This document discusses how to hack proof a Drupal site. It covers common security strategies like permissions and software updates. It then details specific vulnerabilities like SQL injection, cross-site scripting, cross-site request forgery, node access bypass, and improper use of drupal_goto. For each vulnerability, it provides an example of an exploit and the proper way to prevent that exploit. It concludes with recommendations on security modules, references, and recovery strategies.

1. Hack proof your drupal site
Naveen Valecha, Software Engineer at www.qed42.com
http://blog.valechatech.com Twitter : @NaveenvalechaNV
QED42

2. QED42
Do you think
Hackers are
Magicians ?

3. Topics
● Common Security Strategies
● SQL Injection
● Cross-Site Scripting(XSS)
● Cross Site Request Forgery(CSRF)
● Access bypass(Node access bypass & Menu
access bypass)
● Correct use of drupal_goto unless leads to
vulnerability
QED42

4. Common Security Strategies
● Trust - Who can do what on the
website.
● Software Updates - Update your
softwares(Server, Webserver, Drupal,
etc.)
● Security Misconfigurations
Securing your website : https://www.drupal.org/security/secure-configuration
QED42

5. Permissions
● Be careful with site owning
permissions.
● Similarly with the text formats.
● User 1 name should not be simple like
“admin”, don’t use in general use, it
has all permissions.
QED42

6. Security Misconfigurtions
● Disable php error reporting
(admin/config/development/logging)
● Disable PHP filter Module.
● Make sure php files are not writeable by server.
● Remove write permissions for www-data
-rw-r----- 1 neal www-data index.php
drwxr-x--- 32 neal www-data modules/
drwxrwx--- 7 www-data neal sites/default/files/
QED42

7. SQL Injection
Attacker can supply messy parameters passed.
SQL injection:
<?php
db_query("SELECT uid FROM {users} u WHERE u.name =
'" . $_GET['user'] . "'");
?>
QED42

8. http://example.dev/?user=x%27%3B%20DROP%
20table%20node%3B%20--
Query: SELECT uid FROM users u WHERE u.name =
'x'; DROP
table node; --'
This will delete your node table.Leads to data loss and
will break your website.
QED42
SQL Injection - Exploit

9. <?php
db_query("SELECT uid FROM {users} u WHERE u.name = :
name",
array(':name' => $_GET['user']));
OR
db_select('users', 'u')
->fields('u', array('uid'))
->condition('u.name', $_GET['user'])
->execute();
?>
QED42
SQL Injection -Correct Usage

10. Cross site Scripting(XSS)
● Attackers can inject client-side script
into web pages to access bypass the
security policy.
● Any data added via form-fields
should be sanitized before printing.
QED42

11. XSS - Exploit Result
http://d7vulnerable.
dev/admin/pizza
print $row->title
print check_plain($row->title);
QED42
Handle text in Secure fashion : https://www.drupal.org/node/28984

12. XSS - Correct Usage
QED42

13. QED42http://drupalscout.com/sites/default/files/article_files/filtering_text_0.pdf

14. Cross-site Request Forgery(CSRF)
function pizza_menu() {
$items['admin/pizza/%/delete'] = array(
'title' => 'Pizza',
'description' => 'Delete the pizza.',
'page callback' => 'pizza_delete',
'access arguments' => array('administer pizza'),
'file' => 'pizza.admin.inc',
);
function pizza_delete() {
$nid = arg(2);
node_delete($nid);
cache_clear_all();
drupal_goto('admin/pizza');
} QED42

15. CSRF - Exploit
Attackers can post somewhere http://d7vulnerable.
dev/admin/pizza/1/delete
like this
<img src=”http://d7vulnerable.dev/admin/pizza/1/delete”></img>
QED42

16. CSRF - Protection
● Confirmation Forms
● Security tokens in the url http://d7vulnerable.
dev/admin/pizza/1/delete?
token=blaski23ijuinfiknerja_eiriwe_rmewhfuihacnuhierwn
Use the Form api to avoid CSRF
https://www.drupal.org/node/178896
Protecting your Drupal againts CSRF : https://docs.acquia.
com/articles/protecting-your-drupal-module-against-cross-site-
request-forgeries
QED42

17. Node Access bypass
This vulnerability is usually found in the project
applications,which expose the node table data.This
can be fixed by adding the node_access tag in the
query and using the access api.
Node Access bypass Fix of a sample module
http://cgit.drupalcode.
org/webform_references/commit/?id=e006970
QED42

18. Node Access bypass - Exploit
QED42

19. Node Access bypass - Protection
QED42

20. Menu Access bypass
This rarely happens in Drupal, found rarely while
reviewing project applications.This can be handled
by the permissions and by checking the #access
https://www.drupal.org/node/2344569#comment-
9528911
Menu Access bypass Fix for a sample module
http://cgit.drupalcode.
org/path_alias_picker/commit/?id=b795df0
QED42

21. Correct Usage of drupal_goto
● We usually use the drupal_goto to redirect the
user to some other page.This does a 30X
redirect .We usually suggest to use $form
[‘redirect’] in the forms instead of drupal_goto.
● Incorrect usage of drupal_goto leads to Open
Redirect
QED42

22. drupal_goto - Exploit
QED42

23. drupal_goto - Prevention
QED42

24. Recovery Strategies
● Restore from backup
● Update your code
● Change your passwords
● Audit your code
QED42

25. Useful Security Modules
● Security Review: check your site for
misconfiguration https://drupal.
org/project/security_review
● Paranoia: no PHP eval() from the web interface
https://drupal.org/project/paranoia
● Seckit: Content Security Policy, Origin checks
against CSRF https://drupal. org/project/seckit
● Many More….
QED42

26. References
● http://www.drupal.org/writing-secure-code
● https://www.drupal.org/project/issues/search?
issue_tags=PAReview%3A%20security
● http://drupalsecurityreport.org/
● https://groups.drupal.org/security
● https://www.drupal.org/security/secure-
configuration
● http://heine.familiedeelstra.com/
QED42

27. https://github.com/naveenvalecha/exploitedpizza
THANK YOU!
Questions ?
QED42