End to end web security
george-boobyer
Category: Technology
Transcript of End to end web security
![Page 1: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/1.jpg)
END TO END WEB SECURITY
TAKE YOUR HEAD OUT OF THE SAND AND DELIVER YOUR WEB PAGES SECURELY
Beginner's guide
http://map.norsecorp.com/#/
![Page 2: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/2.jpg)
GEORGE BOOBYER
DRUPAL: iAUGUR
[email protected]
TWITTER: iBLUEBAG
www.blue-bag.com
Established in 2000
![Page 3: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/3.jpg)
WEB SECURITY
Threats, culprits & examples
Threats & how they work
How can we guard against them
Server Environment Security
Application level security
Transport Security
Browser based security
Questions
![Page 4: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/4.jpg)
HACKERS: WHO / WHAT ARE THEY
Defacers
Content injection
Data Breaches
"Hacktivists"
Intruders: Parasites / Squatters / Malware (Angler EK / Nautilus / Necurs)
Layer 7 attacks - HTTP flood
![Page 5: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/5.jpg)
DEFACED SITES
Examples redacted
Home page replaced with hacker's banner
![Page 6: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/6.jpg)
HACKERS: WHAT ARE THEY
Defacers / Malicious
Content injection
Data Breaches
"Hacktivists"
Intruders: Parasites / Squatters / Malware (Angler EK / Nautilus / Necurs)
Layer 7 attacks - HTTP flood
![Page 7: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/7.jpg)
CONTENT INJECTION PARASITES
<script> location.href='http://www.fashionheel-us.com/';</script>
Body overwritten with redirect
![Page 8: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/8.jpg)
CONTENT INJECTION PARASITES
![Page 9: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/9.jpg)
USER AGENT SPECIFIC PARASITES
User-Agent:Googlebot/2.1 (+http://www.googlebot.com/bot.html)
![Page 10: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/10.jpg)
USER AGENT SPECIFIC PARASITES
User-Agent:Googlebot/2.1 (+http://www.googlebot.com/bot.html)
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) Chrome/51.0.2704.84 Safari/537.36
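The two User-Agent strings above are the site owner's check: fetch your own page once as a browser and once claiming to be Googlebot, then compare what comes back. The following Python is an added example (not code from the deck or its author) of that comparison run over two constructed copies of a page; the redirect target and the sample HTML are placeholders, not values from the slides.

```python
import re
from typing import List, Set

# Constructed sample pages for this example (not from the original deck): the same URL
# as served to an ordinary browser and as served to a client whose User-Agent claims
# to be Googlebot. The redirect target is a placeholder domain.
NORMAL_VIEW = """<html><head><title>Shop</title>
<script src="/js/app.js"></script></head>
<body><h1>Welcome</h1><p>Our catalogue</p></body></html>"""

GOOGLEBOT_VIEW = """<html><head><title>Shop</title>
<script src="/js/app.js"></script></head>
<body><script> location.href='http://parasite.example.invalid/';</script>
<h1>Welcome</h1><p>Our catalogue</p></body></html>"""

# Inline <script> bodies; a script with a src attribute has an empty body.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# JavaScript redirect idioms: location.href = '...', window.location = '...', location.replace('...')
REDIRECT_RE = re.compile(
    r"(?:location\.href|window\.location|location\.replace\()\s*=?\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)


def inline_scripts(html: str) -> List[str]:
    """Return the non-empty inline <script> bodies of a page, whitespace-trimmed."""
    return [body.strip() for body in SCRIPT_RE.findall(html) if body.strip()]


def find_injected_redirects(html: str) -> List[str]:
    """Destinations of JavaScript redirects inside inline scripts (a common parasite payload)."""
    targets: List[str] = []
    for body in inline_scripts(html):
        targets.extend(REDIRECT_RE.findall(body))
    return targets


def cloaking_diff(normal_html: str, bot_html: str) -> Set[str]:
    """Inline scripts present only in the crawler's view of the page.

    A user-agent specific parasite shows its payload to search engines (or to visitors
    arriving from them) but not to the site owner's own browser, so diffing the two
    views is the quickest way to see it."""
    return set(inline_scripts(bot_html)) - set(inline_scripts(normal_html))


def check_site(normal_html: str, bot_html: str) -> dict:
    """Summary a monitoring job could record: redirects in each view and the cloaked scripts."""
    return {
        "normal_redirects": find_injected_redirects(normal_html),
        "bot_redirects": find_injected_redirects(bot_html),
        "cloaked_scripts": sorted(cloaking_diff(normal_html, bot_html)),
    }


if __name__ == "__main__":
    for key, value in check_site(NORMAL_VIEW, GOOGLEBOT_VIEW).items():
        print(f"{key}: {value}")
```

In practice the two HTML strings come from fetching your own site twice with the User-Agent headers shown on the slide; any script that appears only in the crawler view, or any redirect to a host you do not own, is the thing to investigate.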
![Page 12: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/12.jpg)
SOME EXAMPLES
Data breach
Vulnerable systems
![Page 13: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/13.jpg)
HIGH PROFILE DATA BREACHES
@TROYHUNT
![Page 14: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/14.jpg)
HACKERS: WHAT ARE THEY
Defacers / Malicious
Content injection
Data Breaches
"Hacktivists"
Intruders: Parasites / Squatters / Malware (Angler EK / Nautilus / Necurs / Locky)
Layer 4 & 7 attacks - HTTP flood
![Page 15: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/15.jpg)
HACKERS: HACKER ON HACKER
Hacking Team vs Phineas
Albanian hitman
http://pastebin.com/raw/0SNSvyjJ
![Page 16: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/16.jpg)
HACKERS: HACKER ON TERROR
Anonymous
![Page 17: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/17.jpg)
HACKERS: WHAT ARE THEY
Defacers / Malicious
Content injection
Data Breaches
"Hacktivists"
Intruders / Botnets
Layer 4 & 7 attacks - HTTP flood
![Page 18: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/18.jpg)
INTRUDERS / BOTNETS
Parasites / Squatters
Malware / Ransomware
Angler EK / Nautilus
Necurs / Locky
![Page 19: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/19.jpg)
HACKERS: WHAT ARE THEY
Defacers / Malicious
Content injection
Data Breaches
"Hacktivists"
Intruders / Botnets
Ransom: Layer 4 & 7 attacks - HTTP flood
![Page 20: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/20.jpg)
DDOS / FLOOD ATTACKS
LAYER 4: UDP Flood, SYN Flood, DNS Attacks
LAYER 7: XML-RPC, HTTP GET/POST, SLOWLORIS
IP Stressers, Booters and shells
![Page 21: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/21.jpg)
HACKERS: THEY HAVE IT EASY
Open configuration files
Browsable folders
Out of date CMS
Phishing / Social Engineering
Leverage other breaches / password reuse
Search Engines
![Page 22: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/22.jpg)
MISCONFIGURATIONS: SAVED COPIES OF SENSITIVE FILES
![Page 23: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/23.jpg)
MISCONFIGURATIONS: DIRECTORY BROWSING
navigable / readable config files
![Page 24: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/24.jpg)
HTTPS KEEPS YOU SAFE - RIGHT?
not if your settings.php is readable
![Page 25: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/25.jpg)
HACKERS: THEY HAVE IT EASY
Open configuration files
Browsable folders
Out of date CMS
Phishing / Social Engineering
Leverage other breaches / password reuse
Search Engines
Shells
![Page 26: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/26.jpg)
ANYTHING BUT COSMETIC: TAKING CONTROL
![Page 29: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/29.jpg)
HACKERS: HOW THEY FEED - LOW HANGING FRUIT
Internet of things: shodan.io
Google Dorks
Exploit-db
Drive by
Show off: zone-h
![Page 30: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/30.jpg)
HACKERS: HOW THEY FEED - LOW HANGING FRUIT
Internet of things: shodan.io
Google Dorks
Exploit-db
Drive by / Trawlers
Show off: zone-h
Example to locate Drupalgeddon vulnerable sites - redacted
![Page 31: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/31.jpg)
HACKERS: HOW THEY FEED - TRAWLERS
Normal day: Attempts to use known hacks by 255 hosts were logged 753 time(s)
```text
/admin/fckeditor/editor/filemanager/upload/php/upload.php
/wp-config.php.bak
/wp-login.php
/backup.sql
/Ringing.at.your.dorbell!
/admin/assets/ckeditor/elfinder/php/connector.php
/wp-admin/admin-ajax.php?action=revslider_ajax_action
//phpMyAdmin/scripts/setup.php
/SQLite/SQLiteManager-1.2.4/main.php
/jenkins/login
/joomla/administrator
/wp-content/plugins/sell-downloads/sell-downloads.php?file=../../.././wp-config.php
/modules/coder/LICENSE.txt
/modules/restws/LICENSE.txt
/sites/all/modules/webform_multifile/LICENSE.txt
```
SSHD Illegal users: admin nagios ubnt fluffy guest info library linux oracle shell test unix webmaster .....
![Page 32: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/32.jpg)
HACKERS: HOW THEY FEED - LOW HANGING FRUIT
Internet of things: shodan.io
Google Dorks
Exploit-db
Drive by / Trawlers
Show off: zone-h
![Page 33: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/33.jpg)
WEB SECURITY
How can we guard against threats
Server Environment Security
Application level security
Transport Security
Browser based security
![Page 34: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/34.jpg)
ATTACK SURFACES
Coffee shop wifi
XSS / CSRF
Frames / Clickjacking / SSL stripping
![Page 35: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/35.jpg)
SPHERES OF PROTECTION (diagram: layers from the CMS outwards to the browser)
CMS
Apache: mod_security, mod_evasive
Network / FW: WAF, TLS
WAN Network / 'At Large' Security: 3rd Parties
Browser: Secure Headers, XSS/CSRF Protection, Info. Disclosure, HTTPS
![Page 36: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/36.jpg)
ATTACK SURFACES
Server (Layer 3); Other servers (backup, monitoring, local); Application / Layer 7; In transit; The browser
![Page 37: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/37.jpg)
SERVER: PORTS ARE OPEN DOORS
Know what ports you have open, what is listening on them and who can access.
On the server:
```text
$ netstat -nlp | grep tcp
Local Address          State    PID/Program name
0.0.0.0:9080           LISTEN   1804/varnishd
127.0.0.1:25           LISTEN   2583/exim4
144.76.185.80:443      LISTEN   1037/pound
0.0.0.0:2812           LISTEN   1007/monit
127.0.0.1:6082         LISTEN   1799/varnishd
0.0.0.0:3306           LISTEN   1727/mysqld
127.0.0.1:11211        LISTEN   849/memcached
127.0.0.1:6379         LISTEN   946/redis-server 12
0.0.0.0:10000          LISTEN   2644/perl
144.76.185.80:80       LISTEN   1037/pound
0.0.0.0:22             LISTEN   851/sshd
:::9080                LISTEN   1804/varnishd
::1:25                 LISTEN   2583/exim4
:::8443                LISTEN   1779/apache2
:::8080                LISTEN   1779/apache2
:::22                  LISTEN   851/sshd
```
From outside:
```text
$ nmap xxx.xxx.xxx.xxx
Not shown: 990 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
443/tcp   open  https
554/tcp   open  tsp
7070/tcp  open  realserver
8080/tcp  open  http-proxy
8443/tcp  open  https-alt
9080/tcp  open  glrpc
10000/tcp open  snet-sensor-mgmt
```
(Colour legend on the slide: red = IP / MAC restricted, grey = router proxies.)
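"Know what is listening and who can access it" is a check worth automating rather than reading by eye. The following Python is an added example, not code from the deck: it parses netstat output in the layout above (the sample reproduces the slide's listeners, with the columns the slide dropped filled in), separates sockets bound only to loopback from those bound to a wildcard or public address, and lists every externally reachable port that is not on your expected public list. The set of expected public ports passed to it is an assumption for the example.

```python
import re
from typing import List, Tuple

# Constructed sample in the layout of `netstat -nlp | grep tcp` (the columns the slide
# dropped are filled in); the listeners, PIDs and public address are the slide's own.
NETSTAT_OUTPUT = """\
tcp        0      0 0.0.0.0:9080            0.0.0.0:*               LISTEN      1804/varnishd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2583/exim4
tcp        0      0 144.76.185.80:443       0.0.0.0:*               LISTEN      1037/pound
tcp        0      0 0.0.0.0:2812            0.0.0.0:*               LISTEN      1007/monit
tcp        0      0 127.0.0.1:6082          0.0.0.0:*               LISTEN      1799/varnishd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1727/mysqld
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      849/memcached
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      946/redis-server 12
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      2644/perl
tcp        0      0 144.76.185.80:80        0.0.0.0:*               LISTEN      1037/pound
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      851/sshd
tcp6       0      0 :::9080                 :::*                    LISTEN      1804/varnishd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2583/exim4
tcp6       0      0 :::8443                 :::*                    LISTEN      1779/apache2
tcp6       0      0 :::8080                 :::*                    LISTEN      1779/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      851/sshd
"""

# proto, recv-q, send-q, local address, foreign address, state, pid/program
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s+(\d+)/(.+?)\s*$")


def is_loopback(host: str) -> bool:
    return host.startswith("127.") or host == "::1"


def parse_listeners(text: str) -> List[Tuple[str, int, str]]:
    """(host, port, program) for every LISTEN line; program arguments are dropped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, _, port = m.group(2).rpartition(":")   # rpartition copes with IPv6 "::1:25"
        program = m.group(4).split()[0]               # "redis-server 12..." -> "redis-server"
        listeners.append((host, int(port), program))
    return listeners


def exposed_listeners(text: str, public_ports: set) -> List[Tuple[int, str]]:
    """Sockets bound to a wildcard or public address whose port is not meant to be public."""
    found = set()
    for host, port, program in parse_listeners(text):
        if is_loopback(host) or port in public_ports:
            continue
        found.add((port, program))
    return sorted(found)


def loopback_only_ports(text: str) -> List[int]:
    """Ports that are only ever bound to loopback: fine as they are."""
    by_port = {}
    for host, port, _ in parse_listeners(text):
        by_port.setdefault(port, []).append(is_loopback(host))
    return sorted(port for port, flags in by_port.items() if all(flags))


if __name__ == "__main__":
    print("loopback only:", loopback_only_ports(NETSTAT_OUTPUT))
    for port, program in exposed_listeners(NETSTAT_OUTPUT, {22, 80, 443}):
        print(f"review firewall rule for {port}/tcp ({program})")
```

Run against the slide's own listing with 22, 80 and 443 as the expected public ports, it flags monit, mysqld, the two apache2 ports behind pound, varnishd and the perl listener on 10000: exactly the set the slide colours red or grey, i.e. the ones that must be covered by an IP restriction or a proxy rule rather than left to luck.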
![Page 38: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/38.jpg)
SERVER: CONFIGURE YOUR FIREWALL
Allow if:
White listed
Allowed port
Not blocked
Rate ok
Otherwise: Reject / Drop
![Page 39: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/39.jpg)
NETWORK: ATTACKS & BLOCK LISTS
The IP 195.154.47.128 has just been banned by Fail2Ban after 3 attempts against ssh.
(Diagram; its labels: attacker 195.154.47.128 - CVE-2016-2118 (a.k.a. BADLOCK) - SSH Brute force - Initial Server - Firewall - IPSET - Any other Server - Any Port - Compromised Zombie - Exclude whitelist.)
Steps 1-5 in the diagram: Block / Drop; Log; Report to blocklist; Source/share lists of bad IPs; Block on first visit.
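The trawler excerpt on slide 31 and the Fail2Ban flow on this slide are two inputs to the same decision: a request for a path that only scanners ask for is blocked on first visit, an SSH source is blocked after three failures, whitelisted addresses are never blocked, and the result is loaded into an ipset that a firewall rule drops on any port. The following Python is an added example (not the deck's or its author's code) of that decision logic over constructed log lines; the addresses are documentation ranges, the whitelist range and the probe-path list are assumptions for the example, and the ipset commands are emitted as strings rather than executed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed log lines for this example (documentation-range addresses, not real hosts):
# an Apache combined access log and an sshd auth log.
ACCESS_LOG = """\
203.0.113.5 - - [15/Jun/2016:10:49:58 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jun/2016:10:50:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Jun/2016:10:50:03 +0000] "GET /backup.sql HTTP/1.1" 404 209 "-" "curl/7.47.0"
203.0.113.9 - - [15/Jun/2016:10:50:05 +0000] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 209 "-" "-"
198.51.100.7 - - [15/Jun/2016:10:50:09 +0000] "GET /wp-login.php?redirect_to=/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

AUTH_LOG = """\
Jun 15 10:51:00 web sshd[2211]: Failed password for invalid user admin from 203.0.113.77 port 41022 ssh2
Jun 15 10:51:02 web sshd[2211]: Failed password for invalid user nagios from 203.0.113.77 port 41023 ssh2
Jun 15 10:51:04 web sshd[2211]: Failed password for invalid user ubnt from 203.0.113.77 port 41024 ssh2
Jun 15 10:51:06 web sshd[2213]: Failed password for invalid user guest from 198.51.100.20 port 50100 ssh2
Jun 15 10:51:08 web sshd[2215]: Accepted publickey for deploy from 192.0.2.10 port 50101 ssh2
"""

# Paths that nothing on this site serves, taken from the trawler excerpt on slide 31:
# one request for any of them is enough to block (the "block on first visit" step).
PROBE_PATHS = {
    "/wp-config.php.bak", "/wp-login.php", "/backup.sql",
    "/phpMyAdmin/scripts/setup.php", "/jenkins/login",
}
SSH_THRESHOLD = 3                          # Fail2Ban's "after 3 attempts" from the slide
WHITELIST = [ip_network("192.0.2.0/24")]   # assumed office/static range, never blocked

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
SSH_FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")


def whitelisted(ip: str) -> bool:
    return any(ip_address(ip) in net for net in WHITELIST)


def normalise_path(raw: str) -> str:
    """Strip the query string and collapse repeated slashes so //phpMyAdmin matches."""
    return re.sub(r"/+", "/", raw.split("?", 1)[0])


def decide_blocks(access_log: str, auth_log: str) -> Dict[str, str]:
    """Map IP -> reason for every address the rules say to block."""
    verdicts: Dict[str, str] = {}
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, path = m.group(1), normalise_path(m.group(2))
        if path in PROBE_PATHS and not whitelisted(ip):
            verdicts.setdefault(ip, "probe:" + path)
    failures: Counter = Counter()
    for line in auth_log.splitlines():
        m = SSH_FAIL_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    for ip, count in failures.items():
        if count >= SSH_THRESHOLD and not whitelisted(ip):
            verdicts.setdefault(ip, f"ssh-bruteforce:{count}")
    return verdicts


def ipset_commands(verdicts: Dict[str, str], setname: str = "blocklist") -> List[str]:
    """Commands to load the verdicts into an ipset that a firewall rule drops on any port."""
    return [f"ipset add {setname} {ip} -exist" for ip in sorted(verdicts, key=ip_address)]


if __name__ == "__main__":
    verdicts = decide_blocks(ACCESS_LOG, AUTH_LOG)
    for ip, reason in verdicts.items():
        print(f"{ip:16} {reason}")
    print("\n".join(ipset_commands(verdicts)))
```

The whitelisted 192.0.2.10 requests /backup.sql and is still not blocked, and 198.51.100.20 with a single failed login stays under the threshold; the verdict list is what you would share with the other servers in the diagram so they block those addresses on first visit.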
![Page 40: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/40.jpg)
SERVER: INFORMATION LEAKAGE
$ curl -I http://www.yoursite.com
Before:
```http
HTTP/1.1 200 OK
Date: Wed, 15 Jun 2016 10:49:58 GMT
Server: Apache/2.4.10 (Debian PHP 5.6.22-0+deb8u1 OpenSSL 1.0.1t)
Last-Modified: Tue, 19 Apr 2016 17:02:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: en-gb
X-Powered-By: PHP/5.6.22-0+deb8u1
X-Generator: Drupal 7 (http://drupal.org)
```
After:
```http
HTTP/1.1 200 OK
Date: Wed, 15 Jun 2016 10:49:58 GMT
Server: Apache
Last-Modified: Tue, 19 Apr 2016 17:02:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: en-gb
```
php.ini:
```ini
;;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;;
expose_php = Off
```
Apache config:
```apache
# ServerTokens
ServerTokens Prod
ServerSignature Off
Header always unset 'X-Powered-By'
```
![Page 41: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/41.jpg)
ATTACK SURFACES
Server (Layer 3); Other servers (backup, monitoring, local); Application / Layer 7; In transit; The browser
![Page 42: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/42.jpg)
APPLICATION LEVEL ATTACKS
https://blog.sucuri.net/2016/05/sucuri-hacked-report-2016q1.html
![Page 43: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/43.jpg)
DRUPAL SECURITY
https://www.drupal.org/security-advisory-policy
![Page 44: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/44.jpg)
CONTROL YOUR APPLICATION ENVIRONMENT
Migrate all .htaccess to vhosts
Get a static IP
Limit what files can be read
Limit where PHP can be 'run'
Restrict file permissions (640 / 440)
Update your CMS
![Page 45: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/45.jpg)
DENY ACCESS TO SENSITIVE FILES
Disallow access to files by type:
```apache
# Protect files and directories from prying eyes.
# Note: the last alternative originally read "\.orig\.save", which only matches a file
# literally named *.php.orig.save; "\.orig|\.save" matches the backup suffixes intended.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
  Require all denied
</FilesMatch>
```
Disallow access to hidden directories (e.g. git):
```apache
<IfModule mod_rewrite.c>
  RewriteEngine On
  # Let .well-known/ through; forbid any other dot-file or dot-directory that exists on disk.
  RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
  RewriteCond %{SCRIPT_FILENAME} -d [OR]
  RewriteCond %{SCRIPT_FILENAME} -f
  RewriteRule "(^|/)\." - [F]
</IfModule>

<DirectoryMatch "^/.*/\.git/">
  Require all denied
</DirectoryMatch>
```
.well-known is used for standard files: favicon, DNT, letsencrypt etc. See:
https://tools.ietf.org/html/rfc5785
https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
https://www.drupal.org/node/2408321
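A deny-list regex of that length is easy to get subtly wrong (the slide's own `\.orig\.save` ending is one such slip), so it is worth testing against the file names you care about before trusting it. The following Python is an added example, not code from the deck or from Drupal: it applies the FilesMatch pattern above, with the `\.orig|\.save` correction, and the RewriteRule pair to sample names, using Python's `re` (the patterns use only constructs that PCRE and Python share). The file names are constructed for the example, and the rewrite check assumes the path exists on disk, which the real rule verifies with -d / -f.

```python
import re
from typing import Dict, List

# Pattern from the slide's Drupal-style <FilesMatch> rule, with one correction: the slide
# (and older Drupal .htaccess files) end in `\.orig\.save`, which only matches a file
# literally named *.php.orig.save; `\.orig|\.save` is what the rule intends.
SENSITIVE_FILE_RE = re.compile(
    r"\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)"
    r"(~|\.sw[op]|\.bak|\.orig|\.save)?$"
    r"|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$"
    r"|^#.*#$"
    r"|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$"
)

# The slide's uncorrected final alternative, kept only to show what it misses.
UNCORRECTED_PHP_BACKUP_RE = re.compile(r"\.php(~|\.sw[op]|\.bak|\.orig\.save)$")

# The mod_rewrite pair from the slide: anything under .well-known/ is let through,
# every other request whose path contains a dot-file or dot-directory gets 403.
WELL_KNOWN_RE = re.compile(r"(^|/)\.well-known/([^./]+./?)+$", re.IGNORECASE)
HIDDEN_SEGMENT_RE = re.compile(r"(^|/)\.")


def file_denied(basename: str) -> bool:
    """True if the <FilesMatch> rule would answer 403 for this file name.

    FilesMatch is applied to the file's basename with unanchored (search) semantics,
    which is why the pattern anchors with ^ and $ itself where it needs to."""
    return SENSITIVE_FILE_RE.search(basename) is not None


def hidden_path_denied(request_uri: str) -> bool:
    """True if the RewriteRule would forbid the request.

    Assumption for this example: the path exists on disk. The real rule also requires
    %{SCRIPT_FILENAME} to be a directory or file (-d / -f), which is not modelled here."""
    if WELL_KNOWN_RE.search(request_uri):
        return False
    return HIDDEN_SEGMENT_RE.search(request_uri) is not None


def audit_names(names: List[str]) -> Dict[str, bool]:
    """Map each candidate file name to whether the rule denies it."""
    return {name: file_denied(name) for name in names}


if __name__ == "__main__":
    # Constructed sample names: the ones a site must serve and the ones it must not.
    sample = ["index.php", "robots.txt", "logo.png", "settings.php", "settings.php.bak",
              "settings.php.orig", "backup.sql", "composer.json", ".htaccess", "#settings.php#"]
    for name, denied in audit_names(sample).items():
        print(f"{'DENY ' if denied else 'allow'} {name}")
    print("uncorrected rule blocks settings.php.orig:",
          UNCORRECTED_PHP_BACKUP_RE.search("settings.php.orig") is not None)
    for uri in ["/.git/config", "/.well-known/acme-challenge/token123", "/css/style.css"]:
        print(f"{'DENY ' if hidden_path_denied(uri) else 'allow'} {uri}")
```

Note that settings.php itself is not matched: the point of the rule is to deny raw copies and backups, while the live file is handled by the PHP engine (or, per slide 47, denied by a separate rule that leaves only index.php reachable).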
![Page 46: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/46.jpg)
LIMIT PHP EXECUTION
```apache
<Directory /var/www/yoursite/htdocs/sites/default/files>
  # Turn off all options we don't need.
  Options None
  Options +SymLinksIfOwnerMatch

  # Set the catch-all handler to prevent scripts from being executed.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
  <Files *>
    # Override the handler again if we're run later in the evaluation list.
    SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
  </Files>

  # If we know how to do it safely, disable the PHP engine entirely.
  <IfModule mod_php5.c>
    php_flag engine off
  </IfModule>
</Directory>
```
Protect folders: tmp, files and private folders and any others.
Note you will also need these in the folders as .htaccess, just to stop Drupal complaining.
![Page 47: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/47.jpg)
LIMIT PHP EXECUTION
No PHP files other than index.php; no text files other than robots.txt (and myrobots.txt).
```apache
# The slide's pattern used character classes ("[^index].php"), which match single
# characters, not the words; negative lookaheads express the intent correctly.
<FilesMatch "^(?!index\.php$).+\.php$|^(?!(robots|myrobots)\.txt$).+\.txt$">
  AuthName "Restricted"
  AuthUserFile /etc/apache2/.htpasswds/passwdfile
  AuthType basic
  Require valid-user
  # <- Your static IP
  Require ip 123.123.123.123
  Require ip 127.0.0.1
</FilesMatch>
```
![Page 48: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/48.jpg)
DO YOUR PHP FILES NEED TO BE IN THE DOCROOT?
https://www.drupal.org/node/2767907
![Page 49: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/49.jpg)
APPLICATION LEVEL ATTACKS
MOD EVASIVE: Requires Configuration; Slowloris; Know your traffic levels
MOD SECURITY: Requires Configuration; Know your application patterns; Cautious whitelisting
![Page 50: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/50.jpg)
APPLICATION LEVEL ATTACKS
(Diagram labelled "Immune system": mod_evasive, mod_security, Apache logs and syslog on three servers, a firewall and a shared blocklist.)
![Page 51: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/51.jpg)
HTTPS EVERYWHERE
http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html
http://www.httpvshttps.com
I don't take credit cards
It's slower?
What about http resources
Can't afford wildcard SSL and letsencrypt doesn't do wildcards
https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives
![Page 52: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/52.jpg)
SECURE IN TRANSIT
Setup HTTPS / TLS
Free certificates
Strong Ciphers
Upgrade insecure requests
Strict Transport Security (HSTS)
Pin public keys
Audit TLS
![Page 53: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/53.jpg)
TLS AUDIT
Not just for the A+
Consider other browsers / agents, e.g. Screaming Frog on OSX / Java
![Page 54: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/54.jpg)
CASE STUDY
Your page is everyone's canvas
```html
<style type="text/css">.gm-style .gm-style-cc span,.gm-style .gm-style-cc a,.gm-style .gm-style-mtc div{font-size:10px}</style>
<iframe> <script>
```
![Page 55: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/55.jpg)
BROWSER BASED ATTACKS
Cross-site scripting - XSS
Cross-site request forgery - CSRF
Click jacking - Frames
Check out: https://mathiasbynens.github.io/rel-noopener/
![Page 56: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/56.jpg)
SECURE HEADERS
X-Content-Type-Options: nosniff - Guards against "drive-by download attacks" by preventing IE & Chrome from MIME-sniffing a response away from the declared content-type.
X-Frame-Options: DENY - Provides Clickjacking protection
X-Xss-Protection: 1; mode=block - Configures the XSS audit facilities in IE & Chrome
X-Permitted-Cross-Domain-Policies: none - Adobe specific header that controls whether Flash & PDFs can access cross domain data - read the crossdomain.xml
![Page 57: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/57.jpg)
XSS - CROSS SITE SCRIPTING
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.
X-XSS-Protection: 0 (disable XSS filter/auditor)
X-XSS-Protection: 1 (remove unsafe parts; this is the default setting if no X-XSS-Protection header is present)
X-XSS-Protection: 1; mode=block (do not render the document if XSS is found)
http://blog.innerht.ml/the-misunderstood-x-xss-protection/
![Page 58: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/58.jpg)
SECURE HEADERS
Strict-Transport-Security: max-age=31536000; includeSubDomains - Informs the UA that all communications should be treated as HTTPS. Prevents MiTM & SSL-stripping attacks. (The slide's "env=HTTPS" is the Apache Header directive's condition, so the header is only sent on HTTPS responses; it is not part of the header value.)
Public-Key-Pins - By specifying the fingerprint of certain cryptographic identities, you can force the UA to only accept those identities going forwards.
Content-Security-Policy - Provides details about the sources of resources the browser can trust, e.g. images, scripts, CSS, frames (both ancestors & children).
See https://securityheaders.io
![Page 59: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/59.jpg)
CSRF - CROSS SITE REQUEST FORGERY
An attack that forces an end user to execute unwanted actions
Drupal protects you against this
![Page 60: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/60.jpg)
CONTENT SECURITY POLICY
Typical elements: Default Source, Script Source, Style Source, Image Source, Font Source, Child Source, Frame Ancestors
Others: Connect Source, Media Source, Object Source, Form Action, Upgrade Insecure Requests, Block All Mixed Content, Sandbox, Reflected XSS, Base URI, Manifest Source, Plugin Types, Referrer
How to test: Report Only, Report URI
Audit!
![Page 61: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/61.jpg)
CONTENT SECURITY POLICY
```http
Content-Security-Policy: default-src 'self'; img-src * data:; style-src 'self' 'unsafe-inline' *.googleapis.com f.fontdeck.com; font-src 'self' *.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com *.googleapis.com *.jquery.com *.google.com google.com *.newrelic.com *.nr-data.net connect.facebook.net; connect-src 'self'; frame-ancestors 'self' *.facebook.com; frame-src 'self' *.facebook.com; report-uri https://xyz.report-uri.io/r/default/csp/enforce
```
Reports: https://report-uri.io/account/reports/csp/
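"Audit!" on the previous slide applies to the policy itself, not only to the violation reports: a CSP that still carries 'unsafe-inline' and 'unsafe-eval' in script-src does not stop injected scripts. The following Python is an added example, not code from the deck or its author: it parses a Content-Security-Policy value into directives, applies the default-src fallback the way browsers do, and reports the weak spots in the slide's own policy (copied here as the input; the report-uri host is the slide's placeholder). Which checks count as findings is this example's choice, not a standard.

```python
from typing import Dict, List

# The policy shown on the slide, used here as constructed input (the report-uri host
# "xyz" is the slide's own placeholder).
SLIDE_POLICY = (
    "default-src 'self'; img-src * data:; "
    "style-src 'self' 'unsafe-inline' *.googleapis.com f.fontdeck.com; "
    "font-src 'self' *.gstatic.com; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com *.googleapis.com "
    "*.jquery.com *.google.com google.com *.newrelic.com *.nr-data.net connect.facebook.net; "
    "connect-src 'self'; frame-ancestors 'self' *.facebook.com; frame-src 'self' *.facebook.com; "
    "report-uri https://xyz.report-uri.io/r/default/csp/enforce"
)

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "font-src", "connect-src",
                    "frame-src", "child-src", "object-src", "media-src")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source, ...]}.

    Directives are separated by ';' and sources by whitespace; directive names are
    case-insensitive, and a repeated directive is ignored (browsers keep the first)."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources that apply to a directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", []) if directive in FETCH_DIRECTIVES else []


def audit_csp(header: str) -> List[str]:
    """Human-readable findings for the weaknesses a first review looks for."""
    policy = parse_csp(header)
    findings: List[str] = []
    script = effective_sources(policy, "script-src")
    # 'unsafe-inline' is ignored by CSP2+ browsers once a nonce or hash is present.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts still run")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    for directive in FETCH_DIRECTIVES:
        if "*" in effective_sources(policy, directive):
            findings.append(f"{directive} allows any host (*)")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: clickjacking protection depends on X-Frame-Options alone")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to: violations will not be reported")
    if "upgrade-insecure-requests" not in policy:
        findings.append("no upgrade-insecure-requests: http:// subresources stay mixed content")
    return findings


if __name__ == "__main__":
    for finding in audit_csp(SLIDE_POLICY):
        print("-", finding)
```

Against the slide's policy it reports the 'unsafe-inline' and 'unsafe-eval' allowances, the wildcard image source and the missing upgrade-insecure-requests; frame-ancestors and report-uri are present. Run the same audit in Report-Only mode first (slide 60), then tighten one directive at a time while watching the reports.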
![Page 62: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/62.jpg)
CONTENT SECURITY POLICY
Policy contraventions are reported by the browser:
https://report-uri.io/account/reports/csp/
![Page 63: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/63.jpg)
SECURITY HEADERS
@Scott_Helme
```http
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Cache-Control: max-age=2592000
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; img-src 'self' data: *.gravatar.com *.google.com *.googleapis.com www.google-analytics.com syndication.twitter.com *.gstatic.com; style-src 'self' 'unsafe-inline' *.googleapis.com; font-src 'self' *.googleapis.com *.gstatic.com; script-src 'self' 'unsafe-inline' www.google-analytics.com s7.addthis.com platform.twitter.com *.googleapis.com *.gstatic.com *.google.com google.com ; connect-src 'self';frame-src 'self' platform.twitter.com syndication.twitter.com;
X-Permitted-Cross-Domain-Policies: none
Content-Language: en-gb
Age: 95666
X-Cache: HIT
X-Cache-Hits: 40
Server: cloudflare-nginx
```
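The "before" response on slide 40 and the header set on this slide are the two ends of the same check: strip what leaks (Server versions, X-Powered-By, and the X-Generator header Drupal itself emits, which "Header always unset" must cover separately) and add what protects (slides 56 and 58). The following Python is an added example, not code from the deck or its author, that runs both checks over raw responses; the "before" sample is the slide 40 response, the hardened sample is constructed from the headers the deck recommends with a minimal placeholder CSP, and the one-year HSTS threshold is the deck's own max-age value.

```python
import re
from typing import Dict, List

# Raw responses constructed for this example. BEFORE reproduces the leaky response from
# the "information leakage" slide; HARDENED is what a response carrying the deck's
# recommended headers looks like (its CSP is a minimal placeholder, not a real policy).
BEFORE = """\
HTTP/1.1 200 OK
Date: Wed, 15 Jun 2016 10:49:58 GMT
Server: Apache/2.4.10 (Debian PHP 5.6.22-0+deb8u1 OpenSSL 1.0.1t)
Last-Modified: Tue, 19 Apr 2016 17:02:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: en-gb
X-Powered-By: PHP/5.6.22-0+deb8u1
X-Generator: Drupal 7 (http://drupal.org)
"""

HARDENED = """\
HTTP/1.1 200 OK
Date: Wed, 15 Jun 2016 10:49:58 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
"""

ONE_YEAR = 31536000  # the HSTS max-age the deck uses


def parse_headers(raw: str) -> Dict[str, str]:
    """Header names lower-cased -> value; the status line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def leakage_findings(headers: Dict[str, str]) -> List[str]:
    """Headers that advertise software and versions (slide 40)."""
    findings: List[str] = []
    server = headers.get("server", "")
    if "/" in server or "(" in server:
        findings.append(f"Server reveals versions: {server}")
    for name in ("x-powered-by", "x-generator"):
        if name in headers:
            findings.append(f"{name} reveals the stack: {headers[name]}")
    return findings


def hardening_findings(headers: Dict[str, str]) -> List[str]:
    """Missing or weak protective headers (slides 56, 58 and 63)."""
    findings: List[str] = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(f"HSTS max-age below one year: {hsts}")
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "content-security-policy" not in headers:
        findings.append("no Content-Security-Policy")
    # Legacy IE/Chrome auditor; current browsers ignore it, but the deck still lists it.
    if headers.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")
    return findings


def report(raw: str) -> Dict[str, List[str]]:
    """Both checks over one raw response, as a monitoring job would record them."""
    headers = parse_headers(raw)
    return {"leakage": leakage_findings(headers), "hardening": hardening_findings(headers)}


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("hardened", HARDENED)):
        print(label, report(raw))
```

The raw text is exactly what "curl -I" prints, so the same functions run over your own responses; keep the hardened sample's header set as the target and treat any finding on a production response as a regression.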
![Page 64: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/64.jpg)
CONTENT SECURITY POLICY
Mozilla CSP Policy directives: https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives
CSP Builder: https://report-uri.io/home/generate
Drupal Modules: https://www.drupal.org/project/seckit
![Page 65: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/65.jpg)
SECURITY THREATS & MEASURES

| Threat | Measure |
|---|---|
| Bruteforcing | Firewall |
| Phishing | Keys/2FA |
| XSS | Headers |
| Click Jacking | CSP |
| CSRF | Tokens |
| SSL Stripping | HSTS |
![Page 66: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/66.jpg)
FINAL THOUGHTS
• Bake your principles into practices - Ansible - immutable infrastructure
• Follow some Opsec people: @Scott_Helme, @troyhunt, @ivanristic, @briankrebs
• Does your site have to be dynamic?
• Letsencrypt - https.
• Security is a department - not a one off
• Learn your attack surface, test on Tor
• VPN, Password apps, 2Factor Authentication
• Work together (bad ips, honeypot, block list) - don't hit back
![Page 67: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/67.jpg)
DON'T HIT BACK
![Page 68: End to end web security](https://reader036.fdocuments.in/reader036/viewer/2022062900/58ea26951a28abf9018b5adb/html5/thumbnails/68.jpg)
QUESTIONS