END TO END
WEB
SECURITY
TAKE YOUR HEAD OUT OF THE
SAND AND 

DELIVER YOUR WEB PAGES
SECURELY
Beginner's guide
http://map.norsecorp.com/#/
GEORGE BOOBYER
DRUPAL: iAUGUR

GEORGE@BLUE-BAG.COM
TWITTER: iBLUEBAG
www.blue-bag.com
Established in 2000
WEB SECURITY
Threats, culprits & examples
Threats & how they work
How can we guard against them
Server Environment Security
Application level security
Transport Security
Browser based security
Questions
HACKERS: WHO / WHAT ARE THEY
Defacers
Content injection
Data Breaches
"Hacktivists"
Intruders: Parasites / Squatters / Malware

Angler EK / Nautilus / Necurs
Layer 7 attacks - HTTP flood
DEFACED SITES
Examples redacted
Home page replaced with hacker's banner
HACKERS: WHAT ARE THEY
Defacers / Malicious
Content injection
Data Breaches
"Hacktivists"
Intruders: Parasites / Squatters / Malware

Angler EK / Nautilus / Necurs
Layer 7 attacks - HTTP flood
CONTENT INJECTION PARASITES
<script> location.href='http://www.fashionheel-us.com/';</script>
Body overwritten with redirect
USER AGENT SPECIFIC PARASITES
The injected content is only served to some visitors: compare the response returned to
User-Agent:Googlebot/2.1 (+http://www.googlebot.com/bot.html)
with the one returned to
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) Chrome/51.0.2704.84 Safari/537.36
SOME EXAMPLES
Data breach Vulnerable systems
HIGH PROFILE DATA BREACHES
@TROYHUNT
HACKERS: WHAT ARE THEY
Defacers / Malicious
Content injection
Data Breaches
"Hacktivists"
Intruders: Parasites / Squatters / Malware

Angler EK / Nautilus / Necurs / Locky
Layer 4 & 7 attacks - HTTP flood
HACKERS: HACKER ON HACKER
Hacking team vs Phineas
Albanian hitman
http://pastebin.com/raw/0SNSvyjJ
HACKERS: HACKER ON TERROR
Anonymous
HACKERS: WHAT ARE THEY
Defacers / Malicious
Content injection
Data Breaches
"Hacktivists"
Intruders / Botnets
Layer 4 & 7 attacks - HTTP flood
INTRUDERS / BOTNETS
Parasites / Squatters
Malware / Ransomware
Angler EK / Nautilus
Necurs / Locky
HACKERS: WHAT ARE THEY
Defacers / Malicious
Content injection
Data Breaches
"Hacktivists"
Intruders / Botnets
Ransom: Layer 4 & 7 attacks - HTTP flood
DDOS / FLOOD ATTACKS
Layer 4: UDP flood, SYN flood, DNS attacks
Layer 7: XML-RPC, HTTP GET/POST, Slowloris
IP stressers, booters and shells
HACKERS: THEY HAVE IT EASY
Open configuration files
Browsable folders

Out of date CMS
Phishing / Social Engineering
Leverage other breaches / password reuse
Search Engines
MISCONFIGURATIONS: SAVED COPIES OF SENSITIVE FILES
MISCONFIGURATIONS: DIRECTORY BROWSING
Navigable / readable config files
HTTPS KEEPS YOU SAFE - RIGHT?
Not if your settings.php is readable.
HACKERS: THEY HAVE IT EASY
Open configuration files
Browsable folders

Out of date CMS
Phishing / Social Engineering
Leverage other breaches / password reuse
Search Engines
Shells
ANYTHING BUT COSMETIC: TAKING CONTROL
HACKERS: HOW THEY FEED - LOW HANGING FRUIT
Internet of things: shodan.io
Google Dorks
Exploit-db
Drive by
Show off: zone-h
Internet of things: shodan.io
Google Dorks
Exploit-db
Drive by / Trawlers
Show off: zone-h
Example to locate Drupalgeddon vulnerable sites - redacted
HACKERS: HOW THEY FEED - LOW HANGING FRUIT
Normal day: Attempts to use known hacks by 255 hosts were logged 753 time(s)
/admin/fckeditor/editor/filemanager/upload/php/upload.php
/wp-config.php.bak 
/wp-login.php
/backup.sql
/Ringing.at.your.dorbell!
/admin/assets/ckeditor/elfinder/php/connector.php
/wp-admin/admin-ajax.php?action=revslider_ajax_action
//phpMyAdmin/scripts/setup.php
/SQLite/SQLiteManager-1.2.4/main.php
/jenkins/login

/joomla/administrator
/wp-content/plugins/sell-downloads/sell-downloads.php?file=../../.././wp-config.php
/modules/coder/LICENSE.txt
/modules/restws/LICENSE.txt
/sites/all/modules/webform_multifile/LICENSE.txt
SSHD Illegal users:

admin
nagios
ubnt

fluffy
guest
info
library
linux
oracle
shell
test

unix

webmaster

.....
HACKERS: HOW THEY FEED - TRAWLERS
HACKERS: HOW THEY FEED - LOW HANGING FRUIT
WEB SECURITY
How can we guard against threats
Server Environment Security
Application level security
Transport Security
Browser based security
ATTACK SURFACES
Coffee shop wifi
XSS
CSRF
Frames
Clickjacking
SSL stripping
SPHERES OF PROTECTION
Concentric layers on the slide, from the outside in:
WAN network / 3rd parties
Network / FW, WAF
TLS 'at large' security
Browser: secure headers, XSS/CSRF protection, info. disclosure, HTTPS
Apache: mod_security, mod_evasive
CMS
ATTACK SURFACES
Server (Layer 3)
Other servers (backup, monitoring, local)
Application / Layer 7
In transit
The browser
SERVER: PORTS ARE OPEN DOORS
Know what ports you have open, what is listening on them and who can access.
On the server ($ netstat -nlp | grep tcp):
0.0.0.0:9080 LISTEN 1804/varnishd
127.0.0.1:25 LISTEN 2583/exim4
144.76.185.80:443 LISTEN 1037/pound
0.0.0.0:2812 LISTEN 1007/monit
127.0.0.1:6082 LISTEN 1799/varnishd
0.0.0.0:3306 LISTEN 1727/mysqld
127.0.0.1:11211 LISTEN 849/memcached
127.0.0.1:6379 LISTEN 946/redis-server 12
0.0.0.0:10000 LISTEN 2644/perl
144.76.185.80:80 LISTEN 1037/pound
0.0.0.0:22 LISTEN 851/sshd
:::9080 LISTEN 1804/varnishd
::1:25 LISTEN 2583/exim4
:::8443 LISTEN 1779/apache2
:::8080 LISTEN 1779/apache2
:::22 LISTEN 851/sshd
From outside ($ nmap xxx.xxx.xxx.xxx):
Not shown: 990 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
554/tcp open tsp
7070/tcp open realserver
8080/tcp open http-proxy
8443/tcp open https-alt
9080/tcp open glrpc
10000/tcp open snet-sensor-mgmt
Slide colour key: red = IP / MAC restricted; grey = router proxies.
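To turn the netstat/nmap comparison above into a repeatable check, here is an added Python example (not from the slides) that parses `netstat -nlp` output, classifies each listener by its bind address, and cross-references the ports nmap reported open. The netstat text is constructed to match the slide's listing, with the Proto/Recv-Q/Send-Q/Foreign-Address columns netstat actually prints; the `intended_public` set (22, 80, 443) is an assumption about which services are meant to face the Internet.

```python
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port pid program exposure")

# Constructed sample: the slide's `netstat -nlp | grep tcp` listing, with the
# columns netstat prints but the slide trimmed.
SAMPLE_NETSTAT = """\
tcp   0 0 0.0.0.0:9080        0.0.0.0:* LISTEN 1804/varnishd
tcp   0 0 127.0.0.1:25        0.0.0.0:* LISTEN 2583/exim4
tcp   0 0 144.76.185.80:443   0.0.0.0:* LISTEN 1037/pound
tcp   0 0 0.0.0.0:2812        0.0.0.0:* LISTEN 1007/monit
tcp   0 0 127.0.0.1:6082      0.0.0.0:* LISTEN 1799/varnishd
tcp   0 0 0.0.0.0:3306        0.0.0.0:* LISTEN 1727/mysqld
tcp   0 0 127.0.0.1:11211     0.0.0.0:* LISTEN 849/memcached
tcp   0 0 127.0.0.1:6379      0.0.0.0:* LISTEN 946/redis-server 12
tcp   0 0 0.0.0.0:10000       0.0.0.0:* LISTEN 2644/perl
tcp   0 0 144.76.185.80:80    0.0.0.0:* LISTEN 1037/pound
tcp   0 0 0.0.0.0:22          0.0.0.0:* LISTEN 851/sshd
tcp6  0 0 :::9080             :::*      LISTEN 1804/varnishd
tcp6  0 0 ::1:25              :::*      LISTEN 2583/exim4
tcp6  0 0 :::8443             :::*      LISTEN 1779/apache2
tcp6  0 0 :::8080             :::*      LISTEN 1779/apache2
tcp6  0 0 :::22               :::*      LISTEN 851/sshd
"""

# Ports the slide's nmap run reported open from outside.
NMAP_OPEN = {80, 443, 554, 7070, 8080, 8443, 9080, 10000}

LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s+(\d+)/(.+?)\s*$")


def classify(addr):
    """Who can reach a socket bound to this address, before any firewall is applied."""
    if addr in ("127.0.0.1", "::1"):
        return "loopback"
    if addr in ("0.0.0.0", "::"):
        return "all-interfaces"
    return "specific-ip"


def parse_netstat(text):
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, pid, program = m.groups()
        addr, port = local.rsplit(":", 1)  # IPv6 addresses contain ':', so split from the right
        listeners.append(Listener(proto, addr, int(port), int(pid), program, classify(addr)))
    return listeners


def review(listeners, nmap_open, intended_public):
    """Cross-check what the host listens on against what the outside world can reach."""
    local_ports = {l.port for l in listeners}
    wide_open = {l.port for l in listeners if l.exposure != "loopback"}
    return {
        # reachable from outside although not meant to be public: firewall or rebind these
        "exposed_unintended": sorted((nmap_open & wide_open) - intended_public),
        # bound to every interface but filtered by the firewall: one rule away from exposure
        "firewalled_but_bound_wide": sorted(wide_open - nmap_open - intended_public),
        # open from outside with no local listener: something upstream (router, proxy) answers
        "open_without_local_listener": sorted(nmap_open - local_ports),
    }


if __name__ == "__main__":
    result = review(parse_netstat(SAMPLE_NETSTAT), NMAP_OPEN, intended_public={22, 80, 443})
    for key, ports in result.items():
        print(f"{key}: {ports}")
```

Run against the slide's data this reports 8080, 8443, 9080 and 10000 as reachable but unintended (the apache2, varnish and webmin listeners), 2812 and 3306 (monit, mysqld) as bound to every interface and saved only by the firewall, and 554/7070 as answered by something other than this host, which is the slide's "router proxies" note.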
SERVER: CONFIGURE YOUR FIREWALL
Allow if: whitelisted, allowed port, not blocked, rate ok.
Otherwise: reject / drop.
NETWORK: ATTACKS & BLOCK LISTS
"The IP 195.154.47.128 has just been banned by Fail2Ban after 3 attempts against ssh."
Diagram on the slide: a compromised zombie (195.154.47.12 in the picture) attacks the initial server on any port, e.g. SSH brute force or CVE-2016-2118 (a.k.a. BADLOCK).
1. Firewall / IPSET on the initial server: block and drop the source IP.
2. Log.
3. Report to blocklist.
4. Source / share lists of bad IPs.
5. Firewall / IPSET on any other server: block on first visit; exclude whitelist.
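The Fail2Ban-style flow above (count attempts, ban, drop via IPSET, share the list, never ban the whitelist) as an added Python example; it is not the slides' or Fail2Ban's own code. It reads constructed sshd and Apache access-log lines (the addresses and hostname are made up; the probe paths come from the "low hanging fruit" slide) and renders the ipset/iptables commands as strings rather than running them. The thresholds, the set name and the whitelist are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample logs (documentation/private ranges, not real attackers).
SSHD_LOG = """\
Jun 15 10:49:01 web1 sshd[2201]: Invalid user admin from 195.154.47.128
Jun 15 10:49:03 web1 sshd[2203]: Invalid user nagios from 195.154.47.128
Jun 15 10:49:05 web1 sshd[2205]: Invalid user ubnt from 195.154.47.128
Jun 15 10:50:12 web1 sshd[2210]: Invalid user test from 10.0.0.5
Jun 15 10:51:00 web1 sshd[2212]: Accepted publickey for deploy from 203.0.113.9 port 51234 ssh2
"""

ACCESS_LOG = """\
198.51.100.23 - - [15/Jun/2016:10:52:01 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 209
198.51.100.23 - - [15/Jun/2016:10:52:02 +0000] "GET /backup.sql HTTP/1.1" 404 209
198.51.100.23 - - [15/Jun/2016:10:52:03 +0000] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 209
203.0.113.9 - - [15/Jun/2016:10:52:10 +0000] "GET /robots.txt HTTP/1.1" 200 64
203.0.113.9 - - [15/Jun/2016:10:52:11 +0000] "GET /wp-login.php HTTP/1.1" 404 209
"""

# A few of the paths from the slide's logwatch "known hacks" list; a real deployment
# would load the full list from a file.
PROBE_PATHS = {
    "/admin/fckeditor/editor/filemanager/upload/php/upload.php",
    "/wp-config.php.bak", "/wp-login.php", "/backup.sql",
    "//phpMyAdmin/scripts/setup.php", "/jenkins/login", "/joomla/administrator",
}

SSH_INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')


def count_offences(sshd_log, access_log):
    """Return {ip: Counter(ssh=n, web=n)} for the events the slides treat as hostile."""
    offences = defaultdict(Counter)
    for line in sshd_log.splitlines():
        m = SSH_INVALID_RE.search(line)
        if m:
            offences[m.group(2)]["ssh"] += 1
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(2).split("?", 1)[0] in PROBE_PATHS:
            offences[m.group(1)]["web"] += 1
    return offences


def decide_bans(offences, whitelist, ssh_threshold=3, web_threshold=2):
    """Apply the slide's rule: ban after N attempts, but never a whitelisted address."""
    nets = [ipaddress.ip_network(w) for w in whitelist]
    banned = []
    for ip, counts in sorted(offences.items()):
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue  # monitoring hosts, office ranges, the backup server
        if counts["ssh"] >= ssh_threshold or counts["web"] >= web_threshold:
            banned.append(ip)
    return banned


def ipset_commands(banned, setname="blocklist"):
    """Render the drop rules as ipset/iptables commands (strings only; nothing runs here)."""
    cmds = [f"ipset create {setname} hash:ip -exist"]
    cmds += [f"ipset add {setname} {ip} -exist" for ip in banned]
    cmds.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return cmds


if __name__ == "__main__":
    bans = decide_bans(count_offences(SSHD_LOG, ACCESS_LOG), whitelist=["10.0.0.0/8"])
    print("\n".join(ipset_commands(bans)))
```

The list returned by `decide_bans` is what gets reported and shared; a server consuming a shared list feeds it straight into `ipset_commands`, which is the "block on first visit" step, and the whitelist check is what keeps your own monitoring and backup hosts out of the set.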
SERVER: INFORMATION LEAKAGE
Check with: $ curl -I http://www.yoursite.com
Before:
HTTP/1.1 200 OK
Date: Wed, 15 Jun 2016 10:49:58 GMT
Server: Apache/2.4.10 (Debian PHP 5.6.22-0+deb8u1 OpenSSL 1.0.1t)
Last-Modified: Tue, 19 Apr 2016 17:02:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: en-gb
X-Powered-By: PHP/5.6.22-0+deb8u1
X-Generator: Drupal 7 (http://drupal.org)
After:
HTTP/1.1 200 OK
Date: Wed, 15 Jun 2016 10:49:58 GMT
Server: Apache
Last-Modified: Tue, 19 Apr 2016 17:02:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: en-gb
php.ini:
;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;
expose_php = Off
Apache config:
# ServerTokens
ServerTokens Prod
ServerSignature Off
Header always unset 'X-Powered-By'
APPLICATION LEVEL ATTACKS
https://blog.sucuri.net/2016/05/sucuri-hacked-report-2016q1.html
DRUPAL SECURITY
https://www.drupal.org/security-advisory-policy
CONTROL YOUR APPLICATION ENVIRONMENT
Migrate all .htaccess to vhosts
Get a static IP
Limit what files can be read
Limit where PHP can be 'run'
Restrict file permissions (640 / 440)
Update your CMS
DENY ACCESS TO SENSITIVE FILES
Disallow access to files by type:
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
  Require all denied
</FilesMatch>
Disallow access to hidden directories (e.g. .git):
<IfModule mod_rewrite.c>
  RewriteEngine On
  # Keep /.well-known/ reachable, block every other path that starts with a dot.
  RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
  RewriteCond %{SCRIPT_FILENAME} -d [OR]
  RewriteCond %{SCRIPT_FILENAME} -f
  RewriteRule "(^|/)\." - [F]
</IfModule>
<DirectoryMatch "^/.*/\.git+/">
  Require all denied
</DirectoryMatch>
.well-known: use for standard files (favicon, DNT, letsencrypt etc.), see:
https://tools.ietf.org/html/rfc5785
https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
https://www.drupal.org/node/2408321
LIMIT PHP EXECUTION
<Directory /var/www/yoursite/htdocs/sites/default/files>
# Turn off all options we don't need.
Options None
Options +SymLinksIfOwnerMatch
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
</Directory>
Protect folders: tmp, files and private folders and any others.
Note you will need these in the folders as .htaccess too, just to stop Drupal complaining.
No PHP files other than index.php, and no text files other than robots.txt, unless the visitor authenticates or comes from your static IP:
# Negative lookahead: every .php or .txt except index.php and robots.txt needs
# either a valid user or a listed address (Apache 2.4 treats multiple Require
# lines at this level as "any of these").
<FilesMatch "^(?!index\.php$|robots\.txt$).*\.(php|txt)$">
  AuthName "Restricted"
  AuthUserFile /etc/apache2/.htpasswds/passwdfile
  AuthType Basic
  Require valid-user
  # Your static IP:
  Require ip 123.123.123.123
  Require ip 127.0.0.1
</FilesMatch>
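Because Apache's FilesMatch patterns are PCRE, they can be checked offline before they go anywhere near a vhost. This added Python example (not from the slides or from Drupal) runs the Drupal sensitive-file pattern and the "only index.php and robots.txt" rule against constructed filenames, and contrasts a lookahead-based rule with a naive version that uses a character class: `[^index]` means "one character that is not i, n, d, e or x", not "not index", so what such a rule protects is accidental. The filenames are the example's own.

```python
import re

# The Drupal FilesMatch pattern from the slide above. Apache's FilesMatch is an
# unanchored PCRE search, which re.search reproduces for this syntax.
DRUPAL_SENSITIVE = re.compile(
    r"\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|"
    r"theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$"
    r"|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$"
    r"|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$"
)

# Intent of the second rule: only index.php and robots.txt are fetchable without auth.
# A negative lookahead says exactly that.
AUTH_REQUIRED = re.compile(r"^(?!index\.php$|robots\.txt$).*\.(php|txt)$")

# A naive attempt at the same rule, kept here to show the pitfall: [^index] is a
# character class, not a negated word, so which files it catches depends on the
# letter before ".php".
AUTH_REQUIRED_NAIVE = re.compile(r"([^index].php|[^myrobots|robots].*.txt)$")

# Constructed filenames: Drupal core scripts, a backup copy, an htpasswd file, assets.
SAMPLE_FILES = [
    "index.php", "robots.txt", "settings.php", "admin.php", "cron.php", "update.php",
    "xmlrpc.php", "README.txt", "settings.php.bak", ".htpasswd", "composer.json",
    "backup.sql", "style.css",
]


def classify(name):
    """Which rules a request for this filename would trip."""
    return {
        "denied_outright": bool(DRUPAL_SENSITIVE.search(name)),
        "auth_required": bool(AUTH_REQUIRED.search(name)),
        "auth_required_naive": bool(AUTH_REQUIRED_NAIVE.search(name)),
    }


def unprotected_by_naive(names):
    """Files the lookahead rule challenges but the character-class version serves freely."""
    return [n for n in names
            if classify(n)["auth_required"] and not classify(n)["auth_required_naive"]]


def served_without_restriction(names):
    """Files neither rule touches: what an anonymous visitor can fetch."""
    return [n for n in names
            if not classify(n)["denied_outright"] and not classify(n)["auth_required"]]


if __name__ == "__main__":
    for n in SAMPLE_FILES:
        print(f"{n:20} {classify(n)}")
    print("naive rule leaves unprotected:", unprotected_by_naive(SAMPLE_FILES))
    print("public:", served_without_restriction(SAMPLE_FILES))
```

With these inputs the naive rule happens to challenge settings.php and xmlrpc.php but waves admin.php, cron.php and update.php straight through, because the character before ".php" in those names is one of i, n, d, e, x; the lookahead rule leaves exactly index.php, robots.txt and style.css public.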
LIMIT PHP EXECUTION
DO YOUR PHP FILES NEED TO BE IN THE DOCROOT?
https://www.drupal.org/node/2767907
APPLICATION LEVEL ATTACKS
mod_evasive: requires configuration; Slowloris; know your traffic levels.
mod_security: requires configuration; know your application patterns; cautious whitelisting.
Diagram on the slide: mod_evasive and mod_security on each server feed syslog and the Apache logs; the firewall and the shared blocklist act as the servers' immune system.
HTTPS EVERYWHERE
http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html
http://www.httpvshttps.com
The usual objections: "I don't take credit cards", "It's slower?", "What about http resources?", "Can't afford wildcard SSL and letsencrypt doesn't do wildcards".
https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives
SECURE IN TRANSIT
Setup HTTPS / TLS
Free certificates
Strong Ciphers
Upgrade insecure requests
Strict Transport Security (HSTS)
Pin public keys
Audit TLS
TLS AUDIT
Not just for the A+: consider other browsers / agents, e.g. Screaming Frog on OSX / Java.
CASE STUDY
Your page is everyone's canvas: a third-party embed writes its own <style>, <iframe> and <script> into your page, e.g.
<style type="text/css">.gm-style .gm-style-cc span,.gm-style .gm-style-cc a,.gm-style .gm-style-mtc div{font-size:10px}</style>
BROWSER BASED ATTACKS
Cross-site scripting - XSS
Cross-site request forgery - CSRF
Clickjacking - Frames
Check out: https://mathiasbynens.github.io/rel-noopener/
SECURE HEADERS
X-Content-Type-Options: nosniff
Guards against "drive-by download attacks" by preventing IE & Chrome from MIME-sniffing a response away from the declared content-type.
X-Frame-Options: DENY
Provides clickjacking protection.
X-XSS-Protection: 1; mode=block
Configures the XSS audit facilities in IE & Chrome.
X-Permitted-Cross-Domain-Policies: none
Adobe-specific header that controls whether Flash & PDFs can access cross-domain data - read the crossdomain.xml.
XSS - CROSS SITE SCRIPTING
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.
X-XSS-Protection: 0 (disable XSS filter/auditor)
X-XSS-Protection: 1 (remove unsafe parts; this is the default setting if no X-XSS-Protection header is present)
X-XSS-Protection: 1; mode=block (do not render the document if XSS is found)
http://blog.innerht.ml/the-misunderstood-x-xss-protection/
SECURE HEADERS
Strict-Transport-Security: max-age=31536000; includeSubDomains
(the env=HTTPS on the slide is the Apache directive's condition: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS, so the header is only sent on HTTPS responses)
Informs the UA that all communications should be treated as HTTPS. Prevents MiTM & SSL-stripping attacks.
Public-Key-Pins
By specifying the fingerprint of certain cryptographic identities, you can force the UA to only accept those identities going forwards.
Content-Security-Policy:
Provides details about the sources of resources the browser can trust, e.g. images, scripts, CSS, frames (both ancestors & children).
See https://securityheaders.io
CSRF - CROSS SITE REQUEST FORGERY
An attack that forces an end user to execute unwanted actions.
Drupal protects you against this.
CONTENT SECURITY POLICY
Typical elements: default-src, script-src, style-src, img-src, font-src, child-src, frame-ancestors
Others: connect-src, media-src, object-src, form-action, upgrade-insecure-requests, block-all-mixed-content, sandbox, reflected-xss, base-uri, manifest-src, plugin-types, referrer
How to test: Content-Security-Policy-Report-Only, report-uri
Audit!
CONTENT SECURITY POLICY
Content-Security-Policy:
default-src 'self';
img-src * data:;
style-src 'self' 'unsafe-inline' *.googleapis.com f.fontdeck.com;
font-src 'self' *.gstatic.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com *.googleapis.com *.jquery.com *.google.com google.com *.newrelic.com *.nr-data.net connect.facebook.net;
connect-src 'self';
frame-ancestors 'self' *.facebook.com;
frame-src 'self' *.facebook.com;
report-uri https://xyz.report-uri.io/r/default/csp/enforce
Reports: https://report-uri.io/account/reports/csp/
CONTENT SECURITY POLICY
Policy contraventions are reported by the browser: https://report-uri.io/account/reports/csp/
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Cache-Control: max-age=2592000
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; img-src 'self' data: *.gravatar.com *.google.com *.googleapis.com www.google-analytics.com syndication.twitter.com *.gstatic.com; style-src 'self' 'unsafe-inline' *.googleapis.com; font-src 'self' *.googleapis.com *.gstatic.com; script-src 'self' 'unsafe-inline' www.google-analytics.com s7.addthis.com platform.twitter.com *.googleapis.com *.gstatic.com *.google.com google.com ; connect-src 'self';frame-src 'self' platform.twitter.com syndication.twitter.com;
X-Permitted-Cross-Domain-Policies: none
Content-Language: en-gb
Age: 95666
X-Cache: HIT
X-Cache-Hits: 40
Server: cloudflare-nginx
SECURITY HEADERS
@Scott_Helme
CONTENT SECURITY POLICY
Mozilla CSP Policy directives
CSP Builder
https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives
https://report-uri.io/home/generate
Drupal Modules
https://www.drupal.org/project/seckit
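An added Python example (not from the slides, securityheaders.io or seckit) that checks a captured response against the header checklist above and parses the CSP into its directives. The two header dumps are constructed from the leaky "before" response and the hardened response shown on the slides, with the CSP abbreviated; the one-year HSTS minimum and the 'unsafe-inline'/'unsafe-eval' checks follow the deck's recommendations, and the finding strings are the example's own.

```python
import re

# Constructed sample inputs, abbreviated from the two header dumps on the slides:
# the leaky response and the hardened one (which, as shown there, carries no HSTS).
LEAKY = """\
HTTP/1.1 200 OK
Date: Wed, 15 Jun 2016 10:49:58 GMT
Server: Apache/2.4.10 (Debian PHP 5.6.22-0+deb8u1 OpenSSL 1.0.1t)
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.6.22-0+deb8u1
X-Generator: Drupal 7 (http://drupal.org)
"""

HARDENED = """\
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; img-src 'self' data: *.gravatar.com; style-src 'self' 'unsafe-inline' *.googleapis.com; script-src 'self' 'unsafe-inline' www.google-analytics.com; connect-src 'self'; frame-src 'self' platform.twitter.com
X-Permitted-Cross-Domain-Policies: none
Server: cloudflare-nginx
"""

ONE_YEAR = 31536000  # the max-age the slides use for HSTS


def parse_headers(raw):
    """Header name (lower-cased) -> value; the status line and blank lines are skipped."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(policy):
    """'default-src a b; img-src c' -> {'default-src': ['a', 'b'], 'img-src': ['c']}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit(raw):
    """Return the list of findings for one response, in checklist order."""
    h = parse_headers(raw)
    findings = []
    # Information leakage: software names and versions that can be matched to advisories.
    for name in ("x-powered-by", "x-generator"):
        if name in h:
            findings.append(f"leak: {name}")
    if re.search(r"\d+\.\d+", h.get("server", "")):
        findings.append("leak: server version")
    # Browser-side protections the slides list.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing: X-Content-Type-Options nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("missing: X-Frame-Options")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("missing: HSTS with max-age >= one year")
    csp = h.get("content-security-policy")
    if not csp:
        findings.append("missing: Content-Security-Policy")
        return findings
    directives = parse_csp(csp)
    # script-src falls back to default-src when absent, so check whichever applies.
    script = directives.get("script-src", directives.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in script:
            findings.append(f"weak csp: script-src allows {weak}")
    for name, sources in directives.items():
        if "*" in sources:
            findings.append(f"weak csp: {name} allows *")
    return findings


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit(raw))
```

Against the slide's own hardened response this still reports two things worth knowing: there is no Strict-Transport-Security header in that dump, and script-src carries 'unsafe-inline', which the deck's analytics and widget snippets need but which removes most of the XSS protection a CSP is meant to give. Feed `audit` the text of `curl -I` and the leaky response produces the full list of seven findings.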
SECURITY THREATS & MEASURES
Brute-forcing -> Firewall
Phishing -> Keys / 2FA
XSS -> Headers
Clickjacking -> CSP
CSRF -> Tokens
SSL stripping -> HSTS
FINAL THOUGHTS
• Bake your principles into practices - Ansible, immutable infrastructure
• Follow some opsec people: @Scott_Helme, @troyhunt, @ivanristic, @briankrebs
• Does your site have to be dynamic?
• Letsencrypt - HTTPS
• Security is a department, not a one-off
• Learn your attack surface, test on Tor
• VPN, password apps, two-factor authentication
• Work together (bad IPs, honeypot, block list) - don't hit back
DON'T HIT BACK
QUESTIONS
