Hack-proof Your Drupal App Key Habits of Secure Drupal Coding Hack-proof Your Drupal App DrupalCamp NH 2011
<ul><li>http://twitter.com/ebeyrent </li></ul><ul><li>http://drupal.org/user/23897 </li></ul>Introductions <ul><li>Permiss...
<ul><li>Agenda </li></ul><ul><li>Secrets to Securing a Social Network </li></ul><ul><li>Key Habits of Secure Drupal Coding...
Have you ever... Hack-proof Your Drupal App DrupalCamp NH 2011
Hack-proof Your Drupal App DrupalCamp NH 2011 Source: http://www.flickr.com/photos/wili/233621595/
HILARITY DID NOT ENSUE Hack-proof Your Drupal App DrupalCamp NH 2011
<ul><li>The Results </li></ul><ul><li>120 vulnerabilities were discovered </li></ul><ul><ul><li>XSS </li></ul></ul><ul><ul...
<ul><li>What Was Learned </li></ul><ul><li>90% of the vulnerabilities existed in the theme </li></ul><ul><li>Untrusted dat...
<ul><li>Fixing The Problems </li></ul><ul><li>Completely reviewed the theme, implementing  </li></ul><ul><li>Drupal output...
Drupal Security Report <ul><li>Authored by Ben Jeavons and Greg Knaddison </li></ul><ul><li>Provides an analysis of the cu...
Source:  Drupal Security Report http://drupalsecurityreport.org/ June 2005 – March 2010 Hack-proof Your Drupal App DrupalC...
Source: http://www.cvedetails.com/vendor/1367/Drupal.html Hack-proof Your Drupal App DrupalCamp NH 2011
<ul><li>Wrap your output </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding
<ul><li>Wrap your output </li></ul><ul><li>Protect your database </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011 K...
<ul><li>Wrap your output </li></ul><ul><li>Protect your database </li></ul><ul><li>Beware user input </li></ul>Hack-proof ...
<ul><li>Wrap your output </li></ul><ul><li>Protect your database </li></ul><ul><li>Beware user input </li></ul><ul><li>AJA...
<ul><li>Reality </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011 YouTube (July 2010)
<ul><li>Reality </li></ul><ul><li>Security experts estimate that 66% of  websites are vulnerable to XSS attacks (Jeremiah ...
Why? <ul><li>Drupal has at least 8 different APIs for sanitizing output </li></ul><ul><li>Security presentations are given...
<ul><li>Wrap Your Output </li></ul><ul><li>check_plain() </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
<ul><li>check_plain() </li></ul><ul><li>This is for simple text without any markup.  </li></ul><ul><li>Encodes special cha...
<ul><li>Wrap Your Output </li></ul><ul><li>check_plain() </li></ul><ul><li>check_markup() </li></ul>Hack-proof Your Drupal...
<ul><li>check_markup() </li></ul><ul><li>This is for text which contains markup in some language </li></ul><ul><li>Runs al...
<ul><li>Wrap Your Output </li></ul><ul><li>check_plain() </li></ul><ul><li>check_markup() </li></ul><ul><li>filter_xss() <...
<ul><li>filter_xss() </li></ul><ul><li>Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities. </li>...
<ul><li>Wrap Your Output </li></ul><ul><li>check_plain() </li></ul><ul><li>check_markup() </li></ul><ul><li>filter_xss() <...
<ul><li>filter_xss_admin() </li></ul><ul><li>Very permissive XSS/HTML filter for admin-only use.  . </li></ul><ul><ul><li>...
<ul><li>t() </li></ul><ul><li>String translation, sanitizes your output if used properly </li></ul><ul><li>t(“Input @s&quo...
<ul><li>l() </li></ul><ul><li>Filters link text and protects against bad protocols </li></ul><ul><li>GOOD </li></ul><ul><l...
<ul><li>drupal_set_title()  </li></ul><ul><li>In Drupal 7, sanitized output by default! </li></ul><ul><li>drupal_set_title...
<ul><li>Protect Your Database </li></ul><ul><li>db_query() </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
<ul><li>db_query() </li></ul><ul><li>Runs a query in the database with arguments to the query, passed in as separate param...
<ul><li>db_query() </li></ul><ul><li>CORRECT: </li></ul><ul><ul><li>db_query(“INSERT INTO {table} VALUES (%d, '%s')”,  $no...
<ul><li>Protect Your Database </li></ul><ul><li>db_query() </li></ul><ul><li>db_rewrite_sql() – Not in Drupal 7 </li></ul>...
<ul><li>db_rewrite_sql() </li></ul><ul><li>Rewrites node, taxonomy and comment queries to respect Drupal's node access mec...
<ul><li>db_rewrite_sql() </li></ul><ul><li>CORRECT: </li></ul><ul><ul><li>db_query(db_rewrite_sql(  “SELECT * FROM {node} ...
<ul><li>Beware User Input </li></ul><ul><li>Sources of user input: </li></ul><ul><ul><li>Form fields </li></ul></ul><ul><u...
<ul><li>This is an exploited comment. </li></ul><ul><li><link rel=&quot;stylesheet&quot; type=&quot;text/css&quot; href=&q...
<ul><li>AJAX Risks </li></ul><ul><li>AJAX transactions are not private </li></ul><ul><li>Eval() is not 100% safe; use JSON...
<ul><li>Sanitize output </li></ul><ul><li>Use the Form API </li></ul><ul><li>Use parameterized queries </li></ul><ul><li>L...
<ul><li>Printing raw values </li></ul><ul><li>Modifying data with $_GET </li></ul><ul><li>Parameterized queries?  WTF? </l...
<ul><li>“ drupal” is NOT a good admin password!! </li></ul><ul><li>(neither is “lapurd”) </li></ul>
<ul><li>Other Common Mistakes </li></ul><ul><li><?php </li></ul><ul><li>global $user; </li></ul><ul><li>// Bad – this will...
<ul><li>Other Common Mistakes </li></ul><ul><li>Improper URL access </li></ul><ul><ul><li>Incorrect usage of 'access callb...
<ul><li>Other Common Mistakes </li></ul><ul><li>Unvalidated and open redirects </li></ul><ul><ul><li>Iframes, drupal_goto,...
<ul><li>Don't Trust User Input! </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
<ul><li>http:// drupal.org </li></ul><ul><li>Writing Secure Code (http://drupal.org/writing-secure-code) </li></ul><ul><li...
<ul><li>Coder ( http:// drupal.org /project/coder ) </li></ul><ul><li>Security Review ( http:// drupal.org/project/securit...
<ul><li>Pro Drupal Development book (VanDyk) </li></ul><ul><li>Cracking Drupal: A Drop in the Bucket (Knaddison) </li></ul...
<ul><li>Questions? </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
Upcoming SlideShare
Loading in...5
×

Hack-Proof Your Drupal App

5,371

Published on

Published in: Technology
0 Comments
6 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
5,371
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
80
Comments
0
Likes
6
Embeds 0
No embeds

No notes for slide
  • collected and analyzed from June 1, 2005 through March 24, 2010
  • Hack-Proof Your Drupal App

    1. 1. Hack-proof Your Drupal App Key Habits of Secure Drupal Coding Hack-proof Your Drupal App DrupalCamp NH 2011
    2. 2. <ul><li>http://twitter.com/ebeyrent </li></ul><ul><li>http://drupal.org/user/23897 </li></ul>Introductions <ul><li>Permissions API </li></ul><ul><li>Permissions Superuser </li></ul><ul><li>Crowd SSO </li></ul><ul><li>LDAP Extended Groups </li></ul><ul><li>Context Local Tasks </li></ul><ul><li>Search Lucene Biblio </li></ul><ul><li>Search Lucene Attachments </li></ul><ul><li>Search Lucene OG </li></ul><ul><li>Visual Search API </li></ul>My Modules Hack-proof Your Drupal App DrupalCamp NH 2011 Erich Beyrent
    3. 3. <ul><li>Agenda </li></ul><ul><li>Secrets to Securing a Social Network </li></ul><ul><li>Key Habits of Secure Drupal Coding </li></ul><ul><li>Vulnerability Detection to Remediation </li></ul><ul><li>Security Resources for Drupal Applications </li></ul><ul><li>See For Yourself - demonstrations of application attacks </li></ul><ul><li>Discussions </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    4. 4. Have you ever... Hack-proof Your Drupal App DrupalCamp NH 2011
    5. 5. Hack-proof Your Drupal App DrupalCamp NH 2011 Source: http://www.flickr.com/photos/wili/233621595/
    6. 6. HILARITY DID NOT ENSUE Hack-proof Your Drupal App DrupalCamp NH 2011
    7. 7. <ul><li>The Results </li></ul><ul><li>120 vulnerabilities were discovered </li></ul><ul><ul><li>XSS </li></ul></ul><ul><ul><li>CSRF </li></ul></ul><ul><ul><li>SQL Injection </li></ul></ul><ul><ul><li>Insufficient Authorization </li></ul></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    8. 8. <ul><li>What Was Learned </li></ul><ul><li>90% of the vulnerabilities existed in the theme </li></ul><ul><li>Untrusted data from the query string was printed without filtering </li></ul><ul><li>Custom search forms were insecure </li></ul><ul><li>crossdomain.xml caused vulnerabilities </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    9. 9. <ul><li>Fixing The Problems </li></ul><ul><li>Completely reviewed the theme, implementing </li></ul><ul><li>Drupal output filters </li></ul><ul><li>Code was audited to ensure sanitization of all </li></ul><ul><li>user data </li></ul><ul><li>Rewrote the search forms to sanitize user data and use the Form API </li></ul><ul><li>Implemented web services proxy </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    10. 10. Drupal Security Report <ul><li>Authored by Ben Jeavons and Greg Knaddison </li></ul><ul><li>Provides an analysis of the current state of security in Drupal </li></ul><ul><li>Reports on the number of vulnerabilities by type reported in SAs for Drupal core and contributed modules </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    11. 11. Source: Drupal Security Report http://drupalsecurityreport.org/ June 2005 – March 2010 Hack-proof Your Drupal App DrupalCamp NH 2011 By The Numbers
    12. 12. Source: http://www.cvedetails.com/vendor/1367/Drupal.html Hack-proof Your Drupal App DrupalCamp NH 2011
    13. 13. <ul><li>Wrap your output </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding
    14. 14. <ul><li>Wrap your output </li></ul><ul><li>Protect your database </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding
    15. 15. <ul><li>Wrap your output </li></ul><ul><li>Protect your database </li></ul><ul><li>Beware user input </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding
    16. 16. <ul><li>Wrap your output </li></ul><ul><li>Protect your database </li></ul><ul><li>Beware user input </li></ul><ul><li>AJAX risks </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011 Key Habits of Secure Drupal Coding
    17. 17. <ul><li>Reality </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011 YouTube (July 2010)
    18. 18. <ul><li>Reality </li></ul><ul><li>Security experts estimate that 66% of websites are vulnerable to XSS attacks (Jeremiah Grossman, WhiteHat Security) </li></ul><ul><li>The vast majority of vulnerabilities in Drupal are in XSS attacks </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    19. 19. Why? <ul><li>Drupal has at least 8 different APIs for sanitizing output </li></ul><ul><li>Security presentations are given at DrupalCons and DrupalCamps all around the world </li></ul><ul><li>Drupal Security Announcements </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    20. 20. <ul><li>Wrap Your Output </li></ul><ul><li>check_plain() </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    21. 21. <ul><li>check_plain() </li></ul><ul><li>This is for simple text without any markup. </li></ul><ul><li>Encodes special characters in a plain-text string for display as HTML. </li></ul><ul><li>Checks for UTF-8 to prevent cross site scripting attacks on Internet Explorer 6. </li></ul><ul><li>Don't use this when using the t(), l(); use placeholders </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    22. 22. <ul><li>Wrap Your Output </li></ul><ul><li>check_plain() </li></ul><ul><li>check_markup() </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    23. 23. <ul><li>check_markup() </li></ul><ul><li>This is for text which contains markup in some language </li></ul><ul><li>Runs all the enabled filters on a piece of text. </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    24. 24. <ul><li>Wrap Your Output </li></ul><ul><li>check_plain() </li></ul><ul><li>check_markup() </li></ul><ul><li>filter_xss() </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    25. 25. <ul><li>filter_xss() </li></ul><ul><li>Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities. </li></ul><ul><ul><li>Removes characters and constructs that can trick browsers. </li></ul></ul><ul><ul><li>Makes sure all HTML entities are well-formed. </li></ul></ul><ul><ul><li>Makes sure all HTML tags and attributes are well-formed. </li></ul></ul><ul><ul><li>Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:). </li></ul></ul><ul><ul><li>Source: http://http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss/7 </li></ul></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    26. 26. <ul><li>Wrap Your Output </li></ul><ul><li>check_plain() </li></ul><ul><li>check_markup() </li></ul><ul><li>filter_xss() </li></ul><ul><li>filter_xss_admin() </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    27. 27. <ul><li>filter_xss_admin() </li></ul><ul><li>Very permissive XSS/HTML filter for admin-only use. . </li></ul><ul><ul><li>Use only for fields where it is impractical to use the whole filter system, but where some (mainly inline) mark-up is desired (so check_plain () is not acceptable). </li></ul></ul><ul><ul><li>Allows all tags that can be used inside an HTML body, save for scripts and styles. </li></ul></ul><ul><ul><li>Source:http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss_admin/7 </li></ul></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    28. 28. <ul><li>t() </li></ul><ul><li>String translation, sanitizes your output if used properly </li></ul><ul><li>t(“Input @s&quot;, array('@s' => $string)); </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    29. 29. <ul><li>l() </li></ul><ul><li>Filters link text and protects against bad protocols </li></ul><ul><li>GOOD </li></ul><ul><li>print l($content, $link); </li></ul><ul><li>BAD </li></ul><ul><li>print '<a href=&quot;' . $link . '&quot;>' . $content . '</a>'; </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    30. 30. <ul><li>drupal_set_title() </li></ul><ul><li>In Drupal 7, sanitized output by default! </li></ul><ul><li>drupal_set_title($tainted, CHECK_PLAIN); </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    31. 31. <ul><li>Protect Your Database </li></ul><ul><li>db_query() </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    32. 32. <ul><li>db_query() </li></ul><ul><li>Runs a query in the database with arguments to the query, passed in as separate parameters, which are escaped to prevent SQL injection attacks. </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    33. 33. <ul><li>db_query() </li></ul><ul><li>CORRECT: </li></ul><ul><ul><li>db_query(“INSERT INTO {table} VALUES (%d, '%s')”, $node->profile_age, $node->profile_firstname); </li></ul></ul><ul><li>WRONG: </li></ul><ul><ul><li>db_query(“SELECT * FROM table WHERE field = </li></ul></ul><ul><ul><li>$node->profile_age”); </li></ul></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    34. 34. <ul><li>Protect Your Database </li></ul><ul><li>db_query() </li></ul><ul><li>db_rewrite_sql() – Not in Drupal 7 </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    35. 35. <ul><li>db_rewrite_sql() </li></ul><ul><li>Rewrites node, taxonomy and comment queries to respect Drupal's node access mechanism. </li></ul><ul><li>Protects against unauthorized access to content. </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    36. 36. <ul><li>db_rewrite_sql() </li></ul><ul><li>CORRECT: </li></ul><ul><ul><li>db_query(db_rewrite_sql( “SELECT * FROM {node} WHERE uid = %d”, $uid)); </li></ul></ul><ul><li>INCORRECT: </li></ul><ul><ul><li>db_query(“SELECT * FROM {node} WHERE uid = %d”, $uid); </li></ul></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    37. 37. <ul><li>Beware User Input </li></ul><ul><li>Sources of user input: </li></ul><ul><ul><li>Form fields </li></ul></ul><ul><ul><li>Uploaded files </li></ul></ul><ul><ul><li>Query string </li></ul></ul><ul><ul><li>Other sites </li></ul></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    38. 38. <ul><li>This is an exploited comment. </li></ul><ul><li><link rel=&quot;stylesheet&quot; type=&quot;text/css&quot; href=&quot;http://ha.ckers.org/xss.js{&quot;><script>alert('xss');</script>}body{font-family:{&quot; /> </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    39. 39. <ul><li>AJAX Risks </li></ul><ul><li>AJAX transactions are not private </li></ul><ul><li>Eval() is not 100% safe; use JSONP </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    40. 40. <ul><li>Sanitize output </li></ul><ul><li>Use the Form API </li></ul><ul><li>Use parameterized queries </li></ul><ul><li>Leave core intact </li></ul><ul><li>Grant minimal permissions </li></ul><ul><li>Use HTTPS for social websites </li></ul><ul><li>Keep core and modules up to date! </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011 Things Good Drupalers Do
    41. 41. <ul><li>Printing raw values </li></ul><ul><li>Modifying data with $_GET </li></ul><ul><li>Parameterized queries? WTF? </li></ul><ul><li>Hacking core and killing kittens </li></ul><ul><li>Allowing untrusted users to post the following tags: script, img, iframe, embed, object, input, link, style, meta, frameset, div, base, table, tr, td </li></ul><ul><li>Allowing untrusted users to post full HTML </li></ul>Things That Will Bite You Hack-proof Your Drupal App DrupalCamp NH 2011
    42. 42. <ul><li>“ drupal” is NOT a good admin password!! </li></ul><ul><li>(neither is “lapurd”) </li></ul>
    43. 43. <ul><li>Other Common Mistakes </li></ul><ul><li><?php </li></ul><ul><li>global $user; </li></ul><ul><li>// Bad – this will escalate the privileges </li></ul><ul><li>$user = user_load(array('uid' => $uid)); </li></ul><ul><li>?> </li></ul><ul><li><?php </li></ul><ul><li>global $user; </li></ul><ul><li>// SAFE – do this instead </li></ul><ul><li>$account = user_load(array('uid' => $uid)); </li></ul><ul><li>?> </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    44. 44. <ul><li>Other Common Mistakes </li></ul><ul><li>Improper URL access </li></ul><ul><ul><li>Incorrect usage of 'access callback' in hook_menu() </li></ul></ul><ul><ul><li>Lack of security settings on views </li></ul></ul><ul><li>Writing forms in HTML </li></ul><ul><ul><li>Use the Form API to provide automatic CSRF protection </li></ul></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    45. 45. <ul><li>Other Common Mistakes </li></ul><ul><li>Unvalidated and open redirects </li></ul><ul><ul><li>Iframes, drupal_goto, location.href </li></ul></ul><ul><li>Promiscuous crossdomain.xml files </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    46. 46. <ul><li>Don't Trust User Input! </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    47. 47. <ul><li>http:// drupal.org </li></ul><ul><li>Writing Secure Code (http://drupal.org/writing-secure-code) </li></ul><ul><li>Handle Text in a Secure Fashion ( http://drupal.org/node/28984 ) </li></ul><ul><li>Secure File Permissions: http://drupal.org/node/244924 </li></ul><ul><li>Drupal Security Team </li></ul><ul><li>Drupal Security Resources </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    48. 48. <ul><li>Coder ( http:// drupal.org /project/coder ) </li></ul><ul><li>Security Review ( http:// drupal.org/project/security_review ) </li></ul><ul><li>Secure Code Review ( http:// drupal.org/project/secure_code_review ) </li></ul><ul><li>Secure Permissions ( http:// drupal.org/project/secure_permissions ) </li></ul><ul><li>Modules </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    49. 49. <ul><li>Pro Drupal Development book (VanDyk) </li></ul><ul><li>Cracking Drupal: A Drop in the Bucket (Knaddison) </li></ul><ul><li>XSS Scripting Attacks (Grossman) </li></ul><ul><li>Books </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    50. 50. <ul><li>Questions? </li></ul>Hack-proof Your Drupal App DrupalCamp NH 2011
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×