Steven Van den Hout, profile picture
Uploaded bySteven Van den Hout
PDF, PPTX267 views

Drupal campleuven: Secure Drupal Development

The document discusses secure Drupal development practices, emphasizing that security is an ongoing process and highlighting the importance of keeping Drupal installations and contributed modules up to date to mitigate vulnerabilities. It addresses common security issues such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF), and offers strategies for preventing them through best practices in coding and configuration. Additionally, it points to various tools and resources for monitoring and enhancing security in Drupal applications.

Embed presentation

Download as PDF, PPTX
Secure  Drupal  Development   Steven  Van  den  Hout  
@stevenvdhout http://dgo.to/@svdhout Steven Van den Hout
IS DRUPAL SECURE? 1
MANY EYES MAKE FOR SECURE CODE IS OPEN SOURCE SECURE? -  Security by obscurity -  Open code does not make it easier for hackers -  Open Source makes people look at it -  Popularity gets more eyes and more peer-reviews •  Bad open-source software as bad •  as bad private software.
VULNERABILITIES OWASP -  Injection -  Cross Site Scripting - XSS -  Broken Authentication and Session Management -  Cross Site Request Forgery - CSRF -  Security Misconfguration -  Failure to Restrict URL Access   -  Access bypas
REPORTED VULNERABILITIES
IS DRUPAL SECURE? -  Safe by design (Core and API) -  Security Team -  Highly organised -  Documented process for Security Advisories and Updates -  Thousands of maintainers, users and experts -  Support: Drupal 6/7, Core & Contributed Modules
KEEP YOUR DRUPAL WEBSITE SECURE 2
SECURITY IS A PROCESS NOT AN EVENT
•  FROM REPORTED ISSUE TO SECURITY UPDATE A DRUPAL SECURITY RELEASE
YOU’RE SAFE UNTIL RELEASE SECURITY UPDATE PRIVATE DISCLOSURE
UPDATES   Always stay up to date -  Keep up with latest security releases Update Workflow -  Hacked module + diff -  Drush up
KNOW WHEN AN UPDATE IS NEEDED UPDATE MANAGER
INSIGHT INTO HEALTH OF YOUR DRUPAL WEBSITE STATUS MONITORING Tools -  Droptor.com (https://drupal.org/project/droptor) -  Acquia Insight (https://drupal.org/project/ acquia_connector) -  Nagios (https://drupal.org/project/nagios) -  Drupalmonitor.com (https://drupal.org/project/ drupalmonitor) -  …
BUILD A SECURE DRUPAL WEBSITE 3
CONTRIBUTED MODULES
CONTRIBUTED MODULES Quality assurance -  Usage -  Number of open issues -  Closed/Open ratio -  Response time   Good quality usually means good security     Manual code reviews for less used modules      
UPDATES   Always stay up to date -  Keep up with latest security releases Update Workflow -  Hacked module + diff -  Drush up
PATCHES   Contrib patches   Read the entire issue     Commit custom patches   Help out   Feedback from other users (maintainers)   Patch might get commited      Patch management   Move module to patched   Create a patches.txt   Keep patches      
CUSTOM MODULES
SECURITY PYRAMID   Menu & Node Access   Form API   DB API   Theme        
HACKS AND HOW TO PREVENT THEM
SQL INJECTION   "SELECT * FROM user WHERE name = '$name'"     "SELECT * FROM user WHERE name = 'Robert'; DROP TABLE students;'"       h4p://xkcd.com/327/  
SQL INJECTION   Placeholders       db_query(“SELECT * FROM users WHERE name = :user”, array(':user' => $user);       Dynamic Queries         $query = db_select('user', 'u')   ->fields('u')   ->where('name', $user)   ->execute();  
XSS (cross site scripting)   EXECUTING ABRITRARY JAVASCRIPT CODE ON THE PAGE
XSS (cross site scripting)   User Input       Title   Body   Log message   Url   Post   User-Agent   Headers      
XSS (cross site scripting)   Validate forms       User input should never contain javascript       Form api         Never use $_POST variables   $form_state['values']     Form caching  
XSS (cross site scripting)   Input formats   Never use full_html       Filter Functions             check_url()   check_plain()   check_markup()   filter_xss()  
XSS (cross site scripting)   h4p://drupalscout.com/knowledge-­‐base/drupal-­‐text-­‐filtering-­‐cheat-­‐sheet-­‐drupal-­‐6  
XSS (cross site scripting)   Functions       t()     l() drupal_set_title()         @var => plain text   %var => plain text   !var => full html!  
CSRF (cross site request forgery)   Taking action without confirming intent       <a href=”/delete/user/1”>Delete user 1</a>       Image Tag         <img src=”/delete/user/1”>   A hacker posts a comment to the administrator.   When the administrator views the image, user 1 gets deleted      
CSRF (cross site request forgery)   Token (aka Nonce)      
ACCESS BYPASS   VIEW CONTENT A USER IS NOT SUPPOSED TO
ACCESS BYPASS   View content a user is not supposed to       $query = db_select('node', 'n')->fields('n');   Also shows nodes that user doesn't have acces to       $query->addTag('node_access')         Rewrite the query based on the node_access table  
ACCESS BYPASS   Bad custom caching       Administrator visits a block listing nodes.   The block gets cached     The cached block with all nodes is shown to the anonymous user     Add role id to custom caching  
ACCESS BYPASS   Rabbit_hole module       Rabbit Hole is a module that adds the ability to control what should happen when an entity is being viewed at its own page. Page manager can do the same.   Field access         $form['#access'] = custom_access_callback();   Menu access         $item['access callback'] = 'custom_access_callback',  
CORRECT USE OF API   Form API   Validation Form state Drupal_valid_token    DB API   db_select, db_insert, placeholders   $query->addTag(‘node_access’);      Filter   check_url, check_plain, check_markup, filter_xss, …   t(), l(), drupal_set_title(), …      
THEMES
THEMES   Themer not responsible      Preprocess functions      
CONFIGURATION
PERMISSIONS   Permission management      If Joe from advertising can give the full html filter format to anonymous user, don't bother to think about security       Split up permissions      The default permissions don't cover every use case      
PERMISSIONS  
FILTER FORMATS   Never use full_html       Use filtered_html instead.       Never use phpfilter       Use a custom module for code   Versioning   Bad performance (eval)      
CHECKLIST
CHECKLIST   Never use   full_html Php filter       Permissions             Trusted users only Split up permissions   API             Preprocess functions check_plain, filter_xss DB API Form API Tokens Menu/Node Access  
GREAT   HOW ABOUT DRUPAL 8?
FURTHER READING
FURTHER READING   Books   Cracking Drupal !!   Pro Drupal Development Online   https://drupal.org/writing-secure-code   https://drupal.org/node/360052   http://munich2012.drupal.org/program/sessions/think-hacker-secure-drupal-code.html   http://drupalscout.com/knowledge-base   Video   How to avoid All your base are belong to us (drupalcon Denver)      

More Related Content

PDF
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
PDF
OWASP Top 10 at International PHP Conference 2014 in Berlin
byTobias Zander
 
PPT
SQL Injection in PHP
byDave Ross
 
PDF
Making Joomla Insecure - Explaining security by breaking it
byTim Plummer
 
PDF
Your Last manual Assessment
bydevgrega
 
PDF
A Drush Primer - DrupalCamp Chattanooga 2013
byChris Hales
 
PPT
Introduction to SQL Injection
byjpubal
 
PPT
WordPress Plugins: ur doin it wrong
byWill Norris
 
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
OWASP Top 10 at International PHP Conference 2014 in Berlin
byTobias Zander
 
SQL Injection in PHP
byDave Ross
 
Making Joomla Insecure - Explaining security by breaking it
byTim Plummer
 
Your Last manual Assessment
bydevgrega
 
A Drush Primer - DrupalCamp Chattanooga 2013
byChris Hales
 
Introduction to SQL Injection
byjpubal
 
WordPress Plugins: ur doin it wrong
byWill Norris
 

Similar to Drupal campleuven: Secure Drupal Development

PDF
Drupal Security Seminar
byCalibrate
 
PDF
Drupal Security from Drupalcamp Bratislava
byGábor Hojtsy
 
PDF
Drupal Security from Drupalcamp Cologne 2009
byGábor Hojtsy
 
PDF
Doing Drupal security right
byGábor Hojtsy
 
PDF
Doing Drupal security right from Drupalcon London
byGábor Hojtsy
 
PPT
Hack-Proof Your Drupal App
byErich Beyrent
 
ODP
Drupal Security Hardening
byGerald Villorente
 
ODP
Drupal Security Hardening
byGerald Villorente
 
PDF
Drupal security
byJozef Toth
 
PDF
Drupal and security - Advice for Site Builders and Coders
byArunkumar Kupppuswamy
 
PDF
Fix me if you can - DrupalCon prague
byhernanibf
 
PDF
Hack proof your drupal site- DrupalCamp Hyderabad
byNaveen Valecha
 
PDF
Drupal Security Basics for the DrupalJax January Meetup
byChris Hales
 
PPT
Drupal security
byTechday7
 
PDF
Looking for Vulnerable Code. Vlad Savitsky
byVlad Savitsky
 
PPT
Securing Drupal 7: Do not get Hacked or Spammed to death!
byAdelle Frank
 
PPTX
OWASP Top 10 vs Drupal - OWASP Benelux 2012
byZIONSECURITY
 
KEY
Drupal Security Intro
byCash Williams
 
PDF
Attacking Drupal
byGreg Foss
 
PDF
Acquia Drupal Certification
byPhilip Norton
 
Drupal Security Seminar
byCalibrate
 
Drupal Security from Drupalcamp Bratislava
byGábor Hojtsy
 
Drupal Security from Drupalcamp Cologne 2009
byGábor Hojtsy
 
Doing Drupal security right
byGábor Hojtsy
 
Doing Drupal security right from Drupalcon London
byGábor Hojtsy
 
Hack-Proof Your Drupal App
byErich Beyrent
 
Drupal Security Hardening
byGerald Villorente
 
Drupal Security Hardening
byGerald Villorente
 
Drupal security
byJozef Toth
 
Drupal and security - Advice for Site Builders and Coders
byArunkumar Kupppuswamy
 
Fix me if you can - DrupalCon prague
byhernanibf
 
Hack proof your drupal site- DrupalCamp Hyderabad
byNaveen Valecha
 
Drupal Security Basics for the DrupalJax January Meetup
byChris Hales
 
Drupal security
byTechday7
 
Looking for Vulnerable Code. Vlad Savitsky
byVlad Savitsky
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
byAdelle Frank
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
byZIONSECURITY
 
Drupal Security Intro
byCash Williams
 
Attacking Drupal
byGreg Foss
 
Acquia Drupal Certification
byPhilip Norton
 

Recently uploaded

PPTX
Mind Sound Resonance Technique (MSRT) Teacher Training Course.pptx
byKaruna Yoga Vidya Peetham
 
PPTX
TOPFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.ppX
bycontactvidyawan
 
PPTX
Cybersecurity cyber incident Weeks_7_to_9.pptx
byriaz59
 
PDF
Darknet Master Tor and Deep Web Secrets (Procolo Scotto).pdf
bykuldeepbauddh1
 
PDF
AI Girlfriend Platforms Compared 2026 AI Angels Janitor AI Character AI Candy AI
byAi Angels
 
PDF
HYBRID APP DEVELOPMENT AND TECHNOLOGY 01
bydavidjohansen1597
 
PDF
Think before you Click (Ligap Project) - SI Ebhonu at FGGC.pdf
bySylvester Ebhonu
 
Mind Sound Resonance Technique (MSRT) Teacher Training Course.pptx
byKaruna Yoga Vidya Peetham
 
TOPFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.ppX
bycontactvidyawan
 
Cybersecurity cyber incident Weeks_7_to_9.pptx
byriaz59
 
Darknet Master Tor and Deep Web Secrets (Procolo Scotto).pdf
bykuldeepbauddh1
 
AI Girlfriend Platforms Compared 2026 AI Angels Janitor AI Character AI Candy AI
byAi Angels
 
HYBRID APP DEVELOPMENT AND TECHNOLOGY 01
bydavidjohansen1597
 
Think before you Click (Ligap Project) - SI Ebhonu at FGGC.pdf
bySylvester Ebhonu
 

Drupal campleuven: Secure Drupal Development

  • 1.
    Secure  Drupal  Development   Steven  Van  den  Hout  
  • 2.
  • 3.
  • 4.
    MANY EYES MAKEFOR SECURE CODE IS OPEN SOURCE SECURE? -  Security by obscurity -  Open code does not make it easier for hackers -  Open Source makes people look at it -  Popularity gets more eyes and more peer-reviews •  Bad open-source software as bad •  as bad private software.
  • 5.
    VULNERABILITIES OWASP -  Injection -  CrossSite Scripting - XSS -  Broken Authentication and Session Management -  Cross Site Request Forgery - CSRF -  Security Misconfguration -  Failure to Restrict URL Access   -  Access bypas
  • 6.
  • 7.
    IS DRUPAL SECURE? - Safe by design (Core and API) -  Security Team -  Highly organised -  Documented process for Security Advisories and Updates -  Thousands of maintainers, users and experts -  Support: Drupal 6/7, Core & Contributed Modules
  • 8.
    KEEP YOUR DRUPALWEBSITE SECURE 2
  • 9.
    SECURITY IS APROCESS NOT AN EVENT
  • 10.
    •  FROM REPORTEDISSUE TO SECURITY UPDATE A DRUPAL SECURITY RELEASE
  • 13.
    YOU’RE SAFE UNTILRELEASE SECURITY UPDATE PRIVATE DISCLOSURE
  • 14.
    UPDATES   Always stayup to date -  Keep up with latest security releases Update Workflow -  Hacked module + diff -  Drush up
  • 15.
    KNOW WHEN ANUPDATE IS NEEDED UPDATE MANAGER
  • 16.
    INSIGHT INTO HEALTHOF YOUR DRUPAL WEBSITE STATUS MONITORING Tools -  Droptor.com (https://drupal.org/project/droptor) -  Acquia Insight (https://drupal.org/project/ acquia_connector) -  Nagios (https://drupal.org/project/nagios) -  Drupalmonitor.com (https://drupal.org/project/ drupalmonitor) -  …
  • 18.
  • 19.
  • 20.
    CONTRIBUTED MODULES Quality assurance - Usage -  Number of open issues -  Closed/Open ratio -  Response time   Good quality usually means good security     Manual code reviews for less used modules      
  • 21.
    UPDATES   Always stayup to date -  Keep up with latest security releases Update Workflow -  Hacked module + diff -  Drush up
  • 22.
    PATCHES   Contrib patches   Read the entire issue     Commit custom patches   Help out   Feedback from other users (maintainers)   Patch might get commited      Patch management   Move module to patched   Create a patches.txt   Keep patches      
  • 23.
  • 24.
    SECURITY PYRAMID   Menu& Node Access   Form API   DB API   Theme        
  • 25.
    HACKS AND HOW TOPREVENT THEM
  • 26.
    SQL INJECTION   "SELECT* FROM user WHERE name = '$name'"     "SELECT * FROM user WHERE name = 'Robert'; DROP TABLE students;'"       h4p://xkcd.com/327/  
  • 27.
    SQL INJECTION   Placeholders       db_query(“SELECT * FROM users WHERE name = :user”, array(':user' => $user);       Dynamic Queries         $query = db_select('user', 'u')   ->fields('u')   ->where('name', $user)   ->execute();  
  • 28.
    XSS (cross sitescripting)   EXECUTING ABRITRARY JAVASCRIPT CODE ON THE PAGE
  • 29.
    XSS (cross sitescripting)   User Input       Title   Body   Log message   Url   Post   User-Agent   Headers      
  • 30.
    XSS (cross sitescripting)   Validate forms       User input should never contain javascript       Form api         Never use $_POST variables   $form_state['values']     Form caching  
  • 31.
    XSS (cross sitescripting)   Input formats   Never use full_html       Filter Functions             check_url()   check_plain()   check_markup()   filter_xss()  
  • 32.
    XSS (cross sitescripting)   h4p://drupalscout.com/knowledge-­‐base/drupal-­‐text-­‐filtering-­‐cheat-­‐sheet-­‐drupal-­‐6  
  • 33.
    XSS (cross sitescripting)   Functions       t()     l() drupal_set_title()         @var => plain text   %var => plain text   !var => full html!  
  • 34.
    CSRF (cross siterequest forgery)   Taking action without confirming intent       <a href=”/delete/user/1”>Delete user 1</a>       Image Tag         <img src=”/delete/user/1”>   A hacker posts a comment to the administrator.   When the administrator views the image, user 1 gets deleted      
  • 35.
    CSRF (cross siterequest forgery)   Token (aka Nonce)      
  • 36.
    ACCESS BYPASS   VIEWCONTENT A USER IS NOT SUPPOSED TO
  • 37.
    ACCESS BYPASS   Viewcontent a user is not supposed to       $query = db_select('node', 'n')->fields('n');   Also shows nodes that user doesn't have acces to       $query->addTag('node_access')         Rewrite the query based on the node_access table  
  • 38.
    ACCESS BYPASS   Badcustom caching       Administrator visits a block listing nodes.   The block gets cached     The cached block with all nodes is shown to the anonymous user     Add role id to custom caching  
  • 39.
    ACCESS BYPASS   Rabbit_holemodule       Rabbit Hole is a module that adds the ability to control what should happen when an entity is being viewed at its own page. Page manager can do the same.   Field access         $form['#access'] = custom_access_callback();   Menu access         $item['access callback'] = 'custom_access_callback',  
  • 40.
    CORRECT USE OFAPI   Form API   Validation Form state Drupal_valid_token    DB API   db_select, db_insert, placeholders   $query->addTag(‘node_access’);      Filter   check_url, check_plain, check_markup, filter_xss, …   t(), l(), drupal_set_title(), …      
  • 41.
  • 42.
    THEMES   Themer notresponsible      Preprocess functions      
  • 43.
  • 44.
    PERMISSIONS   Permission management      If Joe from advertising can give the full html filter format to anonymous user, don't bother to think about security       Split up permissions      The default permissions don't cover every use case      
  • 45.
  • 46.
    FILTER FORMATS   Neveruse full_html       Use filtered_html instead.       Never use phpfilter       Use a custom module for code   Versioning   Bad performance (eval)      
  • 47.
  • 48.
    CHECKLIST   Never use   full_html Php filter       Permissions             Trusted users only Split up permissions   API             Preprocess functions check_plain, filter_xss DB API Form API Tokens Menu/Node Access  
  • 49.
  • 50.
  • 51.
    FURTHER READING   Books   Cracking Drupal !!   Pro Drupal Development Online   https://drupal.org/writing-secure-code   https://drupal.org/node/360052   http://munich2012.drupal.org/program/sessions/think-hacker-secure-drupal-code.html   http://drupalscout.com/knowledge-base   Video   How to avoid All your base are belong to us (drupalcon Denver)