Your SlideShare is downloading. ×
0
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Hack-Proof Your Drupal App
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Hack-Proof Your Drupal App

5,317

Published on

Published in: Technology
0 Comments
6 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
5,317
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
80
Comments
0
Likes
6
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • collected and analyzed from June 1, 2005 through March 24, 2010
  • Transcript

    • 1. Hack-proof Your Drupal App Key Habits of Secure Drupal Coding Hack-proof Your Drupal App DrupalCamp NH 2011
    • 2. <ul><li>http://twitter.com/ebeyrent </li></ul><ul><li>http://drupal.org/user/23897 </li></ul>Introductions <ul><li>Permissions API </li></ul><ul><li>Permissions Superuser </li></ul><ul><li>Crowd SSO </li></ul><ul><li>LDAP Extended Groups </li></ul><ul><li>Context Local Tasks </li></ul><ul><li>Search Lucene Biblio </li></ul><ul><li>Search Lucene Attachments </li></ul><ul><li>Search Lucene OG </li></ul><ul><li>Visual Search API </li></ul>My Modules Hack-proof Your Drupal App DrupalCamp NH 2011 Erich Beyrent
    • 3. <ul><li>Agenda </li></ul><ul><li>Secrets to Securing a Social Network </li></ul><ul><li>Key Habits of Secure Drupal Coding </li></ul><ul><li>Vulnerability Detection to Remediation </li></ul><ul><li>Security Resources for Drupal Applications </li></ul><ul><li>See For Yourself - demonstrations of application attacks </li></ul><ul><li>Discussions </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 4. Have you ever... Hack-proof Your Drupal App DrupalCamp NH 2011
    • 5. Hack-proof Your Drupal App DrupalCamp NH 2011 Source: http://www.flickr.com/photos/wili/233621595/
    • 6. HILARITY DID NOT ENSUE Hack-proof Your Drupal App DrupalCamp NH 2011
    • 7. <ul><li>The Results </li></ul><ul><li>120 vulnerabilities were discovered </li></ul><ul><ul><li>XSS </li></ul></ul><ul><ul><li>CSRF </li></ul></ul><ul><ul><li>SQL Injection </li></ul></ul><ul><ul><li>Insufficient Authorization </li></ul></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 8. <ul><li>What Was Learned </li></ul><ul><li>90% of the vulnerabilities existed in the theme </li></ul><ul><li>Untrusted data from the query string was printed without filtering </li></ul><ul><li>Custom search forms were insecure </li></ul><ul><li>crossdomain.xml caused vulnerabilities </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 9. <ul><li>Fixing The Problems </li></ul><ul><li>Completely reviewed the theme, implementing </li></ul><ul><li>Drupal output filters </li></ul><ul><li>Code was audited to ensure sanitization of all </li></ul><ul><li>user data </li></ul><ul><li>Rewrote the search forms to sanitize user data and use the Form API </li></ul><ul><li>Implemented web services proxy </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 10. Drupal Security Report <ul><li>Authored by Ben Jeavons and Greg Knaddison </li></ul><ul><li>Provides an analysis of the current state of security in Drupal </li></ul><ul><li>Reports on the number of vulnerabilities by type reported in SAs for Drupal core and contributed modules </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 11. Source: Drupal Security Report http://drupalsecurityreport.org/ June 2005 – March 2010 Hack-proof Your Drupal App DrupalCamp NH 2011 By The Numbers
    • 12. Source: http://www.cvedetails.com/vendor/1367/Drupal.html Hack-proof Your Drupal App DrupalCamp NH 2011
    • 13. <ul><li>Wrap your output </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding
    • 14. <ul><li>Wrap your output </li></ul><ul><li>Protect your database </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding
    • 15. <ul><li>Wrap your output </li></ul><ul><li>Protect your database </li></ul><ul><li>Beware user input </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding
    • 16. <ul><li>Wrap your output </li></ul><ul><li>Protect your database </li></ul><ul><li>Beware user input </li></ul><ul><li>AJAX risks </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding
    • 17. <ul><li>Reality </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011 YouTube (July 2010)
    • 18. <ul><li>Reality </li></ul><ul><li>Security experts estimate that 66% of websites are vulnerable to XSS attacks (Jeremiah Grossman, WhiteHat Security) </li></ul><ul><li>The vast majority of vulnerabilities in Drupal are in XSS attacks </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 19. Why? <ul><li>Drupal has at least 8 different APIs for sanitizing output </li></ul><ul><li>Security presentations are given at DrupalCons and DrupalCamps all around the world </li></ul><ul><li>Drupal Security Announcements </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 20. <ul><li>Wrap Your Output </li></ul><ul><li>check_plain() </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 21. <ul><li>check_plain() </li></ul><ul><li>This is for simple text without any markup. </li></ul><ul><li>Encodes special characters in a plain-text string for display as HTML. </li></ul><ul><li>Checks for UTF-8 to prevent cross site scripting attacks on Internet Explorer 6. </li></ul><ul><li>Don't use this when using the t(), l(); use placeholders </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 22. <ul><li>Wrap Your Output </li></ul><ul><li>check_plain() </li></ul><ul><li>check_markup() </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 23. <ul><li>check_markup() </li></ul><ul><li>This is for text which contains markup in some language </li></ul><ul><li>Runs all the enabled filters on a piece of text. </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 24. <ul><li>Wrap Your Output </li></ul><ul><li>check_plain() </li></ul><ul><li>check_markup() </li></ul><ul><li>filter_xss() </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 25. <ul><li>filter_xss() </li></ul><ul><li>Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities. </li></ul><ul><ul><li>Removes characters and constructs that can trick browsers. </li></ul></ul><ul><ul><li>Makes sure all HTML entities are well-formed. </li></ul></ul><ul><ul><li>Makes sure all HTML tags and attributes are well-formed. </li></ul></ul><ul><ul><li>Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:). </li></ul></ul><ul><ul><li>Source: http://http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss/7 </li></ul></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 26. <ul><li>Wrap Your Output </li></ul><ul><li>check_plain() </li></ul><ul><li>check_markup() </li></ul><ul><li>filter_xss() </li></ul><ul><li>filter_xss_admin() </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 27. <ul><li>filter_xss_admin() </li></ul><ul><li>Very permissive XSS/HTML filter for admin-only use. . </li></ul><ul><ul><li>Use only for fields where it is impractical to use the whole filter system, but where some (mainly inline) mark-up is desired (so check_plain () is not acceptable). </li></ul></ul><ul><ul><li>Allows all tags that can be used inside an HTML body, save for scripts and styles. </li></ul></ul><ul><ul><li>Source:http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss_admin/7 </li></ul></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 28. <ul><li>t() </li></ul><ul><li>String translation, sanitizes your output if used properly </li></ul><ul><li>t(“Input @s&quot;, array('@s' => $string)); </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 29. <ul><li>l() </li></ul><ul><li>Filters link text and protects against bad protocols </li></ul><ul><li>GOOD </li></ul><ul><li>print l($content, $link); </li></ul><ul><li>BAD </li></ul><ul><li>print '<a href=&quot;' . $link . '&quot;>' . $content . '</a>'; </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 30. <ul><li>drupal_set_title() </li></ul><ul><li>In Drupal 7, sanitized output by default! </li></ul><ul><li>drupal_set_title($tainted, CHECK_PLAIN); </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 31. <ul><li>Protect Your Database </li></ul><ul><li>db_query() </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 32. <ul><li>db_query() </li></ul><ul><li>Runs a query in the database with arguments to the query, passed in as separate parameters, which are escaped to prevent SQL injection attacks. </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 33. <ul><li>db_query() </li></ul><ul><li>CORRECT: </li></ul><ul><ul><li>db_query(“INSERT INTO {table} VALUES (%d, '%s')”, $node->profile_age, $node->profile_firstname); </li></ul></ul><ul><li>WRONG: </li></ul><ul><ul><li>db_query(“SELECT * FROM table WHERE field = </li></ul></ul><ul><ul><li>$node->profile_age”); </li></ul></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 34. <ul><li>Protect Your Database </li></ul><ul><li>db_query() </li></ul><ul><li>db_rewrite_sql() – Not in Drupal 7 </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 35. <ul><li>db_rewrite_sql() </li></ul><ul><li>Rewrites node, taxonomy and comment queries to respect Drupal's node access mechanism. </li></ul><ul><li>Protects against unauthorized access to content. </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 36. <ul><li>db_rewrite_sql() </li></ul><ul><li>CORRECT: </li></ul><ul><ul><li>db_query(db_rewrite_sql( “SELECT * FROM {node} WHERE uid = %d”, $uid)); </li></ul></ul><ul><li>INCORRECT: </li></ul><ul><ul><li>db_query(“SELECT * FROM {node} WHERE uid = %d”, $uid); </li></ul></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 37. <ul><li>Beware User Input </li></ul><ul><li>Sources of user input: </li></ul><ul><ul><li>Form fields </li></ul></ul><ul><ul><li>Uploaded files </li></ul></ul><ul><ul><li>Query string </li></ul></ul><ul><ul><li>Other sites </li></ul></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 38. <ul><li>This is an exploited comment. </li></ul><ul><li><link rel=&quot;stylesheet&quot; type=&quot;text/css&quot; href=&quot;http://ha.ckers.org/xss.js{&quot;><script>alert('xss');</script>}body{font-family:{&quot; /> </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 39. <ul><li>AJAX Risks </li></ul><ul><li>AJAX transactions are not private </li></ul><ul><li>Eval() is not 100% safe; use JSONP </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 40. <ul><li>Sanitize output </li></ul><ul><li>Use the Form API </li></ul><ul><li>Use parameterized queries </li></ul><ul><li>Leave core intact </li></ul><ul><li>Grant minimal permissions </li></ul><ul><li>Use HTTPS for social websites </li></ul><ul><li>Keep core and modules up to date! </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011 Things Good Drupalers Do
    • 41. <ul><li>Printing raw values </li></ul><ul><li>Modifying data with $_GET </li></ul><ul><li>Parameterized queries? WTF? </li></ul><ul><li>Hacking core and killing kittens </li></ul><ul><li>Allowing untrusted users to post the following tags: script, img, iframe, embed, object, input, link, style, meta, frameset, div, base, table, tr, td </li></ul><ul><li>Allowing untrusted users to post full HTML </li></ul>Things That Will Bite You Hack-proof Your Drupal App DrupalCamp NH 2011
    • 42. <ul><li>“ drupal” is NOT a good admin password!! </li></ul><ul><li>(neither is “lapurd”) </li></ul>
    • 43. <ul><li>Other Common Mistakes </li></ul><ul><li><?php </li></ul><ul><li>global $user; </li></ul><ul><li>// Bad – this will escalate the privileges </li></ul><ul><li>$user = user_load(array('uid' => $uid)); </li></ul><ul><li>?> </li></ul><ul><li><?php </li></ul><ul><li>global $user; </li></ul><ul><li>// SAFE – do this instead </li></ul><ul><li>$account = user_load(array('uid' => $uid)); </li></ul><ul><li>?> </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 44. <ul><li>Other Common Mistakes </li></ul><ul><li>Improper URL access </li></ul><ul><ul><li>Incorrect usage of 'access callback' in hook_menu() </li></ul></ul><ul><ul><li>Lack of security settings on views </li></ul></ul><ul><li>Writing forms in HTML </li></ul><ul><ul><li>Use the Form API to provide automatic CSRF protection </li></ul></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 45. <ul><li>Other Common Mistakes </li></ul><ul><li>Unvalidated and open redirects </li></ul><ul><ul><li>Iframes, drupal_goto, location.href </li></ul></ul><ul><li>Promiscuous crossdomain.xml files </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 46. <ul><li>Don't Trust User Input! </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 47. <ul><li>http:// drupal.org </li></ul><ul><li>Writing Secure Code (http://drupal.org/writing-secure-code) </li></ul><ul><li>Handle Text in a Secure Fashion ( http://drupal.org/node/28984 ) </li></ul><ul><li>Secure File Permissions: http://drupal.org/node/244924 </li></ul><ul><li>Drupal Security Team </li></ul><ul><li>Drupal Security Resources </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 48. <ul><li>Coder ( http:// drupal.org /project/coder ) </li></ul><ul><li>Security Review ( http:// drupal.org/project/security_review ) </li></ul><ul><li>Secure Code Review ( http:// drupal.org/project/secure_code_review ) </li></ul><ul><li>Secure Permissions ( http:// drupal.org/project/secure_permissions ) </li></ul><ul><li>Modules </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 49. <ul><li>Pro Drupal Development book (VanDyk) </li></ul><ul><li>Cracking Drupal: A Drop in the Bucket (Knaddison) </li></ul><ul><li>XSS Scripting Attacks (Grossman) </li></ul><ul><li>Books </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    • 50. <ul><li>Questions? </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011

    ×