
Securing Craft: How to survive a penetration test


An overview of how to secure a CraftCMS website to minimise the exposure to vulnerabilities and satisfy the demands of a penetration test.

Steve Rowling

January 28, 2020


Transcript

  1. springworks.co.uk • @steverowling • @craftcmsldn

    What is a penetration test?

    • Vulnerability scan: tests against the OWASP Top 10 vulnerabilities (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project). Findings are ranked as critical, high, medium or low level.
    • User testing: the tester is given a standard user account on the system being tested and attempts to escalate privileges or access unauthorised areas of the application or site.
    • Areas covered:
      ◦ Server config
      ◦ Craft config
      ◦ Site design and coding
  2. Server config

    SSL Labs server test: https://www.ssllabs.com/ssltest/
    • Tests SSL config. Aim for an A+ rating.
    • Set HTTP Strict Transport Security (HSTS) headers with a long expiry date. This forces the domain to be served over https only, so check with the client first. https://scotthelme.co.uk/hsts-cheat-sheet/#example-policies
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    • Restrict TLS to versions 1.2 and above. Note that this will block access to IE 8, 9 and 10, which only support TLS 1.1.
  3. Server config (cont.)

    Security headers test: https://securityheaders.com
    • Tests a wide range of security headers. Aim for an A rating or above.
    • X-Frame-Options - Controls whether or not the site can be framed (IE11 only).
        add_header X-Frame-Options "DENY" always;
    • X-XSS-Protection - Used to configure the browser's built-in reflective XSS protection.
        add_header X-Xss-Protection "1; mode=block" always;
    • X-Content-Type-Options - Prevents a browser from trying to MIME-sniff the content type and forces it to use the declared content-type.
        add_header X-Content-Type-Options "nosniff" always;
  4. Server config (cont.)

    • Referrer-Policy - Controls how much information the browser includes with navigations away from a document, depending on protocol and origin.
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
    • Content-Security-Policy - Whitelists the sources of approved content for the site, enabling you to effectively block XSS attacks. Scott Helme has a great introduction: https://scotthelme.co.uk/content-security-policy-an-introduction/ …and a tool to help generate a CSP: https://report-uri.com/home/generate
      If you have any inline CSS or JS, you will need to add unsafe-inline and probably unsafe-eval, which will trigger low-level pen test warnings.
  5. Server config (cont.)

    Headers to remove
    • Server - Identifies the server software and often the version number. Scott Helme has advice on how to remove it: https://scotthelme.co.uk/hardening-your-http-response-headers/#server
      Note that for nginx it isn’t possible to completely remove the Server header without recompiling nginx from source after making changes to the ngx_http_header_filter_module.c file.
    • X-Powered-By - This can be removed in Craft in general.php by setting
        'sendPoweredByHeader' => false
  6. Server config (cont.)

    Take care when using a caching HTTP reverse proxy such as Varnish to ensure sensitive data is not cached, by serving appropriate Cache-Control headers.
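The checks on the last five slides (HSTS expiry, the securityheaders.com headers, unsafe-inline/unsafe-eval in the CSP, Server and X-Powered-By disclosure, and Cache-Control on sensitive pages) can be automated against a captured response. The following is an added example written for this page, not code from the deck or from securityheaders.com; the two header sets are constructed samples of a response before and after the hardening above, and the severity labels mirror the slides' "low-level" wording rather than any scanner's scoring.

```python
import re
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the HSTS max-age used on the slide

# Constructed sample: a response before any of the hardening on the slides is applied.
BEFORE_HARDENING: Dict[str, str] = {
    "Server": "nginx/1.16.1",
    "X-Powered-By": "Craft CMS",
    "Content-Type": "text/html; charset=UTF-8",
}

# Constructed sample: the same response after the add_header directives and 'sendPoweredByHeader' => false.
AFTER_HARDENING: Dict[str, str] = {
    "Server": "nginx",
    "Content-Type": "text/html; charset=UTF-8",
    "Cache-Control": "no-store",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Xss-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Content-Security-Policy": "default-src 'self'",
}

# Headers the securityheaders.com test expects to see, in addition to HSTS
REQUIRED = (
    "x-frame-options",
    "x-xss-protection",
    "x-content-type-options",
    "referrer-policy",
    "content-security-policy",
)


def hsts_max_age(value: str) -> int:
    """Parse the max-age directive of an HSTS header value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return 0


def audit_headers(headers: Dict[str, str], sensitive: bool = False) -> List[str]:
    """Return a list of findings for one response; an empty list means every check passed.

    `sensitive` marks responses (logged-in pages, account data) that must not be
    stored by a caching reverse proxy such as Varnish.
    """
    h = {name.lower(): value for name, value in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    # Transport: HSTS present with a long expiry
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append(f"Strict-Transport-Security max-age below one year: {hsts!r}")

    for name in REQUIRED:
        if name not in h:
            findings.append(f"missing {name}")

    if "x-content-type-options" in h and h["x-content-type-options"].strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # Inline allowances in the CSP: the low-level warnings the slides mention
    csp = h.get("content-security-policy", "")
    for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
        if keyword in csp:
            findings.append(f"low: Content-Security-Policy allows {keyword}")

    # Information disclosure: software and version identification
    if "x-powered-by" in h:
        findings.append("X-Powered-By header discloses the application platform")
    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"Server header discloses a version: {server!r}")

    # Caching: sensitive responses need a Cache-Control that keeps them out of shared caches
    if sensitive:
        directives = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
        if not directives & {"no-store", "private"}:
            findings.append("sensitive response has no 'no-store'/'private' Cache-Control")

    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_HARDENING), ("after", AFTER_HARDENING)):
        print(f"{label}: {audit_headers(sample, sensitive=True) or 'no findings'}")
```

Feed it the headers of a real response (for example, the output of `curl -sI` parsed into a dict) once per page type, passing `sensitive=True` for logged-in pages, and the finding list is the to-do list for the server config.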
  7. CraftCMS config

    CraftCMS has a good baseline level of security, as documented in the Security FAQ: https://craftcms.com/guides/security-faq
    There is also an excellent guide to Securing Craft: https://craftcms.com/guides/securing-craft
    One of the key recommendations in this guide is to change the cpTrigger config setting to obfuscate the control panel URL. Leaving it at the default value of admin is likely to be considered a high-level vulnerability in a pen test.
    If possible, restrict access to the Craft control panel by IP address using a web application firewall.
  8. CraftCMS config (cont.)

    • cooldownDuration - The amount of time a user must wait before re-attempting to log in after their account is locked due to too many failed login attempts. Default value: 300 seconds
    • invalidLoginWindowDuration - The amount of time to track invalid login attempts for a user, for determining if Craft should lock an account. Default value: 3600 seconds (1 hour)
    • maxInvalidLogins - The number of invalid login attempts Craft will allow within the specified duration before the account gets locked. Default value: 5
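The three settings above only make sense together: the window decides which failures still count, the limit decides when the lock engages, and the cooldown decides when it releases. The model below is an added example for this page, not Craft's own implementation (Craft's exact bookkeeping may differ); it uses the default values from the slide and takes timestamps as arguments so the behaviour can be walked through without waiting for real time to pass.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Default values from the slide (seconds, except the attempt count)
MAX_INVALID_LOGINS = 5
INVALID_LOGIN_WINDOW_DURATION = 3600
COOLDOWN_DURATION = 300


@dataclass
class AccountState:
    """Per-account tracking: timestamps of recent failures and the lock expiry, if any."""
    failures: List[float] = field(default_factory=list)
    locked_until: Optional[float] = None


class LoginThrottle:
    """Window-based lockout model (an assumption of this example, not Craft's code)."""

    def __init__(self, max_invalid: int = MAX_INVALID_LOGINS,
                 window: float = INVALID_LOGIN_WINDOW_DURATION,
                 cooldown: float = COOLDOWN_DURATION) -> None:
        self.max_invalid = max_invalid
        self.window = window
        self.cooldown = cooldown
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        state = self.accounts.get(user)
        if state is None or state.locked_until is None:
            return False
        if now >= state.locked_until:
            # cooldownDuration has elapsed: clear the lock and the failure history
            state.locked_until = None
            state.failures.clear()
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed attempt; return True when this attempt locks the account."""
        state = self.accounts.setdefault(user, AccountState())
        # Only failures inside invalidLoginWindowDuration count towards maxInvalidLogins
        state.failures = [t for t in state.failures if now - t < self.window]
        state.failures.append(now)
        if len(state.failures) >= self.max_invalid:
            state.locked_until = now + self.cooldown
            return True
        return False

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Outcome of one login attempt: 'ok', 'invalid' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"  # rejected during the cooldown even if the password is right
        if password_ok:
            self.accounts.pop(user, None)  # a successful login resets the failure history
            return "ok"
        return "locked" if self.record_failure(user, now) else "invalid"


if __name__ == "__main__":
    throttle = LoginThrottle()
    # five failures ten seconds apart: the fifth one locks the account
    print([throttle.attempt("alice", False, t) for t in range(0, 50, 10)])
    print(throttle.attempt("alice", True, 100))  # still inside cooldownDuration
    print(throttle.attempt("alice", True, 340))  # cooldown over, correct password accepted
```

Lowering invalidLoginWindowDuration makes a slow, spread-out guessing pattern harmless to the limit, while raising cooldownDuration lengthens the denial-of-service a hostile party can inflict on a known username; the model makes both trade-offs visible.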
  9. CraftCMS config (cont.)

    • rememberedUserSessionDuration - The amount of time a user stays logged in if “Remember Me” is checked on the login page. Default value: 1209600 seconds (2 weeks)
    • userSessionDuration - The amount of time before a user will get logged out due to inactivity. Default value: 3600 seconds (1 hour)
    • requireMatchingUserAgentForSession - Whether Craft should require a matching user agent string when restoring a user session from a cookie. Default value: true
  10. CraftCMS config (cont.)

    • requireUserAgentAndIpForSession - Whether Craft should require the existence of a user agent string and IP address when creating a new user session. Default value: true
    • verificationCodeDuration - The amount of time a user verification code can be used before expiring. Default value: 86400 seconds (1 day)
    • defaultTokenDuration - The default amount of time tokens can be used before expiring. Default value: 86400 seconds (1 day)
  11. CraftCMS config (cont.)

    • blowfishHashCost - The higher the cost value, the longer it takes to generate a password hash and to verify against it. Therefore, a higher cost slows down a brute-force attack. Default value: 13
    • preventUserEnumeration - When set to false, you get distinct messages saying whether the username/email didn’t exist or the email was successfully sent and to check your email for further instructions. This can allow for username/email enumeration based on the response. If set to true, you will always get a successful response even if there was an error, making it difficult to enumerate users. Default value: false
  12. CraftCMS config (cont.)

    • validateUnsafeRequestParams - (Craft 2 only) If set to true, all redirect parameters and possibly some 3rd party plugin parameters will need to be hashed to ensure they weren’t tampered with, e.g.:
        <input type="hidden" name="redirect" value="{{ 'my-page'|hash }}">
      Default value: false
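The point of hashing the redirect parameter is that a value travelling through the browser in a hidden field can be altered before it comes back, so the server keys a MAC to a secret it alone knows and refuses any value whose MAC no longer matches. The snippet below is an added example of that technique for this page, not Craft's |hash filter: the "<mac>.<value>" layout and the signing key are assumptions of the example (Craft derives its own format from the application's secret key), and the fallback of redirecting to "/" on a bad signature is a design choice, not Craft behaviour.

```python
import hashlib
import hmac
from typing import Optional

# Constructed key for this example only; a real application uses its own secret key.
SIGNING_KEY = b"constructed-example-key-not-for-real-use"


def sign_value(value: str, key: bytes = SIGNING_KEY) -> str:
    """Return '<hex mac>.<value>': the value travels in the clear but cannot be altered unnoticed."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{mac}.{value}"


def verify_value(signed: str, key: bytes = SIGNING_KEY) -> Optional[str]:
    """Return the original value if the MAC checks out, otherwise None."""
    # The hex MAC never contains '.', so the first '.' always separates MAC from value.
    mac, sep, value = signed.partition(".")
    if not sep:
        return None  # unsigned or malformed parameter
    expected = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    # constant-time comparison so the check does not leak how many bytes matched
    return value if hmac.compare_digest(mac, expected) else None


def redirect_target(param: str, fallback: str = "/") -> str:
    """Where a form handler should send the user: the signed value, or a safe fallback."""
    target = verify_value(param)
    return target if target is not None else fallback


if __name__ == "__main__":
    field_value = sign_value("my-page")  # what the template would put in the hidden field
    print(redirect_target(field_value))  # my-page
    print(redirect_target(field_value.replace("my-page", "other-page")))  # / (signature no longer matches)
```

Because the MAC covers the exact bytes of the value, any edit to it, a different key, or a bare unsigned value all fall through to the fallback.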
  13. CraftCMS config (cont.)

    Craft allows you to set weak passwords; the only default restriction is that passwords are between 6 and 160 characters long. Allowing simple, guessable passwords is likely to be considered a high-level vulnerability in a pen test.
    Use the Password Policy plugin from Rias to improve this: https://plugins.craftcms.com/password-policy
    • Adds a rules-based complex password policy
    • Includes an optional password check against Troy Hunt’s Have I Been Pwned database: https://haveibeenpwned.com
    • Includes an optional password strength meter based on Dropbox’s zxcvbn library: https://github.com/dropbox/zxcvbn
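The two checks the slide lists, a rules-based policy and a Have I Been Pwned lookup, are shown below as an added example for this page; this is not the Password Policy plugin's code, and the length and character-class thresholds are assumptions chosen for the example rather than the plugin's defaults. The breach check follows the k-anonymity model of the Pwned Passwords range API (https://api.pwnedpasswords.com/range/<prefix>): the password is hashed with SHA-1 locally, only the first five hex characters are sent, and the returned "<suffix>:<count>" lines are matched locally. To keep the example offline, `range_lookup` reads from a constructed table standing in for the HTTP request; the suffix it contains is that of SHA-1("password"), but the counts are made up.

```python
import hashlib
import re
from typing import Dict, List

# Assumed policy for this example (not the plugin's defaults)
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"\d"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed stand-in for the range API response for prefix 5BAA6 (SHA-1("password") starts
# with 5BAA6 and continues with the second suffix below). Each line is '<35 hex chars>:<count>';
# the other suffixes and all counts are invented for the example.
CONSTRUCTED_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "2C3ECC6B5E1A4A2E7E8A9B3C4D5E6F70111:1\r\n",
}


def range_lookup(prefix: str) -> str:
    """Stand-in for the HTTPS GET of /range/<prefix>; only the 5-character prefix would leave the machine."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def pwned_count(password: str) -> int:
    """k-anonymity breach check: hash locally, query by prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password: str) -> List[str]:
    """Return policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, pattern in CHARACTER_CLASSES.items() if pattern.search(password)]
    if len(present) < MIN_CHARACTER_CLASSES:
        problems.append(
            f"uses {len(present)} of {len(CHARACTER_CLASSES)} character classes; needs {MIN_CHARACTER_CLASSES}"
        )
    count = pwned_count(password)
    if count:
        problems.append(f"appears {count} times in known breaches")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3xample!"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

Swapping `range_lookup` for a real HTTPS fetch is the only change needed for production use; the password itself, and even its full hash, never leave the server in either version.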
  14. CraftCMS config (cont.)

    • Remove unnecessary config files - Craft has both .htaccess and web.config files in its default installation. You should remove whichever of these files you don’t need for your web server. Bonus points if you remove both and add the contents to the web server’s main config file instead.
    • Concurrent user sessions - By default Craft permits multiple logins from the same user account. The recommendation is that an authenticated user should only be permitted one active user session. It is not currently possible to fix this in Craft.
  15. Site design and coding

    Twig
    • Never use the |raw filter if you are outputting user-provided content.
    • Protect content intended for signed-in users with the {% requireLogin %} tag on all affected page templates.
    • Check that signed-in users are in the correct user group to access restricted content.
    • If you are using custom permissions, defined in a module or plugin, don’t forget to test against them in your templates.
    • Test different user permissions by logging in as users in each user group as you develop the site.
  16. Site design and coding (cont.)

    Third party code vulnerabilities
    • Check 3rd party code for any known vulnerabilities or security issues using Snyk: https://snyk.io/vuln Checks can also be built into CI/CD pipelines for automated testing.
    • Keep all 3rd party code updated. Using outdated software is likely to be considered a medium-level vulnerability in a pen test.
  17. Site design and coding (cont.)

    Avoid inline CSS and JS
    • Allows you to set a more secure Content-Security-Policy.
    • Means that you can’t inline critical CSS for performance optimisation.
    • Might need to adapt how Google Analytics, Tag Manager and Maps are integrated into the site; more details here: https://developers.google.com/tag-manager/web/csp
  18. Site design and coding (cont.)

    Cookies
    • Set the secure flag on all cookies.
    • If possible, use httponly cookies set on the server; note that these won’t be accessible through JS.
    • If you need to use JS-accessible cookies, ensure that no sensitive information is leaked through them.
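The three cookie rules above can be checked mechanically from the Set-Cookie headers a page emits. The following is an added example for this page, not code from the deck: it parses each Set-Cookie value, reports a missing Secure or HttpOnly flag, and treats a cookie whose name suggests session or account data as "sensitive" when it is readable from JS. It goes one step beyond the slide by also flagging a missing SameSite attribute. The three sample headers, the cookie names and the sensitivity pattern are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie headers as a page might emit them
SAMPLE_SET_COOKIES = [
    "session=9f1c2b; Path=/; Secure; HttpOnly; SameSite=Lax",
    "prefs=dark; Path=/",
    "user_email=alice%40example.com; Path=/; Secure",
]

# Assumed heuristic for "probably sensitive" cookie names
SENSITIVE_NAME = re.compile(r"(session|token|secret|pass|email|user)", re.IGNORECASE)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, attributes); flag attributes get an empty string."""
    parts = [part.strip() for part in header.split(";")]
    name, _, value = parts[0].partition("=")
    attributes: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, attr_value = part.partition("=")
        attributes[key.strip().lower()] = attr_value.strip()  # attribute names are case-insensitive
    return name.strip(), value, attributes


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means it passes every check."""
    name, _value, attributes = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attributes:
        findings.append(f"{name}: missing Secure flag (cookie can be sent over plain http)")
    if "httponly" not in attributes:
        if SENSITIVE_NAME.search(name):
            findings.append(f"{name}: sensitive cookie is readable from JavaScript (no HttpOnly)")
        else:
            findings.append(f"{name}: missing HttpOnly flag")
    if "samesite" not in attributes:
        findings.append(f"{name}: missing SameSite attribute")
    return findings


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its findings, keeping only cookies that have any."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        findings = audit_set_cookie(header)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_SET_COOKIES).items():
        print(cookie)
        for finding in findings:
            print("  -", finding)
```

Run it over every Set-Cookie header observed while browsing the site logged in and logged out; a cookie that carries account data without HttpOnly is the case the third bullet warns about.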
  19. Site design and coding (cont.)

    Login, registration and password reset forms
    • Add the autocomplete="off" parameter to password fields. Note that users will still be able to use a password manager to autofill passwords.
    • Add Google ReCAPTCHA or similar to all forms to protect against automated submissions.
  20. Summary

    • Keep everything updated.
    • Security is a constant balance between risk, usability and functionality.