Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Over 70% of the security issues in Drupal sites are either XSS, CSRF, or SQL Injection. Let's talk about how sites get hacked and how you can write secure Drupal code and maintain security throughout your development process and live maintenance.


About the Presenter:

Ben Jeavons is a member of the Drupal Security team and co-author of the Drupal Security Report. As an engineer at Acquia he works on the Acquia Network including the security and performance analysis tool, Acquia Insight.

Experience Level: Intermediate

Published in: Technology

Hack Into Drupal Sites (or, How to Secure Your Drupal Site)

  1. Secure your Drupal site by first hacking into it
  2. Think like a hacker
     http://www.flickr.com/photos/31246066@N04/4252587897/
  3. How sites get hacked
     - XSS
     - Insecure environment
     - Stolen access
     - Outdated code, known vulnerabilities
  4. XSS Demo
     - Malicious Javascript is entered
     - Admin unknowingly executes it
     - Javascript alters admin-only settings
     - Changes admin password
     - Puts site offline
     http://www.flickr.com/photos/paolo_rosa/5088971947/
  5. https://vimeo.com/15447718
  6. Ben Jeavons
     - Drupaler for 5 years
     - Member of Drupal Security Team
     - @benswords
  7. Drupal vulnerabilities by popularity (pie chart; the chart itself did not survive the transcript). Categories: XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others. Values shown, in the order they appear on the slide: 12%, 7%, 4%, 3%, 48%, 10%, 16%. Source: core and contrib SAs reported from 6/1/2005 through 3/24/2010.
  8. Cross Site Scripting
  9. Cross Site Scripting (XSS)
     - Javascript performing actions without your intent
     - Everything you can do, XSS can do faster
  10. Stored XSS Step 1 (diagram): the Attacker sends a Request containing JS to Drupal, which stores it in the DB.
  11. Stored XSS Step 2 (diagram): the Victim sends a Request; Drupal reads the stored JS from the DB and returns it in the Response.
  12. Stored XSS Step 3 (diagram): the Victim's browser executes the JS, which sends Requests to Drupal on the victim's behalf.
  13. Vulnerable code: the raw node title is set as the page title and printed unescaped.
      $node = node_load($nid);
      $title = $node->title;
      drupal_set_title($title);
      ... (later, in page.tpl.php) ...
      <h1><?php print $title; ?></h1>
  14. Fixing XSS: identify where the data came from. User input!
  15. User input is more than form fields: user agent, language, time zone, referrer and more HTTP request headers. There are lots of tools/ways to modify these for requests.
  16. Fixing XSS: identify where the data came from. Is that data being filtered or escaped before output?
  17. Raw Input -> Filtered -> Output
  18. Fixed code: the title is escaped with check_plain() before it is handed to drupal_set_title(), so the template prints the filtered value.
      $node = node_load($nid);
      $title = $node->title;
      $safe = check_plain($title);
      drupal_set_title($safe);
      ... (later, in page.tpl.php) ...
      <h1><?php print $title; ?></h1>
  19. XSS in Themes: the raw field value is printed.
      <div class="stuff"><?php print $node->field_stuff[0]['value']; ?></div>
  20. Fixed theme code: print the sanitized 'safe' value, or format the field through CCK.
      <div class="stuff"><?php
      print $node->field_stuff[0]['safe'];
      // OR
      $stuff = $node->field_stuff[0];
      print content_format('field_stuff', $stuff);
      ?></div>
  21. Sanitize user input for output
      $msg = variable_get('my_msg', '');
      print check_plain($msg);
  22. Test for XSS vulnerability: <script>alert('xss yo')</script>
      github.com/unn/vuln
  23. Insecure Environment
  24. Insecure Environment: lock down your stack (admin tools and access to them). Principle of least privilege: give out only necessary permissions.
  25. Insecure Environment: /devel/variable, /phpMyAdmin
  26. Insecure Environment: make backups. Test that they work. Secure access to backups.
  27. Center for Health Transformation's records were "found by The New York Times in an unsecured archived version of the site"
      http://www.nytimes.com/2011/11/30/us/politics/gingrich-gave-push-to-clients-not-just-ideas.html
      http://www.flickr.com/photos/mjb/208218519/
  28. Insecure Environment: /sites/default/files/backup_migrate/
  29. Stolen Access
  30. SSL: run Drupal on full TLS/SSL. securepages & securepages_prevent_hijack (http://drupalscout.com/node/17). Use a valid certificate.
  31. SFTP: "Secure" FTP. Your host should provide it. If not, consider a new one.
  32. Stay up-to-date
  33. Stay up-to-date: know and apply security updates (Security Advisories). Not just Drupal: third-party libraries (TinyMCE), PHP, operating system.
  34. /CHANGELOG.txt
  35. Automation
      http://www.flickr.com/photos/hubmedia/2141860216/
  36. Steps to a mostly automated review
      - Security Review: drupal.org/project/security_review
      - Hacked: drupal.org/project/hacked
      - Coder: drupal.org/project/coder
      - Secure Code Review: drupal.org/project/secure_code_review
      - Vuln: github.com/unn/vuln
      - More: http://drupalscout.com/node/11
  37. In-depth, hands-on security training: drupalcon.org, bit.ly/drupalcon-security
  38. Read: drupal.org/security/writing-secure-code, drupalscout.com, crackingdrupal.com
      Converse: groups.drupal.org/best-practices-drupal-security
      ben.jeavons@acquia.com, @benswords
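As an added example (not code from the slides or from Drupal itself), the vulnerable and fixed title patterns from slides 13 and 18 side by side, plus the request-header case from slide 15, using a stand-in for Drupal 6's check_plain() so the file runs outside Drupal; the node object, the $_SERVER-like array and the function names are constructed for this example, with the test string from slide 22 as input.

```php
<?php
// Added example, not from the slides. Drupal 6's check_plain() is
// htmlspecialchars($text, ENT_QUOTES, 'UTF-8') behind a UTF-8 validity check;
// this stand-in keeps the escaping step so the file runs without Drupal.
function check_plain_example($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Slide 13: the raw node title reaches <h1> unescaped, so a title that
// contains markup is parsed by the admin's browser as markup.
function render_title_vulnerable($node) {
    $title = $node->title;                 // raw input
    return '<h1>' . $title . '</h1>';      // output without filtering
}

// Slide 18: escape at the point of output. The template still prints the
// page title, but what it receives is the check_plain()'d string.
function render_title_safe($node) {
    $safe = check_plain_example($node->title);   // raw -> filtered
    return '<h1>' . $safe . '</h1>';             // filtered -> output
}

// Slide 15: request headers are user input too. The User-Agent string is
// chosen by the client and must be escaped like any other field.
function render_user_agent_safe(array $server) {
    $ua = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
    return '<p>Your browser: ' . check_plain_example($ua) . '</p>';
}

// Constructed inputs: a node whose title is the test string from slide 22,
// and a $_SERVER-like array carrying the same string in the User-Agent.
$xss_test = "<script>alert('xss yo')</script>";
$node = (object) array('title' => $xss_test);
$server = array('HTTP_USER_AGENT' => 'Mozilla/5.0 ' . $xss_test);

echo render_title_vulnerable($node), "\n";   // the <script> tag survives as markup
echo render_title_safe($node), "\n";         // <, > and quotes become entities
echo render_user_agent_safe($server), "\n";  // same treatment for the header

// Self-check of the fix: no raw script tag may remain in the escaped output.
var_dump(strpos(render_title_safe($node), '<script') === false);
```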