End to end web security
END TO END WEB SECURITY
TAKE YOUR HEAD OUT OF THE SAND AND DELIVER YOUR WEB PAGES SECURELY
Beginner's guide
http://map.norsecorp.com/#/
GEORGE BOOBYER
DRUPAL: iAUGUR
[email protected]
TWITTER: iBLUEBAG
www.blue-bag.com
Established in 2000
WEB SECURITY
Threats, culprits & examples
Threats & how they work
How can we guard against them
Server Environment Security
Application level security
Transport Security
Browser based security
Questions
HACKERS: WHO / WHAT ARE THEY
Defacers
Content injection
Data Breaches
"Hacktivists"
Intruders: Parasites / Squatters / Malware (Angler EK / Nautilus / Necurs)
Layer 7 attacks - HTTP flood
DEFACED SITES
Examples redacted
Home page replaced with hacker's banner
HACKERS: WHAT ARE THEY
Defacers / Malicious
Content injection
Data Breaches
"Hacktivists"
Intruders: Parasites / Squatters / Malware (Angler EK / Nautilus / Necurs)
Layer 7 attacks - HTTP flood
CONTENT INJECTION PARASITES
<script> location.href='http://www.fashionheel-us.com/';</script>
Body overwritten with redirect
USER AGENT SPECIFIC PARASITES
The response differs by User-Agent:
User-Agent: Googlebot/2.1 (+http://www.googlebot.com/bot.html)
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) Chrome/51.0.2704.84 Safari/537.36
SOME EXAMPLES
Data breach
Vulnerable systems
HIGH PROFILE DATA BREACHES
@TROYHUNT
HACKERS: WHAT ARE THEY
Defacers / Malicious
Content injection
Data Breaches
"Hacktivists"
Intruders: Parasites / Squatters / Malware (Angler EK / Nautilus / Necurs / Locky)
Layer 4 & 7 attacks - HTTP flood
HACKERS: HACKER ON HACKER
Hacking Team vs Phineas
Albanian hitman
http://pastebin.com/raw/0SNSvyjJ
HACKERS: HACKER ON TERROR
Anonymous
HACKERS: WHAT ARE THEY
Defacers / Malicious, Content injection, Data Breaches, "Hacktivists", Intruders / Botnets, Layer 4 & 7 attacks - HTTP flood
INTRUDERS / BOTNETS
Parasites / Squatters, Malware / Ransomware (Angler EK / Nautilus / Necurs / Locky)
HACKERS: WHAT ARE THEY
Defacers / Malicious, Content injection, Data Breaches, "Hacktivists", Intruders / Botnets, Ransom: Layer 4 & 7 attacks - HTTP flood
DDOS / FLOOD ATTACKS
LAYER 4: UDP Flood, SYN Flood, DNS Attacks
LAYER 7: XML-RPC, HTTP GET/POST, Slowloris
IP Stressers, Booters and shells
HACKERS: THEY HAVE IT EASY
Open configuration files
Browsable folders
Out of date CMS
Phishing / Social Engineering
Leverage other breaches / password reuse
Search Engines
MISCONFIGURATIONS: SAVED COPIES OF SENSITIVE FILES
MISCONFIGURATIONS: DIRECTORY BROWSING
navigable / readable config files
HTTPS KEEPS YOU SAFE - RIGHT?
not if your settings.php is readable
HACKERS: THEY HAVE IT EASY
Open configuration files
Browsable folders
Out of date CMS
Phishing / Social Engineering
Leverage other breaches / password reuse
Search Engines
Shells
ANYTHING BUT COSMETIC: TAKING CONTROL
HACKERS: HOW THEY FEED - LOW HANGING FRUIT
Internet of things: shodan.io
Google Dorks
Exploit-db
Drive by / Trawlers
Show off: zone-h
Example to locate Drupalgeddon vulnerable sites - redacted
HACKERS: HOW THEY FEED - LOW HANGING FRUIT
Normal day: Attempts to use known hacks by 255 hosts were logged 753 time(s)
/admin/fckeditor/editor/filemanager/upload/php/upload.php
/wp-config.php.bak
/wp-login.php
/backup.sql
/Ringing.at.your.dorbell!
/admin/assets/ckeditor/elfinder/php/connector.php
/wp-admin/admin-ajax.php?action=revslider_ajax_action
/phpMyAdmin/scripts/setup.php
/SQLite/SQLiteManager-1.2.4/main.php
/jenkins/login
/joomla/administrator
/wp-content/plugins/sell-downloads/sell-downloads.php?file=../../.././wp-config.php
/modules/coder/LICENSE.txt
/modules/restws/LICENSE.txt
/sites/all/modules/webform_multifile/LICENSE.txt
SSHD illegal users: admin, nagios, ubnt, fluffy, guest, info, library, linux, oracle, shell, test, unix, webmaster, .....
WEB SECURITY
How can we guard against threats
Server Environment Security
Application level security
Transport Security
Browser based security
ATTACK SURFACES
Coffee shop wifi
XSS / CSRF
Frames / Clickjacking / SSL stripping
SPHERES OF PROTECTION
Diagram elements:
CMS
Apache: mod_security, mod_evasive
Network / FW: WAF, TLS
'At Large' Security: 3rd parties, WAN network
Browser: Secure headers, XSS/CSRF protection, info. disclosure, HTTPS
ATTACK SURFACES
Server (Layer 3)
Other servers (backup, monitoring, local)
Application / Layer 7
In transit
The browser
SERVER: PORTS ARE OPEN DOORS
Know what ports you have open, what is listening on them and who can access.
On the server:
$ netstat -nlp | grep tcp
0.0.0.0:9080        LISTEN  1804/varnishd
127.0.0.1:25        LISTEN  2583/exim4
144.76.185.80:443   LISTEN  1037/pound
0.0.0.0:2812        LISTEN  1007/monit
127.0.0.1:6082      LISTEN  1799/varnishd
0.0.0.0:3306        LISTEN  1727/mysqld
127.0.0.1:11211     LISTEN  849/memcached
127.0.0.1:6379      LISTEN  946/redis-server
0.0.0.0:10000       LISTEN  2644/perl
144.76.185.80:80    LISTEN  1037/pound
0.0.0.0:22          LISTEN  851/sshd
:::9080             LISTEN  1804/varnishd
::1:25              LISTEN  2583/exim4
:::8443             LISTEN  1779/apache2
:::8080             LISTEN  1779/apache2
:::22               LISTEN  851/sshd
From outside:
$ nmap xxx.xxx.xxx.xxx
Not shown: 990 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
443/tcp   open  https
554/tcp   open  tsp
7070/tcp  open  realserver
8080/tcp  open  http-proxy
8443/tcp  open  https-alt
9080/tcp  open  glrpc
10000/tcp open  snet-sensor-mgmt
Slide colour key: red = IP / MAC restricted, grey = router proxies
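An added example (not from the talk) that does the "know what is listening" check from the slide in code: it parses netstat -nlp style lines and reports every service bound to all interfaces that is not on the list of ports you expect to be public. The sample output is constructed to mirror the slide, with made-up PIDs.

```python
import re

# Constructed sample in the shape of `netstat -nlp | grep tcp` output;
# addresses and programs modelled on the slide, not captured from a live host.
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:9080        0.0.0.0:*   LISTEN  1804/varnishd
tcp        0      0 127.0.0.1:25        0.0.0.0:*   LISTEN  2583/exim4
tcp        0      0 0.0.0.0:3306        0.0.0.0:*   LISTEN  1727/mysqld
tcp        0      0 127.0.0.1:6379      0.0.0.0:*   LISTEN  946/redis-server
tcp        0      0 0.0.0.0:10000       0.0.0.0:*   LISTEN  2644/perl
tcp6       0      0 :::8080             :::*        LISTEN  1779/apache2
tcp6       0      0 ::1:25              :::*        LISTEN  2583/exim4
"""

# proto, recv-q, send-q, local addr:port, foreign addr, state, pid/program
LINE_RE = re.compile(
    r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")


def parse_listeners(text):
    """Return (proto, addr, port, pid, program) for each LISTEN line."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, pid, prog = m.groups()
            found.append((proto, addr, int(port), int(pid), prog))
    return found


def is_exposed(addr):
    """True when the socket is bound on every interface rather than loopback."""
    return addr in ("0.0.0.0", "::")


def exposed_services(text, expected_ports=(22, 80, 443)):
    """Network-reachable listeners whose port is not on the expected public list.

    Each entry is something to justify, firewall (the slide's 'red' ports)
    or rebind to 127.0.0.1."""
    return sorted({(port, prog) for _, addr, port, _, prog in parse_listeners(text)
                   if is_exposed(addr) and port not in expected_ports})
```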
SERVER: CONFIGURE YOUR FIREWALL
Allow if:
White listed
Allowed port
Not blocked
Rate ok
Otherwise: Reject / Drop
NETWORK: ATTACKS & BLOCK LISTS
"The IP 195.154.47.128 has just been banned by Fail2Ban after 3 attempts against ssh."
Diagram: a Compromised Zombie (195.154.47.12) attacks the Initial Server (arrows labelled CVE-2016-2118 a.k.a. BADLOCK and SSH brute force); the firewall blocks / drops it via IPSET, and the blocklist is shared so that Any other Server blocks it on any port via IPSET.
1. Log
2. Report to blocklist
3. Source / share lists of bad IPs
4. Block on first visit
5. Exclude whitelist
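The five steps above in code, as an added example that is not part of the talk: count failed SSH logins per source IP from auth.log style lines, ban after three failures like the Fail2Ban message on the slide, block IPs from a shared bad-IP list on first visit, never ban a whitelisted address, and emit the ipset commands for the firewall. The log lines use RFC 5737 documentation addresses and are constructed, not captured.

```python
import re
from collections import defaultdict

# Constructed sshd lines in auth.log shape (documentation IPs, invented PIDs).
AUTH_LOG = """\
Jun 15 10:49:01 web sshd[851]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Jun 15 10:49:03 web sshd[851]: Failed password for invalid user nagios from 203.0.113.5 port 51001 ssh2
Jun 15 10:49:05 web sshd[851]: Failed password for invalid user ubnt from 203.0.113.5 port 51002 ssh2
Jun 15 10:50:10 web sshd[851]: Failed password for george from 198.51.100.7 port 40000 ssh2
Jun 15 10:50:12 web sshd[851]: Accepted publickey for george from 198.51.100.7 port 40001 ssh2
Jun 15 10:51:00 web sshd[851]: Failed password for invalid user test from 192.0.2.9 port 22222 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")
SEEN_RE = re.compile(r" from (\d+\.\d+\.\d+\.\d+) port ")


def failed_logins(log):
    """Failed SSH logins per source IP (the counter a Fail2Ban jail keeps)."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def decide_bans(log, maxretry=3, whitelist=(), shared_blocklist=()):
    """Slide rules: the whitelist is never banned; IPs on the shared bad-IP list
    are blocked on first visit; everyone else is banned after `maxretry` failures.
    Returns {ip: reason}."""
    counts = failed_logins(log)
    bans = {}
    for ip in {m.group(1) for m in SEEN_RE.finditer(log)}:
        if ip in whitelist:
            continue
        if ip in shared_blocklist:
            bans[ip] = "blocklist"
        elif counts.get(ip, 0) >= maxretry:
            bans[ip] = "bruteforce"
    return bans


def ipset_commands(bans, setname="blocklist"):
    """The `ipset add` lines that would feed the slide's IPSET box (assumed set name)."""
    return ["ipset add %s %s" % (setname, ip) for ip in sorted(bans)]
```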
SERVER: INFORMATION LEAKAGE
Before ($ curl -I http://www.yoursite.com):
HTTP/1.1 200 OK
Date: Wed, 15 Jun 2016 10:49:58 GMT
Server: Apache/2.4.10 (Debian PHP 5.6.22-0+deb8u1 OpenSSL 1.0.1t)
Last-Modified: Tue, 19 Apr 2016 17:02:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: en-gb
X-Powered-By: PHP/5.6.22-0+deb8u1
X-Generator: Drupal 7 (http://drupal.org)
After:
HTTP/1.1 200 OK
Date: Wed, 15 Jun 2016 10:49:58 GMT
Server: Apache
Last-Modified: Tue, 19 Apr 2016 17:02:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: en-gb
php.ini:
;;;;;;;;;;;;;;;;;; Miscellaneous ;;;;;;;;;;;;;;;;;;
expose_php = Off
Apache config:
# ServerTokens
ServerTokens Prod
ServerSignature Off
Header always unset 'X-Powered-By'
ATTACK SURFACES
Server (Layer 3)
Other servers (backup, monitoring, local)
Application / Layer 7
In transit
The browser
APPLICATION LEVEL ATTACKS
https://blog.sucuri.net/2016/05/sucuri-hacked-report-2016q1.html
DRUPAL SECURITY
https://www.drupal.org/security-advisory-policy
CONTROL YOUR APPLICATION ENVIRONMENT
Migrate all .htaccess to vhosts
Get a static IP
Limit what files can be read
Limit where PHP can be 'run'
Restrict file permissions (640 / 440)
Update your CMS
DENY ACCESS TO SENSITIVE FILES
Disallow access to files by type:
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
  Require all denied
</FilesMatch>
Disallow access to hidden directories (i.e. git):
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
  RewriteCond %{SCRIPT_FILENAME} -d [OR]
  RewriteCond %{SCRIPT_FILENAME} -f
  RewriteRule "(^|/)\." - [F]
</IfModule>
<DirectoryMatch "^/.*/\.git+/">
  Require all denied
</DirectoryMatch>
.well-known is used for standard files: favicon, DNT, letsencrypt etc. See:
https://tools.ietf.org/html/rfc5785
https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
https://www.drupal.org/node/2408321
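An added example, not from the talk, that exercises the two rules above outside Apache: the FilesMatch pattern (with the `|` between `\.orig` and `\.save` that the slide's copy lost) is applied to the basename, and the dot-path rule with its .well-known exception to the request URI, so you can see which of the probe paths from the "low hanging fruit" slide would be refused. Python's re accepts these PCRE patterns unchanged.

```python
import re

# Sensitive-file pattern from the slide (Drupal's .htaccess); matched on the basename.
SENSITIVE_FILES = re.compile(
    r"\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|"
    r"tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$"
    r"|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$"
    r"|^#.*#$"
    r"|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$"
)

# RewriteRule "(^|/)\." and its RewriteCond exception for .well-known ([NC] -> IGNORECASE).
HIDDEN_PATH = re.compile(r"(^|/)\.")
WELL_KNOWN = re.compile(r"(^|/)\.well-known/([^./]+./?)+$", re.IGNORECASE)


def denied(request_path):
    """Reason the request would be refused, or None if the two rules let it through."""
    basename = request_path.rsplit("/", 1)[-1]
    if SENSITIVE_FILES.search(basename):
        return "sensitive file type"
    if HIDDEN_PATH.search(request_path) and not WELL_KNOWN.search(request_path):
        return "hidden path"
    return None


def refused(paths):
    """Subset of probe paths the rules stop (the rest need other controls)."""
    return [p for p in paths if denied(p)]
```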
LIMIT PHP EXECUTION
<Directory /var/www/yoursite/htdocs/sites/default/files>
  # Turn off all options we don't need.
  Options None
  Options +SymLinksIfOwnerMatch
  # Set the catch-all handler to prevent scripts from being executed.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
  <Files *>
    # Override the handler again if we're run later in the evaluation list.
    SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
  </Files>
  # If we know how to do it safely, disable the PHP engine entirely.
  <IfModule mod_php5.c>
    php_flag engine off
  </IfModule>
</Directory>
Protect folders: tmp, files and private folders and any others.
Note you will need these in the folders as .htaccess too, just to stop Drupal complaining.
No PHP files other than index.php; no text files other than robots.txt:
<FilesMatch "^(?!index\.php$).*\.php$|^(?!robots\.txt$).*\.txt$">
  AuthName "Restricted"
  AuthUserFile /etc/apache2/.htpasswds/passwdfile
  AuthType basic
  # Either a valid user or a listed IP is accepted (Apache 2.4 defaults to RequireAny).
  Require valid-user
  # Your static IP:
  Require ip 123.123.123.123
  Require ip 127.0.0.1
</FilesMatch>
LIMIT PHP EXECUTION
DO YOUR PHP FILES NEED TO BE IN THE DOCROOT?
https://www.drupal.org/node/2767907
APPLICATION LEVEL ATTACKS
MOD EVASIVE
Requires configuration
Slowloris
Know your traffic levels
MOD SECURITY
Requires configuration
Know your application patterns
Cautious whitelisting
APPLICATION LEVEL ATTACKS
Diagram ("immune system"): mod_evasive, mod_security, Apache logs, syslog, the firewall and a blocklist shared between servers.
HTTPS EVERYWHERE
http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html
http://www.httpvshttps.com
I don't take credit cards
It's slower?
What about http resources
Can't afford wildcard SSL and letsencrypt doesn't do wildcards
https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives
SECURE IN TRANSIT
Setup HTTPS / TLS
Free certificates
Strong Ciphers
Upgrade insecure requests
Strict Transport Security (HSTS)
Pin public keys
Audit TLS
TLS AUDIT
Not just for the A+
Consider other browsers / agents, e.g. Screaming Frog on OSX / Java
CASE STUDY
Your page is everyone's canvas: <style> (.gm-style .gm-style-cc span, .gm-style .gm-style-cc a, .gm-style .gm-style-mtc div {font-size:10px}), <iframe>, <script>
BROWSER BASED ATTACKS
Cross-site scripting - XSS
Cross-site request forgery - CSRF
Click jacking - Frames
Check out: https://mathiasbynens.github.io/rel-noopener/
SECURE HEADERS
X-Content-Type-Options: nosniff Guards against "drive-by download attacks" by preventing IE & Chrome from MIME-sniffing a response away from the declared content-type.
X-Frame-Options: DENY Provides Clickjacking protection
X-Xss-Protection: 1; mode=block Configures the XSS audit facilities in IE & Chrome
X-Permitted-Cross-Domain-Policies: none Adobe specific header that controls whether Flash & PDFs can access cross domain data - read the crossdomain.xml
XSS - CROSS SITE SCRIPTING
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.
X-XSS-Protection: 0 (disable XSS filter/auditor)
X-XSS-Protection: 1 (remove unsafe parts; this is the default setting if no X-XSS-Protection header is present)
X-XSS-Protection: 1; mode=block (do not render the document if XSS is found)
http://blog.innerht.ml/the-misunderstood-x-xss-protection/
SECURE HEADERS
Strict-Transport-Security: max-age=31536000; includeSubDomains env=HTTPS - Informs the UA that all communications should be treated as HTTPS. Prevents MiTM & SSL-stripping attacks
Public-Key-Pins - By specifying the fingerprint of certain cryptographic identities, you can force the UA to only accept those identities going forwards.
Content-Security-Policy - Provides details about the sources of resources the browser can trust, e.g. images, scripts, CSS, frames (both ancestors & children)
See https://securityheaders.io
CSRF - CROSS SITE REQUEST FORGERY
An attack that forces an end user to execute unwanted actions
Drupal protects you against this
CONTENT SECURITY POLICY
Typical elements: Default Source, Script Source, Style Source, Image Source, Font Source, Child Source, Frame Ancestors
Others: Connect Source, Media Source, Object Source, Form Action, Upgrade Insecure Requests, Block All Mixed Content, Sandbox, Reflected XSS, Base URI, Manifest Source, Plugin Types, Referrer
How to test: Report Only, Report URI
Audit!
CONTENT SECURITY POLICY
Content-Security-Policy:
  default-src 'self';
  img-src * data:;
  style-src 'self' 'unsafe-inline' *.googleapis.com f.fontdeck.com;
  font-src 'self' *.gstatic.com;
  script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com *.googleapis.com *.jquery.com *.google.com google.com *.newrelic.com *.nr-data.net connect.facebook.net;
  connect-src 'self';
  frame-ancestors 'self' *.facebook.com;
  frame-src 'self' *.facebook.com;
  report-uri https://xyz.report-uri.io/r/default/csp/enforce
CONTENT SECURITY POLICY
Policy contraventions are reported by the browser:
https://report-uri.io/account/reports/csp/
Example response headers:
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Cache-Control: max-age=2592000
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; img-src 'self' data: *.gravatar.com *.google.com *.googleapis.com www.google-analytics.com syndication.twitter.com *.gstatic.com; style-src 'self' 'unsafe-inline' *.googleapis.com; font-src 'self' *.googleapis.com *.gstatic.com; script-src 'self' 'unsafe-inline' www.google-analytics.com s7.addthis.com platform.twitter.com *.googleapis.com *.gstatic.com *.google.com google.com; connect-src 'self'; frame-src 'self' platform.twitter.com syndication.twitter.com;
X-Permitted-Cross-Domain-Policies: none
Content-Language: en-gb
Age: 95666
X-Cache: HIT
X-Cache-Hits: 40
Server: cloudflare-nginx
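To make the "Audit!" point concrete, an added example (not from the talk) that parses a CSP header value into directives, resolves the default-src fallback for fetch directives that are absent, and flags the points a reviewer would raise on the slide's own policy: 'unsafe-inline' / 'unsafe-eval' in script-src, a wildcard image source, a missing frame-ancestors, and no reporting endpoint. The policy below is a shortened version of the slide's example.

```python
# Shortened copy of the slide's example policy (constructed for the demo).
POLICY = ("default-src 'self'; img-src * data:; "
          "style-src 'self' 'unsafe-inline' *.googleapis.com; "
          "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com; "
          "connect-src 'self'; frame-ancestors 'self' *.facebook.com; "
          "report-uri https://xyz.report-uri.io/r/default/csp/enforce")

# Fetch directives that inherit default-src when they are not set.
FALLS_BACK = ("script-src", "style-src", "img-src", "font-src", "connect-src",
              "media-src", "object-src", "child-src")


def parse_csp(policy):
    """Split a policy header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(directives, name):
    """Sources that apply to a directive, honouring the default-src fallback."""
    if name in directives:
        return directives[name]
    if name in FALLS_BACK:
        return directives.get("default-src", [])
    return []


def review_csp(policy):
    """Findings in a fixed order: script/object weaknesses, wildcard images,
    no frame-ancestors (clickjacking), no reporting."""
    d = parse_csp(policy)
    findings = []
    for name in ("script-src", "object-src"):
        srcs = effective_sources(d, name)
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in srcs:
                findings.append("%s allows %s" % (name, weak))
    if "*" in effective_sources(d, "img-src"):
        findings.append("img-src allows any origin")
    if "frame-ancestors" not in d:
        findings.append("frame-ancestors missing (clickjacking not controlled by CSP)")
    if not any(k in d for k in ("report-uri", "report-to")):
        findings.append("no reporting endpoint")
    return findings
```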
SECURITY HEADERS
@Scott_Helme
CONTENT SECURITY POLICY
Mozilla CSP Policy directives
CSP Builder
https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives
https://report-uri.io/home/generate
Drupal Modules
https://www.drupal.org/project/seckit
SECURITY THREATS & MEASURES
Threat         Measure
Bruteforcing   Firewall
Phishing       Keys/2FA
XSS            Headers
Click Jacking  CSP
CSRF           Tokens
SSL Stripping  HSTS
FINAL THOUGHTS
Bake your principles into practices - Ansible - immutable infrastructure
• Follow some Opsec people: @Scott_Helme, @troyhunt, @ivanristic, @briankrebs
• Does your site have to be dynamic?
• Letsencrypt - https.
• Security is a department - not a one off
• Learn your attack surface, test on Tor
• VPN, password apps, 2-factor authentication
• Work together (bad IPs, honeypot, block list) - don't hit back
DON'T HIT BACK
QUESTIONS