Hack proof your drupal site
Naveen Valecha, Software Engineer at www.qed42.com
http://blog.valechatech.com Twitter : @NaveenvalechaNV
QED42
Do you think hackers are magicians?
Topics
● Common Security Strategies
● SQL Injection
● Cross-Site Scripting (XSS)
● Cross-Site Request Forgery (CSRF)
● Access bypass (Node access bypass & Menu access bypass)
● Correct use of drupal_goto (incorrect use leads to a vulnerability)
Common Security Strategies
● Trust - Who can do what on the website.
● Software Updates - Keep your software (server, web server, Drupal, etc.) up to date.
● Security Misconfigurations
Securing your website: https://www.drupal.org/security/secure-configuration
Permissions
● Be careful with site-owning permissions.
● Be equally careful with text formats.
● The user 1 account name should not be something obvious like “admin”, and the account should not be used for day-to-day work: it has all permissions.
Security Misconfigurations
● Disable PHP error reporting (admin/config/development/logging)
● Disable the PHP filter module.
● Make sure PHP files are not writeable by the web server.
● Remove write permissions for www-data, e.g.:
-rw-r----- 1 neal www-data index.php
drwxr-x--- 32 neal www-data modules/
drwxrwx--- 7 www-data neal sites/default/files/
SQL Injection
An attacker can supply crafted parameters that are passed straight into the query.
SQL injection (vulnerable code, user input concatenated into the query):
<?php
db_query("SELECT uid FROM {users} u WHERE u.name = '" . $_GET['user'] . "'");
?>
SQL Injection - Exploit
http://example.dev/?user=x%27%3B%20DROP%20table%20node%3B%20--
Query: SELECT uid FROM users u WHERE u.name = 'x'; DROP table node; --'
This will delete your node table. It leads to data loss and will break your website.
SQL Injection - Correct Usage
<?php
db_query("SELECT uid FROM {users} u WHERE u.name = :name",
  array(':name' => $_GET['user']));
?>
OR
<?php
db_select('users', 'u')
  ->fields('u', array('uid'))
  ->condition('u.name', $_GET['user'])
  ->execute();
?>
Cross-Site Scripting (XSS)
● Attackers can inject client-side script into web pages to bypass the site's security policy.
● Any data added via form fields should be sanitized before printing.
XSS - Exploit Result
http://d7vulnerable.dev/admin/pizza
print $row->title;

XSS - Correct Usage
print check_plain($row->title);
Handle text in a secure fashion: https://www.drupal.org/node/28984
http://drupalscout.com/sites/default/files/article_files/filtering_text_0.pdf
Cross-Site Request Forgery (CSRF)
function pizza_menu() {
  $items['admin/pizza/%/delete'] = array(
    'title' => 'Pizza',
    'description' => 'Delete the pizza.',
    'page callback' => 'pizza_delete',
    'access arguments' => array('administer pizza'),
    'file' => 'pizza.admin.inc',
  );
  return $items;
}

function pizza_delete() {
  // Vulnerable: a plain GET request to admin/pizza/1/delete performs the deletion,
  // with no confirmation and no token check.
  $nid = arg(2);
  node_delete($nid);
  cache_clear_all();
  drupal_goto('admin/pizza');
}
CSRF - Exploit
Attackers can post the URL http://d7vulnerable.dev/admin/pizza/1/delete somewhere, like this:
<img src="http://d7vulnerable.dev/admin/pizza/1/delete"></img>
Any logged-in administrator whose browser loads that page deletes the pizza without knowing it.
CSRF - Protection
● Confirmation forms
● Security tokens in the URL, e.g. http://d7vulnerable.dev/admin/pizza/1/delete?token=blaski23ijuinfiknerja_eiriwe_rmewhfuihacnuhierwn
Use the Form API to avoid CSRF: https://www.drupal.org/node/178896
Protecting your Drupal module against CSRF: https://docs.acquia.com/articles/protecting-your-drupal-module-against-cross-site-request-forgeries
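As an added example (not the talk's own code nor the exploitedpizza repository it links to), here is the confirmation-form version of the delete path from the slide above, written for Drupal 7. The pizza_* names and the 'administer pizza' permission follow the slide; everything else is assumed. It uses the Form API redirect key ($form_state['redirect'] in Drupal 7) instead of drupal_goto().

```php
<?php
// Hypothetical Drupal 7 module code (added example, not from the talk).
// The 'file' key from the slide is dropped so the whole module fits in one file.

/**
 * Implements hook_menu().
 *
 * The delete path now renders a confirmation form instead of deleting
 * directly, so the destructive action only happens on a POST that carries a
 * valid Form API token. A GET request (e.g. from a forged <img> tag) only
 * shows the form and changes nothing.
 */
function pizza_menu() {
  $items['admin/pizza/%node/delete'] = array(
    'title' => 'Delete pizza',
    'page callback' => 'drupal_get_form',
    // %node auto-loads the node; it is passed as the form's third argument.
    'page arguments' => array('pizza_delete_confirm_form', 2),
    'access arguments' => array('administer pizza'),
  );
  return $items;
}

/**
 * Confirmation form for deleting one pizza node.
 *
 * confirm_form() adds the question, the Delete button and a Cancel link, and
 * the Form API adds the hidden form_build_id / form_token fields that are
 * validated before any submit handler runs.
 */
function pizza_delete_confirm_form($form, &$form_state, $node) {
  // Keep the nid in a '#type' => 'value' element: it is stored server-side in
  // the form cache, not taken from a user-editable field.
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  return confirm_form(
    $form,
    t('Are you sure you want to delete %title?', array('%title' => $node->title)),
    'admin/pizza',
    t('This action cannot be undone.'),
    t('Delete'),
    t('Cancel')
  );
}

/**
 * Submit handler: only reached after the Form API validated the token.
 */
function pizza_delete_confirm_form_submit($form, &$form_state) {
  node_delete($form_state['values']['nid']);
  drupal_set_message(t('The pizza has been deleted.'));
  // Redirect through the Form API rather than calling drupal_goto() here.
  $form_state['redirect'] = 'admin/pizza';
}
```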
Node Access bypass
This vulnerability is usually found in project applications that expose node table data. It can be fixed by adding the node_access tag to the query and by using the Access API.
Node Access bypass fix of a sample module:
http://cgit.drupalcode.org/webform_references/commit/?id=e006970
Node Access bypass - Exploit
Node Access bypass - Protection
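Added example, not code from the talk or from the webform_references commit it links to: a Drupal 7 listing query that exposes node table data, the same query with the node_access tag, and a menu entry that delegates the access decision to the Access API. The pizza_* names and the 'pizza' content type are hypothetical.

```php
<?php
// Hypothetical Drupal 7 module code (added example, not from the talk).

/**
 * Lists published pizza nodes.
 *
 * Vulnerable: node grants are never consulted, so every published node of the
 * type is returned, including nodes the current user is not allowed to view
 * (e.g. nodes restricted by a node access module such as content_access).
 */
function pizza_list_unsafe() {
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.type', 'pizza')
    ->condition('n.status', 1)
    ->execute()
    ->fetchAllKeyed();
}

/**
 * Same listing, fixed.
 *
 * The 'node_access' tag lets node.module rewrite the query (via
 * hook_query_node_access_alter()) so only rows the current user may view are
 * returned. Titles are still raw: run them through check_plain() when printing.
 */
function pizza_list_safe() {
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.type', 'pizza')
    ->condition('n.status', 1)
    ->addTag('node_access')
    ->execute()
    ->fetchAllKeyed();
}

/**
 * Implements hook_menu().
 *
 * A direct request to pizza/123 never passes through the listing query, so the
 * single-node page needs its own check. Using node_access() as the access
 * callback applies the Access API (grants, ownership, 'bypass node access')
 * instead of a bare permission string.
 */
function pizza_menu() {
  $items['pizza/%node'] = array(
    'title' => 'Pizza',
    'page callback' => 'node_view',
    'page arguments' => array(1),
    'access callback' => 'node_access',
    'access arguments' => array('view', 1),
  );
  return $items;
}
```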
Menu Access bypass
This is rare in Drupal; it turns up occasionally while reviewing project applications. It can be handled through permissions and by checking #access:
https://www.drupal.org/node/2344569#comment-9528911
Menu Access bypass fix for a sample module:
http://cgit.drupalcode.org/path_alias_picker/commit/?id=b795df0
Correct Usage of drupal_goto
● We usually use drupal_goto to redirect the user to some other page. This performs a 30x HTTP redirect. In forms we usually suggest using $form['redirect'] instead of drupal_goto.
● Incorrect usage of drupal_goto leads to an Open Redirect.
drupal_goto - Exploit
drupal_goto - Prevention
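The open redirect the slides refer to and one way to prevent it, as an added Drupal 7 example that is not part of the talk. The pizza_* function names and the 'return' query parameter are assumed; url_is_external(), drupal_get_normal_path() and drupal_valid_path() are core Drupal 7 functions.

```php
<?php
// Hypothetical Drupal 7 helper code (added example, not from the talk).

/**
 * Open redirect: the destination comes straight from the query string, so
 * drupal_goto() builds an absolute URL from whatever was supplied and sends
 * the user there, including to an external site.
 */
function pizza_redirect_unsafe() {
  $dest = isset($_GET['return']) ? $_GET['return'] : 'admin/pizza';
  drupal_goto($dest);
}

/**
 * Returns a path that is safe to redirect to, or $default.
 *
 * Order matters: drupal_valid_path() returns TRUE for external URLs, so the
 * url_is_external() check must run first. After that, only paths that exist
 * in the menu router and that the current user may access are accepted, which
 * also rejects scheme tricks and protocol-relative strings because they are
 * not router paths.
 */
function pizza_safe_return_path($requested, $default = 'admin/pizza') {
  if (!is_string($requested) || $requested === '') {
    return $default;
  }
  if (url_is_external($requested)) {
    return $default;
  }
  // Resolve a path alias to its system path before validating it.
  $normal = drupal_get_normal_path($requested);
  if (!drupal_valid_path($normal)) {
    return $default;
  }
  return $normal;
}

/**
 * Prevention: validate the requested destination, then redirect.
 */
function pizza_redirect_safe() {
  $requested = isset($_GET['return']) ? $_GET['return'] : '';
  drupal_goto(pizza_safe_return_path($requested));
}
```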
Recovery Strategies
● Restore from backup
● Update your code
● Change your passwords
● Audit your code
Useful Security Modules
● Security Review: checks your site for misconfiguration. https://drupal.org/project/security_review
● Paranoia: no PHP eval() from the web interface. https://drupal.org/project/paranoia
● Seckit: Content Security Policy, Origin checks against CSRF. https://drupal.org/project/seckit
● Many more….
References
● http://www.drupal.org/writing-secure-code
● https://www.drupal.org/project/issues/search?issue_tags=PAReview%3A%20security
● http://drupalsecurityreport.org/
● https://groups.drupal.org/security
● https://www.drupal.org/security/secure-configuration
● http://heine.familiedeelstra.com/
https://github.com/naveenvalecha/exploitedpizza
THANK YOU!
Questions?
