Drupal Development Security Essentials
Because unnecessary exposure is embarrassing.
Slides for the Drupal Development Security Essentials presentation at the Pacific Northwest Drupal Summit.

Slides 2-3. I’m not a guru. These folks are: the Drupal Security Team (http://drupal.org/security-team): Khalid Baheyeldin, Gerhard Killesreiter, Joshua Brauer, Andy Kirkham, Dries Buytaert, Greg Knaddison, Angela Byron, Kieran Lal (coordinator), Robert Castelo, Adam Light, Nathaniel Catchpole, John Morahan, Stéphane Corlosquet, Karoly Negyesi, Heine Deelstra (team leader), Stella Power, Neil Drumm, David Rothstein, Ben Jeavons, Jakub Suchy, Dmitri Gaskin, Mori Sugimoto (coordinator), James Gilliland, David Strauss, Charlie Gordon, Oleg Terenchuk, Gábor Hojtsy, Damien Tournoud, Morbus Iff, Moshe Weitzman, Bart Jansens, Peter Wolanin, Barry Jaspan, Derek Wright, Chris Johnson, Dave Reid.
Slides 4-11. Reasons to be concerned
1. Security holes can lose time and money
2. Or get you sued
3. Or be terribly embarrassing
4. Users are slow to upgrade (your old code can be around for a long time)
5. If you want a Drupal CVS account, your request can get a red flag if you’re not following basic security protocol
6. Drupal is becoming a more and more attractive target
Slides 12-18. What we’re going to cover
1. Set up a free dev environment to play
2. The golden rule of Drupal security
3. A quick definition of common attaxss
4. Our arsenal of functions (+ examples)
5. Questions (maybe even some answers!)
Slides 19-23. Set up a free dev environment
1. Don’t have an editor? Browse with FileZilla (http://filezilla-project.org/) and open files in a text editor.
2. Sign up for an account at http://webenabled.com
3. After signing in, create an Acquia application (it has a bunch of modules already bundled)
4. Copy the SSH info and connect using your editor.
Slides 24-31. The Golden Rule of Drupal Security
Whatchoothink? Use the APIs.
This isn’t so bad. APIs take a little while to learn, but nearly every security-related function has awesome side benefits.
Slides 32-36. Common Attaxss
XSS - Cross-Site Scripting
SQL Injection
DOS - Denial of Service
CSRF - Cross-Site Request Forgery
Slides 37-48. Our arsenal of functions
We need guns. 10 or so guns.
String filtering: t(), check_plain(), check_markup(), filter_xss_admin()
Links: l(), url()
Access control: user_access()
Database: db_query(), db_query_range()
Data passing: drupal_get_token()
Slides 49-52. t() - protects against: XSS
Purpose: Filters out the malicious, leaves the delicious.
Bonus: Makes your text translatable into other languages (Internationalization module) or overridable through config (String Overrides module).
Example: (the code sample on the slide was not captured in the transcript)
Slides 53-59. Mo’ about t()
3 variable replacement options (for stuff that shouldn’t be translated, like paths):
! - No filtering
@ - Plain text (the value is run through check_plain())
% - Highlighted (the value is run through check_plain(), then wrapped in <em class="placeholder">)

t("I !pity the foo’", array('!pity' => '<strong>pity</strong>'))   renders as: I pity the foo’ (with “pity” in bold; the markup passes through untouched)
t("I @pity the foo’", array('@pity' => '<strong>pity</strong>'))   renders as: I <strong>pity</strong> the foo’ (the tags show up as literal text)
t("I %pity the foo’", array('%pity' => '<strong>pity</strong>'))   renders as: I <strong>pity</strong> the foo’ (literal text, highlighted as a placeholder)
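The three placeholder styles matter most when the substituted value comes from a user rather than from your own code. The following is an added example, not code from the slides; it assumes the Drupal 6 API (t() takes an array of placeholder => value pairs, @ runs check_plain(), % runs check_plain() and wraps the result in <em class="placeholder">, ! inserts the value unchanged) and is meant to run inside a bootstrapped Drupal site, for instance from a module file. The function name and the payload are constructed for the example.

```php
<?php
// Added example, not code from the slides. Assumes the Drupal 6 API, where
// t() takes an array of placeholder => value pairs: "@" runs the value through
// check_plain(), "%" runs check_plain() and wraps the result in
// <em class="placeholder">, and "!" inserts the value unchanged. Runs inside a
// bootstrapped Drupal site (for example from a module or a drush php-script).

/**
 * Builds a status message from a display name the user chose for themselves.
 *
 * @param $name
 *   Untrusted text.
 * @param $style
 *   One of '!', '@' or '%': the placeholder prefix to demonstrate.
 */
function example_greet($name, $style) {
  switch ($style) {
    case '!':
      // Unsafe with untrusted input: the markup ends up in the page as-is.
      return t('Welcome back, !name.', array('!name' => $name));
    case '@':
      // Safe: <, >, &, " and ' are entity-encoded.
      return t('Welcome back, @name.', array('@name' => $name));
    case '%':
      // Safe, and visibly highlighted as a substituted value.
      return t('Welcome back, %name.', array('%name' => $name));
  }
}

// Constructed attacker input, not real data.
$payload = '<script>alert(document.cookie)</script>';

// Emits a live script tag: "!" is only for markup you built yourself.
print example_greet($payload, '!') . "\n";

// Emits: Welcome back, &lt;script&gt;alert(document.cookie)&lt;/script&gt;.
print example_greet($payload, '@') . "\n";

// Emits: Welcome back, <em class="placeholder">&lt;script&gt;alert(document.cookie)&lt;/script&gt;</em>.
print example_greet($payload, '%') . "\n";

// The legitimate use of "!": markup another safe API produced. Passing the link
// in as a placeholder also keeps the <a> tag out of the translatable string.
print t('Read the !link before upgrading.', array('!link' => l(t('release notes'), 'node/1'))) . "\n";
```

The rule of thumb the block illustrates: reach for @ by default, % when the value should stand out, and ! only when the value was produced by another escaping API such as l() or check_plain().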
Slides 60-67. Mo’ about t()
format_plural() is nice
Drupal.t() for JavaScript
Caveats:
1. Don’t nest l() inside t() (pass the URL in through a placeholder instead)
2. Wrap t() around entire sentences
3. Avoid escaping quotation marks
4. Don’t pass a variable through t()
Slides 68-70. check_plain() - protects against: XSS
Purpose: Filters malicious toppings. Converts to plain text, as advertised.

Slides 71-74. check_markup() - protects against: XSS
Purpose: Applies content filters to content. Super cool.
Bonus: Filters do more than filter; they also embed stuff like blocks, views, images and links without giving the user unnecessary access.

Slides 75-77. filter_xss_admin() - protects against: XSS
Purpose: Lets through all HTML except styles and scripts.
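The three filters above differ in how much markup they trust, so the choice depends on who wrote the string. The following is an added example, not code from the slides, showing one render function that picks the right filter for each origin. It assumes Drupal 6 (check_plain(), check_markup($text, $format, $check) and filter_xss_admin()); the node fields, the $settings array and the function name are constructed for the example.

```php
<?php
// Added example, not code from the slides. Assumes Drupal 6: check_plain(),
// check_markup($text, $format, $check) and filter_xss_admin(). The node fields
// and the $settings array are constructed inputs; the function name is hypothetical.

/**
 * Renders a teaser in which each string gets the filter matching who wrote it.
 */
function example_render_teaser($node, $settings) {
  $out = '';

  // Title: free text from any authenticated user. It is never meant to be
  // markup, so plain-text escaping is the only correct treatment.
  $out .= '<h3>' . check_plain($node->title) . '</h3>';

  // Body: user content saved together with its input format. check_markup()
  // runs that format's filter chain, so what survives is exactly what the
  // format allows. The third argument is FALSE because the viewer does not
  // need permission to use the format; that check belongs on input, where the
  // Forms API filter_form() already enforces it when the content is saved.
  $out .= '<div class="body">' . check_markup($node->body, $node->format, FALSE) . '</div>';

  // Footer: entered by an administrator on a settings page. Rich HTML is
  // intended, but <script> and <style> still must not get through.
  $out .= '<div class="footer">' . filter_xss_admin($settings['footer']) . '</div>';

  return $out;
}

// Constructed sample data (not real content).
$node = (object) array(
  'title'  => 'Q3 results <img src=x onerror="alert(1)">',
  'body'   => 'Up <strong>10%</strong> on the quarter.<script>steal()</script>',
  'format' => FILTER_FORMAT_DEFAULT,
);
$settings = array(
  'footer' => '<div class="legal">&copy; Example Co.</div><style>body{display:none}</style>',
);

print example_render_teaser($node, $settings);
// With the stock "Filtered HTML" format: the title is entity-encoded, the body
// keeps <strong> and loses <script>, and the footer keeps its <div> while the
// <style> tags are stripped (the text between them remains as harmless text).
```

Two practitioner notes: always pass the format that was stored with the content, never one taken from the request, and treat filter_xss_admin() as appropriate only for strings an administrator typed, since its allowed-tag list is far wider than any user-facing format.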
Slides 78-83. l() and url() - protect against: XSS
Purpose: Laconic linking tool for leading without losing location.
Bonus: Filters out HTML by default, but also ensures that the URL is always pointing to the right place, even if Drupal moves.
Other luscious options: attributes, query, fragment, html, alias
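Seen side by side, the hand-built link and the API link make the bonus concrete: l() escapes the text, encodes the path, builds the query string and adds the base path in one call. The following is an added example, not code from the slides; it assumes Drupal 6 l() and url() with the 'query', 'attributes', 'fragment', 'html' and 'absolute' options, and the function names and the search path are illustrative.

```php
<?php
// Added example, not code from the slides. Assumes Drupal 6 l() and url()
// with the 'query', 'attributes', 'fragment', 'html' and 'absolute' options.
// Function names and the search path are illustrative.

/**
 * The hand-rolled version: two injection points and a hard-wired site root.
 */
function example_results_link_unsafe($label, $keys, $page) {
  // $label and $keys reach the page unescaped, and "/search/node/" breaks as
  // soon as the site is installed under a subdirectory or behind a rewrite.
  return '<a href="/search/node/' . $keys . '?page=' . $page . '">' . $label . '</a>';
}

/**
 * The API version of the same link.
 */
function example_results_link($label, $keys, $page) {
  // l() runs check_plain() on the link text, percent-encodes $keys inside the
  // path, builds the query string from an array, escapes every attribute
  // value, and prefixes the base path so the link survives a move to /drupal/.
  return l($label, 'search/node/' . $keys, array(
    'query' => array('page' => (int) $page),
    'attributes' => array('class' => 'back-link', 'title' => $label),
    'fragment' => 'results',
  ));
}

// Constructed attacker-controlled input (not real data).
$label = '<img src=x onerror=alert(1)>';
$keys  = '"><script>alert(2)</script>';
$page  = '3';

print example_results_link_unsafe($label, $keys, $page) . "\n";  // both payloads land in the HTML
print example_results_link($label, $keys, $page) . "\n";         // both are neutralised

// When the link text really is markup, say so: 'html' => TRUE skips the
// escaping of the text, so escape the untrusted part yourself first.
print l('<strong>' . check_plain($label) . '</strong>', 'node', array('html' => TRUE)) . "\n";

// url() on its own for places that need only the href, such as a redirect
// target or an e-mail; the same encoding and base-path handling apply.
$href = url('search/node/' . $keys, array('absolute' => TRUE));
print $href . "\n";
```

The 'html' option is the one to grep for in a code review: every l() call that sets it must be able to show where its text was escaped.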
Slides 84-94. user_access() - protects against: XSS, DOS
Purpose: Keep users from accessing stuff they’re not supposed to.
Step 1: Implement hook_perm()
Step 2: Use user_access() to check permissions
1. Granularity is a virtue
2. Access control doesn’t work unless you use it
3. Be cautious about using other modules’ permissions
4. It’s not just about your users, it’s also about the hackers posing as your users.
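The two steps and the four points above fit in one small module. The following is an added example, not code from the slides: it declares two granular permissions, lets the menu system enforce them on both pages, re-checks inside the page before rendering an operation link, and routes the destructive action through a confirm form. It assumes Drupal 6 (hook_perm() returns a flat array of permission names; form builders receive &$form_state first); "example_report" is a hypothetical module with a hypothetical {example_report} table holding rid and title columns.

```php
<?php
// Added example, not code from the slides. Assumes Drupal 6 (hook_perm()
// returns a flat array of permission names, form builders receive &$form_state
// first). "example_report" is a hypothetical module with a hypothetical
// {example_report} table holding rid and title columns.

/**
 * Implementation of hook_perm().
 *
 * Granularity: separate permissions for viewing and administering, so a role
 * that only needs to read reports never gets the ability to delete them.
 * Borrowing node module's 'administer nodes' here would hand that power to
 * everyone who already has it for unrelated reasons.
 */
function example_report_perm() {
  return array('view example reports', 'administer example reports');
}

/**
 * Implementation of hook_menu().
 */
function example_report_menu() {
  $items['example/reports'] = array(
    'title' => 'Reports',
    'page callback' => 'example_report_page',
    // The menu system calls user_access('view example reports') before the
    // callback runs; anyone else gets a 403 and the callback never executes.
    'access arguments' => array('view example reports'),
  );
  $items['example/reports/%/delete'] = array(
    'title' => 'Delete report',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_report_delete_form', 2),
    'access arguments' => array('administer example reports'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback: list reports.
 */
function example_report_page() {
  $header = array(t('Title'), t('Operations'));
  $rows = array();
  $result = db_query("SELECT rid, title FROM {example_report} ORDER BY rid DESC");
  while ($report = db_fetch_object($result)) {
    $ops = '';
    // Check again inside the page. Hiding the link is a courtesy to honest
    // users; the control that stops a crafted request is the access check on
    // the example/reports/%/delete item itself.
    if (user_access('administer example reports')) {
      $ops = l(t('delete'), 'example/reports/' . $report->rid . '/delete');
    }
    $rows[] = array(check_plain($report->title), $ops);
  }
  return theme('table', $header, $rows);
}

/**
 * Form builder: confirm the deletion.
 *
 * confirm_form() produces a POST form carrying a Forms API token, so a
 * third-party page cannot trigger the delete with an <img src="..."> request.
 */
function example_report_delete_form(&$form_state, $rid) {
  $form['rid'] = array('#type' => 'value', '#value' => (int) $rid);
  return confirm_form($form, t('Delete report %rid?', array('%rid' => $rid)), 'example/reports');
}

function example_report_delete_form_submit($form, &$form_state) {
  db_query("DELETE FROM {example_report} WHERE rid = %d", $form_state['values']['rid']);
  drupal_set_message(t('Report deleted.'));
  $form_state['redirect'] = 'example/reports';
}
```

Point 4 from the slide is why the delete is a confirm form rather than a link that acts on GET: the attacker is not a stranger but a logged-in administrator’s browser being steered from elsewhere, and a permission check alone cannot tell those two apart.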
Slides 95-106. db_query() - protects against: SQL injection
Purpose: Filters inaccurate and potentially malicious material out of a database query.
Bonus: Instantly makes your queries cross-database compatible.
1. Wrap curly braces around table names: {node}
2. Filter any user-supplied data by using placeholders:
   %s - String (write it quoted: '%s')
   %d - Integer / Number
   %% - A literal percent sign, for LIKE queries
3. Note that there is usually a Drupal equivalent to MySQL functions, such as:
   mysql_fetch_array = db_fetch_array
   mysql_result = db_result
   mysql_fetch_object = db_fetch_object
   (see a pattern?)
Slides 107-110. db_query_range() - protects against: DOS, SQL injection
Purpose: Limits the number of results returned.
Bonus: Also helps with database compatibility.
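One query exercises everything from the two db_query() slides and the db_query_range() slide: braces around the table name, all three placeholder kinds, a LIKE pattern, and a caller-chosen row limit. The following is an added example, not code from the slides; it assumes Drupal 6 db_query() and db_query_range() with the %d / %s / %% placeholders and core’s {node} table. Function names and the attacker input are constructed.

```php
<?php
// Added example, not code from the slides. Assumes Drupal 6 db_query() and
// db_query_range() with the %d / %s / %% placeholders. Function names are
// illustrative; {node} is core's node table.

/**
 * Title search, built by concatenation: the version the API replaces.
 */
function example_title_search_unsafe($term, $limit) {
  // Both values are spliced straight into SQL. A $term of
  //   ' UNION SELECT name, pass FROM users --
  // rewrites the query, and an unchecked $limit lets one request drag every
  // row of the table through PHP (the denial-of-service half of the problem).
  return db_query("SELECT nid, title FROM node WHERE title LIKE '%" . $term . "%' LIMIT " . $limit);
}

/**
 * The same search through the API.
 */
function example_title_search($term, $uid, $page = 0, $per_page = 20) {
  // 1. {node} gets the site's table prefix added by db_prefix_tables().
  // 2. %d is cast to an integer, so non-numeric input becomes 0, not SQL.
  //    '%s' is escaped by db_query(); the surrounding quotes are yours to write.
  //    %% is a literal percent sign, which is how the LIKE wildcards get in.
  // 3. db_query_range() appends the LIMIT clause in the connected database's
  //    dialect, and the bound is chosen here, never by the request.
  $per_page = min(max((int) $per_page, 1), 100);
  return db_query_range(
    "SELECT n.nid, n.title FROM {node} n WHERE n.uid = %d AND n.status = 1 AND n.title LIKE '%%%s%%' ORDER BY n.changed DESC",
    $uid, $term, $page * $per_page, $per_page
  );
}

// Constructed attacker input (not real data).
$term = "' OR 1=1 -- ";
$result = example_title_search($term, 1, 0, 10);
// The escaped term is matched literally, so nothing comes back and the loop is empty.
while ($node = db_fetch_object($result)) {
  // Filter on output as well: titles are user text, and this is HTML context.
  print check_plain($node->title) . "\n";
}

// db_result() for single values follows the same placeholder rules.
$count = db_result(db_query("SELECT COUNT(*) FROM {node} WHERE title LIKE '%%%s%%'", $term));
print $count . "\n";
```

One caveat the placeholders do not cover: '%s' stops injection, but a % or _ inside $term still acts as a LIKE wildcard. That is a correctness problem rather than a security one; if a literal match is required on MySQL, escape those two characters in $term (addcslashes($term, '\\%_')) before passing it in.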
Slides 111-122. drupal_get_token() - protects against: CSRF
Purpose: Verify the source of a request (i.e. GET or POST).
Step 1: Set the token: drupal_prepare_form() in /includes/form.inc
Step 2: Check the token: drupal_validate_form() in /includes/form.inc
Let’s look at the code: /includes/common.inc
Works for AJAX, too!
1. Set a hidden input with a token
2. Pass the value in the AJAX call
3. Check it server-side before processing
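The Forms API does steps 1 and 2 for ordinary forms; for an AJAX endpoint you do them yourself. The following is an added example, not code from the slides, carrying the three AJAX steps end to end: the token is minted with drupal_get_token(), delivered to the page, sent back with the request, and checked with drupal_valid_token() before the write. It assumes Drupal 6 (drupal_get_token() and drupal_valid_token() from includes/common.inc, drupal_add_js() with the 'setting' and 'inline' types, drupal_json(), hook_nodeapi()); the token rides in Drupal.settings instead of a hidden input, which serves the same purpose. "example_vote" is a hypothetical module with a hypothetical {example_vote} table.

```php
<?php
// Added example, not code from the slides. Assumes Drupal 6: drupal_get_token()
// and drupal_valid_token() from includes/common.inc, drupal_add_js() with the
// 'setting' and 'inline' types, drupal_json(), and hook_nodeapi(). The deck's
// three steps are followed, except that the token rides in Drupal.settings
// instead of a hidden input. "example_vote" is a hypothetical module with a
// hypothetical {example_vote} table (nid, uid, created).

/**
 * Implementation of hook_perm().
 */
function example_vote_perm() {
  return array('vote on content');
}

/**
 * Implementation of hook_menu(): the AJAX endpoint.
 */
function example_vote_menu() {
  $items['example/vote'] = array(
    'page callback' => 'example_vote_callback',
    'access arguments' => array('vote on content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Implementation of hook_nodeapi(): attach the vote link, its token and its JS.
 */
function example_vote_nodeapi(&$node, $op, $a3 = NULL, $a4 = NULL) {
  if ($op == 'view' && user_access('vote on content')) {
    // Step 1: mint a token bound to this session and to a value of our
    // choosing (the action name). A page on another site cannot read it, which
    // is exactly what a cross-site request lacks.
    drupal_add_js(array('exampleVote' => array(
      'token' => drupal_get_token('example-vote'),
      'url' => url('example/vote'),
    )), 'setting');
    // Step 2: the client sends the token with every call.
    drupal_add_js('
      Drupal.behaviors.exampleVote = function (context) {
        $("a.example-vote:not(.example-vote-processed)", context)
          .addClass("example-vote-processed")
          .click(function () {
            $.post(Drupal.settings.exampleVote.url, {
              nid: $(this).attr("rel"),
              token: Drupal.settings.exampleVote.token
            }, function (data) { alert(data.message); }, "json");
            return false;
          });
      };', 'inline');
    $node->content['example_vote'] = array(
      '#value' => '<a href="#" class="example-vote" rel="' . (int) $node->nid . '">' . t('Vote') . '</a>',
      '#weight' => 10,
    );
  }
}

/**
 * Menu callback: Step 3, check the token before doing anything with side effects.
 */
function example_vote_callback() {
  // Insist on POST: a GET endpoint is reachable from <img src> and plain links,
  // and the token would leak into referer headers and access logs.
  if ($_SERVER['REQUEST_METHOD'] != 'POST') {
    drupal_access_denied();
    return;
  }
  $token = isset($_POST['token']) ? $_POST['token'] : '';
  if (!drupal_valid_token($token, 'example-vote')) {
    drupal_set_header('HTTP/1.1 403 Forbidden');
    drupal_json(array('status' => FALSE, 'message' => t('Invalid token; reload the page and try again.')));
    return;
  }
  global $user;
  $nid = (int) $_POST['nid'];
  db_query("INSERT INTO {example_vote} (nid, uid, created) VALUES (%d, %d, %d)", $nid, $user->uid, time());
  drupal_json(array('status' => TRUE, 'message' => t('Thanks for voting.')));
}
```

The permission check on the menu item and the token check in the callback answer different questions: the first asks whether this user may vote at all, the second whether this particular request came from a page we served to that user. CSRF is the case where the first passes and the second fails.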
Slides 123-127. More security tips for your consideration
1. Use the Form(s) API, it does a lot of heavy lifting
2. Set permissions properly
3. Don’t use User One for regular admin tasks
4. SSL certificates aren’t a cure-all

Slide 128. There. Now we’re covered.
Slide 129. My info
Chris Shattuck, http://chrisshattuck.com, Twitter: stompeers
I sell Drupal development tutorial videos at http://buildamodule.com. I also do Drupal consulting: User Experience (UX), Interface Design (UI), jQuery integration, Drupal Training, Guerrilla Usability, Module Development.
