LOW HANGING FRUIT ➤ Internet of things: shodan.io

35. HACKERS: HOW THEY FEED - LOW HANGING FRUIT inurl:CHANGELOG.txt intext:drupal intext:"SA-CORE" -intext:7.32 - site:github.com -site:drupal.org ➤ Internet of things: shodan.io ➤ Google Dorks

36. HACKERS: HOW THEY FEED - LOW HANGING FRUIT ➤ Internet of things: shodan.io ➤ Google Dorks ➤ Exploit-db

37. HACKERS: HOW THEY FEED - LOW HANGING FRUIT ➤ Internet of things: shodan.io ➤ Google Dorks ➤ Exploit-db ➤ Show off: zone-h

38. HACKERS: HOW THEY FEED - LOW HANGING FRUIT ➤ Internet of things: shodan.io ➤ Google Dorks ➤ Exploit-db ➤ Show off: zone-h ➤ Trawlers / chancers

39. THE GREPS OF WRATH A story of one failed exploit

40. ROUTINE LOG/EVENT ANALYSIS ➤ Ideally ship and aggregate logs ➤ Routine analysis of logs for 40x and 5xx ➤ Review requests by status code ➤ Routine analysis of big hitters ➤ Routine analysis of hits by status code # get a list of 404s by ip and target grep "HTTP/1.1" 404" access.log | awk '{print $1 " " $8 } ' | sort | uniq -c | sort -n # get the pages that cause 500 grep "HTTP/1.1" 500" access.log | awk '{print $8 } ' | sort | uniq -c | sort -n # list CMS hackers grep -E -i -w 'wp-(admin|content|includes|login)' access.log.1 | awk '{print $1 " " $8}' | sort | uniq -c | sort -nr

41. INVESTIGATE A SPECIFIC EVENT ➤ Get the big hitters from the past hour or so ➤ Get the requests for speciﬁc IPs #Get big hitters along with their agent string zcat pound.log.1.gz | awk -v OFS='t' '{print $7, substr($0, index($0,$18))}' | sort | uniq -c | sort -nk1 # top 50 hitters with counts (ignore static assets) tail -100000 access.log|egrep -i -v "jpg|png|js|css" | awk '{print $2}'|sort | uniq -c | sort -nk1 | tail -50 # hits per hour awk -F: '{print $2}' access_log | sort | uniq -c # hits per hour by an ip grep -w {ipaddress} logfile | awk -F: '{print $2}' | sort | uniq -c # hits for a period awk '$5>"[20/Sep/2015:16:00:" && $5<"[20/Sep/2015:18:23:"' access.log | less # hit count by ip for a period awk '$5>"[20/Sep/2015:16:00:" && $5<"[20/Sep/2015:18:23:"' access.log | awk '{print $2}'|sort | uniq -c | sort -nk1

42. CMS EXPLOIT - SMELLING A RAT ➤ Routine analysis shows a pattern /vmskdl44rededd /N0Wccvvd333.php /N0Wccvvd333.php /N0WaY/N0WaY1bb2/N0WaY123.php /N0WaY/N0WaY1bb2/N0WaY123.php /wp-login.php /wp-config.php /configuration.php /administrator /user /CHANGELOG.txt /?q=admin/views/ajax/autocomplete/user/N0t3xstgg12394

43. RESEARCH AND PROTECTION ➤ In the case of a speciﬁc exploit - do some research ➤ In our example we have an exploit: ➤ That is coming from multiple ips ➤ Appears to follows a typical pattern ➤ Characteristics are the same on unrelated servers Look for non existent file: N0WaY/N0WaY1bb2/N0WaY123.php see how the site reacts... Determine CMS CMS Specific exploit attempts wp-login  wp-admin joomla.xml CHANGELOG.txt def DruCore(self): if LooseVersion("7") <= LooseVersion(str(self.DruVersion)) <= LooseVersion("7.31"): msg = "Drupal Vulnerable to SA-CORE-2014-005"; report.high(msg)

44. SEARCH FOR KEY CHARACTERISTICS ➤ Github ➤ Exploit Databases ➤ Penetration test tools CMSMap

45. CAUGHT RAT: CMS MAP ➤ Tests for CMS ➤ Tests for CMS version ➤ Multiple exploits ➤ Updates from Exploit DB ➤ Upload shell ➤ Call back to host ➤ Protect vulnerabilities ➤ Update regularly ➤ Block signature ➤ Ban known baddies 2.92.230.173 5.165.47.132 37.15.2.6 46.119.108.124 46.219.247.129 62.183.85.176 77.52.98.181 77.122.3.232 79.172.7.23 82.149.151.12 91.202.27.239 95.139.232.62 95.28.120.251 95.70.43.209 95.167.1.250 109.87.102.147 109.184.1.245 176.69.113.104 178.67.152.248 195.230.129.226 Disclaimer Usage of CMSmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume NO liability and are NOT responsible for any misuse or damage caused by this program.

46. PROTECTION MEASURES ➤ Control Leakage ➤ Restrict access to ﬁles ➤ Layered Defence

47. INFORMATION LEAKAGE != OBFUSCATION Cons: ➤ Security through obscurity is pointless ➤ There are many ways that you can determine the CMS and its version https://www.drupal.org/node/766404

48. Pros: ➤ A layered defence has this as a component ➤ Many exploits are reliant on simple version determination for version speciﬁc exploits ➤ Simple process to place eﬀective hurdle in the path of script kiddies ➤ A component of defence only INFORMATION LEAKAGE != OBFUSCATION Cons: ➤ Security through obscurity is pointless ➤ There are many ways that you can determine the CMS and its version https://www.drupal.org/node/766404

49. SECURITY MISCONCEPTIONS ➤ Port reassignment  Use port 2020, 2222 etc in place of 22  Bad Idea! ➤ Waste of time: port scanners (nmap) will ﬁnd it ➤ False sense of security: Better spend time doing real security  RSA keys, IP restriction, AllowGroups, no Root login  IDS or other activity pattern matching. ➤ Poor Security:  Ports below 1024 are privileged ports  Above 1024 are not - easy to mimic ssh and listen. ➤ Non standard - Other security measures won’t guard it.

50. DEFENCE LEVEL 1 - PORT LEVEL CONTROL Know what ports you have open, what is listening on them and who can access. On the server: 0.0.0.0:9080 LISTEN 1804/varnishd 127.0.0.1:25 LISTEN 2583/exim4 144.76.185.80:443 LISTEN 1037/pound 0.0.0.0:2812 LISTEN 1007/monit 127.0.0.1:6082 LISTEN 1799/varnishd 0.0.0.0:3306 LISTEN 1727/mysqld 127.0.0.1:11211 LISTEN 849/memcached 127.0.0.1:6379 LISTEN 946/redis-server 12 0.0.0.0:10000 LISTEN 2644/perl 144.76.185.80:80 LISTEN 1037/pound 0.0.0.0:22 LISTEN 851/sshd 0 :::9080 LISTEN 1804/varnishd 0 ::1:25 LISTEN 2583/exim4 0 :::8443 LISTEN 1779/apache2 0 :::8080 LISTEN 1779/apache2 0 :::22 LISTEN 851/sshd $netstat -nlp | grep tcp From outside: $nmap xxx.xxx.xxx.xxx Not shown: 990 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp open https 554/tcp open tsp 7070/tcp open realserver 8080/tcp open http-proxy 8443/tcp open https-alt 9080/tcp open glrpc 10000/tcp open snet-sensor-mgmt Red: IP / MAC restricted  Grey: Router proxies

51. DEFENCE LEVEL 1 - FIREWALL BLOCK LISTS The IP 195.154.47.128 has just been banned by Fail2Ban after 3 attempts against ssh. Firewall 195.154.47.12 CVE-2016-2118 (a.k.a. BADLOCK) SSH Brute force Block Blocklist Drop Firewall IPSET IPSET Any Port 1 2 3 4 5 Log Report to blocklist Source/share lists  of bad ips Block on first visit Initial  Server Anyother  Server Compromised Zombie Exclude whitelist

52. DEFENCE LEVEL 2 - HARDEN SOFTWARE ➤ Configure ➤ mod_negotiation  -Multiviews ➤ mod_indexes  -Indexes ➤ Modules To Disable ➤ mod_status ➤ mod_userdir ➤ mod_info ➤ PHP ➤ enable_dl = Off ➤ allow_url_fopen = Off ➤ register_globals = Off ➤ disable_functions = openlog ➤ open_basedir = /var/www/ ➤ upload_tmp_dir = /var/www/tmp $ curl -Ikis "http://localhost/dump" -H "Accept: Accio/dumps" HTTP/1.1 406 Not Acceptable Date: Mon, 27 Feb 2017 17:40:36 GMT Server: Apache/2.4.25 (Unix) PHP/5.6.29 Alternates:   {"dump.sql" 1 {type application/x-sql} {length 104857600}},  {"dump.txt" 1 {type text/plain} {length 104857600}} Vary: negotiate,accept TCN: list Content-Type: text/html; charset=iso-8859-1

53. DEFENCE LEVEL 2 - FILE PROTECTION MEASURES All public folders (files) php_flag engine off All private files: php_flag engine off Require all denied All public folders (document root) AllowOverride None  Options -Indexes +SymLinksIfOwnerMatch -MultiViews Deny access to txt files and php files other than specific ones: <FilesMatch "([^(xxrobots|robots)].*.txt|[^(index|channel)].*.php)$"> Require all denied Require ip {your-static-ip} Require ip 127.0.0.1 Require valid-user Require group {your secure group}

54. Deny access to hidden (DVCS) files: <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REQUEST_URI} "!(^|/).well-known/([^./]+./?)+$" [NC] RewriteCond %{SCRIPT_FILENAME} -d [OR] RewriteCond %{SCRIPT_FILENAME} -f RewriteRule "(^|/)." - [F] </IfModule> Deny access to files by type: <FilesMatch ".(engine|inc|info|install|make|module|profile|test|po| sh|.*sql|theme|tpl(.php)?|xtmpl)(~|.sw[op]|.bak|.orig|.save)?$| ^(..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|.php(~| .sw[op]|.bak|.orig.save)$"> Require all denied DEFENCE LEVEL 2 - FILE PROTECTION MEASURES

55. DEFENCE LEVEL 2 - CONTROL ACCESS ➤ Can't access TXT or PHP ➤ Restrict all sensitive ﬁle types - whether you use them or not ➤ Restrict PHP to speciﬁc folders /vmskdl44rededd /N0Wccvvd333.php /N0Wccvvd333.php /N0WaY/N0WaY1bb2/N0WaY123.php /N0WaY/N0WaY1bb2/N0WaY123.php /wp-login.php /wp-config.php /configuration.php /administrator /user /CHANGELOG.txt /?q=admin/views/ajax/autocomplete/user/N0t3xstgg12394

56. DEFENCE LEVEL 3 - ANALYSE ACCESS PATTERNS ➤ Analyse activity patterns ➤ Protect admin paths ➤ Clearly here our rat is sniﬃng for copies of settings.php ➤ Often it is database dumps. ➤ Don't dump on production!

57. DEFENCE LEVEL 3 - ANALYSE ACCESS PATTERNS ➤ Analyse activity patterns ➤ Protect admin paths ➤ Clearly here our rat is sniﬃng for copies of settings.php ➤ Often it is database dumps. ➤ Don't dump on production! # Examples of real attempts to access sensitive files and backups /sites/default/settings /sites/default/settings.php~ /sites/default/settings.php.txt /sites/default/settings.php.old /sites/default/settings.php_old /sites/default/settings.php-old /sites/default/settings.php.save /sites/default/settings.php.swp /sites/default/settings.php.swo /sites/default/settings.php_bak /sites/default/settings.php-bak /sites/default/settings.php.original /sites/default/settings.php.orig /sites/default/settings.php.bak /sites/default/settings.save /sites/default/settings.old /sites/default/settings.bak /sites/default/settings.orig /sites/default/settings.original /sites/default/settings.txt

58. DEFENCE LEVEL 3 - ANALYSE ACCESS PATTERNS ➤ Analyse activity patterns ➤ Protect admin paths ➤ Clearly here our rat is sniﬃng for copies of settings.php ➤ Often it is database dumps. ➤ Don't dump on production! # Examples of real attempts to access sensitive files and backups /sites/default/settings /sites/default/settings.php~ /sites/default/settings.php.txt /sites/default/settings.php.old /sites/default/settings.php_old /sites/default/settings.php-old /sites/default/settings.php.save /sites/default/settings.php.swp /sites/default/settings.php.swo /sites/default/settings.php_bak /sites/default/settings.php-bak /sites/default/settings.php.original /sites/default/settings.php.orig /sites/default/settings.php.bak /sites/default/settings.save /sites/default/settings.old /sites/default/settings.bak /sites/default/settings.orig /sites/default/settings.original /sites/default/settings.txt All of the following had UA of "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "GET /backup.zip "GET /backup.rar "GET /backup.tar.gz "GET /backup.sql "GET /backup.sql.gz "GET /backup "GET /public_html.tar.gz "GET /public_html.tar.bz2 "GET /public_html.zip "GET /public_html.rar "GET /dump.sql "GET /dump.sql.gz "GET /dump.sql.bz2 "GET /dump.sql.zip "GET /dump.zip "GET /dump "GET /mysqldump "GET /mysqldump.sql "GET /pma "GET /phpmyadmin "GET /myadmin

59. DEFENCE LEVEL 4 - REACTIVE ➤ mod_evasive ➤ mod_security ➤ Fail2ban ➤ Logwatch ➤ ELK ➤ IPTABLES / IPSET [Definition] # Option: failregex # Notes.: regex to match the N0WaY settings.bak attack. # Values: TEXT # Test : fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/ apache-cmsnoway.conf '^<HOST> .*(/admin/reports/dblog).*$' failregex = ^<HOST> .* "GET .*(/N0WaY/N0WaY1bb2/ N0WaY123.php|settings.(php.)?(php~|sw(p|o)|txt|swo|php(-old|- bak|_bak)|php_old|bak|old|save|orig(inal)?)|wp-config.php).* # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT ignoreregex = '^<HOST> .*(/admin/reports/dblog).*$'

60. DEFENCE LEVEL 5 - INTRUSION DETECTION SYSTEM ➤ Host based Intrusion detection system ➤ log analysis ➤ file integrity checking, ➤ policy monitoring, ➤ rootkit detection, ➤ real-time alerting and ➤ active response OSSEC HIDS Notification. 2017 Jan 19 13:57:11 Received From: server-005-023->syscheck Rule: 550 fired (level 7) -> "Integrity checksum changed." Portion of the log(s): Integrity checksum changed for: '/var/www/www.somesite.com/live/htdocs/sites/ default/settings.php' Permissions changed from 'r--r-----' to 'rw-r-----' --END OF NOTIFICATION http://ossec.github.io/

61. CMS - NOWAY - DEFENCE IN DEPTH Settings.php.bak File extension denied Access pattern blocked Origin IP blocked File permissions 0444 disallow php/bak Fail2ban / HIDS IPSET M o n i t o r Best protection - File is not there in the first place!!

62. ATTACK SURFACES Coffee shop wiﬁ XSS  CSRF  Frames  Clickjacking  SSL stripping

63. SPHERES OF PROTECTION mod_security mod_evasive Apache Network / FW WAF TLS 'At Large' Security 3rd Parties Browser: WAN Network Secure Headers  XSS/CSRF Protection  Info. Disclosure  HTTPS

64. NOTHING IS PERFECT

65. SECURITY IN THE BROWSER ➤ HTTPS ➤ Cross-site scripting - XSS ➤ Cross-site request forgery - CSRF ➤ Click jacking - Frames ➤ Secure Cookies https://pokeinthe.io https://scotthelme.co.uk/ Adoption in Alexa   top million websites

66. CHECK LIST FOR WEB SECURITY https://wiki.mozilla.org/Security/Guidelines/Web_Security

67. ➤ X-Content-Type-Options: nosniff  Guards against "drive-by download attacks" by preventing IE & Chrome from MIME-sniffing a response away from the declared content-type. ➤ X-Frame-Options: DENY  Provides Clickjacking protection ➤ X-Xss-Protection: 1; mode=block  Configures the XSS audit facilities in IE & Chrome ➤ Strict-Transport-Security: max-age=31536000; includeSubDomains; preload   Informs the UA that all communications should be treated as HTTPS. Prevents MiTM & SSL-stripping attacks SECURITY IN THE BROWSER beware the consequences!

68. SECURE COOKIES FOIL CSRF ➤ Set Cookie as: ➤ HTTP only ➤ Secure ➤ SameSite Header edit Set-Cookie ^(.*)$ $1;HttpOnly;SameSite=lax; Apache Configuration: ini_set('session.cookie_httponly', 1); if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') { ini_set('session.cookie_secure', 1); } Drupal Configuration: In Drupal 8 httpOnly and Secure are set by default

69. SECURE HEADERS ➤ Subresource Integrity  Provide SHA hash of inline or CDN scripts. ➤ Public-Key-Pins  By specifying the ﬁngerprint of certain cryptographic identities, you can force the UA to only accept those identities going forwards. ➤ Content-Security-Policy:  Provides details about the sources of resources the browser can trust. e.g. Images, scripts, CSS, frames (both ancestors & children) See https://securityheaders.io

70. CONTENT SECURITY POLICY Connect Source Media Source Object Source Form Action Upgrade Insecure Requests Block All Mixed Content Sandbox Reflected XSS Base URI Manifest Source Plugin Types Referrer How to test: Default Source Script Source Style Source Image Source Font Source Child Source Frame Ancestors Report Only Report URI Others: Typical elements: Audit!

71. CONTENT SECURITY POLICY Content-Security-Policy:  default-src 'self';  img-src * data:;  style-src 'self' 'unsafe-inline' *.googleapis.com f.fontdeck.com;  font-src 'self' *.gstatic.com;  script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google- analytics.com *.googleapis.com *.jquery.com *.google.com google.com *.newrelic.com *.nr-data.net connect.facebook.net;   connect-src 'self';  frame-ancestors 'self' *.facebook.com;  frame-src 'self' *.facebook.com;  report-uri https://xyz.report-uri.io/r/default/csp/enforce https://report-uri.io/account/reports/csp/

72. CONTENT SECURITY POLICY Policy contraventions are reported by the browser : https://report-uri.io/account/reports/csp/

73. CONTENT SECURITY POLICY Mozilla CSP Policy directives https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives Drupal Modules https://www.drupal.org/project/seckit CSP Builders

74. MOST COMMON REASONS YOU GET HACKED ➤ Don't have a security policy / budget ➤ Software outdated ➤ Relying on default setup (conﬁg and passwords) ➤ In suﬃcient access controls ➤ Password reuse ➤ Phishing and human error ➤ No IDS / Firewall / CSP etc ➤ No Monitoring and evaluation ➤ No response prepared

75. ➤ Regularly review ➤ Audit attack surfaces ➤ Test defences ➤ Structured defences ➤ Avoid complacency ➤ Rebuild regularly ➤ Security Research ➤ Event monitoring SO - WHAT DO WE DO ABOUT ALL THIS!

76. FINAL THOUGHTS - ANY SECURITY IS BETTER THAN NONE Bake your principles into practices - Ansible - immutable infrastructure ➤ Security is a department - not a one oﬀ -   Push for a budget! ➤ Deﬁne areas of responsibility with hosting ➤ Prepare response ➤ Learn your attack surface, test on Tor ➤ Monitor & test regularly ➤ Follow some Opsec people:  @Scott_Helme, @troyhunt, @ivanristic,   @briankrebs @aprilmpls ➤ Letsencrypt - HTTPS. ➤ Work together (bad ips, honeypot, block list) - don't hit back

DrupalCamp London 2017 - Web site insecurity

Vous êtes en train de lire un aperçu.

Consultez-les par la suite

DrupalCamp London 2017 - Web site insecurity

Plus De Contenu Connexe

Diaporamas pour vous (20)

Les utilisateurs ont également aimé (20)

Similaire à DrupalCamp London 2017 - Web site insecurity (20)

Plus récents (20)