In this session, I'll show the most common vulnerabilities that our Drupal code can have and how we should be prepared to avoid such an insecure code to be released.
The presentation covers trends in vulnerabilities, starting in general aspects then showing Drupal specific ones.
I'll also speak about what we should do if we find any vulnerabilities in contributed solutions.
All backgrounds are welcome from Drupal site builders to contributed projects' maintainers! Every one of you will be able to learn and improve your security awareness as being an active participant in the session. Be ready for some showcases where we'll check Drupal 7 and 8 codes that are vulnerable and will fix them in live!
https://drupalcampkyiv.org/node/27
2. Who am I?
Tatar Balazs Janos
@tatarbj
Works with Drupal since 2007
CTO @ Petend
Drupal Security Correspondent @ EC
Active mentor @ Mentoring community group
Provisional member @ Drupal Security Team
SecOSdreamer @ Secure Open Source day
DRUPALCAMP
KYIV’19
17. Client side vulnerability
Unfiltered output
Never trust any user input.
We’ve seen the demo before ;)
Cross Site Scripting
Tatar Balazs Janos - @tatarbj
DRUPALCAMP
KYIV’19
21. Everyone has a bingo card (check your bag!)
If you answer well, mark the number!
Wrong answer = no number!
First who shouts BINGO! wins the price!
Rules and etiquette
Tatar Balazs Janos - @tatarbj
DRUPALCAMP
KYIV’19
42. Use behat/automated tests.
<script>alert('XSS')</script>
<img src="a" onerror="alert('title')">
Check your filters and user roles.
Do not give too many options to untrusted users!
Protection against Cross Site Scripting
Tatar Balazs Janos - @tatarbj
DRUPALCAMP
KYIV’19
44. User can access/do something.
Menu items can be defined to be
accessed/denied.
Many access systems: node, entity, field, views...
Access bypass
Tatar Balazs Janos - @tatarbj
DRUPALCAMP
KYIV’19
57. Restricted permissions make Drupal
sites more secure by calling
restrict_permission() method.
Tatar Balazs Janos - @tatarbj
?
DRUPALCAMP
KYIV’19
58. Restricted permissions make Drupal
sites more secure by calling
restrict_permission() method.
Tatar Balazs Janos - @tatarbj
?
DRUPALCAMP
KYIV’19
59. Restricted permissions make Drupal
sites more secure by raising
attention on the permission page.
Tatar Balazs Janos - @tatarbj
?
DRUPALCAMP
KYIV’19
66. Visit node/nid and other urls
Visit anything/%node
Use behat/automated tests.
node_access, entity_access
Menu definitions
user_access for permissions
$query->addTag('node_access')
Protection against Access bypass
Tatar Balazs Janos - @tatarbj
DRUPALCAMP
KYIV’19
68. Unauthorized access to database resources.
Do not trust any user input.
SA-CORE-2014-005 – Highly critical D7 SA
SQL Injection
Tatar Balazs Janos - @tatarbj
DRUPALCAMP
KYIV’19
79. Use always drupal Database API!
db_query with :placeholder (deprecated in D8,
in D9 will be removed)
Filter parameters
Check the queries in code.
username' AND 1=1
POST requests by curl
Protection against SQL Injection
Tatar Balazs Janos - @tatarbj
DRUPALCAMP
KYIV’19
80. Round 4
Ready for some other code?
Tatar Balazs Janos - @tatarbj
DRUPALCAMP
KYIV’19
81. <?php
function _generate_password($length = 8) {
$pass = ’’;
for ($i = 0; $i < $length; $i++) {
// Each iteration, pick a random character from the
// allowable string and append it to the password:
$pass .= $allowable_characters[mt_rand(0, $len)];
}
}
?>
Tatar Balazs Janos - @tatarbj
DRUPALCAMP
KYIV’19
82. <?php
function _generate_password($length = 8) {
$pass = ’’;
for ($i = 0; $i < $length; $i++) {
// Each iteration, pick a random character from the
// allowable string and append it to the password:
$pass .= $allowable_characters[mt_rand(0, $len)];
}
}
?>
Tatar Balazs Janos - @tatarbj
DRUPALCAMP
KYIV’19
83. <?php
function _generate_password($length = 8) {
$pass = ’’;
for ($i = 0; $i < $length; $i++) {
do {
// Find a secure random number within the range needed.
$index = ord(drupal_random_bytes(1));
} while ($index > $len);
$pass .= $allowable_characters[$index];
}
}
?>
Tatar Balazs Janos - @tatarbj
DRUPALCAMP
KYIV’19
102. Cross Site Request Forgery
vulnerability is in the TOP10 of
OWASP list from 2017.
Tatar Balazs Janos - @tatarbj
?
DRUPALCAMP
KYIV’19
103. Cross Site Request Forgery
vulnerability is in the TOP10 of
OWASP list from 2017.
Tatar Balazs Janos - @tatarbj
?
DRUPALCAMP
KYIV’19
104. Cross Site Request Forgery
vulnerability is not in the TOP10 of
OWASP list from 2017, but was in 2013.
Tatar Balazs Janos - @tatarbj
?
DRUPALCAMP
KYIV’19
115. *https://events.drupal.org/sites/default/files/slides/pwolanin-2017-09-ways-drupal8-d.pdf
Many ways Drupal 8 is more secure!*
Twig templates for HTML generation
Removed PHP format
Site configuration exportable, versionable
User content entry and filtering improvements
User session and session always in ID handling
Automated CSRF token protection
Trusted host patterns enforced for requests
Single statement execution for SQL
Clickjacking protection
Content security policy compatibility with Core Javascript API
Tatar Balazs Janos - @tatarbj
DRUPALCAMP
KYIV’19
117. Security advisories are for
Only stable modules
No alpha, beta, dev
d.org hosted projects
@Maintainers: If you are contacted, be supportive!
Drupal Security Team
Tatar Balazs Janos - @tatarbj
DRUPALCAMP
KYIV’19