SlideShare une entreprise Scribd logo

DrupalCamp London 2017 - Web site insecurity

George Boobyer
George Boobyer

Common threats to web security with real world case studies of compromised sites, - A 'dissection' of a typical common exploit tool and how it operates, - Simple approaches to mitigating common threats/vulnerabilities, - Defence in depth – an overview of the various components of web security, - Drupal specific measures that standard penetration testing often does not account for. An overview of how to benefit from: - Security monitoring and log analysis - Intrusion Detection Systems & Firewalls - Security headers and Content Security Policies (CSP). see Drupal Camp London for full details: http://drupalcamp.london/session/web-site-insecurity-how-your-cms-site-will-get-hacked-and-how-prevent-it

Technologie
1  sur  76
Télécharger pour lire hors ligne
WEB SITE INSECURITY How your CMS site will get hacked and how to prevent it
WEB SECURITY ➤ Common threats to web security with real world case studies of compromised sites, ➤ A 'dissection' of a typical common exploit tool and how it operates, ➤ Simple approaches to mitigating common threats/vulnerabilities, ➤ Defence in depth – an overview of the various components of web security, ➤ Drupal specific measures that standard penetration testing often does not account for. ➤ An overview of how to benefit from: ➤ Security monitoring and log analysis ➤ Intrusion Detection Systems & Firewalls ➤ Security headers and Content Security Policies (CSP).
GEORGE BOOBYER Drupal: iAugur
 george@blue-bag.com twitter: @iBluebag WWW.BLUE-BAG.COM Established in 2000
WHY IS THE WEB INSECURE? ➤ Security is perceived to be complex or someone else's domain, ➤ The web is a playground of the well-meaning/naïve and 
 the ill-disposed or malevolent, ➤ It is also a place of automated exploitation, ➤ Web software / infrastructure is often insecure by default, ➤ Often our goals (budgets) end at site launch, ➤ We don’t often look after sites once live - we check the visible content and cross our fingers it is safe. ➤ Security is not hard and any effort will be rewarded
INVEST IN SECURITY ➤ What is at risk? ➤ Loss of business ➤ Reputation (you / your client) ➤ Sensitive data ➤ Personal data - enumeration ➤ SEO ranking ➤ Blacklisting ➤ Ransom ➤ Model your costs: ➤ Spend 37% of your expected losses on security 
 Diminishing returns (Gordon–Loeb model) ➤ Automate - Ansible - Immutable Infrastructure
➤ Defacers ➤ SEO Spam - content injection ➤ Data Breaches ➤ Hactivists ➤ Recruiters (Botnet orchestration) ➤ Ransomware botnets ➤ Layer 7 Attacks - DDOS ➤ Unintentional - Application level vulnerabilities HACKERS - WHO ARE THEY?
DEFACERS
DEFACERS
DEFACERS
DEFACERS
DEFACERS
DEFACERS
CONTENT INJECTION <script> location.href='http://www.fashionheel-us.com/';</script> Body overwritten with redirect
CONTENT INJECTION - USER AGENT SPECIFIC User-Agent:Googlebot/2.1 (+http://www.googlebot.com/bot.html)
DATA BREACHES
DATA BREACHES @TROYHUNT
HACKIVISTS Hacking team vs Phineas Albanian hitman http://pastebin.com/raw/0SNSvyjJ
BOTNET RECRUITS "Investigation of the attack uncovered 49,657 unique IPs which hosted Mirai- infected devices. As previously reported, these were mostly CCTV cameras—a popular choice of DDoS botnet herders. Other victimized devices included DVRs and routers."
 https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
BOTNET RECRUITS [FREE] World's Largest Net:Mirai Botnet, Client, Echo Loader, CNC source code release - Anna-senpai - 09-30-2016 11:50 AM Preface Greetz everybody, When I first go in DDoS industry, I wasn't planning on staying in it long. I made my money, there's lots of eyes looking at IOT now, so it's time to GTFO. However, I know every skid and their mama, it's their wet dream to have something besides qbot. So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping. So, I am your senpai, and I will treat you real nice, my hf-chan. And to everyone that thought they were doing anything by hitting my CNC, I had good laughs, this bot uses domain for CNC. It takes 60 seconds for all bots to reconnect, lol Also, shoutout to this blog post by malwaremustdie http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html https://web.archive.org/web/20160930230210/http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html <- backup in case low quality reverse engineer unixfreaxjp decides to edit his posts lol Had a lot of respect for you, thought you were good reverser, but you really just completely and totally failed in reversing this binary. "We still have better kung fu than you kiddos" don't make me laugh please, you made so many mistakes and even confused some different binaries with my. LOL Let me give you some slaps back - 1) port 48101 is not for back connect, it is for control to prevent multiple instances of bot running together 2) /dev/watchdog and /dev/misc are not for "making the delay", it for preventing system from hanging. This one is low-hanging fruit, so sad that you are extremely dumb 3) You failed and thought FAKE_CNC_ADDR and FAKE_CNC_PORT was real CNC, lol "And doing the backdoor to connect via HTTP on 65.222.202.53". you got tripped up by signal flow ;) try harder skiddo 4) Your skeleton tool sucks ass, it thought the attack decoder was "sinden style", but it does not even use a text-based protocol? CNC and bot communicate over binary protocol 5) you say 'chroot("/") so predictable like torlus' but you don't understand, some others kill based on cwd. It shows how out-of-the-loop you are with real malware. Go back to skidland http://pastebin.com/raw/mevDFPg6
EXPLOITING THE EXPLOITABLE
OPEN ACCESS
OPEN ACCESS It's a hydroelectric control system!
VAST RESOURCE OF VULNERABLE DEVICES https://press.avast.com/avast-exposes-internet-of-things-attack-risk-in-barcelona-home-of-mobile-world-congress-2017
HACKERS: THEY HAVE IT EASY ➤ Insecure Servers & open ports ➤ Default settings and passwords ➤ Open configuration files ➤ Browsable folders ➤ Out of date CMS (insecure plugins) ➤ SQL Injection ➤ Phishing / Social Engineering ➤ Leverage other breaches / password reuse ➤ Search Engines / Exploit databases & resources ➤ Botnets / Proxies
OUT OF DATE SOFTWARE ➤ Out of date CMS core ➤ Vulnerable plugins / modules https://www.drupal.org/security-advisory-policy
MISCONFIGURATIONS: SAVED COPIES OF SENSITIVE FILES
MISCONFIGURATIONS: SAVED COPIES OF SENSITIVE FILES navigable / readable config files
MISCONFIGURATIONS: VISIBLE SENSITIVE FILES
ANYTHING BUT COSMETIC: TAKING CONTROL
ANYTHING BUT COSMETIC: TAKING CONTROL
ANYTHING BUT COSMETIC: TAKING CONTROL
ANYTHING BUT COSMETIC: TAKING CONTROL
UPLOAD A SHELL function drupal_bootstrap($phase = NULL, $new_phase = TRUE) { …. 
 case DRUPAL_BOOTSTRAP_SESSION:
 require_once DRUPAL_ROOT . '/' . variable_get('session_inc', 'includes/session.inc');
 drupal_session_initialize();
 break; In the session_inc variable include a malicious file from the /tmp/ folder: https://blog.sucuri.net/2016/05/finding-conditional-drupal-database-spam.html
HACKERS: HOW THEY FEED - LOW HANGING FRUIT ➤ Internet of things: shodan.io
HACKERS: HOW THEY FEED - LOW HANGING FRUIT inurl:CHANGELOG.txt intext:drupal intext:"SA-CORE" -intext:7.32 - site:github.com -site:drupal.org ➤ Internet of things: shodan.io ➤ Google Dorks
HACKERS: HOW THEY FEED - LOW HANGING FRUIT ➤ Internet of things: shodan.io ➤ Google Dorks ➤ Exploit-db
HACKERS: HOW THEY FEED - LOW HANGING FRUIT ➤ Internet of things: shodan.io ➤ Google Dorks ➤ Exploit-db ➤ Show off: zone-h
HACKERS: HOW THEY FEED - LOW HANGING FRUIT ➤ Internet of things: shodan.io ➤ Google Dorks ➤ Exploit-db ➤ Show off: zone-h ➤ Trawlers / chancers
THE GREPS OF WRATH A story of one failed exploit
ROUTINE LOG/EVENT ANALYSIS ➤ Ideally ship and aggregate logs ➤ Routine analysis of logs for 40x and 5xx ➤ Review requests by status code ➤ Routine analysis of big hitters ➤ Routine analysis of hits by status code # get a list of 404s by ip and target grep "HTTP/1.1" 404" access.log | awk '{print $1 " " $8 } ' | sort | uniq -c | sort -n # get the pages that cause 500 grep "HTTP/1.1" 500" access.log | awk '{print $8 } ' | sort | uniq -c | sort -n # list CMS hackers grep -E -i -w 'wp-(admin|content|includes|login)' access.log.1 | awk '{print $1 " " $8}' | sort | uniq -c | sort -nr
INVESTIGATE A SPECIFIC EVENT ➤ Get the big hitters from the past hour or so ➤ Get the requests for specific IPs #Get big hitters along with their agent string zcat pound.log.1.gz | awk -v OFS='t' '{print $7, substr($0, index($0,$18))}' | sort | uniq -c | sort -nk1 # top 50 hitters with counts (ignore static assets) tail -100000 access.log|egrep -i -v "jpg|png|js|css" | awk '{print $2}'|sort | uniq -c | sort -nk1 | tail -50 # hits per hour awk -F: '{print $2}' access_log | sort | uniq -c # hits per hour by an ip grep -w {ipaddress} logfile | awk -F: '{print $2}' | sort | uniq -c # hits for a period awk '$5>"[20/Sep/2015:16:00:" && $5<"[20/Sep/2015:18:23:"' access.log | less # hit count by ip for a period awk '$5>"[20/Sep/2015:16:00:" && $5<"[20/Sep/2015:18:23:"' access.log | awk '{print $2}'|sort | uniq -c | sort -nk1
CMS EXPLOIT - SMELLING A RAT ➤ Routine analysis shows a pattern /vmskdl44rededd /N0Wccvvd333.php /N0Wccvvd333.php /N0WaY/N0WaY1bb2/N0WaY123.php /N0WaY/N0WaY1bb2/N0WaY123.php /wp-login.php /wp-config.php /configuration.php /administrator /user /CHANGELOG.txt /?q=admin/views/ajax/autocomplete/user/N0t3xstgg12394
RESEARCH AND PROTECTION ➤ In the case of a specific exploit - do some research ➤ In our example we have an exploit: ➤ That is coming from multiple ips ➤ Appears to follows a typical pattern ➤ Characteristics are the same on unrelated servers Look for non existent file: N0WaY/N0WaY1bb2/N0WaY123.php see how the site reacts... Determine CMS CMS Specific exploit attempts wp-login
 wp-admin joomla.xml CHANGELOG.txt def DruCore(self): if LooseVersion("7") <= LooseVersion(str(self.DruVersion)) <= LooseVersion("7.31"): msg = "Drupal Vulnerable to SA-CORE-2014-005"; report.high(msg)
SEARCH FOR KEY CHARACTERISTICS ➤ Github ➤ Exploit Databases ➤ Penetration test tools CMSMap
CAUGHT RAT: CMS MAP ➤ Tests for CMS ➤ Tests for CMS version ➤ Multiple exploits ➤ Updates from Exploit DB ➤ Upload shell ➤ Call back to host ➤ Protect vulnerabilities ➤ Update regularly ➤ Block signature ➤ Ban known baddies 2.92.230.173 5.165.47.132 37.15.2.6 46.119.108.124 46.219.247.129 62.183.85.176 77.52.98.181 77.122.3.232 79.172.7.23 82.149.151.12 91.202.27.239 95.139.232.62 95.28.120.251 95.70.43.209 95.167.1.250 109.87.102.147 109.184.1.245 176.69.113.104 178.67.152.248 195.230.129.226 Disclaimer Usage of CMSmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume NO liability and are NOT responsible for any misuse or damage caused by this program.
PROTECTION MEASURES ➤ Control Leakage ➤ Restrict access to files ➤ Layered Defence
INFORMATION LEAKAGE != OBFUSCATION Cons: ➤ Security through obscurity is pointless ➤ There are many ways that you can determine the CMS and its version https://www.drupal.org/node/766404
Pros: ➤ A layered defence has this as a component ➤ Many exploits are reliant on simple version determination for version specific exploits ➤ Simple process to place effective hurdle in the path of script kiddies ➤ A component of defence only INFORMATION LEAKAGE != OBFUSCATION Cons: ➤ Security through obscurity is pointless ➤ There are many ways that you can determine the CMS and its version https://www.drupal.org/node/766404
SECURITY MISCONCEPTIONS ➤ Port reassignment
 Use port 2020, 2222 etc in place of 22
 Bad Idea! ➤ Waste of time: port scanners (nmap) will find it ➤ False sense of security: Better spend time doing real security
 RSA keys, IP restriction, AllowGroups, no Root login
 IDS or other activity pattern matching. ➤ Poor Security:
 Ports below 1024 are privileged ports
 Above 1024 are not - easy to mimic ssh and listen. ➤ Non standard - Other security measures won’t guard it.
DEFENCE LEVEL 1 - PORT LEVEL CONTROL Know what ports you have open, what is listening on them and who can access. On the server: 0.0.0.0:9080 LISTEN 1804/varnishd 127.0.0.1:25 LISTEN 2583/exim4 144.76.185.80:443 LISTEN 1037/pound 0.0.0.0:2812 LISTEN 1007/monit 127.0.0.1:6082 LISTEN 1799/varnishd 0.0.0.0:3306 LISTEN 1727/mysqld 127.0.0.1:11211 LISTEN 849/memcached 127.0.0.1:6379 LISTEN 946/redis-server 12 0.0.0.0:10000 LISTEN 2644/perl 144.76.185.80:80 LISTEN 1037/pound 0.0.0.0:22 LISTEN 851/sshd 0 :::9080 LISTEN 1804/varnishd 0 ::1:25 LISTEN 2583/exim4 0 :::8443 LISTEN 1779/apache2 0 :::8080 LISTEN 1779/apache2 0 :::22 LISTEN 851/sshd $netstat -nlp | grep tcp From outside: $nmap xxx.xxx.xxx.xxx Not shown: 990 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp open https 554/tcp open tsp 7070/tcp open realserver 8080/tcp open http-proxy 8443/tcp open https-alt 9080/tcp open glrpc 10000/tcp open snet-sensor-mgmt Red: IP / MAC restricted
 Grey: Router proxies
DEFENCE LEVEL 1 - FIREWALL BLOCK LISTS The IP 195.154.47.128 has just been banned by Fail2Ban after 3 attempts against ssh. Firewall 195.154.47.12 CVE-2016-2118 (a.k.a. BADLOCK) SSH Brute force Block Blocklist Drop Firewall IPSET IPSET Any Port 1 2 3 4 5 Log Report to blocklist Source/share lists
 of bad ips Block on first visit Initial
 Server Anyother
 Server Compromised Zombie Exclude whitelist
DEFENCE LEVEL 2 - HARDEN SOFTWARE ➤ Configure ➤ mod_negotiation
 -Multiviews ➤ mod_indexes
 -Indexes ➤ Modules To Disable ➤ mod_status ➤ mod_userdir ➤ mod_info ➤ PHP ➤ enable_dl = Off ➤ allow_url_fopen = Off ➤ register_globals = Off ➤ disable_functions = openlog ➤ open_basedir = /var/www/ ➤ upload_tmp_dir = /var/www/tmp $ curl -Ikis "http://localhost/dump" -H "Accept: Accio/dumps" HTTP/1.1 406 Not Acceptable Date: Mon, 27 Feb 2017 17:40:36 GMT Server: Apache/2.4.25 (Unix) PHP/5.6.29 Alternates: 
 {"dump.sql" 1 {type application/x-sql} {length 104857600}},
 {"dump.txt" 1 {type text/plain} {length 104857600}} Vary: negotiate,accept TCN: list Content-Type: text/html; charset=iso-8859-1
DEFENCE LEVEL 2 - FILE PROTECTION MEASURES All public folders (files) php_flag engine off All private files: php_flag engine off Require all denied All public folders (document root) AllowOverride None
 Options -Indexes +SymLinksIfOwnerMatch -MultiViews Deny access to txt files and php files other than specific ones: <FilesMatch "([^(xxrobots|robots)].*.txt|[^(index|channel)].*.php)$"> Require all denied Require ip {your-static-ip} Require ip 127.0.0.1 Require valid-user Require group {your secure group}
Deny access to hidden (DVCS) files: <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REQUEST_URI} "!(^|/).well-known/([^./]+./?)+$" [NC] RewriteCond %{SCRIPT_FILENAME} -d [OR] RewriteCond %{SCRIPT_FILENAME} -f RewriteRule "(^|/)." - [F] </IfModule> Deny access to files by type: <FilesMatch ".(engine|inc|info|install|make|module|profile|test|po| sh|.*sql|theme|tpl(.php)?|xtmpl)(~|.sw[op]|.bak|.orig|.save)?$| ^(..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|.php(~| .sw[op]|.bak|.orig.save)$"> Require all denied DEFENCE LEVEL 2 - FILE PROTECTION MEASURES
DEFENCE LEVEL 2 - CONTROL ACCESS ➤ Can't access TXT or PHP ➤ Restrict all sensitive file types - whether you use them or not ➤ Restrict PHP to specific folders /vmskdl44rededd /N0Wccvvd333.php /N0Wccvvd333.php /N0WaY/N0WaY1bb2/N0WaY123.php /N0WaY/N0WaY1bb2/N0WaY123.php /wp-login.php /wp-config.php /configuration.php /administrator /user /CHANGELOG.txt /?q=admin/views/ajax/autocomplete/user/N0t3xstgg12394
DEFENCE LEVEL 3 - ANALYSE ACCESS PATTERNS ➤ Analyse activity patterns ➤ Protect admin paths ➤ Clearly here our rat is sniffing for copies of settings.php ➤ Often it is database dumps. ➤ Don't dump on production!
DEFENCE LEVEL 3 - ANALYSE ACCESS PATTERNS ➤ Analyse activity patterns ➤ Protect admin paths ➤ Clearly here our rat is sniffing for copies of settings.php ➤ Often it is database dumps. ➤ Don't dump on production! # Examples of real attempts to access sensitive files and backups /sites/default/settings /sites/default/settings.php~ /sites/default/settings.php.txt /sites/default/settings.php.old /sites/default/settings.php_old /sites/default/settings.php-old /sites/default/settings.php.save /sites/default/settings.php.swp /sites/default/settings.php.swo /sites/default/settings.php_bak /sites/default/settings.php-bak /sites/default/settings.php.original /sites/default/settings.php.orig /sites/default/settings.php.bak /sites/default/settings.save /sites/default/settings.old /sites/default/settings.bak /sites/default/settings.orig /sites/default/settings.original /sites/default/settings.txt
DEFENCE LEVEL 3 - ANALYSE ACCESS PATTERNS ➤ Analyse activity patterns ➤ Protect admin paths ➤ Clearly here our rat is sniffing for copies of settings.php ➤ Often it is database dumps. ➤ Don't dump on production! # Examples of real attempts to access sensitive files and backups /sites/default/settings /sites/default/settings.php~ /sites/default/settings.php.txt /sites/default/settings.php.old /sites/default/settings.php_old /sites/default/settings.php-old /sites/default/settings.php.save /sites/default/settings.php.swp /sites/default/settings.php.swo /sites/default/settings.php_bak /sites/default/settings.php-bak /sites/default/settings.php.original /sites/default/settings.php.orig /sites/default/settings.php.bak /sites/default/settings.save /sites/default/settings.old /sites/default/settings.bak /sites/default/settings.orig /sites/default/settings.original /sites/default/settings.txt All of the following had UA of "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "GET /backup.zip "GET /backup.rar "GET /backup.tar.gz "GET /backup.sql "GET /backup.sql.gz "GET /backup "GET /public_html.tar.gz "GET /public_html.tar.bz2 "GET /public_html.zip "GET /public_html.rar "GET /dump.sql "GET /dump.sql.gz "GET /dump.sql.bz2 "GET /dump.sql.zip "GET /dump.zip "GET /dump "GET /mysqldump "GET /mysqldump.sql "GET /pma "GET /phpmyadmin "GET /myadmin
DEFENCE LEVEL 4 - REACTIVE ➤ mod_evasive ➤ mod_security ➤ Fail2ban ➤ Logwatch ➤ ELK ➤ IPTABLES / IPSET [Definition] # Option: failregex # Notes.: regex to match the N0WaY settings.bak attack. # Values: TEXT # Test : fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/ apache-cmsnoway.conf '^<HOST> .*(/admin/reports/dblog).*$' failregex = ^<HOST> .* "GET .*(/N0WaY/N0WaY1bb2/ N0WaY123.php|settings.(php.)?(php~|sw(p|o)|txt|swo|php(-old|- bak|_bak)|php_old|bak|old|save|orig(inal)?)|wp-config.php).* # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT ignoreregex = '^<HOST> .*(/admin/reports/dblog).*$'
DEFENCE LEVEL 5 - INTRUSION DETECTION SYSTEM ➤ Host based Intrusion detection system ➤ log analysis ➤ file integrity checking, ➤ policy monitoring, ➤ rootkit detection, ➤ real-time alerting and ➤ active response OSSEC HIDS Notification. 2017 Jan 19 13:57:11 Received From: server-005-023->syscheck Rule: 550 fired (level 7) -> "Integrity checksum changed." Portion of the log(s): Integrity checksum changed for: '/var/www/www.somesite.com/live/htdocs/sites/ default/settings.php' Permissions changed from 'r--r-----' to 'rw-r-----' --END OF NOTIFICATION http://ossec.github.io/
CMS - NOWAY - DEFENCE IN DEPTH Settings.php.bak File extension denied Access pattern blocked Origin IP blocked File permissions 0444 disallow php/bak Fail2ban / HIDS IPSET M o n i t o r Best protection - File is not there in the first place!!
ATTACK SURFACES Coffee shop wifi XSS
 CSRF
 Frames
 Clickjacking
 SSL stripping
SPHERES OF PROTECTION mod_security mod_evasive Apache Network / FW WAF TLS 'At Large' Security 3rd Parties Browser: WAN Network Secure Headers
 XSS/CSRF Protection
 Info. Disclosure
 HTTPS
NOTHING IS PERFECT
SECURITY IN THE BROWSER ➤ HTTPS ➤ Cross-site scripting - XSS ➤ Cross-site request forgery - CSRF ➤ Click jacking - Frames ➤ Secure Cookies https://pokeinthe.io https://scotthelme.co.uk/ Adoption in Alexa 
 top million websites
CHECK LIST FOR WEB SECURITY https://wiki.mozilla.org/Security/Guidelines/Web_Security
➤ X-Content-Type-Options: nosniff
 Guards against "drive-by download attacks" by preventing IE & Chrome from MIME-sniffing a response away from the declared content-type. ➤ X-Frame-Options: DENY
 Provides Clickjacking protection ➤ X-Xss-Protection: 1; mode=block
 Configures the XSS audit facilities in IE & Chrome ➤ Strict-Transport-Security: max-age=31536000; includeSubDomains; preload 
 Informs the UA that all communications should be treated as HTTPS. Prevents MiTM & SSL-stripping attacks SECURITY IN THE BROWSER beware the consequences!
SECURE COOKIES FOIL CSRF ➤ Set Cookie as: ➤ HTTP only ➤ Secure ➤ SameSite Header edit Set-Cookie ^(.*)$ $1;HttpOnly;SameSite=lax; Apache Configuration: ini_set('session.cookie_httponly', 1); if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') { ini_set('session.cookie_secure', 1); } Drupal Configuration: In Drupal 8 httpOnly and Secure are set by default
SECURE HEADERS ➤ Subresource Integrity
 Provide SHA hash of inline or CDN scripts. ➤ Public-Key-Pins
 By specifying the fingerprint of certain cryptographic identities, you can force the UA to only accept those identities going forwards. ➤ Content-Security-Policy:
 Provides details about the sources of resources the browser can trust. e.g. Images, scripts, CSS, frames (both ancestors & children) See https://securityheaders.io
CONTENT SECURITY POLICY Connect Source Media Source Object Source Form Action Upgrade Insecure Requests Block All Mixed Content Sandbox Reflected XSS Base URI Manifest Source Plugin Types Referrer How to test: Default Source Script Source Style Source Image Source Font Source Child Source Frame Ancestors Report Only Report URI Others: Typical elements: Audit!
CONTENT SECURITY POLICY Content-Security-Policy:
 default-src 'self';
 img-src * data:;
 style-src 'self' 'unsafe-inline' *.googleapis.com f.fontdeck.com;
 font-src 'self' *.gstatic.com;
 script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google- analytics.com *.googleapis.com *.jquery.com *.google.com google.com *.newrelic.com *.nr-data.net connect.facebook.net; 
 connect-src 'self';
 frame-ancestors 'self' *.facebook.com;
 frame-src 'self' *.facebook.com;
 report-uri https://xyz.report-uri.io/r/default/csp/enforce https://report-uri.io/account/reports/csp/
CONTENT SECURITY POLICY Policy contraventions are reported by the browser : https://report-uri.io/account/reports/csp/
CONTENT SECURITY POLICY Mozilla CSP Policy directives https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives Drupal Modules https://www.drupal.org/project/seckit CSP Builders
MOST COMMON REASONS YOU GET HACKED ➤ Don't have a security policy / budget ➤ Software outdated ➤ Relying on default setup (config and passwords) ➤ In sufficient access controls ➤ Password reuse ➤ Phishing and human error ➤ No IDS / Firewall / CSP etc ➤ No Monitoring and evaluation ➤ No response prepared
➤ Regularly review ➤ Audit attack surfaces ➤ Test defences ➤ Structured defences ➤ Avoid complacency ➤ Rebuild regularly ➤ Security Research ➤ Event monitoring SO - WHAT DO WE DO ABOUT ALL THIS!
FINAL THOUGHTS - ANY SECURITY IS BETTER THAN NONE Bake your principles into practices - Ansible - immutable infrastructure ➤ Security is a department - not a one off - 
 Push for a budget! ➤ Define areas of responsibility with hosting ➤ Prepare response ➤ Learn your attack surface, test on Tor ➤ Monitor & test regularly ➤ Follow some Opsec people:
 @Scott_Helme, @troyhunt, @ivanristic, 
 @briankrebs @aprilmpls ➤ Letsencrypt - HTTPS.  ➤ Work together (bad ips, honeypot, block list) - don't hit back

Recommandé

End to end web security
End to end web securityEnd to end web security
End to end web securityGeorge Boobyer
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac DawsonCODE BLUE
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Hacking in shadows By - Raghav Bisht
Hacking in shadows By - Raghav BishtHacking in shadows By - Raghav Bisht
Hacking in shadows By - Raghav BishtRaghav Bisht
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentNahidul Kibria
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoPichaya Morimoto
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 

Recommandé

End to end web security
End to end web securityEnd to end web security
End to end web securityGeorge Boobyer
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac DawsonCODE BLUE
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Hacking in shadows By - Raghav Bisht
Hacking in shadows By - Raghav BishtHacking in shadows By - Raghav Bisht
Hacking in shadows By - Raghav BishtRaghav Bisht
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentNahidul Kibria
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoPichaya Morimoto
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 
20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
 
Serverless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark ArtsServerless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark ArtsYan Cui
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
Supporting Debian machines for friends and family
Supporting Debian machines for friends and familySupporting Debian machines for friends and family
Supporting Debian machines for friends and familyFrancois Marier
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Hammr Project Update: Machine Images and Docker Containers for your Cloud, OW...
Hammr Project Update: Machine Images and Docker Containers for your Cloud, OW...Hammr Project Update: Machine Images and Docker Containers for your Cloud, OW...
Hammr Project Update: Machine Images and Docker Containers for your Cloud, OW...OW2
 
URL to HTML
URL to HTMLURL to HTML
URL to HTMLFrancois Marier
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009Brad Williams
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
Sinn und Unsinn von SSL
Sinn und Unsinn von SSLSinn und Unsinn von SSL
Sinn und Unsinn von SSLWalter Ebert
 
IstSec'14 - Onur ALANBEL - ShellShock
IstSec'14 - Onur ALANBEL - ShellShockIstSec'14 - Onur ALANBEL - ShellShock
IstSec'14 - Onur ALANBEL - ShellShockBGA Cyber Security
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Rob Fuller
 
URL to HTML
URL to HTMLURL to HTML
URL to HTMLFrancois Marier
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Francois Marier
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data LandJeremy Brown
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Securitywremes
 
Get the most out of your security logs using syslog-ng
Get the most out of your security logs using syslog-ngGet the most out of your security logs using syslog-ng
Get the most out of your security logs using syslog-ngPeter Czanik
 
Importing and synchronizing content using Feeds
Importing and synchronizing content using FeedsImporting and synchronizing content using Feeds
Importing and synchronizing content using FeedsPeter Vanhee
 

Contenu connexe

Tendances

20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanismsCsaba Fitzl
 
Serverless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark ArtsServerless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark ArtsYan Cui
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
Supporting Debian machines for friends and family
Supporting Debian machines for friends and familySupporting Debian machines for friends and family
Supporting Debian machines for friends and familyFrancois Marier
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Hammr Project Update: Machine Images and Docker Containers for your Cloud, OW...
Hammr Project Update: Machine Images and Docker Containers for your Cloud, OW...Hammr Project Update: Machine Images and Docker Containers for your Cloud, OW...
Hammr Project Update: Machine Images and Docker Containers for your Cloud, OW...OW2
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009Brad Williams
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsMark Ginnebaugh
 
Sinn und Unsinn von SSL
Sinn und Unsinn von SSLSinn und Unsinn von SSL
Sinn und Unsinn von SSLWalter Ebert
 
IstSec'14 - Onur ALANBEL - ShellShock
IstSec'14 - Onur ALANBEL - ShellShockIstSec'14 - Onur ALANBEL - ShellShock
IstSec'14 - Onur ALANBEL - ShellShockBGA Cyber Security
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Rob Fuller
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptFrancois Marier
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Francois Marier
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data LandJeremy Brown
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Securitywremes
 

Tendances (20)

20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms20+ ways to bypass your mac os privacy mechanisms
20+ ways to bypass your mac os privacy mechanisms
 
Serverless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark ArtsServerless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark Arts
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
Supporting Debian machines for friends and family
Supporting Debian machines for friends and familySupporting Debian machines for friends and family
Supporting Debian machines for friends and family
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Hammr Project Update: Machine Images and Docker Containers for your Cloud, OW...
Hammr Project Update: Machine Images and Docker Containers for your Cloud, OW...Hammr Project Update: Machine Images and Docker Containers for your Cloud, OW...
Hammr Project Update: Machine Images and Docker Containers for your Cloud, OW...
 
URL to HTML
URL to HTMLURL to HTML
URL to HTML
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009
 
Think Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack VectorsThink Like a Hacker - Database Attack Vectors
Think Like a Hacker - Database Attack Vectors
 
Sinn und Unsinn von SSL
Sinn und Unsinn von SSLSinn und Unsinn von SSL
Sinn und Unsinn von SSL
 
IstSec'14 - Onur ALANBEL - ShellShock
IstSec'14 - Onur ALANBEL - ShellShockIstSec'14 - Onur ALANBEL - ShellShock
IstSec'14 - Onur ALANBEL - ShellShock
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014
 
URL to HTML
URL to HTMLURL to HTML
URL to HTML
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data Land
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Security
 

En vedette

Get the most out of your security logs using syslog-ng
Get the most out of your security logs using syslog-ngGet the most out of your security logs using syslog-ng
Get the most out of your security logs using syslog-ngPeter Czanik
 
Importing and synchronizing content using Feeds
Importing and synchronizing content using FeedsImporting and synchronizing content using Feeds
Importing and synchronizing content using FeedsPeter Vanhee
 
Chapter 14 Publishing a Web Site (649.0K)
Chapter 14 Publishing a Web Site (649.0K)Chapter 14 Publishing a Web Site (649.0K)
Chapter 14 Publishing a Web Site (649.0K)webhostingguy
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworksphanleson
 
2.Format Strings
2.Format Strings2.Format Strings
2.Format Stringsphanleson
 
Surfer en toute legalite sur le net
Surfer en toute legalite sur le netSurfer en toute legalite sur le net
Surfer en toute legalite sur le netAAT's
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security PolicyRyan LaBouve
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudITDogadjaji.com
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012jakobkorherr
 
Cisco Study: State of Web Security
Cisco Study: State of Web Security Cisco Study: State of Web Security
Cisco Study: State of Web Security Cisco Canada
 
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...sanghwan ahn
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web SecurityChris Shiflett
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooBinu Ramakrishnan
 
Modern Web Security
Modern Web SecurityModern Web Security
Modern Web SecurityBill Condo
 
AppSec California 2017 CSP: The Good, the Bad and the Ugly
AppSec California 2017 CSP: The Good, the Bad and the UglyAppSec California 2017 CSP: The Good, the Bad and the Ugly
AppSec California 2017 CSP: The Good, the Bad and the UglyEli Nesterov
 

En vedette (20)

Get the most out of your security logs using syslog-ng
Get the most out of your security logs using syslog-ngGet the most out of your security logs using syslog-ng
Get the most out of your security logs using syslog-ng
 
Importing and synchronizing content using Feeds
Importing and synchronizing content using FeedsImporting and synchronizing content using Feeds
Importing and synchronizing content using Feeds
 
Chapter 14 Publishing a Web Site (649.0K)
Chapter 14 Publishing a Web Site (649.0K)Chapter 14 Publishing a Web Site (649.0K)
Chapter 14 Publishing a Web Site (649.0K)
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
 
2.Format Strings
2.Format Strings2.Format Strings
2.Format Strings
 
Surfer en toute legalite sur le net
Surfer en toute legalite sur le netSurfer en toute legalite sur le net
Surfer en toute legalite sur le net
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
 
Security in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and CloudSecurity in Web 2.0, Social Web and Cloud
Security in Web 2.0, Social Web and Cloud
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012
 
Web Security
Web SecurityWeb Security
Web Security
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
Web Security
Web SecurityWeb Security
Web Security
 
Cisco Study: State of Web Security
Cisco Study: State of Web Security Cisco Study: State of Web Security
Cisco Study: State of Web Security
 
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
 
Modern Web Security
Modern Web SecurityModern Web Security
Modern Web Security
 
AppSec California 2017 CSP: The Good, the Bad and the Ugly
AppSec California 2017 CSP: The Good, the Bad and the UglyAppSec California 2017 CSP: The Good, the Bad and the Ugly
AppSec California 2017 CSP: The Good, the Bad and the Ugly
 

Similaire à DrupalCamp London 2017 - Web site insecurity

Drupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityDrupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityGeorge Boobyer
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
Adversary tactics config mgmt-&amp;-logs-oh-my
Adversary tactics config mgmt-&amp;-logs-oh-myAdversary tactics config mgmt-&amp;-logs-oh-my
Adversary tactics config mgmt-&amp;-logs-oh-myJesse Moore
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdfGabriel Mathenge
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Stefano Maccaglia
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!Nahidul Kibria
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-daysZoltan Balazs
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...CODE BLUE
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 

Similaire à DrupalCamp London 2017 - Web site insecurity (20)

Drupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityDrupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurity
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
Intrusion Techniques
Intrusion TechniquesIntrusion Techniques
Intrusion Techniques
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Adversary tactics config mgmt-&amp;-logs-oh-my
Adversary tactics config mgmt-&amp;-logs-oh-myAdversary tactics config mgmt-&amp;-logs-oh-my
Adversary tactics config mgmt-&amp;-logs-oh-my
 
Flipping the script
Flipping the scriptFlipping the script
Flipping the script
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Bsides final
Bsides finalBsides final
Bsides final
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
 
2023-May.pptx
2023-May.pptx2023-May.pptx
2023-May.pptx
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 

Dernier

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Dernier (20)

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

DrupalCamp London 2017 - Web site insecurity

  • 1. WEB SITE INSECURITY How your CMS site will get hacked and how to prevent it
  • 2. WEB SECURITY ➤ Common threats to web security with real world case studies of compromised sites, ➤ A 'dissection' of a typical common exploit tool and how it operates, ➤ Simple approaches to mitigating common threats/vulnerabilities, ➤ Defence in depth – an overview of the various components of web security, ➤ Drupal specific measures that standard penetration testing often does not account for. ➤ An overview of how to benefit from: ➤ Security monitoring and log analysis ➤ Intrusion Detection Systems & Firewalls ➤ Security headers and Content Security Policies (CSP).
  • 3. GEORGE BOOBYER Drupal: iAugur
 george@blue-bag.com twitter: @iBluebag WWW.BLUE-BAG.COM Established in 2000
  • 4. WHY IS THE WEB INSECURE? ➤ Security is perceived to be complex or someone else's domain, ➤ The web is a playground of the well-meaning/naïve and 
 the ill-disposed or malevolent, ➤ It is also a place of automated exploitation, ➤ Web software / infrastructure is often insecure by default, ➤ Often our goals (budgets) end at site launch, ➤ We don’t often look after sites once live - we check the visible content and cross our fingers it is safe. ➤ Security is not hard and any effort will be rewarded
  • 5. INVEST IN SECURITY ➤ What is at risk? ➤ Loss of business ➤ Reputation (you / your client) ➤ Sensitive data ➤ Personal data - enumeration ➤ SEO ranking ➤ Blacklisting ➤ Ransom ➤ Model your costs: ➤ Spend 37% of your expected losses on security 
 Diminishing returns (Gordon–Loeb model) ➤ Automate - Ansible - Immutable Infrastructure
  • 6. ➤ Defacers ➤ SEO Spam - content injection ➤ Data Breaches ➤ Hactivists ➤ Recruiters (Botnet orchestration) ➤ Ransomware botnets ➤ Layer 7 Attacks - DDOS ➤ Unintentional - Application level vulnerabilities HACKERS - WHO ARE THEY?
  • 14. CONTENT INJECTION - USER AGENT SPECIFIC User-Agent:Googlebot/2.1 (+http://www.googlebot.com/bot.html)
  • 17. HACKIVISTS Hacking team vs Phineas Albanian hitman http://pastebin.com/raw/0SNSvyjJ
  • 18. BOTNET RECRUITS "Investigation of the attack uncovered 49,657 unique IPs which hosted Mirai- infected devices. As previously reported, these were mostly CCTV cameras—a popular choice of DDoS botnet herders. Other victimized devices included DVRs and routers."
 https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
  • 19. BOTNET RECRUITS [FREE] World's Largest Net:Mirai Botnet, Client, Echo Loader, CNC source code release - Anna-senpai - 09-30-2016 11:50 AM Preface Greetz everybody, When I first go in DDoS industry, I wasn't planning on staying in it long. I made my money, there's lots of eyes looking at IOT now, so it's time to GTFO. However, I know every skid and their mama, it's their wet dream to have something besides qbot. So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping. So, I am your senpai, and I will treat you real nice, my hf-chan. And to everyone that thought they were doing anything by hitting my CNC, I had good laughs, this bot uses domain for CNC. It takes 60 seconds for all bots to reconnect, lol Also, shoutout to this blog post by malwaremustdie http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html https://web.archive.org/web/20160930230210/http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html <- backup in case low quality reverse engineer unixfreaxjp decides to edit his posts lol Had a lot of respect for you, thought you were good reverser, but you really just completely and totally failed in reversing this binary. "We still have better kung fu than you kiddos" don't make me laugh please, you made so many mistakes and even confused some different binaries with my. LOL Let me give you some slaps back - 1) port 48101 is not for back connect, it is for control to prevent multiple instances of bot running together 2) /dev/watchdog and /dev/misc are not for "making the delay", it for preventing system from hanging. This one is low-hanging fruit, so sad that you are extremely dumb 3) You failed and thought FAKE_CNC_ADDR and FAKE_CNC_PORT was real CNC, lol "And doing the backdoor to connect via HTTP on 65.222.202.53". you got tripped up by signal flow ;) try harder skiddo 4) Your skeleton tool sucks ass, it thought the attack decoder was "sinden style", but it does not even use a text-based protocol? CNC and bot communicate over binary protocol 5) you say 'chroot("/") so predictable like torlus' but you don't understand, some others kill based on cwd. It shows how out-of-the-loop you are with real malware. Go back to skidland http://pastebin.com/raw/mevDFPg6
  • 22. OPEN ACCESS It's a hydroelectric control system!
  • 23. VAST RESOURCE OF VULNERABLE DEVICES https://press.avast.com/avast-exposes-internet-of-things-attack-risk-in-barcelona-home-of-mobile-world-congress-2017
  • 24. HACKERS: THEY HAVE IT EASY ➤ Insecure Servers & open ports ➤ Default settings and passwords ➤ Open configuration files ➤ Browsable folders ➤ Out of date CMS (insecure plugins) ➤ SQL Injection ➤ Phishing / Social Engineering ➤ Leverage other breaches / password reuse ➤ Search Engines / Exploit databases & resources ➤ Botnets / Proxies
  • 25. OUT OF DATE SOFTWARE ➤ Out of date CMS core ➤ Vulnerable plugins / modules https://www.drupal.org/security-advisory-policy
  • 26. MISCONFIGURATIONS: SAVED COPIES OF SENSITIVE FILES
  • 27. MISCONFIGURATIONS: SAVED COPIES OF SENSITIVE FILES navigable / readable config files
  • 29. ANYTHING BUT COSMETIC: TAKING CONTROL
  • 30. ANYTHING BUT COSMETIC: TAKING CONTROL
  • 31. ANYTHING BUT COSMETIC: TAKING CONTROL
  • 32. ANYTHING BUT COSMETIC: TAKING CONTROL
  • 33. UPLOAD A SHELL function drupal_bootstrap($phase = NULL, $new_phase = TRUE) { …. 
 case DRUPAL_BOOTSTRAP_SESSION:
 require_once DRUPAL_ROOT . '/' . variable_get('session_inc', 'includes/session.inc');
 drupal_session_initialize();
 break; In the session_inc variable include a malicious file from the /tmp/ folder: https://blog.sucuri.net/2016/05/finding-conditional-drupal-database-spam.html
  • 34. HACKERS: HOW THEY FEED - LOW HANGING FRUIT ➤ Internet of things: shodan.io
  • 35. HACKERS: HOW THEY FEED - LOW HANGING FRUIT inurl:CHANGELOG.txt intext:drupal intext:"SA-CORE" -intext:7.32 - site:github.com -site:drupal.org ➤ Internet of things: shodan.io ➤ Google Dorks
  • 36. HACKERS: HOW THEY FEED - LOW HANGING FRUIT ➤ Internet of things: shodan.io ➤ Google Dorks ➤ Exploit-db
  • 37. HACKERS: HOW THEY FEED - LOW HANGING FRUIT ➤ Internet of things: shodan.io ➤ Google Dorks ➤ Exploit-db ➤ Show off: zone-h
  • 38. HACKERS: HOW THEY FEED - LOW HANGING FRUIT ➤ Internet of things: shodan.io ➤ Google Dorks ➤ Exploit-db ➤ Show off: zone-h ➤ Trawlers / chancers
  • 39. THE GREPS OF WRATH A story of one failed exploit
  • 40. ROUTINE LOG/EVENT ANALYSIS ➤ Ideally ship and aggregate logs ➤ Routine analysis of logs for 40x and 5xx ➤ Review requests by status code ➤ Routine analysis of big hitters ➤ Routine analysis of hits by status code # get a list of 404s by ip and target grep "HTTP/1.1" 404" access.log | awk '{print $1 " " $8 } ' | sort | uniq -c | sort -n # get the pages that cause 500 grep "HTTP/1.1" 500" access.log | awk '{print $8 } ' | sort | uniq -c | sort -n # list CMS hackers grep -E -i -w 'wp-(admin|content|includes|login)' access.log.1 | awk '{print $1 " " $8}' | sort | uniq -c | sort -nr
  • 41. INVESTIGATE A SPECIFIC EVENT ➤ Get the big hitters from the past hour or so ➤ Get the requests for specific IPs #Get big hitters along with their agent string zcat pound.log.1.gz | awk -v OFS='t' '{print $7, substr($0, index($0,$18))}' | sort | uniq -c | sort -nk1 # top 50 hitters with counts (ignore static assets) tail -100000 access.log|egrep -i -v "jpg|png|js|css" | awk '{print $2}'|sort | uniq -c | sort -nk1 | tail -50 # hits per hour awk -F: '{print $2}' access_log | sort | uniq -c # hits per hour by an ip grep -w {ipaddress} logfile | awk -F: '{print $2}' | sort | uniq -c # hits for a period awk '$5>"[20/Sep/2015:16:00:" && $5<"[20/Sep/2015:18:23:"' access.log | less # hit count by ip for a period awk '$5>"[20/Sep/2015:16:00:" && $5<"[20/Sep/2015:18:23:"' access.log | awk '{print $2}'|sort | uniq -c | sort -nk1
  • 42. CMS EXPLOIT - SMELLING A RAT ➤ Routine analysis shows a pattern /vmskdl44rededd /N0Wccvvd333.php /N0Wccvvd333.php /N0WaY/N0WaY1bb2/N0WaY123.php /N0WaY/N0WaY1bb2/N0WaY123.php /wp-login.php /wp-config.php /configuration.php /administrator /user /CHANGELOG.txt /?q=admin/views/ajax/autocomplete/user/N0t3xstgg12394
  • 43. RESEARCH AND PROTECTION ➤ In the case of a specific exploit - do some research ➤ In our example we have an exploit: ➤ That is coming from multiple ips ➤ Appears to follows a typical pattern ➤ Characteristics are the same on unrelated servers Look for non existent file: N0WaY/N0WaY1bb2/N0WaY123.php see how the site reacts... Determine CMS CMS Specific exploit attempts wp-login
 wp-admin joomla.xml CHANGELOG.txt def DruCore(self): if LooseVersion("7") <= LooseVersion(str(self.DruVersion)) <= LooseVersion("7.31"): msg = "Drupal Vulnerable to SA-CORE-2014-005"; report.high(msg)
  • 44. SEARCH FOR KEY CHARACTERISTICS ➤ Github ➤ Exploit Databases ➤ Penetration test tools CMSMap
  • 45. CAUGHT RAT: CMS MAP ➤ Tests for CMS ➤ Tests for CMS version ➤ Multiple exploits ➤ Updates from Exploit DB ➤ Upload shell ➤ Call back to host ➤ Protect vulnerabilities ➤ Update regularly ➤ Block signature ➤ Ban known baddies 2.92.230.173 5.165.47.132 37.15.2.6 46.119.108.124 46.219.247.129 62.183.85.176 77.52.98.181 77.122.3.232 79.172.7.23 82.149.151.12 91.202.27.239 95.139.232.62 95.28.120.251 95.70.43.209 95.167.1.250 109.87.102.147 109.184.1.245 176.69.113.104 178.67.152.248 195.230.129.226 Disclaimer Usage of CMSmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume NO liability and are NOT responsible for any misuse or damage caused by this program.
  • 46. PROTECTION MEASURES ➤ Control Leakage ➤ Restrict access to files ➤ Layered Defence
  • 47. INFORMATION LEAKAGE != OBFUSCATION Cons: ➤ Security through obscurity is pointless ➤ There are many ways that you can determine the CMS and its version https://www.drupal.org/node/766404
  • 48. Pros: ➤ A layered defence has this as a component ➤ Many exploits are reliant on simple version determination for version specific exploits ➤ Simple process to place effective hurdle in the path of script kiddies ➤ A component of defence only INFORMATION LEAKAGE != OBFUSCATION Cons: ➤ Security through obscurity is pointless ➤ There are many ways that you can determine the CMS and its version https://www.drupal.org/node/766404
  • 49. SECURITY MISCONCEPTIONS ➤ Port reassignment
 Use port 2020, 2222 etc in place of 22
 Bad Idea! ➤ Waste of time: port scanners (nmap) will find it ➤ False sense of security: Better spend time doing real security
 RSA keys, IP restriction, AllowGroups, no Root login
 IDS or other activity pattern matching. ➤ Poor Security:
 Ports below 1024 are privileged ports
 Above 1024 are not - easy to mimic ssh and listen. ➤ Non standard - Other security measures won’t guard it.
  • 50. DEFENCE LEVEL 1 - PORT LEVEL CONTROL Know what ports you have open, what is listening on them and who can access. On the server: 0.0.0.0:9080 LISTEN 1804/varnishd 127.0.0.1:25 LISTEN 2583/exim4 144.76.185.80:443 LISTEN 1037/pound 0.0.0.0:2812 LISTEN 1007/monit 127.0.0.1:6082 LISTEN 1799/varnishd 0.0.0.0:3306 LISTEN 1727/mysqld 127.0.0.1:11211 LISTEN 849/memcached 127.0.0.1:6379 LISTEN 946/redis-server 12 0.0.0.0:10000 LISTEN 2644/perl 144.76.185.80:80 LISTEN 1037/pound 0.0.0.0:22 LISTEN 851/sshd 0 :::9080 LISTEN 1804/varnishd 0 ::1:25 LISTEN 2583/exim4 0 :::8443 LISTEN 1779/apache2 0 :::8080 LISTEN 1779/apache2 0 :::22 LISTEN 851/sshd $netstat -nlp | grep tcp From outside: $nmap xxx.xxx.xxx.xxx Not shown: 990 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp open https 554/tcp open tsp 7070/tcp open realserver 8080/tcp open http-proxy 8443/tcp open https-alt 9080/tcp open glrpc 10000/tcp open snet-sensor-mgmt Red: IP / MAC restricted
 Grey: Router proxies
  • 51. DEFENCE LEVEL 1 - FIREWALL BLOCK LISTS The IP 195.154.47.128 has just been banned by Fail2Ban after 3 attempts against ssh. Firewall 195.154.47.12 CVE-2016-2118 (a.k.a. BADLOCK) SSH Brute force Block Blocklist Drop Firewall IPSET IPSET Any Port 1 2 3 4 5 Log Report to blocklist Source/share lists
 of bad ips Block on first visit Initial
 Server Anyother
 Server Compromised Zombie Exclude whitelist
  • 52. DEFENCE LEVEL 2 - HARDEN SOFTWARE ➤ Configure ➤ mod_negotiation
 -Multiviews ➤ mod_indexes
 -Indexes ➤ Modules To Disable ➤ mod_status ➤ mod_userdir ➤ mod_info ➤ PHP ➤ enable_dl = Off ➤ allow_url_fopen = Off ➤ register_globals = Off ➤ disable_functions = openlog ➤ open_basedir = /var/www/ ➤ upload_tmp_dir = /var/www/tmp $ curl -Ikis "http://localhost/dump" -H "Accept: Accio/dumps" HTTP/1.1 406 Not Acceptable Date: Mon, 27 Feb 2017 17:40:36 GMT Server: Apache/2.4.25 (Unix) PHP/5.6.29 Alternates: 
 {"dump.sql" 1 {type application/x-sql} {length 104857600}},
 {"dump.txt" 1 {type text/plain} {length 104857600}} Vary: negotiate,accept TCN: list Content-Type: text/html; charset=iso-8859-1
  • 53. DEFENCE LEVEL 2 - FILE PROTECTION MEASURES All public folders (files) php_flag engine off All private files: php_flag engine off Require all denied All public folders (document root) AllowOverride None
 Options -Indexes +SymLinksIfOwnerMatch -MultiViews Deny access to txt files and php files other than specific ones: <FilesMatch "([^(xxrobots|robots)].*.txt|[^(index|channel)].*.php)$"> Require all denied Require ip {your-static-ip} Require ip 127.0.0.1 Require valid-user Require group {your secure group}
  • 54. Deny access to hidden (DVCS) files: <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REQUEST_URI} "!(^|/).well-known/([^./]+./?)+$" [NC] RewriteCond %{SCRIPT_FILENAME} -d [OR] RewriteCond %{SCRIPT_FILENAME} -f RewriteRule "(^|/)." - [F] </IfModule> Deny access to files by type: <FilesMatch ".(engine|inc|info|install|make|module|profile|test|po| sh|.*sql|theme|tpl(.php)?|xtmpl)(~|.sw[op]|.bak|.orig|.save)?$| ^(..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|.php(~| .sw[op]|.bak|.orig.save)$"> Require all denied DEFENCE LEVEL 2 - FILE PROTECTION MEASURES
  • 55. DEFENCE LEVEL 2 - CONTROL ACCESS ➤ Can't access TXT or PHP ➤ Restrict all sensitive file types - whether you use them or not ➤ Restrict PHP to specific folders /vmskdl44rededd /N0Wccvvd333.php /N0Wccvvd333.php /N0WaY/N0WaY1bb2/N0WaY123.php /N0WaY/N0WaY1bb2/N0WaY123.php /wp-login.php /wp-config.php /configuration.php /administrator /user /CHANGELOG.txt /?q=admin/views/ajax/autocomplete/user/N0t3xstgg12394
  • 56. DEFENCE LEVEL 3 - ANALYSE ACCESS PATTERNS ➤ Analyse activity patterns ➤ Protect admin paths ➤ Clearly here our rat is sniffing for copies of settings.php ➤ Often it is database dumps. ➤ Don't dump on production!
  • 57. DEFENCE LEVEL 3 - ANALYSE ACCESS PATTERNS ➤ Analyse activity patterns ➤ Protect admin paths ➤ Clearly here our rat is sniffing for copies of settings.php ➤ Often it is database dumps. ➤ Don't dump on production! # Examples of real attempts to access sensitive files and backups /sites/default/settings /sites/default/settings.php~ /sites/default/settings.php.txt /sites/default/settings.php.old /sites/default/settings.php_old /sites/default/settings.php-old /sites/default/settings.php.save /sites/default/settings.php.swp /sites/default/settings.php.swo /sites/default/settings.php_bak /sites/default/settings.php-bak /sites/default/settings.php.original /sites/default/settings.php.orig /sites/default/settings.php.bak /sites/default/settings.save /sites/default/settings.old /sites/default/settings.bak /sites/default/settings.orig /sites/default/settings.original /sites/default/settings.txt
  • 58. DEFENCE LEVEL 3 - ANALYSE ACCESS PATTERNS ➤ Analyse activity patterns ➤ Protect admin paths ➤ Clearly here our rat is sniffing for copies of settings.php ➤ Often it is database dumps. ➤ Don't dump on production! # Examples of real attempts to access sensitive files and backups /sites/default/settings /sites/default/settings.php~ /sites/default/settings.php.txt /sites/default/settings.php.old /sites/default/settings.php_old /sites/default/settings.php-old /sites/default/settings.php.save /sites/default/settings.php.swp /sites/default/settings.php.swo /sites/default/settings.php_bak /sites/default/settings.php-bak /sites/default/settings.php.original /sites/default/settings.php.orig /sites/default/settings.php.bak /sites/default/settings.save /sites/default/settings.old /sites/default/settings.bak /sites/default/settings.orig /sites/default/settings.original /sites/default/settings.txt All of the following had UA of "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "GET /backup.zip "GET /backup.rar "GET /backup.tar.gz "GET /backup.sql "GET /backup.sql.gz "GET /backup "GET /public_html.tar.gz "GET /public_html.tar.bz2 "GET /public_html.zip "GET /public_html.rar "GET /dump.sql "GET /dump.sql.gz "GET /dump.sql.bz2 "GET /dump.sql.zip "GET /dump.zip "GET /dump "GET /mysqldump "GET /mysqldump.sql "GET /pma "GET /phpmyadmin "GET /myadmin
  • 59. DEFENCE LEVEL 4 - REACTIVE ➤ mod_evasive ➤ mod_security ➤ Fail2ban ➤ Logwatch ➤ ELK ➤ IPTABLES / IPSET [Definition] # Option: failregex # Notes.: regex to match the N0WaY settings.bak attack. # Values: TEXT # Test : fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/ apache-cmsnoway.conf '^<HOST> .*(/admin/reports/dblog).*$' failregex = ^<HOST> .* "GET .*(/N0WaY/N0WaY1bb2/ N0WaY123.php|settings.(php.)?(php~|sw(p|o)|txt|swo|php(-old|- bak|_bak)|php_old|bak|old|save|orig(inal)?)|wp-config.php).* # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT ignoreregex = '^<HOST> .*(/admin/reports/dblog).*$'
  • 60. DEFENCE LEVEL 5 - INTRUSION DETECTION SYSTEM ➤ Host based Intrusion detection system ➤ log analysis ➤ file integrity checking, ➤ policy monitoring, ➤ rootkit detection, ➤ real-time alerting and ➤ active response OSSEC HIDS Notification. 2017 Jan 19 13:57:11 Received From: server-005-023->syscheck Rule: 550 fired (level 7) -> "Integrity checksum changed." Portion of the log(s): Integrity checksum changed for: '/var/www/www.somesite.com/live/htdocs/sites/ default/settings.php' Permissions changed from 'r--r-----' to 'rw-r-----' --END OF NOTIFICATION http://ossec.github.io/
  • 61. CMS - NOWAY - DEFENCE IN DEPTH Settings.php.bak File extension denied Access pattern blocked Origin IP blocked File permissions 0444 disallow php/bak Fail2ban / HIDS IPSET M o n i t o r Best protection - File is not there in the first place!!
  • 62. ATTACK SURFACES Coffee shop wifi XSS
 CSRF
 Frames
 Clickjacking
 SSL stripping
  • 63. SPHERES OF PROTECTION mod_security mod_evasive Apache Network / FW WAF TLS 'At Large' Security 3rd Parties Browser: WAN Network Secure Headers
 XSS/CSRF Protection
 Info. Disclosure
 HTTPS
  • 65. SECURITY IN THE BROWSER ➤ HTTPS ➤ Cross-site scripting - XSS ➤ Cross-site request forgery - CSRF ➤ Click jacking - Frames ➤ Secure Cookies https://pokeinthe.io https://scotthelme.co.uk/ Adoption in Alexa 
 top million websites
  • 66. CHECK LIST FOR WEB SECURITY https://wiki.mozilla.org/Security/Guidelines/Web_Security
  • 67. ➤ X-Content-Type-Options: nosniff
 Guards against "drive-by download attacks" by preventing IE & Chrome from MIME-sniffing a response away from the declared content-type. ➤ X-Frame-Options: DENY
 Provides Clickjacking protection ➤ X-Xss-Protection: 1; mode=block
 Configures the XSS audit facilities in IE & Chrome ➤ Strict-Transport-Security: max-age=31536000; includeSubDomains; preload 
 Informs the UA that all communications should be treated as HTTPS. Prevents MiTM & SSL-stripping attacks SECURITY IN THE BROWSER beware the consequences!
  • 68. SECURE COOKIES FOIL CSRF ➤ Set Cookie as: ➤ HTTP only ➤ Secure ➤ SameSite Header edit Set-Cookie ^(.*)$ $1;HttpOnly;SameSite=lax; Apache Configuration: ini_set('session.cookie_httponly', 1); if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') { ini_set('session.cookie_secure', 1); } Drupal Configuration: In Drupal 8 httpOnly and Secure are set by default
  • 69. SECURE HEADERS ➤ Subresource Integrity
 Provide SHA hash of inline or CDN scripts. ➤ Public-Key-Pins
 By specifying the fingerprint of certain cryptographic identities, you can force the UA to only accept those identities going forwards. ➤ Content-Security-Policy:
 Provides details about the sources of resources the browser can trust. e.g. Images, scripts, CSS, frames (both ancestors & children) See https://securityheaders.io
  • 70. CONTENT SECURITY POLICY Connect Source Media Source Object Source Form Action Upgrade Insecure Requests Block All Mixed Content Sandbox Reflected XSS Base URI Manifest Source Plugin Types Referrer How to test: Default Source Script Source Style Source Image Source Font Source Child Source Frame Ancestors Report Only Report URI Others: Typical elements: Audit!
  • 71. CONTENT SECURITY POLICY Content-Security-Policy:
 default-src 'self';
 img-src * data:;
 style-src 'self' 'unsafe-inline' *.googleapis.com f.fontdeck.com;
 font-src 'self' *.gstatic.com;
 script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google- analytics.com *.googleapis.com *.jquery.com *.google.com google.com *.newrelic.com *.nr-data.net connect.facebook.net; 
 connect-src 'self';
 frame-ancestors 'self' *.facebook.com;
 frame-src 'self' *.facebook.com;
 report-uri https://xyz.report-uri.io/r/default/csp/enforce https://report-uri.io/account/reports/csp/
  • 72. CONTENT SECURITY POLICY Policy contraventions are reported by the browser : https://report-uri.io/account/reports/csp/
  • 73. CONTENT SECURITY POLICY Mozilla CSP Policy directives https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives Drupal Modules https://www.drupal.org/project/seckit CSP Builders
  • 74. MOST COMMON REASONS YOU GET HACKED ➤ Don't have a security policy / budget ➤ Software outdated ➤ Relying on default setup (config and passwords) ➤ In sufficient access controls ➤ Password reuse ➤ Phishing and human error ➤ No IDS / Firewall / CSP etc ➤ No Monitoring and evaluation ➤ No response prepared
  • 75. ➤ Regularly review ➤ Audit attack surfaces ➤ Test defences ➤ Structured defences ➤ Avoid complacency ➤ Rebuild regularly ➤ Security Research ➤ Event monitoring SO - WHAT DO WE DO ABOUT ALL THIS!
  • 76. FINAL THOUGHTS - ANY SECURITY IS BETTER THAN NONE Bake your principles into practices - Ansible - immutable infrastructure ➤ Security is a department - not a one off - 
 Push for a budget! ➤ Define areas of responsibility with hosting ➤ Prepare response ➤ Learn your attack surface, test on Tor ➤ Monitor & test regularly ➤ Follow some Opsec people:
 @Scott_Helme, @troyhunt, @ivanristic, 
 @briankrebs @aprilmpls ➤ Letsencrypt - HTTPS.  ➤ Work together (bad ips, honeypot, block list) - don't hit back