OWASP Wordpress Security Implementation Guideline

2014-10-16T23:36:49Z

Dan Vasile:

= Considerations =
This project aims for a unified approach on WordPress security design and implementation. It is definitely more than a checklist, it's a guide for secure implementation and invitation to consider and analyze each individual case.

There is a long list of recommended resources. The author aimed to offer open source or free resources instead of commercial ones. Some plugins have a free version and a paid one that offers extra functionality. In such cases, the focus was on the free version.

= General security =
This section is meant to be just a reminder that all the other hardening measures are useless if an attacker can gain access to WordPress users’ computers. We’re not going to spend the time and effort to go into details but rather enumerate the common good practices each security conscious user should have in mind. There are plenty of good resources to help anyone accomplish security basics.

== Device security ==
When we talk about devices capable of accessing the WordPress administration interface we don’t just talk about computers but mobile devices as well. The following is a list of items that needs to be taken into account when securing the devices that will be accessing the WordPress instances. Some of them may refer to PCs and mobile devices, others just to one of the devices.

* Password protect the device
* Use strong passwords
* Keep the OS updated
* Encrypt the storage
* Have an anti-virus installed and updated
* Have a malware/spyware scanner installed and perform regular scans and updates
* Have a firewall installed and configured
* [http://www.cert.org/historical/tech_tips/securing-web-browser-index.cfm Secure your browser]

= Infrastructure security =
Before hardening the core of WordPress an implementer must consider hardening the services on which the instance will be installed. Sometimes the underlying infrastructure is not under the control of the implementer. While there are things that can be hardened on WordPress to mitigate things that are supposed to be fixed on the infrastructure side, one should always consider defense in depth. The implementer can contact the infrastructure administrator and ask for specific hardening in order to further protect the applications that will be installed on top of that, in this case WordPress.

The foundation of infrastructure hardening is operating system hardening. This is a broad subject and highly dependent on the OS, the main concerns being around privileges, access control, authentication and logging. It’s a topic outside the coverage of the current project and these are things that must be covered by experienced system administrators.

WordPress can be installed on a multitude of platforms but the main focus below is on the most common components, Apache and MySQL. The general rules though apply to all supported infrastructure components.

Following best design practices, the tiers of the WordPress instance should be separated. However the presentation and application layers are bind together leaving room for one separation, the one with the database. For small applications it’s not a common practice, but for larger sites this becomes a must from a security but also a performance perspective.

As was the case with general security, this is just a list of things that should be performed in order to harden the infrastructure and not the means to do it.

== Apache hardening ==
* Update regularly
* Disable directory listing
* Secure the communication with the server by generating and using SSL certificates
* Disable unnecessary modules
** Good candidates for this are: ''userdir'', ''suexec'', ''cgi/cgid'', ''include'', ''autoindex''
* Run the daemon as a separate user and group
* Use ''Allow'' and ''Deny'' to restrict access to directories
* Use ''mod_security''module to secure Apache
* Disable following of ''symbolic links''
* Turn off server sides includes and CGI execution
* Limit request size
* Configure other settings like ''TimeOut'', ''MaxClients'', ''KeepAliveTimeout'', ''LimitRequestFields'', ''LimitRequestFieldSize'' in order to prevent DoS attacks
* Enable and configure proper logging
* Modify server banner

== PHP hardening ==
* Update regularly
* Don’t install PHP as a CGI binary
* Disable unnecessary PHP modules
* Disable unused potentially dangerous PHP functions (good examples: ''exec'',''passthru'',''shell_exec'',''system'', etc.)
* Log errors internally
* Disable verbose error reporting on the client side
* Turn off remote code execution (if it’s not needed; the core WordPress doesn’t need this functionality)
* Disable magic quotes
* Limit PHP access to file system
* Protect from DoS
** Control POST size
** Limit script time execution
** Limit memory usage
* Consider implementing the [http://www.suhosin.org/stories/index.html Suhoshin security extension]
* Hide the version of PHP in use
* Hide the .php extension

== MySQL hardening ==
There is an entire [https://www.owasp.org/index.php/OWASP_Backend_Security_Project_MySQL_Hardening OWASP project dedicated to MySQL hardening]. The main action items are:

* Update regularly
* Disable or restrict remote access
* Filesystem access restrictions and ACLs
* Designing a chroot-jail
* Encrypting network traffic (this is a must if the database layer is physically separated from the application layer)
* Encrypting raw databases on filesystem level
** Redundant if disk encryption is in place at the OS layer
** However, by using ''dmcrypt'', one can generate an extra layer of encryption
* Backup encryption
* Configuration
** Connectivity: maximum number of concurrent connections and related settings
** Logging
** Access control and privilege management
** Set up root password
** Rename root account
** Delete unused users and databases
** Remove installation history

A PHP security checker is available [https://github.com/sektioneins/pcc here]. This is a one-page php file designed to analyze PHP configuration and rank the findings based on severity.

== Remote access ==
* Don’t use FTP (use sFTP where possible)
* If SSH access is available, use [http://linux.die.net/man/1/scp scp] or [http://winscp.net/eng/index.php WinSCP] for file transfer
* Consider using VPN or [http://www.pentest.ro/ssh-tunnels-an-alternative-to-vpn/ SSH tunnels] to the server for accessing the WordPress administrative interface

= Wordpress security =
There are three main components of WordPress that need to be considered from a security perspective when implementing the solution.

* Core – the basic default installation files that provide most of the functionality
* Plugins – special written code to improve and extend the basic functionality
* Theme – the presentation layer which may come with some limited extended functionality

== Updates ==
It is of vital importance to keep WordPress core, plugins and themes updated. Once an update is released, it needs to be applied as soon as possible to close any security holes.

Functional problems with updates must be considered. It is possible that an update will break some of the functionality so a backup is recommended before updating the core.

=== WordPress Core ===
The WordPress core has three different types of updates:

* Core development updates, known as the "bleeding edge"
* Minor core updates, such as maintenance and security releases
* Major core release updates

Starting with version 3.7, automatic background updates were introduced by default for minor core updates releases (generally security updates). This default behavior can be overridden by editing the wp-config.php file and adding or modifying the following statement

''define( 'WP_AUTO_UPDATE_CORE', true );''

When set to true all updates will be enabled. Translations are updated by default with the minor core updates.

=== Themes and Plugins ===
The themes and plugins can be updated automatically using filters. The best place to put a filter is in a [http://codex.wordpress.org/Must_Use_Plugins must-use plugin]. WordPress doesn’t recommend putting filters in the wp-config.php file because of conflicts with other parts of the code.

To enable automatic updates for themes and plugins, add the following code

''add_filter( 'auto_update_plugin', '__return_true' );''

''add_filter( 'auto_update_theme', '__return_true' );''

== Removal of unused plugins and themes ==
Depending on the server configuration, the files in the WordPress folder can be accessed from the Internet regardless of whether they are used or not. Even if a plugin is disabled, the files are still there and they are accessible from the Internet.

When a new vulnerability is discovered, the attackers write scripts to look for the vulnerable files. Knowing the location of vulnerable plugins increases their chances of infiltrating a vulnerable instance.

Any plugins and themes that are not actively used must be deleted.

== Plugins & Themes Security ==
Plugins and themes are a great addition to the functionality offered by the WordPress core. WordPress’ success is based on these elements. It’s easy to develop a new theme, add new functions with plugins. This ease of development comes with the security downside. In the rush for functionality, the developers often forget about security. Looking at the [https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress CVE list for WordPress] it’s worth noticing that in the past years most of the security defects are affecting the plugins and themes and not WordPress core.

Developing on top of WordPress should be regarded as regular development job and follow a standard secure development lifecycle. Concrete action items for this chapter include source code review and penetration testing of plugins and themes.

When choosing to use an already developed plugin by a 3rd party, a security audit should be performed. Good differentiators for available plugins are:

* Publication in the official plugin store at [https://wordpress.org/plugins/ https://wordpress.org/plugins/]
* User ratings and comments
* Version number (is it a young plugin/theme or faced the challenges of time?)
* Last update
* Update frequency
* Compatibility with the current version of the WordPress core

In order to perform a source code audit, the following tools can be used:

* [http://rips-scanner.sourceforge.net/ RIPS]
* [http://www.program-transformation.org/PHP/PhpSat PHP-sat]
* [http://www.scovetta.com/yasca.html Yasca]
* [http://resources.infosecinstitute.com/finding-bugs-in-php-using-grep/ Manual analysis using ][http://resources.infosecinstitute.com/finding-bugs-in-php-using-grep/ grep]

Things to pay extra attention during the source code audit:

* Obfuscated code
* BASE64 encode function
* System call functions (exec, passthru, system, shell_exec, etc.)
* PHP code execution (eval, assert, preg_replace, etc.)
* Information disclosure functions (phpinfo, getenv, getmygid/pid/uid, etc.)
* Filesystem functions (fopen, bz/gzopen, chgrp/own/mod, etc.)

== Backup ==
The backup process is essential when something bad happens. The configuration of the backup process can make the distinction between a clean and fast recovery and loss of data and prolonged downtime.

What needs to be included in the backup?

* The WordPress files
** WordPress Core Installation
** WordPress Plugins
** WordPress Themes
** Images and Files
** JavaScript and PHP scripts, and other code files
** Additional Files and Static Web Pages
* The database

It’s easy to say that a full backup of the /public_html folder is needed. However there are situations in which this is not feasible nor enough. There are situations in which large quantities of data are generated in the public folder (statistics, temporary data, etc.) that are useless in the backup process. There’s also the situation in which configuration files are placed outside the public directory. They also need backup.

The plan is to identify the files and folders that must be part of the backup process and save these in a remote location.

For database backup, the mysql command line can be used or administrative interfaces like phpMyAdmin.

How often should the backup be performed? It all depends on how often the instance is updated from a content perspective. If there are multiple updates a day, it’s a good idea to have a daily backup. If there’s a new article every several days, than a weekly or monthly backup is the way to go.

It’s a good practice to keep multiple backups and have them time stamped. This is because a breach might not be noticed immediately and a clean recovery can only be performed from a backup which is several iterations old.

Verifying that the backup is functional is part of the process. A backup that does not allow quick and full recovery is useless. The idea is to have a clean server and perform a full recovery from the backup, then check all the functionality and make sure nothing is missing.

=== Automation ===
The steps above are manual and labor intensive. There is a full list of plugins that can help along the process: [https://wordpress.org/plugins/tags/backup https://wordpress.org/plugins/tags/backup]

The one free alternative offering full backup capabilities standing out of the list is [https://wordpress.org/plugins/backwpup/ BackWPup]. The free version can be used to save your complete installation including /wp-content/ and push them to an external Backup Service, like Dropbox, S3, FTP (not a good idea) and many more.

From a security perspective, it’s worth noticing that an attacker who compromised the installation may be able to retrieve credentials and access the remote location of the backups, thus being able to manipulate or delete them. As a good precaution, on the remote side where the backups are stored, an independent process should take the backups and move them to a location inaccessible from the WordPress installation.

== User roles and proper usage ==
Understanding the roles and properly assigning them to them to users is essential in the segregation of duties process.

The WordPress roles are:

* Super Admin – somebody with access to the site network administration features and all other features
* Administrator – somebody who has access to all the administration features within a single site
* Editor – somebody who can publish and manage posts including the posts of other users
* Author – somebody who can publish and manage their own posts
* Contributor – somebody who can write and manage their own posts but cannot publish them
* Subscriber – somebody who can only manage their profile

The least privilege principle must be considered when assigning roles.

A full list of privileges and a comparison between roles is available at [http://codex.wordpress.org/Roles_and_Capabilities http://codex.wordpress.org/Roles_and_Capabilities].

Supporting plugins:

* [https://wordpress.org/plugins/members/ Members Plugin]
* [https://wordpress.org/plugins/role-scoper/ Role Scoper Plugin]
* [http://wordpress.org/extend/plugins/user-access-manager/ User Access Manager]
* [http://wordpress.org/extend/plugins/advanced-access-manager/ Advanced Access Manager]
* [http://wordpress.org/extend/plugins/user-role-editor/ User Role Editor]

== Restrict the access to the admin interface ==
Restricting the access to the admin interface should be considered as no regular user is in need of access to this area. For a site with few users it makes sense to whitelist their IP addresses. Additionally, the access can be restricted only to the localhost and have the users VPN in or create a tunnel to the server (if SSH is enabled) and then access the admin interface.

To restrict the access to the wp-admin folder, a file called .htaccess needs to be created in that folder. The content of the file should be:

''Order Deny,Allow''

''Deny from all''

''Allow from 127.0.0.1''

Multiple IP addresses separated by whitespaces can be added and the use wildcards (*) is permitted.

== Prevent brute-forcing ==
Bruteforcing is the easy way in for an attacker. As discussed in the General Security chapter, a prerequisite for preventing bruteforcing is to have [https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Password_Complexity strong passwords]. Apart from that, an additional layer of protection can be added in the form of [http://en.wikipedia.org/wiki/CAPTCHA CAPTCHA].

One good plugin candidate is [https://wordpress.org/plugins/google-captcha/ Google Captcha (reCAPTCHA)]. The advantage of this plugin is that it can be used to add the extra layer of protection on other areas as well (like registration and comments).

CAPTCHA is not a perfect solution by any means. There are services offering real-time CAPTCHA solving for a few cents per challenge. However it takes seconds to solve a CAPTCHA even for a good service like this, thus this sort of attack becomes unfeasible.

Another preventive measure is to lock-out accounts after a series of failed attempts. There is no plugin at the moment that can lock a user after several failed attempts for a period of time, there are plugins blocking IP addresses that are brute-forcing the login mechanism. This approach is not the best when dealing with distributed attacks.

== Implement two factor authentication ==
To add another layer of security on the authentication mechanism, two factor authentication can be enabled. Two factor authentication is a method of securing accounts requiring that you not only know something (a password) to log in but also that you possess something (your mobile device). The benefit of this approach to security is that even if someone guesses your password, they need to have also stolen your possession in order to break into your account.

Supporting plugin:

* [https://wordpress.org/plugins/google-authenticator/installation/ Google Authenticator]

== Remove or change the default administrator account ==
There are two main reasons for creating a new administrator or modifing the old one:

* After the installation the default username is “admin”; an attacker trying to bruteforce his way in will try default usernames
* The default id of the admin account is 1; an attacker who discovers a SQL injection is will try to update the user with id = 1

Both tasks can be performed manually in the database without the need to delete the admin account or can be performed in the admiministration UI, by creating a new administrator, log in with the new credentials and delete the default one.

== Disable user registration if not needed ==
If user management is performed manually or through integration with other user management systems, there is no need for this functionality to be enabled in WordPress.

To disable user registration, log in as an administrator, go to '''Settings -> General''' and make sure the '''“Anyone can register”''' box is unchecked.

== Change the database prefix ==
In case a 0-day SQL injection vulnerability is discovered, an attacker will try to exploit the known tables from a default WordPress installation. To prevent this from happening, the default prefix of the tables needs to be changed. This can be performed in several ways:

* During the installation process
* Manually via ''mysql'' command line or ''phpMyAdmin'' for all the tables; after this, the wp-config.php file must be configured to reflect the changes ($table_prefix = "ves1uaq3_";)
* With a plugin ([https://wordpress.org/plugins/db-prefix-change/ Change DB Prefix])

== Control comments ==
WordPress was initially a blogging platform so the ability to add comments was part of the success story. Things changed with the shift of WordPress towards a CMS so comments might not be necessary in all instances. There are several things that need to be considered when dealing with this topic:

* Are comments needed? If not, they should be disabled. Log in as administrator. For new posts go to '''Settings -> Discussion''' and uncheck "'''Allow people to post comments on new articles'''". For existing posts, go to '''Posts''', select all of them, '''Bulk Actions -> Edit''' and choose “'''do not allow'''” near '''Comments''' before hitting '''Update posts'''.
* If comments are required, who should be able to post them? If only registered users should be allowed to add comments, go to '''Settings -> Discussion''' and check the “'''Users must be registered and logged in to comment'''” box.
* Should comments be reviewed before publishing? If so, the “'''Comment must be manually approved'''” box must be checked.
* If comments are not reviewed before publishing, using an anti-spam plugin like the default [https://wordpress.org/plugins/akismet/ Akismet] is advised

As a general rule of thumb, all the options under '''Settings -> Discussion '''should be carefully reviewed.

== Check file permissions ==
Permissions on files and directories determine who is allowed to read, write and execute them. Permission settings will vary from situation to situation and between shared hosting and dedicated hosting.

Following is a list of desired permissions on sensitive items and fallback options:

* wp-config.php
** Desired: 400
** Fallback: 440, 600, 640
* uploads folder
** Desired: 755
** Fallback: 766, 777 (not recommended)
* .htaccess files
** Desired: 400
** Fallback: 440, 444, 600, 640

== Delete readme.html and install.php ==
The readme.html file may reveal sensitive information and is not needed from a functional perspective. The install.php is a residue of the installation process and even though it does not allow to restart the installation process it’s not needed and should be removed.

Action item:

* Delete the /<WordPress_root>/readme.html and /<WordPress_root>/wp-admin/install.php files

== Add blank index.php files where needed ==
Especially in shared environments where the settings of the web server are outside the control of the WordPress implementer, directory listing might be enabled. To add an extra layer of security, blank index.php files should be added to the folders that don’t have indexes in order to prevent browsing of the resources. The main folders that need to be considered are:

* wp-includes
* wp-content
* wp-content/plugins
* wp-content/themes
* wp-content/uploads

== Move wp-config.php file outside the web root folder ==
The wp-config.php file is a very important configuration file. It contains a lot of sensitive information about your WordPress site, like your database information for example.

WordPress will automatically look for this file in the folder above the WordPress root folder if it does not exist in the root folder. Moving this file out of the public_html folder means the file will not be accessible from the Internet.

== Create secret keys ==
Starting with WordPress 2.6, a new set of security features for passwords and password hashing and cookie security is included. This feature works without doing anything, but it's not particularly powerful without some extra steps. In order to greatly increase the security of the WordPress installation, secret keys must be set up. This should be part of the standard installation process. Whenever there’s suspicion that the secret keys have been compromised, the administrator must change them. Changing the secret keys will invalidate all sessions so users will need to re-authenticate.

Setting up or changing secret keys can be done by adding or editing the following lines to the wp-config.php file, right after the other define statements:

''define('AUTH_KEY', 'put your unique phrase here');''

''define('SECURE_AUTH_KEY', 'put your unique phrase here');''

''define('LOGGED_IN_KEY', 'put your unique phrase here');''

''define('NONCE_KEY', 'put your unique phrase here');''

== Enforce transport layer encryption for administrative tasks ==
It was discussed earlier that SSL should be configured and used to access the WordPress instance. Usually sites are available over port 80 AND 443. This means that the user is free to choose if he uses a clear text or an encrypted communication channel.

In order to force the usage of SSL (at least) for sensitive actions, the following lines must be added to the wp-config.php file:

''define('FORCE_SSL_LOGIN', true);''

''define('FORCE_SSL_ADMIN', true);''

== Use a web application firewall ==
While a Web Application Firewall should be in place at the web server layer, because that is not always accessible to the implementer, a WAF plugin can be used to add this layer of protection.

A good plugin candidate is [https://wordpress.org/plugins/ninjafirewall/ NinjaFirewall].

== Security plugins ==
This section is a list of security plugins and a short description of their functionality. As previously discussed, the focus is on free plugins.

* [https://wordpress.org/plugins/better-wp-security/ iThemes Security] – iThemes Security (formerly Better WP Security) gives you over 30+ ways to secure and protect your WordPress site. In its free version it can obscure, detect, protect and recover a WordPress installation
* [https://wordpress.org/plugins/bulletproof-security/ BulletProof Security] – the free version offers:
** .htaccess Website Security Protection (Firewalls)
** Login Security & Monitoring
** DB Backup
** DB Backup Logging
** DB Table Prefix Changer
** Security Logging
** HTTP Error Logging
** FrontEnd/BackEnd Maintenance Mode
* [https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ All In One WP Security & Firewall]
** User Account/Login/Registration Security
** Database & File System Security
** htaccess and wp-config.php File Backup and Restore
** Blacklist Functionality
** Firewall Functionality
** Brute force login attack prevention
** Security Scanner
* [https://wordpress.org/plugins/sucuri-scanner/ Sucuri Security - Auditing, Malware Scanner and Security Hardening]
** Security Activity Auditing
** File Integrity Monitoring
** Remote Malware Scanning
** Blacklist Monitoring
** Effective Security Hardening
** Post-Hack Security Actions
** Security Notifications
** Website Firewall (add on)
* [https://wordpress.org/plugins/wp-security-scan/ Acunetix WP Security] & [https://wordpress.org/plugins/secure-wordpress/faq/ Acunetix Secure WordPress] – these plugins check your WordPress website/blog for security vulnerabilities and suggests corrective actions such as:
** Passwords
** File permissions
** Database security
** Version hiding
** WordPress admin protection/security
** Removes WP Generator META tag from core code

= Large-scale integration =
Implementing one WordPress site and maintaining it is a doable job for an administrator. In large corporate environments there may be hundreds of instances that need management, configuration and maintenance. This can easily become an unmanageable situation. When dealing with large number of instances, a centralized approach is needed.

== Creating a standard image ==
The first step is to create a standard WordPress installation with all the security configuration and plugins in place. This should be a blank installation with no data that can be easily replicated when a new instance needs to be created.

A process for new instances must be in place and approach at least the following subjects:

* General configuration
* Database connectivity
* Setting the administrator account

== LDAP integration & Single Sign On ==
User management for large WordPress sites can be a hassle. In corporate environments users are in general centrally managed and assigned to different groups. WordPress can make use of this already established situation. Whether if it’s [http://en.wikipedia.org/wiki/Active_Directory Active Directory] or other LDAP compatible service, this establishment is already used in the organization trying to implement WordPress. It’s easy to set up groups based on Wordpress roles and assign users to different groups, based on their required level of access. Once the integration is achieved, one can go further towards an elegant solution by implementing Single Sign On.

Supporting plugins:

* [https://wordpress.org/plugins/active-directory-integration/ Active Directory Integration]
* [https://wordpress.org/support/plugin/active-directory-sso Active Directory SSO]
* [https://wordpress.org/plugins/simple-ldap-login/ Simple LDAP Login]

== Multisites ==
A large environment requires multiple instances of WordPress. Managing each individual instance can become impossible for a single person or a small team. This is where a built-in feature of WordPress comes in hand, [http://codex.wordpress.org/Create_A_Network multisite or network of sites].

A multisite network can be very similar to a personal version of WordPress.com. End users can create their own sites on demand, just like end users of WordPress.com can create blogs on demand. If there’s no need to allow end users to create their own sites on demand, the administrator of the network can create a multisite network in which only he can add new sites.

A multisite network is a collection of sites that all share the same WordPress installation. They can also share plugins and themes. The individual sites in the network are virtual sites in the sense that they do not have their own directories on your server, although they do have separate directories for media uploads within the shared installation, and they do have separate tables in the database.

WordPress does a good job in providing the necessary documentation for:

* [http://codex.wordpress.org/Create_A_Network Installation]
* [http://codex.wordpress.org/Multisite_Network_Administration Administration]
* [http://codex.wordpress.org/Debugging_a_WordPress_Network Debugging]
* [http://codex.wordpress.org/Migrating_Multiple_Blogs_into_WordPress_3.0_Multisite Migration]

The benefit of the multisite feature is centralized management of security. Plugins can be checked once for security defects and when a stable and secure version is available it can be pushed to all the sites in the same time.

This built-in solution might not always be the best choice. For example, all the plugins are shared between different sites and the administrators of those sites choose which plugins to enable and which to disable.

== Unified management of multiple installations ==
If multiple separate instances of WordPress need to be managed centrally, there are several solution (most of them have at least some form of commercial addons) that can accomplish the task:

* [http://infinitewp.com/ InfinteWP] is a free, self-hosted multiple WordPress management platform that simplifies WordPress management tasks into simple clicks. Features:
** One master login
** One click updates
** Instant backup & restore
** Plugins & themes management
* [https://managewp.com/ ManageWP]
* [https://wpremote.com/ WPRemote] lets administrators monitor an unlimited number of WordPress websites. Through the WP Remote dashboard they can update WordPress and update plugins and themes. A snapshot (backup) of the websites can be downloaded from the interface

= Resources =
The project started with a discussion between [https://www.linkedin.com/in/dancatalinvasile Dan Vasile] (the initiator) and [https://www.linkedin.com/in/andersvinther Anders Vinther] who has already published [http://www.wpsecuritychecklist.com/ a guide] about secure WordPress implementation. Based on the information there, a part of the skeleton and content of the current project was created.

== Browser security ==
* [http://www.cert.org/historical/tech_tips/securing-web-browser-index.cfm http://www.cert.org/historical/tech_tips/securing-web-browser-index.cfm]

== Apache hardening ==
* [http://httpd.apache.org/docs/current/misc/security_tips.html http://httpd.apache.org/docs/current/misc/security_tips.html]
* [http://www.tecmint.com/apache-security-tips/ http://www.tecmint.com/apache-security-tips/]
* [https://wiki.debian.org/Apache/Hardening https://wiki.debian.org/Apache/Hardening]

== PHP hardening ==
* [http://php.net/manual/en/security.php http://php.net/manual/en/security.php]
* [http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html]
* [http://www.suhosin.org/stories/index.html http://www.suhosin.org/stories/index.html]

== MySQL hardening ==
* [https://www.owasp.org/index.php/OWASP_Backend_Security_Project_MySQL_Hardening https://www.owasp.org/index.php/OWASP_Backend_Security_Project_MySQL_Hardening]
* [http://www.greensql.com/content/mysql-security-best-practices-hardening-mysql-tips http://www.greensql.com/content/mysql-security-best-practices-hardening-mysql-tips]

== Wordpress ==
* [http://codex.wordpress.org/Configuring_Automatic_Background_Updates http://codex.wordpress.org/Configuring_Automatic_Background_Updates]
* [http://stackoverflow.com/questions/3115559/exploitable-php-functions http://stackoverflow.com/questions/3115559/exploitable-php-functions]
* [http://codex.wordpress.org/WordPress_Backups http://codex.wordpress.org/WordPress_Backups]
* [http://codex.wordpress.org/Roles_and_Capabilities http://codex.wordpress.org/Roles_and_Capabilities]
* [http://en.support.wordpress.com/security/two-step-authentication/ http://en.support.wordpress.com/security/two-step-authentication/]
* [http://codex.wordpress.org/Create_A_Network http://codex.wordpress.org/Create_A_Network]
* [http://codex.wordpress.org/Before_You_Create_A_Network http://codex.wordpress.org/Before_You_Create_A_Network]
* [http://codex.wordpress.org/Migrating_Multiple_Blogs_into_WordPress_3.0_Multisite http://codex.wordpress.org/Migrating_Multiple_Blogs_into_WordPress_3.0_Multisite]

=Project About=
{{:Projects/OWASP_Wordpress_Security_Checklist_Project}}

[[Category:OWASP Project]]

Testing Checklist

2014-01-16T14:57:39Z

Dan Vasile:

{{Template:OWASP Testing Guide v4}}

The following is the list of controls to test during the assessment:

{| {{table}}
| align="center" style="background:#f0f0f0;"|'''Ref. No.'''
| align="center" style="background:#f0f0f0;"|'''Category'''
| align="center" style="background:#f0f0f0;"|'''Test Name'''
|-
| ||||
|-
| 4.2||||'''Information Gathering'''
|-
| 4.2.1||OTG-INFO-001||Conduct Search Engine Discovery and Reconnaissance for Information Leakage
|-
| 4.2.2||OTG-INFO-002||Fingerprint Web Server
|-
| 4.2.3||OTG-INFO-003||Review Webserver Metafiles for Information Leakage
|-
| 4.2.4||OTG-INFO-004||Enumerate Applications on Webserver
|-
| 4.2.5||OTG-INFO-005||Review Webpage Comments and Metadata for Information Leakage
|-
| 4.2.6||OTG-INFO-006||Identify application entry points
|-
| 4.2.8||OTG-INFO-008||Map execution paths through application
|-
| 4.2.9||OTG-INFO-009||Fingerprint Web Application Framework
|-
| 4.2.10||OTG-INFO-010||Fingerprint Web Application
|-
| 4.2.11||OTG-INFO-011||Map Network and Application Architecture
|-
| ||||
|-
| 4.3||||'''Configuration and Deploy Management Testing'''
|-
| 4.3.1||OTG-CONFIG-001||Test Network/Infrastructure Configuration
|-
| 4.3.2||OTG-CONFIG-002 ||Test Application Platform Configuration
|-
| 4.3.3||OTG-CONFIG-003||Test File Extensions Handling for Sensitive Information
|-
| 4.3.4||OTG-CONFIG-003|| Backup and Unreferenced Files for Sensitive Information
|-
| 4.3.5||OTG-CONFIG-005||Enumerate Infrastructure and Application Admin Interfaces
|-
| 4.3.6||OTG-CONFIG-006||Test HTTP Methods
|-
| 4.3.7||OTG-CONFIG-007||Testing for Database credentials/connection strings available
|-
| 4.3.8||OTG-CONFIG-008||Test Content Security Policy
|-
| 4.3.9||OTG-CONFIG-009||Test HTTP Strict Transport Security
|-
| 4.3.10||OTG-CONFIG-010||Test Frame Options
|-
| 4.3.11||OTG-CONFIG-011||Test RIA cross domain policy
|-
| 4.3.12||OTG-CONFIG-012||Test Content Type Options
|-
| ||||
|-
| 4.4||||'''Identity Management Testing'''
|-
| 4.4.1||OTG-IDENT-001||Test Role Definitions
|-
| 4.4.2||OTG-IDENT-002||Test User Registration Process
|-
| 4.4.3||OTG-IDENT-003||Test Account Provisioning Process
|-
| 4.4.4||OTG-IDENT-004||Testing for Account Enumeration and Guessable User Account
|-
| 4.4.5||OTG-IDENT-005||Testing for Weak or unenforced username policy
|-
| 4.4.6||OTG-IDENT-006||Test Permissions of Guest/Training Accounts
|-
| 4.4.7||OTG-IDENT-007||Test Account Suspension/Resumption Process
|-
| 4.4.8||OTG-IDENT-008||Test User Deregistration Process
|-
| 4.4.9||OTG-IDENT-009 ||Test Account Deregistration Process
|-
| ||||
|-
| 4.5||||'''Authentication Testing'''
|-
| 4.5.1||OTG-AUTHN-001||Testing for Credentials Transported over an Encrypted Channel
|-
| 4.5.2||OTG-AUTHN-002||Testing for default credentials
|-
| 4.5.3||OTG-AUTHN-003||Testing for Weak lock out mechanism
|-
| 4.5.4||OTG-AUTHN-004||Testing for bypassing authentication schema
|-
| 4.5.5||OTG-AUTHN-005||Test remember password functionality
|-
| 4.5.6||OTG-AUTHN-006||Testing for Browser cache weakness
|-
| 4.5.7||OTG-AUTHN-007||Testing for Weak password policy
|-
| 4.5.8||OTG-AUTHN-008||Testing for Weak security question/answer
|-
| 4.5.9||OTG-AUTHN-009||Testing for weak password change or reset functionalities
|-
| 4.5.10||OTG-AUTHN-010||Testing for Weaker authentication in alternative channel
|-
| ||||
|-
| 4.6||||'''Authorization Testing'''
|-
| 4.6.1||OTG-AUTHZ-001||Test Management of Account Permissions
|-
| 4.6.2||OTG-AUTHZ-002||Testing Directory traversal/file include
|-
| 4.6.3||OTG-AUTHZ-003||Testing for bypassing authorization schema
|-
| 4.6.4||OTG-AUTHZ-004||Testing for Privilege Escalation
|-
| 4.6.5||OTG-AUTHZ-005||Testing for Insecure Direct Object References
|-
| 4.6.6||OTG-AUTHZ-006||Testing for Failure to Restrict access to authorized resource
|-
| 4.6.7||OTG-AUTHZ-007||Test privileges of server components
|-
| 4.6.8||OTG-AUTHZ-008||Test enforcement of application entry points
|-
| 4.6.9||OTG-AUTHZ-009||Testing for failure to restrict access to authenticated resource
|-
| ||||
|-
| 4.7||||'''Session Management Testing'''
|-
| 4.7.1||OTG-SESS-001 ||Testing for Bypassing Session Management Schema
|-
| 4.7.2||OTG-SESS-002||Testing for Cookies attributes
|-
| 4.7.3||OTG-SESS-003||Testing for Session Fixation
|-
| 4.7.4||OTG-SESS-004||Testing for Exposed Session Variables
|-
| 4.7.5||OTG-SESS-005||Testing for Cross Site Request Forgery
|-
| 4.7.6||OTG-SESS-006||Test Session Token Strength
|-
| 4.7.7||OTG-SESS-007 ||Testing for logout functionality
|-
| 4.7.8||OTG-SESS-008||Test Session Timeout
|-
| 4.7.9||OTG-SESS-009||Test multiple concurrent sessions
|-
| 4.7.10||OTG-SESS-010||Testing for Session puzzling
|-
| ||||
|-
| 4.8||||'''Data Validation Testing'''
|-
| 4.8.1||OTG-INPVAL-001||Testing for Reflected Cross Site Scripting
|-
| 4.8.2||OTG-INPVAL-002||Testing for Stored Cross Site Scripting
|-
| 4.8.3||OTG-INPVAL-003 ||Testing for HTTP Verb Tampering
|-
| 4.8.4||OTG-INPVAL-004||Testing for HTTP Parameter pollution
|-
| 4.8.5||OTG-INPVAL-005 ||Testing for Unvalidated Redirects and Forwards
|-
| 4.8.6||OTG-INPVAL-006||Testing for SQL Injection
|-
| 4.8.6.1||||Oracle Testing
|-
| 4.8.6.2||||MySQL Testing
|-
| 4.8.6.3||||SQL Server Testing
|-
| 4.8.6.4||||Testing PostgreSQL
|-
| 4.8.6.5||||MS Access Testing
|-
| 4.8.6.6||||Testing for NoSQL injection
|-
| 4.8.7||OTG-INPVAL-007||Testing for LDAP Injection
|-
| 4.8.8||OTG-INPVAL-008||Testing for ORM Injection
|-
| 4.8.9||OTG-INPVAL-009||Testing for XML Injection
|-
| 4.8.10||OTG-INPVAL-010||Testing for SSI Injection
|-
| 4.8.11||OTG-INPVAL-011||Testing for XPath Injection
|-
| 4.8.12||OTG-INPVAL-012||IMAP/SMTP Injection
|-
| 4.8.13||OTG-INPVAL-013||Testing for Code Injection
|-
| 4.8.13.1||||Testing for Local File Inclusion
|-
| 4.8.13.2||||Testing for Remote File Inclusion
|-
| 4.8.14||OTG-INPVAL-014||Testing for Command Injection
|-
| 4.8.15||OTG-INPVAL-015||Testing for Buffer overflow
|-
| 4.8.15.1||||Testing for Heap overflow
|-
| 4.8.15.2||||Testing for Stack overflow
|-
| 4.8.15.3||||Testing for Format string
|-
| 4.8.16||OTG-INPVAL-016||Testing for incubated vulnerabilities
|-
| 4.8.17||OTG-INPVAL-017||Testing for HTTP Splitting/Smuggling
|-
| ||||
|-
| 4.9||||'''Error Handling'''
|-
| 4.9.1||OTG-ERR-001||Analysis of Error Codes
|-
| 4.9.2||OTG-ERR-002||Analysis of Stack Traces
|-
| ||||
|-
| 4.1||||'''Cryptography'''
|-
| 4.10.1||OTG-CRYPST-001||Testing for Insecure encryption usage
|-
| 4.10.2||OTG-CRYPST-001||Testing for Weak SSL/TSL Ciphers, Insufficient Transport Layer Protection
|-
| 4.10.3||OTG-CRYPST-003||Testing for Padding Oracle
|-
| 4.10.4||OTG-CRYPST-004||Testing for Cacheable HTTPS Response
|-
| 4.10.5||OTG-CRYPST-005||Test Cache Directives
|-
| 4.10.6||OTG-CRYPST-006||Testing for Insecure Cryptographic Storage
|-
| 4.10.7||OTG-CRYPST-007||Testing for Sensitive information sent via unencrypted channels
|-
| 4.10.8||OTG-CRYPST-008||Test Cryptographic Key Management
|-
| ||||
|-
| 4.11||||'''Logging'''
|-
| 4.11.1||OTG-LOG-001||Test time synchronisation
|-
| 4.11.2||OTG-LOG-002||Test user-viewable log of authentication events
|-
| ||||
|-
| 4.12||OWASP-BL-001||'''Business Logic Testing'''
|-
| 4.12.1||OTG-BUSLOGIC-001||Test Business Logic Data Validation
|-
| 4.12.2||OTG-BUSLOGIC-002||Test Ability to Forge Requests
|-
| 4.12.3||OTG-BUSLOGIC-003||Test Integrity Checks
|-
| 4.12.4||OTG-BUSLOGIC-004||Test for Process Timing
|-
| 4.12.5||OTG-BUSLOGIC-005||Test Number of Times a Function Can be Used Limits
|-
| 4.12.6||OTG-BUSLOGIC-006||Testing for the Circumvention of Work Flows
|-
| 4.12.7||OTG-BUSLOGIC-007||Test Defenses Against Application Mis-use
|-
| 4.12.8||OTG-BUSLOGIC-008||Test Upload of Unexpected File Types
|-
| 4.12.9||OTG-BUSLOGIC-009||Test Upload of Malicious Files
|-
| ||||
|-
| 4.15||||'''Client Side Testing'''
|-
| 4.15.1||OTG-CLIENT-001||Testing for DOM based Cross Site Scripting
|-
| 4.15.2||OWASP-CS-002||Testing for JavaScript Execution
|-
| 4.15.3||OWASP-CS-003||Testing for HTML Injection
|-
| 4.15.4||OWASP-CS-004 ||Testing for Client Side URL Redirect
|-
| 4.15.5||OWASP-CS-005||Testing for CSS Injection
|-
| 4.15.6||OWASP-CS-006||Testing for Client Side Resource Manipulation
|-
| 4.15.7||OTG-CLIENT-007||Test Cross Origin Resource Sharing
|-
| 4.15.8||OTG-CLIENT-008||Testing for Cross Site Flashing
|-
| 4.15.9||OTG-CLIENT-009||Testing for Clickjacking
|-
| 4.15.10||OTG-CLIENT-010||Testing WebSockets
|-
| 4.15.11||OTG-CLIENT-011||Test Web Messaging
|-
| 4.15.12||OTG-CLIENT-012||Test Local Storage
|-
|
|}

OWASP Romania InfoSec Conference 2013 Agenda

2013-10-28T19:21:36Z

Dan Vasile:

__NOTOC__

{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="4"
| style="width:100%" valign="middle" height="40" bgcolor="#CCCCEE" align="center" colspan="6" | <h2>Agenda </h2>
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Time'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Title'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Speaker'''
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description'''
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 10:30 - 11:00 (30 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Registration
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" |
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="justify" colspan="0" |
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 11:00 - 11:15 (15 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Introduction & Welcome
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | [http://ro.linkedin.com/pub/oana-cornea/55/430/b10 Oana Cornea]
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="justify" colspan="0" | Introduction to OWASP & Bucharest Event, Schedule for the Day
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 11:15 - 12:00 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Secure Development LifeCycle 
(aka "The good the bad and the ugly implementations") [https://www.owasp.org/images/1/1a/OWASP_-_InfoSec_Romania_-_SDLC_the_good%2C_the_bad_and_the_ugly_.pdf]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://nl.linkedin.com/pub/martin-knobloch/3/182/b97 Martin Knobloch]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Software development is not THAT new anymore, but it is still a fast changing work environment. 
We do develop more functionality faster, and the applications do even look more pretty! 
But what about security? Guess what, it is not a developers first priority! 
This presentation is about how to implement secure development strategy without blaming and bashing on developers. Instead of increasing the workload of the development-team with more process overhead, (security) quality gates, etc. 
Lets help developer by implementing impalpable mechanism!
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 12:05 - 12:50 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Practical Defense with mod_security Web Application Firewall
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ie.linkedin.com/in/mventuneac Marian Ventuneac]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Marian will introduce the mod_security Web Application Firewall (WAF). This session will be a practical demonstration of mitigating security risks for a sample vulnerable Web application.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 12:55 - 13:40 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Scanning Romania with Nessus (web part) [https://www.owasp.org/images/e/e9/OWASP_-_InfoSec_Romania_-AdrianFurtuna_ScanningRomania.pdf]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/in/adrianfurtuna Adrian Furtuna]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | This talk presents the results of a passive vulnerability scan performed against all Romanian IP addresses, targeting all web servers listening on port 80. 
The research was performed against multiple network packet captures selected from the output of Carna botnet, which scanned Romania in July 2012.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 13:40 - 14:30 (50 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |Lunch/Coffee Break
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 14:30 - 15:15 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Reading the minds [https://www.owasp.org/images/c/c7/OWASP_-_InfoSec_Romania_-reading-the-minds.pdf]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/pub/anatolie-prisacaru/45/232/764 Anatolie Prisacaru]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | In my presentation I will focus the analysis of what data web browsers, extensions and web servers keep in memory. I will start with a quick introduction on how to dump and analyse processes' random access memory maps on a Linux based operating system with basic tools and then run a quick code review to see a couple of weak points, find their Achilles' heel and finally prove why statements like "Your sensitive data is encrypted _locally_ before upload so even LastPass cannot get access to it" can be pretty misleading.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 15:20 - 16:05 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Online Fraud and the part it plays in Cybercrime [https://www.owasp.org/images/3/3b/OWASP_-_InfoSec_Romania_-_Online_Fraud.pdf]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/pub/alex-doroftei/50/b74/36b Alexandru Doroftei]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | The presentation will be about what is online fraud, what risks do companies face when they support e-commerce and the growing role fraud has in the cybercrime area. I will describe a few of the best practices against fraud, diving a little bit in the fraud industry numbers associated with fraud.
|-)
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 16:10 - 16:55 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Hacking the Wordpress ecosystem [https://www.owasp.org/images/9/9a/Dan_Catalin_VASILE_-_Hacking_the_Wordpress_EcoSystem.pdf]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/pub/dan-catalin-vasile/1a/549/384 Dan Catalin Vasile]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | This talk came from the personal need of securing multiple instances of Wordpress. An OWASP Project was initiated to gather the knowledge around this subject in one place. 
The presentation will address the following subjects: 
- securing the installation process 
- server side measures: backup, securing login, antivirus, regular scan, web firewall, monitoring, permissions, etc. 
- client side measures: personal devices security, password management, communication channels, etc. 
- hacking the infrastructure 
- hacking plugins
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 17:00 - 17:45 (45 mins)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Resolving 3 Common threats in MVC (A4 - Insecure Direct Object References , A3 - Cross-Site Scripting (XSS) , A8 - Cross-Site Request Forgery (CSRF) ) [https://www.owasp.org/images/6/6d/OWASP_-_InfoSec_Romania_-AndreiIgnat.pdf]
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/in/ignatandrei Andrei Ignat]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Any website is confronted with hackers. The security measures are easy to follow - and this presentation shares to you this knowledge.
|-
|}

File:Dan Catalin VASILE - Hacking the Wordpress EcoSystem.pdf

2013-10-28T19:17:18Z

Dan Vasile:

OWASP Romania InfoSec Conference 2013 Team

2013-10-15T12:32:28Z

File:Logo AGORA.jpg

2013-10-08T13:15:07Z

Dan Vasile:

OWASP Romania InfoSec Conference 2013

2013-09-24T19:28:43Z

Dan Vasile:

__NOTOC__

{{:Owasp Romania Conference header}}

=Welcome=

{| style="width: 100%;"
|-
| style="width: 100%; color: rgb(0, 0, 0);" |
{| style="border: 0px solid ; background: transparent none repeat scroll 0% 0%; width: 100%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;"
|-
| style="width: 95%; color: rgb(0, 0, 0);" |

'''Owasp Romania InfoSec Conference 2013 - October 25th'''

OWASP Romania team is happy to announce the '''OWASP Romania InfoSec Conference 2013''', a one day '''Security''' and '''Hacking Conference'''. It will take place on 25th of October, 2013 - Bucharest, Romania. 
The OWASP Romania InfoSec Conference objective is to raise awareness about application security, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

'''Who Should Attend?'''

*Application Developers
*Application Testers and Quality Assurance
*Application Project Management and Staff
*Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
*Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
*Security Managers and Staff
*Executives, Managers, and Staff Responsible for IT Security Governance
*IT Professionals Interesting in Improving IT Security
*Anyone interested in learning about or promoting Web Application Security 
 

= Conference details =
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="5"
|-
| align="center" style="background:#4B0082;" colspan="2" | 
'''CONFERENCE (Friday 25th of October)''' 
|-
|-
| style="width:20%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Date'''
| style="width:80%" valign="middle" bgcolor="#CCCCEE" align="center" colspan="0" | '''Location'''
|-
| valign="middle" bgcolor="#EEEEEE" align="center" | ''' Friday 25th of October '''
| valign="middle" bgcolor="#EEEEEE" align="left" | '''Venue Location: University "Politehnica" of Bucharest 
Venue Address: Splaiul Independentei nr. 313, sector 6, Bucuresti, ROMANIA; 
Postal cod: RO-060042''' 
Venue Map: [https://plus.google.com/101033585760098377632/about]
|-
| align="center" style="background:#CCCCEE;" colspan="2" | '''Price and registration'''
|-
| align="center" style="background:#EEEEEE;" colspan="2" | This event is '''FREE''', you need to register on the link provided below, print your ticket and present it at the entrance. 
'''Limited number of seats! Register now!''' [https://owasp-romaniachapter-infosec.eventbrite.com/ https://owasp-romaniachapter-infosec.eventbrite.com/ ]

|-
| align="center" style="background:#CCCCEE;" colspan="2" | '''Event details'''
|-
| align="left" style="background:#EEEEEE;" colspan="2" |
* The presentation slides will be in English
* The presentations will be held in Romanian, except the one of Mr. Martin Knobloch
* There will be a short Q&A session at the end of each presentation (please hold them until the presentation ends)
* A mid-day break will be available for speaking with the presenters and with each other

|}
 
{|style="vertical-align:top;width:90%;background-color:#white;padding:10px;border:1px solid silver;" align="center" cellspacing="4"
| style="width:100%" valign="middle" height="40" bgcolor="#CCCCEE" align="center" colspan="6" | '''Agenda '''
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Time'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Title'''
| style="width:25%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Speaker'''
| style="width:40%" valign="middle" height="30" bgcolor="#CCCCEE" align="center" colspan="0" | '''Description'''
|-
| style="width:10%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | 15 mins
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | Introduction & Welcome
| style="width:25%" valign="middle" height="30" bgcolor="#CCEEEE" align="center" colspan="0" | [http://ro.linkedin.com/pub/oana-cornea/55/430/b10 Oana Cornea]
| style="width:40%" valign="middle" height="30" bgcolor="#CCEEEE" align="justify" colspan="0" | Introduction to OWASP & Bucharest Event, Schedule for the Day
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 45 mins
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Secure Development LifeCycle 
(aka "The good the bad and the ugly implementations")
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://nl.linkedin.com/pub/martin-knobloch/3/182/b97 Martin Knobloch]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Software development is not THAT new anymore, but it is still a fast changing work environment. 
We do develop more functionality faster, and the applications do even look more pretty! 
But what about security? Guess what, it is not a developers first priority! 
This presentation is about how to implement secure development strategy without blaming and bashing on developers. Instead of increasing the workload of the development-team with more process overhead, (security) quality gates, etc. 
Lets help developer by implementing impalpable mechanism!
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 45 mins
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Practical Defense with mod_security Web Application Firewall
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ie.linkedin.com/in/mventuneac Marian Ventuneac]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Marian will introduce the mod_security Web Application Firewall (WAF). This session will be a practical demonstration of mitigating security risks for a sample vulnerable Web application.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 45 mins
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Scanning Romania with Nessus (web part)
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/in/adrianfurtuna Adrian Furtuna]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | This talk presents the results of a passive vulnerability scan performed against all Romanian IP addresses, targeting all web servers listening on port 80. 
The research was performed against multiple network packet captures selected from the output of Carna botnet, which scanned Romania in July 2012.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 45 mins
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Reading the minds
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/pub/anatolie-prisacaru/45/232/764 Anatolie Prisacaru]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | In my presentation I will focus the analysis of how web browsers and extensions keep in memory. I will start with a quick introduction on how to dump and analyse processes' random access memory maps on a Linux based operating system with basic tools and then run a quick code review to see a couple of weak points, find their Achilles' heel and finally prove why statements like "Your sensitive data is encrypted _locally_ before upload so even LastPass cannot get access to it" can be pretty misleading.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 45 mins
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Resolving 3 Common threats in MVC (A4 - Insecure Direct Object References , A3 - Cross-Site Scripting (XSS) , A8 - Cross-Site Request Forgery (CSRF) )
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/in/ignatandrei Andrei Ignat]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | Any website is confronted with hackers. The security measures are easy to follow - and this presentation shares to you this knowledge.
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 45 mins
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Hacking the Wordpress ecosystem
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/pub/dan-catalin-vasile/1a/549/384 Dan Catalin Vasile]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | This talk came from the personal need of securing multiple instances of Wordpress. An OWASP Project was initiated to gather the knowledge around this subject in one place. 
The presentation will address the following subjects: 
- securing the installation process 
- server side measures: backup, securing login, antivirus, regular scan, web firewall, monitoring, permissions, etc. 
- client side measures: personal devices security, password management, communication channels, etc. 
- hacking the infrastructure 
- hacking plugins
|-
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 45 mins
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | iOS applications risks and defenses
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [http://ro.linkedin.com/pub/oana-cornea/55/430/b10 Oana Cornea]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" | The presentation will highlight the main iOS applications attack vectors, techniques and tools to perform a pentest and mechanisms that can be implemented to reduce application vulnerabilities. These will be presented in connection with the Owasp top ten mobile risks and will show how to improve the security of mobile applications.
|-
|}

=Sponsors =

 
{| cellspacing="10" border="0" valign="middle" align="center" style="background: none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;"
|-
| <h2>Event Supporters</h2>
|-
| [[Image:Logo_phpromania.png|300px|link=http://www.phpromania.net/]]
|-
| <h2>Educational Supporters</h2>
|-
| [[Image:UPBlogo.png|150px|link=http://www.upb.ro/en/]]
|
|}
=Questions=

*If you have any questions about this event, please send an email to [mailto:oana.cornea@owasp.org Oana Cornea]

2013-09-24T15:31:09Z

Dan Vasile:

2013-09-14T22:51:19Z

Dan Vasile:

Romania

2013-09-14T22:47:13Z

Dan Vasile:

{{Chapter Template|chaptername=Romania|extra= The Chapter leader is [mailto:oana.cornea@owasp.org Oana Cornea] 
The Chapter Board Members are:
* [mailto:tudor.enache@owasp.org Tudor Enache]
* [mailto:danvasile@pentest.ro Dan Vasile]
* [mailto:chirita.ionel@gmail.com Ionel Chirita]
* [mailto:Marian.ventuneac@owasp.org Marian Ventuneac]

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Romania|emailarchives=http://lists.owasp.org/pipermail/owasp-Romania}}

== Local News ==

== Upcoming event: OWASP Romania InfoSec Conference 2013, Oct 25 ==

'''Location and host: "Politehnica" University, Bucureşti, România'''
[https://www.owasp.org/index.php/OwaspRomaniaConference OWASP Romania InfoSec Conference 2013]
 

== OWASP Romania Chapter Meeting #4: Aug 22, 2013 ==

'''Location and host: SemaParc RiverView Building, 6th floor, Str. Splaiul Independentei, nr. 309, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Owasp updates and projects
20:00 - 21:00 Presentation: "Application Security Introduction", Cristian Pascariu
 
== OWASP Romania Chapter Meeting #3: Jun 5, 2013 ==

'''Location and host: "Politehnica" University, Bucureşti, România'''
'''Time: 14:30'''
Owasp EU Tour 2013 [https://www.owasp.org/index.php/EUTour2013_Bucharest_Agenda] 
Here are the presentations: 
<ul>
<li>
'''Introduction to Owasp''' - Ionel Chirita [https://www.owasp.org/images/9/9d/OWASP_EU_Tour_2013_Bucharest_Ionel_Chirita.pdf]</li>
<li>'''Investing in security''' - Claudiu Constantinescu [https://www.owasp.org/images/6/6c/OWASP_EU_Tour_2013_Bucharest_Claudiu_Constantinescu.pdf]</li>
<li>'''Penetration testing - a way of improving our cyber security''' - Adrian Furtuna [https://www.owasp.org/images/9/93/OWASP_EU_Tour_2013_Bucharest_AdrianFurtuna.pdf]</li>
<li>'''Android reverse engineering: understanding third-party applications''' - Vicente Aguilera Diaz [https://www.owasp.org/images/a/a6/OWASP_EU_Tour_2013_Bucharest_Vicente_Aguilera_Diaz.pdf]</li>
<li>'''The Trouble with Passwords''' - Mark Goodwin [http://people.mozilla.com/~mgoodwin/presentations/20130410/shells/embedder.html#http://people.mozilla.com/~mgoodwin/presentations/20130410/template.html]</li>
<li>'''Hacking the ViewState in ASP.NET''' - Ovidiu Diaconescu[https://www.owasp.org/images/d/d3/OWASP_EU_Tour_2013_Bucharest_OvidiuDiaconescu.pdf] </li>
<li>'''Do you "GRANT ALL PRIVILEGES ..." in MySQL/MariaDB/Percona Server? '''- Gabriel Preda[https://www.owasp.org/images/2/2c/OWASP_EU_Tour_2013_Bucharest_Gabriel_Preda.pdf]</li>
</ul>
'''Some photos [https://www.owasp.org/index.php/File:OwaspEUTour_RomaniaChapterMeeting2013Photos.zip]'''
 
== OWASP Romania Chapter Meeting #2: Feb 28, 2013 ==

'''Location and host: Hanul Berarilor, Str. Poenaru Bordea, nr. 2, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:30 Member expectations, future meetings, OWASP projects, technical topics

Feb 10, 2013 Oana Cornea published iOS Application Security Testing Cheat Sheet [https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet]

May 26, 2011 OWASP Top 10 Web Application Security Risks at RONUA [http://ronua.ro/CS/groups/ronua-bucuresti/default.aspx]

 
== OWASP Romania Chapter Meeting #1: May 27, 2011 ==

'''Location and host: Muzeul Literaturii Române, Bd. Dacia 12, Sector 1, Bucureşti, România [http://www.mlr.ro]'''
'''Time: 17:00'''
17:00 - 17:15 Admission
17:15 - 17:30 Brief introduction to OWASP, Claudiu Constantinescu
17:30 - 18:00 Open discussion regarding OWASP Romania; what is expected or wished
18:00 - 18:15 Web Application Security Testing - comparison of 6 web application vulnerability scanners - Cristian
18:15 - 19:00 Other presentations and discussions

Everyone is welcome to join us at our chapter meetings, members and non-members.

[[Category:OWASP Chapter]]
[[Category:Europe]]

Romania

2013-09-14T22:36:08Z

Dan Vasile:

{{Chapter Template|chaptername=Romania|extra= The Chapter leader is [mailto:oana.cornea@owasp.org Oana Cornea] 
The Chapter Board Members are:
* [mailto:tudor.enache@owasp.org Tudor Enache]
* [mailto:danvasile@pentest.ro Dan Vasile]
* [mailto:chirita.ionel@gmail.com Ionel Chirita]
* [mailto:Marian.ventuneac@owasp.org Marian Ventuneac]

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Romania|emailarchives=http://lists.owasp.org/pipermail/owasp-Romania}}

== Local News ==

== Upcoming event: OWASP Romania InfoSec Conference 2013, Oct 25 ==

'''Location and host: "Politehnica" University, Bucureşti, România'''
OWASP Romania InfoSec Conference 2013 [https://www.owasp.org/index.php/OwaspRomaniaConference]
 

== OWASP Romania Chapter Meeting #4: Aug 22, 2013 ==

'''Location and host: SemaParc RiverView Building, 6th floor, Str. Splaiul Independentei, nr. 309, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:00 Owasp updates and projects
20:00 - 21:00 Presentation: "Application Security Introduction", Cristian Pascariu
 
== OWASP Romania Chapter Meeting #3: Jun 5, 2013 ==

'''Location and host: "Politehnica" University, Bucureşti, România'''
'''Time: 14:30'''
Owasp EU Tour 2013 [https://www.owasp.org/index.php/EUTour2013_Bucharest_Agenda] 
Here are the presentations: 
<ul>
<li>
'''Introduction to Owasp''' - Ionel Chirita [https://www.owasp.org/images/9/9d/OWASP_EU_Tour_2013_Bucharest_Ionel_Chirita.pdf]</li>
<li>'''Investing in security''' - Claudiu Constantinescu [https://www.owasp.org/images/6/6c/OWASP_EU_Tour_2013_Bucharest_Claudiu_Constantinescu.pdf]</li>
<li>'''Penetration testing - a way of improving our cyber security''' - Adrian Furtuna [https://www.owasp.org/images/9/93/OWASP_EU_Tour_2013_Bucharest_AdrianFurtuna.pdf]</li>
<li>'''Android reverse engineering: understanding third-party applications''' - Vicente Aguilera Diaz [https://www.owasp.org/images/a/a6/OWASP_EU_Tour_2013_Bucharest_Vicente_Aguilera_Diaz.pdf]</li>
<li>'''The Trouble with Passwords''' - Mark Goodwin [http://people.mozilla.com/~mgoodwin/presentations/20130410/shells/embedder.html#http://people.mozilla.com/~mgoodwin/presentations/20130410/template.html]</li>
<li>'''Hacking the ViewState in ASP.NET''' - Ovidiu Diaconescu[https://www.owasp.org/images/d/d3/OWASP_EU_Tour_2013_Bucharest_OvidiuDiaconescu.pdf] </li>
<li>'''Do you "GRANT ALL PRIVILEGES ..." in MySQL/MariaDB/Percona Server? '''- Gabriel Preda[https://www.owasp.org/images/2/2c/OWASP_EU_Tour_2013_Bucharest_Gabriel_Preda.pdf]</li>
</ul>
'''Some photos [https://www.owasp.org/index.php/File:OwaspEUTour_RomaniaChapterMeeting2013Photos.zip]'''
 
== OWASP Romania Chapter Meeting #2: Feb 28, 2013 ==

'''Location and host: Hanul Berarilor, Str. Poenaru Bordea, nr. 2, Bucureşti, România'''
'''Time: 19:00'''
19:00 - 20:30 Member expectations, future meetings, OWASP projects, technical topics

Feb 10, 2013 Oana Cornea published iOS Application Security Testing Cheat Sheet [https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet]

May 26, 2011 OWASP Top 10 Web Application Security Risks at RONUA [http://ronua.ro/CS/groups/ronua-bucuresti/default.aspx]

 
== OWASP Romania Chapter Meeting #1: May 27, 2011 ==

'''Location and host: Muzeul Literaturii Române, Bd. Dacia 12, Sector 1, Bucureşti, România [http://www.mlr.ro]'''
'''Time: 17:00'''
17:00 - 17:15 Admission
17:15 - 17:30 Brief introduction to OWASP, Claudiu Constantinescu
17:30 - 18:00 Open discussion regarding OWASP Romania; what is expected or wished
18:00 - 18:15 Web Application Security Testing - comparison of 6 web application vulnerability scanners - Cristian
18:15 - 19:00 Other presentations and discussions

Everyone is welcome to join us at our chapter meetings, members and non-members.

[[Category:OWASP Chapter]]
[[Category:Europe]]

OWASP Windows Binary Executable Files Security Checks Project

2013-08-23T15:24:59Z

Dan Vasile:

This checklist represent a series of tests and the associated tools to perform the tasks related to thick client testing.

We define the thick client as a computer (client) in client–server architecture or networks that typically provides rich functionality independent of the central server. The focus of this checklist will be around PC/Windows architecture, although general concepts apply to all thick clients.

==The Map==

[[File:Thick client testing.jpg]]

==Thick Client Security Testing==

===Information Gathering===

====Application Architecture====

====Platform Mapping====

====Languages and Frameworks====

===Client Side attacks===

====Files Analysis====

====Binary Analysis====

====Memory Analysis====

===Network Side Attacks===

====Installation Traffic====

====Run Time Traffic====

===Server Side Attacks===

====Network Layer Attacks====

====Layer 7 Attacks====

= Project About =
{{:Projects/OWASP_Windows_Binary_Executable_Files_Security_Checks_Project}}

[[Category:OWASP Project]]

OWASP Windows Binary Executable Files Security Checks Project

2013-08-23T15:20:53Z

Dan Vasile:

= Project About =
{{:Projects/OWASP_Windows_Binary_Executable_Files_Security_Checks_Project}}

= Binary Checklist =

This checklist represent a series of tests and the associated tools to perform the tasks related to thick client testing.

We define the thick client as a computer (client) in client–server architecture or networks that typically provides rich functionality independent of the central server. The focus of this checklist will be around PC/Windows architecture, although general concepts apply to all thick clients.

==The Map==

[[File:Thick client testing.jpg]]

==Thick Client Security Testing==

===Information Gathering===

====Application Architecture====

====Platform Mapping====

====Languages and Frameworks====

===Client Side attacks===

====Files Analysis====

====Binary Analysis====

====Memory Analysis====

===Network Side Attacks===

====Installation Traffic====

====Run Time Traffic====

===Server Side Attacks===

====Network Layer Attacks====

====Layer 7 Attacks====

[[Category:OWASP Project]]

2013-08-22T15:16:30Z

Dan Vasile:

OWASP Windows Binary Executable Files Security Checks Project

2013-08-22T15:14:02Z

Dan Vasile:

[[Category:New]]

= OWASP Windows Binary Executable Files Security Checks =
This checklist represent a series of tests and the associated tools to perform the tasks related to thick client testing.

We define the thick client as a computer (client) in client–server architecture or networks that typically provides rich functionality independent of the central server. The focus of this checklist will be around PC/Windows architecture, although general concepts apply to all thick clients.

==The Map==

[[File:Thick client testing.jpg]]

= Project About =
{{:Projects/OWASP_Windows_Binary_Executable_Files_Security_Checks_Project}}

[[Category:OWASP Project]]

OWASP Windows Binary Executable Files Security Checks Project

2013-08-22T15:12:38Z

Dan Vasile:

= OWASP Windows Binary Executable Files Security Checks =
This checklist represent a series of tests and the associated tools to perform the tasks related to thick client testing.

We define the thick client as a computer (client) in client–server architecture or networks that typically provides rich functionality independent of the central server. The focus of this checklist will be around PC/Windows architecture, although general concepts apply to all thick clients.

==The Map==

[[File:Thick client testing.jpg]]

= Project About =
{{:Projects/OWASP_Windows_Binary_Executable_Files_Security_Checks_Project}}

[[Category:OWASP Project]]

OWASP Windows Binary Executable Files Security Checks Project

2013-08-22T15:09:42Z

Dan Vasile:

= Project About =
{{:Projects/OWASP_Windows_Binary_Executable_Files_Security_Checks_Project}}

= OWASP Windows Binary Executable Files Security Checks =
This checklist represent a series of tests and the associated tools to perform the tasks related to thick client testing.

We define the thick client as a computer (client) in client–server architecture or networks that typically provides rich functionality independent of the central server. The focus of this checklist will be around PC/Windows architecture, although general concepts apply to all thick clients.

==The Map==

[[File:Thick client testing.jpg]]

[[Category:OWASP Project]]