
Drupal Security by Ben Jeavons

Drupal is an open-source web application that powers over 2% of the web and, like any other application, is at risk of attack. This talk covers a range of topics about Drupal and security, including the state of Drupal security, the process and goals of Drupal's Security Team, and the APIs and best-practice configuration for maintaining a secure site.

Ben Jeavons is a software engineer at Acquia, a company providing products, services, and technical support for Drupal. Ben is a member of Drupal Security Team and co-author of the Drupal Security Whitepaper.

Complete webcast: https://www.youtube.com/watch?v=dC-TjZkMTk8

https://www.owasp.org/index.php/Montreal

OWASP Montréal

March 25, 2013

Transcript

  1. Drupal Security
    Ben Jeavons
    OWASP & Drupal Meet-up
    Monday, March 25th
    Monday, March 25, 13

    View Slide

  2. Drupal is secure
    Modern PHP application
    Powers 2% of the web
    Strong APIs & peer-reviewed
    Dedicated security team

  3. Drupal is secure
    Most vulnerabilities in custom code & config
    Use Drupal APIs and practices
    Peer-review code and config
    ^ core

  4. Ben Jeavons
    Working with Drupal for 6 years
    @benswords
    Member of Drupal Security Team

  5. Acquia Cloud
    Drupal-specific services & tools
    Professional audits and training

  6. Drupal Security

  7. Drupal
    Drupal core
    Contributed projects

  8. Drupal
    Drupal Core
    Contributed projects
    Drupal.org and the community
    Security Team

  9. Core security features

  10. Core security features
    Passwords salted and hashed with PHPass
    Access control and permission system
    Form API protects against CSRF & semantic forgery

  11. Core security features
    Flood control
    DB abstraction mitigates SQL injection
    Sanitization & filter functions
    Brute-force login prevention

  12. Core assumptions
    Filter on output
    Integrated admin interface
    Visible user names and internal IDs

  13. Ecosystem security
    Open-source & heavily peer-reviewed
    Notification system for updates
    Controlled repos access
    Enhanced security through contrib modules

  14. Statistics

  15. drupalsecurityreport.com
    Analyzed Security Advisories
    Drupal in the context of the OWASP Top 10

  16. Security Advisories
    Contributed project SAs: 604
    Drupal core SAs: 61

  17. Drupal vulnerabilities by popularity
    (Pie chart of Drupal vulnerabilities by type; legend: XSS, CSRF, Access bypass, SQLi, Arbitrary code execution, Information disclosure, Other; percentages as extracted: 47%, 11%, 19%, 5%, 4%, 3%, 9%)
    reported in core and contrib SAs from June 1 2005 through March 20 2013

  18. Vulnerabilities by type for core and contrib
    (Bar chart: number of vulnerabilities by type, axis 0 to 400, two series: Drupal Core and Drupal Contrib Projects; categories: XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others)
    reported in SAs June 1 2005 through March 20 2013

  19. Drupal in the wild
    Most vulnerabilities exist
    In custom code (modules or themes)
    Insecure configuration or practices
    Running known vulnerable core/contrib
    Custom code is not well reviewed or tested

  20. Secure configuration
    http://www.flickr.com/photos/maistora/3237164755/

  21. Secure configuration
    Control user input with text formats

  22. Text formats

  23. Text formats

  24. Text formats
    Formats run when displaying input
    Filtered HTML for untrusted roles
    Full HTML for completely trusted roles

  25. (image-only slide)

  26. (Diagram of the text-format pipeline: step 1 is raw input, step 4 is filtered output; the intermediate steps are not in the transcript)

  27. Filtered HTML
    HTML filter
    Limits the allowed tags

  28. or visit your-site.com/filter/tips

  29. Writing secure code

  30. Writing secure code
    XSS and user input
    http://www.flickr.com/photos/nathaninsandiego/3757033518/ http://flic.kr/p/6HZMaY

  31. (image-only slide)

  32. (image-only slide)

  33. (image-only slide)

  34. function my_callback() {
      $node = node_load(33);
      return theme('my_page', $node);
    }
    function theme_my_page($node) {
      // Title printed unescaped: HTML in the title reaches the browser (XSS).
      return '<div>' . $node->title . '</div>';
    }

  35. XSS in Themes
    in page.tpl.php
    <?php print $node->field_my[0]['value']; ?>

  36. (Diagram of the text-format pipeline: step 1 is raw input, step 4 is filtered output; the intermediate steps are not in the transcript)

  37. (image-only slide)

  38. function my_callback() {
      $node = node_load(33);
      return theme('my_page', $node);
    }
    function theme_my_page($node) {
      // check_plain() escapes the title so it is rendered as text, not markup.
      return '<div>' . check_plain($node->title) . '</div>';
    }
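An added Drupal 7 example (not from the slides) that ties the text-format slides and the check_plain() fix together: a page callback that uses check_plain() for the plain-text title, check_markup() to run a formatted field through the text format it was saved with, and filter_xss() to whitelist tags in a query-string value. The module name mymodule, the path safe/%node, the field field_my and the msg parameter are assumptions.

```php
<?php
// Added example, not from the slides. Drupal 7 page callback that renders
// node data with the right sanitizer for each kind of text. Module name
// "mymodule", path "safe/%node", field "field_my" and the "msg" query
// parameter are assumptions for illustration.

function mymodule_menu() {
  $items['safe/%node'] = array(
    'title' => 'Safe node view',
    'page callback' => 'mymodule_safe_page',
    'page arguments' => array(1),
    // %node loads the node; node_access('view', $node) gates the page.
    'access callback' => 'node_access',
    'access arguments' => array('view', 1),
  );
  return $items;
}

function mymodule_safe_page($node) {
  // The title is plain text: escape every character HTML could interpret.
  $title = check_plain($node->title);

  // A formatted text field stores the text format chosen when it was saved.
  // check_markup() runs that format's filters: Filtered HTML drops tags the
  // format does not allow; Full HTML should only be granted to trusted roles.
  $body = '';
  $items = field_get_items('node', $node, 'field_my');
  if ($items) {
    $format = isset($items[0]['format']) ? $items[0]['format'] : NULL;
    $body = check_markup($items[0]['value'], $format);
  }

  // Free-form text from the request may carry a few inline tags: whitelist
  // them with filter_xss() instead of printing $_GET straight into the page.
  $msg = isset($_GET['msg']) ? $_GET['msg'] : '';
  $msg = filter_xss($msg, array('em', 'strong'));

  return array(
    '#markup' => '<h2>' . $title . '</h2>' . $body . '<p>' . $msg . '</p>',
  );
}
```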

  39. Writing secure code
    Access bypass
    http://www.flickr.com/photos/nikonvscanon/1816459664/

  40. function my_page_callback($nid) {
      // No access check: any visitor who reaches this path sees the node.
      $node = node_load($nid);
      return node_view($node);
    }

  41. Access controls
    node_access() - specifically for nodes
    $query->addTag('node_access')
    user_access() - general user access control

  42. function my_page_callback($nid) {
      $node = node_load($nid);
      // Ask the node access system before rendering.
      if (node_access('view', $node)) {
        return node_view($node);
      }
      else {
        return MENU_ACCESS_DENIED;
      }
    }
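An added Drupal 7 example (not from the slides) for the other two access controls listed on slide 41: a node listing built with db_select() that carries the node_access query tag so the node access system filters the rows, and a menu entry protected by user_access() with a permission the module declares. The module name mymodule, the path and the permission string are assumptions.

```php
<?php
// Added example, not from the slides. Drupal 7 listing that enforces node
// access at the query level plus a permission-gated menu entry. Module name
// "mymodule", the path and the permission string are assumptions.

function mymodule_permission() {
  return array(
    'view mymodule report' => array(
      'title' => t('View the mymodule report'),
    ),
  );
}

// Page callback: the 20 newest published nodes the current user may view.
function mymodule_report_page() {
  // Without the node_access tag this query returns every published node,
  // including ones the user is not allowed to see (an access bypass).
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', 1)
    ->orderBy('n.created', 'DESC')
    ->range(0, 20);
  $query->addTag('node_access');

  $rows = array();
  foreach ($query->execute() as $record) {
    // l() runs the link text through check_plain() unless 'html' => TRUE,
    // so the untrusted title is escaped on output.
    $rows[] = array(l($record->title, 'node/' . $record->nid));
  }
  return array(
    '#theme' => 'table',
    '#header' => array(t('Title')),
    '#rows' => $rows,
  );
}

function mymodule_menu() {
  $items['mymodule/report'] = array(
    'title' => 'Report',
    'page callback' => 'mymodule_report_page',
    // user_access() checks the permission declared above for the current user.
    'access callback' => 'user_access',
    'access arguments' => array('view mymodule report'),
  );
  return $items;
}
```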

  43. Drupal Security Team

  44. Drupal Security Team
    Volunteers (but often not their time)
    Security professionals & enthusiasts
    Dedicated for 8 years
    Publish Security Advisories for Drupal

  45. Issue process
    Vulnerability report
    Validation
    Contact maintainer to write fix
    Review
    Coordinate and write SA
    Commit fix and publish release and SA

  46. Issue process
    If the maintainer doesn't respond, the project may be marked unsupported
    Team duties do not include reviewing all code

  47. Security Team
    Team duties do not include reviewing all code
    Looking for more team members ;)

  48. Automated tools
    http://www.flickr.com/photos/hubmedia/2141860216/

  49. Steps to a mostly automated review
    Configuration analysis using Security Review
    Check for modified files with Hacked! module
    Static code analysis using Coder module
    Basic pen-testing using “Vuln” Feature
    More: drupalscout.com/node/11

  50. Security Review
    Automatic secure configuration analysis
    drupal.org/project/security_review

  51. Custom code
    Coder module
    Audit and peer review
    drupal.org/writing-secure-code

  52. Security Modules
    drupal.org/project/hardened_drupal
    Paranoia
    Security Kit (seckit)
    Email Confirm
    More: drupalscout.com/node/31

  53. drupal.org/security
    drupalscout.com
    drupalsecurityreport.com
    [email protected]
    @benswords