Drupal security

Drupal Event - Techday7 Presentation on Apr-21-2012 by R. Bakiyanathan.

Published in: Technology

1. Drupal Security: Drupal’s solutions, and how to maintain site security - Bakiyanathan R (www.techday7.com)

2. "9 out of 10 websites have serious vulnerabilities" - WhiteHat Security

3. The Top 10 Web Security Issues ...and how Drupal addresses them (the list follows the OWASP Top 10 of 2007)

4. Cross-Site Scripting
5. How Drupal prevents... (cross-site scripting)
• Drupal has a system of input filters (text formats) that strip potential XSS payloads from user-submitted markup, and output functions (check_plain(), filter_xss()) that escape or strip it again on the way out.
• The Form API verifies that a user actually loaded a form before submitting it, by checking a per-session token on every submission. That check is mainly a CSRF defence, but it also stops injected script from simply posting forms on a user’s behalf without first obtaining a valid token, which makes effective XSS against Drupal sites considerably more difficult.
6. Injection Flaws
Login form:
    Username: Administrator" OR uid=1 OR "1"="1
    Password: ••••••••••••
Resulting query:
    SELECT uid FROM users
    WHERE name="Administrator" OR uid=1 OR "1"="1" AND password="kjsdkjds"
Because the injected OR clauses are evaluated before the AND with the password, the administrator’s row matches whatever password was typed, and the login succeeds as uid 1.
7. How Drupal prevents... (injection)
• Drupal provides a database API with built-in SQL injection prevention: values are passed as placeholders (%s/%d in Drupal 6, named :placeholders bound through PDO in Drupal 7) rather than concatenated into the query string.
• Drupal provides a set of functions to process URLs and SQL arguments, making security an easy choice for developers.
8. Malicious File Execution
• Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
• Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
• Ex: http://mydomain.com/show.php?page=../install.php (the local variant: the attacker picks which file on the server the script includes)
9. How Drupal prevents... (malicious file execution)
• PHP has a configurable base directory for inclusions (open_basedir). Setting it limits what include/require and the file functions can reach to the Drupal directories, so ../ sequences cannot escape them.
• Drupal modules generally offer no entry point except through Drupal’s URL/menu handler: module code lives in .module and .inc files that do nothing when requested directly, and the shipped .htaccess refuses to serve those files at all. So even where a user can make the server load a file, the "attack" has no effect.
• Prevention of "insecure direct object reference" attacks also helps here, since file names are never taken straight from the request.
10. Insecure Direct Object Reference
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter.
• Ex: http://mydomain.com?page=/etc/group
• This request returns the server’s group file, listing every group and its members.
11. How Drupal prevents... (insecure direct object reference)
• Drupal’s menu and form APIs encourage validating and sanitizing data submitted by users, and menu wildcards such as %node load the object server-side and apply its access check before the page callback runs.
• When object references are passed through the Form API as '#type' => 'value', Drupal core keeps them on the server (they never appear in the HTML), so site users cannot tamper with them the way they can with a hidden field or a query parameter.
• Drupal and PHP provide file and session APIs that allow convenient and secure object reference passing.
12. Cross-Site Request Forgery
• CSRF is an attack which forces an end user to execute unwanted actions on a web application in which they are currently authenticated.
• CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data.
13. How Drupal prevents... (cross-site request forgery)
• Drupal’s output filtering removes the scripted variations of this attack (injected script that submits a form), leaving only the simpler ones such as a crafted link or image URL.
• The simpler CSRF attacks fail against Drupal because the Form API isolates state-changing operations behind POST requests rather than GET links.
• The Form API also requires a form to be loaded before it can be submitted: each rendered form carries a token tied to the user’s session (form_token), which is checked on submission. For state-changing links that are not Form API submissions, modules generate and check the same kind of token with drupal_get_token() and drupal_valid_token().
14. Information Leakage
• Ex: an error page reading "Cannot connect to database. (mysql://rootuser:password@localhost:/db)" hands the attacker the database user, password and host in one line.

15. How Drupal prevents... (information leakage)
• Administrators can configure Drupal to log errors privately (the error reporting setting under Logging and errors), so messages go to the watchdog log instead of reaching users.
• Drupal never displays password information when experiencing database connection issues.
• Drupal ships with a .htaccess file that denies direct requests for settings.php, .inc, .module and similar files, preventing many forms of snooping.
16. Broken Authentication
• Account credentials and session tokens are often not properly protected.
• Authentication and session management includes all aspects of handling user authentication and managing active sessions.
17. How Drupal prevents... (broken authentication)
• Authentication cookies are not modifiable by site users: the cookie carries only a random session ID, and everything it stands for lives in the server-side sessions table.
• User sessions (and related cookies) are completely destroyed and regenerated on login and logout, so a session ID fixed or captured before login is worthless afterwards.
• User name, ID, and password are only managed on the server side, not in the user’s cookie. Passwords are never emailed; a password reset sends a one-time login link instead.
• Session cookies are named uniquely for each Drupal installation (a SESS or SSESS prefix followed by a hash derived from the site’s domain).
18. Insecure Cryptographic Storage
• Web applications rarely use cryptographic functions properly to protect data and credentials.
• Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
19. How Drupal prevents... (insecure cryptographic storage)
• Passwords are stored using a one-way hash. In Drupal 7 that is a salted, iterated SHA-512 hash (phpass-derived, includes/password.inc); Drupal 6 used unsalted MD5, and accounts upgraded from it are rehashed on their next successful login.
• Drupal provides a randomly generated private key for every installation (drupal_get_private_key(); Drupal 7 adds a hash salt in settings.php), which core uses to sign form and session tokens.
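As an added example (not code from the slides), the following Drupal 7 module code shows both facilities from this slide in use: the one-way password hash with its upgrade path, and the per-installation private key used as an HMAC secret. The module name "hashdemo" and the account and password values are assumptions.

```php
<?php
// Added example, not from the slides: how a Drupal 7 module uses the one-way
// password hash and the per-installation private key described above.
// Module name "hashdemo" and the account/password values are assumptions.

// includes/password.inc is loaded on demand; the file name is a variable so a
// site can swap in another hashing implementation.
require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');

/**
 * Hashes a new password and stores it on the account.
 *
 * user_hash_password() produces a salted, iterated SHA-512 hash (phpass
 * layout, "$S$" prefix). Each call draws a fresh random salt, so the same
 * password yields a different hash every time and rainbow tables do not apply.
 */
function hashdemo_set_password($account, $password) {
  $hash = user_hash_password($password);
  db_update('users')
    ->fields(array('pass' => $hash))
    ->condition('uid', $account->uid)
    ->execute();
  return $hash;
}

/**
 * Verifies a login attempt against the stored hash in $account->pass.
 *
 * If the stored hash is weaker than the current default (for example one
 * carried over from Drupal 6 by the upgrade path, or made with a lower
 * iteration count), rehash it now while the clear-text password is available,
 * which is what core's user_authenticate() does as well.
 */
function hashdemo_check_login($account, $password) {
  if (!user_check_password($password, $account)) {
    return FALSE;
  }
  if (user_needs_new_hash($account)) {
    hashdemo_set_password($account, $password);
  }
  return TRUE;
}

/**
 * Signs a value with the site's secret, the same way core builds its tokens.
 *
 * drupal_get_private_key() is generated randomly at install time and kept in
 * the variable table; drupal_get_hash_salt() is $drupal_hash_salt from
 * settings.php. Neither is ever sent to the browser, so only this site can
 * produce or verify the signature.
 */
function hashdemo_sign($value) {
  return drupal_hmac_base64($value, drupal_get_private_key() . drupal_get_hash_salt());
}

/**
 * Verifies a signature produced by hashdemo_sign(). Recompute and compare;
 * the secret itself is never compared against anything from the request.
 */
function hashdemo_verify($value, $signature) {
  return $signature === hashdemo_sign($value);
}

// Constructed usage: $account would normally come from user_load().
// $account = user_load_by_name('alice');
// hashdemo_set_password($account, 'correct horse battery staple');
// hashdemo_check_login($account, 'correct horse battery staple'); // TRUE
// hashdemo_verify('unpublish-10', hashdemo_sign('unpublish-10'));  // TRUE
```

Note that the site's private key is a signing secret, not an encryption password: it is fit for HMACs over values the server later re-checks, and nothing derived from it should be emitted to users in a form that lets them recover it.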
20. Insecure Communications
• Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
21. How Drupal prevents... (insecure communications)
• As a PHP-based system, Drupal can use Apache’s widely-trusted SSL support.
• If only part of the site is behind SSL, administrators can install modules (Secure Pages, for example) to make certain URLs available only through a secure connection. In Drupal 7 this mixed mode needs the following line in settings.php, which gives HTTPS requests their own SSESS session cookie so the authenticated session is never sent in the clear:
    $conf['https'] = TRUE;
22. Failure to Restrict URL Access
• Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users.
• Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.
• Ex: http://mydomain.com/user/10/delete
23. How Drupal prevents... (failure to restrict URL access)
• Drupal uses an integrated URL/access control system: every path is registered in hook_menu() together with an access callback and its arguments (by default user_access() with a named permission).
• Every URL in the system must have access control configured, and the menu router evaluates it before the page callback runs, whether or not a link to the URL was ever shown to the user.
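As an added example (not code from the slides), here is Drupal 7 module code that puts slides 13 and 23 together: a path registered with an explicit access check, and a state-changing link outside the Form API that is protected with a session-bound token so it cannot be triggered by a forged request. The module name "tokendemo", the path and the action are assumptions.

```php
<?php
// Added example, not from the slides: a Drupal 7 menu item with explicit access
// control, plus a token check for a state-changing link that is not a Form API
// submission. Module name "tokendemo" and its path are assumptions.

/**
 * Implements hook_menu().
 *
 * The router evaluates 'access callback' with 'access arguments' before the
 * page callback runs, so requesting the URL directly, without ever having been
 * shown a link to it, meets the same check. %node makes the router load the
 * node from the path and pass it as argument 1.
 */
function tokendemo_menu() {
  $items['node/%node/unpublish'] = array(
    'title' => 'Unpublish',
    'page callback' => 'tokendemo_unpublish',
    'page arguments' => array(1),
    'access callback' => 'node_access',
    'access arguments' => array('update', 1),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the link that triggers the action.
 *
 * drupal_get_token() is an HMAC over a value naming the action and target,
 * keyed with the current session ID and the site's private key, so the token
 * can neither be guessed nor copied from another user's page.
 */
function tokendemo_unpublish_link($node) {
  $value = 'unpublish-' . $node->nid;
  return l(t('Unpublish'), 'node/' . $node->nid . '/unpublish', array(
    'query' => array('token' => drupal_get_token($value)),
  ));
}

/**
 * Page callback: acts only when the request carries this user's token.
 *
 * Without the check, a third-party page could embed
 * <img src="http://mydomain.com/node/10/unpublish"> and an editor who merely
 * viewed that page would unpublish node 10. Returning MENU_ACCESS_DENIED gives
 * the normal 403 page.
 */
function tokendemo_unpublish($node) {
  $value = 'unpublish-' . $node->nid;
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $value)) {
    return MENU_ACCESS_DENIED;
  }
  $node->status = NODE_NOT_PUBLISHED;
  node_save($node);
  // %title is user data: the placeholder escapes it before it reaches the page.
  drupal_set_message(t('%title is no longer published.', array('%title' => $node->title)));
  drupal_goto('node/' . $node->nid);
}
```

For destructive actions core prefers a confirmation form (confirm_form()), which moves the state change behind a POST with the Form API's own token; the explicit drupal_get_token()/drupal_valid_token() pair above is for the cases where a plain link is required.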
24. Unvalidated input
• When users submit information to sites, their input must be checked for validity using the Drupal Form API.
Flow: User input → Form API → "Does the user have access to submit this form?" → "Is the user input OK?" → Validated input → Form processor. Input failing either check → Rejected input.
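As an added example covering slides 11 and 24 (not code from the slides), this Drupal 7 form passes an object reference through the Form API where the browser cannot alter it, and rejects bad input in a validate handler before the submit handler runs. The module name "retitledemo" and the "retitle" operation are assumptions.

```php
<?php
// Added example, not from the slides: a Drupal 7 form that carries a node ID
// through the Form API without exposing it to tampering, with validation that
// runs before any state change. Module name "retitledemo" is an assumption.

/**
 * Implements hook_menu().
 *
 * The access check happens here, before drupal_get_form() is even called.
 */
function retitledemo_menu() {
  $items['node/%node/retitle'] = array(
    'title' => 'Retitle',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('retitledemo_form', 1),
    'access callback' => 'node_access',
    'access arguments' => array('update', 1),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * Form builder.
 *
 * '#type' => 'value' is kept server-side in the form build and never appears
 * in the HTML, so a user cannot substitute another node's ID the way they
 * could with '#type' => 'hidden' or a ?nid= query parameter. Form API also
 * adds form_build_id and form_token; a submission whose token does not match
 * this user's session is rejected before validation runs.
 */
function retitledemo_form($form, &$form_state, $node) {
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  $form['title'] = array(
    '#type' => 'textfield',
    '#title' => t('New title'),
    '#default_value' => $node->title,
    '#maxlength' => 255,
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
  return $form;
}

/**
 * Validate handler: any form_set_error() here stops the submit handler.
 */
function retitledemo_form_validate($form, &$form_state) {
  $title = trim($form_state['values']['title']);
  if (drupal_strlen($title) < 3) {
    form_set_error('title', t('The title must be at least 3 characters long.'));
  }
  // Re-check the reference even though it came from a protected value field:
  // the node may have been deleted, or the user's access revoked, since the
  // form was built.
  $node = node_load($form_state['values']['nid']);
  if (!$node || !node_access('update', $node)) {
    form_set_error('', t('You cannot edit this node.'));
  }
}

/**
 * Submit handler: runs only with validated values.
 */
function retitledemo_form_submit($form, &$form_state) {
  $node = node_load($form_state['values']['nid']);
  $node->title = trim($form_state['values']['title']);
  node_save($node);
  // Output escaping: the title is user data, so it goes through a placeholder.
  drupal_set_message(t('Title changed to @title.', array('@title' => $node->title)));
  $form_state['redirect'] = 'node/' . $node->nid;
}
```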
25. Writing secure code
Use check functions on output to prevent cross-site scripting attacks. No piece of user-submitted content should ever be placed as-is into HTML:
• Use check_plain() or theme('placeholder', ...) for plain text.
• Use check_markup() or filter_xss() for text that is allowed to contain markup.
• Use the t() function with @ or % placeholders to construct safe, translatable strings.
Ex:
    drupal_set_message(t("Your favorite color is $color!")); // No input checking!
    drupal_set_message('Your favorite color is ' . check_plain($color));
    drupal_set_message(t('Your favorite color is @color', array('@color' => $color)));
26. Use the database abstraction layer to avoid SQL injection attacks
For example, never concatenate data directly into SQL queries, like this:
    <?php db_query("SELECT foo FROM {table} t WHERE t.name = '" . $_GET['user'] . "'"); ?>
Pass the value as a placeholder instead (Drupal 6 style shown; Drupal 7 uses named :placeholders with an array of values):
    <?php db_query("SELECT foo FROM {table} t WHERE t.name = '%s'", $_GET['user']); ?>
Use db_rewrite_sql() to respect node access restrictions:
    <?php $result = db_query(db_rewrite_sql("SELECT n.nid, n.title FROM {node} n")); ?>
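The slide's snippets are written for Drupal 6. As an added example (not code from the slides), here is the same material for the Drupal 7 database layer that the deck's $conf['https'] setting implies: the vulnerable concatenation beside the bound-placeholder form, the LIKE pitfall, and a node listing that honours node access using the query tag that replaced db_rewrite_sql(). The "dbdemo" function names are assumptions.

```php
<?php
// Added example, not from the slides: the same lookup in Drupal 7's database
// layer, written the vulnerable way and the safe way, plus a node listing that
// respects node access. Function names under "dbdemo" are assumptions.

/**
 * VULNERABLE (kept for contrast): the request parameter is pasted into SQL.
 * ?user=x' OR '1'='1 turns the WHERE clause into one that matches every row.
 */
function dbdemo_uid_by_name_bad($name) {
  return db_query("SELECT uid FROM {users} WHERE name = '" . $name . "'")->fetchCol();
}

/**
 * SAFE: a named placeholder. The value is bound by the PDO driver, so quotes
 * inside it are data, not SQL syntax. {users} gets the table prefix applied.
 */
function dbdemo_uid_by_name($name) {
  return db_query("SELECT uid FROM {users} WHERE name = :name",
    array(':name' => $name))->fetchCol();
}

/**
 * Pattern matching needs one more step: the wildcard characters % and _ are
 * still special inside a bound LIKE value, so escape them with db_like()
 * before appending your own wildcard.
 */
function dbdemo_uids_by_prefix($prefix) {
  return db_query("SELECT uid FROM {users} WHERE name LIKE :pattern",
    array(':pattern' => db_like($prefix) . '%'))->fetchCol();
}

/**
 * Node listing honouring node access restrictions. In Drupal 7 the
 * 'node_access' query tag replaces Drupal 6's db_rewrite_sql(): node.module's
 * hook_query_node_access_alter() adds the grants condition for the current
 * user to any tagged query.
 */
function dbdemo_recent_titles($limit = 10) {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', NODE_PUBLISHED)
    ->orderBy('n.created', 'DESC')
    ->range(0, $limit)
    ->addTag('node_access');
  // Keys are nids, values are raw titles: run them through check_plain()
  // (or a t() placeholder) when printing, as slide 25 says.
  return $query->execute()->fetchAllKeyed();
}
```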