Hack Proof your drupal site.

1. Hack proof your drupal site
Naveen Valecha, Software Engineer at www.qed42.com
http://blog.valechatech.com Twitter : @NaveenvalechaNV
QED42

2. QED42
Do you think
Hackers are
Magicians ?

3. Topics
● Common Security Strategies
● SQL Injection
● Cross-Site Scripting(XSS)
● Cross Site Request Forgery(CSRF)
● Access bypass(Node access bypass & Menu
access bypass)
● Correct use of drupal_goto unless leads to
vulnerability
QED42

4. Common Security Strategies
● Trust - Who can do what on the
website.
● Software Updates - Update your
softwares(Server, Webserver, Drupal,
etc.)
● Security Misconfigurations
Securing your website : https://www.drupal.org/security/secure-configuration
QED42

5. Permissions
● Be careful with site owning
permissions.
● Similarly with the text formats.
● User 1 name should not be simple like
“admin”, don’t use in general use, it
has all permissions.
QED42

6. Security Misconfigurtions
● Disable php error reporting
(admin/config/development/logging)
● Disable PHP filter Module.
● Make sure php files are not writeable by server.
● Remove write permissions for www-data
-rw-r----- 1 neal www-data index.php
drwxr-x--- 32 neal www-data modules/
drwxrwx--- 7 www-data neal sites/default/files/
QED42

7. SQL Injection
Attacker can supply messy parameters passed.
SQL injection:
<?php
db_query("SELECT uid FROM {users} u WHERE u.name =
'" . $_GET['user'] . "'");
?>
QED42

8. http://example.dev/?user=x%27%3B%20DROP%
20table%20node%3B%20--
Query: SELECT uid FROM users u WHERE u.name =
'x'; DROP
table node; --'
This will delete your node table.Leads to data loss and
will break your website.
QED42
SQL Injection - Exploit

9. <?php
db_query("SELECT uid FROM {users} u WHERE u.name = :
name",
array(':name' => $_GET['user']));
OR
db_select('users', 'u')
->fields('u', array('uid'))
->condition('u.name', $_GET['user'])
->execute();
?>
QED42
SQL Injection -Correct Usage

10. Cross site Scripting(XSS)
● Attackers can inject client-side script
into web pages to access bypass the
security policy.
● Any data added via form-fields
should be sanitized before printing.
QED42

11. XSS - Exploit Result
http://d7vulnerable.
dev/admin/pizza
print $row->title
print check_plain($row->title);
QED42
Handle text in Secure fashion : https://www.drupal.org/node/28984

12. XSS - Correct Usage
QED42

13. QED42http://drupalscout.com/sites/default/files/article_files/filtering_text_0.pdf

14. Cross-site Request Forgery(CSRF)
function pizza_menu() {
$items['admin/pizza/%/delete'] = array(
'title' => 'Pizza',
'description' => 'Delete the pizza.',
'page callback' => 'pizza_delete',
'access arguments' => array('administer pizza'),
'file' => 'pizza.admin.inc',
);
function pizza_delete() {
$nid = arg(2);
node_delete($nid);
cache_clear_all();
drupal_goto('admin/pizza');
} QED42

15. CSRF - Exploit
Attackers can post somewhere http://d7vulnerable.
dev/admin/pizza/1/delete
like this
<img src=”http://d7vulnerable.dev/admin/pizza/1/delete”></img>
QED42

16. CSRF - Protection
● Confirmation Forms
● Security tokens in the url http://d7vulnerable.
dev/admin/pizza/1/delete?
token=blaski23ijuinfiknerja_eiriwe_rmewhfuihacnuhierwn
Use the Form api to avoid CSRF
https://www.drupal.org/node/178896
Protecting your Drupal againts CSRF : https://docs.acquia.
com/articles/protecting-your-drupal-module-against-cross-site-
request-forgeries
QED42

17. Node Access bypass
This vulnerability is usually found in the project
applications,which expose the node table data.This
can be fixed by adding the node_access tag in the
query and using the access api.
Node Access bypass Fix of a sample module
http://cgit.drupalcode.
org/webform_references/commit/?id=e006970
QED42

18. Node Access bypass - Exploit
QED42

19. Node Access bypass - Protection
QED42

20. Menu Access bypass
This rarely happens in Drupal, found rarely while
reviewing project applications.This can be handled
by the permissions and by checking the #access
https://www.drupal.org/node/2344569#comment-
9528911
Menu Access bypass Fix for a sample module
http://cgit.drupalcode.
org/path_alias_picker/commit/?id=b795df0
QED42

21. Correct Usage of drupal_goto
● We usually use the drupal_goto to redirect the
user to some other page.This does a 30X
redirect .We usually suggest to use $form
[‘redirect’] in the forms instead of drupal_goto.
● Incorrect usage of drupal_goto leads to Open
Redirect
QED42

22. drupal_goto - Exploit
QED42

23. drupal_goto - Prevention
QED42

24. Recovery Strategies
● Restore from backup
● Update your code
● Change your passwords
● Audit your code
QED42

25. Useful Security Modules
● Security Review: check your site for
misconfiguration https://drupal.
org/project/security_review
● Paranoia: no PHP eval() from the web interface
https://drupal.org/project/paranoia
● Seckit: Content Security Policy, Origin checks
against CSRF https://drupal. org/project/seckit
● Many More….
QED42

26. References
● http://www.drupal.org/writing-secure-code
● https://www.drupal.org/project/issues/search?
issue_tags=PAReview%3A%20security
● http://drupalsecurityreport.org/
● https://groups.drupal.org/security
● https://www.drupal.org/security/secure-
configuration
● http://heine.familiedeelstra.com/
QED42

27. https://github.com/naveenvalecha/exploitedpizza
THANK YOU!
Questions ?
QED42