hack-proof your drupal app

Post on 27-Jan-2015


Hack-proof Your Drupal App

Key Habits of Secure Drupal Coding

Hack-proof Your Drupal App DrupalCamp NH 2011

http://twitter.com/ebeyrent

http://drupal.org/user/23897

Introductions

Erich Beyrent

My Modules

Permissions API
Permissions Superuser
Crowd SSO
LDAP Extended Groups
Context Local Tasks
Search Lucene Biblio
Search Lucene Attachments
Search Lucene OG
Visual Search API

Agenda

Secrets to Securing a Social Network
Key Habits of Secure Drupal Coding
Vulnerability Detection to Remediation
Security Resources for Drupal Applications
See For Yourself - demonstrations of application attacks
Discussions

Have you ever...


Source: http://www.flickr.com/photos/wili/233621595/

HILARITY DID NOT ENSUE

The Results

120 vulnerabilities were discovered:
XSS
CSRF
SQL Injection
Insufficient Authorization

What Was Learned

90% of the vulnerabilities existed in the theme
Untrusted data from the query string was printed without filtering
Custom search forms were insecure
crossdomain.xml caused vulnerabilities

Fixing The Problems

Completely reviewed the theme, implementing Drupal output filters
Code was audited to ensure sanitization of all user data
Rewrote the search forms to sanitize user data and use the Form API
Implemented web services proxy

Drupal Security Report

• Authored by Ben Jeavons and Greg Knaddison
• Provides an analysis of the current state of security in Drupal
• Reports on the number of vulnerabilities by type reported in SAs for Drupal core and contributed modules

Source: Drupal Security Report, http://drupalsecurityreport.org/

June 2005 – March 2010

By The Numbers

Source: http://www.cvedetails.com/vendor/1367/Drupal.html

Key Habits of Secure Drupal Coding

Wrap your output
Protect your database
Beware user input
AJAX risks

Reality

YouTube (July 2010)

Reality

Security experts estimate that 66% of websites are vulnerable to XSS attacks (Jeremiah Grossman, WhiteHat Security)

The vast majority of vulnerabilities in Drupal are XSS attacks

Why?

• Drupal has at least 8 different APIs for sanitizing output
• Security presentations are given at DrupalCons and DrupalCamps all around the world
• Drupal Security Announcements

Wrap Your Output: check_plain()

check_plain()

This is for simple text without any markup. Encodes special characters in a plain-text string for display as HTML. Checks for UTF-8 to prevent cross site scripting attacks on Internet Explorer 6. Don't call it on values passed to t() or l(); use their placeholders instead.

Wrap Your Output: check_markup()

check_markup()

This is for text which contains markup in some language. Runs all the enabled filters on a piece of text.

Wrap Your Output: filter_xss()

filter_xss()

Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities. Removes characters and constructs that can trick browsers. Makes sure all HTML entities are well-formed. Makes sure all HTML tags and attributes are well-formed. Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).

Source: http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss/7

Wrap Your Output: filter_xss_admin()

filter_xss_admin()

Very permissive XSS/HTML filter for admin-only use.

Use only for fields where it is impractical to use the whole filter system, but where some (mainly inline) mark-up is desired (so check_plain() is not acceptable).

Allows all tags that can be used inside an HTML body, save for scripts and styles.

Source: http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss_admin/7

t()

String translation; sanitizes your output if used properly:

t("Input @s", array('@s' => $string));

l()

Filters link text and protects against bad protocols

GOOD: print l($content, $link);

BAD: print '<a href="' . $link . '">' . $content . '</a>';

drupal_set_title()

In Drupal 7, output is sanitized by default!

drupal_set_title($tainted, CHECK_PLAIN);
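As an added Drupal 7 example (not from the slides), the same tainted values printed raw and then wrapped with the APIs above; the query-string keys, the module name and the loaded $comment object are assumptions.

```php
<?php
// Added example, not from the slides. A Drupal 7 page callback; the query-string
// keys, the module name and the loaded $comment object are assumptions.
function example_results_page($comment) {
  $search = isset($_GET['search']) ? $_GET['search'] : '';
  $link   = isset($_GET['url']) ? $_GET['url'] : '';
  $body   = $comment->comment_body[LANGUAGE_NONE][0]['value'];

  // BAD: raw values reach the browser. A query string such as
  // ?search=<script>...</script> becomes executable markup and
  // ?url=javascript:... becomes a clickable link. Shown only for contrast;
  // this string is never returned.
  $bad  = '<h2>Results for ' . $search . '</h2>';
  $bad .= '<a href="' . $link . '">' . $search . '</a>';
  $bad .= '<div class="comment">' . $body . '</div>';

  // GOOD: wrap every value with the API that matches what it is.
  // Plain text: check_plain() encodes <, >, &, " and validates UTF-8.
  $good = '<h2>' . check_plain($search) . '</h2>';
  // Translatable text: the @ placeholder escapes for you; no check_plain() first.
  $good .= '<p>' . t('Results for @term', array('@term' => $search)) . '</p>';
  // Links: l() escapes the link text and strips disallowed protocols from the URL.
  $good .= l($search, $link);
  // Markup that is wanted but untrusted: filter_xss() with an explicit tag
  // whitelist (none of the script, img, iframe, link or style tags the
  // "Things That Will Bite You" slide lists).
  $good .= '<div class="comment">'
    . filter_xss($body, array('a', 'em', 'strong', 'p'))
    . '</div>';
  // Page title: CHECK_PLAIN is the Drupal 7 default, spelled out here.
  drupal_set_title($search, CHECK_PLAIN);
  return $good;
}
```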

Protect Your Database: db_query()

db_query()

Runs a query in the database with arguments to the query, passed in as separate parameters, which are escaped to prevent SQL injection attacks.

db_query()

CORRECT:

db_query("INSERT INTO {table} VALUES (%d, '%s')", $node->profile_age, $node->profile_firstname);

WRONG:

db_query("SELECT * FROM table WHERE field = $node->profile_age");

Protect Your Database: db_rewrite_sql() – Not in Drupal 7

db_rewrite_sql()

Rewrites node, taxonomy and comment queries to respect Drupal's node access mechanism. Protects against unauthorized access to content.

db_rewrite_sql()

CORRECT:

db_query(db_rewrite_sql("SELECT * FROM {node} WHERE uid = %d"), $uid);

INCORRECT:

db_query("SELECT * FROM {node} WHERE uid = %d", $uid);
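Added example (not from the slides): the db_query() and db_rewrite_sql() slides above written for Drupal 7, where placeholders are named and the node access rewrite is done by tagging a db_select() query; the table name profile_table and the variables $uid, $age and $firstname are assumptions.

```php
<?php
// Added example, not from the slides. Drupal 7 database layer; $uid, $age and
// $firstname are assumed to arrive from user input, profile_table is assumed.

// WRONG: interpolating the value builds the SQL from untrusted data, so a
// $uid of "1 OR 1=1" changes the query.
// $result = db_query("SELECT nid, title FROM {node} WHERE uid = $uid");

// CORRECT: a named placeholder. The driver binds the value, so the same
// string is compared as data and never parsed as SQL.
$result = db_query('SELECT nid, title FROM {node} WHERE uid = :uid',
  array(':uid' => $uid));

// Inserts go through the query builder; values are bound, never concatenated.
db_insert('profile_table')
  ->fields(array('age' => (int) $age, 'firstname' => $firstname))
  ->execute();

// Drupal 6 wrapped queries in db_rewrite_sql() so node access grants applied.
// In Drupal 7 the equivalent is the 'node_access' tag on a db_select() query;
// without it, rows that node access modules hide are returned anyway.
$query = db_select('node', 'n')
  ->fields('n', array('nid', 'title'))
  ->condition('n.uid', $uid)
  ->addTag('node_access');
foreach ($query->execute() as $row) {
  // Data out of the database is still untrusted: wrap it before printing.
  print check_plain($row->title);
}
```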

Beware User Input

Sources of user input:
Form fields
Uploaded files
Query string
Other sites

This is an exploited comment.

<link rel="stylesheet" type="text/css" href="http://ha.ckers.org/xss.js{"><script>alert('xss');</script>}body{font-family:{" />

AJAX Risks

AJAX transactions are not private
eval() is not 100% safe; use JSONP

Things Good Drupalers Do

Sanitize output
Use the Form API
Use parameterized queries
Leave core intact
Grant minimal permissions
Use HTTPS for social websites
Keep core and modules up to date!

Things That Will Bite You

Printing raw values
Modifying data with $_GET
Parameterized queries? WTF?
Hacking core and killing kittens
Allowing untrusted users to post the following tags: script, img, iframe, embed, object, input, link, style, meta, frameset, div, base, table, tr, td
Allowing untrusted users to post full HTML

“drupal” is NOT a good admin password!!

(neither is “lapurd”)

Other Common Mistakes

<?php
global $user;
// Bad – this will escalate the privileges
$user = user_load(array('uid' => $uid));
?>

<?php
global $user;
// SAFE – do this instead
$account = user_load(array('uid' => $uid));
?>

Other Common Mistakes

Improper URL access
Incorrect usage of 'access callback' in hook_menu()
Lack of security settings on views
Writing forms in HTML: use the Form API to provide automatic CSRF protection

Other Common Mistakes

Unvalidated and open redirects
Iframes, drupal_goto, location.href
Promiscuous crossdomain.xml files
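Added example (not from the slides): a small Drupal 7 module, name "example" assumed, that avoids three of the mistakes on the two slides above: a menu item whose access is checked by the router, a form built with the Form API so it carries a CSRF token, and a drupal_goto() that only follows local paths.

```php
<?php
// Added example, not from the slides. Module name "example", the path and the
// permission name are assumptions.

function example_menu() {
  $items = array();
  // BAD: 'access callback' => TRUE would make the page public to everyone.
  // GOOD: name the permission; user_access() is the default access callback.
  $items['admin/example/settings'] = array(
    'title' => 'Example settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_settings_form'),
    'access arguments' => array('administer example'),
  );
  return $items;
}

function example_permission() {
  return array(
    'administer example' => array('title' => t('Administer example')),
  );
}

// Form API: drupal_get_form() adds a per-session form token, so a POST forged
// from another site fails validation before any submit handler runs.
function example_settings_form($form, &$form_state) {
  $form['destination'] = array(
    '#type' => 'textfield',
    '#title' => t('Return to'),
    // #default_value is escaped by the textfield theme on render.
    '#default_value' => isset($_GET['destination']) ? $_GET['destination'] : '',
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
  return $form;
}

function example_settings_form_submit($form, &$form_state) {
  $destination = $form_state['values']['destination'];
  // Open redirect guard: refuse external URLs and protocol-relative paths
  // ("//evil.example") so the form cannot bounce users off the site.
  if (url_is_external($destination) || strpos($destination, '//') === 0) {
    $destination = '<front>';
  }
  drupal_goto($destination);
}
```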

Don't Trust User Input!

Drupal Security Resources

http://drupal.org
Writing Secure Code (http://drupal.org/writing-secure-code)
Handle Text in a Secure Fashion (http://drupal.org/node/28984)
Secure File Permissions: http://drupal.org/node/244924
Drupal Security Team

Modules

Coder (http://drupal.org/project/coder)
Security Review (http://drupal.org/project/security_review)
Secure Code Review (http://drupal.org/project/secure_code_review)
Secure Permissions (http://drupal.org/project/secure_permissions)

Books

Pro Drupal Development (VanDyk)
Cracking Drupal: A Drop in the Bucket (Knaddison)
XSS Scripting Attacks (Grossman)

Questions?
