Hack Into Drupal Sites (or, How to Secure Your Drupal Site)

•

6 likes•39,067 views

Over 70% of the security issues in Drupal sites are either XSS, CSRF, or SQL Injection. Let's talk about how sites get hacked and how you can write secure Drupal code and maintain security throughout your development process and live maintenance. About the Presenter: Ben Jeavons is a member of the Drupal Security team and co-author of the Drupal Security Report. As an engineer at Acquia he works on the Acquia Network including the security and performance analysis tool, Acquia Insight. Experience Level: Intermediate

Technology

Secure your Drupal
site by ﬁrst
hacking into it

Think like a hacker

http://www.ﬂickr.com/photos/31246066@N04/4252587897/

How sites get hacked

XSS

Insecure environment

Stolen access

Outdated code, known vulnerabilities

XSS Demo

• Malicious Javascript is entered
• Admin unknowingly executes
• Javascript alters admin-only settings
• Changes admin password
• Puts site ofﬂine
http://www.ﬂickr.com/photos/paolo_rosa/5088971947/

Ben Jeavons
Drupaler for 5 years

Member of Drupal Security Team
@benswords

Drupal vulnerabilities by popularity

12%

7%

4%

3% 48%

10%

16%

XSS Access Bypass CSRF
Authentication/Session Arbitrary Code Execution SQL Injection
Others
reported in core and contrib SAs from 6/1/2005 through 3/24/2010

Cross Site Scripting

XSS
Javascript
Performing actions without your intent
Everything you can do XSS can do faster

Stored XSS Step 1

Request

Attacker Drupal DB
JS
JS

Stored XSS Step 2
Request

Victim Drupal DB
Response

JS JS

Stored XSS Step 3

Victim Request
Drupal DB

JS JS

$node = node_load($nid);
$title = $node->title;
drupal_set_title($title);
...
(later, in page.tpl.php)
...
<h1><?php print $title; ?></h1>

Fixing XSS

Identify where the data came from
User input!

user agent
language
time zone
referrer
& more HTTP request headers

Lots of tools/ways to modify
these for requests

Fixing XSS

Identify where the data came from
Is that data being ﬁltered or escaped before
output?

$node = node_load($nid);
$title = $node->title;
$safe = check_plain($title);
drupal_set_title($safe);
...
(later, in page.tpl.php)
...
<h1><?php print $title; ?></h1>

XSS in Themes

<div class=”stuff”>
<?php
print $node->field_stuff[0][‘value’];
?>

<div class=”stuff”>
<?php
print $node->field_stuff[0][‘safe’];
// OR
$stuff = $node->field_stuff[0];
print content_format(‘field_stuff’, $stuff);

?>

Sanitize user input for output

$msg = variable_get(‘my_msg’,‘’);

print check_plain($msg);

Test for XSS vulnerability

<script>alert(‘xss yo’)</script>

github.com / unn / vuln

Insecure Environment

Lock down your stack
Admin tools and access to them
Principle of least privilege
Give out only necessary permissions

Insecure Environment

/devel/variable
/phpMyAdmin

Insecure Environment

Make backups
Test that they work
Secure access to backups

Center for Health
Transformation’s
records were
“found by The New
York Times in an
unsecured archived
version of the site”

http://www.nytimes.com/2011/11/30/us/politics/gingrich-gave-push-to-clients-not-just-ideas.html
http://www.ﬂickr.com/photos/mjb/208218519/

Insecure Environment

/sites/default/ﬁles/backup_migrate/

SSL

Run Drupal on full TLS/SSL

securepages & securepages_prevent_hijack

http://drupalscout.com/node/17

Use a valid certiﬁcate

SFTP

“Secure” FTP

Your host should provide it

If not, consider a new one

Stay up-to-date
Know and apply security updates

Security Advisories

Not just Drupal

third-party libraries (TinyMCE)

PHP, operating system

Automation

http://www.ﬂickr.com/photos/hubmedia/2141860216/

Steps to a mostly automated review
Security Review: drupal.org/project/security_review
Hacked: drupal.org/project/hacked
Coder: drupal.org/project/coder
Secure Code Review
drupal.org/project/secure_code_review
Vuln: github.com/unn/vuln
More: http://drupalscout.com/node/11

in-depth, hands-on security training
drupalcon.org
bit.ly/drupalcon-security

Read

drupal.org/security/writing-secure-code

drupalscout.com

crackingdrupal.com

Converse

groups.drupal.org/best-practices-drupal-security

ben.jeavons@acquia.com

@benswords

What's hot

Advanced Client Side Exploitation Using BeEF

1N3

Did "cloud computing" and "big data" buzzwords bring new challenges for security testers? Apart from complexity of Hadoop installations and number of interfaces, standard techniques can be applied to test for: web application vulnerabilities, SSL security and encryption at rest. We tested popular Hadoop environments and found a few critical vulnerabilities, which for sure cast a shadow on big data security.

Big problems with big data – Hadoop interfaces security

SecuRing

DVWA(Damn Vulnerabilities Web Application)

Soham Kansodaria

I got 99 trends and a # is all of them

Roberto Suggi Liverani

WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties. Follow Jason on Twitter: http://twitter.com/jhaddix Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs

How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...

bugcrowd

OWASP - Open Web Applications Security Project to fundacja której celem jest eliminacja problemów bezpieczeństwa aplikacji. OWASP działa w duchu "open source" i dostarcza narzędzi, informacji i wiedzy pozwalających podnieść poziom bezpieczeństwa aplikacji. W trakcie wykładu przedstawię krótko OWASP Top 10 w wydaniu dla programistów, czyli "Top 10 Proactive Controls" a więc najważniejsze zalecenia pozwalające na uniknięcie kluczowych błędów bezpieczeństwa.

Ten Commandments of Secure Coding

Mateusz Olejarka

Phu appsec13

drewz lin

Nessus and Reporting Karma

n|u - The Open Security Community

Agenda: · XML today · XML/XPath injection - Demo · Compiled XPath queries · DTD use and abuse - document validations - entity expansions - denial of service - Demo - arbitrary uri access (egress) - parameters - file enumeration and theft - Demo - CSRF on internal systems - Demo? · Framework defaults limits/restrictions · Mitigations · Lessons learned · Verifying your XML systems for potential threats Note: 1. All of them inclusive of sample code for exploits and prevention. Language(C#, Java, php)/Platform(Windows/Linux) agnostic wherever possible. 2. It is imperative at this juncture, that you are aware of most attack scenarios against XML, because the framework defaults may not protect you, hence you may be vulnerable, you might have not found it yet. 3. The session is a bit biased towards DTD abuse in XML systems, as the Injection concepts and remediation remain common in XML when compared to Sql injection.

Devouring Security XML Attack surface and Defences

gmaran23

Web security for developers

Sunny Neo

Security Testing - Zap It

Manjyot Singh

Drupal Security Intro

Cash Williams

Html5 hacking

Iftach Ian Amit

Entity provider selection confusion attacks in JAX-RS applications

Mikhail Egorov

We cannot “firewall” or “patch” our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day. Most every organization in the world have something in common – they have had websites compromised in some way. No company or industry is immune. Programmers need to learn to build websites differently. This talk will review the top coding techniques developers need to master in order to build a low-risk, high-security web application.

Top Ten Web Application Defenses v12

Jim Manico

Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems. The goal of the OWASP Top 10 Proactive Controls project is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. We encourage you to use the OWASP Proactive Controls to get your developers started with application security. Developers can learn from the mistakes of other organizations.

OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017

Philippe Gamache

One important concept in web application security is defense in depth. You protect your server, your network, your database and your application, but what about the user browser? Can it be done? Yes! Several new technologies and protocols to assist security has been added to the browsers. Several should be added, activated and configure from your web server or web page. In this presentation we will explore these technologies and learn how to use them. You’ll learn about the Robots meta tags (for crawlers indexing), Browsing Compatibility, XSS and Clickjaking Protection, SSL/TLS Control, and Content Security Policy.

Browser Serving Your Web Application Security - NorthEast PHP 2017

Philippe Gamache

Hunting for security bugs in AEM webapps

Mikhail Egorov

The security of an application is a continuous struggle between solid proactive controls and quality in SDLC versus human weakness and resource restrictions. As the pentester's experience confirms, unfortunatelly even in high-risk (e.g. banking) applications, developed by recognized vendors, the latter often wins - and we end up with critical vulnerabilities. One of the primary reasons is lack of mechanisms enforcing secure code by default, as opposed to manual adding security per each function. Whenever the secure configuration is not default, there will almost inevitably be bugs, especially in complex systems. I will pinpoint what should be taken into consideration in the architecture and design process of the application. I will show solutions that impose security in ways difficult to circumvent unintentionally by creative developers. I will also share with the audience the pentester's (=attacker's) perspective, and a few clever tricks that made the pentest (=attack) painful, or just rendered the scenarios irrelevant.

Applications secure by default

SecuRing

Cross Site Scripting Defense is difficult. The Java Programming language does not provide native key defenses necessary to throughly prevent XSS. As technologies such as Content Security Policy emerge, we still need pragmatic advice to stop XSS in legacy applications as well as new applications using traditional Java frameworks. First generation encoding libraries had both performance and completeness problems that prevent developers from through, production-safe XSS defense. This talk will deeply review the OWASP Java Encoder Project and the OWASP HTML Sanitizer Project and give detailed code samples highlighting their use. Additional advice on next-generation JavaScript and JSON workflows using the OWASP JSON Sanitizer will also be reviewed.

Cross Site Scripting (XSS) Defense with Java

Jim Manico

What's hot (20)

Advanced Client Side Exploitation Using BeEF

Big problems with big data – Hadoop interfaces security

DVWA(Damn Vulnerabilities Web Application)

I got 99 trends and a # is all of them

How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...

Ten Commandments of Secure Coding

Phu appsec13

Nessus and Reporting Karma

Devouring Security XML Attack surface and Defences

Web security for developers

Security Testing - Zap It

Drupal Security Intro

Html5 hacking

Entity provider selection confusion attacks in JAX-RS applications

Top Ten Web Application Defenses v12

OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017

Browser Serving Your Web Application Security - NorthEast PHP 2017

Hunting for security bugs in AEM webapps

Applications secure by default

Cross Site Scripting (XSS) Defense with Java

Similar to Hack Into Drupal Sites (or, How to Secure Your Drupal Site)

(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon

Priyanka Aash

Romulus OWASP

Grupo Gesfor I+D+i

In this talk, Barney will be discussing and demonstrating how to: - Use nginx, Varnish and Apache together in a "SPDY sandwich" to support HTTP 2.0 - Setting up SSL properly to mitigate against attack vectors - Performance improvements with mod_pagespeed and nginx - Deploying Drupal sites with Docker containers Barney is a Technical Team Leader at Inviqa, a Drupal Association member and writes for Techportal on using technologies to improve website performance. He first started using PHP professionally in 2003, and has over seventeen years experience in software development. He is an advocate of Scrum methodology and has an interest in performance optimization, researching and speaking on various techniques to improve user experience through faster load times.

Next Generation DevOps in Drupal: DrupalCamp London 2014

Barney Hanlon

Xebia Knowledge Exchange - Owasp Top Ten

Publicis Sapient Engineering

Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure

MongoDB

In this presentation we will be looking at: Common threats to the security of your website. The various attack surfaces of a website; from the server, down the wire to presentation in the client browser. Simple approaches to mitigating these threats. Keeping web applications free from malicious attack is an arms race. From bruteforce attacks against your server through to browser based attacks to your pages once delivered (e.g. XSS, click jacking, cross site request forgery (CSRF)); there are many ways in which your web site is susceptible to attack. Fortunately there are several established counter measures that are simply (if rarely) implemented that are effective in mitigating such threats. We will look at the various modes of attack, review some real world examples and see how counter measures can be put in place. The presentation is aimed at anyone responsible for delivering information over the web regardless of whether they are responsible for the hosting and administration of their web site. Covering measures you can implement yourself and measures you may wish supported by your hosting provider. Topics covered: Server hardening through the use of firewalls, TLS/SSL implementation to protect delivery across the wire and Secure response headers and Content Security Policies to protect your page once received by the user's browser.

End to end web security

George Boobyer

Information Security Engineering

Md. Hasan Basri (Angel)

Owasp Indy Q2 2012 Cheat Sheet Overview

owaspindy

DerbyCon 2016 Nick Landers @monoxgas External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include E-Mail and password scraping, OWA/EWS brute forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete. Security Consultant at Silent Break Security. Professional Hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in windows environments.

Outlook and Exchange for the bad guys

Nick Landers

RSA APJ Velociraptor Lab

Velocidex Enterprises

Los procedimientos relacionados con Respuesta a Incidentes y Análisis Forense son diferentes en la nube respecto a cuando se realizan en entornos tradicionales, locales. Veremos las diferencias entre el análisis forense digital tradicional y el relacionado con sistemas en la nube de AWS, Azure o Google Compute Platform. Cuando se trata de la nube y nos movemos en un entorno totalmente virtual nos enfrentamos a desafíos que son diferentes al mundo tradicional. Lo que antes era hardware, ahora es software. Con los proveedores de infraestructura en la nube trabajamos con APIs, creamos, eliminamos o modificamos cualquier recurso con una llamada a su API. Disponemos de balanceadores, servidores, routers, firewalls, bases de datos, WAFs, sistemas de cifrado y muchos recursos más a sin abrir una caja y sin tocar un cable. A golpe de comando. Es lo que conocemos como Infraestructura como código. Si lo puedes programar, lo puedes automatizar. ¿Como podemos aprovecharnos de ello desde el punto de vista de la respuesta a incidentes, análisis forense o incluso hardening automatizado?

Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...

RootedCON

Automate or die! Rootedcon 2017

Toni de la Fuente

Slides

vti

WebApps_Lecture_15.ppt

OmprakashVerma56

Speaker: Tom Spitzer, Vice President, Engineering, EC Wise, Inc. Session Type: 40 minute main track session Level: 200 (Intermediate) Track: Security MongoDB Community Server provides a wide range of capabilities for securing your MongoDB installation. In this session, we will focus on access control features, including authentication and authorization mechanisms, that enable you to enforce a least privilege model on user accounts. We will also discuss strategies for enabling and maintaining service and application accounts. Next we will present the encryption capabilities that are available in the community edition and discuss their benefits and possible shortcomings. Finally, we will talk about application level protections your developers can implement to keep risky code from getting to your MongoDB instance. What You Will Learn: - The workings of the MongoDB User Management Interface, the Authentication Database, basic Authentication mechanisms (SCRAM-SHA-1 and certificates), Roles, and Role Based Access controls – plus best practices for using these features to improve the security of your database. - How to use TLS/SSL for transport encryption, application encryption options, and field level redaction. - How injection attacks work and how to minimize the risk of injection attacks.

It's a Dangerous World

MongoDB

HTML5 Security

Ville Säävuori

CRESTCon Asia 2018 - Config Password Encryption Gone Wrong

Keith Lee

Attendees will learn the best web application security practices used by major US government entities. The presentation will cover network configuration, caching, replication, common web application vulnerabilities, and how making these changes will result in better web site performance and user satisfaction. The five most common types of web application attacks will be explained, along with simple ways to prevent them.

Do you lose sleep at night?

Nathan Van Gheem

Palestra ministrada no OWASP Floripa Day - Florianópolis - SC | A palestra tem como objetivo mostrar os conceitos e funcionamento de algumas funcionalidades que foram adicionadas ao HTML5, levando em consideração os aspectos de segurança do client-side. Para as funcionalidades destacadas, foram criados cenários de ataques visando ilustrar a obtenção de informações sensíves armazenadas no browser ou até mesmo usar o browser da vítima para lançar ataques contra outros sistemas. Através da exploração das funcionalidades existentes no HTML5, técnicas de exploração como XSS e CSRF, tornam-se mais poderosas e eficientes, sendo possível em alguns casos contornar algumas restrições do Same Origin Policiy (SOP).

Building Client-Side Attacks with HTML5 Features

Conviso Application Security

The DNSSEC key signing key (or KSK) of the DNS root zone will be changed in the summer of 2017. During the time between July and October, all DNSSEC validating resolver need to get the new key material. In this webinar we explain the KSK roll, how DNS resolver will load the new KSK with the RFC 5011 protocol and how a DNS administrator can verify that the new KSK is present in the resolvers configuration.

The DNSSEC KSK of the root rolls

Men and Mice

Similar to Hack Into Drupal Sites (or, How to Secure Your Drupal Site) (20)

(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon

Romulus OWASP

Next Generation DevOps in Drupal: DrupalCamp London 2014

Xebia Knowledge Exchange - Owasp Top Ten

Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure

End to end web security

Information Security Engineering

Owasp Indy Q2 2012 Cheat Sheet Overview

Outlook and Exchange for the bad guys

RSA APJ Velociraptor Lab

Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...

Automate or die! Rootedcon 2017

Slides

WebApps_Lecture_15.ppt

It's a Dangerous World

HTML5 Security

CRESTCon Asia 2018 - Config Password Encryption Gone Wrong

Do you lose sleep at night?

Building Client-Side Attacks with HTML5 Features

The DNSSEC KSK of the root rolls

More from nyccamp

Drupal is an enigma to its initiates and a sonic screwdriver to its experts. In module-land, users solve their own problems, the result being a myriad of puzzle pieces. Every ambitious drupal-focused company is building shortcuts to combine these pieces, be that through their own vertical Distributions, reusable Features or demo frameworks with Drolutions. What markets will Drupal conquer as these concepts mature? How can start-ups and enterprises leverage Drupal's rapid development velocity? How can you play your part in Drupal's vertical revolution?

Drupal As A Jigsaw

nyccamp

Use A/B testing to monitor the impact of changes of web page elements that lead to more downloads, user contributed content, increased revenues, or whatever result you want to achieve. A/B testing involves testing two versions of a website - an A version (the control) and a B version (the variation) - with live traffic and measuring the effect each version has on your conversion rate. Results of A/B tests are used to make informed decisions about how to structure and present content on a site. There is no longer a need to guess what the site's user response is to changes, simply test and look at the trends in the data. The power and ease of use of the Optimizely framework is further enhanced using the Optimizely Drupal module. We will discuss the current and future integration of A/B testing with Drupal and Optimizely using the Optimizely Drupal module in detail. The presentation will end with a discussion of what future integration of Optimizely with Drupal is desired to further leverage the partnership.

A/B Testing and Optimizely Module

nyccamp

Behat is a tool that makes behavior driven development (BDD) possible. With BDD, you write human-readable stories that describe the behavior of your Drupal site. These stories can then be auto-tested against your website, whether in the midst of development, or on a live site. And yes, it’s as cool as it sounds! Behat, if embraced by enough Drupal folks, has the potential to vastly improve the way we build and test Drupal websites. Testing language can be developed by module maintainers, and allow nearly codefree testing to be developed by everyone, as needed, per site. Behat IS NOT unit testing nor a specification testing tool. Behat is a Scenario-oriented BDD framework with functional testing capabilities as part of a communication process between stake-holders and developers. Think Agile User Stories meets Selenium. Behat is currently used to test Drupal.org, allowing a variety of coders to work on a single site, and ensure that no existing functionality will break as they add new features. Or as it's migrated from one version to another. Imagine that on your site. We will review Behat (and Mink, and related code), how to use it with Drupal, Drush, and the existing modules/code to support that. We will demo live testing, and so how easy it is to write tests, with and without code.

Behat - human-readable automated testing

nyccamp

In all the years of designing for Drupal, the one thing I have learned is to always borrow from the best and build it into a base theme. Now, I know you’re saying to yourself — not another base theme. But why not? If I told you your theme could be responsive from the start, have flexible regions that you didn't have to design for, and that you could avoid the JQuery conflicts that plague Drupal 7, would you be interested?

ALL YOUR BASE (THEMES) ARE BELONG TO US

nyccamp

A key concept in Drupal Commerce is the Product Display vs Product model used to separate physical products from their display on the website. Depending on your point of view, this makes perfect sense or is a conceptual or practical nightmare. However you feel about it, understanding the reasoning behind the concept is essential when it comes to planning and implementing a Drupal Commerce project. http://nyccamp.org/sessions/drupal-commerce-product-vs-display-conundrum-and-how-explain-it-customer

Drupal Commerce - The Product vs Display Conundrum and How to Explain it to a...

nyccamp

Promotions Vouchers and Offers in Drupal Commerce

nyccamp

Our clients often come to Drupal with expectations about the features of a content management system (CMS). In many cases, Drupal handles the features they expect. However, not all editorial tools are a part of Drupal Core, and Drupal has addressed these tools with various contributed modules. As a result, Drupal’s editorial space generally lacks a consistent workflow and interface. Ideally suited to the needs of universities. Workbench incorporates contributed modules and has some new features of its own: Hierarchical permission inheritance by “Sections” not just content types Extensible workflow states Single repository for media management Modify live content without publishing changes immediately Workbench provides a unified interface for managing content. In effect, Workbench hides Drupal from you and makes content management about your institution and your website, not about Drupal. Speaker(s): Ken Rickard Experience Level: Beginner

Workbench: Managing Content Management

nyccamp

Most development shops make use of a "development/staging/production" server model. Maintaining code, content, and configurations across multiple environments can be a bit tricky, particularly since drupal doesn't currently provide any native means to separate configuration from content. This session would discuss the various methods to make sure that your development server looks like your production server. We will touch on version control, the backup and migrate module, and the features module, as well as integrating a deployment management software such as hudson or aegir, and how to scale these solutions from a small application to a large enterprise server architecture. Speaker(s): Nick Hepner Experience Level: Intermediate

Deployment Strategies: Managing Code, Content, and Configurations

nyccamp

Between design and Drupal theme we change gears dramatically in process and thinking. As designers, we craft our work with wowing users in mind, and as themers, we strive to architect the design and make it pop. We can better unify these approaches to save time and work better. Drupal is adept at making virtually any design look great. What can we achieve in design, both individually and as a community? How can we build diverse designs seamlessly without a hitch along the way? We'll talk about how to improve every step of a process, from prototypes to wireframes. We'll discuss resolving complications like handovers in markup and themes that, due to a design's particularities or a time crunch, end up hacky and impossible to extend. We'll also dwell briefly on important ideas like accessibility and semantics, all while creating Drupal-ready designs and themes that perform perfectly across the board! Here's a brief summary of what we'll tackle: Some design principles, including Drupal's Drupal-aware: Design with Drupal, not for Drupal One design, many layout possibilities Thinking about Drupal's structure and markup How to write an awesome theme Drupal code standards and conventions Contributing good themes To Drupal and beyond: Code that lasts This session is geared toward designers with some HTML/CSS background and theming beginners. We will also work with a little painless PHP. Speaker(s): Preston So Experience Level: Beginner

Drupal Aware Design: Good Techniques for Better Themes

nyccamp

In this session we’ll take a look at 7 unique higher education case studies showcasing the diversity of Drupal solutions in the .edu space. The case studies show Drupal as a solution for everything from departmental web presences to university wide web publishing solutions and learning management systems. Culled from interviews with university IT teams across the country from private to public both large and small, we’ll examine implementation choices, lessons learned and the business reasons that made Drupal the right choice. Keypoints: We'll identify the top issues facing Higher Education and how Drupal can help address them. We'll take a look at seven case studies of Drupal in use in higher ed: - Drupal as Unit CMS - College of Fine Arts, UT Austin - Drupal as Flagship - Duke University - Drupal as Intranet - California State University, Monterey Bay - Drupal as LMS - ELMS, Penn State University - Drupal as Lingua Franca - Stanford University - Drupal as University Wide Solution - Yale University - Drupal as OOTB software - Open Academy, University of California, Berkeley We’ll look at lessons learned and resources available to higher education Drupal implementers. This Session has been presented at Drupal Camp UT Austin.

Drupal and Higher Education

nyccamp

A New Theme Layer for Drupal 8

nyccamp

Is your site ready for the mobile web? Are you sure? Go ahead, check it on your phone, and your kid's phone, and a tablet, and some Android dealies, and a Bleakberry. And a TV or two. I'll wait. That was an eye-opener, right? Web design and front end development has never been more complex than it is now, and it's likely to get worse before it gets better. Should you design your site "Mobile First"? How about "Adaptive" or "Responsive"? What's the difference between those again? I want to talk about why you might want to choose these approaches to your project. CSS is also not really up to the task of managing all this complexity. Sure, it *can* do it, but pure CSS strains almost to the breaking point under the pressure. So let's welcome Sass to the party. Sass is a CSS preprocessor that gives CSS authors the tools we've been aching for in creating and managing large and complex CSS projects. We'll cover a few of the Sass basics, but the real value here is in the more sophisticated tools that let you manage all the moving parts necessary in creating all this new-fangled wizardry. We'll cover: - Mobile First - Adaptive Design - Responsive Design - Stand-alone mobile options - Sass - Mobile-focused tools - Compass - Survival Kit - Susy

Mobile and Responsive Design with Sass

nyccamp

The Apache Solr Search Integration module provides integration with the (free, open-source) Apache Solr server. This great combination of Drupal with a powerful and flexible search server will make your site irresistible to visitors by providing advanced search features like faceting filtering and by delivering the most relevant search results from your site. The module has been re-written for Drupal 7 to integrate with Facet API and those changes have been backported to a new Drupal 6 branch. Thus, you can use this module for all your projects, as well as setting up a shared search index that allows you to search across different Drupal 6 and Drupal 7 sites. This talk will focus on explaining configurations options in the admin UI to help you quickly and confidently configure the facets, pages, related content blocks, and other features for your site. Highlights may include: - What are the key Solr concepts you need to understand to get the most out of Solr integration? - How is the module admin UI organized? - How do I configure facets, sorts, and content recommendation blocks? - How can I use additional modules to index file attachments?

Drupal and Apache Solr Search Go Together Like Pizza and Beer for Your Site

nyccamp

This session will address how complex social networks of various types can be built with Drupal. The nuances of Feeds, Walls, Sharing (both private and public), Friends, Following, and (most importantly) Privacy will be explored, and options for building these features with Drupal will be discussed, with examples from the real world. This is an advanced session but anyone with social-networking dreams would benefit from learning the challenges in building one. How do you make a network "Social"? A Drupal site is a network of users and content, but it is not inherently social. It's greatest original feature was the ability for multiple users to collaborate in managing the system. We'll talk about what makes networks social and what makes them fun: Feeds, Activity, & Sharing. "News Feeds" can show not only your friend's content, but your friends-of-your-friends content when the target is your friend. Sound complicated? It is! "Activity" is when you become friends with someone, join the site, "like" something, commented on something... the list goes on. Without activity display, a social network feels more like a MySpace than Facebook. But be careful... if you list each new activity all of your friends make, it can get clogged with redundant announcements. Learn how we devised a system that lets us smartly group recent activity taken by user, taxonomy term, or node. Great social networks may be easy to use, but the logic behind true social networks is very complex. The Details - Building news feeds for friends and "followed" terms with Search API with Apache Solr - How to let users "share" content and write on other users "walls". - Creating an "activity" system that shows users activity around the site and can group similar activity together. - Privacy & Permissions: How to give control where control is due. About the Speaker Jonathan is the Founder & CTO of ThinkDrop Consulting, a Drupal consulting company in Brooklyn, New York and has been developing with Drupal for more than 7 years, coding with PHP for more than 11 years, and hypertexting with HTML since 1997. This session was originally given at DrupalCampNYC 10 in December of 2012 Slides available at https://docs.google.com/present/view?id=dg3sc8t9_2cbxfbnqg NOTE: I apologize for the layout problems, Google Docs Presentations look different on different operating systems Experience Level: Advanced

Building Social Networks

nyccamp

Drupal 8 development is underway, and there are some very exciting things coming down the pipe. I'll bring you up to speed with what's going on in the major Drupal 8 Core initiatives and by the time we're finished, you will have tangible ways to get involved in the next iteration of Drupal. This presentation is based on webchick's Drupal 8 slides. Since Drupal 8 is under very active development, the slides/presentation will change between now and the time I give it. I will upload the new version too.

The State of Drupal 8

nyccamp

Building Social Networks

nyccamp

The migrate module provides a flexible framework for migrating content into Drupal from other sources (e.g., when converting a web site from another CMS to Drupal). Out-of-the-box, support for creating core Drupal objects such as nodes, users, files, terms, and comments are included - it can easily be extended for migrating other kinds of content. The power comes from an object oriented API that's tricky to get started with - We'll walk through the various classes in the module and how they work together to manage migrations. I am currently looking for co-presenters or to present in a panel format as I feel we can all have something to learn from each other. UPDATE July 21, 2012: Thank you to everyone that was able to come out to the session. I know it was a complex topic. As another resource, you can take a look at the code from the example I displayed today at https://bitbucket.org/btmash/redcat_new_migration. Obviously, the migration won't work (the db needs to exist) but the code should hopefully be helpful. Cheers!

Move Into Drupal Using The Migrate Module

nyccamp

Want to automate testing on your site? don't know coding? No Problem! Selenium to your rescue!! Drupal + Selenium = Drulenium In this session I will demonstrate how Selenium can be used to - Build the site - Generate test content - Deploy Dev -> Stage -> Prod - Automate Testing Selenium IDE is an integrated development environment for Selenium scripts. It is implemented as a Firefox extension, and allows you to record, edit, and debug tests. Selenium IDE includes the entire Selenium Core, allowing you to easily and quickly record and play back tests in the actual environment that they will run." Experience Level: Beginner

Drulenium - Testing Made Easy

nyccamp

This talk will look at the features and changes in the Node Access system for Drupal 7. Out of the box, Drupal is a great system for creating and managing content. However, there are cases where your needs require additional requirements for which users can create, view, edit and delete content. To solve this problem, Drupal provides its Node Access system. Node Access provides an API for determining the grants, or permissions, that a user has for each node. By understanding how these grants work, a module developer can create and enforce complex access rules. We will cover some (or all) of the following topics. - Node Access compared to user_access() and other permission checks. - How Drupal grants node permissions. - The node_access() function. - hook_node_access() compared to {node_access}. - Controlling permission to create content. - Using hook_node_access(). - When to write a Node Access module. - The {node_access} table and its role. - Defining your moduleâs access rules. - Using hook_node_access_records(). - Using hook_node_grants(). - Rebuilding the {node_access} table. - Modifying the behavior of other modules. - Using hook_node_access_records_alter(). - Using hook_node_grants_alter(). - Testing and debugging you module. - Using Devel Node Access - Roadmap for Drupal 8 Ken Rickard is the maintainer of the Domain Access module and wrote several of the patches for Node Access in Drupal 7.

Node Access in Drupal 7 (and Drupal 8)

nyccamp

More from nyccamp (19)

Drupal As A Jigsaw

A/B Testing and Optimizely Module

Behat - human-readable automated testing

ALL YOUR BASE (THEMES) ARE BELONG TO US

Drupal Commerce - The Product vs Display Conundrum and How to Explain it to a...

Promotions Vouchers and Offers in Drupal Commerce

Workbench: Managing Content Management

Deployment Strategies: Managing Code, Content, and Configurations

Drupal Aware Design: Good Techniques for Better Themes

Drupal and Higher Education

A New Theme Layer for Drupal 8

Mobile and Responsive Design with Sass

Drupal and Apache Solr Search Go Together Like Pizza and Beer for Your Site

Building Social Networks

The State of Drupal 8

Building Social Networks

Move Into Drupal Using The Migrate Module

Drulenium - Testing Made Easy

Node Access in Drupal 7 (and Drupal 8)

Recently uploaded

Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application. In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics. Length: 30 minutes Session Overview ------------------------------------------- During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana: - What out-of-the-box solutions are available for real-time monitoring JMeter tests? - What are the benefits of integrating InfluxDB and Grafana into the load testing stack? - Which features are provided by Grafana? - Demonstration of InfluxDB and Grafana using a practice web application To view the webinar recording, go to: https://www.rttsweb.com/jmeter-integration-webinar

JMeter webinar - integration with InfluxDB and Grafana

RTTS

ScyllaDB has the potential to deliver impressive performance and scalability. The better you understand how it works, the more you can squeeze out of it. But before you squeeze, make sure you know what to monitor! Watch our experienced Postgres developer work through monitoring and performance strategies that help him understand what mistakes he’s made moving to NoSQL. And learn with him as our database performance expert offers friendly guidance on how to use monitoring and performance tuning to get his sample Rust application on the right track. This webinar focuses on using monitoring and performance tuning to discover and correct mistakes that commonly occur when developers move from SQL to NoSQL. For example: - Common issues getting up and running with the monitoring stack - Using the CQL optimizations dashboard - Common issues causing high latency in a node - Common issues causing replica imbalance - What a healthy system looks like in terms of memory - Key metrics to keep an eye on This isn’t “Death-by-Powerpoint.” We’ll walk through problems encountered while migrating a real application from Postgres to ScyllaDB – and try to fix them live as well.

Optimizing NoSQL Performance Through Observability

ScyllaDB

Bits & Pixels using AI for Good.........

Alison B. Lowndes

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Thierry Lestable

IESVE for Early Stage Design and Planning

IES VE

In this session, we will showcase how to revolutionize automated testing for your software, automation, and QA teams with UiPath Test Suite. In part 1 of UiPath test automation using UiPath Test Suite – developer series, we will cover, Software testing overview What is software testing Why software testing is required Typical test types and levels Continuous testing and challenges Introduction to UiPath Test Suite UiPath Test Suite family of products Speaker: Atul Trikha, Chief Technologist & Solutions Architect, Peraton and UiPath MVP Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

UiPath Test Automation using UiPath Test Suite series, part 1

DianaGray10

New customer? New industry? New cloud? New team? A lot to handle! How to ensure the success of the project? Start it well! I've created the 3 areas of focus at the beginning of the project that helped me in multiple roles (BA, PO, and Consultant). Learn from real-world experiences and discover how these insights can empower you to deliver unparalleled value to your customers right from the project's start.

Powerful Start- the Key to Project Success, Barbara Laskowska

CzechDreamin

In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring. Learn about: • The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks. • Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective. • Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification. • Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process. Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Inflectra

ODC, Data Fabric and Architecture User Group

CatarinaPereira64715

Knowledge engineering: from people to machines and back

Elena Simperl

This talk focuses on the practical aspects of integrating various telephony systems with Salesforce, drawing on examples from implementations in the Czech scene. It aims to inform attendees about the spectrum of telephony solutions available, from small to large scale, and their compatibility with Salesforce. The presentation will highlight key considerations for selecting a telephony provider that integrates smoothly with Salesforce, including important questions to support the decision-making process. It will also discuss methods for integrating existing telephony systems with Salesforce, aimed at companies contemplating or in the process of adopting this CRM platform. The discussion is designed to provide a straightforward overview of the steps and considerations involved in telephony and Salesforce integration, with an emphasis on functionality, compatibility, and the practical experiences of Czech companies.

Integrating Telephony Systems with Salesforce: Insights and Considerations, B...

CzechDreamin

Discover the essentials of performance testing in the IT sector with our concise guide. Learn about various testing types such as load, stress, endurance, spike, scalability, and volume testing. Understand key performance metrics like response time, throughput, CPU and memory utilization, and error rate. Explore top tools like Apache JMeter, LoadRunner, Gatling, Neoload, and BlazeMeter. Gain insights into best practices for defining objectives, creating realistic scenarios, automating tests, and optimizing performance to ensure user satisfaction, reliability, scalability, and cost efficiency. Ideal for developers, QA engineers, and IT professionals. Visit Expeed Software for more information. https://expeed.com/

In-Depth Performance Testing Guide for IT Professionals

Expeed Software

Join us as we dive into the latest updates to the UiPath Orchestrator API, including new limits and features for 2024. Discover how these changes can enhance your automation projects and streamline your workflows. 📚 Overview of UiPath Orchestrator API 🔧 Recent changes to API limits 🛠️ How to adapt to new limits 📋 Best practices for using the Orchestrator API efficiently ❓ Q&A session

Exploring UiPath Orchestrator API: updates and limits in 2024 🚀

DianaGray10

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

Product School

The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.

Search and Society: Reimagining Information Access for Radical Futures

Bhaskar Mitra

Already know how to write a basic SOQL query? Great! But what about an *aggregate* SOQL query? You know, the kind that uses aggregate functions like COUNT & MAX along with GROUP BY and HAVING clauses? No? Well, get ready to learn how to slice & dice your org’s data right inside your own dev console. From finding duplicate records to prototyping summary & matrix reports, learn the ins and outs of aggregate queries during this fast-paced but admin-friendly session on advanced SOQL concepts.

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

CzechDreamin

PLAI - Acceleration Program for Generative A.I. Startups

Stefano

Agentic RAG What it is its types applications and implementation.pdf

ChristopherTHyatt

Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to: Create a campaign using Mailchimp with merge tags/fields Send an interactive Slack channel message (using buttons) Have the message received by managers and peers along with a test email for review But there’s more: In a second workflow supporting the same use case, you’ll see: Your campaign sent to target colleagues for approval If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team But—if the “Reject” button is pushed, colleagues will be alerted via Slack message Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors. And... Speakers: Akshay Agnihotri, Product Manager Charlie Greenberg, Host

Connector Corner: Automate dynamic content and events by pushing a button

DianaGray10

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Product School

Recently uploaded (20)

JMeter webinar - integration with InfluxDB and Grafana

Optimizing NoSQL Performance Through Observability

Bits & Pixels using AI for Good.........

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

IESVE for Early Stage Design and Planning

UiPath Test Automation using UiPath Test Suite series, part 1

Powerful Start- the Key to Project Success, Barbara Laskowska

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

ODC, Data Fabric and Architecture User Group

Knowledge engineering: from people to machines and back

Integrating Telephony Systems with Salesforce: Insights and Considerations, B...

In-Depth Performance Testing Guide for IT Professionals

Exploring UiPath Orchestrator API: updates and limits in 2024 🚀

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

Search and Society: Reimagining Information Access for Radical Futures

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

PLAI - Acceleration Program for Generative A.I. Startups

Agentic RAG What it is its types applications and implementation.pdf

Connector Corner: Automate dynamic content and events by pushing a button

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Hack Into Drupal Sites (or, How to Secure Your Drupal Site)

1. Secure your Drupal site by ﬁrst hacking into it

2. Think like a hacker http://www.ﬂickr.com/photos/31246066@N04/4252587897/

3. How sites get hacked XSS Insecure environment Stolen access Outdated code, known vulnerabilities

4. XSS Demo • Malicious Javascript is entered • Admin unknowingly executes • Javascript alters admin-only settings • Changes admin password • Puts site ofﬂine http://www.ﬂickr.com/photos/paolo_rosa/5088971947/

5. https://vimeo.com/15447718

6. Ben Jeavons Drupaler for 5 years Member of Drupal Security Team @benswords

7. Drupal vulnerabilities by popularity 12% 7% 4% 3% 48% 10% 16% XSS Access Bypass CSRF Authentication/Session Arbitrary Code Execution SQL Injection Others reported in core and contrib SAs from 6/1/2005 through 3/24/2010

8. Cross Site Scripting

9. Cross Site Scripting XSS Javascript Performing actions without your intent Everything you can do XSS can do faster

10. Stored XSS Step 1 Request Attacker Drupal DB JS JS

11. Stored XSS Step 2 Request Victim Drupal DB Response JS JS

12. Stored XSS Step 3 Victim Request Drupal DB JS JS

13. $node = node_load($nid); $title = $node->title; drupal_set_title($title); ... (later, in page.tpl.php) ... <h1><?php print $title; ?></h1>

14. Fixing XSS Identify where the data came from User input!

15.

16.

17.

18. user agent language time zone referrer & more HTTP request headers Lots of tools/ways to modify these for requests

19. Fixing XSS Identify where the data came from Is that data being ﬁltered or escaped before output?

20.

21. Raw Input Filtered Output

22.

23. $node = node_load($nid); $title = $node->title; $safe = check_plain($title); drupal_set_title($safe); ... (later, in page.tpl.php) ... <h1><?php print $title; ?></h1>

24. XSS in Themes <div class=”stuff”> <?php print $node->field_stuff[0][‘value’]; ?>

25. <div class=”stuff”> <?php print $node->field_stuff[0][‘safe’]; // OR $stuff = $node->field_stuff[0]; print content_format(‘field_stuff’, $stuff); ?>

26. Sanitize user input for output $msg = variable_get(‘my_msg’,‘’); print check_plain($msg);

27. Test for XSS vulnerability <script>alert(‘xss yo’)</script> github.com / unn / vuln

28. Insecure Environment

29. Insecure Environment Lock down your stack Admin tools and access to them Principle of least privilege Give out only necessary permissions

30.

31. Insecure Environment /devel/variable /phpMyAdmin

32. Insecure Environment Make backups Test that they work Secure access to backups

33. Center for Health Transformation’s records were “found by The New York Times in an unsecured archived version of the site” http://www.nytimes.com/2011/11/30/us/politics/gingrich-gave-push-to-clients-not-just-ideas.html http://www.ﬂickr.com/photos/mjb/208218519/

34. Insecure Environment /sites/default/ﬁles/backup_migrate/

35. Stolen Access

36.

37.

38. SSL Run Drupal on full TLS/SSL securepages & securepages_prevent_hijack http://drupalscout.com/node/17 Use a valid certiﬁcate

39. SFTP “Secure” FTP Your host should provide it If not, consider a new one

40. Stay up-to-date

41. Stay up-to-date Know and apply security updates Security Advisories Not just Drupal third-party libraries (TinyMCE) PHP, operating system

42. /CHANGELOG.txt

43. Automation http://www.ﬂickr.com/photos/hubmedia/2141860216/

44. Steps to a mostly automated review Security Review: drupal.org/project/security_review Hacked: drupal.org/project/hacked Coder: drupal.org/project/coder Secure Code Review drupal.org/project/secure_code_review Vuln: github.com/unn/vuln More: http://drupalscout.com/node/11

45. in-depth, hands-on security training drupalcon.org bit.ly/drupalcon-security

46. Read drupal.org/security/writing-secure-code drupalscout.com crackingdrupal.com Converse groups.drupal.org/best-practices-drupal-security ben.jeavons@acquia.com @benswords

Hack Into Drupal Sites (or, How to Secure Your Drupal Site)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Hack Into Drupal Sites (or, How to Secure Your Drupal Site)

Similar to Hack Into Drupal Sites (or, How to Secure Your Drupal Site) (20)

More from nyccamp

More from nyccamp (19)

Recently uploaded

Recently uploaded (20)

Hack Into Drupal Sites (or, How to Secure Your Drupal Site)