Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Over 70% of the security issues in Drupal sites are either XSS, CSRF, or SQL Injection. Let's talk about how sites get hacked and how you can write secure Drupal code and maintain security throughout your development process and live maintenance.


About the Presenter:

Ben Jeavons is a member of the Drupal Security team and co-author of the Drupal Security Report. As an engineer at Acquia he works on the Acquia Network including the security and performance analysis tool, Acquia Insight.

Experience Level: Intermediate

Hack Into Drupal Sites (or, How to Secure Your Drupal Site) Presentation Transcript

  • 1. Secure your Drupal site by first hacking into it
  • 2. Think like a hacker
    http://www.flickr.com/photos/31246066@N04/4252587897/
  • 3. How sites get hacked:
    XSS
    Insecure environment
    Stolen access
    Outdated code, known vulnerabilities
  • 4. XSS Demo
    Malicious JavaScript is entered
    Admin unknowingly executes it
    JavaScript alters admin-only settings
    Changes admin password
    Puts site offline
    http://www.flickr.com/photos/paolo_rosa/5088971947/
  • 5. https://vimeo.com/15447718
  • 6. Ben Jeavons: Drupaler for 5 years, member of the Drupal Security Team, @benswords
  • 7. Drupal vulnerabilities by popularity (pie chart; the transcript carries the slice values 12%, 7%, 4%, 3%, 48%, 10%, 16% and the categories XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others, but which value belongs to which category is not recoverable). Reported in core and contrib SAs from 6/1/2005 through 3/24/2010.
  • 8. Cross Site Scripting
  • 9. Cross Site Scripting (XSS): JavaScript performing actions without your intent. Everything you can do, XSS can do faster.
  • 10. Stored XSS, step 1: the attacker's request carries JavaScript to Drupal, which stores it in the DB.
  • 11. Stored XSS, step 2: the victim's request is served from the DB, so the response to the victim contains the stored JavaScript.
  • 12. Stored XSS, step 3: the JavaScript now running in the victim's browser sends its own requests to Drupal as the victim.
  • 13. Vulnerable code: the node title is user input and reaches the page unescaped.
    $node = node_load($nid);
    $title = $node->title;       // raw, user-supplied
    drupal_set_title($title);    // no check_plain(): Drupal 6 expects an already-sanitized title here
    ...
    (later, in page.tpl.php)
    ...
    <h1><?php print $title; ?></h1>   <!-- the template's $title is the unescaped string set above -->
  • 14. Fixing XSS: identify where the data came from. User input!
  • 15. HTTP request headers are user input too: user agent, language, time zone, referrer and more. There are lots of tools and ways to modify these for requests.
  • 16. Fixing XSS: identify where the data came from. Is that data being filtered or escaped before output?
  • 17. Raw input -> filtered -> output
  • 18. Fixed: escape the title once, before it is handed to Drupal for output.
    $node = node_load($nid);
    $title = $node->title;
    $safe = check_plain($title);   // HTML-escapes <, >, & and quotes
    drupal_set_title($safe);
    ...
    (later, in page.tpl.php)
    ...
    <h1><?php print $title; ?></h1>   <!-- the template's $title comes from drupal_get_title(), i.e. the escaped value -->
  • 19. XSS in themes. Vulnerable: printing a CCK field's raw value.
    <div class="stuff"><?php print $node->field_stuff[0]['value']; ?></div>
  • 20. Fixed: print the field's sanitized value, or let CCK format it.
    <div class="stuff">
    <?php
    print $node->field_stuff[0]['safe'];
    // OR
    $stuff = $node->field_stuff[0];
    print content_format('field_stuff', $stuff);
    ?>
    </div>
  • 21. Sanitize user input for output:
    $msg = variable_get('my_msg', '');
    print check_plain($msg);
  • 22. Test for XSS vulnerability: <script>alert('xss yo')</script>
    github.com/unn/vuln
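As an added example (not from the slides), the title pattern of slides 13 and 18 and the request-header point of slide 15 side by side, run against the slide's own test string; Drupal is not loaded, so a local check_plain() stand-in and the render_* helpers are assumptions, and the same call covers the variable_get() message of slide 21.

```php
<?php
// Added example, not from the slides. Drupal is not bootstrapped here, so this
// local check_plain() stands in for Drupal 6's check_plain(): htmlspecialchars()
// with ENT_QUOTES and UTF-8 (Drupal additionally validates the UTF-8 first).
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern (slide 13): the raw node title reaches the markup unchanged.
function render_title_raw($title) {
  return "<h1>$title</h1>";
}

// Fixed pattern (slide 18): escape once, at output time, and print only the escaped copy.
function render_title_safe($title) {
  $safe = check_plain($title);
  return "<h1>$safe</h1>";
}

// Slide 15: request headers are user input too, so they get the same treatment.
function render_user_agent($server) {
  $ua = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
  return '<p class="ua">' . check_plain($ua) . '</p>';
}

// Constructed inputs: the slide's XSS test string as a node title, and a
// hypothetical User-Agent header carrying markup.
$title  = "<script>alert('xss yo')</script>";
$server = array('HTTP_USER_AGENT' => 'Mozilla/5.0 <b>not a browser</b>');

$raw  = render_title_raw($title);
$safe = render_title_safe($title);

// The raw rendering still contains a live <script> element; the escaped one does not.
assert(strpos($raw, '<script>') !== false);
assert($safe === '<h1>&lt;script&gt;alert(&#039;xss yo&#039;)&lt;/script&gt;</h1>');
assert(strpos(render_user_agent($server), '<b>') === false);

echo $raw, "\n", $safe, "\n", render_user_agent($server), "\n";
```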
  • 23. Insecure Environment
  • 24. Insecure Environment: lock down your stack, admin tools and access to them. Principle of least privilege: give out only necessary permissions.
  • 25. Insecure Environment: /devel/variable, /phpMyAdmin
  • 26. Insecure Environment: make backups, test that they work, secure access to backups.
  • 27. Center for Health Transformation's records were "found by The New York Times in an unsecured archived version of the site"
    http://www.nytimes.com/2011/11/30/us/politics/gingrich-gave-push-to-clients-not-just-ideas.html
    http://www.flickr.com/photos/mjb/208218519/
  • 28. Insecure Environment: /sites/default/files/backup_migrate/
  • 29. Stolen Access
  • 30. SSL: run Drupal on full TLS/SSL (securepages & securepages_prevent_hijack, http://drupalscout.com/node/17). Use a valid certificate.
  • 31. SFTP, "Secure" FTP: your host should provide it. If not, consider a new one.
  • 32. Stay up-to-date
  • 33. Stay up-to-date: know and apply security updates (Security Advisories). Not just Drupal: third-party libraries (TinyMCE), PHP, operating system.
  • 34. /CHANGELOG.txt
  • 35. Automation
    http://www.flickr.com/photos/hubmedia/2141860216/
  • 36. Steps to a mostly automated review:
    Security Review: drupal.org/project/security_review
    Hacked: drupal.org/project/hacked
    Coder: drupal.org/project/coder
    Secure Code Review: drupal.org/project/secure_code_review
    Vuln: github.com/unn/vuln
    More: http://drupalscout.com/node/11
  • 37. In-depth, hands-on security training: drupalcon.org, bit.ly/drupalcon-security
  • 38. Read: drupal.org/security/writing-secure-code, drupalscout.com, crackingdrupal.com
    Converse: groups.drupal.org/best-practices-drupal-security
    ben.jeavons@acquia.com, @benswords