

Anatomy of Vulnerabilities

Protecting against Vulnerabilities

Kite Systems is an Agile development house which means the client is actively involved all the way through the development process. We build high quality, secure platforms using Java J2EE, Microsoft .NET, Ruby on Rails, PHP and Python.

Join Us

About myself, Gerald Villorente

Web Developer/themer at Kite Systems Inc.

Drupal developer since 2010

Drupal PH kids mentor

Is Drupal Secure?

A site is secure if:private data is kept private,

the site cannot be forced offline or into a degraded mode by a remote visitor

the site resources are used only for their intended purposes

the site content can be edited only by appropriate users.

State of being SECURE

Week spot of web applications

For Drupal developer who wants to deliver an applications, security do not ends with proper use of Drupal security API:OS (MS, Unix, BSD, OS X)

Web Server (Apache, IIS, Nginx, ...)

Web Platform (php, .NET, ...)

Other Services (ftp, )

Web applications - attacks against authentication & authorization, site structure, input validation, app logic

database - sql injection

availability - DoS attacks

Common Drupal attacks





jQuery.get(Drupal.settings.basePath + 'user/1/edit', function (data, status) { if (status == 'success') { // Extract the token and other required data var matches = data.match(/id="edit-user-profile-form-form-token" value="([a-z0-9])"/); var token = matches[1]; // Post the minimum amount of fields. Other fields get their default values. var payload = { "form_id": 'user_profile_form', "form_token": token, "pass[pass1]": 'hacked', "pass[pass2]": 'hacked' }; + 'user/1/edit', payload); } } );}

Other Attacks


Remote code execution- Exploiting register_globals in PHP

require ($page . ".php");


Counter Measures

Proper use of Drupal API

Coding Standard (coder, code_sniffer)- Coder & Sniffer demo

Keep up with security patches and minor releases

Permission by role (hook_perm, user_access)


SSL (Secure Socket Layer)

Counter Measures (cont.)

File permission

Apache Hardening

Disable unneeded modules

Implement ModSecurity, Request Filtering, Anti-Evasion Techniques, HTTP Filtering Rules, Full Audit Logging, HTTPS Intercepting, Chroot Functionality, Mask Web Server Identity

Document root restriction allow Apache to only go to /path/to/public_html

Apache Hardening

Chrooting Apache

$ mkdir -p /var/chroot/apache

$ adduser --home /var/chroot/apache --shell /bin/false \ --no-create-home --system --group juandelacruz

PHP Hardening (part 1)

turn off register_globals

open_basedir - restrict php file access to only certain directories


expose_php - remove php info from http headers


safe_mode - php can use only files which it is an owner


PHP Hardening (part 2)

Suhoshin- php engine protection with couple of patches- range of runtime protection, session protection, filtering features and logging- features

Drupal Hardening

Keep updated

Coding standard

Install only trusted module, check issue queue

Use captcha, login_security, single_login, password_policy, salt

user permission

input formats and filter

Drupal Hardening: Coding Standard

Never write and/or execute sql commands manually, use Drupal DB layer

use db_query() properly

don't writedb_query("SELECT * FROM {users} WHERE name = '$username'");

write thisdb_query("SELECT * FROM {users} WHERE name = '%s'", $username);

placeholders are: %s, %d, %f, %b, %%

use db_rewrite_sql to respect node access restrictions$result = db_query(db_rewrite_sql("SELECT n.nid, n.title FROM {node} n"));

Drupal Hardening: Form API

never write forms that manually uses Drupal's Forms API

Forms API protects you from invalid form data

Forms API protects you against CSRF

don't trust js for input validation - its easy to disable it. If you want to use it always check user data on server side.

when using AJAX use drupal_get_token and drupal_check_token:

Calculate hash of defined string, user session and site specific secret code

Drupal Hardening: File Upload

file_validate_is_image - check if file is really an image

check_file - check if file is uploaded via HTTP POST

file_check_location - Check if a file is really located inside $directory

set disk quotes properly - you don't want to fill server hard disk

Drupal Hardening: Respect and define new permissions

consider to use hook_perm in your module

wrap your code with user_access

filter_access($format) check if user has access to requested filter format

use menu access arguments

if (user_access('some permission')) { .... }

Drupal Hardening: Dont trust user input

Filter user input, sanitize the outputInput Format

filter_xss() - Filters HTML to prevent XSS

check_plain() - Encodes special characters in a plain-text string for display as HTML

check_url() - filter dangerous protocol

check_markup - Run all the enabled filters on a piece of text

Drupal Hardening: Dont trust user input

Again, think like a hacker...

Use penetration testing tool- Metasploit framework- Nessus- Nikto- Backbox and Backtrack

Fix, audit, fix ...


Top Related