Are you sure that your site is secure?
Site security
       ●   Trusted, experienced
           and secure hosting
       ●   Secure code
       ●   Security updates
Security Updates
●   Subscribe to Security-news
    http://lists.drupal.org/mailman/listinfo/security-news
●   Use Drupal 7 core module Update Manager.
How secure is Drupal code?
Types of vulnerabilities
Is Your Drupal-site Code Secure?
Speaker: Vlad Savitsky
Working at
Skype: vlad_savitsky
ICQ: 205535814
vlad.savitsky@gmail.com
+38096 530 27 12
Challenge
●   http://google-gruyere.appspot.com/start
●   Gruyere /ɡruːˈjɛər/ - a small, cheesy web application that allows its users
    to publish snippets of text and store assorted files.
●   "Unfortunately," Gruyere has multiple security bugs ranging from cross-site
    scripting and cross-site request forgery, to information disclosure, denial
    of service, and remote code execution.

The goal is to discover bugs in Gruyere.
Cross-site scripting (XSS)
●   Allows attackers to inject script into Web pages
    viewed by other users.
●   http://en.wikipedia.org/wiki/Cross-site_scripting
Handling Data: Golden Rule
●   Store exactly what the user typed.
●   When handling and outputting text in HTML, you need to be careful that
    proper filtering or escaping is done.
1. User sends some data
(Diagram: User sends User Input to Drupal Code; Invalid Input is rejected, Validated User Input goes to the Database.)
2. Attacker sends code
(Diagram: 1. Input containing JS is sent to Drupal Code; 2. Not Well Validated Input, JS included, is stored in the Database.)
3. User requests a page
(Diagram: 1. User sends a Request to Drupal Code; 2. SQL-Query fetches the stored JS from the Database; 3. Not Well Escaped Data, JS included, is returned to the User.)
4. User runs Attacker's code
(Diagram: 1. User's Browser views the HTML page; 2. Attacker's JavaScript Code runs in the Browser and sends data out.)
Access Bypass
(Diagram: 1. User sends a Request for /devel/php to Drupal Code; 2. User gets Access.)
Cross-site request forgery
●   Ability to trigger actions on the server just by accessing some URL.
●   Also known as a one-click attack or session
    riding and abbreviated as CSRF (pronounced
    sea-surf) or XSRF.
●   http://en.wikipedia.org/wiki/Cross-site_request_forgery
1. Find URL
(Diagram: a User Profile page with Save and Delete buttons; the Delete button points at http://example.com/user/10/delete.)
2. Post URL
(Diagram: 1. User posts a page to the Server; 2. the HTML page sends the URL embedded as <img src="URL" />; 3. Admin opens the page and the URL is requested.)
Arbitrary code execution
●   Ability to execute any commands of the
    attacker's choice on a target machine or in a
    target process.
●   http://en.wikipedia.org/wiki/Arbitrary_code_execution
Session fixation
●   Session fixation attacks attempt to exploit the
    vulnerability of a system which allows one
    person to fixate (set) another person's
    session identifier (SID).
●   Most session fixation attacks are web based,
    and most rely on session identifiers being
    accepted from URLs (query string) or POST
    data.
●   http://en.wikipedia.org/wiki/Session_fixation
1. Send URL with SID
(Diagram: 1. User sends Admin the URL http://example.com/node/2?sid=123; 2. Admin logs in via http://example.com/user/login?sid=123 and Drupal Code accepts the SID.)
2. Get Admin's session
(Diagram: 3. User opens the login-as-admin URL http://example.com/user/login?sid=123 and Drupal Code serves Admin's session.)
http://drupal.org/project/sharedsignon
http://drupal.org/node/592488
How to find a vulnerability?
XSS high-risk zones
●   theme().
●   t() and l().
●   dpm().
●   echo().
●   var_dump().
●   console.log().
●   watchdog().
●   drupal_set_message().
●   Templates (.tpl.php).
●   Theme's code.
●   Preprocess functions.
●   $form_state values.
●   Validation messages and default values.
●   Field type 'select' and 'options' attribute.
●   drupal_set_title().
XSS Test

<script>alert('xss');</script>

<img src="notfound.png" onerror="alert('xss');">

watchdog('type', 'message <script type="text/javascript">alert("xss");</script>');
How to find XSRF?
●   Inspect hook_menu().
●   Inspect AJAX callbacks.
●   If secure tokens are not used, then XSRF is possible.
●   See drupal_get_token().
Access bypass
●   Check hook_permission().
●   Search for permission names.
●   Check 'access_callback's in hook_menu().
●   Check if code works correctly with other
    contributed modules and respects their
    access restrictions.
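The two checklists above (XSRF and access bypass) in one Drupal 7 module skeleton, as an added example that is not from the slides; the module name "example", the {example_item} table, the path and the permission name are assumed:

```php
<?php
// Added example (not from the slides): a Drupal 7 module skeleton showing where the
// XSRF token check and the access check live. Module name "example", the
// {example_item} table and the permission name are assumed.

// hook_permission(): declare the permission that hook_menu() refers to.
function example_permission() {
  return array(
    'administer example items' => array('title' => t('Administer example items')),
  );
}

// hook_menu(): a router item with neither 'access arguments' nor 'access callback'
// inherits its parent's access check, which may be far looser than intended.
function example_menu() {
  $items['example/item/%/delete'] = array(
    'title' => 'Delete item',
    'page callback' => 'example_item_delete',
    'page arguments' => array(2),
    'access arguments' => array('administer example items'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Build the delete link with a token bound to this exact action and session.
function example_item_delete_link($id) {
  $token = drupal_get_token('example-item-delete-' . $id);
  return l(t('Delete'), 'example/item/' . $id . '/delete',
    array('query' => array('token' => $token)));
}

// Page callback. Without the token check, any GET to this path (for instance an
// <img src="..."> on another site loaded by an admin) would delete the item.
function example_item_delete($id) {
  if (empty($_GET['token']) ||
      !drupal_valid_token($_GET['token'], 'example-item-delete-' . $id)) {
    return MENU_ACCESS_DENIED;
  }
  db_delete('example_item')->condition('id', (int) $id)->execute();
  drupal_goto('example/items');
}
```

When reviewing, the questions are exactly the slide's: is the permission declared, does every router item name an access check, and does every state-changing callback validate a token (or use a confirmation form, which carries one automatically).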
Code Execution
●   Search for eval(), system(), etc.
●   Check code includes.
●   Check if files with code could be executed.
●   Search for the PHP input format on blocks, nodes, fields, etc.
●   Check if modules like devel, php, etc. are enabled.
●   Check if uploading files with php-code is
    possible.
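For the last item, an upload handler that keeps PHP code out of the files directory, as an added example that is not from the slides; the form field name, directory and size limit are assumed:

```php
<?php
// Added example (not from the slides): a Drupal 7 upload handler covering the
// "uploading files with php-code" check. Field name, directory and limit are assumed.
function example_attachment_upload() {
  $validators = array(
    // Whitelist of extensions: anything else, including .php, .phtml and .phar,
    // is rejected before the file is saved.
    'file_validate_extensions' => array('jpg jpeg png gif pdf'),
    'file_validate_size' => array(2 * 1024 * 1024),
  );
  // file_save_upload() also runs file_munge_filename(), which neutralises an
  // inner disallowed extension (e.g. "page.php.jpg" becomes "page.php_.jpg"),
  // and the default .htaccess in the public files directory disables the PHP
  // engine, so a stored file is served, never executed.
  $file = file_save_upload('attachment', $validators, 'public://attachments');
  if (!$file) {
    return FALSE;
  }
  $file->status = FILE_STATUS_PERMANENT;
  return file_save($file);
}
```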
SQL injection
●   Static queries.
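An injectable static query next to its placeholder form, as an added example that is not from the slides; it goes a little beyond the slide with the LIKE and ORDER BY cases that placeholders do not cover. The {example_item} table and its columns are assumed:

```php
<?php
// Added example (not from the slides): the two shapes of a Drupal 7 static query.
// Table {example_item} and its columns are assumed.

// Injectable: user input concatenated into the SQL string.
function example_find_items_insecure($title) {
  return db_query("SELECT id FROM {example_item} WHERE title = '" . $title . "'")
    ->fetchCol();
}

// Safe static query: the placeholder keeps data out of the SQL grammar.
function example_find_items($title) {
  return db_query('SELECT id FROM {example_item} WHERE title = :title',
    array(':title' => $title))->fetchCol();
}

// LIKE: the placeholder protects the string, but % and _ in the fragment would
// still act as wildcards, so db_like() escapes them.
function example_search_items($fragment) {
  return db_query('SELECT id FROM {example_item} WHERE title LIKE :pattern',
    array(':pattern' => '%' . db_like($fragment) . '%'))->fetchCol();
}

// Identifiers and sort direction cannot be placeholders at all; whitelist them.
function example_list_items($sort_column, $direction) {
  $allowed = array('id', 'title', 'created');
  if (!in_array($sort_column, $allowed, TRUE)) {
    $sort_column = 'id';
  }
  $direction = (strtoupper($direction) === 'DESC') ? 'DESC' : 'ASC';
  return db_select('example_item', 'i')
    ->fields('i', array('id', 'title'))
    ->orderBy($sort_column, $direction)
    ->execute()
    ->fetchAllAssoc('id');
}
```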
Drupal Security Team
Goals of the security team
●   Resolve reported security issues.
●   Provide assistance for contributed module
    maintainers in resolving security issues.
●   Provide documentation on how to write
    secure code.
●   Provide documentation on securing your site.
How to report
                a security issue
●   Do not post in the issue tracker or discuss it in IRC.
●   Mail to security@drupal.org
●   Provide as many details as you can. At least:
    ●   Drupal version and/or module version.
    ●   Steps to reproduce the problem.
●   Do not disclose the vulnerability to anyone before
    the advisory is issued.
●   You will be credited in the security announcement.
How does the security team work with issues?
●   Review the issue and evaluate the potential
    impact on all supported releases of Drupal.
●   If it is indeed a valid problem, the security team is
    mobilized to eliminate it.
●   New versions are created and tested.
●   New packages are created and uploaded to
    Drupal.org.
●   When an issue has been fixed, use all available
    communication channels to inform users of steps
    that must be taken to protect themselves.
Issues with
        contributed modules
●   The module maintainer is contacted with a
    deadline.
●   When the maintainer fixes the problem, the
    security team issues an advisory.
●   If the maintainer does not fix the problem
    within the deadline, an advisory is issued,
    recommending disabling the module and the
    project on Drupal.org is unpublished.
Additional Reading
●   Core Security Advisories
    http://drupal.org/security
●   Contributed Project Security Advisories
    http://drupal.org/security/contrib
●   The Drupal Security Team
    http://drupal.org/security-team
●   Secure configuration of your Drupal site
    http://drupal.org/security/secure-configuration
●   Writing secure code
    http://drupal.org/writing-secure-code
●   Cracking Drupal – The Drupal security book
    http://crackingdrupal.com/
●   This paper's website
    http://drupalsecurityreport.org
●   OWASP Top Ten Project
    http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Questions to speaker

         Vlad Savitsky
         http://shvetsgroup.com
         Skype: vlad_savitsky
         ICQ: 205535814
         vlad.savitsky@gmail.com
         +38 096 530 27 12

Looking for Vulnerable Code. Vlad Savitsky
