Hack-Proof Your Drupal App
Transcript of Hack-Proof Your Drupal App
Hack-proof Your Drupal App
Key Habits of Secure Drupal Coding
Hack-proof Your Drupal App DrupalCamp NH 2011
Introductions
Erich Beyrent
http://twitter.com/ebeyrent
http://drupal.org/user/23897
My Modules
• Permissions API
• Permissions Superuser
• Crowd SSO
• LDAP Extended Groups
• Context Local Tasks
• Search Lucene Biblio
• Search Lucene Attachments
• Search Lucene OG
• Visual Search API
Agenda
• Secrets to Securing a Social Network
• Key Habits of Secure Drupal Coding
• Vulnerability Detection to Remediation
• Security Resources for Drupal Applications
• See For Yourself - demonstrations of application attacks
• Discussions
Have you ever...
Source: http://www.flickr.com/photos/wili/233621595/
HILARITY DID NOT ENSUE
The Results
120 vulnerabilities were discovered: XSS, CSRF, SQL Injection, Insufficient Authorization
What Was Learned
• 90% of the vulnerabilities existed in the theme
• Untrusted data from the query string was printed without filtering
• Custom search forms were insecure
• crossdomain.xml caused vulnerabilities
Fixing The Problems
• Completely reviewed the theme, implementing Drupal output filters
• Code was audited to ensure sanitization of all user data
• Rewrote the search forms to sanitize user data and use the Form API
• Implemented web services proxy
Drupal Security Report
• Authored by Ben Jeavons and Greg Knaddison
• Provides an analysis of the current state of security in Drupal
• Reports on the number of vulnerabilities by type reported in SAs for Drupal core and contributed modules
By The Numbers
Source: Drupal Security Report, http://drupalsecurityreport.org/ (June 2005 – March 2010)
Source: http://www.cvedetails.com/vendor/1367/Drupal.html
Key Habits of Secure Drupal Coding
• Wrap your output
• Protect your database
• Beware user input
• AJAX risks
Reality
YouTube (July 2010)
Reality
Security experts estimate that 66% of websites are vulnerable to XSS attacks (Jeremiah Grossman, WhiteHat Security)
The vast majority of vulnerabilities in Drupal are XSS vulnerabilities
Why?
• Drupal has at least 8 different APIs for sanitizing output
• Security presentations are given at DrupalCons and DrupalCamps all around the world
• Drupal Security Announcements
Wrap Your Output
check_plain()
check_plain()
This is for simple text without any markup. Encodes special characters in a plain-text string for display as HTML. Checks for UTF-8 to prevent cross site scripting attacks on Internet Explorer 6. Don't use it on values passed to t() or l(); use placeholders instead.
check_markup()
This is for text which contains markup in some language. Runs all the enabled filters on a piece of text.
filter_xss()
Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities.
• Removes characters and constructs that can trick browsers.
• Makes sure all HTML entities are well-formed.
• Makes sure all HTML tags and attributes are well-formed.
• Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).
Source: http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss/7
filter_xss_admin()
Very permissive XSS/HTML filter for admin-only use.
Use only for fields where it is impractical to use the whole filter system, but where some (mainly inline) mark-up is desired (so check_plain() is not acceptable).
Allows all tags that can be used inside an HTML body, save for scripts and styles.
Source: http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss_admin/7
t()
String translation; sanitizes your output if used properly
t("Input @s", array('@s' => $string));
l()
Filters link text and protects against bad protocols
GOOD: print l($content, $link);
BAD: print '<a href="' . $link . '">' . $content . '</a>';
drupal_set_title()
In Drupal 7, output is sanitized by default!
drupal_set_title($tainted, CHECK_PLAIN);
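As an added example that is not part of the slides or of Drupal itself, the following shows one Drupal 7 page callback written twice: first printing tainted values raw (the BAD pattern on the l() slide), then rebuilt with the output functions covered above: check_plain(), filter_xss(), check_markup(), t() placeholders, l() and drupal_set_title(). It assumes a bootstrapped Drupal 7 site; the example_* function names and the $name, $bio and $homepage values are hypothetical.

```php
<?php
// Added example, not from the slides or from Drupal core. Assumes Drupal 7
// is bootstrapped (module code). The example_* names are hypothetical.

/**
 * BAD: every value below came from a user and is printed unescaped.
 */
function example_profile_page_unsafe($name, $bio, $homepage) {
  // PASS_THROUGH turns off the escaping drupal_set_title() does by default.
  drupal_set_title('Profile of ' . $name, PASS_THROUGH);
  $output  = '<h2>' . $name . '</h2>';
  $output .= '<div class="bio">' . $bio . '</div>';
  // Neither the link text nor the protocol of the href is checked.
  $output .= '<a href="' . $homepage . '">' . $name . '</a>';
  return $output;
}

/**
 * GOOD: the same page with each value wrapped by the API that fits it.
 */
function example_profile_page_safe($name, $bio, $homepage) {
  // t() escapes @-placeholders, so the title is already safe; PASS_THROUGH
  // avoids escaping it a second time (the default is CHECK_PLAIN).
  drupal_set_title(t('Profile of @name', array('@name' => $name)), PASS_THROUGH);

  // Plain text: check_plain() HTML-encodes < > & " and validates UTF-8.
  $output = '<h2>' . check_plain($name) . '</h2>';

  // Text that may carry a little inline markup: filter_xss() keeps only the
  // listed tags, drops every other tag and unsafe attribute, and strips
  // javascript:-style URLs from the attributes it does keep.
  $allowed = array('a', 'em', 'strong', 'p', 'br');
  $output .= '<div class="bio">' . filter_xss($bio, $allowed) . '</div>';

  // Text stored together with a text format is run through that format's
  // filter chain instead of a fixed tag list:
  // $output .= check_markup($bio, 'filtered_html');

  // l() escapes the link text and builds the href through url() and
  // check_plain(), so a javascript: URL cannot become a live protocol.
  $output .= l($name, $homepage);

  // Placeholder types in t(): @ escapes, % escapes and emphasises, ! inserts
  // raw text and must only ever receive already-sanitized markup.
  drupal_set_message(t('Viewing the profile of %name.', array('%name' => $name)));

  return $output;
}
```

The rule the block illustrates: pick the wrapper by what the value is allowed to contain (no markup, a fixed tag list, or a configured text format), and never escape a value twice on its way through t() or drupal_set_title().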
Protect Your Database
db_query()
Runs a query in the database with arguments to the query, passed in as separate parameters, which are escaped to prevent SQL injection attacks.
db_query()
CORRECT: db_query("INSERT INTO {table} VALUES (%d, '%s')", $node->profile_age, $node->profile_firstname);
WRONG: db_query("SELECT * FROM table WHERE field = $node->profile_age");
db_rewrite_sql() – Not in Drupal 7
Rewrites node, taxonomy and comment queries to respect Drupal's node access mechanism. Protects against unauthorized access to content.
db_rewrite_sql()
CORRECT: db_query(db_rewrite_sql("SELECT * FROM {node} WHERE uid = %d"), $uid);
INCORRECT: db_query("SELECT * FROM {node} WHERE uid = %d", $uid);
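As an added example, not taken from the slides or from Drupal core, here are the db_query() and db_rewrite_sql() habits above rewritten for Drupal 7, where the %d / '%s' placeholders and db_rewrite_sql() no longer exist. It assumes Drupal 7; the example_* functions and the example_profile table are hypothetical.

```php
<?php
// Added example, not from the slides or from Drupal core. Assumes Drupal 7;
// the example_* names and the example_profile table are hypothetical.

/**
 * WRONG: the caller's value is interpolated into the SQL string, so the
 * value can change the shape of the query.
 */
function example_nodes_by_author_unsafe($uid) {
  return db_query("SELECT nid, title FROM {node} WHERE uid = $uid")->fetchAllKeyed();
}

/**
 * CORRECT: a static query with named placeholders. Drupal 7 replaces the
 * %d / '%s' placeholders of the slides with :name placeholders; the value
 * is bound by the driver and never becomes part of the SQL text.
 */
function example_nodes_by_author($uid) {
  $result = db_query('SELECT nid, title FROM {node} WHERE uid = :uid', array(':uid' => $uid));
  return $result->fetchAllKeyed();   // array(nid => title)
}

/**
 * CORRECT, and respecting node access: db_rewrite_sql() is gone in Drupal 7;
 * its replacement is the 'node_access' tag on a dynamic query, which lets
 * node access modules add their grant conditions to the query.
 */
function example_nodes_by_author_accessible($uid) {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.uid', $uid)
    ->condition('n.status', 1)
    ->addTag('node_access');
  return $query->execute()->fetchAllKeyed();
}

/**
 * CORRECT: the INSERT from the slides written with the query builder, so
 * the values never touch the SQL string at all.
 */
function example_save_profile($uid, $age, $firstname) {
  return db_insert('example_profile')
    ->fields(array(
      'uid' => $uid,
      'age' => (int) $age,
      'firstname' => $firstname,
    ))
    ->execute();
}

/**
 * Placeholders also cover lists: an array bound to :nids is expanded to
 * (:nids_0, :nids_1, ...), so IN (...) needs no string building either.
 */
function example_titles_for_nids(array $nids) {
  if (empty($nids)) {
    return array();
  }
  return db_query('SELECT nid, title FROM {node} WHERE nid IN (:nids)', array(':nids' => $nids))
    ->fetchAllKeyed();
}
```

The access-respecting variant is the one to reach for whenever the query lists content for display: a placeholder protects the database from the value, but only the node_access tag protects the content from the reader.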
![Page 37: Hack-Proof Your Drupal App](https://reader035.fdocuments.net/reader035/viewer/2022070304/54c792d44a7959af108b4699/html5/thumbnails/37.jpg)
Beware User Input Sources of user input:
Form fields Uploaded files Query string Other sites
Hack-proof Your Drupal App DrupalCamp NH 2011
![Page 38: Hack-Proof Your Drupal App](https://reader035.fdocuments.net/reader035/viewer/2022070304/54c792d44a7959af108b4699/html5/thumbnails/38.jpg)
This is an exploited comment.
<link rel="stylesheet" type="text/css" href="http://ha.ckers.org/xss.js{"><script>alert('xss');</script>}body{font-family:{" />
AJAX Risks
• AJAX transactions are not private
• Eval() is not 100% safe; use JSONP
Things Good Drupalers Do
• Sanitize output
• Use the Form API
• Use parameterized queries
• Leave core intact
• Grant minimal permissions
• Use HTTPS for social websites
• Keep core and modules up to date!
Things That Will Bite You
• Printing raw values
• Modifying data with $_GET
• Parameterized queries? WTF?
• Hacking core and killing kittens
• Allowing untrusted users to post the following tags: script, img, iframe, embed, object, input, link, style, meta, frameset, div, base, table, tr, td
• Allowing untrusted users to post full HTML
“drupal” is NOT a good admin password!!
(neither is “lapurd”)
Other Common Mistakes
<?php
global $user;
// Bad – this will escalate the privileges: the global $user is overwritten, so the rest of the request runs as account $uid
$user = user_load(array('uid' => $uid));
?>
<?php
global $user;
// SAFE – do this instead: load into a separate variable and leave $user alone
$account = user_load(array('uid' => $uid));
?>
Other Common Mistakes
• Improper URL access
• Incorrect usage of 'access callback' in hook_menu()
• Lack of security settings on views
• Writing forms in HTML: use the Form API to provide automatic CSRF protection
Other Common Mistakes
• Unvalidated and open redirects: iframes, drupal_goto, location.href
• Promiscuous crossdomain.xml files
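As an added example (not from the slides or from Drupal core) covering the 'access callback', HTML-form and open-redirect items on the two Other Common Mistakes slides above, here is a Drupal 7 module fragment that gates a page on a real permission, builds its form with the Form API so the CSRF token check is applied, and only redirects to a local path. The module name example, its path, its permission and the return query parameter are hypothetical.

```php
<?php
// Added example, not from the slides or from Drupal core. Assumes Drupal 7.
// The module name "example", its path, its permission and the "return"
// query parameter are hypothetical.

/**
 * Implements hook_menu().
 */
function example_menu() {
  $items = array();

  // WRONG: 'access callback' => TRUE publishes the page to everyone,
  // anonymous users included.
  // $items['example/settings'] = array(
  //   'page callback' => 'drupal_get_form',
  //   'page arguments' => array('example_settings_form'),
  //   'access callback' => TRUE,
  // );

  // CORRECT: 'access callback' defaults to user_access(), so naming the
  // permission in 'access arguments' is enough to gate the page.
  $items['example/settings'] = array(
    'title' => 'Example settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_settings_form'),
    'access arguments' => array('administer example settings'),
  );
  return $items;
}

/**
 * Implements hook_permission().
 */
function example_permission() {
  return array(
    'administer example settings' => array(
      'title' => t('Administer example settings'),
    ),
  );
}

/**
 * Form builder. drupal_get_form() adds the form_build_id and form_token
 * fields; a POST whose token is missing or does not match the session is
 * rejected before any validate or submit handler runs. That is the
 * automatic CSRF protection a hand-written <form> never gets.
 */
function example_settings_form($form, &$form_state) {
  $form['greeting'] = array(
    '#type' => 'textfield',
    '#title' => t('Greeting'),
    '#default_value' => variable_get('example_greeting', ''),
    '#maxlength' => 64,
  );
  $form['submit'] = array(
    '#type' => 'submit',
    '#value' => t('Save'),
  );
  return $form;
}

/**
 * Submit handler: stores the value and redirects only to a local path.
 */
function example_settings_form_submit($form, &$form_state) {
  // Store the raw value; escape it where it is printed, not here.
  variable_set('example_greeting', $form_state['values']['greeting']);

  // Open-redirect guard for a user-supplied "return" parameter: anything
  // external, or not a valid local menu path, falls back to the front page.
  $return = isset($_GET['return']) ? $_GET['return'] : '';
  if ($return === '' || url_is_external($return) || !drupal_valid_path($return)) {
    $return = '<front>';
  }
  // The Form API hands this to drupal_goto() once the submit handlers finish.
  $form_state['redirect'] = $return;
}
```

Two design points: the permission is declared in hook_permission() rather than reusing a broad one such as 'administer site configuration', which keeps "grant minimal permissions" possible for site builders; and the redirect target is checked against an allow-condition (local and routable) rather than a deny-list of bad prefixes.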
Don't Trust User Input!
Drupal Security Resources
• http://drupal.org
• Writing Secure Code (http://drupal.org/writing-secure-code)
• Handle Text in a Secure Fashion (http://drupal.org/node/28984)
• Secure File Permissions: http://drupal.org/node/244924
• Drupal Security Team
Modules
• Coder (http://drupal.org/project/coder)
• Security Review (http://drupal.org/project/security_review)
• Secure Code Review (http://drupal.org/project/secure_code_review)
• Secure Permissions (http://drupal.org/project/secure_permissions)
Books
• Pro Drupal Development (VanDyk)
• Cracking Drupal: A Drop in the Bucket (Knaddison)
• XSS Scripting Attacks (Grossman)
Questions?