Your SlideShare is downloading. ×
Hack-Proof Your Drupal App
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Hack-Proof Your Drupal App

5,254

Published on

Published in: Technology
0 Comments
6 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
5,254
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
80
Comments
0
Likes
6
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • collected and analyzed from June 1, 2005 through March 24, 2010
  • Transcript

    • 1. Hack-proof Your Drupal App Key Habits of Secure Drupal Coding Hack-proof Your Drupal App DrupalCamp NH 2011
    • 2.
      • http://twitter.com/ebeyrent
      • http://drupal.org/user/23897
      Introductions
      • Permissions API
      • Permissions Superuser
      • Crowd SSO
      • LDAP Extended Groups
      • Context Local Tasks
      • Search Lucene Biblio
      • Search Lucene Attachments
      • Search Lucene OG
      • Visual Search API
      My Modules Hack-proof Your Drupal App DrupalCamp NH 2011 Erich Beyrent
    • 3.
      • Agenda
      • Secrets to Securing a Social Network
      • Key Habits of Secure Drupal Coding
      • Vulnerability Detection to Remediation
      • Security Resources for Drupal Applications
      • See For Yourself - demonstrations of application attacks
      • Discussions
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 4. Have you ever... Hack-proof Your Drupal App DrupalCamp NH 2011
    • 5. Hack-proof Your Drupal App DrupalCamp NH 2011 Source: http://www.flickr.com/photos/wili/233621595/
    • 6. HILARITY DID NOT ENSUE Hack-proof Your Drupal App DrupalCamp NH 2011
    • 7.
      • The Results
      • 120 vulnerabilities were discovered
        • XSS
        • CSRF
        • SQL Injection
        • Insufficient Authorization
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 8.
      • What Was Learned
      • 90% of the vulnerabilities existed in the theme
      • Untrusted data from the query string was printed without filtering
      • Custom search forms were insecure
      • crossdomain.xml caused vulnerabilities
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 9.
      • Fixing The Problems
      • Completely reviewed the theme, implementing
      • Drupal output filters
      • Code was audited to ensure sanitization of all
      • user data
      • Rewrote the search forms to sanitize user data and use the Form API
      • Implemented web services proxy
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 10. Drupal Security Report
      • Authored by Ben Jeavons and Greg Knaddison
      • Provides an analysis of the current state of security in Drupal
      • Reports on the number of vulnerabilities by type reported in SAs for Drupal core and contributed modules
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 11. Source: Drupal Security Report http://drupalsecurityreport.org/ June 2005 – March 2010 Hack-proof Your Drupal App DrupalCamp NH 2011 By The Numbers
    • 12. Source: http://www.cvedetails.com/vendor/1367/Drupal.html Hack-proof Your Drupal App DrupalCamp NH 2011
    • 13.
      • Wrap your output
      Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding
    • 14.
      • Wrap your output
      • Protect your database
      Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding
    • 15.
      • Wrap your output
      • Protect your database
      • Beware user input
      Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding
    • 16.
      • Wrap your output
      • Protect your database
      • Beware user input
      • AJAX risks
      Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding
    • 17.
      • Reality
      Hack-proof Your Drupal App DrupalCamp NH 2011 YouTube (July 2010)
    • 18.
      • Reality
      • Security experts estimate that 66% of websites are vulnerable to XSS attacks (Jeremiah Grossman, WhiteHat Security)
      • The vast majority of vulnerabilities in Drupal are in XSS attacks
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 19. Why?
      • Drupal has at least 8 different APIs for sanitizing output
      • Security presentations are given at DrupalCons and DrupalCamps all around the world
      • Drupal Security Announcements
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 20.
      • Wrap Your Output
      • check_plain()
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 21.
      • check_plain()
      • This is for simple text without any markup.
      • Encodes special characters in a plain-text string for display as HTML.
      • Checks for UTF-8 to prevent cross site scripting attacks on Internet Explorer 6.
      • Don't use this when using the t(), l(); use placeholders
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 22.
      • Wrap Your Output
      • check_plain()
      • check_markup()
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 23.
      • check_markup()
      • This is for text which contains markup in some language
      • Runs all the enabled filters on a piece of text.
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 24.
      • Wrap Your Output
      • check_plain()
      • check_markup()
      • filter_xss()
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 25.
      • filter_xss()
      • Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities.
        • Removes characters and constructs that can trick browsers.
        • Makes sure all HTML entities are well-formed.
        • Makes sure all HTML tags and attributes are well-formed.
        • Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).
        • Source: http://http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss/7
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 26.
      • Wrap Your Output
      • check_plain()
      • check_markup()
      • filter_xss()
      • filter_xss_admin()
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 27.
      • filter_xss_admin()
      • Very permissive XSS/HTML filter for admin-only use. .
        • Use only for fields where it is impractical to use the whole filter system, but where some (mainly inline) mark-up is desired (so check_plain () is not acceptable).
        • Allows all tags that can be used inside an HTML body, save for scripts and styles.
        • Source:http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss_admin/7
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 28.
      • t()
      • String translation, sanitizes your output if used properly
      • t(“Input @s", array('@s' => $string));
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 29.
      • l()
      • Filters link text and protects against bad protocols
      • GOOD
      • print l($content, $link);
      • BAD
      • print '<a href=&quot;' . $link . '&quot;>' . $content . '</a>';
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 30.
      • drupal_set_title()
      • In Drupal 7, sanitized output by default!
      • drupal_set_title($tainted, CHECK_PLAIN);
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 31.
      • Protect Your Database
      • db_query()
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 32.
      • db_query()
      • Runs a query in the database with arguments to the query, passed in as separate parameters, which are escaped to prevent SQL injection attacks.
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 33.
      • db_query()
      • CORRECT:
        • db_query(“INSERT INTO {table} VALUES (%d, '%s')”, $node->profile_age, $node->profile_firstname);
      • WRONG:
        • db_query(“SELECT * FROM table WHERE field =
        • $node->profile_age”);
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 34.
      • Protect Your Database
      • db_query()
      • db_rewrite_sql() – Not in Drupal 7
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 35.
      • db_rewrite_sql()
      • Rewrites node, taxonomy and comment queries to respect Drupal's node access mechanism.
      • Protects against unauthorized access to content.
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 36.
      • db_rewrite_sql()
      • CORRECT:
        • db_query(db_rewrite_sql( “SELECT * FROM {node} WHERE uid = %d”, $uid));
      • INCORRECT:
        • db_query(“SELECT * FROM {node} WHERE uid = %d”, $uid);
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 37.
      • Beware User Input
      • Sources of user input:
        • Form fields
        • Uploaded files
        • Query string
        • Other sites
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 38.
      • This is an exploited comment.
      • <link rel=&quot;stylesheet&quot; type=&quot;text/css&quot; href=&quot;http://ha.ckers.org/xss.js{&quot;><script>alert('xss');</script>}body{font-family:{&quot; />
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 39.
      • AJAX Risks
      • AJAX transactions are not private
      • Eval() is not 100% safe; use JSONP
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 40.
      • Sanitize output
      • Use the Form API
      • Use parameterized queries
      • Leave core intact
      • Grant minimal permissions
      • Use HTTPS for social websites
      • Keep core and modules up to date!
      Hack-proof Your Drupal App DrupalCamp NH 2011 Things Good Drupalers Do
    • 41.
      • Printing raw values
      • Modifying data with $_GET
      • Parameterized queries? WTF?
      • Hacking core and killing kittens
      • Allowing untrusted users to post the following tags: script, img, iframe, embed, object, input, link, style, meta, frameset, div, base, table, tr, td
      • Allowing untrusted users to post full HTML
      Things That Will Bite You Hack-proof Your Drupal App DrupalCamp NH 2011
    • 42.
      • “ drupal” is NOT a good admin password!!
      • (neither is “lapurd”)
    • 43.
      • Other Common Mistakes
      • <?php
      • global $user;
      • // Bad – this will escalate the privileges
      • $user = user_load(array('uid' => $uid));
      • ?>
      • <?php
      • global $user;
      • // SAFE – do this instead
      • $account = user_load(array('uid' => $uid));
      • ?>
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 44.
      • Other Common Mistakes
      • Improper URL access
        • Incorrect usage of 'access callback' in hook_menu()
        • Lack of security settings on views
      • Writing forms in HTML
        • Use the Form API to provide automatic CSRF protection
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 45.
      • Other Common Mistakes
      • Unvalidated and open redirects
        • Iframes, drupal_goto, location.href
      • Promiscuous crossdomain.xml files
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 46.
      • Don't Trust User Input!
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 47.
      • http:// drupal.org
      • Writing Secure Code (http://drupal.org/writing-secure-code)
      • Handle Text in a Secure Fashion ( http://drupal.org/node/28984 )
      • Secure File Permissions: http://drupal.org/node/244924
      • Drupal Security Team
      • Drupal Security Resources
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 48.
      • Coder ( http:// drupal.org /project/coder )
      • Security Review ( http:// drupal.org/project/security_review )
      • Secure Code Review ( http:// drupal.org/project/secure_code_review )
      • Secure Permissions ( http:// drupal.org/project/secure_permissions )
      • Modules
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 49.
      • Pro Drupal Development book (VanDyk)
      • Cracking Drupal: A Drop in the Bucket (Knaddison)
      • XSS Scripting Attacks (Grossman)
      • Books
      Hack-proof Your Drupal App DrupalCamp NH 2011
    • 50.
      • Questions?
      Hack-proof Your Drupal App DrupalCamp NH 2011

    ×