full web stack security
DESCRIPTION
Presentation made by António Almeida and Ricardo Amaro during DrupalCamp Lisboa 2011.
TRANSCRIPT
Staying out of harm's way
Full Web Stack Security
Drupal is just one piece of the software stack: vulnerabilities can exist at the server and network levels as well.
GVS (Drupal Security Review)
Prelude
OWASP TOP 10
the 10 most worrisome web app attack vectors
(owasp.org)
I. on the app
A1. Injection
A2. Cross-Site Scripting (XSS)
A3. Broken Authentication and Session Management
A4. Insecure Direct Object References
A5. Cross-Site Request Forgery (CSRF)
II. also off the app
A6. Security Misconfiguration
A7. Insecure Cryptographic Storage
A8. Failure to Restrict URL Access
A9. Insufficient Transport Layer Protection
A10. Unvalidated Redirects and Forwards
defensive vectors: drupal security team
writing secure code: SQL http://drupal.org/writing-secure-code
drupal filters on output http://drupal.org/node/263002
cross site scripting: using check_plain/markup. http://drupal.org/node/101495
handling user input: placeholders for t(), user input in forms. http://drupal.org/node/28984
check_plain() at api.drupal.org. http://api.drupal.org/api/function/check_plain
check_markup() at api.drupal.org. http://api.drupal.org/api/function/check_markup
Cross Site Request Forgery - handle forms securely. http://drupal.org/node/178896
Safely impersonating another user. http://drupal.org/node/218104
Using eval() in Drupal. http://drupal.org/node/715010
db_rewrite_sql() - when to use and why. http://drupal.org/node/93737
how to deal...
with an attack
and
...mitigate its impact at
infrastructure level?
well... not really
it's a dirty fight
Darkmood
but there's hope...
Sonata
it's the server stupid
permitted HTTP methods
GET, POST, HEAD
tricky methods
WebDAV
PUT, DELETE
lethal methods
OPTIONS
CONNECT
TRACE
allowed hosts
don't allow a forged Host header
information disclosure
hide everything
but who cares?
the blind elephant is
watching you
defcon'10
http://blindelephant.sf.net
and now for something completely different
a shell script that wraps an AWK script and does some cleanup of your PHP configuration
php.ini
this will be a drush command in the near future.
https://github.com/perusio/php-ini-cleanup
Black Ops
laying low
hunting like a black panther in the night
Aria
DDoS & DoS prevention
Limit the number of connections
Limit the size and number of uploads & downloads
limit the number of connections
with limit zones
in nginx

limit_zone uno $binary_remote_addr 1m;

location /uploads {
    limit_conn uno 1; # one connection
}

D6 filefield: POST filefield/ahah (uploads)

location ~* filefield/ahah {
    limit_conn uno 1; # one connection
}
only one connection per IP is allowed
D7 filefield in core: POST file/ajax (uploads)

location ~* file/ajax {
    limit_conn uno 2; # two connections
}

only two connections per IP are allowed
limit the number of requests per session or
address
nginx HttpLimitReq
module
limit_req_zone $binary_remote_addr zone=eins:10m rate=1r/s;

location /downloads/ {
    limit_req zone=eins burst=5;
}

usually 1 req/s with a burst of 5
otherwise you get a
503 Service Unavailable
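To see what that rule means for a single client, here is an added Python model (not from the talk, and not nginx code) of the limit_req leaky-bucket accounting for rate=1r/s with burst=5: a fresh IP gets one request plus the burst straight away, excess requests are delayed to the configured rate, and anything beyond the burst gets the 503. The scaled-by-1000 bookkeeping mirrors how I understand the nginx module, so treat it as a model of the behaviour rather than a reference implementation.

```python
"""Model of nginx limit_req (HttpLimitReq) accounting, constructed for the
talk's rule rate=1r/s burst=5. Rate and excess are kept scaled by 1000
(milli-requests) as the nginx module does, as I understand it; this is a
model of the behaviour, not nginx code."""
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    rate_rps: float          # `rate=` of limit_req_zone
    burst: int               # `burst=` of limit_req
    nodelay: bool = False    # `nodelay`: serve excess at once instead of delaying
    # per-key state, like nginx's shared-memory node: key -> (last_ms, excess)
    _state: dict = field(default_factory=dict)

    def request(self, key, now_s):
        """Account one request from `key` at `now_s` seconds.

        Returns ("ok", delay_s), delay_s being how long nginx would hold the
        request without `nodelay`, or ("503", None) when the client is over
        rate + burst and would get Service Unavailable."""
        rate = int(self.rate_rps * 1000)           # milli-requests per second
        burst = self.burst * 1000
        now_ms = int(now_s * 1000)
        if key not in self._state:
            # A fresh node starts at excess 0 and is admitted immediately.
            self._state[key] = (now_ms, 0)
            return "ok", 0.0
        last_ms, excess = self._state[key]
        # Drain at `rate` since the last request, then charge this request.
        excess = max(excess - rate * (now_ms - last_ms) // 1000 + 1000, 0)
        if excess > burst:
            return "503", None        # over the burst: rejected, state untouched
        self._state[key] = (now_ms, excess)
        delay_s = 0.0 if self.nodelay else excess / rate
        return "ok", delay_s


def flood(zone, key, count, now_s):
    """Fire `count` requests from `key` at one instant; return the verdicts."""
    return [zone.request(key, now_s) for _ in range(count)]


if __name__ == "__main__":
    z = LimitReqZone(rate_rps=1, burst=5)
    for i, (status, delay) in enumerate(flood(z, "192.0.2.10", 7, 0.0), 1):
        print(f"request {i}: {status} delay={delay}s")
```

Running it shows six requests admitted (the first at once, the rest held 1 to 5 seconds) and the seventh refused, which is the "1 req/s with a burst of 5" the slide describes.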
The match
place your bets
the rules of the Marquis of Queensbury apply to this match
Chaconne
slowloris+
DDoS
simulation live
Minuetto
There's so much stuff we had to leave out
these for example
• SSH for deployment and maintenance
• SFTP for transfers, running services
• FTP, smb shares, open ports
• telnet, remote desktop, VNC
to be continued...
somewhere over the rainbow
perusio
http://drupal.org/user/8859
ricardoamaro
http://drupal.org/user/666176
both founders of the Associação Drupal Portugal
become a member
http://drupal-pt.org/node/145
Associação Drupal Portugal