Verifying Drupal modules with OWASP ASVS 2014

•

0 likes•715 views

During this workshop we'll be going more in-depth into how to audit a Drupal site. We'll be using OWASP ASVS 2014 and a Drupal 7 site which participants will have to prove to be vulnerable. During this interactive workshop we'll be discussing and demonstrating basic and advanced examples of the following vulnerabilities: Injection of various kinds (JavaScript, HTML, SQL, XML, etc) Missing Authentication or Authorization Cross Site Request Forgery (CSRF) Denial of Service Abuse of functionality Information Leakage and more. A laptop with VirtualBox installed is advised.

Technology

© Ibuildings 2014/2015 - All rights reserved
#DrupalDaysEU
Verifying Drupal modules with OWASP ASVS 2014

#DrupalDaysEU
© Ibuildings 2014/2015 - All rights reserved
Gold Sponsors

#DrupalDaysEU
© Ibuildings 2014/2015 - All rights reserved
Media Sponsors
Silver Sponsors

#DrupalDaysEU
© Ibuildings 2014/2015 - All rights reserved
During this workshop we'll be going more in-depth into how to audit a Drupal site. We'll
be using OWASP ASVS 2014 and a Drupal 7 site which you will have to prove to be
vulnerable.
Intro

#DrupalDaysEU
© Ibuildings 2014/2015 - All rights reserved
During this interactive workshop we'll be discussing and demonstrating basic and
advanced examples of the following vulnerabilities: 
- Injection of various kinds  
(JavaScript, HTML, SQL, XML, etc) 
- Missing Authentication or Authorization 
- Cross Site Request Forgery (CSRF) 
- Denial of Service 
- Abuse of functionality 
- Information Leakage 
- and more.
A laptop with VirtualBox installed is advised.
Intro

#DrupalDaysEU
© Ibuildings 2014/2015 - All rights reserved
• 09:30 - 10:00 Setup & Theory
• 10:00 - 11:00 Auditing
• 11:00 - 11:30 Fixing
• 11:30 - 12:30 Break
• 12:30 - 13:00 Fixing
• 13:00 - 13:30 Presenting
Schedule

© Ibuildings 2014/2015 - All rights reserved
Setup

#DrupalDaysEU
© Ibuildings 2014/2015 - All rights reserved
• VirtualBox
• Vagrant
• https://github.com/ibuildingsnl/insecured7
InsecureD7

#DrupalDaysEU
© Ibuildings 2014/2015 - All rights reserved
• /Volumes/IBUILDINGS/edd15-verify-workshop/vm/insecured7.ova
• Shared folder
• /etc/fstab
• Host-only network
• Symlink: ln -sf src docroot/profiles/insecured7
Getting the VM up and running

© Ibuildings 2014/2015 - All rights reserved
Theory

© Ibuildings 2014/2015 - All rights reserved
This is the Talk Title and it could be very long,
for example on two lines or more

© Ibuildings 2014/2015 - All rights reserved
This is the Talk Title and it could be very long,
for example on two lines or more
level 1 level 2 level 3
chapter 1 
1.1 
1.2 
1.3
X X
X
X
X
X
chapter 2 
2.1 
2.2 
2.3
X 
X
 
X
X 
X
X
X 
X

#DrupalDaysEU
© Ibuildings 2014/2015 - All rights reserved
• Level 0 - Bullshit compliance level (0)
• Level 1 - Opportunistic (47)
• Level 2 - Standard (136)
• Level 3 - Advanced (164)
Level up!

#DrupalDaysEU
© Ibuildings 2014/2015 - All rights reserved
• V1. Authentication
• V2. Session Management
• V3. Access Control
• V4. Input Validation
• V5. Cryptography (at Rest)
• V6. Error Handling and Logging
• V7. Data Protection
ASVS Chapters
• V8. Communication Security
• V9. HTTP Security
• V10. Malicious Controls
• V11. Business Logic
• V12. Files and Resources
• V13. Mobile

#DrupalDaysEU
© Ibuildings 2014/2015 - All rights reserved
V1.4. Verify that credentials and all other identity information handled by the application
does not traverse unencrypted or weakly encrypted links.
(level 1, 2 & 3)
An example

© Ibuildings 2014/2015 - All rights reserved

#DrupalDaysEU
© Ibuildings 2014/2015 - All rights reserved
• Content-Security-Policy
• X-Frame-Options
• X-Content-Type-Options
• HTTP Strict Transport Security (HSTS)
Security Kit
http://ibuildings.nl/blog/2013/03/4-http-security-
headers-you-should-always-be-using

#DrupalDaysEU
© Ibuildings 2014/2015 - All rights reserved
Adds the 'modules-usages-status' (mus) Drush command.
Generate a CSV listing of all modules with their versions and associated usage counts.
This can be used as input into security auditing scope.
Drupal Security Tool Usage

© Ibuildings 2014/2015 - All rights reserved
Questions?

© Ibuildings 2014/2015 - All rights reserved
Auditting

$#DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved <?php global $requirements; $report = ""; do { $requirement = array_pop ( $requirements ) ; $audit_results = do_audit_with ( $requirement ); $report .= $audit_results; $requirements[] = $requirement; } while (time() < strtotime('2015-03-19 12:30:00 CET')) auditing.php$

© Ibuildings 2014/2015 - All rights reserved
Break

© Ibuildings 2014/2015 - All rights reserved
Fixing

© Ibuildings 2014/2015 - All rights reserved
Presenting

#DrupalDaysEU
© Ibuildings 2014/2015 - All rights reserved
5 lucky participants will give a 5 minute presentation on their results from the audit and
fixing.
Presenting

© Ibuildings 2014/2015 - All rights reserved
The End

Drupalgeddon, Heartbleed, Shellshock, a million visitors a month, painting a large target for hackers. But fast paced Dutch news site rtlnieuws.nl is still standing. Want to find out why? In this presentation I will discuss why it's important to bake security into your process. Come to learn more about: Defining security requirements up front and clearly with a customer How and where to learn more about security - A quick run through of the most common vulnerabilities and their prevention like: Injection of various kinds (JavaScript, HTML, SQL, XML, etc) Missing Authentication or Authorization Cross Site Request Forgery (CSRF) Verifying that you have met your security goals at the end Maintaining security even in the face of (inevitable) third party vulnerabilities You'll leave this presentation with a clear plan to define and exceed your own or your customers security requirements.

Verifying Drupal modules with OWASP ASVS 2014 (European Drupal Days 2015)

Eugenio Minardi

Secure Drupal, from start to finish (European Drupal Days 2015)

Eugenio Minardi

Doing Drupal security right

Gábor Hojtsy

Drupal security

Jozef Toth

Bridging the gap between business and technology - Behaviour Driven Developme...

Eugenio Minardi

A Practical Introduction to Symfony (European Drupal Days 2015)

Eugenio Minardi

Coding for desktop and mobile with HTML5 and Java EE 7 - Geertjan Wielenga

JAXLondon_Conference

With businesses built around software now disrupting multiple industries that appeared to have stable leaders, the need has emerged for enterprises to create "software factories" built around the following principles: Streaming customer feedback directly into rapid, iterative cycles of application development Horizontally scaling applications to meet user demand Compatibility with an enormous diversity of clients, with mobility (smartphones, tablets, etc.) taking the lead Continuous delivery of value, shrinking the cycle time from concept to cash Infrastructure has taken the lead in adapting to meet these needs with the move to the cloud, and Platform as a Service (PaaS) has raised the level of abstraction to a focus on an ecosystem of applications and services. However, most applications are still developed as if we're living in the previous generation of both business and infrastructure: the monolithic application. Microservices - small, loosely coupled applications that follow the Unix philosophy of "doing one thing well" - represent the application development side of enabling rapid, iterative development, horizontal scale, polyglot clients, and continuous delivery. They also enable us to scale application development and eliminate long term commitments to a single technology stack. While microservices are simple, they are certainly not easy. It's recently been said that "microservices are not a free lunch". Interestingly enough, if you look at the concerns expressed here about microservices, you'll find that they are exactly the challenges that a PaaS is intended to address. So while microservices do not necessarily imply cloud (and vice versa), there is in fact a symbiotic relationship between the two, with each approach somehow compensating for the limitations of the other, much like the practices of eXtreme Programming.

Cloud Foundry and Microservices: A Mutualistic Symbiotic Relationship

Matt Stine

As delivered to the Cloud Foundry Summit 2014 in San Francisco, CA: With businesses built around software now disrupting multiple industries that appeared to have stable leaders, the need has emerged for enterprises to create "software factories" built around the following principles: * Streaming customer feedback directly into rapid, iterative cycles of application development * Horizontally scaling applications to meet user demand * Compatibility with an enormous diversity of clients, with mobility (smartphones, tablets, etc.) taking the lead * Continuous delivery of value, shrinking the cycle time from concept to cash Infrastructure has taken the lead in adapting to meet these needs with the move to the cloud, and Platform as a Service (PaaS) has raised the level of abstraction to a focus on an ecosystem of applications and services. However, most applications are still developed as if we're living in the previous generation of both business and infrastructure: the monolithic application. Microservices - small, loosely coupled applications that follow the Unix philosophy of "doing one thing well" - represent the application development side of enabling rapid, iterative development, horizontal scale, polyglot clients, and continuous delivery. They also enable us to scale application development and eliminate long term commitments to a single technology stack. While microservices are simple, they are certainly not easy. It's recently been said that "microservices are not a free lunch". Interestingly enough, if you look at the concerns expressed here about microservices, you'll find that they are exactly the challenges that a PaaS is intended to address. So while microservices do not necessarily imply cloud (and vice versa), there is in fact a symbiotic relationship between the two, with each approach somehow compensating for the limitations of the other, much like the practices of eXtreme Programming.

WebSockets in Enterprise Applications

Pavel Bucek

Hong kong drupal user group nov 8th - drupal 7.32 security vulnerability

Ann Lam

Hong kong drupal user group nov 8th - drupal 7.32 security vulnerabilityAnn Lam

Hong Kong Drupal User Group - Nov 8th

Wong Hoi Sing Edison

Hybrid and On-premise AWS workloads using HP Helion Eucalyptus

Vedanta Barooah

Security horrors

Boy Baukema

Get ready for a night of security horror! Together we'll look at some of the scariest horror stories from fiction and application security. From The Shining to data breaches and from Saw to ransomware. Horror stories entertain us and sometimes even teach us something about bad decision making. Tonight we'll not only look at some entertaining stories but highlight where they went wrong and what they should've done instead and together we'll learn more about defending against horrors. Scaring you tonight will be Boy Baukema, Senior Application Security Consultant at Veracode. He is a developer with 15+ years of software development experience and subject matter expert in application security. He provides consultative services to Veracode customers including large companies in sectors like financial services. He works with security teams and developers in 40+ programming languages to secure software.

Tampering with JavaScript

Boy Baukema

Similar to Verifying Drupal modules with OWASP ASVS 2014

Doing Drupal security right from Drupalcon LondonGábor Hojtsy

Drupal Security from Drupalcamp Bratislava

Gábor Hojtsy

Drupal Continuous Integration (European Drupal Days 2015)

Eugenio Minardi

Tweet4Beer (atualizada): Torneira de Chopp Controlada por Java, JavaFX, IoT ...

Marco Antonio Maciel

Netherlands Tech Tour 05 - Strategic Operationalization of MySQL

Mark Swarbrick

Performance on a budget (European Drupal Days 2015)

Eugenio Minardi

Successfully Deploying IPv6

Zivaro Inc

Prospectus: Cloud, Mobility and Interopability - AMIK Bandung Sept 2013The World Bank

Optimizing MariaDB for Web Applications (European Drupal Days 2015)

Eugenio Minardi

Managing Oracle Solaris Systems with Puppet

glynnfoster

Database as a Service, Collaborate 2016

Kellyn Pot'Vin-Gorman

JavaCro'15 - Everything a Java EE Developer needs to know about the JavaScrip...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association

Drupal for Big Data - is it ready? (European Drupal Days 2015)

Eugenio Minardi

Cloud Foundry and Microservices: A Mutualistic Symbiotic Relationship

VMware Tanzu

Cloud Foundry and Microservices: A Mutualistic Symbiotic Relationship

Matt Stine

WebSockets in Enterprise Applications

Pavel Bucek

Hong kong drupal user group nov 8th - drupal 7.32 security vulnerability

Ann Lam

Hong kong drupal user group nov 8th - drupal 7.32 security vulnerabilityAnn Lam

Hong Kong Drupal User Group - Nov 8th

Wong Hoi Sing Edison

Hybrid and On-premise AWS workloads using HP Helion Eucalyptus

Vedanta Barooah

Similar to Verifying Drupal modules with OWASP ASVS 2014 (20)

Doing Drupal security right from Drupalcon London

Drupal Security from Drupalcamp Bratislava

Drupal Continuous Integration (European Drupal Days 2015)

Tweet4Beer (atualizada): Torneira de Chopp Controlada por Java, JavaFX, IoT ...

Netherlands Tech Tour 05 - Strategic Operationalization of MySQL

Performance on a budget (European Drupal Days 2015)

Successfully Deploying IPv6

Prospectus: Cloud, Mobility and Interopability - AMIK Bandung Sept 2013

Optimizing MariaDB for Web Applications (European Drupal Days 2015)

Managing Oracle Solaris Systems with Puppet

Database as a Service, Collaborate 2016

JavaCro'15 - Everything a Java EE Developer needs to know about the JavaScrip...

Drupal for Big Data - is it ready? (European Drupal Days 2015)

Cloud Foundry and Microservices: A Mutualistic Symbiotic Relationship

WebSockets in Enterprise Applications

Hong kong drupal user group nov 8th - drupal 7.32 security vulnerability

Hong Kong Drupal User Group - Nov 8th

Hybrid and On-premise AWS workloads using HP Helion Eucalyptus

More from Boy Baukema

Security horrors

Boy Baukema

Tampering with JavaScript

Boy Baukema

Code by the sea: Web Application Security

Boy Baukema

A three-for-one of short talks on Web Application Security. First, are you secure? What is secure anyway? How can you be sure? Wouldn't it be nice if there was some kind of checklist you could show when someone asks you these questions? Fortunately several security specialists at the Open Web Application Security Project (OWASP) thought so too and created just such a list, called Application Security Verification Standard (ASVS). We'll look at what it is and how you can use it. Next we will discuss the Dutch Meldplicht Datalekken that came into effect on the first of January this year and what it means for you as a software developer. Finally we'll wrap up with a quick overview of the OWASP Top 10 and less obvious vulnerabilities that might be lurking in your codebases. https://www.meetup.com/Code-by-the-sea/events/234264535/

Ibuildings ISO 27001 lunchbox

Boy Baukema

OWASP ASVS 3 - What's new for level 1?

Boy Baukema

Security as a part of quality assuranceBoy Baukema

Recursive descent parsingBoy Baukema

Dpc14 security as part of Quality Assurance

Boy Baukema

SURFconext and Mobile

Boy Baukema

WebAppSec @ Ibuildings in 2014

Boy Baukema

Let's build a parser!

Boy Baukema

Javascript: 8 Reasons Every PHP Developer Should Love ItBoy Baukema

More from Boy Baukema (12)

Security horrors

Tampering with JavaScript

Code by the sea: Web Application Security

Ibuildings ISO 27001 lunchbox

OWASP ASVS 3 - What's new for level 1?

Security as a part of quality assurance

Recursive descent parsing

Dpc14 security as part of Quality Assurance

SURFconext and Mobile

WebAppSec @ Ibuildings in 2014

Let's build a parser!

Javascript: 8 Reasons Every PHP Developer Should Love It

Recently uploaded

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Uni Systems S.M.S.A.

20240605 QFM017 Machine Intelligence Reading List May 2024

Matthew Sinclair

Communications Mining Series - Zero to Hero - Session 1

DianaGray10

This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered: • Communication Mining Overview • Why is it important? • How can it help today’s business and the benefits • Phases in Communication Mining • Demo on Platform overview • Q/A

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

Microsoft - Power Platform_G.Aspiotis.pdf

Uni Systems S.M.S.A.

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Neo4j

Dr. Sean Tan, Head of Data Science, Changi Airport Group Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

GraphRAG is All You need? LLM & Knowledge Graph

Guy Korland

Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs. 1. Unifying Large Language Models and Knowledge Graphs: A Roadmap. https://arxiv.org/abs/2306.08302 2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs: https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

UiPath Test Automation using UiPath Test Suite series, part 5

DianaGray10

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

Neo4j

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

nkrafacyberclub

The Future of Platform Engineering

Jemma Hussein Allen

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

Climate Impact of Software Testing at Nordic Testing Days

Kari Kakkonen

My slides at Nordic Testing Days 6.6.2024 Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.

GridMate - End to end testing is a critical piece to ensure quality and avoid...

ThomasParaiso2

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

Recently uploaded (20)

By Design, not by Accident - Agile Venture Bolzano 2024

Uni Systems Copilot event_05062024_C.Vlachos.pdf

20240605 QFM017 Machine Intelligence Reading List May 2024

Communications Mining Series - Zero to Hero - Session 1

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Microsoft - Power Platform_G.Aspiotis.pdf

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Introduction to CHERI technology - Cybersecurity

GraphRAG is All You need? LLM & Knowledge Graph

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

Essentials of Automations: The Art of Triggers and Actions in FME

UiPath Test Automation using UiPath Test Suite series, part 5

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

The Future of Platform Engineering

Epistemic Interaction - tuning interfaces to provide information for AI support

Climate Impact of Software Testing at Nordic Testing Days

GridMate - End to end testing is a critical piece to ensure quality and avoid...

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

Verifying Drupal modules with OWASP ASVS 2014

4. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved During this workshop we'll be going more in-depth into how to audit a Drupal site. We'll be using OWASP ASVS 2014 and a Drupal 7 site which you will have to prove to be vulnerable. Intro

5. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved During this interactive workshop we'll be discussing and demonstrating basic and advanced examples of the following vulnerabilities:  - Injection of various kinds   (JavaScript, HTML, SQL, XML, etc)  - Missing Authentication or Authorization  - Cross Site Request Forgery (CSRF)  - Denial of Service  - Abuse of functionality  - Information Leakage  - and more. A laptop with VirtualBox installed is advised. Intro

6. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved • 09:30 - 10:00 Setup & Theory • 10:00 - 11:00 Auditing • 11:00 - 11:30 Fixing • 11:30 - 12:30 Break • 12:30 - 13:00 Fixing • 13:00 - 13:30 Presenting Schedule

9. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved • /Volumes/IBUILDINGS/edd15-verify-workshop/vm/insecured7.ova • Shared folder • /etc/fstab • Host-only network • Symlink: ln -sf src docroot/profiles/insecured7 Getting the VM up and running

12. © Ibuildings 2014/2015 - All rights reserved This is the Talk Title and it could be very long, for example on two lines or more level 1 level 2 level 3 chapter 1  1.1  1.2  1.3 X X X X X X chapter 2  2.1  2.2  2.3 X  X   X X  X X X  X

14. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved • V1. Authentication • V2. Session Management • V3. Access Control • V4. Input Validation • V5. Cryptography (at Rest) • V6. Error Handling and Logging • V7. Data Protection ASVS Chapters • V8. Communication Security • V9. HTTP Security • V10. Malicious Controls • V11. Business Logic • V12. Files and Resources • V13. Mobile

15. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved V1.4. Verify that credentials and all other identity information handled by the application does not traverse unencrypted or weakly encrypted links. (level 1, 2 & 3) An example

18. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved • Content-Security-Policy • X-Frame-Options • X-Content-Type-Options • HTTP Strict Transport Security (HSTS) Security Kit http://ibuildings.nl/blog/2013/03/4-http-security- headers-you-should-always-be-using

19. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved Adds the 'modules-usages-status' (mus) Drush command. Generate a CSV listing of all modules with their versions and associated usage counts. This can be used as input into security auditing scope. Drupal Security Tool Usage

22. #DrupalDaysEU © Ibuildings 2014/2015 - All rights reserved <?php global $requirements; $report = ""; do { $requirement = array_pop ( $requirements ) ; $audit_results = do_audit_with ( $requirement ); $report .= $audit_results; $requirements[] = $requirement; } while (time() < strtotime('2015-03-19 12:30:00 CET')) auditing.php

Verifying Drupal modules with OWASP ASVS 2014

Recommended

Recommended

More Related Content

Similar to Verifying Drupal modules with OWASP ASVS 2014

Similar to Verifying Drupal modules with OWASP ASVS 2014 (20)

More from Boy Baukema

More from Boy Baukema (12)

Recently uploaded

Recently uploaded (20)

Verifying Drupal modules with OWASP ASVS 2014