© Ibuildings 2014/2015 - All rights reserved #DrupalDaysEU Verifying Drupal modules with OWASP ASVS 2014

Verifying Drupal modules with OWASP ASVS 2014



Gold Sponsors


Media Sponsors

Silver Sponsors


During this workshop we'll be going more in-depth into how to audit a Drupal site. We'll be using OWASP ASVS 2014 and a Drupal 7 site which you will have to prove to be vulnerable.

Intro


During this interactive workshop we'll be discussing and demonstrating basic and advanced examples of the following vulnerabilities:

• Injection of various kinds (JavaScript, HTML, SQL, XML, etc.)

• Missing Authentication or Authorization

• Cross Site Request Forgery (CSRF)

• Denial of Service

• Abuse of functionality

• Information Leakage

• and more.

A laptop with VirtualBox installed is advised.

Intro


• 09:30 - 10:00 Setup & Theory

• 10:00 - 11:00 Auditing

• 11:00 - 11:30 Fixing

• 11:30 - 12:30 Break

• 12:30 - 13:00 Fixing

• 13:00 - 13:30 Presenting

Schedule


Setup


• VirtualBox

• Vagrant

• https://github.com/ibuildingsnl/insecured7

InsecureD7


• /Volumes/IBUILDINGS/edd15-verify-workshop/vm/insecured7.ova

• Shared folder

• /etc/fstab

• Host-only network

• Symlink: ln -sf src docroot/profiles/insecured7

Getting the VM up and running


Theory


Slide: illustrative verification matrix. Columns: level 1, level 2, level 3. Rows: chapter 1 with requirements 1.1, 1.2, 1.3 and chapter 2 with requirements 2.1, 2.2, 2.3; an X marks the levels at which each requirement applies.


• Level 0 - Bullshit compliance level (0)

• Level 1 - Opportunistic (47)

• Level 2 - Standard (136)

• Level 3 - Advanced (164)

Level up!


• V1. Authentication

• V2. Session Management

• V3. Access Control

• V4. Input Validation

• V5. Cryptography (at Rest)

• V6. Error Handling and Logging

• V7. Data Protection

• V8. Communication Security

• V9. HTTP Security

• V10. Malicious Controls

• V11. Business Logic

• V12. Files and Resources

• V13. Mobile

ASVS Chapters


V1.4. Verify that credentials and all other identity information handled by the application do not traverse unencrypted or weakly encrypted links.

(level 1, 2 & 3)

An example


• Content-Security-Policy

• X-Frame-Options

• X-Content-Type-Options

• HTTP Strict Transport Security (HSTS)

Security Kit

http://ibuildings.nl/blog/2013/03/4-http-security-headers-you-should-always-be-using


Adds the 'modules-usages-status' (mus) Drush command.

Generate a CSV listing of all modules with their versions and associated usage counts.

This can be used as input into security auditing scope.

Drupal Security Tool Usage


Questions?

Auditing

    <?php
    global $requirements;

    $report = "";
    do {
        // Take the next requirement off the list, audit the site against it,
        // append the result to the report and put the requirement back so the
        // loop keeps cycling through all of them until the break.
        $requirement = array_pop($requirements);
        $audit_results = do_audit_with($requirement);
        $report .= $audit_results;
        $requirements[] = $requirement;
    } while (time() < strtotime('2015-03-19 12:30:00 CET'));

auditing.php


Break


Fixing


Presenting


5 lucky participants will give a 5 minute presentation on their results from the audit and fixing.

Presenting


The End