END TO END WEB SECURITY
TAKE YOUR HEAD OUT OF THE SAND AND DELIVER YOUR WEB PAGES SECURELY
Beginner's guide
http://map.norsecorp.com/#/
GEORGE BOOBYER
DRUPAL: iAUGUR

GEORGE@BLUE-BAG.COM
TWITTER: iBLUEBAG
www.blue-bag.com
Established in 2000
WEB SECURITY
Threats, culprits & examples
Threats & how they work
How can we guard against them
Server Environment Security
Application level security
Transport Security
Browser based security
Questions
HACKERS: WHO / WHAT ARE THEY
Defacers
Content injection
Data Breaches
"Hactivists"
Intruders: Parasites / Squatters / Malware

Angler EK / Nautilus / Necurs
Layer 7 attacks - HTTP flood
DEFACED SITES
Examples redacted
Home page replaced with hacker's banner
CONTENT INJECTION PARASITES
<script> location.href='http://www.fashionheel-us.com/';</script>
Body overwritten with redirect
USER AGENT SPECIFIC PARASITES
User-Agent:Googlebot/2.1 (+http://www.googlebot.com/bot.html)
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) Chrome/51.0.2704.84 Safari/537.36
SOME EXAMPLES
Data breach Vulnerable systems
HIGH PROFILE DATA BREACHES
@TROYHUNT
HACKERS: HACKER ON HACKER
Hacking team vs Phineas
Albanian hitman
http://pastebin.com/raw/0SNSvyjJ
HACKERS: HACKER ON TERROR
Anonymous
INTRUDERS / BOTNETS
Parasites / Squatters
Malware / Ransomware
Angler EK / Nautilus
Necurs / Locky
DDOS / FLOOD ATTACKS
Layer 4: UDP flood, SYN flood, DNS attacks
Layer 7: XML-RPC, HTTP GET/POST, Slowloris
IP Stressers, Booters and shells
HACKERS: THEY HAVE IT EASY
Open configuration files
Browsable folders

Out of date CMS
Phishing / Social Engineering
Leverage other breaches / password reuse
Search Engines
MISCONFIGURATIONS: SAVED COPIES OF SENSITIVE FILES
MISCONFIGURATIONS: DIRECTORY BROWSING
navigable / readable config files
HTTPS KEEPS YOU SAFE - RIGHT?
Not if your settings.php is readable
Shells
ANYTHING BUT COSMETIC: TAKING CONTROL
HACKERS: HOW THEY FEED - LOW HANGING FRUIT
Internet of things: shodan.io
Google Dorks
Exploit-db
Drive by
Show off: zone-h
Example to locate Drupalgeddon vulnerable sites - redacted
HACKERS: HOW THEY FEED - LOW HANGING FRUIT
Normal day: Attempts to use known hacks by 255 hosts were logged 753 time(s)
/admin/fckeditor/editor/filemanager/upload/php/upload.php
/wp-config.php.bak
/wp-login.php
/backup.sql
/Ringing.at.your.dorbell!
/admin/assets/ckeditor/elfinder/php/connector.php
/wp-admin/admin-ajax.php?action=revslider_ajax_action
//phpMyAdmin/scripts/setup.php
/SQLite/SQLiteManager-1.2.4/main.php
/jenkins/login
/joomla/administrator
/wp-content/plugins/sell-downloads/sell-downloads.php?file=../../.././wp-config.php
/modules/coder/LICENSE.txt
/modules/restws/LICENSE.txt
/sites/all/modules/webform_multifile/LICENSE.txt
SSHD Illegal users:
admin
nagios
ubnt
fluffy
guest
info
library
linux
oracle
shell
test
unix
webmaster
.....
WEB SECURITY
How can we guard against threats
Server Environment Security
Application level security
Transport Security
Browser based security
ATTACK SURFACES
Coffee shop wifi
XSS
CSRF
Frames
Clickjacking
SSL stripping
SPHERES OF PROTECTION
[Diagram: concentric spheres of protection. Innermost: CMS. Then Apache with mod_security and mod_evasive. Then Network / FW and WAF. Then TLS 'at large' security: WAN network, 3rd parties. Outermost, the browser: secure headers, XSS/CSRF protection, info. disclosure, HTTPS.]
ATTACK SURFACES
Server (Layer 3)
Other servers (backup, monitoring, local)
Application / Layer 7
In transit
The browser
SERVER: PORTS ARE OPEN DOORS
Know what ports you have open, what is listening on them and who can access.
On the server:
$ netstat -nlp | grep tcp
0.0.0.0:9080 LISTEN 1804/varnishd
127.0.0.1:25 LISTEN 2583/exim4
144.76.185.80:443 LISTEN 1037/pound
0.0.0.0:2812 LISTEN 1007/monit
127.0.0.1:6082 LISTEN 1799/varnishd
0.0.0.0:3306 LISTEN 1727/mysqld
127.0.0.1:11211 LISTEN 849/memcached
127.0.0.1:6379 LISTEN 946/redis-server 12
0.0.0.0:10000 LISTEN 2644/perl
144.76.185.80:80 LISTEN 1037/pound
0.0.0.0:22 LISTEN 851/sshd
:::9080 LISTEN 1804/varnishd
::1:25 LISTEN 2583/exim4
:::8443 LISTEN 1779/apache2
:::8080 LISTEN 1779/apache2
:::22 LISTEN 851/sshd
From outside:
$ nmap xxx.xxx.xxx.xxx
Not shown: 990 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
554/tcp open tsp
7070/tcp open realserver
8080/tcp open http-proxy
8443/tcp open https-alt
9080/tcp open glrpc
10000/tcp open snet-sensor-mgmt
Red: IP / MAC restricted
Grey: Router proxies
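The "know what is listening and who can access it" check from the slide, as an added example that is not part of the deck: a small Python parser for `netstat -nlp` output that classifies every TCP listener by its bind address (loopback only, one interface, or every interface) and lists the all-interface listeners on ports that were never meant to be public. The netstat lines are constructed for the example (documentation-range addresses, the same daemons as the slide), and the set of ports expected to be public (80 and 443) is an assumption you would adjust per host.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `netstat -nlp | grep tcp` output on a Linux
# host. The addresses come from documentation ranges; the daemons mirror the slide.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:9080            0.0.0.0:*               LISTEN      1804/varnishd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2583/exim4
tcp        0      0 192.0.2.10:443          0.0.0.0:*               LISTEN      1037/pound
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1727/mysqld
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      849/memcached
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      2644/perl
tcp6       0      0 :::8080                 :::*                    LISTEN      1779/apache2
tcp6       0      0 ::1:25                  :::*                    LISTEN      2583/exim4
tcp6       0      0 :::22                   :::*                    LISTEN      851/sshd
"""

LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s+(\S+)")


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    program: str
    exposure: str  # "local", "one-interface" or "all-interfaces"


def split_addr(local):
    """Split 'addr:port'; rpartition keeps IPv6 forms like ':::22' and '::1:25' intact."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def classify(addr):
    """Who can reach this socket, judged from the bind address alone."""
    if addr in ("127.0.0.1", "::1"):
        return "local"
    if addr in ("0.0.0.0", "::"):
        return "all-interfaces"
    return "one-interface"


def parse_listeners(text):
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, program = m.groups()
        addr, port = split_addr(local)
        listeners.append(Listener(proto, addr, port, program, classify(addr)))
    return listeners


def exposed_services(listeners, expected_public=frozenset({80, 443})):
    """Listeners bound to every interface on ports that were not meant to be public.
    Each one needs either a firewall rule or a rebind to 127.0.0.1."""
    return [l for l in listeners
            if l.exposure == "all-interfaces" and l.port not in expected_public]


if __name__ == "__main__":
    for l in exposed_services(parse_listeners(SAMPLE_NETSTAT)):
        print(f"{l.proto:<5} port {l.port:<6} {l.program:<16} bound to {l.addr}")
```

The bind address only says who could connect; as the slide's legend shows (red ports are IP/MAC restricted at the firewall), the list this produces is the set of ports to cross-check against the nmap run from outside, not a list of holes by itself.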
SERVER: CONFIGURE YOUR FIREWALL
Allow if: white listed, allowed port, not blocked, rate ok
Otherwise: reject / drop
NETWORK: ATTACKS & BLOCK LISTS
The IP 195.154.47.128 has just been banned by Fail2Ban after 3 attempts against ssh.
[Diagram, steps 1-5: an attack (SSH brute force, CVE-2016-2118 a.k.a. BADLOCK) from a compromised zombie hits the initial server; the firewall blocks and drops it via IPSET on any port; the event is logged and reported to a blocklist; lists of bad IPs are sourced and shared so any other server blocks the same address on first visit; the whitelist is excluded.]
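The ban-and-share loop in the diagram, as an added example (not the deck's code and not Fail2Ban itself): count failed SSH logins per source in sshd log lines, ban after the slide's three attempts unless the source is whitelisted, merge the result with a list shared by other servers so they can block on first visit, and emit the `ipset add` lines a firewall would consume. The log lines are constructed for the example; the set name `blocklist` and the whitelisted deploy host are assumptions.

```python
import re
from collections import Counter

# Constructed sshd auth-log lines (documentation-range IPs); the usernames are the
# kind that appear in the deck's "SSHD Illegal users" list.
SAMPLE_AUTH_LOG = """\
Jun 15 10:49:01 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 52110 ssh2
Jun 15 10:49:03 web1 sshd[2201]: Failed password for invalid user nagios from 198.51.100.7 port 52111 ssh2
Jun 15 10:49:05 web1 sshd[2201]: Failed password for invalid user ubnt from 198.51.100.7 port 52112 ssh2
Jun 15 10:50:11 web1 sshd[2210]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jun 15 10:51:40 web1 sshd[2215]: Failed password for invalid user oracle from 192.0.2.44 port 33001 ssh2
Jun 15 10:51:42 web1 sshd[2215]: Failed password for invalid user test from 192.0.2.44 port 33002 ssh2
Jun 15 10:51:44 web1 sshd[2215]: Failed password for invalid user guest from 192.0.2.44 port 33003 ssh2
Jun 15 10:52:00 web1 sshd[2220]: Accepted publickey for deploy from 192.0.2.44 port 33010 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def count_failures(log_text):
    """Failed SSH logins per source IP, plus the usernames each source tried."""
    attempts = Counter()
    users = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        user, ip = m.groups()
        attempts[ip] += 1
        users.setdefault(ip, set()).add(user)
    return attempts, users


def decide_bans(attempts, threshold=3, whitelist=frozenset()):
    """Fail2Ban-style rule: ban a source after `threshold` failures, never a whitelisted one."""
    return sorted(ip for ip, n in attempts.items()
                  if n >= threshold and ip not in whitelist)


def merge_blocklist(local_bans, shared_list, whitelist=frozenset()):
    """'Block on first visit': our own bans plus a list shared by other servers,
    with the whitelist taken out last so it always wins."""
    return sorted((set(local_bans) | set(shared_list)) - set(whitelist))


def ipset_commands(ips, setname="blocklist"):
    """Shell lines that feed the decisions into an ipset; iptables consumes the set with
    e.g. `iptables -I INPUT -m set --match-set blocklist src -j DROP`."""
    return [f"ipset add {setname} {ip}" for ip in ips]


if __name__ == "__main__":
    attempts, users = count_failures(SAMPLE_AUTH_LOG)
    bans = decide_bans(attempts, whitelist={"192.0.2.44"})  # assumed: our own deploy host
    for ip in bans:
        print(ip, sorted(users[ip]))
    shared = ["203.0.113.200"]  # constructed entry from another server's list
    print("\n".join(ipset_commands(merge_blocklist(bans, shared, {"192.0.2.44"}))))
```

The whitelist is subtracted after the merge on purpose: a shared list is only as trustworthy as its weakest contributor, and the one thing that must never happen is a partner's list locking you out of your own servers.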
SERVER: INFORMATION LEAKAGE
$ curl -I http://www.yoursite.com
Before:
HTTP/1.1 200 OK
Date: Wed, 15 Jun 2016 10:49:58 GMT
Server: Apache/2.4.10 (Debian PHP 5.6.22-0+deb8u1 OpenSSL 1.0.1t)
Last-Modified: Tue, 19 Apr 2016 17:02:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: en-gb
X-Powered-By: PHP/5.6.22-0+deb8u1
X-Generator: Drupal 7 (http://drupal.org)
After:
HTTP/1.1 200 OK
Date: Wed, 15 Jun 2016 10:49:58 GMT
Server: Apache
Last-Modified: Tue, 19 Apr 2016 17:02:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: en-gb
php.ini:
;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;
expose_php = Off
Apache config:
ServerTokens Prod
ServerSignature Off
Header always unset "X-Powered-By"
APPLICATION LEVEL ATTACKS
https://blog.sucuri.net/2016/05/sucuri-hacked-report-2016q1.html
DRUPAL SECURITY
https://www.drupal.org/security-advisory-policy
CONTROL YOUR APPLICATION ENVIRONMENT
Migrate all .htaccess to vhosts
Get a static IP
Limit what files can be read
Limit where PHP can be 'run'
Restrict file permissions (640 / 440)
Update your CMS
DENY ACCESS TO SENSITIVE FILES
Disallow access to files by type:
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
  Require all denied
</FilesMatch>
Disallow access to hidden directories (e.g. .git):
<IfModule mod_rewrite.c>
  RewriteEngine On
  # Block "hidden" files and directories whose names begin with a period, except /.well-known/
  RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
  RewriteCond %{SCRIPT_FILENAME} -d [OR]
  RewriteCond %{SCRIPT_FILENAME} -f
  RewriteRule "(^|/)\." - [F]
</IfModule>
<DirectoryMatch "^/.*/\.git/">
  Require all denied
</DirectoryMatch>
.well-known: use for standard files: favicon, DNT, letsencrypt etc.
see:
https://tools.ietf.org/html/rfc5785
https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
https://www.drupal.org/node/2408321
LIMIT PHP EXECUTION
<Directory /var/www/yoursite/htdocs/sites/default/files>
# Turn off all options we don't need.
Options None
Options +SymLinksIfOwnerMatch
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
</Directory>
Protect folders: tmp, files and private folders and any others.
Note you will need these in the folders as .htaccess too, just to stop Drupal complaining.
No PHP files other than index.php; no text files other than robots.txt:
# PCRE negative lookahead: everything ending in .php or .txt except index.php / robots.txt
<FilesMatch "^(?!(index\.php|robots\.txt)$).*\.(php|txt)$">
  AuthName "Restricted"
  AuthUserFile /etc/apache2/.htpasswds/passwdfile
  AuthType Basic
  # Apache 2.4: several Require lines at the same level are OR'd (any one of them satisfies)
  Require valid-user
  # your static IP
  Require ip 123.123.123.123
  Require ip 127.0.0.1
</FilesMatch>
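Why the FilesMatch pattern matters, as an added example that is not part of the deck: Apache's FilesMatch evaluates PCRE, and Python's re module treats these patterns the same way, so the deny rule and both versions of the "everything but index.php / robots.txt" rule can be tested offline against a list of filenames. The slide's original pattern `[^index].php` is a character class, not a negation of the word, so files such as admin.php, cron.php and update.php slip through it; the lookahead form catches them. The filenames and the comparison are constructed for this example.

```python
import re

# The deck's "deny sensitive files" pattern (Drupal's .htaccess style) with the
# backslashes the slide lost restored; Apache's FilesMatch uses PCRE, so Python's
# re module evaluates it the same way for these patterns.
SENSITIVE_RE = re.compile(
    r"\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|"
    r"theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$"
    r"|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$"
    r"|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$"
)

# The "everything but index.php / robots.txt" rule exactly as the slide shows it.
# [^index] is a character class (one char that is not i, n, d, e or x), not a
# negation of the word, so this does not mean what it looks like.
BUGGY_EXCEPTION_RE = re.compile(r"([^index].php|[^myrobots|robots].*.txt)$")

# The intended meaning, written with a negative lookahead.
FIXED_EXCEPTION_RE = re.compile(r"^(?!(index\.php|robots\.txt)$).*\.(php|txt)$")


def is_sensitive(filename):
    """Would the FilesMatch deny rule block this file outright?"""
    return SENSITIVE_RE.search(filename) is not None


def needs_auth(filename, pattern=FIXED_EXCEPTION_RE):
    """Would the auth/IP-restricted FilesMatch rule apply to this file?"""
    return pattern.search(filename) is not None


def unprotected(filenames, pattern):
    """Files that neither the deny rule nor the given exception rule covers."""
    return [f for f in filenames if not is_sensitive(f) and not needs_auth(f, pattern)]


# Constructed sample: things a Drupal docroot can contain, plus a few of the
# filenames the deck's log excerpt shows being probed.
SAMPLE_FILES = ["index.php", "robots.txt", "update.php", "cron.php", "admin.php",
                "wp-config.php.bak", "backup.sql", ".htaccess", "composer.json",
                "LICENSE.txt", "settings.php", "views.module"]

if __name__ == "__main__":
    for f in SAMPLE_FILES:
        print(f"{f:<20} deny={is_sensitive(f)!s:<6} auth(fixed)={needs_auth(f)!s:<6} "
              f"auth(slide)={needs_auth(f, BUGGY_EXCEPTION_RE)}")
    print("slipping past the slide's regex:", unprotected(SAMPLE_FILES, BUGGY_EXCEPTION_RE))
```

Note that the deny rule does not touch LICENSE.txt, which the trawler log on the earlier slide shows being requested to fingerprint installed modules; it is the second rule, with the lookahead, that puts those behind authentication.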
LIMIT PHP EXECUTION
DO YOUR PHP FILES NEED TO BE IN THE DOCROOT?
https://www.drupal.org/node/2767907
APPLICATION LEVEL ATTACKS
MOD EVASIVE: requires configuration; Slowloris; know your traffic levels
MOD SECURITY: requires configuration; know your application patterns; cautious whitelisting
[Diagram: an "immune system" linking mod_evasive, mod_security, Apache logs, syslog and the firewall on each server to a blocklist shared across servers.]
HTTPS EVERYWHERE
http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html
http://www.httpvshttps.com
I don't take credit cards
It's slower?
What about http resources
Can't afford wildcard SSL and letsencrypt doesn't do wildcards
SECURE IN TRANSIT
Setup HTTPS / TLS
Free certificates
Strong Ciphers
Upgrade insecure requests
Strict Transport Security (HSTS)
Pin public keys
Audit TLS
TLS AUDIT
Not just for the A+
Consider other browsers / agents, e.g. Screaming Frog on OSX / Java
CASE STUDY
Your page is everyone's canvas
<style type="text/css">.gm-style .gm-style-cc span,.gm-style .gm-style-cc a,.gm-style .gm-style-mtc div{font-size:10px}</style>
<iframe> <script>
BROWSER BASED ATTACKS
Cross-site scripting - XSS
Cross-site request forgery - CSRF
Click jacking - Frames
Check out: https://mathiasbynens.github.io/rel-noopener/
SECURE HEADERS
X-Content-Type-Options: nosniff
Guards against "drive-by download attacks" by preventing IE & Chrome from MIME-sniffing a response away from the declared content-type.
X-Frame-Options: DENY
Provides Clickjacking protection
X-XSS-Protection: 1; mode=block
Configures the XSS audit facilities in IE & Chrome
X-Permitted-Cross-Domain-Policies: none
Adobe specific header that controls whether Flash & PDFs can access cross domain data - read the crossdomain.xml
XSS - CROSS SITE SCRIPTING
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.
X-XSS-Protection: 0 (disable XSS filter/auditor)
X-XSS-Protection: 1 (remove unsafe parts; this is the default setting if no X-XSS-Protection header is present)
X-XSS-Protection: 1; mode=block (do not render the document if XSS is found)
http://blog.innerht.ml/the-misunderstood-x-xss-protection/
SECURE HEADERS
Strict-Transport-Security: max-age=31536000; includeSubDomains
(Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS)
Informs the UA that all communications should be treated as HTTPS. Prevents MiTM & SSL-stripping attacks
Public-Key-Pins
By specifying the fingerprint of certain cryptographic identities, you can force the UA to only accept those identities going forwards.
Content-Security-Policy:
Provides details about the sources of resources the browser can trust, e.g. images, scripts, CSS, frames (both ancestors & children)
See https://securityheaders.io
CSRF - CROSS SITE REQUEST FORGERY
an attack that forces an end user to execute unwanted
actions
Drupal protects you against this
CONTENT SECURITY POLICY
Typical elements: Default Source, Script Source, Style Source, Image Source, Font Source, Child Source, Frame Ancestors, Report Only, Report URI
Others: Connect Source, Media Source, Object Source, Form Action, Upgrade Insecure Requests, Block All Mixed Content, Sandbox, Reflected XSS, Base URI, Manifest Source, Plugin Types, Referrer
How to test: Audit!
CONTENT SECURITY POLICY
Content-Security-Policy:
default-src 'self';
img-src * data:;
style-src 'self' 'unsafe-inline' *.googleapis.com f.fontdeck.com;
font-src 'self' *.gstatic.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com *.googleapis.com *.jquery.com *.google.com google.com *.newrelic.com *.nr-data.net connect.facebook.net;
connect-src 'self';
frame-ancestors 'self' *.facebook.com;
frame-src 'self' *.facebook.com;
report-uri https://xyz.report-uri.io/r/default/csp/enforce
https://report-uri.io/account/reports/csp/
CONTENT SECURITY POLICY
Policy contraventions are reported by the browser :
https://report-uri.io/account/reports/csp/
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Cache-Control: max-age=2592000
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; img-src 'self' data: *.gravatar.com *.google.com *.googleapis.com www.google-analytics.com
syndication.twitter.com *.gstatic.com; style-src 'self' 'unsafe-inline' *.googleapis.com; font-src 'self' *.googleapis.com *.gstatic.com;
script-src 'self' 'unsafe-inline' www.google-analytics.com s7.addthis.com platform.twitter.com *.googleapis.com *.gstatic.com *.google.com
google.com ; connect-src 'self';frame-src 'self' platform.twitter.com syndication.twitter.com;
X-Permitted-Cross-Domain-Policies: none
Content-Language: en-gb
Age: 95666
X-Cache: HIT
X-Cache-Hits: 40
Server: cloudflare-nginx
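The "Audit!" step for the SECURE HEADERS and CONTENT SECURITY POLICY slides, as an added example that is not part of the deck and not securityheaders.io: a Python audit that parses a raw response header block like the `curl -I` dump above, reports which of the headers the deck lists are missing, and parses the CSP into directives to flag the usual weaknesses (`'unsafe-inline'` on script-src or default-src, `'unsafe-eval'`, a bare `*`, no frame-ancestors, no report-uri). The header block is constructed for the example with a shortened policy; the set of headers treated as required is this example's choice, taken from the slides.

```python
import re

# Constructed response headers, modelled on the curl -I dump shown on the slide
# (the CSP is shortened to keep the sample readable).
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Date: Wed, 15 Jun 2016 10:49:58 GMT
Server: cloudflare-nginx
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; img-src 'self' data: *.gravatar.com; style-src 'self' 'unsafe-inline' *.googleapis.com; script-src 'self' 'unsafe-inline' www.google-analytics.com; connect-src 'self'; frame-src 'self' platform.twitter.com
X-Permitted-Cross-Domain-Policies: none
Content-Language: en-gb
"""

# Headers the deck lists, keyed lowercase, with what each one buys you.
REQUIRED = {
    "strict-transport-security": "HSTS: blocks SSL stripping (only meaningful on an HTTPS response)",
    "x-frame-options": "clickjacking protection",
    "x-content-type-options": "stops MIME sniffing",
    "x-xss-protection": "legacy browser XSS auditor",
    "content-security-policy": "tells the browser which sources to trust",
}


def parse_headers(raw):
    """Header block -> {lowercase name: value}; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(policy):
    """'default-src a b; img-src c' -> {'default-src': ['a', 'b'], 'img-src': ['c']}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def missing_headers(headers):
    return sorted(h for h in REQUIRED if h not in headers)


def csp_weaknesses(directives):
    """The things a reviewer flags first in a policy."""
    findings = []
    for name, sources in directives.items():
        if "'unsafe-inline'" in sources and name in ("script-src", "default-src"):
            findings.append(f"{name} allows 'unsafe-inline' (injected inline scripts still run)")
        if "'unsafe-eval'" in sources:
            findings.append(f"{name} allows 'unsafe-eval'")
        if "*" in sources:
            findings.append(f"{name} allows any origin (*)")
    if "frame-ancestors" not in directives:
        findings.append("no frame-ancestors directive (framing relies on X-Frame-Options alone)")
    if "report-uri" not in directives and "report-to" not in directives:
        findings.append("no report-uri: policy violations will never be reported")
    return findings


def audit(raw):
    headers = parse_headers(raw)
    result = {"missing": missing_headers(headers), "csp": []}
    if "content-security-policy" in headers:
        result["csp"] = csp_weaknesses(parse_csp(headers["content-security-policy"]))
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_RESPONSE)
    for h in report["missing"]:
        print("missing:", h, "-", REQUIRED[h])
    for f in report["csp"]:
        print("csp:", f)
```

Run against the slide's own policy this would flag the same `'unsafe-inline'` on script-src that every Drupal 7 site with inline settings scripts ends up carrying; the finding is the starting point for moving those scripts into files, not something the header alone fixes.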
SECURITY HEADERS
@Scott_Helme
CONTENT SECURITY POLICY
Mozilla CSP Policy directives
CSP Builder
https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives
https://report-uri.io/home/generate
Drupal Modules
https://www.drupal.org/project/seckit
SECURITY THREATS & MEASURES
Bruteforcing -> Firewall
Phishing -> Keys/2FA
XSS -> Headers
Click Jacking -> CSP
CSRF -> Tokens
SSL Stripping -> HSTS
FINAL THOUGHTS
• Bake your principles into practices - Ansible - immutable infrastructure
• Follow some Opsec people: @Scott_Helme, @troyhunt, @ivanristic, @briankrebs
• Does your site have to be dynamic?
• Letsencrypt - https.
• Security is a department - not a one off
• Learn your attack surface, test on Tor
• VPN, Password apps, 2Factor Authentication
• Work together (bad ips, honeypot, block list) - don't hit back
DON'T HIT BACK
QUESTIONS

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Kürzlich hochgeladen (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 

End to end web security

  • 1. END TO END WEB SECURITY
    TAKE YOUR HEAD OUT OF THE SAND AND DELIVER YOUR WEB PAGES SECURELY
    Beginner's guide
    http://map.norsecorp.com/#/
  • 2. GEORGE BOOBYER
    DRUPAL: iAUGUR
    GEORGE@BLUE-BAG.COM
    TWITTER: iBLUEBAG
    www.blue-bag.com
    Established in 2000
  • 3. WEB SECURITY
    Threats, culprits & examples
    Threats & how they work
    How can we guard against them
    Server Environment Security
    Application level security
    Transport Security
    Browser based security
    Questions
  • 4. HACKERS: WHO / WHAT ARE THEY
    Defacers
    Content injection
    Data Breaches
    "Hacktivists"
    Intruders: Parasites / Squatters / Malware (Angler EK / Nautilus / Necurs)
    Layer 7 attacks - HTTP flood
  • 5. DEFACED SITES
    Examples redacted
    Home page replaced with hacker's banner
  • 6. HACKERS: WHAT ARE THEY
    Defacers / Malicious
    Content injection
    Data Breaches
    "Hacktivists"
    Intruders: Parasites / Squatters / Malware (Angler EK / Nautilus / Necurs)
    Layer 7 attacks - HTTP flood
  • 7. CONTENT INJECTION PARASITES
    <script> location.href='http://www.fashionheel-us.com/';</script>
    Body overwritten with redirect
  • 9. USER AGENT SPECIFIC PARASITES
    User-Agent: Googlebot/2.1 (+http://www.googlebot.com/bot.html)
  • 10. USER AGENT SPECIFIC PARASITES
    User-Agent: Googlebot/2.1 (+http://www.googlebot.com/bot.html)
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) Chrome/51.0.2704.84 Safari/537.36
  • 11. HACKERS: WHAT ARE THEY
    Defacers / Malicious
    Content injection
    Data Breaches
    "Hacktivists"
    Intruders: Parasites / Squatters / Malware (Angler EK / Nautilus / Necurs)
    Layer 7 attacks - HTTP flood
  • 12. SOME EXAMPLES
    Data breach
    Vulnerable systems
  • 13. HIGH PROFILE DATA BREACHES @TROYHUNT
  • 14. HACKERS: WHAT ARE THEY
    Defacers / Malicious
    Content injection
    Data Breaches
    "Hacktivists"
    Intruders: Parasites / Squatters / Malware (Angler EK / Nautilus / Necurs / Locky)
    Layer 4 & 7 attacks - HTTP flood
  • 15. HACKERS: HACKER ON HACKER Hacking team vs Phineas Albanian hitman http://pastebin.com/raw/0SNSvyjJ
  • 16. HACKERS: HACKER ON TERROR Anonymous
  • 17. HACKERS: WHAT ARE THEY
    Defacers / Malicious
    Content injection
    Data Breaches
    "Hacktivists"
    Intruders / Botnets
    Layer 4 & 7 attacks - HTTP flood
  • 18. INTRUDERS / BOTNETS
    Parasites / Squatters
    Malware / Ransomware
    Angler EK / Nautilus
    Necurs / Locky
  • 19. HACKERS: WHAT ARE THEY
    Defacers / Malicious
    Content injection
    Data Breaches
    "Hacktivists"
    Intruders / Botnets
    Ransom: Layer 4 & 7 attacks - HTTP flood
  • 20. DDOS / FLOOD ATTACKS
    Layer 4: UDP Flood, SYN Flood, DNS Attacks
    Layer 7: XML-RPC, HTTP GET/POST, Slowloris
    IP Stressers, Booters and shells
  • 21. HACKERS: THEY HAVE IT EASY
    Open configuration files
    Browsable folders
    Out of date CMS
    Phishing / Social Engineering
    Leverage other breaches / password reuse
    Search Engines
  • 22. MISCONFIGURATIONS: SAVED COPIES OF SENSITIVE FILES
  • 24. HTTPS KEEPS YOU SAFE - RIGHT? Not if your settings.php is readable
  • 25. HACKERS: THEY HAVE IT EASY
    Open configuration files
    Browsable folders
    Out of date CMS
    Phishing / Social Engineering
    Leverage other breaches / password reuse
    Search Engines
    Shells
  • 26. ANYTHING BUT COSMETIC: TAKING CONTROL
  • 27. HACKERS: THEY HAVE IT EASY
    Open configuration files
    Browsable folders
    Out of date CMS
    Phishing / Social Engineering
    Leverage other breaches / password reuse
    Search Engines
  • 28. HACKERS: THEY HAVE IT EASY
    Open configuration files
    Browsable folders
    Out of date CMS
    Phishing / Social Engineering
    Leverage other breaches / password reuse
    Search Engines
  • 29. HACKERS: HOW THEY FEED - LOW HANGING FRUIT
    Internet of things: shodan.io
    Google Dorks
    Exploit-db
    Drive by
    Show off: zone-h
  • 30. HACKERS: HOW THEY FEED - LOW HANGING FRUIT
    Internet of things: shodan.io
    Google Dorks
    Exploit-db
    Drive by / Trawlers
    Show off: zone-h
    Example to locate Drupalgeddon vulnerable sites - redacted
  • 31. HACKERS: HOW THEY FEED - TRAWLERS
    Normal day: Attempts to use known hacks by 255 hosts were logged 753 time(s)
      /admin/fckeditor/editor/filemanager/upload/php/upload.php
      /wp-config.php.bak
      /wp-login.php
      /backup.sql
      /Ringing.at.your.dorbell!
      /admin/assets/ckeditor/elfinder/php/connector.php
      /wp-admin/admin-ajax.php?action=revslider_ajax_action
      //phpMyAdmin/scripts/setup.php
      /SQLite/SQLiteManager-1.2.4/main.php
      /jenkins/login
      /joomla/administrator
      /wp-content/plugins/sell-downloads/sell-downloads.php?file=../../.././wp-config.php
      /modules/coder/LICENSE.txt
      /modules/restws/LICENSE.txt
      /sites/all/modules/webform_multifile/LICENSE.txt
    SSHD Illegal users: admin nagios ubnt fluffy guest info library linux oracle shell test unix webmaster .....
  • 32. HACKERS: HOW THEY FEED - LOW HANGING FRUIT
    Internet of things: shodan.io
    Google Dorks
    Exploit-db
    Drive by / Trawlers
    Show off: zone-h
  • 33. WEB SECURITY: How can we guard against threats
    Server Environment Security
    Application level security
    Transport Security
    Browser based security
  • 34. ATTACK SURFACES
    Coffee shop wifi
    XSS
    CSRF
    Frames
    Clickjacking
    SSL stripping
  • 35. SPHERES OF PROTECTION (diagram labels)
    CMS
    mod_security / mod_evasive
    Apache
    Network / FW
    WAF
    TLS
    'At Large' Security / 3rd Parties
    WAN Network
    Browser: Secure Headers, XSS/CSRF Protection, Info. Disclosure, HTTPS
  • 36. ATTACK SURFACES
    Server (Layer 3)
    Other servers (backup, monitoring, local)
    Application / Layer 7
    In transit
    The browser
  • 37. SERVER: PORTS ARE OPEN DOORS
    Know what ports you have open, what is listening on them and who can access.
    On the server:
      $ netstat -nlp | grep tcp
      0.0.0.0:9080        LISTEN  1804/varnishd
      127.0.0.1:25        LISTEN  2583/exim4
      144.76.185.80:443   LISTEN  1037/pound
      0.0.0.0:2812        LISTEN  1007/monit
      127.0.0.1:6082      LISTEN  1799/varnishd
      0.0.0.0:3306        LISTEN  1727/mysqld
      127.0.0.1:11211     LISTEN  849/memcached
      127.0.0.1:6379      LISTEN  946/redis-server
      0.0.0.0:10000       LISTEN  2644/perl
      144.76.185.80:80    LISTEN  1037/pound
      0.0.0.0:22          LISTEN  851/sshd
      :::9080             LISTEN  1804/varnishd
      ::1:25              LISTEN  2583/exim4
      :::8443             LISTEN  1779/apache2
      :::8080             LISTEN  1779/apache2
      :::22               LISTEN  851/sshd
    From outside:
      $ nmap xxx.xxx.xxx.xxx
      Not shown: 990 filtered ports
      PORT      STATE SERVICE
      80/tcp    open  http
      443/tcp   open  https
      554/tcp   open  tsp
      7070/tcp  open  realserver
      8080/tcp  open  http-proxy
      8443/tcp  open  https-alt
      9080/tcp  open  glrpc
      10000/tcp open  snet-sensor-mgmt
    Legend: red = IP / MAC restricted; grey = router proxies
  • 38. SERVER: CONFIGURE YOUR FIREWALL
    Allow if: white listed, allowed port, not blocked, rate ok
    Otherwise: Reject / Drop
  • 39. NETWORK: ATTACKS & BLOCK LISTS
    "The IP 195.154.47.128 has just been banned by Fail2Ban after 3 attempts against ssh."
    Diagram (labels recovered): attacks such as SSH brute force or CVE-2016-2118 (a.k.a. BADLOCK) from a compromised zombie hit the initial server; its firewall blocks / drops the source (IPSET), logs it and reports it to a blocklist; lists of bad IPs are sourced and shared so that any other server's firewall IPSET blocks the same source on first visit, on any port; whitelisted addresses are excluded.
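The slide 39 flow (log the ban, report it, share the list, block on first visit, exclude the whitelist) as an added Python example that is not part of the deck: the ban-line format is the one the slide quotes, while the sample IPs other than the slide's own, the whitelist and the set name `fail2ban_shared` are constructed for the example.

```python
"""Turn Fail2Ban ban notifications into a shareable block list (slide 39).

Added example, not code from the deck: it parses ban lines in the format shown
on the slide, drops whitelisted hosts/ranges, and emits an `ipset restore`
script that any other server can load to "block on first visit".
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: the slide's own ban line plus RFC 5737 documentation addresses.
SAMPLE_LOG = """\
The IP 195.154.47.128 has just been banned by Fail2Ban after 3 attempts against ssh.
The IP 192.0.2.45 has just been banned by Fail2Ban after 5 attempts against ssh.
The IP 198.51.100.7 has just been banned by Fail2Ban after 3 attempts against apache-auth.
The IP 195.154.47.128 has just been banned by Fail2Ban after 3 attempts against apache-auth.
The IP 10.0.0.12 has just been banned by Fail2Ban after 3 attempts against ssh.
Mar  1 10:00:00 host sshd[123]: unrelated line that must be ignored
"""

BAN_RE = re.compile(
    r"The IP (?P<ip>\S+) has just been banned by Fail2Ban "
    r"after (?P<attempts>\d+) attempts against (?P<jail>[\w-]+)\."
)

# Constructed whitelist ("Exclude whitelist" on the slide): an internal range
# and a monitoring host that must never end up in the shared set.
WHITELIST = ["10.0.0.0/8", "203.0.113.10"]


def parse_bans(text):
    """Return (ip, jail, attempts) for every well-formed ban line in text."""
    bans = []
    for line in text.splitlines():
        m = BAN_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address: skip it rather than poison the set
        bans.append((ip, m.group("jail"), int(m.group("attempts"))))
    return bans


def is_whitelisted(ip, whitelist=WHITELIST):
    """True if ip (string or address object) lies inside any whitelisted host or network."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    return any(ip in ipaddress.ip_network(w, strict=False) for w in whitelist)


def build_blocklist(text, whitelist=WHITELIST):
    """Count bans per IP across all jails, excluding whitelisted addresses.

    Returns {ip_string: ban_count} ordered by address.
    """
    hits = Counter()
    for ip, _jail, _attempts in parse_bans(text):
        if not is_whitelisted(ip, whitelist):
            hits[ip] += 1
    ordered = sorted(hits.items(), key=lambda kv: (kv[0].version, int(kv[0])))
    return {str(ip): n for ip, n in ordered}


def to_ipset_restore(blocklist, setname="fail2ban_shared"):
    """Render the block list as input for `ipset restore`.

    Load it with `ipset -exist restore < file` so reloading an updated list is
    idempotent. One rule such as
    `iptables -I INPUT -m set --match-set fail2ban_shared src -j DROP`
    then drops every listed source on any port ("Any Port" on the slide).
    """
    lines = [f"create {setname} hash:ip family inet"]
    lines += [f"add {setname} {ip}" for ip in blocklist]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_ipset_restore(build_blocklist(SAMPLE_LOG)), end="")
```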
  • 40. SERVER: INFORMATION LEAKAGE
    $ curl -I http://www.yoursite.com
      HTTP/1.1 200 OK
      Date: Wed, 15 Jun 2016 10:49:58 GMT
      Server: Apache/2.4.10 (Debian PHP 5.6.22-0+deb8u1 OpenSSL 1.0.1t)
      Last-Modified: Tue, 19 Apr 2016 17:02:36 GMT
      Content-Type: text/html; charset=UTF-8
      Content-Language: en-gb
      X-Powered-By: PHP/5.6.22-0+deb8u1
      X-Generator: Drupal 7 (http://drupal.org)
    After:
      HTTP/1.1 200 OK
      Date: Wed, 15 Jun 2016 10:49:58 GMT
      Server: Apache
      Last-Modified: Tue, 19 Apr 2016 17:02:36 GMT
      Content-Type: text/html; charset=UTF-8
      Content-Language: en-gb
    php.ini:
      ;;;;;;;;;;;;;;;;;
      ; Miscellaneous ;
      ;;;;;;;;;;;;;;;;;
      expose_php = Off
    Apache config:
      # ServerTokens
      ServerTokens Prod
      ServerSignature Off
      Header always unset 'X-Powered-By'
  • 41. ATTACK SURFACES
    Server (Layer 3)
    Other servers (backup, monitoring, local)
    Application / Layer 7
    In transit
    The browser
  • 44. CONTROL YOUR APPLICATION ENVIRONMENT
    Migrate all .htaccess to vhosts
    Get a static IP
    Limit what files can be read
    Limit where PHP can be 'run'
    Restrict file permissions (640 / 440)
    Update your CMS
  • 45. DENY ACCESS TO SENSITIVE FILES
    Disallow access to files by type:
      # Protect files and directories from prying eyes.
      <FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
        Require all denied
      </FilesMatch>
    Disallow access to hidden directories (e.g. .git), while leaving .well-known reachable:
      <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
        RewriteCond %{SCRIPT_FILENAME} -d [OR]
        RewriteCond %{SCRIPT_FILENAME} -f
        RewriteRule "(^|/)\." - [F]
      </IfModule>
      <DirectoryMatch "^/.*/\.git+/">
        Require all denied
      </DirectoryMatch>
    .well-known: use for standard files (favicon, DNT, letsencrypt etc.). See:
      https://tools.ietf.org/html/rfc5785
      https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
      https://www.drupal.org/node/2408321
  • 46. LIMIT PHP EXECUTION
      <Directory /var/www/yoursite/htdocs/sites/default/files>
        # Turn off all options we don't need.
        Options None
        Options +SymLinksIfOwnerMatch
        # Set the catch-all handler to prevent scripts from being executed.
        SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
        <Files *>
          # Override the handler again if we're run later in the evaluation list.
          SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
        </Files>
        # If we know how to do it safely, disable the PHP engine entirely.
        <IfModule mod_php5.c>
          php_flag engine off
        </IfModule>
      </Directory>
    Protect folders: tmp, files and private folders and any others.
    Note you will need these in the folders as .htaccess too, just to stop Drupal complaining.
  • 47. LIMIT PHP EXECUTION
    No PHP files other than index.php
    No text files other than robots.txt
      # Match every .php except index.php and every .txt except robots.txt / myrobots.txt
      <FilesMatch "^(?!index\.php$|robots\.txt$|myrobots\.txt$).*\.(php|txt)$">
        AuthName "Restricted"
        AuthUserFile /etc/apache2/.htpasswds/passwdfile
        AuthType Basic
        # Apache 2.4 treats several Require lines as RequireAny:
        # a valid user, or a request from one of these addresses, gets through.
        Require valid-user
        # <- your static IP
        Require ip 123.123.123.123
        Require ip 127.0.0.1
      </FilesMatch>
  • 48. DO YOUR PHP FILES NEED TO BE IN THE DOCROOT? https://www.drupal.org/node/2767907
  • 49. APPLICATION LEVEL ATTACKS
    MOD EVASIVE: requires configuration; Slowloris; know your traffic levels
    MOD SECURITY: requires configuration; know your application patterns; cautious whitelisting
  • 50. APPLICATION LEVEL ATTACKS (diagram labels recovered: Blocklist, mod_evasive, syslog, Apache logs, Firewall, mod_security, Server, Server, Server, Immune system)
  • 51. HTTPS EVERYWHERE
    http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html
    http://www.httpvshttps.com
    Common objections:
      I don't take credit cards
      It's slower?
      What about http resources
      Can't afford wildcard SSL and letsencrypt doesn't do wildcards
    https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives
  • 52. SECURE IN TRANSIT
    Setup HTTPS / TLS
    Free certificates
    Strong Ciphers
    Upgrade insecure requests
    Strict Transport Security (HSTS)
    Pin public keys
    Audit TLS
  • 53. TLS AUDIT: not just for the A+; consider other browsers / agents, e.g. Screaming Frog on OSX / Java
  • 54. CASE STUDY: Your page is everyone's canvas
    <style type="text/css">.gm-style .gm-style-cc span,.gm-style .gm-style-cc a,.gm-style .gm-style-mtc div{font-size:10px}</style>
    <iframe>
    <script>
  • 55. BROWSER BASED ATTACKS
    Cross-site scripting - XSS
    Cross-site request forgery - CSRF
    Clickjacking - Frames
    Check out: https://mathiasbynens.github.io/rel-noopener/
  • 56. SECURE HEADERS
    X-Content-Type-Options: nosniff
      Guards against "drive-by download attacks" by preventing IE & Chrome from MIME-sniffing a response away from the declared content-type.
    X-Frame-Options: DENY
      Provides Clickjacking protection
    X-Xss-Protection: 1; mode=block
      Configures the XSS audit facilities in IE & Chrome
    X-Permitted-Cross-Domain-Policies: none
      Adobe specific header that controls whether Flash & PDFs can access cross domain data - read the crossdomain.xml
  • 57. XSS - CROSS SITE SCRIPTING
    Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.
    X-XSS-Protection: 0 (disable XSS filter/auditor)
    X-XSS-Protection: 1 (remove unsafe parts; this is the default setting if no X-XSS-Protection header is present)
    X-XSS-Protection: 1; mode=block (do not render the document if XSS is found)
    http://blog.innerht.ml/the-misunderstood-x-xss-protection/
  • 58. SECURE HEADERS
    Strict-Transport-Security: max-age=31536000; includeSubDomains (Apache: env=HTTPS, so it is only sent on HTTPS responses)
      Informs the UA that all communications should be treated as HTTPS. Prevents MiTM & SSL-stripping attacks
    Public-Key-Pins
      By specifying the fingerprint of certain cryptographic identities, you can force the UA to only accept those identities going forwards.
    Content-Security-Policy:
      Provides details about the sources of resources the browser can trust, e.g. images, scripts, CSS, frames (both ancestors & children)
    See https://securityheaders.io
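An added example, not code from the slides, that applies the slide 40 leakage check and the slide 56/58 header list to `curl -I` output: SAMPLE_RESPONSE is slide 40's own "before" response, HARDENED_RESPONSE is constructed from the headers the slides recommend, and the one-year HSTS threshold follows slide 58.

```python
"""Audit a `curl -I` response for information leakage and missing secure headers.

Added example, not code from the deck: it applies the checks from slides 40, 56
and 58 to a raw response. SAMPLE_RESPONSE is the slide-40 "before" output;
HARDENED_RESPONSE is constructed from the headers those slides recommend.
"""
import re

SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Date: Wed, 15 Jun 2016 10:49:58 GMT
Server: Apache/2.4.10 (Debian PHP 5.6.22-0+deb8u1 OpenSSL 1.0.1t)
Last-Modified: Tue, 19 Apr 2016 17:02:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: en-gb
X-Powered-By: PHP/5.6.22-0+deb8u1
X-Generator: Drupal 7 (http://drupal.org)
"""

# Constructed: what the same response looks like after the slides' fixes.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Date: Wed, 15 Jun 2016 10:49:58 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
"""

# Headers that only exist to advertise the software stack (slide 40).
LEAKY_HEADERS = ("x-powered-by", "x-generator")
# A Server value is a finding once it carries a version or a module list,
# i.e. anything beyond what `ServerTokens Prod` would emit.
VERSION_RE = re.compile(r"/\d|\(")


def _max_age(value):
    m = re.search(r"max-age=(\d+)", value)
    return int(m.group(1)) if m else -1


# Hardening headers the slides call for, each with a check on its value.
EXPECTED = {
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-xss-protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
    "x-permitted-cross-domain-policies": lambda v: v.lower() == "none",
    "strict-transport-security": lambda v: _max_age(v) >= 31536000,  # one year
    "content-security-policy": lambda v: "default-src" in v,
}


def parse_headers(raw):
    """Parse `curl -I` output into {lower-case name: value}, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw):
    """Return sorted findings: 'leak: ...', 'missing: ...' or 'weak: ...'."""
    headers = parse_headers(raw)
    findings = []
    for name in LEAKY_HEADERS:
        if name in headers:
            findings.append(f"leak: {name}: {headers[name]}")
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append(f"leak: server: {server}")
    for name, ok in EXPECTED.items():
        if name not in headers:
            findings.append(f"missing: {name}")
        elif not ok(headers[name]):
            findings.append(f"weak: {name}: {headers[name]}")
    return sorted(findings)


if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(label, audit(raw) or ["clean"])
```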
  • 59. CSRF - CROSS SITE REQUEST FORGERY: an attack that forces an end user to execute unwanted actions. Drupal protects you against this.
  • 60. CONTENT SECURITY POLICY
    Typical elements: Default Source, Script Source, Style Source, Image Source, Font Source, Child Source, Frame Ancestors
    Others: Connect Source, Media Source, Object Source, Form Action, Upgrade Insecure Requests, Block All Mixed Content, Sandbox, Reflected XSS, Base URI, Manifest Source, Plugin Types, Referrer
    How to test: Report Only, Report URI. Audit!
  • 61. CONTENT SECURITY POLICY
    Content-Security-Policy:
      default-src 'self';
      img-src * data:;
      style-src 'self' 'unsafe-inline' *.googleapis.com f.fontdeck.com;
      font-src 'self' *.gstatic.com;
      script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com *.googleapis.com *.jquery.com *.google.com google.com *.newrelic.com *.nr-data.net connect.facebook.net;
      connect-src 'self';
      frame-ancestors 'self' *.facebook.com;
      frame-src 'self' *.facebook.com;
      report-uri https://xyz.report-uri.io/r/default/csp/enforce
    https://report-uri.io/account/reports/csp/
  • 62. CONTENT SECURITY POLICY: policy contraventions are reported by the browser: https://report-uri.io/account/reports/csp/
  • 63. SECURITY HEADERS @Scott_Helme
    X-Frame-Options: DENY
    X-Xss-Protection: 1; mode=block
    Cache-Control: max-age=2592000
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self'; img-src 'self' data: *.gravatar.com *.google.com *.googleapis.com www.google-analytics.com syndication.twitter.com *.gstatic.com; style-src 'self' 'unsafe-inline' *.googleapis.com; font-src 'self' *.googleapis.com *.gstatic.com; script-src 'self' 'unsafe-inline' www.google-analytics.com s7.addthis.com platform.twitter.com *.googleapis.com *.gstatic.com *.google.com google.com; connect-src 'self'; frame-src 'self' platform.twitter.com syndication.twitter.com;
    X-Permitted-Cross-Domain-Policies: none
    Content-Language: en-gb
    Age: 95666
    X-Cache: HIT
    X-Cache-Hits: 40
    Server: cloudflare-nginx
  • 64. CONTENT SECURITY POLICY
    Mozilla CSP Policy directives: https://developer.mozilla.org/en/docs/Web/Security/CSP/CSP_policy_directives
    CSP Builder: https://report-uri.io/home/generate
    Drupal Modules: https://www.drupal.org/project/seckit
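An added CSP linter, not part of the deck, that parses the slide 61 policy and flags what the audit step on slide 60 would look for before a policy is enforced; the findings it raises and the `tighten` helper are this example's own choices, not the CSP Builder's.

```python
"""Lint a Content-Security-Policy for the weak spots slides 60-64 point at.

Added example, not code from the deck: SLIDE_61_POLICY is the policy shown on
slide 61 as one header value; the checks (unsafe keywords, wildcard sources,
whole-domain trust for scripts, missing fallback / clickjacking / reporting
directives) are this example's own.
"""

SLIDE_61_POLICY = (
    "default-src 'self'; "
    "img-src * data:; "
    "style-src 'self' 'unsafe-inline' *.googleapis.com f.fontdeck.com; "
    "font-src 'self' *.gstatic.com; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com "
    "*.googleapis.com *.jquery.com *.google.com google.com *.newrelic.com "
    "*.nr-data.net connect.facebook.net; "
    "connect-src 'self'; "
    "frame-ancestors 'self' *.facebook.com; "
    "frame-src 'self' *.facebook.com; "
    "report-uri https://xyz.report-uri.io/r/default/csp/enforce"
)

# Fetch directives whose source lists deserve scrutiny (slide 60's "typical elements").
FETCH_DIRECTIVES = ("default-src", "script-src", "style-src", "img-src", "font-src",
                    "connect-src", "frame-src", "child-src", "object-src", "media-src")
UNSAFE_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'")


def parse_csp(policy):
    """Split a policy into {directive: [sources]}.

    Browsers honour only the first occurrence of a directive, so duplicates are dropped.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def lint_csp(policy):
    """Return sorted findings a reviewer would raise before enforcing the policy."""
    d = parse_csp(policy)
    findings = []
    if "default-src" not in d:
        findings.append("missing: default-src (no fallback for unlisted directives)")
    if "frame-ancestors" not in d:
        findings.append("missing: frame-ancestors (no clickjacking protection)")
    if "report-uri" not in d and "report-to" not in d:
        findings.append("missing: report-uri (violations would go unreported)")
    for name in FETCH_DIRECTIVES:
        sources = [s.lower() for s in d.get(name, [])]
        for src in sources:
            if src in UNSAFE_KEYWORDS:
                findings.append(f"unsafe: {name} allows {src}")
            elif src == "*":
                findings.append(f"wildcard: {name} allows any origin")
        if name == "script-src":
            # Trusting every subdomain of a large host is far broader than the
            # handful of script URLs a site actually loads.
            broad = [s for s in sources if s.startswith("*.")]
            if broad:
                findings.append(f"broad: script-src trusts whole domains: {', '.join(broad)}")
    return sorted(findings)


def tighten(policy, directive, drop=UNSAFE_KEYWORDS):
    """Return the policy with the given keywords removed from one directive,
    the first step toward a nonce- or hash-based script-src."""
    d = parse_csp(policy)
    if directive in d:
        d[directive] = [s for s in d[directive] if s.lower() not in drop]
    return "; ".join(" ".join([name] + srcs) for name, srcs in d.items())


if __name__ == "__main__":
    for finding in lint_csp(SLIDE_61_POLICY):
        print(finding)
```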
  • 65. SECURITY THREATS & MEASURES
    Bruteforcing: Firewall
    Phishing: Keys/2FA
    XSS: Headers
    Clickjacking: CSP
    CSRF: Tokens
    SSL Stripping: HSTS
  • 66. FINAL THOUGHTS
    Bake your principles into practices - Ansible - immutable infrastructure
    Follow some Opsec people: @Scott_Helme, @troyhunt, @ivanristic, @briankrebs
    Does your site have to be dynamic?
    Letsencrypt - https
    Security is a department - not a one-off
    Learn your attack surface, test on Tor
    VPN, Password apps, 2Factor Authentication
    Work together (bad ips, honeypot, block list) - don't hit back