Drupal Security Basics for the DrupalJax January Meetup



Basic security presentation for the Jacksonville, FL Drupal user group on how Drupal deals with the OWASP top 10 security risks of 2013.

I'll be expanding this to include additional details and examples in the next version.



  1. Drupal Security Basics
  2. Chris Hales, DevOps Director, @chris_hales
  3. @Mediacurrent Agenda
     ● Is Drupal Secure?
     ● OWASP Top 10 Security Risks
     ● Drupal Security Resources
     ● Staying Informed
     ● Q&A
  4. Is Drupal Secure?
  5. Drupal Security: Drupal is very secure out of the box as long as it's configured with a little care. We can attribute a lot of this to the efforts put forth by the community, which includes every contributor who has developed code for Drupal and every user who has taken the time to report an issue. Let's look at some common security problems found in many web applications and how Drupal handles them.
  6. OWASP Top 10
  7. OWASP: The OWASP Top 10 - 2013 is as follows:
     ● A1 Injection
     ● A2 Broken Authentication and Session Management
     ● A3 Cross-Site Scripting (XSS)
     ● A4 Insecure Direct Object References
     ● A5 Security Misconfiguration
     ● A6 Sensitive Data Exposure
     ● A7 Missing Function Level Access Control
     ● A8 Cross-Site Request Forgery (CSRF)
     ● A9 Using Components with Known Vulnerabilities
     ● A10 Unvalidated Redirects and Forwards
  8. Injection: Injection attacks occur when an attacker can insert data into a web application that is then interpreted or executed for malicious intent. SQL injection is probably the most commonly discussed type of attack, but being able to insert code, such as within a comment form, or to upload a file containing code that the attacker could later execute, such as a custom PHP script, also counts.
  9. Injection
     ● File Injection: Drupal's file management system controls which types of files can be uploaded by filtering extensions, and it also limits where files are stored.
     ● SQL Injection: Drupal's database API sanitizes queries, and D7 was designed to make it harder for developers to write insecure queries. Always use the API and use placeholders!
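The two defences on this slide in Drupal 7 module code, as an added example that is not from the presentation or from Mediacurrent: the insecure string-built query next to the placeholder-based query the slide asks for, and an upload handler that whitelists extensions and keeps files in the managed directory. The module name injdemo, the form field name upload and the directory public://uploads are assumptions.

```php
<?php
// Added example (not from the slides). Module name injdemo, the "upload"
// field and the "public://uploads" directory are assumed.

/**
 * INSECURE: user-supplied text is concatenated straight into SQL, so the
 * database cannot tell the data from the query. Do not write this.
 */
function injdemo_find_nodes_insecure($title_fragment) {
  $sql = "SELECT nid FROM {node} WHERE title LIKE '%" . $title_fragment . "%' AND status = 1";
  return db_query($sql)->fetchCol();
}

/**
 * SECURE: the database API binds placeholders, so the value is always sent
 * as data. db_like() additionally escapes the LIKE wildcards % and _.
 */
function injdemo_find_nodes($title_fragment) {
  return db_query(
    "SELECT nid FROM {node} WHERE title LIKE :title AND status = :status",
    array(
      ':title' => '%' . db_like($title_fragment) . '%',
      ':status' => NODE_PUBLISHED,
    )
  )->fetchCol();
}

/**
 * Same query through the dynamic query builder, which quotes identifiers
 * and binds every condition value for you.
 */
function injdemo_find_nodes_select($title_fragment) {
  return db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.status', NODE_PUBLISHED)
    ->condition('n.title', '%' . db_like($title_fragment) . '%', 'LIKE')
    ->execute()
    ->fetchCol();
}

/**
 * File injection: accept only the extensions you expect and let Drupal's
 * file API place the file under a managed stream wrapper.
 *
 * @return object|null
 *   The saved managed file, or NULL if a validator rejected the upload.
 */
function injdemo_handle_upload() {
  $validators = array(
    // Extension allow-list: anything else (php, phtml, ...) is refused.
    'file_validate_extensions' => array('png jpg jpeg gif pdf'),
    // Size cap of 2 MB (constructed value for the example).
    'file_validate_size' => array(2 * 1024 * 1024),
  );
  $file = file_save_upload('upload', $validators, 'public://uploads');
  if ($file === FALSE) {
    // A validator failed; file_save_upload() has already set the message.
    return NULL;
  }
  // Mark the file permanent so it is not garbage-collected on cron.
  $file->status = FILE_STATUS_PERMANENT;
  return file_save($file);
}
```

The insecure function is kept only to show what the API replaces; the two secure variants produce the same rows for the same input, and the upload handler relies on core's validators rather than on a hand-written extension check.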
  10. Broken Auth: Broken Authentication and Session Management. Examples include:
     ● Storing passwords as plain text or with a known insecure hashing algorithm, such as md5.
     ● Storing passwords that do not adhere to a policy, such as enforced alpha+numeric+punctuation.
     ● Poor session invalidation, such as infinite session cookies that could linger on an insecure system.
  11. Broken Auth: Broken Authentication and Session Management
     ● Drupal salts user passwords in addition to hashing them 2^15 times by default.
     ● Drupal will create a salt string, but it is also configurable and may be included from a file for added security.
     ● Existing sessions are destroyed on login/logout, limiting an attacker's ability to hijack a stale session.
     ● Several contrib modules enhance user security.
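How custom code touches the hashing and salt described on this slide, as an added Drupal 7 example rather than code from the presentation. The settings.php line reproduces the file-based salt pattern that Drupal's own default.settings.php gives as its illustration; the module name pwdemo is assumed.

```php
<?php
// Added example (not from the slides). pwdemo_* names are assumed.

// --- sites/default/settings.php ------------------------------------------
// The installer writes a random $drupal_hash_salt here. It keys form tokens
// and one-time login links; password hashes carry their own random,
// per-password salt inside the hash string. Reading the salt from a file
// outside the web root (path assumed) keeps it out of code backups.
$drupal_hash_salt = file_get_contents('/home/example/salt.txt');

// --- pwdemo.module -------------------------------------------------------
/**
 * Load the password API the same way user.module does, so a site that has
 * swapped in another implementation via the password_inc variable is honoured.
 */
function pwdemo_password_inc() {
  require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
}

/**
 * Hash a password as user_save() would: a random salt plus SHA-512 iterated
 * 2^DRUPAL_HASH_COUNT times (2^15 by default; the site can raise it through
 * the password_count_log2 variable).
 */
function pwdemo_hash_password($plain) {
  pwdemo_password_inc();
  return user_hash_password($plain);
}

/**
 * Verify a candidate password. user_check_password() re-derives the hash from
 * the salt and iteration count stored in $account->pass, so plain text is
 * never compared and the stored hash is never decoded.
 */
function pwdemo_check_password($plain, $account) {
  pwdemo_password_inc();
  return user_check_password($plain, $account);
}

/**
 * Change a password through the API. user_save() hashes the 'pass' key for
 * you; writing to users.pass directly would store the plain text.
 */
function pwdemo_set_password($uid, $new_plain) {
  $account = user_load($uid);
  return user_save($account, array('pass' => $new_plain));
}
```

A legacy md5 hash can still be accepted by user_check_password() (core recognises the older format and user.module rehashes on the next successful login), which is how a site moves off the insecure algorithm the previous slide lists without a mass password reset.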
  12. XSS: Cross-site Scripting (XSS). XSS attacks occur when an attacker injects malicious code into an otherwise harmless web application. These are very common vulnerabilities and occur when a web application doesn't properly sanitize user input. They range from the rather simplistic to the very complex, e.g.: <body onload=alert('Alert!')>. Studies show that more than 60% of sites have an XSS vulnerability.
  13. XSS: Cross-site Scripting (XSS). Drupal has several API functions for filtering user-submitted data to prevent XSS attacks. Be sure you know and understand the proper use of these functions when writing custom code:
     ● check_url() (URLs)
     ● check_plain() (plain text)
     ● check_markup() (rich text)
     ● filter_xss() (HTML)
     And don't forget about t() and l().
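Each of the functions on this slide applied to the output context it is meant for, as an added Drupal 7 example (not from the presentation). The module name xssdemo and the shape of the $comment object (name, homepage, body, format, signature fields) are assumptions.

```php
<?php
// Added example (not from the slides). xssdemo_* and the $comment fields
// are assumed.

/**
 * Render a user-submitted record using the right filter for each context.
 *
 * @param object $comment
 *   ->name (plain text), ->homepage (URL), ->body (rich text),
 *   ->format (text format id the body was saved with), ->signature (HTML).
 *   All values are untrusted.
 */
function xssdemo_render_comment($comment) {
  $out = array();

  // Plain text into an HTML context: check_plain() encodes <, >, &, " so a
  // name such as "<script>" is displayed literally rather than executed.
  $out[] = '<span class="author">' . check_plain($comment->name) . '</span>';

  // A URL into an href attribute: check_url() strips dangerous protocols
  // (javascript:, data:, ...) and then HTML-encodes the result.
  $out[] = '<a href="' . check_url($comment->homepage) . '">homepage</a>';

  // Rich text: check_markup() runs the configured filters of the text format
  // the body was saved with. Always pass the stored format, never one chosen
  // by the current request.
  $out[] = '<div class="body">' . check_markup($comment->body, $comment->format) . '</div>';

  // HTML that has no text format: filter_xss() keeps only an allow-list of
  // tags and removes event-handler attributes and script URLs.
  $allowed = array('a', 'em', 'strong', 'p', 'br');
  $out[] = '<div class="sig">' . filter_xss($comment->signature, $allowed) . '</div>';

  return implode("\n", $out);
}

/**
 * t() and l() escape for you when the placeholders are chosen correctly:
 *   @var  is passed through check_plain()
 *   %var  is passed through check_plain() and wrapped for emphasis
 *   !var  is inserted as-is, so only already-sanitized HTML may go there
 */
function xssdemo_welcome_message($account) {
  // The user name is escaped by the @name placeholder.
  $message = t('Welcome, @name!', array('@name' => format_username($account)));

  // l() escapes the link text and builds the href through url(); no extra
  // check_plain() is needed around the text.
  $link = l(t('Edit your account'), 'user/' . $account->uid . '/edit');

  return $message . ' ' . $link;
}
```

The point to take from the example is that the filter follows the destination (attribute, text node, rich-text body), not the source of the data; the same string needs a different function in each position.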
  14. Object References: Insecure Direct Object References. If the application does not verify that a user should be able to access an object, this is an insecure direct object reference flaw. Drupal Views is a good example of where this can occur: if you forget to include a "published" filter, the view could display unpublished listings to a user role not normally able to see them.
  15. Object References: Insecure Direct Object References
     ● Drupal's Form API sanitizes user input and validates submissions.
     ● The menu system handles permission checks for system paths, and .htaccess has rules to keep prying eyes away from module and theme files.
     ● Functions such as node_access() and user_access() are available when writing custom code.
     ● Numerous contrib modules exist that enhance core security.
  16. Misconfiguration: Security Misconfiguration. A simple misconfiguration can completely bypass all your other efforts to secure your site and the data it has stored.
  17. Misconfiguration: Security Misconfiguration. Drupal 7 out of the box is very secure, but you must be diligent about reviewing permissions when new modules are added. Several contrib modules are available to help with permission audits and to prevent accidental changes or privilege escalation: the Security Review module and the Secure Permissions module.
  18. Data Leakage: Sensitive Data Exposure. A common place for attackers to retrieve information is site backups. If the data isn't stored using encryption, or if the encryption algorithm is weak or otherwise ineffective, data leakage is possible.
  19. Data Leakage: Sensitive Data Exposure
     ● Passwords are salted and hashed.
     ● A site-specific key is randomly generated during site install and can be used for reversible encryption.
     ● Contrib solutions offer a number of encryption frameworks for storing sensitive data.
  20. Access Control: Missing Function Level Access Control. Access to functions and features must be granted programmatically and enforced by an access-control mechanism; where that enforcement is missing, any user who can reach the function can use it.
  21. Access Control: Missing Function Level Access Control. Drupal has an extensive permissions-based access control system in place that checks for user authorization before an action can be taken.
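The node_access() and user_access() calls from slide 15 and the permission-checked menu routing from slide 21, combined in one added Drupal 7 module example (not from the presentation). The module name accessdemo, its paths and the permission name "view accessdemo reports" are assumptions.

```php
<?php
// Added example (not from the slides). accessdemo_* names, paths and the
// permission string are assumed.

/**
 * Implements hook_permission().
 *
 * Declaring the permission lets administrators grant it per role; code
 * should never hard-code a role name.
 */
function accessdemo_permission() {
  return array(
    'view accessdemo reports' => array(
      'title' => t('View accessdemo reports'),
    ),
  );
}

/**
 * Implements hook_menu().
 *
 * The menu system runs the access check before the page callback, so a user
 * who types the URL by hand gets a 403 instead of the page.
 */
function accessdemo_menu() {
  $items = array();
  // Function-level control: a permission is all that is needed.
  $items['accessdemo/reports'] = array(
    'title' => 'Reports',
    'page callback' => 'accessdemo_reports_page',
    'access arguments' => array('view accessdemo reports'),
  );
  // Object-level control: %node is loaded by node_load() and node_access()
  // is asked whether THIS user may view THIS node, which covers unpublished
  // nodes and node-grant modules, not just the raw permission.
  $items['accessdemo/summary/%node'] = array(
    'title' => 'Summary',
    'page callback' => 'accessdemo_summary_page',
    'page arguments' => array(2),
    'access callback' => 'node_access',
    'access arguments' => array('view', 2),
  );
  return $items;
}

function accessdemo_reports_page() {
  return t('Reports go here.');
}

function accessdemo_summary_page($node) {
  return '<h2>' . check_plain($node->title) . '</h2>';
}

/**
 * Code reachable outside the menu system (cron, drush, AJAX callbacks) must
 * check again: menu access protects the URL, not internal function calls.
 * Filtering by node_access() here avoids the insecure direct object
 * reference of trusting caller-supplied ids.
 */
function accessdemo_node_summaries(array $nids) {
  $summaries = array();
  foreach (node_load_multiple($nids) as $node) {
    if (!node_access('view', $node)) {
      continue;
    }
    $summaries[$node->nid] = $node->title;
  }
  return $summaries;
}

/**
 * An explicit user_access() check for a branch inside a page callback that
 * needs more than the route's own permission.
 */
function accessdemo_maybe_export() {
  if (!user_access('view accessdemo reports')) {
    drupal_access_denied();
    drupal_exit();
  }
  return t('Export would be produced here.');
}
```

The Views case from slide 14 is the same idea at configuration level: the "Published (= Yes)" filter on a node view is the equivalent of the node_access() check in accessdemo_node_summaries(), and omitting it exposes the objects to anyone who can reach the view.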
  22. CSRF: Cross-site Request Forgery (CSRF, XSRF). With this type of exploit the attacker tricks the victim's browser into triggering an action on their behalf, e.g.: <img src="http://example.com/user/logout" />
  23. CSRF: Cross-site Request Forgery (CSRF). Similar to XSS, Drupal has built-in CSRF protection:
     ● Drupal's Form API uses POST submissions.
     ● The Form API uses tokens which are validated on submission.
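What the token protection on this slide looks like when custom code needs it for a state-changing link that is not a form, beside the Form API version that gets it for free, as an added Drupal 7 example (not from the presentation). The module name csrfdemo, its path and the cache ids are assumptions.

```php
<?php
// Added example (not from the slides). csrfdemo_* names, the path and the
// cache ids are assumed.

/**
 * Implements hook_menu().
 *
 * A GET URL that changes state is exactly what the <img> tag on the previous
 * slide abuses, so the callback below demands a token.
 */
function csrfdemo_menu() {
  $items = array();
  $items['csrfdemo/reset/%'] = array(
    'page callback' => 'csrfdemo_reset_callback',
    'page arguments' => array(2),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Build the link with a token. drupal_get_token() derives it from the user's
 * session id, the site's private key and $drupal_hash_salt, so a page on
 * another site cannot compute it.
 */
function csrfdemo_reset_link($key) {
  return l(t('Reset'), 'csrfdemo/reset/' . $key, array(
    'query' => array('token' => drupal_get_token('csrfdemo_reset_' . $key)),
  ));
}

/**
 * Page callback: refuse the request unless the token is valid for this
 * session and this $key; only then perform the action.
 */
function csrfdemo_reset_callback($key) {
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], 'csrfdemo_reset_' . $key)) {
    return MENU_ACCESS_DENIED;
  }
  cache_clear_all('csrfdemo:' . $key, 'cache');
  drupal_set_message(t('Reset done.'));
  drupal_goto('<front>');
}

/**
 * The same action as a Form API form. For logged-in users core adds a
 * form_token hidden field and rejects any submission whose token does not
 * validate, so no token code of your own is needed.
 */
function csrfdemo_reset_form($form, &$form_state, $key) {
  $form['key'] = array('#type' => 'value', '#value' => $key);
  $form['submit'] = array('#type' => 'submit', '#value' => t('Reset'));
  return $form;
}

function csrfdemo_reset_form_submit($form, &$form_state) {
  cache_clear_all('csrfdemo:' . $form_state['values']['key'], 'cache');
  drupal_set_message(t('Reset done.'));
}
```

Binding the token value to the specific $key means a token captured for one item does not authorise the same action on another; the form version gets the equivalent binding from the per-form form_token and form_build_id.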
  24. Contrib Dangers: Using Components With Known Vulnerabilities. Using libraries or contrib modules with known security vulnerabilities is a quick way to become a spam-infested site.
  25. Contrib Dangers: Using Components With Known Vulnerabilities. There are many ways to stay up to date on Drupal core and contrib modules:
     ● Use the Update Status module and configure it to notify you when new releases are available.
     ● Join the security mailing list to receive weekly updates on recently discovered security concerns related to Drupal.
     ● Join mailing lists for any 3rd-party library you use, such as WYSIWYG editors.
  26. Redirects: Unvalidated Redirects and Forwards. Attackers are able to craft malicious URLs to redirect users to resources of their choosing or to bypass access controls.
  27. Redirects: Unvalidated Redirects and Forwards
     ● Drupal's internal page redirects cannot be used to bypass the menu and user access systems.
     ● Use the proper API functions, such as drupal_goto() and the Form API #redirect, in your custom code.
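A redirect that honours a caller-supplied return path only after checking it points inside the site and is a page the user may reach, beside the unvalidated pattern this slide warns against, as an added Drupal 7 example (not from the presentation). The module name redirectdemo and the "return" query key are assumptions.

```php
<?php
// Added example (not from the slides). redirectdemo_* names and the "return"
// query key are assumed.

/**
 * INSECURE: redirects wherever the query string says, so a link into this
 * site can bounce the user on to any external address after a real action.
 */
function redirectdemo_finish_insecure() {
  if (!empty($_GET['return'])) {
    drupal_goto($_GET['return']);
  }
  drupal_goto('<front>');
}

/**
 * Reduce an untrusted path to one that is safe to redirect to, or to the
 * fallback. Only internal paths that exist in the menu router and that the
 * current user may access are accepted.
 */
function redirectdemo_safe_return_path($candidate, $fallback = '<front>') {
  if (!is_string($candidate) || $candidate === '') {
    return $fallback;
  }
  // Some browsers treat a backslash as a slash; normalise before checking.
  $candidate = str_replace('\\', '/', $candidate);
  // Protocol-relative targets (//host/...) leave the site: refuse them
  // explicitly as well as anything url_is_external() reports.
  if (strpos($candidate, '//') === 0 || url_is_external($candidate)) {
    return $fallback;
  }
  // Keep only the path component; a query string or fragment plays no part
  // in deciding whether the destination is allowed.
  $path = parse_url($candidate, PHP_URL_PATH);
  if (!is_string($path)) {
    return $fallback;
  }
  $path = trim($path, '/');
  if ($path === '') {
    return $fallback;
  }
  // drupal_valid_path() resolves aliases, requires a menu router entry and
  // applies its access callback for the current user, so the redirect cannot
  // be used to reach a page the user could not open directly.
  return drupal_valid_path($path) ? $path : $fallback;
}

/**
 * SECURE: page callback that redirects only to the validated path.
 */
function redirectdemo_finish() {
  $target = isset($_GET['return']) ? $_GET['return'] : '';
  drupal_goto(redirectdemo_safe_return_path($target));
}

/**
 * In a Form API submit handler set $form_state['redirect'] instead of calling
 * drupal_goto() yourself; the same validation applies to the value.
 */
function redirectdemo_action_form_submit($form, &$form_state) {
  $target = isset($form_state['values']['return']) ? $form_state['values']['return'] : '';
  $form_state['redirect'] = redirectdemo_safe_return_path($target);
}
```

drupal_goto() already refuses an external value in the standard destination query parameter, so the validation above matters when custom code introduces its own redirect parameter, which is where the unvalidated pattern usually creeps in.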
  28. Resources
     ● Securing your Site - https://drupal.org/security/secure-configuration
     ● Write Secure Code - https://drupal.org/writing-secure-code
     ● Coding Standards - https://drupal.org/coding-standards
     ● Security Group - https://groups.drupal.org/security
     ● Cracking Drupal - http://crackingdrupal.com/
     ● Drupal Scout - http://drupalscout.com
     ● File Permissions - https://drupal.org/node/244924
  29. Modules
     ● https://drupal.org/project/coder
     ● https://drupal.org/project/security_review
     ● https://drupal.org/project/secure_permissions
     ● https://drupal.org/project/secure_code_review
     ● https://drupal.org/project/security_check
     ● https://drupal.org/project/paranoia
     ● https://drupal.org/project/securepages
  30. Stay Informed: Getting Help
     ● IRC - #drupal
     ● Twitter - @drupalsecurity
     ● Security Forums - https://drupal.org/forum/1188
     ● Do you think your site was hacked? https://drupal.org/node/213320
     ● Weekly Announcements - https://drupal.org/node/406142
     Visit https://drupal.org/security for further information.
  31. Thank You! Questions? @Mediacurrent, Mediacurrent.com, slideshare.net/mediacurrent