Verifying Drupal modules with OWASP ASVS 2014 (European Drupal Days 2015)
•
0 likes•473 views
Boy Baukema @ European Drupal Days 2015
Recommended
Recommended
More Related Content
Similar to Verifying Drupal modules with OWASP ASVS 2014 (European Drupal Days 2015)
Similar to Verifying Drupal modules with OWASP ASVS 2014 (European Drupal Days 2015) (20)
More from Eugenio Minardi
More from Eugenio Minardi (20)
Recently uploaded
Recently uploaded (20)
Verifying Drupal modules with OWASP ASVS 2014 (European Drupal Days 2015)
- 1. © Ibuildings 2014/2015 - All rights reserved #DrupalDaysEU Verifying Drupal modules with OWASP ASVS 2014
- 2. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved Gold Sponsors
- 3. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved Media Sponsors Silver Sponsors
- 4. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved During this workshop we'll be going more in-depth into how to audit a Drupal site. We'll be using OWASP ASVS 2014 and a Drupal 7 site which you will have to prove to be vulnerable. Intro
- 5. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved During this interactive workshop we'll be discussing and demonstrating basic and advanced examples of the following vulnerabilities: - Injection of various kinds (JavaScript, HTML, SQL, XML, etc) - Missing Authentication or Authorization - Cross Site Request Forgery (CSRF) - Denial of Service - Abuse of functionality - Information Leakage - and more. A laptop with VirtualBox installed is advised. Intro
- 6. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved • 09:30 - 10:00 Setup & Theory • 10:00 - 11:00 Auditing • 11:00 - 11:30 Fixing • 11:30 - 12:30 Break • 12:30 - 13:00 Fixing • 13:00 - 13:30 Presenting Schedule
- 7. © Ibuildings 2014/2015 - All rights reserved Setup
- 8. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved • VirtualBox • Vagrant • https://github.com/ibuildingsnl/insecured7 InsecureD7
- 9. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved • /Volumes/IBUILDINGS/edd15-verify-workshop/vm/insecured7.ova • Shared folder • /etc/fstab • Host-only network • Symlink: ln -sf src docroot/profiles/insecured7 Getting the VM up and running
- 10. © Ibuildings 2014/2015 - All rights reserved Theory
- 11. © Ibuildings 2014/2015 - All rights reserved This is the Talk Title and it could be very long, for example on two lines or more
- 12. © Ibuildings 2014/2015 - All rights reserved This is the Talk Title and it could be very long, for example on two lines or more level 1 level 2 level 3 chapter 1 1.1 1.2 1.3 X X X X X X chapter 2 2.1 2.2 2.3 X X X X X X X X
- 13. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved • Level 0 - Bullshit compliance level (0) • Level 1 - Opportunistic (47) • Level 2 - Standard (136) • Level 3 - Advanced (164) Level up!
- 14. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved • V1. Authentication • V2. Session Management • V3. Access Control • V4. Input Validation • V5. Cryptography (at Rest) • V6. Error Handling and Logging • V7. Data Protection ASVS Chapters • V8. Communication Security • V9. HTTP Security • V10. Malicious Controls • V11. Business Logic • V12. Files and Resources • V13. Mobile
- 15. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved V1.4. Verify that credentials and all other identity information handled by the application does not traverse unencrypted or weakly encrypted links. (level 1, 2 & 3) An example
- 16. © Ibuildings 2014/2015 - All rights reserved
- 17. © Ibuildings 2014/2015 - All rights reserved This is the Talk Title and it could be very long, for example on two lines or more
- 18. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved • Content-Security-Policy • X-Frame-Options • X-Content-Type-Options • HTTP Strict Transport Security (HSTS) Security Kit http://ibuildings.nl/blog/2013/03/4-http-security- headers-you-should-always-be-using
- 19. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved Adds the 'modules-usages-status' (mus) Drush command. Generate a CSV listing of all modules with their versions and associated usage counts. This can be used as input into security auditing scope. Drupal Security Tool Usage
- 20. © Ibuildings 2014/2015 - All rights reserved Questions?
- 21. © Ibuildings 2014/2015 - All rights reserved Auditting
- 22. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved <?php global $requirements; $report = ""; do { $requirement = array_pop ( $requirements ) ; $audit_results = do_audit_with ( $requirement ); $report .= $audit_results; $requirements[] = $requirement; } while (time() < strtotime('2015-03-19 12:30:00 CET')) auditing.php
- 23. © Ibuildings 2014/2015 - All rights reserved Break
- 24. © Ibuildings 2014/2015 - All rights reserved Fixing
- 25. © Ibuildings 2014/2015 - All rights reserved
- 26. © Ibuildings 2014/2015 - All rights reserved Presenting
- 27. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved 5 lucky participants will give a 5 minute presentation on their results from the audit and fixing. Presenting
- 28. © Ibuildings 2014/2015 - All rights reserved The End