full web stack security

Post on 08-May-2015


DESCRIPTION

Presentation by António Almeida and Ricardo Amaro at DrupalCamp Lisboa 2011.

TRANSCRIPT

Staying out of harm's way

Full Web Stack Security

Drupal is just one piece of the software stack: vulnerabilities can exist at the server and network levels as well.

GVS (Drupal Security Review)

Prelude

OWASP TOP 10

the 10 most worrisome web app attack vectors

(owasp.org)

I. on the app

A1. Injection

A2. Cross-Site Scripting (XSS)

A3. Broken Authentication and Session Management

A4. Insecure Direct Object References

A5. Cross-Site Request Forgery (CSRF)

II. also off the app

A6. Security Misconfiguration

A7. Insecure Cryptographic Storage

A8. Failure to Restrict URL Access

A9. Insufficient Transport Layer Protection

A10. Unvalidated Redirects and Forwards

defensive vectors

Drupal security team resources:

• writing secure code: SQL. http://drupal.org/writing-secure-code

• Drupal filters on output. http://drupal.org/node/263002

• cross site scripting: using check_plain()/check_markup(). http://drupal.org/node/101495

• handling user input: placeholders for t(), user input in forms. http://drupal.org/node/28984

• check_plain() at api.drupal.org. http://api.drupal.org/api/function/check_plain

• check_markup() at api.drupal.org. http://api.drupal.org/api/function/check_markup

• Cross Site Request Forgery: handle forms securely. http://drupal.org/node/178896

• Safely impersonating another user. http://drupal.org/node/218104

• Using eval() in Drupal. http://drupal.org/node/715010

• db_rewrite_sql(): when to use and why. http://drupal.org/node/93737

how to deal...

with an attack, and mitigate its impact at the infrastructure level?

well... not really

it's a dirty fight

Darkmood

but there's hope...

Sonata

it's the server, stupid

permitted HTTP methods

GET, POST, HEAD

tricky methods

WebDAV: PUT, DELETE

lethal methods

OPTIONS, CONNECT, TRACE

(TRACE echoes the request back to the client, which is what cross-site tracing abuses; CONNECT turns the server into a forward proxy for arbitrary hosts; OPTIONS mainly tells an attacker which of the other methods are enabled. Disable all three unless something actually needs them.)

allowed hosts

don't allow a forged Host header

information disclosure

hide everything
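What the three server-level points above (permitted methods, allowed hosts, information disclosure) look like in one nginx configuration. This is an added example, not the deck's own config: the host names, document root, PHP-FPM socket path and the list of version-revealing Drupal text files are assumptions, and the fragment belongs inside the http context of nginx.conf.

```nginx
# Added example, not from the slides. Host names, paths and the PHP-FPM
# socket are assumptions; adjust them to the site.

# 1. Allowed hosts. Every request whose Host header (or missing Host
#    header) matches none of the real server_names lands in the default
#    server and is closed without any response. 444 is nginx-specific:
#    drop the connection, send nothing.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name example.com www.example.com;   # assumed
    root /var/www/drupal;                      # assumed

    # 3. Information disclosure: no version string in the Server header or
    #    on nginx error pages, and no X-Powered-By header from PHP.
    server_tokens off;
    fastcgi_hide_header X-Powered-By;

    # 2. Permitted HTTP methods. Only GET, HEAD and POST reach Drupal;
    #    PUT, DELETE, OPTIONS, CONNECT, TRACE and the WebDAV verbs get 405.
    #    "return" is the one statement that is safe to use inside an nginx "if".
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }

    # Drupal ships text files that state the exact release (CHANGELOG.txt
    # first among them). Assumed file list for Drupal 6/7.
    location ~* ^/(CHANGELOG|COPYRIGHT|INSTALL[^/]*|LICENSE|MAINTAINERS|UPGRADE)\.txt$ {
        return 404;
    }

    # No dotfiles (.htaccess, .git, ...) from anywhere under the docroot.
    location ~ /\. {
        return 404;
    }

    location / {
        try_files $uri /index.php?q=$uri&$args;
    }

    location ~ \.php$ {
        try_files $uri =404;   # never hand a non-existent script to PHP
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-fpm.sock;   # assumed
    }
}
```

To check it from outside: `curl -sI -X TRACE http://example.com/` must come back 405, `curl -sI http://example.com/CHANGELOG.txt` must be 404 with a Server header that reads just `nginx`, and `curl -sI -H 'Host: not-ours.example' http://<server-ip>/` must get the connection closed rather than a page.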

but who cares?

the blind elephant is watching you

BlindElephant, the web application fingerprinter presented at DEF CON 18 (2010): it identifies the exact Drupal release from the hashes of static files, no version banner needed

http://blindelephant.sf.net

and now for something completely different

a shell script that wraps an AWK script and does some cleanup of your PHP configuration

php.ini

this will be a drush command in the near future.

https://github.com/perusio/php-ini-cleanup

Black Ops

laying low

hunting like a black panther in the night

Aria

DDoS & DoS prevention

Limit the number of connections

Limit the size and number of uploads and downloads

limit the number of connections with limit zones

in nginx

limit_zone uno $binary_remote_addr 1m;

location /uploads {
    limit_conn uno 1;   # one connection
}

(limit_zone is the pre-1.1.8 directive; nginx 1.1.8 and later spell it limit_conn_zone with a zone=name:size parameter.)

D6 filefield: POST filefield/ahah (uploads)

location ~* filefield/ahah {
    limit_conn uno 1;   # one connection
}

only one connection per IP is allowed

D7 filefield in core: POST file/ajax (uploads)

location ~* file/ajax {
    limit_conn uno 2;   # two connections
}

only two connections per IP are allowed

limit the number of requests per session or address

nginx HttpLimitReq module

limit_req_zone $binary_remote_addr zone=eins:10m rate=1r/s;

location /downloads/ {
    limit_req zone=eins burst=5;
}

usually 1 req/s with a burst of 5

otherwise you get a

503 Service Unavailable
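The limit slides above in current nginx syntax, as an added example rather than the deck's own configuration. It keeps the slides' zone names, uses limit_conn_zone (which superseded limit_zone in nginx 1.1.8), and adds the upload size and download bandwidth limits the slides list but do not show. Paths, sizes and rates are assumptions for a Drupal site; the fragment is the http context of nginx.conf.

```nginx
# Added example, not from the slides. Paths, sizes and rates are assumptions.

http {
    # Connection counter keyed by client address. $binary_remote_addr is the
    # 4-byte IPv4 form, so a 10m zone holds tens of thousands of addresses.
    limit_conn_zone $binary_remote_addr zone=uno:10m;

    # Request-rate bucket keyed by client address: 1 request/second sustained.
    limit_req_zone $binary_remote_addr zone=eins:10m rate=1r/s;

    # Rejections are logged at "error" by default; "warn" keeps them visible
    # without mixing them into real errors.
    limit_conn_log_level warn;
    limit_req_log_level warn;

    server {
        listen 80;
        server_name example.com;     # assumed
        root /var/www/drupal;        # assumed

        # Size of uploads: a request body above 8 MB is refused with 413
        # before PHP ever sees it. Keep it at or just above
        # upload_max_filesize / post_max_size in php.ini.
        client_max_body_size 8m;

        # Drupal 7 core file field: POST file/ajax. Two concurrent
        # connections per client address; the third gets 503.
        location ~* ^/file/ajax {
            limit_conn uno 2;
            try_files $uri /index.php?q=$uri&$args;
        }

        # Drupal 6 filefield module: POST filefield/ahah. One per client.
        location ~* ^/filefield/ahah {
            limit_conn uno 1;
            try_files $uri /index.php?q=$uri&$args;
        }

        # Downloads: 1 r/s, with up to 5 excess requests queued (burst);
        # beyond the burst nginx answers 503. limit_rate then caps each
        # connection at 256 KB/s after its first megabyte, so one client
        # cannot monopolise the outbound link.
        location /downloads/ {
            limit_req zone=eins burst=5;
            limit_rate_after 1m;
            limit_rate 256k;
        }

        location / {
            try_files $uri /index.php?q=$uri&$args;
        }

        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/var/run/php-fpm.sock;   # assumed
        }
    }
}
```

The limits are applied in the preaccess phase of the first location that matches, before try_files redirects the request to index.php, and nginx counts each request against a zone only once, so the internal redirect to the PHP location does not bypass them. Test with several parallel `curl -F file=@big.bin http://example.com/file/ajax/...` uploads from one address: the third should receive 503, and the error log should show the rejection at the warn level.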

The match

faites vos jeux (place your bets)

the rules of the Marquess of Queensberry apply to this match

Chaconne

slowloris + DDoS

simulation, live
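Slowloris works by holding many connections open with a request that never finishes (one partial header line every few seconds), so the mitigation at the nginx level is to bound how long any single slow client may occupy a worker connection. This is an added example, not the deck's configuration; the values set are assumptions for a Drupal site, the values in the trailing comments are nginx's documented defaults.

```nginx
# Added example, not from the slides. Values set are assumptions; values in
# the trailing comments are the nginx defaults they replace.

# Main context: file-descriptor ceiling per worker process; worker_connections
# below must stay under it.
worker_rlimit_nofile 8192;

events {
    worker_connections 4096;     # default 512
}

http {
    # Slowloris: the request line and headers never complete. Bound the time
    # allowed to receive them in full.
    client_header_timeout 10s;   # default 60s

    # Slow POST: the same trick with the body. This is the time allowed
    # between two successive reads, not for the whole body, so large uploads
    # on a healthy connection are unaffected.
    client_body_timeout 10s;     # default 60s

    # Slow read: the client acknowledges a few bytes at a time. Again the
    # interval between two successive writes.
    send_timeout 10s;            # default 60s

    # Idle keep-alive connections are the cheapest thing for an attacker to
    # hold; shorten how long an idle one is kept.
    keepalive_timeout 15s;       # default 75s

    # When a timeout fires, reset the socket and free its buffers immediately
    # instead of lingering in FIN_WAIT with memory still allocated.
    reset_timedout_connection on;   # default off
}
```

These settings raise the cost of an attack from a handful of machines from trivial to impractical, which is what the live slowloris simulation shows; a distributed flood that saturates the link or the TCP backlog is a different problem, which is the "not really" from earlier in the talk.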

Minuetto

There's so much stuff we had to leave out

these for example

• SSH for deployment and maintenance

• SFTP for transfers, running services

• FTP, smb shares, open ports 

• telnet, remote desktop, VNC

to be continued...

somewhere over the rainbow

perusio http://drupal.org/user/8859

ricardoamaro http://drupal.org/user/666176

both founders of the Associação Drupal Portugal

become a member

http://drupal-pt.org/node/145