End to end web security


Transcript of End to end web security

Page 1: End to end web security

END TO END WEB

SECURITY

TAKE YOUR HEAD OUT OF THE SAND AND

DELIVER YOUR WEB PAGES SECURELY

Beginners guide

http://map.norsecorp.com/#/

Page 2: End to end web security

GEORGE BOOBYER

DRUPAL: iAUGUR

[email protected] TWITTER: iBLUEBAG

www.blue-bag.com

Established in 2000

Page 3: End to end web security

WEB SECURITY

Threats, culprits & examples

Threats & how they work

How can we guard against them

Server Environment Security

Application level security

Transport Security

Browser based security

Questions

Page 4: End to end web security

HACKERS: WHO / WHAT ARE THEY

Defacers

Content injection

Data Breaches

"Hactivists"

Intruders: Parasites / Squatters / Malware (Angler EK / Nautilus / Necurs)

Layer 7 attacks - HTTP flood

Page 5: End to end web security

DEFACED SITES

Examples redacted

Home page replaced with hacker's banner

Page 6: End to end web security

HACKERS: WHAT ARE THEY

Defacers / Malicious

Content injection

Data Breaches

"Hactivists"

Intruders: Parasites / Squatters / Malware (Angler EK / Nautilus / Necurs)

Layer 7 attacks - HTTP flood

Page 7: End to end web security

CONTENT INJECTION PARASITES

<script> location.href='http://www.fashionheel-us.com/';</script>

Body overwritten with redirect

Page 8: End to end web security

CONTENT INJECTION PARASITES

Page 9: End to end web security

USER AGENT SPECIFIC PARASITES

User-Agent:Googlebot/2.1 (+http://www.googlebot.com/bot.html)

Page 10: End to end web security

USER AGENT SPECIFIC PARASITES

User-Agent:Googlebot/2.1 (+http://www.googlebot.com/bot.html)

User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) Chrome/51.0.2704.84 Safari/537.36

Page 11: End to end web security

HACKERS: WHAT ARE THEY

Defacers / Malicious

Content injection

Data Breaches

"Hactivists"

Intruders: Parasites / Squatters / Malware (Angler EK / Nautilus / Necurs)

Layer 7 attacks - HTTP flood

Page 12: End to end web security

SOME EXAMPLES

Data breach

Vulnerable systems

Page 13: End to end web security

HIGH PROFILE DATA BREACHES

@TROYHUNT

Page 14: End to end web security

HACKERS: WHAT ARE THEY

Defacers / Malicious

Content injection

Data Breaches

"Hactivists"

Intruders: Parasites / Squatters / Malware (Angler EK / Nautilus / Necurs / Locky)

Layer 4 & 7 attacks - HTTP flood

Page 15: End to end web security

HACKERS: HACKER ON HACKER

Hacking Team vs Phineas

Albanian hitman

http://pastebin.com/raw/0SNSvyjJ

Page 16: End to end web security

HACKERS: HACKER ON TERROR

Anonymous

Page 17: End to end web security

HACKERS: WHAT ARE THEY

Defacers / Malicious

Content injection

Data Breaches

"Hactivists"

Intruders / Botnets

Layer 4 & 7 attacks - HTTP flood

Page 18: End to end web security

INTRUDERS / BOTNETS

Parasites / Squatters

Malware / Ransomware (Angler EK / Nautilus, Necurs / Locky)

Page 19: End to end web security

HACKERS: WHAT ARE THEY

Defacers / Malicious

Content injection

Data Breaches

"Hactivists"

Intruders / Botnets

Ransom: Layer 4 & 7 attacks - HTTP flood

Page 20: End to end web security

DDOS / FLOOD ATTACKS

LAYER 4: UDP Flood, SYN Flood, DNS Attacks

LAYER 7: XML-RPC, HTTP GET/POST, SLOWLORIS

IP Stressers, Booters and shells

Page 21: End to end web security

HACKERS: THEY HAVE IT EASY

Open configuration files

Browsable folders

Out of date CMS

Phishing / Social Engineering

Leverage other breaches / password reuse

Search Engines

Page 22: End to end web security

MISCONFIGURATIONS: SAVED COPIES OF SENSITIVE FILES

Page 23: End to end web security

MISCONFIGURATIONS: DIRECTORY BROWSING

navigable / readable config files

Page 24: End to end web security

HTTPS KEEPS YOU SAFE - RIGHT?

not if your settings.php is readable

Page 25: End to end web security

HACKERS: THEY HAVE IT EASY

Open configuration files

Browsable folders

Out of date CMS

Phishing / Social Engineering

Leverage other breaches / password reuse

Search Engines

Shells

Page 26: End to end web security

ANYTHING BUT COSMETIC: TAKING CONTROL

Page 27: End to end web security

HACKERS: THEY HAVE IT EASY

Open configuration files

Browsable folders

Out of date CMS

Phishing / Social Engineering

Leverage other breaches / password reuse

Search Engines

Page 28: End to end web security

HACKERS: THEY HAVE IT EASY

Open configuration files

Browsable folders

Out of date CMS

Phishing / Social Engineering

Leverage other breaches / password reuse

Search Engines

Page 29: End to end web security

HACKERS: HOW THEY FEED - LOW HANGING FRUIT

Internet of things: shodan.io

Google Dorks

Exploit-db

Drive by

Show off: zone-h

Page 30: End to end web security

Internet of things: shodan.io

Google Dorks

Exploit-db

Drive by / Trawlers

Show off: zone-h

Example to locate Drupalgeddon vulnerable sites - redacted

HACKERS: HOW THEY FEED - LOW HANGING FRUIT

Page 31: End to end web security

Normal day: Attempts to use known hacks by 255 hosts were logged 753 time(s)

Paths probed (from the log):

/admin/fckeditor/editor/filemanager/upload/php/upload.php
/wp-config.php.bak
/wp-login.php
/backup.sql
/Ringing.at.your.dorbell!
/admin/assets/ckeditor/elfinder/php/connector.php
/wp-admin/admin-ajax.php?action=revslider_ajax_action/
/phpMyAdmin/scripts/setup.php
/SQLite/SQLiteManager-1.2.4/main.php
/jenkins/login
/joomla/administrator
/wp-content/plugins/sell-downloads/sell-downloads.php?file=../../.././wp-config.php
/modules/coder/LICENSE.txt
/modules/restws/LICENSE.txt
/sites/all/modules/webform_multifile/LICENSE.txt

SSHD Illegal users: admin nagios ubnt fluffy guest info library linux oracle shell test unix webmaster .....

HACKERS: HOW THEY FEED - TRAWLERS

Page 32: End to end web security

Internet of things: shodan.io

Google Dorks

Exploit-db

Drive by / Trawlers

Show off: zone-h

HACKERS: HOW THEY FEED - LOW HANGING FRUIT

Page 33: End to end web security

WEB SECURITY

How can we guard against threats

Server Environment Security

Application level security

Transport Security

Browser based security

Page 34: End to end web security

ATTACK SURFACES

Coffee shop wifi

XSS

CSRF

Frames / Clickjacking

SSL stripping

Page 35: End to end web security

SPHERES OF PROTECTION

Diagram (slide labels only): CMS; mod_security; mod_evasive; Apache; Network / FW; WAF; TLS; 'At Large' Security; 3rd Parties; WAN Network; Browser: Secure Headers, XSS/CSRF Protection, Info. Disclosure, HTTPS.

Page 36: End to end web security

ATTACK SURFACES

Server (Layer 3)

Other servers (backup, monitoring, local)

Application / Layer 7

In transit

The browser

Page 37: End to end web security

SERVER: PORTS ARE OPEN DOORS

Know what ports you have open, what is listening on them and who can access.

On the server: $ netstat -nlp | grep tcp

0.0.0.0:9080 LISTEN 1804/varnishd
127.0.0.1:25 LISTEN 2583/exim4
144.76.185.80:443 LISTEN 1037/pound
0.0.0.0:2812 LISTEN 1007/monit
127.0.0.1:6082 LISTEN 1799/varnishd
0.0.0.0:3306 LISTEN 1727/mysqld
127.0.0.1:11211 LISTEN 849/memcached
127.0.0.1:6379 LISTEN 946/redis-server
0.0.0.0:10000 LISTEN 2644/perl
144.76.185.80:80 LISTEN 1037/pound
0.0.0.0:22 LISTEN 851/sshd
:::9080 LISTEN 1804/varnishd
::1:25 LISTEN 2583/exim4
:::8443 LISTEN 1779/apache2
:::8080 LISTEN 1779/apache2
:::22 LISTEN 851/sshd

From outside: $ nmap xxx.xxx.xxx.xxx

Not shown: 990 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
554/tcp open tsp
7070/tcp open realserver
8080/tcp open http-proxy
8443/tcp open https-alt
9080/tcp open glrpc
10000/tcp open snet-sensor-mgmt

Legend: Red = IP / MAC restricted; Grey = Router proxies

Page 38: End to end web security

SERVER: CONFIGURE YOUR FIREWALL

Allow if:

White listed

Allowed port

Not blocked

Rate ok

Otherwise: Reject / Drop

Page 39: End to end web security

NETWORK: ATTACKS & BLOCK LISTS

The IP 195.154.47.128 has just been banned by Fail2Ban after 3 attempts against ssh.

Diagram (slide labels only): a Compromised Zombie runs an SSH Brute force / CVE-2016-2118 (a.k.a. BADLOCK) attack against the Initial Server; response chain, steps 1-5: Firewall -> Block / Drop; Log; Report to blocklist; Source/share lists of bad ips; Any other Server blocks on first visit (Firewall / IPSET, Any Port); Exclude whitelist.
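As an added illustration of the ban-and-share flow on this slide (example code, not from the talk): a minimal Fail2Ban-style pass over constructed sshd log lines that bans a source after 3 failed attempts, skips whitelisted addresses, and renders the result as ipset/iptables commands so the block applies on any port. The log lines, the IP addresses, the `blocklist` set name and the threshold are assumptions.

```python
"""Added example (not from the slides): a minimal Fail2Ban-style detector.

It scans constructed sshd log lines, counts failed logins per source IP,
and emits a block list once an IP reaches the threshold (3 attempts, as on
the slide). Whitelisted IPs are never banned; the resulting set is what you
would feed into an ipset that the firewall drops on any port.
"""
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to auth.log (assumed IPs).
SAMPLE_AUTH_LOG = """\
Jun 15 10:49:58 web1 sshd[851]: Failed password for invalid user admin from 195.154.47.128 port 51122 ssh2
Jun 15 10:50:01 web1 sshd[851]: Failed password for invalid user nagios from 195.154.47.128 port 51130 ssh2
Jun 15 10:50:03 web1 sshd[851]: Failed password for root from 195.154.47.128 port 51140 ssh2
Jun 15 10:50:10 web1 sshd[851]: Failed password for invalid user ubnt from 203.0.113.7 port 40001 ssh2
Jun 15 10:50:12 web1 sshd[851]: Accepted publickey for deploy from 198.51.100.5 port 3022 ssh2
Jun 15 10:50:20 web1 sshd[851]: Failed password for deploy from 198.51.100.5 port 3023 ssh2
Jun 15 10:50:21 web1 sshd[851]: Failed password for deploy from 198.51.100.5 port 3024 ssh2
Jun 15 10:50:22 web1 sshd[851]: Failed password for deploy from 198.51.100.5 port 3025 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def count_failures(log_text):
    """Return {ip: number of failed password attempts} from sshd log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def ips_to_ban(log_text, maxretry=3, whitelist=frozenset()):
    """Fail2Ban-style decision: ban an IP once it reaches `maxretry` failures,
    unless it is on the whitelist (the slide's 'exclude whitelist' step)."""
    counts = count_failures(log_text)
    return sorted(ip for ip, n in counts.items()
                  if n >= maxretry and ip not in whitelist)

def ipset_commands(banned, set_name="blocklist"):
    """Render the ban decisions as ipset commands; one iptables rule matching
    the set then drops traffic from those IPs on any port."""
    cmds = [f"ipset create {set_name} hash:ip -exist"]
    cmds += [f"ipset add {set_name} {ip} -exist" for ip in banned]
    cmds.append(f"iptables -I INPUT -m set --match-set {set_name} src -j DROP")
    return cmds

if __name__ == "__main__":
    banned = ips_to_ban(SAMPLE_AUTH_LOG, whitelist={"198.51.100.5"})
    print("\n".join(ipset_commands(banned)))
```

The same ipset can be exported and imported on the other servers, which is the "source/share lists of bad ips" step.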

Page 40: End to end web security

SERVER: INFORMATION LEAKAGE

Before:

HTTP/1.1 200 OK
Date: Wed, 15 Jun 2016 10:49:58 GMT
Server: Apache/2.4.10 (Debian PHP 5.6.22-0+deb8u1 OpenSSL 1.0.1t)
Last-Modified: Tue, 19 Apr 2016 17:02:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: en-gb
X-Powered-By: PHP/5.6.22-0+deb8u1
X-Generator: Drupal 7 (http://drupal.org)

After:

HTTP/1.1 200 OK
Date: Wed, 15 Jun 2016 10:49:58 GMT
Server: Apache
Last-Modified: Tue, 19 Apr 2016 17:02:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: en-gb

php.ini:

;;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;;
expose_php = Off

Apache config:

# ServerTokens
ServerTokens Prod
ServerSignature Off
Header always unset 'X-Powered-By'

Check with: $ curl -I http://www.yoursite.com

Page 41: End to end web security

ATTACK SURFACES

Server (Layer 3)

Other servers (backup, monitoring, local)

Application / Layer 7

In transit

The browser

Page 42: End to end web security

APPLICATION LEVEL ATTACKS

https://blog.sucuri.net/2016/05/sucuri-hacked-report-2016q1.html

Page 43: End to end web security

DRUPAL SECURITY

https://www.drupal.org/security-advisory-policy

Page 44: End to end web security

CONTROL YOUR APPLICATION ENVIRONMENT

Migrate all .htaccess to vhosts

Get a static IP

Limit what files can be read

Limit where PHP can be 'run'

Restrict file permissions (640 / 440)

Update your CMS

Page 45: End to end web security

DENY ACCESS TO SENSITIVE FILES

Disallow access to files by type:

# Protect files and directories from prying eyes.
# Note the '|' between \.orig and \.save in the last group: without it
# .php.orig and .php.save copies stay readable.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
  Require all denied
</FilesMatch>

Disallow access to hidden directories (e.g. .git), but leave .well-known reachable:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
  RewriteCond %{SCRIPT_FILENAME} -d [OR]
  RewriteCond %{SCRIPT_FILENAME} -f
  RewriteRule "(^|/)\." - [F]
</IfModule>

<DirectoryMatch "^/.*/\.git+/">
  Require all denied
</DirectoryMatch>

.well-known is used for standard files: favicon, DNT, letsencrypt etc. See:

https://tools.ietf.org/html/rfc5785

https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml

https://www.drupal.org/node/2408321

Page 46: End to end web security

LIMIT PHP EXECUTION

<Directory /var/www/yoursite/htdocs/sites/default/files>
  # Turn off all options we don't need.
  Options None
  Options +SymLinksIfOwnerMatch

  # Set the catch-all handler to prevent scripts from being executed.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
  <Files *>
    # Override the handler again if we're run later in the evaluation list.
    SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
  </Files>

  # If we know how to do it safely, disable the PHP engine entirely.
  <IfModule mod_php5.c>
    php_flag engine off
  </IfModule>
</Directory>

Protect folders: tmp, files and private folders and any others.

Note: you will need these in the folders as .htaccess too, just to stop Drupal complaining.

Page 47: End to end web security

No PHP files other than index.php; no text files other than robots.txt.

# Match every .php except index.php and every .txt except (my)robots.txt.
# Negative lookaheads are used because a character class such as [^index]
# excludes single characters, not the file name, and leaves e.g. cron.php
# and update.php unprotected.
<FilesMatch "^(?!index\.php$)(?!(my)?robots\.txt$).*\.(php|txt)$">
  AuthName "Restricted"
  AuthUserFile /etc/apache2/.htpasswds/passwdfile
  AuthType Basic
  # Several Require lines default to RequireAny: a valid user OR a listed IP.
  Require valid-user
  # Your static IP:
  Require ip 123.123.123.123
  Require ip 127.0.0.1
</FilesMatch>

LIMIT PHP EXECUTION

Page 48: End to end web security

DO YOUR PHP FILES NEED TO BE IN THE DOCROOT?

https://www.drupal.org/node/2767907

Page 49: End to end web security

APPLICATION LEVEL ATTACKS

Requires Configuration

Slowloris

Know your traffic levels

MOD EVASIVE

Requires Configuration

Know your application patterns

Cautious whitelisting

MOD SECURITY

Page 50: End to end web security

APPLICATION LEVEL ATTACKS

Diagram (slide labels only): Apache logs and syslog; mod_evasive and mod_security; Firewall; Blocklist; Server, Server, Server; "Immune system".

Page 51: End to end web security

HTTPS EVERYWHERE

http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html

http://www.httpvshttps.com

I don't take credit cards

It's slower?

What about http resources

Can't afford wildcard SSL and letsencrypt doesn't do wildcards

https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives

Page 52: End to end web security

SECURE IN TRANSIT

Setup HTTPS / TLS

Free certificates

Strong Ciphers

Upgrade insecure requests

Strict Transport Security (HSTS)

Pin public keys

Audit TLS

Page 53: End to end web security

TLS AUDIT

Not just for the A+

Consider other browsers / agents, e.g. Screaming Frog on OSX / Java

Page 54: End to end web security

CASE STUDY

Your page is everyone's canvas:

<style type="text/css">.gm-style .gm-style-cc span,.gm-style .gm-style-cc a,.gm-style .gm-style-mtc div{font-size:10px}</style>

<iframe> <script>

Page 55: End to end web security

BROWSER BASED ATTACKS

Cross-site scripting - XSS

Cross-site request forgery - CSRF

Click jacking - Frames

Check out: https://mathiasbynens.github.io/rel-noopener/

Page 56: End to end web security

SECURE HEADERS

X-Content-Type-Options: nosniff Guards against "drive-by download attacks" by preventing IE & Chrome from MIME-sniffing a response away from the declared content-type.

X-Frame-Options: DENY Provides Clickjacking protection

X-Xss-Protection: 1; mode=block Configures the XSS audit facilities in IE & Chrome

X-Permitted-Cross-Domain-Policies: none Adobe specific header that controls whether Flash & PDFs can access cross domain data - read the crossdomain.xml

Page 57: End to end web security

XSS - CROSS SITE SCRIPTING

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.

X-XSS-Protection: 0 (disable XSS filter/auditor)

X-XSS-Protection: 1 (remove unsafe parts; this is the default setting if no X-XSS-Protection header is present)

X-XSS-Protection: 1; mode=block (do not render the document if XSS is found)

http://blog.innerht.ml/the-misunderstood-x-xss-protection/

Page 58: End to end web security

SECURE HEADERS

Strict-Transport-Security: max-age=31536000; includeSubDomains (set with env=HTTPS so it is only sent on HTTPS responses) Informs the UA that all communications should be treated as HTTPS. Prevents MitM & SSL-stripping attacks

Public-Key-Pins By specifying the fingerprint of certain cryptographic identities, you can force the UA to only accept those identities going forwards.

Content-Security-Policy: Provides details about the sources of resources the browser can trust. e.g. Images, scripts, CSS, frames (both ancestors & children)

See https://securityheaders.io

Page 59: End to end web security

CSRF - CROSS SITE REQUEST FORGERY

An attack that forces an end user to execute unwanted actions.

Drupal protects you against this

Page 60: End to end web security

CONTENT SECURITY POLICY

Typical elements: Default Source, Script Source, Style Source, Image Source, Font Source, Child Source, Frame Ancestors

Others: Connect Source, Media Source, Object Source, Form Action, Upgrade Insecure Requests, Block All Mixed Content, Sandbox, Reflected XSS, Base URI, Manifest Source, Plugin Types, Referrer

How to test: Report Only, Report URI

Audit!

Page 61: End to end web security

CONTENT SECURITY POLICY

Content-Security-Policy: default-src 'self'; img-src * data:; style-src 'self' 'unsafe-inline' *.googleapis.com f.fontdeck.com; font-src 'self' *.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com *.googleapis.com *.jquery.com *.google.com google.com *.newrelic.com *.nr-data.net connect.facebook.net; connect-src 'self'; frame-ancestors 'self' *.facebook.com; frame-src 'self' *.facebook.com; report-uri https://xyz.report-uri.io/r/default/csp/enforce

https://report-uri.io/account/reports/csp/

Page 62: End to end web security

CONTENT SECURITY POLICY

Policy contraventions are reported by the browser:

https://report-uri.io/account/reports/csp/

Page 63: End to end web security

X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Cache-Control: max-age=2592000
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; img-src 'self' data: *.gravatar.com *.google.com *.googleapis.com www.google-analytics.com syndication.twitter.com *.gstatic.com; style-src 'self' 'unsafe-inline' *.googleapis.com; font-src 'self' *.googleapis.com *.gstatic.com; script-src 'self' 'unsafe-inline' www.google-analytics.com s7.addthis.com platform.twitter.com *.googleapis.com *.gstatic.com *.google.com google.com ; connect-src 'self';frame-src 'self' platform.twitter.com syndication.twitter.com;
X-Permitted-Cross-Domain-Policies: none
Content-Language: en-gb
Age: 95666
X-Cache: HIT
X-Cache-Hits: 40
Server: cloudflare-nginx

SECURITY HEADERS

@Scott_Helme
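An added example (not from the talk) that covers the secure-header slides and the two CSP samples above: it audits a constructed response, modelled on the header dump above, against the recommended header values and parses its Content-Security-Policy to flag 'unsafe-inline', 'unsafe-eval' and bare '*' sources, the same weakenings both sample policies carry. The EXPECTED table and the sample header values are assumptions, not output from securityheaders.io.

```python
"""Added example (not from the slides): audit response headers against the
slides' recommended values and flag CSP weakenings ('unsafe-inline', 'unsafe-eval', '*')."""
# Constructed response, modelled on the header dump above (values are assumptions).
SAMPLE_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-Xss-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Content-Security-Policy": (
        "default-src 'self'; img-src * data:; "
        "style-src 'self' 'unsafe-inline' *.googleapis.com; "
        "script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google-analytics.com; "
        "connect-src 'self'; frame-ancestors 'self'"
    ),
    "Server": "Apache/2.4.10 (Debian)",
}

# Header -> acceptable values; None means the header only has to be present.
EXPECTED = {
    "X-Content-Type-Options": ("nosniff",),
    "X-Frame-Options": ("DENY", "SAMEORIGIN"),
    "X-Xss-Protection": ("1; mode=block",),
    "X-Permitted-Cross-Domain-Policies": ("none",),
    "Strict-Transport-Security": None,
    "Content-Security-Policy": None,
}

def parse_csp(policy):
    """Split a CSP header value into {directive: [source, ...]}."""
    result = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            result[tokens[0].lower()] = tokens[1:]
    return result

def audit_headers(headers):
    """Return a sorted list of findings, one string per problem found."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, allowed in EXPECTED.items():
        got = lower.get(name.lower())
        if got is None:
            findings.append(f"missing {name}")
        elif allowed is not None and got not in allowed:
            findings.append(f"{name} is {got!r}, expected one of {allowed}")
    # CSP: flag directives that reopen the holes the policy is meant to close.
    for directive, sources in parse_csp(lower.get("content-security-policy", "")).items():
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in sources:
                findings.append(f"{directive} allows {weak}")
    # A version string in Server is the information leakage shown earlier.
    if "/" in lower.get("server", ""):
        findings.append(f"Server header leaks version: {lower['server']!r}")
    return sorted(findings)
```

Point it at the headers `curl -I` returns for your own site and treat each finding as a line to fix in the vhost or CSP.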

Page 64: End to end web security

CONTENT SECURITY POLICY

Mozilla CSP Policy directives

CSP Builder

https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives

https://report-uri.io/home/generate

Drupal Modules: https://www.drupal.org/project/seckit

Page 65: End to end web security

SECURITY THREATS & MEASURES

Bruteforcing - Firewall

Phishing - Keys/2FA

XSS - Headers

Click Jacking - CSP

CSRF - Tokens

SSL Stripping - HSTS

Page 66: End to end web security

FINAL THOUGHTS

• Bake your principles into practices - Ansible - immutable infrastructure

• Follow some Opsec people: @Scott_Helme, @troyhunt, @ivanristic, @briankrebs

• Does your site have to be dynamic?

• Letsencrypt - https.

• Security is a department - not a one off

• Learn your attack surface, test on Tor

• VPN, Password apps, 2Factor Authentication

• Work together (bad ips, honeypot, block list) - don't hit back

Page 67: End to end web security

DON'T HIT BACK

Page 68: End to end web security

QUESTIONS