Save 37% off PRO during our Black Friday Sale! »

DDD17 - Web Applications Automated Security Testing in a Continuous Delivery Pipeline

Fdeabaecd044c39cb7d75b104b0aff7c?s=47 Fedir RYKHTIK
March 21, 2017
Technology
0
300

DDD17 - Web Applications Automated Security Testing in a Continuous Delivery Pipeline

Slides from "Web Applications Automated Security Testing in a Continuous Delivery Pipeline" workshop, made during Drupal Developers Days 2017 at Seville, Spain

Fdeabaecd044c39cb7d75b104b0aff7c?s=128

Fedir RYKHTIK

March 21, 2017
Tweet

More Decks by Fedir RYKHTIK

See All by Fedir RYKHTIK
Fdeabaecd044c39cb7d75b104b0aff7c?s=48 fedir
0
83
Fdeabaecd044c39cb7d75b104b0aff7c?s=48 fedir
0
410
Fdeabaecd044c39cb7d75b104b0aff7c?s=48 fedir
0
20
Fdeabaecd044c39cb7d75b104b0aff7c?s=48 fedir
0
180
Fdeabaecd044c39cb7d75b104b0aff7c?s=48 fedir
0
450
Fdeabaecd044c39cb7d75b104b0aff7c?s=48 fedir
2
1.3k
Fdeabaecd044c39cb7d75b104b0aff7c?s=48 fedir
0
68
Fdeabaecd044c39cb7d75b104b0aff7c?s=48 fedir
0
160
Fdeabaecd044c39cb7d75b104b0aff7c?s=48 fedir
0
160

Other Decks in Technology

See All in Technology
5c4a9121473a13463ca3d8c0cf6d3152?s=48 o3
2
370
484571ccba0db66b69dc11761afdd0c4?s=48 chiroito
1
170
73c9d1065e0075a9da6e404e08fe77fb?s=48 siroitori0413
0
130
208eaad444edf8029cba3bbd1c0cc864?s=48 takumiogawa
6
3.2k
5d9cd19df0e91caac118b793b4f803d5?s=48 takefumiyoshii
2
1.1k
7cd783377515bdf8207062840b7b2f4e?s=48 soracom
PRO
2
180
8d80af14296180866264212adbfb587e?s=48 godan
0
150
156a7b659a9b4aba83a8c0a33515a06f?s=48 e11i0t_4lders0n
1
1.2k
D0f5daa7cc3a26140c06ea29e5e235cc?s=48 noriyukitakei
0
560
7602f2751868682b296171f58589c851?s=48 lyrixx
3
230
40638b9e3a098313234f358d35103735?s=48 y150saya
0
920
50bc42471d197d0dbef7171f2ef85bb6?s=48 comucal
PRO
0
220

Featured

See All Featured
91cefdf141106fa10674aae74ce05890?s=48 yeseniaperezcruz
307
33k
A0517b08532aec8ab2aae3f65d40ad86?s=48 hannesfritz
32
1.2k
5f83ef806155b403c3393160ce51f955?s=48 jlugia
218
16k
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
373
43k
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
11
1.2k
Fe6b81005d1553accd6b2a28f6a2bef1?s=48 phodgson
92
4.2k
C4de88ea47538e4594750e3861a341c8?s=48 brettharned
96
3.6k
828ace851b606e1206900f26459f55ad?s=48 speakerdeck
PRO
2
470
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
25
950
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
15
750
Bfd6b681ec6e8c9bef82ff0521c364f7?s=48 kastner
56
2.1k
462dad0dd24c568a32dcdb0ae895ae1b?s=48 rasmusluckow
318
19k

Transcript

  1. Web Applications Automated Security Testing in a Continuous Delivery Pipeline

    At #DrupalDevDaysSeville by @FedirFr

  2. About this workshop • Duration 2 hours • 100% open

    source powered • Intermediate technical level required • Oriented Developers / QA / Operations / CTO / ... • Interactive, study-oriented ...

  3. Workshop content • Theoretical part • Introduction to Web security

    ◦ Major security risks ◦ Pentesting types • Insecure code • Drupalxploitable project • Practical part • Vulnerable site create / study • Manual security testing with scanners • Manual security testing using Zed Attack Proxy GUI • Automated security testing

  4. Introduction in Web Security

  5. Major Risks

  6. Pentesting methods - Black-box • We don't know what is

    inside • Testing as an external user

  7. Pentesting methods - Grey-box • We have advanced access to

    the project

  8. Pentesting methods - White-box • We know all about the

    project • We have the access to the project code

  9. Manual Penetration Testing Scanner Target

  10. Manual Penetration Testing with Proxy Web browser Attack Proxy Target

  11. Automating Penetration Testing Web browser Attack Proxy Target Security Framework

    CI Bugtraceker

  12. Classical continuous delivery model - https://en.wikipedia.org/wiki/Continuous_delivery

  13. How to write (in)secure code for Drupal 8

  14. Current situation for Drupal 8 • https://www.drupal.org/docs/8/security/writing-secure-code-for-drupal-8 a. Sanitizing on

    output to avoid Cross Site Scripting (XSS) attacks : t(), Html::escape Xss::filter() or Xss::filterAdmin() b. Checking URLs UrlHelper::stripDangerousProtocols(), UrlHelper::filterBadProtocol(), SafeMarkup::format(). c. Use the database abstraction layer to avoid SQL injection attacks

  15. Bad code example - SQL Injection db_query('SELECT foo FROM {table}

    t WHERE t.name = '. $_GET['user']); Exploit example : https://www.exploit-db.com/exploits/34993/

  16. Bad code example - XSS exploits - --- modules/system/system.admin.inc 2013-04-03

    17:29:52.000000000 -0400 +++ modules/system/system.admin.inc 2013-08-07 10:47:29.277279676 -0400 @@ -979,10 +979,10 @@ function _system_modules_build_row($info ); // Set the basic properties. $form['name'] = array( - - '#markup' => $info['name'], + '#markup' => check_plain($info['name']), ); $form['description'] = array( - - '#markup' => t($info['description']), + '#markup' => t("@desc", array('@desc' => $info['description'])), ); $form['version'] = array( '#markup' => $info['version'], http://seclists.org/fulldisclosure/2013/Aug/158

  17. There are much more risks ... SQL, HTML, iFrame, SSI,

    OS Command, PHP, XML, XPath, LDAP, Host Header and SMTP injections Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF) AJAX and Web Services issues (jQuery/JSON/XML/SOAP/WSDL) Authentication, authorization and session issues, file upload flaws and backdoor files Arbitrary file access, directory traversals, local and remote file inclusions (LFI/RFI) Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures,... HTTP parameter pollution, HTTP response splitting and HTTP verb tampering Insecure DistCC, FTP, NTP, Samba, SNMP, VNC and WebDAV configurations HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues XML External Entity attacks (XXE) and Server Side Request Forgery (SSRF) Heartbleed and Shellshock vulnerability (OpenSSL), Denial-of-Service (DoS) attacks Parameter tampering, cookie and password reset poisoning ...

  18. Drupalxploitable

  19. About Drupalxploitable • Purposefully vulnerables Drupal installation • Basically :

    “a very crappy Drupal site” • Open source (github)

  20. Existing projects in PHP world Damn Vulnerable Web Application (DVWA)

    http://www.dvwa.co.uk/ Mutillidae http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10 WebGoatPHP https://github.com/shivamdixit/WebGoatPHP buggy web application http://www.itsecgames.com/

  21. And even standalone distribution Metasploitable https://sourceforge.net/projects/metasploitable/

  22. Practical part

  23. Used infrastructure • Virtualbox VM ◦ Ubuntu 16.04 LTS server

    64 bit ◦ Jenkins CI ◦ OWASP ZAP, sqlmap, CMSMap ... ◦ Drupal 8 vulnerable site for manual and automatic testing

  24. SSH Access from host by 2222 port (mapped to 22)

    $ ssh drupal@127.0.0.1 -p 2222 SSH credentials : root / password Jenkins Access from the host: http://127.0.0.1:8180/ Internal VM access: http://127.0.0.1:8080/ Admin credentials : admin / password Drupal / Apache Access from the host: http://127.0.0.1:8280/ Internal VM access: http://127.0.0.1/ Admin credentials : drupal / drupal Virtualbox - Services description

  25. sqlmap python sqlmap.py -v 2 --url=http://127.0.0.1/user/ --user-agent=SQLMAP --delay=1 --retries=2 --keep-alive

    --threads=5 --batch --dbms=MySQL --os=Linux --level=5 --risk=2 --banner --is-dba --dbs --tables --technique=BEUST -s /tmp/scan_report.txt --flush-session -t /tmp/scan_trace.txt --fresh-queries

  26. CMSmap python cmsmap.py -t http://127.0.0.1 -f D https://github.com/Dionach/CMSmap

  27. droopescan droopescan scan drupal -u http://127.0.0.1/ -t 8 https://github.com/droope/droopescan

  28. gauntlt https://github.com/gauntlt/gauntlt https://github.com/gauntlt/gauntlt-demo/tree/master/examples Uses natural language in a Given, When,

    Then Gherkin syntax to describe security requirements as features.

  29. bdd-security https://github.com/continuumsecurity/bdd-security https://www.continuumsecurity.net/bdd-security/ Selenium + OWASP ZAP + Nessus +

    SSLyze + Internal security tools

  30. OWASP ZAP

  31. OWASP ZAP - Simple scan zap-cli quick-scan --self-contained --start-options '-config

    api.disablekey=true' http://127.0.0.1/ zap-cli --api-key coeoobt6fof9k4g3iajshtnp7v quick-scan --self-contained --spider -r http://127.0.0.1/ * API key could be found in ~/.ZAP/config.xml of current user.

  32. OWASP ZAP - Simple scan with ZAPR zapr --debug --summary

    http://127.0.0.1

  33. OWASP ZAP - Running as a daemon /opt/zaproxy/zap.sh -daemon -host

    0.0.0.0 -port 8480 Also, Docker usage possible : https://github.com/zaproxy/zaproxy/wiki/Docker

  34. OWASP ZAP - Plugins management Install all plugins, take some

    time : su jenkins /opt/zaproxy/zap.sh -daemon -host 0.0.0.0 -port 8480 -addoninstallall Install selected plugin : su jenkins /opt/zaproxy/zap.sh -daemon -host 0.0.0.0 -port 8480 -addoninstall exportreport * Plugins will be installed in the ~/.ZAP folder of user, who launches ZAP. ** Plugins keys could be found here : https://github.com/zaproxy/zap-extensions/releases

  35. OWASP ZAP https://github.com/zaproxy/zaproxy/wiki/Docker zap.sh -daemon -host 0.0.0.0 -port 8480 zap-x.sh

    -daemon -host 0.0.0.0 -port 8080 zap-cli quick-scan --self-contained \ --start-options '-config api.disablekey=true' http://target

  36. Configure Jenkins CI security project

  37. Ubuntu server VM Jenkins CI Server Drupalxploitable Owasp ZED Attack

    Proxy Report results Run security scan Drupal automated security testing model

  38. Jenkins CI - Plugins used • Official OWASP ZAP Jenkins

    Plugin • Environment Injector Plugin

  39. Jenkins - OWASP ZAP Plugin - Configuration https://wiki.jenkins-ci.org/display/JENKINS/ZAProxy+Plugin

  40. Ressources • https://martijnvanlambalgen.wordpress.com/2015/10/18/automating-your-vulnerability-scan-with-owasp-zap/ • https://www.securify.nl/blog/SFY20150303/automating_security_tests_using_owasp_zap_and_jenkins.html • https://tools.pentestbox.org/ • https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project •

    http://connect.ed-diamond.com/MISC/MISC-087/Pourquoi-inclure-la-securite-dans-votre-pipeline-DevOps • https://www.owasp.org/index.php/Automated_Audit_using_SQLMap • https://myexploit.wordpress.com/information-gathering-sqlmap/ • https://insights.sei.cmu.edu/devops/2016/01/adding-security-to-your-devops-pipeline.html • https://www.slideshare.net/wickett/pragmatic-security-and-rugged-devops-sxsw-2015 • https://es.slideshare.net/StephendeVries2/automating-security-tests-for-continuous-integration • https://www.drupal.org/docs/8/security/writing-secure-code-for-drupal-8 • https://www.drupal.org/node/101496 • https://www.drupal.org/taxonomy/term/127 • https://www.owasp.org/index.php/How_to_write_insecure_code • https://es.slideshare.net/StephendeVries2/continuous-and-visible-security-testing-with-bddsecurity • https://theagileadmin.com/2015/12/03/security-tooling-delivered-by-docker/

  41. Special thanks • To my company @AgenceStratis, which understands the

    importance of open source culture and supports it • To Mikke Schirén (@mikkdroid) from wunderkraut, who really helped us with Jenkins 2 configuration during the workshop day • To Drupal Developer Days Sevilla team for great organization of the event.