drupalcamp london 2017 - web site insecurity
TRANSCRIPT
WEB SITE INSECURITY
How your CMS site will get hacked and how to prevent it
WEB SECURITY
➤ Common threats to web security with real world case studies of compromised sites,
➤ A 'dissection' of a typical common exploit tool and how it operates,
➤ Simple approaches to mitigating common threats/vulnerabilities,
➤ Defence in depth – an overview of the various components of web security,
➤ Drupal specific measures that standard penetration testing often does not account for.
➤ An overview of how to benefit from:
➤ Security monitoring and log analysis
➤ Intrusion Detection Systems & Firewalls
➤ Security headers and Content Security Policies (CSP).
GEORGE BOOBYER
Drupal: iAugur
twitter: @iBluebag
WWW.BLUE-BAG.COM
Established in 2000
WHY IS THE WEB INSECURE?
➤ Security is perceived to be complex or someone else's domain,
➤ The web is a playground of the well-meaning/naïve and the ill-disposed or malevolent,
➤ It is also a place of automated exploitation,
➤ Web software / infrastructure is often insecure by default,
➤ Often our goals (budgets) end at site launch,
➤ We don’t often look after sites once live - we check the visible content and cross our fingers it is safe.
➤ Security is not hard and any effort will be rewarded
INVEST IN SECURITY
➤ What is at risk?
➤ Loss of business
➤ Reputation (you / your client)
➤ Sensitive data
➤ Personal data - enumeration
➤ SEO ranking
➤ Blacklisting
➤ Ransom
➤ Model your costs:
➤ Spend 37% of your expected losses on security - diminishing returns (Gordon–Loeb model)
➤ Automate - Ansible - Immutable Infrastructure
HACKERS - WHO ARE THEY?
➤ Defacers
➤ SEO Spam - content injection
➤ Data Breaches
➤ Hacktivists
➤ Recruiters (Botnet orchestration)
➤ Ransomware botnets
➤ Layer 7 Attacks - DDOS
➤ Unintentional - Application level vulnerabilities
DEFACERS
CONTENT INJECTION
<script> location.href='http://www.fashionheel-us.com/';</script>
Body overwritten with redirect
CONTENT INJECTION - USER AGENT SPECIFIC
User-Agent:Googlebot/2.1 (+http://www.googlebot.com/bot.html)
DATA BREACHES
@TROYHUNT
HACKTIVISTS
Hacking team vs Phineas
Albanian hitman
http://pastebin.com/raw/0SNSvyjJ
BOTNET RECRUITS
"Investigation of the attack uncovered 49,657 unique IPs which hosted Mirai-infected devices. As previously reported, these were mostly CCTV cameras—a popular choice of DDoS botnet herders. Other victimized devices included DVRs and routers." https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
BOTNET RECRUITS
[FREE] World's Largest Net:Mirai Botnet, Client, Echo Loader, CNC source code release - Anna-senpai - 09-30-2016 11:50 AM
Preface Greetz everybody,
When I first go in DDoS industry, I wasn't planning on staying in it long. I made my money, there's lots of eyes looking at IOT now, so it's time to GTFO. However, I know every skid and their mama, it's their wet dream to have something besides qbot.
So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.
So, I am your senpai, and I will treat you real nice, my hf-chan.
And to everyone that thought they were doing anything by hitting my CNC, I had good laughs, this bot uses domain for CNC. It takes 60 seconds for all bots to reconnect, lol
Also, shoutout to this blog post by malwaremustdie http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html https://web.archive.org/web/20160930230210/http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html <- backup in case low quality reverse engineer unixfreaxjp decides to edit his posts lol Had a lot of respect for you, thought you were good reverser, but you really just completely and totally failed in reversing this binary. "We still have better kung fu than you kiddos" don't make me laugh please, you made so many mistakes and even confused some different binaries with my. LOL
Let me give you some slaps back - 1) port 48101 is not for back connect, it is for control to prevent multiple instances of bot running together 2) /dev/watchdog and /dev/misc are not for "making the delay", it for preventing system from hanging. This one is low-hanging fruit, so sad that you are extremely dumb 3) You failed and thought FAKE_CNC_ADDR and FAKE_CNC_PORT was real CNC, lol "And doing the backdoor to connect via HTTP on 65.222.202.53". you got tripped up by signal flow ;) try harder skiddo 4) Your skeleton tool sucks ass, it thought the attack decoder was "sinden style", but it does not even use a text-based protocol? CNC and bot communicate over binary protocol 5) you say 'chroot("/") so predictable like torlus' but you don't understand, some others kill based on cwd. It shows how out-of-the-loop you are with real malware. Go back to skidland
http://pastebin.com/raw/mevDFPg6
EXPLOITING THE EXPLOITABLE
OPEN ACCESS
It's a hydroelectric control system!
VAST RESOURCE OF VULNERABLE DEVICES
https://press.avast.com/avast-exposes-internet-of-things-attack-risk-in-barcelona-home-of-mobile-world-congress-2017
HACKERS: THEY HAVE IT EASY
➤ Insecure Servers & open ports
➤ Default settings and passwords
➤ Open configuration files
➤ Browsable folders
➤ Out of date CMS (insecure plugins)
➤ SQL Injection
➤ Phishing / Social Engineering
➤ Leverage other breaches / password reuse
➤ Search Engines / Exploit databases & resources
➤ Botnets / Proxies
OUT OF DATE SOFTWARE
➤ Out of date CMS core
➤ Vulnerable plugins / modules
https://www.drupal.org/security-advisory-policy
MISCONFIGURATIONS: SAVED COPIES OF SENSITIVE FILES
navigable / readable config files
MISCONFIGURATIONS: VISIBLE SENSITIVE FILES
ANYTHING BUT COSMETIC: TAKING CONTROL
UPLOAD A SHELL
function drupal_bootstrap($phase = NULL, $new_phase = TRUE) {
  …
    case DRUPAL_BOOTSTRAP_SESSION:
      require_once DRUPAL_ROOT . '/' . variable_get('session_inc', 'includes/session.inc');
      drupal_session_initialize();
      break;
In the session_inc variable include a malicious file from the /tmp/ folder:
https://blog.sucuri.net/2016/05/finding-conditional-drupal-database-spam.html
HACKERS: HOW THEY FEED - LOW HANGING FRUIT
➤ Internet of things: shodan.io
➤ Google Dorks
inurl:CHANGELOG.txt intext:drupal intext:"SA-CORE" -intext:7.32 -site:github.com -site:drupal.org
➤ Exploit-db
➤ Show off: zone-h
➤ Trawlers / chancers
THE GREPS OF WRATH
A story of one failed exploit
ROUTINE LOG/EVENT ANALYSIS
➤ Ideally ship and aggregate logs
➤ Routine analysis of logs for 40x and 5xx
➤ Review requests by status code
➤ Routine analysis of big hitters
➤ Routine analysis of hits by status code
# get a list of 404s by ip and target
grep "HTTP/1.1\" 404" access.log | awk '{print $1 " " $8 } ' | sort | uniq -c | sort -n
# get the pages that cause 500
grep "HTTP/1.1\" 500" access.log | awk '{print $8 } ' | sort | uniq -c | sort -n
# list CMS hackers
grep -E -i -w 'wp-(admin|content|includes|login)' access.log.1 | awk '{print $1 " " $8}' | sort | uniq -c | sort -nr
INVESTIGATE A SPECIFIC EVENT
➤ Get the big hitters from the past hour or so
➤ Get the requests for specific IPs
# Get big hitters along with their agent string
zcat pound.log.1.gz | awk -v OFS='\t' '{print $7, substr($0, index($0,$18))}' | sort | uniq -c | sort -nk1
# top 50 hitters with counts (ignore static assets)
tail -100000 access.log|egrep -i -v "jpg|png|js|css" | awk '{print $2}'|sort | uniq -c | sort -nk1 | tail -50
# hits per hour
awk -F: '{print $2}' access_log | sort | uniq -c
# hits per hour by an ip
grep -w {ipaddress} logfile | awk -F: '{print $2}' | sort | uniq -c
# hits for a period
awk '$5>"[20/Sep/2015:16:00:" && $5<"[20/Sep/2015:18:23:"' access.log | less
# hit count by ip for a period
awk '$5>"[20/Sep/2015:16:00:" && $5<"[20/Sep/2015:18:23:"' access.log | awk '{print $2}'|sort | uniq -c | sort -nk1
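The grep/awk one-liners above answer a handful of routine questions. As an added example (not from the slides), here are the same questions in Python over a constructed combined-format access log, so the field positions are parsed rather than counted (the slides' $8 and $2 columns come from the pound log format). IPs, paths and timestamps are made up.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the Apache/nginx "combined" log format (addresses from
# documentation ranges; not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Sep/2015:16:05:12 +0000] "GET /wp-login.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Sep/2015:16:05:13 +0000] "GET /wp-config.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Sep/2015:16:05:14 +0000] "GET /N0WaY/N0WaY1bb2/N0WaY123.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Sep/2015:16:30:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Sep/2015:16:30:02 +0000] "GET /sites/default/files/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Sep/2015:16:30:05 +0000] "GET /node/3 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Sep/2015:17:10:00 +0000] "GET /wp-admin/ HTTP/1.1" 404 217 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Sep/2015:18:45:00 +0000] "GET /user HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Sep/2015:18:45:01 +0000] "GET /CHANGELOG.txt HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Same signature as the slide's grep -E -i -w 'wp-(admin|content|includes|login)'
CMS_PROBE_RE = re.compile(r'\bwp-(admin|content|includes|login)\b', re.IGNORECASE)
STATIC_RE = re.compile(r'\.(jpg|png|js|css)$', re.IGNORECASE)


def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped, not guessed at."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["time"] = datetime.strptime(e["ts"], TS_FMT)
        entries.append(e)
    return entries


def status_counts(entries):
    """Requests by status code: the first thing to eyeball in a routine review."""
    return Counter(e["status"] for e in entries)


def by_ip_and_target(entries, status):
    """grep '" 404' | awk '{print $1 " " $8}' | sort | uniq -c, as a Counter."""
    return Counter((e["ip"], e["path"]) for e in entries if e["status"] == status)


def pages_by_status(entries, status):
    """Which pages produced a given status (e.g. the 500s)."""
    return Counter(e["path"] for e in entries if e["status"] == status)


def cms_probes(entries):
    """Requests that look like CMS probing, by source IP and target."""
    return Counter((e["ip"], e["path"]) for e in entries if CMS_PROBE_RE.search(e["path"]))


def hits_per_hour(entries, ip=None):
    """awk -F: '{print $2}' | sort | uniq -c, optionally for one IP."""
    return Counter(e["time"].strftime("%H") for e in entries if ip is None or e["ip"] == ip)


def hits_in_period(entries, start, end):
    """Entries with start <= time < end; bounds use the log's own timestamp format."""
    t0, t1 = datetime.strptime(start, TS_FMT), datetime.strptime(end, TS_FMT)
    return [e for e in entries if t0 <= e["time"] < t1]


def top_hitters(entries, n=50):
    """Busiest IPs with static assets ignored, as in the slide's egrep -v filter."""
    return Counter(e["ip"] for e in entries if not STATIC_RE.search(e["path"])).most_common(n)


if __name__ == "__main__":
    log = parse(SAMPLE_LOG)
    print("by status:", dict(status_counts(log)))
    print("404s by ip/target:", by_ip_and_target(log, 404).most_common())
    print("CMS probes:", cms_probes(log).most_common())
    print("hits per hour:", dict(hits_per_hour(log)))
    window = hits_in_period(log, "20/Sep/2015:16:00:00 +0000", "20/Sep/2015:18:23:00 +0000")
    print("hits by ip in window:", dict(Counter(e["ip"] for e in window)))
    print("top hitters:", top_hitters(log, 3))
```

Feed it a real log with `parse(open("access.log").read())`; lines that do not match the combined format are dropped rather than mis-counted, which is the usual failure mode of positional awk on a mixed log.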
CMS EXPLOIT - SMELLING A RAT
➤ Routine analysis shows a pattern
/vmskdl44rededd
/N0Wccvvd333.php
/N0Wccvvd333.php
/N0WaY/N0WaY1bb2/N0WaY123.php
/N0WaY/N0WaY1bb2/N0WaY123.php
/wp-login.php
/wp-config.php
/configuration.php
/administrator
/user
/CHANGELOG.txt
/?q=admin/views/ajax/autocomplete/user/N0t3xstgg12394
RESEARCH AND PROTECTION
➤ In the case of a specific exploit - do some research
➤ In our example we have an exploit:
➤ That is coming from multiple ips
➤ Appears to follows a typical pattern
➤ Characteristics are the same on unrelated servers
Look for a non-existent file: N0WaY/N0WaY1bb2/N0WaY123.php and see how the site reacts...
Determine CMS
CMS-specific exploit attempts:
wp-login, wp-admin
joomla.xml
CHANGELOG.txt
Version check from the tool's DruCore() (Python):
    def DruCore(self):
        if LooseVersion("7") <= LooseVersion(str(self.DruVersion)) <= LooseVersion("7.31"):
            msg = "Drupal Vulnerable to SA-CORE-2014-005"; report.high(msg)
SEARCH FOR KEY CHARACTERISTICS
➤ Github
➤ Exploit Databases
➤ Penetration test tools
CMSMap
CAUGHT RAT: CMS MAP
➤ Tests for CMS
➤ Tests for CMS version
➤ Multiple exploits
➤ Updates from Exploit DB
➤ Upload shell
➤ Call back to host
➤ Protect vulnerabilities
➤ Update regularly
➤ Block signature
➤ Ban known baddies
2.92.230.173 5.165.47.132 37.15.2.6 46.119.108.124 46.219.247.129 62.183.85.176 77.52.98.181 77.122.3.232 79.172.7.23 82.149.151.12
91.202.27.239 95.139.232.62 95.28.120.251 95.70.43.209 95.167.1.250 109.87.102.147 109.184.1.245 176.69.113.104 178.67.152.248 195.230.129.226
Disclaimer Usage of CMSmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume NO liability and are NOT responsible for any misuse or damage caused by this program.
PROTECTION MEASURES
➤ Control Leakage
➤ Restrict access to files
➤ Layered Defence
INFORMATION LEAKAGE != OBFUSCATION
Cons:
➤ Security through obscurity is pointless
➤ There are many ways that you can determine the CMS and its version
https://www.drupal.org/node/766404
Pros:
➤ A layered defence has this as a component
➤ Many exploits are reliant on simple version determination for version specific exploits
➤ Simple process to place effective hurdle in the path of script kiddies
➤ A component of defence only
SECURITY MISCONCEPTIONS
➤ Port reassignment: use port 2020, 2222 etc. in place of 22 - Bad Idea!
➤ Waste of time: port scanners (nmap) will find it
➤ False sense of security: better to spend the time doing real security - RSA keys, IP restriction, AllowGroups, no root login, IDS or other activity pattern matching.
➤ Poor security: ports below 1024 are privileged ports, above 1024 are not - easy to mimic ssh and listen.
➤ Non standard - other security measures won't guard it.
DEFENCE LEVEL 1 - PORT LEVEL CONTROL
Know what ports you have open, what is listening on them and who can access.
On the server:
$ netstat -nlp | grep tcp
0.0.0.0:9080 LISTEN 1804/varnishd
127.0.0.1:25 LISTEN 2583/exim4
144.76.185.80:443 LISTEN 1037/pound
0.0.0.0:2812 LISTEN 1007/monit
127.0.0.1:6082 LISTEN 1799/varnishd
0.0.0.0:3306 LISTEN 1727/mysqld
127.0.0.1:11211 LISTEN 849/memcached
127.0.0.1:6379 LISTEN 946/redis-server 12
0.0.0.0:10000 LISTEN 2644/perl
144.76.185.80:80 LISTEN 1037/pound
0.0.0.0:22 LISTEN 851/sshd
:::9080 LISTEN 1804/varnishd
::1:25 LISTEN 2583/exim4
:::8443 LISTEN 1779/apache2
:::8080 LISTEN 1779/apache2
:::22 LISTEN 851/sshd
From outside:
$ nmap xxx.xxx.xxx.xxx
Not shown: 990 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
554/tcp open tsp
7070/tcp open realserver
8080/tcp open http-proxy
8443/tcp open https-alt
9080/tcp open glrpc
10000/tcp open snet-sensor-mgmt
Red: IP / MAC restricted; Grey: Router proxies
DEFENCE LEVEL 1 - FIREWALL BLOCK LISTS
The IP 195.154.47.128 has just been banned by Fail2Ban after 3 attempts against ssh.
[Diagram: blocklist flow - an SSH brute force (or a CVE-2016-2118 "BADLOCK" probe) from 195.154.47.12 hits the initial server; steps 1-5: Log -> Report to blocklist -> Source/share lists of bad IPs -> Firewall / IPSET drop on any port on any other server -> Block on first visit. The compromised zombie is blocked everywhere; the whitelist is excluded.]
DEFENCE LEVEL 2 - HARDEN SOFTWARE
➤ Configure
➤ mod_negotiation: -MultiViews
➤ mod_indexes: -Indexes
➤ Modules to disable:
➤ mod_status
➤ mod_userdir
➤ mod_info
➤ PHP:
➤ enable_dl = Off
➤ allow_url_fopen = Off
➤ register_globals = Off
➤ disable_functions = openlog
➤ open_basedir = /var/www/
➤ upload_tmp_dir = /var/www/tmp
$ curl -Ikis "http://localhost/dump" -H "Accept: Accio/dumps"
HTTP/1.1 406 Not Acceptable
Date: Mon, 27 Feb 2017 17:40:36 GMT
Server: Apache/2.4.25 (Unix) PHP/5.6.29
Alternates: {"dump.sql" 1 {type application/x-sql} {length 104857600}}, {"dump.txt" 1 {type text/plain} {length 104857600}}
Vary: negotiate,accept
TCN: list
Content-Type: text/html; charset=iso-8859-1
DEFENCE LEVEL 2 - FILE PROTECTION MEASURES
All public folders (files):
php_flag engine off
All private files:
php_flag engine off
Require all denied
All public folders (document root):
AllowOverride None
Options -Indexes +SymLinksIfOwnerMatch -MultiViews
Deny access to txt files and php files other than specific ones (a negative lookahead excludes the allowed names; a [^...] character class cannot express "not this word"):
<FilesMatch "^(?!(xxrobots|robots)\.txt$|(index|channel)\.php$).*\.(txt|php)$">
  Require all denied
  Require ip {your-static-ip}
  Require ip 127.0.0.1
  Require valid-user
  Require group {your secure group}
</FilesMatch>
Deny access to hidden (DVCS) files:
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
  RewriteCond %{SCRIPT_FILENAME} -d [OR]
  RewriteCond %{SCRIPT_FILENAME} -f
  RewriteRule "(^|/)\." - [F]
</IfModule>
Deny access to files by type:
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
  Require all denied
</FilesMatch>
DEFENCE LEVEL 2 - CONTROL ACCESS
➤ Can't access TXT or PHP
➤ Restrict all sensitive file types - whether you use them or not
➤ Restrict PHP to specific folders
/vmskdl44rededd /N0Wccvvd333.php /N0Wccvvd333.php /N0WaY/N0WaY1bb2/N0WaY123.php /N0WaY/N0WaY1bb2/N0WaY123.php /wp-login.php /wp-config.php /configuration.php /administrator /user /CHANGELOG.txt /?q=admin/views/ajax/autocomplete/user/N0t3xstgg12394
DEFENCE LEVEL 3 - ANALYSE ACCESS PATTERNS
➤ Analyse activity patterns
➤ Protect admin paths
➤ Clearly here our rat is sniffing for copies of settings.php
➤ Often it is database dumps.
➤ Don't dump on production!
# Examples of real attempts to access sensitive files and backups
/sites/default/settings
/sites/default/settings.php~
/sites/default/settings.php.txt
/sites/default/settings.php.old
/sites/default/settings.php_old
/sites/default/settings.php-old
/sites/default/settings.php.save
/sites/default/settings.php.swp
/sites/default/settings.php.swo
/sites/default/settings.php_bak
/sites/default/settings.php-bak
/sites/default/settings.php.original
/sites/default/settings.php.orig
/sites/default/settings.php.bak
/sites/default/settings.save
/sites/default/settings.old
/sites/default/settings.bak
/sites/default/settings.orig
/sites/default/settings.original
/sites/default/settings.txt
All of the following had a UA of "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)":
"GET /backup.zip
"GET /backup.rar
"GET /backup.tar.gz
"GET /backup.sql
"GET /backup.sql.gz
"GET /backup
"GET /public_html.tar.gz
"GET /public_html.tar.bz2
"GET /public_html.zip
"GET /public_html.rar
"GET /dump.sql
"GET /dump.sql.gz
"GET /dump.sql.bz2
"GET /dump.sql.zip
"GET /dump.zip
"GET /dump
"GET /mysqldump
"GET /mysqldump.sql
"GET /pma
"GET /phpmyadmin
"GET /myadmin
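Added example (not from the slides): a Python check that runs the "Deny access to files by type" FilesMatch pattern quoted under DEFENCE LEVEL 2 against the settings.php probe names listed above, so you can see which names that pattern on its own denies. The second rule is my own negative-lookahead rendering of the "txt and php other than specific ones" rule (an assumption, not the slide's regex). As quoted, the pattern's final branch only catches .php~, .php.swp/.swo and .php.bak, so settings.php.orig, settings.php.old and the underscore/hyphen variants pass it; that is exactly why engine-off, the other rules and, above all, not leaving the file on the server are layered on top.

```python
import re

# The FilesMatch pattern exactly as quoted on the slide (PCRE syntax that Python's re
# module accepts unchanged). FilesMatch tests the file's basename, not the full path.
DRUPAL_FILESMATCH = (
    r"\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)"
    r"(~|\.sw[op]|\.bak|\.orig|\.save)?$"
    r"|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$"
    r"|\.php(~|\.sw[op]|\.bak|\.orig\.save)$"
)
# Hypothetical rendering of the slide's "txt and php other than specific ones" rule as a
# negative lookahead (my assumption, not the slide's own regex).
TXT_PHP_ALLOWLIST = r"^(?!robots\.txt$|(index|channel)\.php$).*\.(txt|php)$"

RULES = {
    "drupal-core": re.compile(DRUPAL_FILESMATCH),
    "txt-php-allowlist": re.compile(TXT_PHP_ALLOWLIST),
}

# Probe targets copied from the slide's list of real attempts.
PROBED = [
    "/sites/default/settings", "/sites/default/settings.php~", "/sites/default/settings.php.txt",
    "/sites/default/settings.php.old", "/sites/default/settings.php_old", "/sites/default/settings.php-old",
    "/sites/default/settings.php.save", "/sites/default/settings.php.swp", "/sites/default/settings.php.swo",
    "/sites/default/settings.php_bak", "/sites/default/settings.php-bak", "/sites/default/settings.php.original",
    "/sites/default/settings.php.orig", "/sites/default/settings.php.bak", "/sites/default/settings.save",
    "/sites/default/settings.old", "/sites/default/settings.bak", "/sites/default/settings.orig",
    "/sites/default/settings.original", "/sites/default/settings.txt",
]


def matching_rules(request_path):
    """Names of the rules whose pattern matches the request's basename (in RULES order)."""
    name = request_path.rsplit("/", 1)[-1]
    return [label for label, rx in RULES.items() if rx.search(name)]


def audit(paths):
    """Map each path to the rules that would deny it; [] means no pattern here stops it."""
    return {p: matching_rules(p) for p in paths}


def unprotected(paths):
    """Paths that slip past every pattern and so rely on engine-off or the file not existing."""
    return [p for p, rules in audit(paths).items() if not rules]


if __name__ == "__main__":
    for path, rules in audit(PROBED).items():
        print(f"{path:45s} {'denied by ' + ', '.join(rules) if rules else 'NOT matched'}")
```

Running it prints one line per probe; fourteen of the twenty names are reported as NOT matched, which is the gap that the "file is not there in the first place" advice closes.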
DEFENCE LEVEL 4 - REACTIVE
➤ mod_evasive
➤ mod_security
➤ Fail2ban
➤ Logwatch
➤ ELK
➤ IPTABLES / IPSET
[Definition]
# Option: failregex
# Notes.: regex to match the N0WaY settings.bak attack.
# Values: TEXT
# Test : fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-cmsnoway.conf '^<HOST> .*(\/admin\/reports\/dblog).*$'
failregex = ^<HOST> .* "GET .*(/N0WaY/N0WaY1bb2/N0WaY123\.php|settings\.(php\.)?(php~|sw(p|o)|txt|swo|php(-old|-bak|_bak)|php_old|bak|old|save|orig(inal)?)|wp-config\.php).*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
# (no quotes around the value: fail2ban would take them literally and the pattern would never match)
ignoreregex = ^<HOST> .*(\/admin\/reports\/dblog).*$
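To check what the filter above catches before deploying it, here is an added example (not part of the slides) that applies the same failregex and ignoreregex to a few constructed access-log lines in Python, approximating fail2ban's <HOST> expansion and using a maxretry of 3 (the ban threshold quoted in the Fail2Ban message earlier); both are assumptions. The dblog line shows why ignoreregex matters: an administrator reading the watchdog report would otherwise trip the filter, and the plain settings.php request shows that a legitimate URL is not flagged.

```python
import re
from collections import Counter

# fail2ban substitutes <HOST> with a host-capturing group; this is an approximation of its
# built-in definition (assumption), sufficient for IPv4 addresses and hostnames.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex / ignoreregex from the slide's apache-cmsnoway.conf filter.
FAILREGEX = (
    r'^<HOST> .* "GET .*(/N0WaY/N0WaY1bb2/N0WaY123\.php|settings\.(php\.)?'
    r'(php~|sw(p|o)|txt|swo|php(-old|-bak|_bak)|php_old|bak|old|save|orig(inal)?)|wp-config\.php).*'
)
IGNOREREGEX = r"^<HOST> .*(\/admin\/reports\/dblog).*$"

# Constructed access-log lines (documentation-range IPs); the last one is an admin reading
# the dblog report, which mentions a probed name but must not count as an attack.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jan/2017:13:50:01 +0000] "GET /sites/default/settings.php.bak HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jan/2017:13:50:02 +0000] "GET /sites/default/settings.php.orig HTTP/1.1" 404 217 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Jan/2017:13:50:03 +0000] "GET /N0WaY/N0WaY1bb2/N0WaY123.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jan/2017:13:51:00 +0000] "GET /wp-config.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jan/2017:13:51:01 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Jan/2017:13:52:00 +0000] "GET /admin/reports/dblog?q=settings.php.bak HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""


def compile_filter(pattern):
    """Expand the <HOST> tag the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def offending_host(line, fail_rx, ignore_rx):
    """Host captured by failregex, or None; ignoreregex takes precedence as in fail2ban."""
    if ignore_rx.search(line):
        return None
    m = fail_rx.search(line)
    return m.group("host") if m else None


def run_filter(log_text, maxretry=3):
    """Count matches per host and return (hits, hosts that reached maxretry)."""
    fail_rx, ignore_rx = compile_filter(FAILREGEX), compile_filter(IGNOREREGEX)
    hits = Counter()
    for line in log_text.splitlines():
        host = offending_host(line, fail_rx, ignore_rx)
        if host:
            hits[host] += 1
    banned = sorted(h for h, n in hits.items() if n >= maxretry)
    return hits, banned


if __name__ == "__main__":
    hits, banned = run_filter(SAMPLE_LOG)
    print("matches per host:", dict(hits))
    print("would ban:", banned)
```

The real check is still `fail2ban-regex` against your own log as in the Test line above; this script is for reasoning about the pattern on a handful of lines you choose.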
DEFENCE LEVEL 5 - INTRUSION DETECTION SYSTEM
➤ Host based Intrusion detection system
➤ log analysis
➤ file integrity checking,
➤ policy monitoring,
➤ rootkit detection,
➤ real-time alerting and
➤ active response
OSSEC HIDS Notification.
2017 Jan 19 13:57:11
Received From: server-005-023->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):
Integrity checksum changed for: '/var/www/www.somesite.com/live/htdocs/sites/default/settings.php'
Permissions changed from 'r--r-----' to 'rw-r-----'
--END OF NOTIFICATION
http://ossec.github.io/
CMS - NOWAY - DEFENCE IN DEPTH
[Diagram: the settings.php.bak probe against each layer]
➤ File extension denied
➤ Access pattern blocked
➤ Origin IP blocked
➤ File permissions 0444
➤ disallow php/bak
➤ Fail2ban / HIDS
➤ IPSET
➤ Monitor
Best protection - the file is not there in the first place!!
ATTACK SURFACES
[Diagram: coffee shop wifi; XSS, CSRF; frames / clickjacking; SSL stripping]
SPHERES OF PROTECTION
[Diagram: mod_security, mod_evasive, Apache, Network / FW, WAF, TLS, 'At Large' security, 3rd parties, Browser, WAN network, secure headers, XSS/CSRF protection, info. disclosure, HTTPS]
NOTHING IS PERFECT
SECURITY IN THE BROWSER
➤ HTTPS
➤ Cross-site scripting - XSS
➤ Cross-site request forgery - CSRF
➤ Click jacking - Frames
➤ Secure Cookies
https://pokeinthe.io
https://scotthelme.co.uk/
Adoption in Alexa top million websites
CHECK LIST FOR WEB SECURITY
https://wiki.mozilla.org/Security/Guidelines/Web_Security
➤ X-Content-Type-Options: nosniff
Guards against "drive-by download attacks" by preventing IE & Chrome from MIME-sniffing a response away from the declared content-type.
➤ X-Frame-Options: DENY
Provides clickjacking protection.
➤ X-Xss-Protection: 1; mode=block
Configures the XSS audit facilities in IE & Chrome.
➤ Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Informs the UA that all communications should be treated as HTTPS. Prevents MiTM & SSL-stripping attacks.
SECURITY IN THE BROWSER
beware the consequences!
SECURE COOKIES FOIL CSRF
➤ Set Cookie as:
➤ HTTP only
➤ Secure
➤ SameSite
Apache Configuration:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;SameSite=lax;
Drupal Configuration:
ini_set('session.cookie_httponly', 1);
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
  ini_set('session.cookie_secure', 1);
}
In Drupal 8 httpOnly and Secure are set by default
SECURE HEADERS
➤ Subresource Integrity Provide SHA hash of inline or CDN scripts.
➤ Public-Key-Pins By specifying the fingerprint of certain cryptographic identities, you can force the UA to only accept those identities going forwards.
➤ Content-Security-Policy: Provides details about the sources of resources the browser can trust, e.g. images, scripts, CSS, frames (both ancestors & children)
See https://securityheaders.io
CONTENT SECURITY POLICY
Typical elements:
Default Source, Script Source, Style Source, Image Source, Font Source, Child Source, Frame Ancestors
Others:
Connect Source, Media Source, Object Source, Form Action, Upgrade Insecure Requests, Block All Mixed Content, Sandbox, Reflected XSS, Base URI, Manifest Source, Plugin Types, Referrer
How to test:
Report Only, Report URI
Audit!
CONTENT SECURITY POLICY
Content-Security-Policy: default-src 'self'; img-src * data:; style-src 'self' 'unsafe-inline' *.googleapis.com f.fontdeck.com; font-src 'self' *.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com *.googleapis.com *.jquery.com *.google.com google.com *.newrelic.com *.nr-data.net connect.facebook.net; connect-src 'self'; frame-ancestors 'self' *.facebook.com; frame-src 'self' *.facebook.com; report-uri https://xyz.report-uri.io/r/default/csp/enforce
CONTENT SECURITY POLICY
Policy contraventions are reported by the browser:
https://report-uri.io/account/reports/csp/
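As an added example (not from the slides), the policy above parsed and audited in Python: the audit reports the source expressions that blunt CSP's XSS protection ('unsafe-inline', 'unsafe-eval', wildcard origins, data: for scripts or plugins) and the directives that must be set explicitly because they do not inherit default-src. The hardened policy is my own construction showing what a nonce-based alternative looks like; the nonce value is a placeholder.

```python
# The policy quoted on the slide, as the header value the server would send.
SLIDE_POLICY = (
    "default-src 'self'; img-src * data:; "
    "style-src 'self' 'unsafe-inline' *.googleapis.com f.fontdeck.com; "
    "font-src 'self' *.gstatic.com; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com *.googleapis.com "
    "*.jquery.com *.google.com google.com *.newrelic.com *.nr-data.net connect.facebook.net; "
    "connect-src 'self'; frame-ancestors 'self' *.facebook.com; frame-src 'self' *.facebook.com; "
    "report-uri https://xyz.report-uri.io/r/default/csp/enforce"
)
# Hypothetical tightened version (my construction, not the slide's): a per-response nonce
# instead of 'unsafe-inline', no 'unsafe-eval', explicit object-src, base-uri and form-action.
HARDENED_POLICY = (
    "default-src 'self'; img-src 'self' data:; style-src 'self' *.googleapis.com; "
    "font-src 'self' *.gstatic.com; script-src 'self' 'nonce-PLACEHOLDER' *.google-analytics.com; "
    "connect-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; "
    "frame-ancestors 'self'; report-uri https://xyz.report-uri.io/r/default/csp/enforce"
)

# Fetch directives inherit default-src when absent; these three do not and must be set explicitly.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src", "connect-src",
                         "media-src", "object-src", "frame-src", "child-src", "manifest-src"}
MUST_BE_EXPLICIT = ("base-uri", "form-action", "frame-ancestors")


def parse_csp(header):
    """Split 'name src src; name src' into {name: [sources]} (names lower-cased)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Sources the browser applies for a directive, honouring default-src fallback rules."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", []) if directive in FALLS_BACK_TO_DEFAULT else []


def audit_csp(header):
    """Return (directive, problem) pairs for the settings that weaken the policy."""
    policy = parse_csp(header)
    findings = []
    for d in ("script-src", "style-src"):
        if "'unsafe-inline'" in effective_sources(policy, d):
            findings.append((d, "allows 'unsafe-inline'"))
    if "'unsafe-eval'" in effective_sources(policy, "script-src"):
        findings.append(("script-src", "allows 'unsafe-eval'"))
    for d in ("script-src", "object-src"):
        if "data:" in effective_sources(policy, d):
            findings.append((d, "allows data: URIs"))
    for d, sources in policy.items():
        if "*" in sources:
            findings.append((d, "allows any origin (*)"))
    for d in MUST_BE_EXPLICIT:
        if d not in policy:
            findings.append((d, "not set (does not inherit default-src)"))
    return findings


if __name__ == "__main__":
    for label, policy in (("slide", SLIDE_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit_csp(policy) or "no findings")
```

Run it against any header you are about to deploy; paired with Report-Only mode and a report-uri, the findings tell you which inline scripts or styles need a nonce or hash before the policy can be enforced.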
CONTENT SECURITY POLICY
Mozilla CSP Policy directives: https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives
Drupal modules: https://www.drupal.org/project/seckit
CSP Builders
MOST COMMON REASONS YOU GET HACKED
➤ Don't have a security policy / budget
➤ Software outdated
➤ Relying on default setup (config and passwords)
➤ Insufficient access controls
➤ Password reuse
➤ Phishing and human error
➤ No IDS / Firewall / CSP etc
➤ No Monitoring and evaluation
➤ No response prepared
SO - WHAT DO WE DO ABOUT ALL THIS!
➤ Regularly review
➤ Audit attack surfaces
➤ Test defences
➤ Structured defences
➤ Avoid complacency
➤ Rebuild regularly
➤ Security Research
➤ Event monitoring
FINAL THOUGHTS - ANY SECURITY IS BETTER THAN NONE
Bake your principles into practices - Ansible - immutable infrastructure
➤ Security is a department - not a one off - Push for a budget!
➤ Define areas of responsibility with hosting
➤ Prepare response
➤ Learn your attack surface, test on Tor
➤ Monitor & test regularly
➤ Follow some Opsec people: @Scott_Helme, @troyhunt, @ivanristic, @briankrebs, @aprilmpls
➤ Letsencrypt - HTTPS.
➤ Work together (bad ips, honeypot, block list) - don't hit back