Drupal Security by Ben Jeavons

Drupal is an open-source web application that powers over 2% of the web and, like any other application, is at risk of attack. This talk covers a range of topics about Drupal and security, including the state of Drupal security, the process and goals of Drupal's Security Team, and the APIs and best-practice configuration for maintaining a secure site.

Ben Jeavons is a software engineer at Acquia, a company providing products, services, and technical support for Drupal. Ben is a member of Drupal Security Team and co-author of the Drupal Security Whitepaper.

Complete webcast: https://www.youtube.com/watch?v=dC-TjZkMTk8

https://www.owasp.org/index.php/Montreal

OWASP Montréal

March 25, 2013

Transcript

1. Drupal Security. Ben Jeavons. OWASP & Drupal Meet-up, Monday, March 25th. (Slide footer: Monday, March 25, 13)
2. Drupal is secure: modern PHP application; powers 2% of the web; strong APIs & peer-reviewed; dedicated security team.
3. Drupal is secure: most vulnerabilities are in custom code & config; use Drupal APIs and practices; peer-review code and config ^ core.
4. Ben Jeavons: working with Drupal for 6 years; @benswords; member of the Drupal Security Team.
5. Acquia: Cloud; Drupal-specific services & tools; professional audits and training.
6. Drupal Security
7. Drupal: Drupal core; contributed projects.
8. Drupal: Drupal core; contributed projects; Drupal.org and the community; Security Team.
9. Core security features
10. Core security features: passwords salted and hashed with PHPass; access control and permission system; Form API protects against CSRF & semantic forgery.
11. Core security features: flood control; DB abstraction mitigates SQL injection; sanitization & filter functions; brute-force login prevention.
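The "DB abstraction mitigates SQL injection" point on slide 11, shown as an added example rather than code from the talk: Drupal 7's database API with bound placeholders beside the string concatenation it replaces. It assumes a Drupal 7 site; the example_* function names are hypothetical.

```php
<?php
// Added example, not code from the talk. Assumes Drupal 7's database API;
// the example_* function names are hypothetical.

/**
 * Vulnerable pattern: the caller's value is concatenated into the SQL
 * string, so whatever characters $uid contains are parsed as part of
 * the statement instead of as data.
 */
function example_titles_unsafe($uid) {
  return db_query("SELECT title FROM {node} WHERE uid = " . $uid)->fetchCol();
}

/**
 * Safe pattern: a named placeholder. The value travels to the database
 * separately from the statement (PDO prepared statements), so it can
 * never change the query. {node} is the table-prefix placeholder that
 * the abstraction layer rewrites.
 */
function example_titles($uid) {
  $result = db_query('SELECT title FROM {node} WHERE uid = :uid', array(':uid' => $uid));
  return $result->fetchCol();
}

/**
 * Array placeholders: db_query() expands :nids into a bound list
 * (:nids_0, :nids_1, ...) so an IN clause is parameterized too.
 */
function example_titles_by_nids(array $nids) {
  if (empty($nids)) {
    return array();
  }
  $result = db_query('SELECT title FROM {node} WHERE nid IN (:nids)', array(':nids' => $nids));
  return $result->fetchCol();
}

/**
 * LIKE searches need two steps: bind the value (done by condition())
 * and escape the LIKE wildcards with db_like(), otherwise an input of
 * "%" matches every row. Returns nid => title.
 */
function example_search_titles($fragment) {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', 1)
    ->condition('n.title', '%' . db_like($fragment) . '%', 'LIKE');
  return $query->execute()->fetchAllKeyed();
}
```

The placeholder forms are what the slide means by "DB abstraction": the query text is fixed at write time and only bound values vary, which is what removes the injection surface. The Coder module mentioned later in the talk flags the concatenation form.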
12. Core assumptions: filter on output; integrated admin interface; visible user names and internal IDs.
13. Ecosystem security: open-source & heavily peer-reviewed; notification system for updates; controlled repo access; enhanced security through contrib modules.
14. Statistics
15. drupalsecurityreport.com analyzed Security Advisories; Drupal in the context of the OWASP Top 10.
16. Security Advisories: contributed project SAs: 604; Drupal core SAs: 61.
17. Drupal vulnerabilities by popularity (pie chart of types reported in core and contrib SAs from June 1 2005 through March 20 2013). Categories: XSS, CSRF, Access bypass, SQLi, Arbitrary code execution, Information disclosure, Other. Chart values as extracted: 47%, 11%, 19%, 5%, 4%, 3%, 9%.
18. Bar chart: number of vulnerabilities by type (axis 0 to 400) for Drupal core vs. Drupal contrib projects, reported in SAs June 1 2005 through March 20 2013. Types: XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others.
19. Drupal in the wild: most vulnerabilities exist in custom code (modules or themes); insecure configuration or practices; running known vulnerable core/contrib; custom code is not well reviewed or tested.
20. Secure configuration (photo: http://www.flickr.com/photos/maistora/3237164755/)
21. Secure configuration: control user input with text formats.
22. Text formats
23. Text formats
24. Text formats: formats run when displaying input; Filtered HTML for untrusted roles; Full HTML for completely trusted roles.
25. (no text)
26. 1. Raw Input ... 4. Filtered Output (pipeline diagram)
27. Filtered HTML: the HTML filter limits the allowed tags.
28. ...or visit your-site.com/filter/tips
29. Writing secure code
30. Writing secure code: XSS and user input (photos: http://www.flickr.com/photos/nathaninsandiego/3757033518/ and http://flic.kr/p/6HZMaY)
31. (no text)
32. (no text)
33. (no text)
34. Code:

    ```php
    function my_callback() {
      $node = node_load(33);
      return theme('my_page', $node);
    }

    function theme_my_page($node) {
      // The node title is user input; printing it raw is an XSS vector.
      return '<div>' . $node->title . '</div>';
    }
    ```

35. XSS in themes, in page.tpl.php:

    ```php
    <div>
      <?php // The raw field value is printed without any filtering: XSS. ?>
      <?php print $node->field_my[0]['value']; ?>
    </div>
    ```

36. 1. Raw Input ... 4. Filtered Output (pipeline diagram)
37. (no text)
38. Code:

    ```php
    function my_callback() {
      $node = node_load(33);
      return theme('my_page', $node);
    }

    function theme_my_page($node) {
      // check_plain() escapes HTML special characters, so the title renders as text.
      return '<div>' . check_plain($node->title) . '</div>';
    }
    ```
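Slides 24 and 34 through 38 together describe sanitizing at output time. The following is an added example, not code from the talk: it puts the core Drupal 7 sanitizers side by side (check_plain() for plain strings, t() placeholders, field rendering through the author's text format, filter_xss() for HTML with an allow-list, l() for links) and shows a preprocess function that keeps raw values out of page.tpl.php. It assumes a Drupal 7 site with a text field named field_my on the node type, as on the slides; the example_* names and the $blurb argument are assumptions.

```php
<?php
// Added example, not code from the talk. Assumes Drupal 7 with a text
// field "field_my" on the node type; example_* names and $blurb are
// hypothetical.

/**
 * Renders node-derived strings with the right sanitizer for each case.
 * Core's assumption is "filter on output": store what the user typed,
 * sanitize at the moment it becomes HTML.
 *
 * @param $blurb
 *   Hypothetical user-supplied HTML snippet that should keep some markup.
 */
function example_node_summary($node, $blurb = '') {
  $output = '';

  // Plain text that must never be interpreted as HTML.
  $output .= '<h2>' . check_plain($node->title) . '</h2>';

  // t() sanitizes its placeholders: @name goes through check_plain(),
  // %name additionally wraps it in <em>. Only ! skips escaping and is
  // reserved for strings that are already safe HTML.
  $account = user_load($node->uid);
  if ($account) {
    $output .= '<p>' . t('Written by %name', array('%name' => $account->name)) . '</p>';
  }

  // A field value carries the text format its author was allowed to use.
  // field_view_value() renders the value through that format, so an
  // author limited to Filtered HTML can only get the allowed tags out.
  $items = field_get_items('node', $node, 'field_my');
  if ($items) {
    $output .= render(field_view_value('node', $node, 'field_my', $items[0]));
  }

  // User-supplied HTML rendered by hand: filter_xss() with an explicit
  // allow-list of tags. Event-handler attributes (on*) and unsafe URL
  // protocols are stripped regardless of the list.
  if ($blurb !== '') {
    $output .= '<p>' . filter_xss($blurb, array('a', 'em', 'strong')) . '</p>';
  }

  // l() escapes the link text by default, so the raw title is safe here.
  $output .= l($node->title, 'node/' . $node->nid);

  return $output;
}

/**
 * Implements hook_preprocess_page() for the page.tpl.php case on slide 35:
 * sanitize in the preprocess function and hand the template a variable
 * that is already safe, so the template never prints a raw value.
 */
function example_preprocess_page(&$variables) {
  $variables['my_field_html'] = '';
  if (!empty($variables['node'])) {
    $items = field_get_items('node', $variables['node'], 'field_my');
    if ($items) {
      $variables['my_field_html'] = render(field_view_value('node', $variables['node'], 'field_my', $items[0]));
    }
  }
}
// page.tpl.php then contains:  <div><?php print $my_field_html; ?></div>
```

The preprocess approach is the theme-layer counterpart of slide 38's check_plain() fix: the decision about which sanitizer applies is made once, in PHP, rather than at every print statement in a template.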
39. Writing secure code: access bypass (photo: http://www.flickr.com/photos/nikonvscanon/1816459664/)
40. Code:

    ```php
    function my_page_callback($nid) {
      // Loads and renders the node without checking whether the current user may view it.
      $node = node_load($nid);
      return node_view($node);
    }
    ```

41. Access controls: node_access(), specifically for nodes; $query->addTag('node_access'); user_access(), general user access control.
42. Code:

    ```php
    function my_page_callback($nid) {
      $node = node_load($nid);
      if (node_access('view', $node)) {
        return node_view($node);
      }
      else {
        return MENU_ACCESS_DENIED;
      }
    }
    ```
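The node_access() fix on slide 42 generalizes to the menu system and to queries. As an added example (not code from the talk), this hypothetical Drupal 7 module wires the check into hook_menu(), defines a permission so user_access() has something to test, and tags a listing query with 'node_access' as slide 41 recommends. The example_* names and the permission string are assumptions.

```php
<?php
// Added example, not code from the talk. Assumes Drupal 7; the module
// name "example", its function names and the permission are hypothetical.

/**
 * Implements hook_menu().
 *
 * %node makes the menu system call node_load() on that path argument, and
 * 'access callback' => 'node_access' runs the check before the page
 * callback, so an unauthorized user gets a 403 without any custom code.
 */
function example_menu() {
  $items['example/node/%node'] = array(
    'title' => 'Example node page',
    'page callback' => 'example_node_page',
    'page arguments' => array(2),
    'access callback' => 'node_access',
    'access arguments' => array('view', 2),
  );
  $items['example/report'] = array(
    'title' => 'Example report',
    'page callback' => 'example_report_page',
    // The default access callback is user_access(), so this is a permission check.
    'access arguments' => array('access example report'),
  );
  return $items;
}

/**
 * Implements hook_permission() so the permission used above exists and
 * can be granted per role on the permissions page.
 */
function example_permission() {
  return array(
    'access example report' => array('title' => t('Access the example report')),
  );
}

/**
 * Page callback: the menu system already checked node_access('view').
 * Re-checking is cheap and protects callers that reach this function
 * some other way (drush, another module, a cached menu item).
 */
function example_node_page($node) {
  if (!node_access('view', $node)) {
    return MENU_ACCESS_DENIED;
  }
  return node_view($node);
}

/**
 * A listing that respects node access: the 'node_access' tag lets the
 * node module (and any node access modules) append their grant conditions
 * to the query, so unpublished or restricted nodes never reach the page.
 */
function example_report_page() {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', 1)
    ->addTag('node_access');
  $rows = array();
  foreach ($query->execute() as $record) {
    // l() escapes the title, so user-controlled titles stay text.
    $rows[] = array(l($record->title, 'node/' . $record->nid));
  }
  return theme('table', array('header' => array(t('Title')), 'rows' => $rows));
}
```

The listing case is the one most often missed in custom code: a page callback can be protected by node_access() and still leak titles of restricted nodes through an untagged query, which is what slide 41's $query->addTag('node_access') item addresses.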
43. Drupal Security Team
44. Drupal Security Team: volunteers (but often not on their own time); security professionals & enthusiasts; dedicated for 8 years; publish Security Advisories for Drupal.
45. Issue process: vulnerability report; validation; contact maintainer to write fix; review; coordinate and write SA; commit fix and publish release and SA.
46. Issue process: if the maintainer doesn't respond, the project may be marked unsupported; team duties do not include reviewing all code.
47. Security Team: team duties do not include reviewing all code; looking for more team members ;)
48. Automated tools (photo: http://www.flickr.com/photos/hubmedia/2141860216/)
49. Steps to a mostly automated review: configuration analysis using Security Review; check for modified files with the Hacked! module; static code analysis using the Coder module; basic pen-testing using the "Vuln" Feature; more: drupalscout.com/node/11
50. Security Review: automatic secure configuration analysis; drupal.org/project/security_review
51. Custom code: Coder module; audit and peer review; drupal.org/writing-secure-code
52. Security modules: drupal.org/project/hardened_drupal; Paranoia; Security Kit (seckit); Email Confirm; more: drupalscout.com/node/31
53. drupal.org/security; drupalscout.com; drupalsecurityreport.com; ben.jeavons@acquia.com; @benswords