Drupal Security: Securing your Configuration
Justin C. Klein Keane, University of Pennsylvania School of Arts and Sciences Information Security and Unix Systems

Security Responsibility
- Drupal API protects sites from many threats
- Module code may have holes, but it's tough to find them on your own
- By definition you need to delegate privilege
- Enforcing safe configuration is just a mouse click away

Why Bother?
- "I'm running a small site, who would want to attack it?"
- "I back up every night, if it goes down I can just restore?"
- "I'm the only admin, so vulnerabilities don't actually affect users."

Logical Fallacy
- You don't know what the attacker is after!
  - Bandwidth
  - Blackhat SEO
  - Spam
  - Drive-by download
  - JavaScript port scanning
  - Hosting an RFI text file
  - On, and on, and on...

Risk Analysis
- Everyone should gauge their own risk
- Threat x Likelihood x Impact = Risk
- How can you judge likelihood?
- What about unknown threats?
- You may not think of security problems before they affect your site

Sample Attack Pattern
1. Enumerate user accounts
2. Brute force (guess) passwords
3. Log in as a low-privilege user
4. Escalate privilege
5. Take over the web server process
6. Establish a shell account
7. Escalate privilege to root

Real World Attack Pattern
1. Attacker identifies reflected XSS
2. Attacker links to your reflected XSS
3. Search engine crawls the link, which reflects to the attacker's site
4. Attacker's site gains search rank based on your site

Other Attack Patterns
- Attacker discovers the ability to post content
  - Attacker posts stored XSS
  - Attacker posts to the site with a link to malware (trust exploitation)
  - Attacker spams your site
- Attacker brute forces a site account
  - Account has the same credentials as a shell account
- Possibilities are endless

Account = Privilege = Danger!
- Accounts have specific privileges
- Some privileges are super dangerous:
  - Administer content types
  - Administer filters
  - Administer users
  - Administer permissions
  - Administer site configuration

PHP through Web UI = THREAT
- If attackers can write PHP it's game over
- Jealously protect PHP permissions
- Users with PHP can destroy the site by accident
- Poorly coded PHP can introduce other vulns!

Permissions to Create Content
- Created content could mean:
  - Stored XSS
  - Stored XSRF
  - Hijacked message
  - Exploited trust
  - Spam
  - Drive-by download
  - And on and on...

Privilege Continued
- Don't tree the Drupal permissions form!

Use Roles
- Create roles to subdivide permissions to only those users who actually need them.

Limit Access to User Profiles
- Consider using the RealName module
- Limit access to authenticated users

Creating Profiles
- Don't allow anonymous users to create new accounts (or they will)
- Be careful what permissions these accounts could get

Don't E-mail Passwords!
- Remove '!password' tokens!
- The login link works just fine

Limit PHP
- If you aren't using the PHP input type, get rid of it
- Delete php in the /modules directory
  - This will remove the PHP input format filter
- Make sure no role has any permission with 'PHP' in the description
- Monitor your permission assignments
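One way to carry out the "monitor your permission assignments" check against the dangerous grants listed on the earlier slide, as an added example that is not part of the original deck: it assumes you have exported the Drupal 6 `permission` table as `rid|role name|perms` lines (the sample rows are constructed), and it treats a risky grant on the anonymous or authenticated role as critical, since those roles reach every visitor or every self-registered account.

```python
# Audit Drupal role permissions for the grants the deck calls dangerous.
# Added example, not from the slides. Assumes a text export of the Drupal 6
# `permission` table as  rid|role name|perms  (perms = Drupal's comma-separated
# string); the sample rows below are constructed.

# Grants the slides single out, plus anything mentioning PHP (checked separately).
DANGEROUS = {
    "administer content types",
    "administer filters",
    "administer users",
    "administer permissions",
    "administer site configuration",
}
EVERYONE_RIDS = {1, 2}  # Drupal's anonymous and authenticated role ids

# Constructed export (not from a real site).
SAMPLE_EXPORT = """\
1|anonymous user|access content
2|authenticated user|access content, create story content, use PHP for block visibility
3|editor|access content, administer filters, create page content
4|site admin|administer users, administer permissions, administer site configuration
"""

def parse_export(text):
    """Yield (rid, role_name, set_of_perms) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            rid, name, perms = line.split("|", 2)
            yield int(rid), name, {p.strip() for p in perms.split(",") if p.strip()}

def risky_grants(perms):
    """Sorted list of the grants in `perms` that the slides warn about."""
    return sorted(p for p in perms if p in DANGEROUS or "php" in p.lower())

def audit(text):
    """Map each role holding a risky grant to its grants and a severity:
    'critical' on the anonymous/authenticated roles, otherwise 'high'."""
    findings = {}
    for rid, name, perms in parse_export(text):
        grants = risky_grants(perms)
        if grants:
            severity = "critical" if rid in EVERYONE_RIDS else "high"
            findings[name] = {"severity": severity, "grants": grants}
    return findings

if __name__ == "__main__":
    for role, f in audit(SAMPLE_EXPORT).items():
        print(f"[{f['severity']}] {role}: {', '.join(f['grants'])}")
```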

Refine Input Types
- Restrict HTML input

Modules
- Modules are the #1 way vulnerabilities get to your site
- Don't use pre-release modules, no matter what the help forums say!
  - They aren't suitable for production
  - They're not supported by the Drupal security team
  - They're buggy by definition!

File Uploads
- Be careful what files can be uploaded

Restrict Error Reporting
- MySQL errors aren't helpful to users and can give away configuration details.

Mitigation
- Defensive strategies help to defend your Drupal site

Defense in Depth
- If you can't prevent, detect!
- Several core modules help

Defense in Depth
- Review your logs to detect
- Or use an automated system like OSSEC
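What "review your logs to detect" can look like for the account-enumeration and password-guessing steps of the sample attack pattern earlier in the deck, as an added example that is not part of the original slides: it assumes watchdog rows exported as `epoch|type|hostname|message` (that column layout is an assumption; the failed-login wording is Drupal 6 core's) and the sample rows are constructed.

```python
# Detect the account-guessing pattern from the deck in Drupal watchdog output.
# Added example, not from the slides. Assumes watchdog rows exported as
#   epoch|type|hostname|message   (column layout is an assumption; the failed-
# login wording is Drupal 6 core's). Sample rows are constructed.
from collections import defaultdict

FAIL_MSG = "Login attempt failed for "
WINDOW = 300         # seconds a burst must fit in
PER_USER = 5         # failures against one account => password guessing
PER_HOST = 10        # failures from one host => noisy source
DISTINCT_USERS = 4   # accounts tried from one host => enumeration

SAMPLE_LOG = "\n".join(
    [f"{1000 + i * 10}|user|203.0.113.9|Login attempt failed for admin." for i in range(6)]
    + [f"{1200 + i * 7}|user|203.0.113.9|Login attempt failed for {u}."
       for i, u in enumerate(["bob", "carol", "dave", "erin"])]
    + ["1300|user|198.51.100.4|Login attempt failed for alice.",
       "1305|user|198.51.100.4|Session opened for alice."]
)

def parse(text):
    """Return (ts, host, user) for each failed-login row; other rows are skipped."""
    events = []
    for line in text.splitlines():
        ts, _type, host, msg = line.split("|", 3)
        if msg.startswith(FAIL_MSG):
            events.append((int(ts), host, msg[len(FAIL_MSG):].rstrip(".")))
    return events

def burst(times, n, window=WINDOW):
    """True if some `window`-second span contains at least n timestamps."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= n:
            return True
    return False

def detect(text):
    """Flag guessed accounts, noisy hosts and hosts trying many account names."""
    by_user, by_host, names = defaultdict(list), defaultdict(list), defaultdict(set)
    for ts, host, user in parse(text):
        by_user[user].append(ts)
        by_host[host].append(ts)
        names[host].add(user)
    return {
        "guessed_accounts": sorted(u for u, t in by_user.items() if burst(t, PER_USER)),
        "noisy_hosts": sorted(h for h, t in by_host.items() if burst(t, PER_HOST)),
        "enumerating_hosts": sorted(h for h, s in names.items() if len(s) >= DISTINCT_USERS),
    }
```

Running `detect(SAMPLE_LOG)` flags `admin` as a guessed account and `203.0.113.9` as both a noisy and an enumerating host, while the single failure from `198.51.100.4` stays below every threshold.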