Hack-Proof Your Drupal App

Hack-proof Your Drupal App Key Habits of Secure Drupal Coding Hack-proof Your Drupal App DrupalCamp NH 2011

http://twitter.com/ebeyrent
http://drupal.org/user/23897
Introductions
Permissions API
Permissions Superuser
Crowd SSO
LDAP Extended Groups
Context Local Tasks
Search Lucene Biblio
Search Lucene Attachments
Search Lucene OG
Visual Search API
My Modules Hack-proof Your Drupal App DrupalCamp NH 2011 Erich Beyrent

Agenda
Secrets to Securing a Social Network
Key Habits of Secure Drupal Coding
Vulnerability Detection to Remediation
Security Resources for Drupal Applications
See For Yourself - demonstrations of application attacks
Discussions
Hack-proof Your Drupal App DrupalCamp NH 2011

Have you ever... Hack-proof Your Drupal App DrupalCamp NH 2011

Hack-proof Your Drupal App DrupalCamp NH 2011 Source: http://www.flickr.com/photos/wili/233621595/

HILARITY DID NOT ENSUE Hack-proof Your Drupal App DrupalCamp NH 2011

The Results
120 vulnerabilities were discovered
XSS
CSRF
SQL Injection
Insufficient Authorization

What Was Learned
90% of the vulnerabilities existed in the theme
Untrusted data from the query string was printed without filtering
Custom search forms were insecure
crossdomain.xml caused vulnerabilities

Fixing The Problems
Completely reviewed the theme, implementing
Drupal output filters
Code was audited to ensure sanitization of all
user data
Rewrote the search forms to sanitize user data and use the Form API
Implemented web services proxy

Drupal Security Report
Authored by Ben Jeavons and Greg Knaddison
Provides an analysis of the current state of security in Drupal
Reports on the number of vulnerabilities by type reported in SAs for Drupal core and contributed modules

Source: Drupal Security Report http://drupalsecurityreport.org/ June 2005 – March 2010 Hack-proof Your Drupal App DrupalCamp NH 2011 By The Numbers

Source: http://www.cvedetails.com/vendor/1367/Drupal.html Hack-proof Your Drupal App DrupalCamp NH 2011

Wrap your output
Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding

Wrap your output
Protect your database

Wrap your output
Beware user input

Wrap your output
Beware user input
AJAX risks

Reality
Hack-proof Your Drupal App DrupalCamp NH 2011 YouTube (July 2010)

Reality
Security experts estimate that 66% of websites are vulnerable to XSS attacks (Jeremiah Grossman, WhiteHat Security)
The vast majority of vulnerabilities in Drupal are in XSS attacks

Why?
Drupal has at least 8 different APIs for sanitizing output
Security presentations are given at DrupalCons and DrupalCamps all around the world
Drupal Security Announcements

Wrap Your Output
check_plain()

check_plain()
This is for simple text without any markup.
Encodes special characters in a plain-text string for display as HTML.
Checks for UTF-8 to prevent cross site scripting attacks on Internet Explorer 6.
Don't use this when using the t(), l(); use placeholders

Wrap Your Output
check_plain()
check_markup()

check_markup()
This is for text which contains markup in some language
Runs all the enabled filters on a piece of text.

Wrap Your Output
check_plain()
check_markup()
filter_xss()

filter_xss()
Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities.
Removes characters and constructs that can trick browsers.
Makes sure all HTML entities are well-formed.
Makes sure all HTML tags and attributes are well-formed.
Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).
Source: http://http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss/7

Wrap Your Output
check_plain()
check_markup()
filter_xss()
filter_xss_admin()

filter_xss_admin()
Very permissive XSS/HTML filter for admin-only use. .
Use only for fields where it is impractical to use the whole filter system, but where some (mainly inline) mark-up is desired (so check_plain () is not acceptable).
Allows all tags that can be used inside an HTML body, save for scripts and styles.
Source:http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss_admin/7

t()
String translation, sanitizes your output if used properly
t(“Input @s", array('@s' => $string));

l()
Filters link text and protects against bad protocols
GOOD
print l($content, $link);
BAD
print '<a href="' . $link . '">' . $content . '</a>';

drupal_set_title()
In Drupal 7, sanitized output by default!
drupal_set_title($tainted, CHECK_PLAIN);

Protect Your Database
db_query()

db_query()
Runs a query in the database with arguments to the query, passed in as separate parameters, which are escaped to prevent SQL injection attacks.

db_query()
CORRECT:
db_query(“INSERT INTO {table} VALUES (%d, '%s')”, $node->profile_age, $node->profile_firstname);
WRONG:
db_query(“SELECT * FROM table WHERE field =
$node->profile_age”);

Protect Your Database
db_query()
db_rewrite_sql() – Not in Drupal 7

db_rewrite_sql()
Rewrites node, taxonomy and comment queries to respect Drupal's node access mechanism.
Protects against unauthorized access to content.

db_rewrite_sql()
CORRECT:
db_query(db_rewrite_sql( “SELECT * FROM {node} WHERE uid = %d”, $uid));
INCORRECT:
db_query(“SELECT * FROM {node} WHERE uid = %d”, $uid);

Beware User Input
Sources of user input:
Form fields
Uploaded files
Query string
Other sites

This is an exploited comment.
<link rel="stylesheet" type="text/css" href="http://ha.ckers.org/xss.js{"><script>alert('xss');</script>}body{font-family:{" />

AJAX Risks
AJAX transactions are not private
Eval() is not 100% safe; use JSONP

Sanitize output
Use the Form API
Use parameterized queries
Leave core intact
Grant minimal permissions
Use HTTPS for social websites
Keep core and modules up to date!
Hack-proof Your Drupal App DrupalCamp NH 2011 Things Good Drupalers Do

Printing raw values
Modifying data with $_GET
Parameterized queries? WTF?
Hacking core and killing kittens
Allowing untrusted users to post the following tags: script, img, iframe, embed, object, input, link, style, meta, frameset, div, base, table, tr, td
Allowing untrusted users to post full HTML
Things That Will Bite You Hack-proof Your Drupal App DrupalCamp NH 2011

“ drupal” is NOT a good admin password!!
(neither is “lapurd”)

Other Common Mistakes
<?php
global $user;
// Bad – this will escalate the privileges
$user = user_load(array('uid' => $uid));
?>
<?php
global $user;
// SAFE – do this instead
$account = user_load(array('uid' => $uid));
?>

Improper URL access
Incorrect usage of 'access callback' in hook_menu()
Lack of security settings on views
Writing forms in HTML
Use the Form API to provide automatic CSRF protection

Unvalidated and open redirects
Iframes, drupal_goto, location.href
Promiscuous crossdomain.xml files

Don't Trust User Input!

http:// drupal.org
Writing Secure Code (http://drupal.org/writing-secure-code)
Handle Text in a Secure Fashion ( http://drupal.org/node/28984 )
Secure File Permissions: http://drupal.org/node/244924
Drupal Security Team
Drupal Security Resources

Coder ( http:// drupal.org /project/coder )
Security Review ( http:// drupal.org/project/security_review )
Secure Code Review ( http:// drupal.org/project/secure_code_review )
Secure Permissions ( http:// drupal.org/project/secure_permissions )
Modules

Pro Drupal Development book (VanDyk)
Cracking Drupal: A Drop in the Bucket (Knaddison)
XSS Scripting Attacks (Grossman)
Books

Questions?

Hack-Proof Your Drupal App

by Erich Beyrent

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 12

Statistics

Hack-Proof Your Drupal App Presentation Transcript