The recent SA-CORE-2014-005 vulnerability has demonstrated that hackers have learnt how to take advantage of Drupal’s functionality to infect a site and go unnoticed. Site builders and site maintainers have a large role to play in preventing these kinds of disasters. Security doesn’t have to be a pain to implement and plan for. The primary goal of this session is to give people a solid basis in the most common security issues so they can quickly identify those security issues. From there, we'll move into some other common pain-points of site builders like frequently made mistakes, modules to enhance security, and evaluating contributed module quality.

1. Drupal and SecurityAdvice for Site Builders and Coders
Arunkumar Kuppuswamy
Software Engineer
Innoppl Technologies
arunkumar1.akk@gmail.com
Phone: +91 80986 41508

2. ● Security Vulnerabilities
● General Tips
● Server Environment
● Site Configurations
● Personal Practices
● Drupal Configuration
● Writing Custom Codes
Agenda

3. ● Drupal is an open-source CMS and or framework
● 2.2% of websites in Internet are running using
Drupal
● 3rd Popular CMS in world.
● Reliability
● Scalability
● A huge dedicated community
Why Drupal ?

4. https://w3techs.com/technologies/overview/content_management/all
Do you think Drupal is the Right choice ?

5. Source: CVE Details

6. Source: CVE Details

7. - System flaw or weakness in an application
● Cross Site Scripting (XSS)
● Broken Authentication
● Gain Information / Privileges
● SQL Injection
● Bypass something
● CSRF
Security vulnerabilities

8. ● Cross Site Scripting
● Code in the browser
● Making requests
● Parsing responses
● Javascript, Flash, Java, etc.
What is XSS?

9. ● Filter text
● On output to browser
● As late as reasonable
● Some API filters where reasonable
● t() and Drupal::translation()->formatPlural()
with @text and %text placeholders
Fixing XSS?

11. - User to access the system without going through
the security clearance
● User can see or do something
● That permissions/access should prevent
What is Access Bypass?

12. ● Creating Permissions
MODULE_NAME.permissions.yml
Fixing Access Bypass

13. ● Menu Callbacks
MODULE_NAME.routing.yml
Fixing Access Bypass

14. ● Node access
○ hook_node_access()
● User access
○ hook_user_access()
● Entity access
○ hook_entity_access()
● Field access
○ hook_field_access()
Fixing Access Bypass

15. Fixing Access Bypass?

16. ● User has permission to Access
● Use behat
Fixing Access Bypass?

17. - Executing malicious SQL statements.
● Incorrectly filtered escape characters
● Incorrect type handling
● Blind Conditional SQL injection
SQL Injection

18. Drupal SQL Injection Sample Code

19. Drupal SQL Injection Sample Code

20. ● Database abstraction layer
● Adding tags to your queries
Fixing SQL Injection

21. Unauthorized commands are transmitted from a user that
the website trusts.
● Path that does not confirm intent
● <img src="http://example.com/node/1/quickdelete" >
● Mostly in Form submissions
What is CSRF?

22. ● Use Form API: confirmation forms
● Send and validate tokens : Drupal::csrfToken()
● Using a secret cookie
● Multi-Step Transactions
● HTTPS
Fixing CSRF?

23. ● YAML route definition for a protected link
● Protected Ajax request
Fixing CSRF?

24. ● Protected Ajax request
Fixing CSRF?

25. ● Roles and permissions
● Keep your site settings secure
○ Text formats
○ PHP module
○ PHP in other modules
Secure site configuration

26. ● File permissions: web server user forbidden to
change code
● PHP execution: restrict in .htaccess or Nginx
config
● Drupal handbook for securing your site
Secure site configuration

27. ● Secure Login
● Paranoia
● Security Review
● Permissions Lock
● Hacked!
● Password policy / Password strength
● Two Factor Authentication
● Shield
● Security Kit
Modules Enhancing Security

28. ● Stronger password hashing / salt
● Login flood control
○ prevents brute-force credential guessing
● Protected cron
○ prevents Denial of Service attacks
Drupal 8

29. Update Settings

30. ● Automatically sanitizes strings on output
● No PHP in templates
● You can't run SQL queries
● Twig auto-escaping : htmlspecialchars()
Drupal 8: Twig

32. ● Filtered HTML format
● Limiting users to using only images local
Content Entry & Filtering Improved

33. Choosing Contrib Modules

34. ● Use HTTPS, SSH, SFTP
● Strong password policy
● Server – LAMP stack
● Require SSH keys
● Take & verify your backups
○ Sanitize backups before sharing
General Tips

35. ● Drupal Security Team
○ Keep Drupal code secure in core and contrib
○ Educate the community on security best
practices
1. Developers
2. Site builders
3. Site administrators and users
4. Decision makers
○ Security Advisory for every security release
○ @drupalsecurityandSecurity Group
Security Process

36. Security Issue
Code Maintainer
Team Security
New Release

37. ● https://www.oakleys.org.uk/blog/2017/01/how_to_secure_a_drupal
_website
● https://pantheon.io/blog/9-tips-and-tricks-securing-your-drupal-site
-pantheon
● https://www.drupal.org/documentation/is-drupal-secure
● https://www.drupal.org/security/secure-configuration
● https://www.ostraining.com/blog/drupal/8-things-drupal-security/
● https://www.keycdn.com/blog/drupal-security/
References:

38. Any Queries ?

39. Thank you!