Full Web Stack Security
Staying out of harm's way
Drupal is just one piece of the software stack: vulnerabilities can exist at the server and network levels as well.
GVS (Drupal Security Review)
Prelude
OWASP TOP 10
the 10 most worrisome web app attack vectors
(owasp.org)
I. on the app
A1. Injection
A2. Cross-Site Scripting (XSS)
A3. Broken Authentication and Session Management
A4. Insecure Direct Object References
A5. Cross-Site Request Forgery (CSRF)
II. also off the app
A6. Security Misconfiguration
A7. Insecure Cryptographic Storage
A8. Failure to Restrict URL Access
A9. Insufficient Transport Layer Protection
A10. Unvalidated Redirects and Forwards
defensive vectors
drupal security team
writing secure code: SQL http://drupal.org/writing-secure-code
drupal filters on output http://drupal.org/node/263002
cross site scripting: using check_plain/markup. http://drupal.org/node/101495
handling user input: placeholders for t(), user input in forms. http://drupal.org/node/28984
check_plain() at api.drupal.org: http://api.drupal.org/api/function/check_plain
check_markup() at api.drupal.org: http://api.drupal.org/api/function/check_markup
Cross Site Request Forgery - handle forms securely. http://drupal.org/node/178896
Safely impersonating another user. http://drupal.org/node/218104
Using eval() in Drupal. http://drupal.org/node/715010
db_rewrite_sql() - when to use and why. http://drupal.org/node/93737
how to deal...
with an attack
and
...mitigate its impact at infrastructure level?
well... not really
it's a dirty fight
Darkmood
but there's hope...
Sonata
it's the server, stupid
permitted HTTP methods
GET, POST, HEAD
tricky methods
WebDAV: PUT, DELETE
lethal methods
OPTIONS, CONNECT, TRACE
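The slides only name the three methods a Drupal site needs. The configuration below is an added example, not the slides' own configuration, showing how that allow-list is enforced in nginx: a server-wide `if` on `$request_method` that turns everything else into a 405 before the request reaches PHP, and `limit_except` on a read-only location. The host name, document root and PHP-FPM socket are placeholders.

```nginx
# Added example (not from the slides): enforce the slide's allow-list of
# GET, HEAD and POST. Host name, document root and PHP socket are placeholders.
server {
    listen 80;
    server_name example.com;
    root /var/www/drupal;

    # Server-wide allow-list. PUT, DELETE, OPTIONS, CONNECT, TRACE and
    # anything else get 405 before the request reaches PHP or Drupal.
    # 'return' inside 'if' is one of the safe uses of 'if' in nginx.
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }

    # Static downloads never need POST either: limit_except admits GET
    # (HEAD is implied) and answers every other method with 403.
    location /downloads/ {
        limit_except GET {
            deny all;
        }
    }

    # Drupal 6/7 clean URLs.
    location / {
        try_files $uri /index.php?q=$uri&$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-fpm.sock;
    }
}
```

Validate with `nginx -t` before reloading; afterwards a `curl -I -X DELETE` against your own site should come back with 405 and never show up in the PHP-FPM logs.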
allowed hosts
don't allow a forged Host header
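nginx chooses the `server` block by the Host header, and Drupal 6/7 builds `$base_url` from `HTTP_HOST` unless it is fixed in settings.php, so a forged Host can end up in generated links (password-reset mails, cached pages). The configuration below is an added example, not from the slides: a catch-all `default_server` that closes the connection for any Host it does not recognise, so only requests for the names you own reach the application. The host names and root are placeholders; set `$base_url` in settings.php as a second layer.

```nginx
# Added example (not from the slides): make the default server a dead end
# so only requests for the names you own reach Drupal. Names are placeholders.

# default_server receives every request whose Host matches no server_name
# (and requests with no Host at all). 444 is nginx-specific: it closes
# the connection without sending a response.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# The real site answers only for its own names.
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/drupal;

    location / {
        try_files $uri /index.php?q=$uri&$args;
    }
}
```

The same pair is needed on port 443 (`listen 443 ssl default_server;` with a certificate) or TLS clients with a forged Host will still land in the first HTTPS server block.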
information disclosure
hide everything
but who cares?
the blind elephant is
watching you
defcon'10
http://blindelephant.sf.net
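"Hide everything" in nginx terms means removing the version banners the stack volunteers. The configuration below is an added example, not from the slides, and the slides' own caveat applies: a fingerprinter like BlindElephant hashes static files rather than reading headers, so this is noise reduction, not protection. Host name, root and socket are placeholders; the .txt file list is Drupal's standard web-root set.

```nginx
# Added example (not from the slides): strip the version banners.
# This hides nothing from a fingerprinter that hashes static files.
http {
    # "Server: nginx" instead of "Server: nginx/1.x.y" in responses
    # and on the built-in error pages.
    server_tokens off;

    server {
        listen 80;
        server_name example.com;        # placeholder
        root /var/www/drupal;           # placeholder

        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/var/run/php-fpm.sock;   # placeholder
            # PHP sends "X-Powered-By: PHP/x.y.z" unless expose_php=Off;
            # strip it here regardless of what php.ini says.
            fastcgi_hide_header X-Powered-By;
        }

        # Drupal ships text files in the web root (CHANGELOG.txt states the
        # exact core version). Refuse them, and dotfiles, with a plain 404.
        location ~* ^/(CHANGELOG|COPYRIGHT|INSTALL.*|LICENSE|MAINTAINERS|UPGRADE)\.txt$ {
            return 404;
        }
        location ~ /\. {
            return 404;
        }

        location / {
            try_files $uri /index.php?q=$uri&$args;
        }
    }
}
```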
and now for something completely different
a shell script that wraps an AWK script and does some cleanup of your PHP configuration
php.ini
this will be a drush command in the near future.
https://github.com/perusio/php-ini-cleanup
Black Ops
laying low
hunting like a black panther in the night
Aria
DDoS & DoS prevention
Limit the number of connections
Limit the size and number of uploads & downloads
limit the number of connections with limit zones
in nginx

```nginx
# limit_zone is the pre-1.1.8 directive; current nginx spells it limit_conn_zone
limit_zone uno $binary_remote_addr 1m;

location /uploads {
    limit_conn uno 1; # one connection
}
```
D6 filefield: POST filefield/ahah (uploads)

```nginx
location ~* filefield/ahah {
    limit_conn uno 1; # one connection
}
```

only one connection per IP is allowed

D7 filefield in core: POST file/ajax (uploads)

```nginx
location ~* file/ajax {
    limit_conn uno 2; # two connections
}
```

only two connections per IP are allowed
limit the number of requests per session or address
nginx HttpLimitReq module

```nginx
limit_req_zone $binary_remote_addr zone=eins:10m rate=1r/s;

location /downloads/ {
    limit_req zone=eins burst=5;
}
```

usually 1 req/s with a burst of 5
otherwise you get a 503 Service Unavailable
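The slides show the connection and request limits as isolated fragments in the `limit_zone` syntax of their day. The configuration below is an added example, not from the slides, that puts them together in current nginx syntax (`limit_zone` became `limit_conn_zone` in 1.1.8) and goes a little beyond the slides: the upload size limit they mention, a distinct status code so a throttled client is not mistaken for a dead backend, and the timeouts that defuse slow clients of the slowloris kind. Host name, paths, sizes and timeouts are illustrative.

```nginx
# Added example (not from the slides): the slide's limits in the syntax of
# current nginx, plus upload size limit and slow-client timeouts.
# Host name, paths, sizes and timeouts are illustrative.
http {
    # Per-address zones. $binary_remote_addr is fixed-width (4 bytes for
    # IPv4), so a megabyte holds roughly 16 to 32 thousand addresses.
    limit_conn_zone $binary_remote_addr zone=uno:1m;
    limit_req_zone  $binary_remote_addr zone=eins:10m rate=1r/s;

    # Answer 429 instead of the default 503 (nginx >= 1.3.15) so monitoring
    # can tell a throttled client from a backend that is really down.
    limit_conn_status 429;
    limit_req_status  429;

    # Slow-client defence: drop clients that trickle headers or bodies
    # and keep idle keep-alive connections short.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;

    server {
        listen 80;
        server_name example.com;
        root /var/www/drupal;

        # "Limit the size of uploads": enforced by nginx before PHP runs;
        # larger bodies get 413.
        client_max_body_size 8m;

        # D7 core file widget posts to file/ajax: two concurrent uploads
        # per address, as on the slide.
        location ~* file/ajax {
            limit_conn uno 2;
            try_files $uri /index.php?q=$uri&$args;
        }

        # Downloads: 1 r/s per address with a burst of 5. Without 'nodelay'
        # up to five excess requests are queued and paced to 1 r/s; anything
        # beyond that is refused. limit_rate caps bandwidth per connection.
        location /downloads/ {
            limit_req zone=eins burst=5;
            limit_rate 512k;
        }

        location / {
            try_files $uri /index.php?q=$uri&$args;
        }

        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/var/run/php-fpm.sock;
        }
    }
}
```

Size the zones for your traffic: when a zone fills up nginx cannot create new entries and answers the affected requests with the limit status code, so an undersized zone turns into a self-inflicted outage.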
The match: faites vos jeux (place your bets)
the rules of the Marquis of Queensberry apply to this match
Chaconne
slowloris + DDoS simulation live
Minuetto
There's so much stuff we had to leave out
these for example
• SSH for deployment and maintenance
• SFTP for transfers, running services
• FTP, smb shares, open ports
• telnet, remote desktop, VNC
to be continued...
somewhere over the rainbow
perusio http://drupal.org/user/8859
ricardoamaro http://drupal.org/user/666176
both founders of the Associação Drupal Portugal
become a member
http://drupal-pt.org/node/145
Associação Drupal Portugal