© Ibuildings 2014/2015 - All rights reserved
#DrupalDaysEU
Verifying Drupal modules with OWASP ASVS 2014
During this workshop we'll be going more in-depth into how to audit a Drupal site. We'll be using OWASP ASVS 2014 and a Drupal 7 site which you will have to prove to be vulnerable.
Intro
During this interactive workshop we'll be discussing and demonstrating basic and advanced examples of the following vulnerabilities:
• Injection of various kinds (JavaScript, HTML, SQL, XML, etc.)
• Missing Authentication or Authorization
• Cross Site Request Forgery (CSRF)
• Denial of Service
• Abuse of functionality
• Information Leakage
• and more.
A laptop with VirtualBox installed is advised.
Intro
• 09:30 - 10:00 Setup & Theory
• 10:00 - 11:00 Auditing
• 11:00 - 11:30 Fixing
• 11:30 - 12:30 Break
• 12:30 - 13:00 Fixing
• 13:00 - 13:30 Presenting
Schedule
• VirtualBox
• Vagrant
• https://github.com/ibuildingsnl/insecured7
InsecureD7
• /Volumes/IBUILDINGS/edd15-verify-workshop/vm/insecured7.ova
• Shared folder
• /etc/fstab
• Host-only network
• Symlink: ln -sf src docroot/profiles/insecured7
Getting the VM up and running
Requirement-by-level matrix (an X marks a requirement that is verified at that level; ASVS levels are cumulative, so a level 1 requirement is also verified at levels 2 and 3):

                level 1   level 2   level 3
chapter 1  1.1               X         X
           1.2                         X
           1.3     X         X         X
chapter 2  2.1               X         X
           2.2     X         X         X
           2.3     X         X         X
• Level 0 - Bullshit compliance level (0)
• Level 1 - Opportunistic (47)
• Level 2 - Standard (136)
• Level 3 - Advanced (164)
Level up!
• V1. Authentication
• V2. Session Management
• V3. Access Control
• V4. Input Validation
• V5. Cryptography (at Rest)
• V6. Error Handling and Logging
• V7. Data Protection
• V8. Communication Security
• V9. HTTP Security
• V10. Malicious Controls
• V11. Business Logic
• V12. Files and Resources
• V13. Mobile
ASVS Chapters
V1.4. Verify that credentials and all other identity information handled by the application does not traverse unencrypted or weakly encrypted links.
(levels 1, 2 and 3)
An example
• Content-Security-Policy
• X-Frame-Options
• X-Content-Type-Options
• HTTP Strict Transport Security (HSTS)
Security Kit
http://ibuildings.nl/blog/2013/03/4-http-security-headers-you-should-always-be-using
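The V1.4 requirement above and the four Security Kit headers can both be enforced from a single Drupal 7 module. The following is an added example written for this page, not code from the workshop VM or from the Security Kit (seckit) module, which configures the same headers through its admin UI; the module name edd15_hardening is a made-up name. It forces every request onto HTTPS before any login form is rendered, then sets the headers on the secure response.

```php
<?php
// edd15_hardening.module (hypothetical module name, not part of InsecureD7).
// Needs a matching edd15_hardening.info:
//   name = EDD15 hardening
//   core = 7.x
// Pair it with these lines in settings.php so the session cookie never leaves
// the browser over plain HTTP:
//   ini_set('session.cookie_secure', 1);
//   ini_set('session.cookie_httponly', 1);

/**
 * Implements hook_init(): runs early on every non-cached page request.
 */
function edd15_hardening_init() {
  global $is_https;

  // Drush and other CLI runs have no HTTP response to redirect or decorate.
  if (drupal_is_cli()) {
    return;
  }

  // V1.4: credentials and session identifiers must never traverse an
  // unencrypted link. Redirect the whole request to HTTPS before any form is
  // built, so the login form is never served from a plaintext page.
  // HTTP_HOST is safe to echo here: Drupal 7 validates it during bootstrap
  // (drupal_valid_http_host) and dies on a malformed value.
  if (!$is_https) {
    $target = 'https://' . $_SERVER['HTTP_HOST'] . request_uri();
    // Plain header() like drupal_goto() uses internally; drupal_goto() itself
    // would honour ?destination= and could redirect us back to HTTP.
    header('Location: ' . $target, TRUE, 301);
    drupal_exit();
  }

  // From here on we know the response goes out over HTTPS, which is the only
  // place HSTS is meaningful (browsers ignore it on HTTP responses anyway).
  drupal_add_http_header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');

  // Clickjacking: only our own origin may frame the site.
  drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN');

  // Stop browsers MIME-sniffing uploads (an "image" that is really HTML).
  drupal_add_http_header('X-Content-Type-Options', 'nosniff');

  // Drupal 7 emits Drupal.settings as an inline <script> and some inline CSS,
  // so a policy without 'unsafe-inline' breaks the site. Start here, verify in
  // the browser console, and tighten script-src once inline code is gone.
  drupal_add_http_header('Content-Security-Policy',
    "default-src 'self'; script-src 'self' 'unsafe-inline'; "
    . "style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'");
}
```

Enable the module, then verify the result the way you would during the audit: request the login page over http:// and confirm a 301 to the https:// URL with no form body, and inspect the response headers of the https:// page for all four headers. Note that hook_init() does not run for pages served from the page cache, so anonymous cached pages still need the HTTPS redirect and the headers set at the web server level as well.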
Adds the 'modules-usages-status' (mus) Drush command.
Generates a CSV listing of all modules with their versions and associated usage counts.
This can be used as input for scoping a security audit: modules with few users get less community scrutiny and deserve a closer look.
Drupal Security Tool Usage
<?php
// $requirements holds the ASVS 2014 requirements in scope, populated elsewhere.
global $requirements;
$report = '';
do {
  // Take the first requirement, audit it, and queue it again at the end.
  // (array_shift + append rotates the list; array_pop + append would
  // re-audit the same last requirement forever.)
  $requirement = array_shift($requirements);
  // do_audit_with() is whatever you do during the auditing hour.
  $audit_results = do_audit_with($requirement);
  $report .= $audit_results;
  $requirements[] = $requirement;
} while (time() < strtotime('2015-03-19 12:30:00 CET'));
auditing.php
5 lucky participants will give a 5-minute presentation on their results from the audit and fixing.
Presenting