• Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
5,094
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
77
Comments
0
Likes
6

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • collected and analyzed from June 1, 2005 through March 24, 2010

Transcript

  • 1. Hack-proof Your Drupal App Key Habits of Secure Drupal Coding Hack-proof Your Drupal App DrupalCamp NH 2011
  • 2.
    • http://twitter.com/ebeyrent
    • http://drupal.org/user/23897
    Introductions
    • Permissions API
    • Permissions Superuser
    • Crowd SSO
    • LDAP Extended Groups
    • Context Local Tasks
    • Search Lucene Biblio
    • Search Lucene Attachments
    • Search Lucene OG
    • Visual Search API
    My Modules Hack-proof Your Drupal App DrupalCamp NH 2011 Erich Beyrent
  • 3.
    • Agenda
    • Secrets to Securing a Social Network
    • Key Habits of Secure Drupal Coding
    • Vulnerability Detection to Remediation
    • Security Resources for Drupal Applications
    • See For Yourself - demonstrations of application attacks
    • Discussions
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 4. Have you ever... Hack-proof Your Drupal App DrupalCamp NH 2011
  • 5. Hack-proof Your Drupal App DrupalCamp NH 2011 Source: http://www.flickr.com/photos/wili/233621595/
  • 6. HILARITY DID NOT ENSUE Hack-proof Your Drupal App DrupalCamp NH 2011
  • 7.
    • The Results
    • 120 vulnerabilities were discovered
      • XSS
      • CSRF
      • SQL Injection
      • Insufficient Authorization
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 8.
    • What Was Learned
    • 90% of the vulnerabilities existed in the theme
    • Untrusted data from the query string was printed without filtering
    • Custom search forms were insecure
    • crossdomain.xml caused vulnerabilities
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 9.
    • Fixing The Problems
    • Completely reviewed the theme, implementing
    • Drupal output filters
    • Code was audited to ensure sanitization of all
    • user data
    • Rewrote the search forms to sanitize user data and use the Form API
    • Implemented web services proxy
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 10. Drupal Security Report
    • Authored by Ben Jeavons and Greg Knaddison
    • Provides an analysis of the current state of security in Drupal
    • Reports on the number of vulnerabilities by type reported in SAs for Drupal core and contributed modules
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 11. Source: Drupal Security Report http://drupalsecurityreport.org/ June 2005 – March 2010 Hack-proof Your Drupal App DrupalCamp NH 2011 By The Numbers
  • 12. Source: http://www.cvedetails.com/vendor/1367/Drupal.html Hack-proof Your Drupal App DrupalCamp NH 2011
  • 13.
    • Wrap your output
    Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding
  • 14.
    • Wrap your output
    • Protect your database
    Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding
  • 15.
    • Wrap your output
    • Protect your database
    • Beware user input
    Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding
  • 16.
    • Wrap your output
    • Protect your database
    • Beware user input
    • AJAX risks
    Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding
  • 17.
    • Reality
    Hack-proof Your Drupal App DrupalCamp NH 2011 YouTube (July 2010)
  • 18.
    • Reality
    • Security experts estimate that 66% of websites are vulnerable to XSS attacks (Jeremiah Grossman, WhiteHat Security)
    • The vast majority of vulnerabilities in Drupal are in XSS attacks
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 19. Why?
    • Drupal has at least 8 different APIs for sanitizing output
    • Security presentations are given at DrupalCons and DrupalCamps all around the world
    • Drupal Security Announcements
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 20.
    • Wrap Your Output
    • check_plain()
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 21.
    • check_plain()
    • This is for simple text without any markup.
    • Encodes special characters in a plain-text string for display as HTML.
    • Checks for UTF-8 to prevent cross site scripting attacks on Internet Explorer 6.
    • Don't use this when using the t(), l(); use placeholders
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 22.
    • Wrap Your Output
    • check_plain()
    • check_markup()
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 23.
    • check_markup()
    • This is for text which contains markup in some language
    • Runs all the enabled filters on a piece of text.
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 24.
    • Wrap Your Output
    • check_plain()
    • check_markup()
    • filter_xss()
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 25.
    • filter_xss()
    • Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities.
      • Removes characters and constructs that can trick browsers.
      • Makes sure all HTML entities are well-formed.
      • Makes sure all HTML tags and attributes are well-formed.
      • Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).
      • Source: http://http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss/7
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 26.
    • Wrap Your Output
    • check_plain()
    • check_markup()
    • filter_xss()
    • filter_xss_admin()
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 27.
    • filter_xss_admin()
    • Very permissive XSS/HTML filter for admin-only use. .
      • Use only for fields where it is impractical to use the whole filter system, but where some (mainly inline) mark-up is desired (so check_plain () is not acceptable).
      • Allows all tags that can be used inside an HTML body, save for scripts and styles.
      • Source:http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss_admin/7
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 28.
    • t()
    • String translation, sanitizes your output if used properly
    • t(“Input @s", array('@s' => $string));
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 29.
    • l()
    • Filters link text and protects against bad protocols
    • GOOD
    • print l($content, $link);
    • BAD
    • print '<a href=&quot;' . $link . '&quot;>' . $content . '</a>';
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 30.
    • drupal_set_title()
    • In Drupal 7, sanitized output by default!
    • drupal_set_title($tainted, CHECK_PLAIN);
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 31.
    • Protect Your Database
    • db_query()
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 32.
    • db_query()
    • Runs a query in the database with arguments to the query, passed in as separate parameters, which are escaped to prevent SQL injection attacks.
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 33.
    • db_query()
    • CORRECT:
      • db_query(“INSERT INTO {table} VALUES (%d, '%s')”, $node->profile_age, $node->profile_firstname);
    • WRONG:
      • db_query(“SELECT * FROM table WHERE field =
      • $node->profile_age”);
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 34.
    • Protect Your Database
    • db_query()
    • db_rewrite_sql() – Not in Drupal 7
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 35.
    • db_rewrite_sql()
    • Rewrites node, taxonomy and comment queries to respect Drupal's node access mechanism.
    • Protects against unauthorized access to content.
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 36.
    • db_rewrite_sql()
    • CORRECT:
      • db_query(db_rewrite_sql( “SELECT * FROM {node} WHERE uid = %d”, $uid));
    • INCORRECT:
      • db_query(“SELECT * FROM {node} WHERE uid = %d”, $uid);
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 37.
    • Beware User Input
    • Sources of user input:
      • Form fields
      • Uploaded files
      • Query string
      • Other sites
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 38.
    • This is an exploited comment.
    • <link rel=&quot;stylesheet&quot; type=&quot;text/css&quot; href=&quot;http://ha.ckers.org/xss.js{&quot;><script>alert('xss');</script>}body{font-family:{&quot; />
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 39.
    • AJAX Risks
    • AJAX transactions are not private
    • Eval() is not 100% safe; use JSONP
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 40.
    • Sanitize output
    • Use the Form API
    • Use parameterized queries
    • Leave core intact
    • Grant minimal permissions
    • Use HTTPS for social websites
    • Keep core and modules up to date!
    Hack-proof Your Drupal App DrupalCamp NH 2011 Things Good Drupalers Do
  • 41.
    • Printing raw values
    • Modifying data with $_GET
    • Parameterized queries? WTF?
    • Hacking core and killing kittens
    • Allowing untrusted users to post the following tags: script, img, iframe, embed, object, input, link, style, meta, frameset, div, base, table, tr, td
    • Allowing untrusted users to post full HTML
    Things That Will Bite You Hack-proof Your Drupal App DrupalCamp NH 2011
  • 42.
    • “ drupal” is NOT a good admin password!!
    • (neither is “lapurd”)
  • 43.
    • Other Common Mistakes
    • <?php
    • global $user;
    • // Bad – this will escalate the privileges
    • $user = user_load(array('uid' => $uid));
    • ?>
    • <?php
    • global $user;
    • // SAFE – do this instead
    • $account = user_load(array('uid' => $uid));
    • ?>
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 44.
    • Other Common Mistakes
    • Improper URL access
      • Incorrect usage of 'access callback' in hook_menu()
      • Lack of security settings on views
    • Writing forms in HTML
      • Use the Form API to provide automatic CSRF protection
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 45.
    • Other Common Mistakes
    • Unvalidated and open redirects
      • Iframes, drupal_goto, location.href
    • Promiscuous crossdomain.xml files
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 46.
    • Don't Trust User Input!
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 47.
    • http:// drupal.org
    • Writing Secure Code (http://drupal.org/writing-secure-code)
    • Handle Text in a Secure Fashion ( http://drupal.org/node/28984 )
    • Secure File Permissions: http://drupal.org/node/244924
    • Drupal Security Team
    • Drupal Security Resources
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 48.
    • Coder ( http:// drupal.org /project/coder )
    • Security Review ( http:// drupal.org/project/security_review )
    • Secure Code Review ( http:// drupal.org/project/secure_code_review )
    • Secure Permissions ( http:// drupal.org/project/secure_permissions )
    • Modules
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 49.
    • Pro Drupal Development book (VanDyk)
    • Cracking Drupal: A Drop in the Bucket (Knaddison)
    • XSS Scripting Attacks (Grossman)
    • Books
    Hack-proof Your Drupal App DrupalCamp NH 2011
  • 50.
    • Questions?
    Hack-proof Your Drupal App DrupalCamp NH 2011