Hack Into Drupal Sites (or, How to Secure Your Drupal Site)

Over 70% of the security issues in Drupal sites are either XSS, CSRF, or SQL Injection. Let's talk about how sites get hacked and how you can write secure Drupal code and maintain security throughout your development process and live maintenance.


About the Presenter:

Ben Jeavons is a member of the Drupal Security team and co-author of the Drupal Security Report. As an engineer at Acquia he works on the Acquia Network including the security and performance analysis tool, Acquia Insight.

Experience Level: Intermediate

  1. Secure your Drupal site by first hacking into it
  2. Think like a hacker
     http://www.flickr.com/photos/31246066@N04/4252587897/
  3. How sites get hacked
     • XSS
     • Insecure environment
     • Stolen access
     • Outdated code, known vulnerabilities
  4. XSS Demo
     • Malicious JavaScript is entered
     • Admin unknowingly executes it
     • JavaScript alters admin-only settings
     • Changes admin password
     • Puts site offline
     http://www.flickr.com/photos/paolo_rosa/5088971947/
  5. https://vimeo.com/15447718
  6. Ben Jeavons: Drupaler for 5 years, member of the Drupal Security Team, @benswords
  7. Drupal vulnerabilities by popularity
     [Pie chart. Categories: XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others. Values shown, in the order extracted: 12%, 7%, 4%, 3%, 48%, 10%, 16%.]
     Reported in core and contrib SAs from 6/1/2005 through 3/24/2010
  8. Cross Site Scripting
  9. Cross Site Scripting (XSS): JavaScript performing actions without your intent. Everything you can do, XSS can do faster.
  10. Stored XSS, Step 1
      [Diagram: the attacker sends a request to Drupal; the JavaScript payload is stored in the DB]
  11. Stored XSS, Step 2
      [Diagram: the victim sends a request to Drupal; the response built from the DB contains the JavaScript]
  12. Stored XSS, Step 3
      [Diagram: the JavaScript now running in the victim's browser sends its own requests to Drupal]
  13. Vulnerable code (title set and printed without escaping):
        $node = node_load($nid);
        $title = $node->title;
        drupal_set_title($title);
        ...
        (later, in page.tpl.php)
        ...
        <h1><?php print $title; ?></h1>
  14. Fixing XSS: identify where the data came from. User input!
  15. User agent, language, time zone, referrer and more HTTP request headers: there are lots of tools and ways to modify these for requests
  16. Fixing XSS: identify where the data came from. Is that data being filtered or escaped before output?
  17. Raw Input → Filtered → Output
  18. Fixed code (title escaped with check_plain() before it is set):
        $node = node_load($nid);
        $title = $node->title;
        $safe = check_plain($title);
        drupal_set_title($safe);
        ...
        (later, in page.tpl.php)
        ...
        <h1><?php print $title; ?></h1>
      ($title in page.tpl.php is the theme variable populated from drupal_get_title(), so it now carries the escaped value.)
  19. XSS in Themes (vulnerable: the raw field value is printed):
        <div class="stuff"><?php print $node->field_stuff[0]['value']; ?></div>
  20. Fixed (print the field's sanitized 'safe' value, or run it through the CCK formatter):
        <div class="stuff">
        <?php
        print $node->field_stuff[0]['safe'];
        // OR
        $stuff = $node->field_stuff[0];
        print content_format('field_stuff', $stuff);
        ?>
        </div>
  21. Sanitize user input for output:
        $msg = variable_get('my_msg', '');
        print check_plain($msg);
  22. Test for XSS vulnerability: enter <script>alert('xss yo')</script>; see github.com/unn/vuln
  23. Insecure Environment
  24. Insecure Environment
      • Lock down your stack: admin tools and access to them
      • Principle of least privilege: give out only necessary permissions
  25. Insecure Environment
      • /devel/variable
      • /phpMyAdmin
  26. Insecure Environment
      • Make backups
      • Test that they work
      • Secure access to backups
  27. Center for Health Transformation's records were "found by The New York Times in an unsecured archived version of the site"
      http://www.nytimes.com/2011/11/30/us/politics/gingrich-gave-push-to-clients-not-just-ideas.html
      http://www.flickr.com/photos/mjb/208218519/
  28. Insecure Environment: /sites/default/files/backup_migrate/
  29. Stolen Access
  30. SSL
      • Run Drupal on full TLS/SSL
      • securepages & securepages_prevent_hijack: http://drupalscout.com/node/17
      • Use a valid certificate
  31. SFTP ("Secure" FTP)
      • Your host should provide it
      • If not, consider a new one
  32. Stay up-to-date
  33. Stay up-to-date
      • Know and apply security updates (Security Advisories)
      • Not just Drupal: third-party libraries (TinyMCE), PHP, operating system
  34. /CHANGELOG.txt
  35. Automation
      http://www.flickr.com/photos/hubmedia/2141860216/
  36. Steps to a mostly automated review
      • Security Review: drupal.org/project/security_review
      • Hacked: drupal.org/project/hacked
      • Coder: drupal.org/project/coder
      • Secure Code Review: drupal.org/project/secure_code_review
      • Vuln: github.com/unn/vuln
      • More: http://drupalscout.com/node/11
  37. In-depth, hands-on security training: drupalcon.org, bit.ly/drupalcon-security
  38. Read: drupal.org/security/writing-secure-code, drupalscout.com, crackingdrupal.com
      Converse: groups.drupal.org/best-practices-drupal-security
      ben.jeavons@acquia.com, @benswords
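The filter-on-output rule from slides 13 to 22, as an added example that is not part of the deck or of Drupal's own code: it contrasts the vulnerable and fixed renderings and runs the slide-22 payload test against both without a Drupal bootstrap. my_check_plain(), render_unsafe(), render_safe() and leaks_payload() are names chosen here, and the node object is constructed to stand in for what node_load() returns.

```php
<?php
// Added example (not from the slides or from Drupal): "Raw Input -> Filtered
// -> Output", runnable stand-alone. my_check_plain() is a stand-in for
// Drupal's check_plain(), which HTML-escapes and refuses invalid UTF-8.

function my_check_plain($text) {
  // Same UTF-8 validity test Drupal uses before escaping.
  if ($text !== '' && preg_match('/^./us', $text) !== 1) {
    return '';
  }
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed stand-in for the object node_load() returns: the title and a
// CCK field carry the tester's payload from slide 22. CCK would populate
// 'safe' itself; here the stand-in escaper does it.
$payload = "<script>alert('xss yo')</script>";
$node = (object) array(
  'title' => 'Hello ' . $payload,
  'field_stuff' => array(0 => array(
    'value' => $payload,
    'safe'  => my_check_plain($payload),
  )),
);

// Vulnerable rendering (slides 13 and 19): raw values reach the page.
function render_unsafe($node) {
  return '<h1>' . $node->title . '</h1>'
       . '<div class="stuff">' . $node->field_stuff[0]['value'] . '</div>';
}

// Fixed rendering (slides 18 and 20): escape at output time. The data is
// not trusted because it came from the database; it came from a user.
function render_safe($node) {
  return '<h1>' . my_check_plain($node->title) . '</h1>'
       . '<div class="stuff">' . $node->field_stuff[0]['safe'] . '</div>';
}

// Check in the spirit of slide 22: after rendering a page that carries the
// marker payload, an unescaped <script> tag means it reached the browser as
// markup. In the fixed output it appears only as &lt;script&gt;.
function leaks_payload($html) {
  return stripos($html, '<script') !== false;
}

foreach (array('render_unsafe', 'render_safe') as $renderer) {
  $html = $renderer($node);
  printf("%-14s %s\n", $renderer . ':', leaks_payload($html) ? 'VULNERABLE' : 'ok');
  echo "  $html\n";
}
```

The same check can be pointed at any template output: render with the marker payload in every user-controlled field, then grep the result for the unescaped tag.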
