Full Web Stack Security

Staying out of harm's way

Presentation made by António Almeida and Ricardo Amaro during DrupalCamp Lisboa 2011.

Transcript of Full Web Stack Security

Page 1: Full Web Stack Security

Staying out of harm's way

Page 2: Full Web Stack Security

Full Web Stack Security

Page 3: Full Web Stack Security

Drupal is just one piece of the software stack: vulnerabilities can exist at the server and network levels as well.

GVS (Drupal Security Review)

Page 4: Full Web Stack Security

Prelude

Page 5: Full Web Stack Security

OWASP TOP 10

the 10 most worrisome web app attack vectors

(owasp.org)

Page 6: Full Web Stack Security

I. on the app

A1. Injection

A2. Cross-Site Scripting (XSS)

A3. Broken Authentication and Session Management

A4. Insecure Direct Object References

A5. Cross-Site Request Forgery (CSRF)

Page 7: Full Web Stack Security

II. also off the app

A6. Security Misconfiguration

A7. Insecure Cryptographic Storage

A8. Failure to Restrict URL Access

A9. Insufficient Transport Layer Protection

A10. Unvalidated Redirects and Forwards

Page 8: Full Web Stack Security

defensive vectors

drupal security team

Page 9: Full Web Stack Security

writing secure code: SQL. http://drupal.org/writing-secure-code

drupal filters on output. http://drupal.org/node/263002

cross site scripting: using check_plain/markup. http://drupal.org/node/101495

handling user input: placeholders for t(), user input in forms. http://drupal.org/node/28984

check_plain() at api.drupal.org. http://api.drupal.org/api/function/check_plain

Page 10: Full Web Stack Security

check_markup() at api.drupal.org. http://api.drupal.org/api/function/check_markup

Cross Site Request Forgery - handle forms securely. http://drupal.org/node/178896

Safely impersonating another user. http://drupal.org/node/218104

Using eval() in Drupal. http://drupal.org/node/715010

db_rewrite_sql() - when to use and why. http://drupal.org/node/93737

Page 11: Full Web Stack Security

how to deal... 

with an attack

Page 12: Full Web Stack Security

and

Page 13: Full Web Stack Security

...mitigate its impact at

infrastructure level?

Page 14: Full Web Stack Security

well... not really

Page 15: Full Web Stack Security

it's a dirty fight

Page 16: Full Web Stack Security

Darkmood

Page 17: Full Web Stack Security

but there's hope...

Page 18: Full Web Stack Security

Sonata

Page 19: Full Web Stack Security

it's the server, stupid

Page 20: Full Web Stack Security

permitted HTTP methods

GET POST HEAD

Page 21: Full Web Stack Security

tricky methods

Page 22: Full Web Stack Security

WebDAV

PUT DELETE

Page 23: Full Web Stack Security

lethal methods

Page 24: Full Web Stack Security

OPTIONS

CONNECT

TRACE

Page 25: Full Web Stack Security

allowed hosts

Page 26: Full Web Stack Security

don't allow a forged Host header

Page 27: Full Web Stack Security

information disclosure

Page 28: Full Web Stack Security

hide everything

Page 29: Full Web Stack Security

but who cares?

Page 30: Full Web Stack Security
Page 31: Full Web Stack Security

the blind elephant is

watching you

Page 32: Full Web Stack Security

defcon'10

http://blindelephant.sf.net
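As an added example that is not part of the slides, one nginx configuration that applies the three server-side points made above (permitted methods, a forged Host header, information disclosure); example.com, the document root and the php-fpm socket path are placeholders:

```nginx
# Added example (not from the deck). Drop the version from the Server
# header and from nginx's own error pages.
server_tokens off;

# Catch-all vhost: a request whose Host header matches no server_name
# lands here and the connection is closed without a response (444 is
# nginx's "close the connection" pseudo-status), so a forged Host never
# reaches the Drupal vhost below.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name example.com www.example.com;   # placeholder names
    root /var/www/drupal;                      # placeholder path

    # Only the three methods Drupal needs. PUT/DELETE (WebDAV),
    # OPTIONS, CONNECT and TRACE are answered with 405 Method Not Allowed.
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }

    # Do not advertise PHP either: strip the header php-fpm adds.
    fastcgi_hide_header X-Powered-By;

    location / {
        try_files $uri /index.php?q=$uri&$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-fpm.sock;   # placeholder socket
    }
}
```

server_tokens off only removes the version string; as the BlindElephant slides point out, the application can still be fingerprinted from the checksums of its static files, so hiding banners is no substitute for patching.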

Page 33: Full Web Stack Security

and now for something completely different

Page 34: Full Web Stack Security
Page 35: Full Web Stack Security

 

a shell script that wraps an AWK script and does some cleanup of your PHP configuration

php.ini

Page 36: Full Web Stack Security

this will be a drush command in the near future.

https://github.com/perusio/php-ini-cleanup

Page 37: Full Web Stack Security

Black Ops

laying low

Page 38: Full Web Stack Security

hunting like a black panther in the night

Page 39: Full Web Stack Security

Aria

Page 40: Full Web Stack Security

DDoS & DoS prevention

Page 41: Full Web Stack Security

Limit the number of connections

Limit the size and number of uploads & downloads

Page 42: Full Web Stack Security

limit the number of connections

with limit zones

Page 43: Full Web Stack Security

in nginx

limit_zone uno $binary_remote_addr 1m;

location /uploads {
    limit_conn uno 1; # one connection
}

Page 44: Full Web Stack Security

D6 filefield

POST filefield/ahah (uploads)

location ~* filefield/ahah {
    limit_conn uno 1; # one connection
}

only one connection per IP is allowed

Page 45: Full Web Stack Security

D7 filefield in core

POST file/ajax (uploads)

location ~* file/ajax {
    limit_conn uno 2; # two connections
}

only two connections per IP are allowed

Page 46: Full Web Stack Security

limit the number of requests per session or address

nginx HttpLimitReq module

Page 47: Full Web Stack Security

limit_req_zone $binary_remote_addr zone=eins:10m rate=1r/s;

location /downloads/ {
    limit_req zone=eins burst=5;
}

usually 1 req/s with a burst of 5

Page 48: Full Web Stack Security

otherwise you get a

503 Service Unavailable
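The connection and request limits from the preceding slides in current nginx syntax (limit_zone was replaced by limit_conn_zone in nginx 1.1.8 and removed in 1.7.6, and limit_req_zone takes rate=, not a bare rate), as an added example that is not from the deck; example.com is a placeholder and the rest of the Drupal routing is left out:

```nginx
# Added example (not from the deck): the deck's limits, current syntax.
http {
    # One 1 MB zone for connection counting and one 10 MB zone for
    # request rates, both keyed on the client address.
    limit_conn_zone $binary_remote_addr zone=uno:1m;
    limit_req_zone  $binary_remote_addr zone=eins:10m rate=1r/s;

    # Log every rejected or delayed request at warn level so the
    # events stand out in the error log when a flood is under way.
    limit_conn_log_level warn;
    limit_req_log_level  warn;

    # Also cap the size of uploads at the edge, before PHP sees them
    # (align with the upload_max_filesize you allow in php.ini).
    client_max_body_size 8m;

    server {
        listen 80;
        server_name example.com;   # placeholder

        # Drupal 7 upload endpoint: two concurrent connections per IP.
        location ~* file/ajax {
            limit_conn uno 2;
        }

        # Downloads: 1 request/s per IP, up to 5 excess requests are
        # queued and delayed to that rate; the next one gets 503.
        location /downloads/ {
            limit_req zone=eins burst=5;
        }
    }
}
```

Without nodelay the burst is a queue, not a free allowance: queued requests are served at 1 r/s, and only the request that would overflow the queue of five is answered immediately with 503 Service Unavailable.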

Page 49: Full Web Stack Security

The match

place your bets

Page 50: Full Web Stack Security

the rules of the Marquess of Queensberry apply to this match

Page 51: Full Web Stack Security

Chaconne

Page 52: Full Web Stack Security

slowloris + DDoS

simulation live

Page 53: Full Web Stack Security
Page 54: Full Web Stack Security

Minuetto

Page 55: Full Web Stack Security

There's so much stuff we had to leave out

Page 56: Full Web Stack Security

these for example

• SSH for deployment and maintenance

• SFTP for transfers, running services

• FTP, smb shares, open ports

• telnet, remote desktop, VNC

Page 57: Full Web Stack Security

to be continued...

somewhere over the rainbow

Page 58: Full Web Stack Security

perusio

http://drupal.org/user/8859

ricardoamaro http://drupal.org/user/666176

both founders of the Associação Drupal Portugal

Page 59: Full Web Stack Security

become a member

http://drupal-pt.org/node/145

Associação Drupal Portugal