Being! Black Hat with Drupal - Anand Toshniwal

1. Being !BlackHat with
Drupal
- Anand Toshniwal
@toshniwal_anand

2. AGENDA
❏ Importance of secure coding
❏ Database security
❏ Session hijacking
❏ Text security
❏ Cross-site scripting
❏ Safely impersonating another user

3. Why secure coding is important?
❏ Security isn’t an option
❏ Link in the chain on design security
❏ Security by obscurity is myth
❏ Proactive prevention is more effective than reactive detection
❏ Hackers, crackers and attackers

4. Database Access
db_query(‘SELECT n.title FROM {node} n WHERE n.nid = ‘ . $_GET[‘nid’] );
Good practice
[D7] db_query(‘SELECT n.title FROM {node} n WHERE n.nid = :nid’, array(‘:nid’ => $_GET[‘nid’]));
[D8] Database::getConnection()->query(‘SELECT n.title FROM {node} n
WHERE n.nid = :nid’, [‘:nid’ =>
$_GET[‘nid’]]);
Bad practice

5. Dynamic queries
❏ If the query parts vary
❏ Select queries may be either static or dynamic
❏ To support multiple database servers easily
❏ Provides structural interface
❏ To enforce security checks

6. SESSION HIJACKING

7. Session ID
user
user’s
browser
Access
page
Drupal
Drupal receives
session ID

8. Handle Text in Secure Fashion

9. a. <?php print l(check_plain($title), 'node/'. $nid); ?>
b. <?php print l($title, 'node/'. $nid); ?>
2.
a. <?php print '<a href="/' . $url . '">'; ?>
b. <?php print '<a href="/'. check_plain($url) .'">'; ?>
c. <?php print '<a href="/'. check_url($url) .'">'; ?>
Choose the correct option

10. 3.
a. $form['text1'] = array(
'#type' => 'textfield',
'#default_value' => check_plain($u_supplied),
);
b. $form[select1] = array(
'#type' => 'select',
'#default_value' => 0,
'#options' => node_get_types('names'),
);
Choose the correct option

11. Sanitization for backend use
Text Replacement
❏ @variable
$this->placeholderFormat('This will force HTML-escaping of the replacement
value: @text', ['@text' => (string)$safe_string_interface_object));
❏ %variable
$string = "%output_text";
$arguments = ['%output_text' => 'text output here.'];
$this->placeholderFormat($string, $arguments);

12. ❏ :variable
$this->placeholderFormat('<a href=":url">@variable</a>', [':url' => $url,
'@variable' => $variable]);

13. Cross-site scripting (xss) attack

14. Cross-site scripting (xss) attack

15. Safely Impersonating Another User

16. Drupal 7
global $user;
$original_user = $user;
$old_state = drupal_save_session();
drupal_save_session(FALSE);
$user = user_load(1);
// Take your action here
$user = $original_user;
drupal_save_session($old_state);

17. Drupal 8
$accountSwitcher = Drupal::service('account_switcher');
$account = DrupaluserEntityUser::load(2);
$accountSwitcher->switchTo($account);
// Take your action here. If your code fails, then you should catch an
exception
// and switch back (see below).
// Restore user account.
$accountSwitcher->switchBack();