hack-proof your drupal app
DESCRIPTION
TRANSCRIPT
Hack-proof Your Drupal App
Key Habits of Secure Drupal Coding
Hack-proof Your Drupal App DrupalCamp NH 2011
http://twitter.com/ebeyrent
http://drupal.org/user/23897
Introductions
Permissions API
Permissions Superuser
Crowd SSO
LDAP Extended Groups
Context Local Tasks
Search Lucene Biblio
Search Lucene Attachments
Search Lucene OG
Visual Search API
My Modules
Hack-proof Your Drupal App DrupalCamp NH 2011
Erich Beyrent
Agenda Secrets to Securing a Social Network Key Habits of Secure Drupal Coding Vulnerability Detection to Remediation Security Resources for Drupal Applications See For Yourself - demonstrations of application
attacks Discussions
Hack-proof Your Drupal App DrupalCamp NH 2011
Have you ever...
Hack-proof Your Drupal App DrupalCamp NH 2011
Hack-proof Your Drupal App DrupalCamp NH 2011
Source: http://www.flickr.com/photos/wili/233621595/
HILARITY DID NOT ENSUE
Hack-proof Your Drupal App DrupalCamp NH 2011
The Results 120 vulnerabilities were discovered
XSS CSRF SQL Injection Insufficient Authorization
Hack-proof Your Drupal App DrupalCamp NH 2011
What Was Learned 90% of the vulnerabilities existed in the theme Untrusted data from the query string was printed
without filtering Custom search forms were insecure crossdomain.xml caused vulnerabilities
Hack-proof Your Drupal App DrupalCamp NH 2011
Fixing The Problems Completely reviewed the theme, implementing
Drupal output filters Code was audited to ensure sanitization of all
user data Rewrote the search forms to sanitize user data and
use the Form API Implemented web services proxy
Hack-proof Your Drupal App DrupalCamp NH 2011
Drupal Security Report• Authored by Ben Jeavons and Greg
Knaddison
• Provides an analysis of the current state of security in Drupal
• Reports on the number of vulnerabilities by type reported in SAs for Drupal core and contributed modules
Hack-proof Your Drupal App DrupalCamp NH 2011
Source: Drupal Security Reporthttp://drupalsecurityreport.org/
June 2005 – March 2010
Hack-proof Your Drupal App DrupalCamp NH 2011
By The Numbers
Source: http://www.cvedetails.com/vendor/1367/Drupal.html
Hack-proof Your Drupal App DrupalCamp NH 2011
Wrap your output
Hack-proof Your Drupal App DrupalCamp NH 2011
Key Habits of Secure Drupal Coding
Wrap your output Protect your database
Hack-proof Your Drupal App DrupalCamp NH 2011
Key Habits of Secure Drupal Coding
Wrap your output Protect your database Beware user input
Hack-proof Your Drupal App DrupalCamp NH 2011
Key Habits of Secure Drupal Coding
Wrap your output Protect your database Beware user input AJAX risks
Hack-proof Your Drupal App DrupalCamp NH 2011
Key Habits of Secure Drupal Coding
RealityHack-proof Your Drupal App DrupalCamp NH 2011
YouTube (July 2010)
Reality Security experts estimate that 66% of websites
are vulnerable to XSS attacks (Jeremiah Grossman, WhiteHat Security)
The vast majority of vulnerabilities in Drupal are in XSS attacks
Hack-proof Your Drupal App DrupalCamp NH 2011
Why?• Drupal has at least 8 different APIs for
sanitizing output
• Security presentations are given at DrupalCons and DrupalCamps all around the world
• Drupal Security Announcements
Hack-proof Your Drupal App DrupalCamp NH 2011
Wrap Your Outputcheck_plain()
Hack-proof Your Drupal App DrupalCamp NH 2011
check_plain() This is for simple text without any markup. Encodes special characters in a plain-text string
for display as HTML. Checks for UTF-8 to prevent cross site scripting
attacks on Internet Explorer 6. Don't use this when using the t(), l(); use
placeholders
Hack-proof Your Drupal App DrupalCamp NH 2011
Wrap Your Outputcheck_plain()check_markup()
Hack-proof Your Drupal App DrupalCamp NH 2011
check_markup() This is for text which contains markup in some
language Runs all the enabled filters on a piece of text.
Hack-proof Your Drupal App DrupalCamp NH 2011
Wrap Your Outputcheck_plain()check_markup()filter_xss()
Hack-proof Your Drupal App DrupalCamp NH 2011
filter_xss() Filters an HTML string to prevent cross-site-
scripting (XSS) vulnerabilities. Removes characters and constructs that can trick
browsers. Makes sure all HTML entities are well-formed. Makes sure all HTML tags and attributes are well-
formed. Makes sure no HTML tags contain URLs with a
disallowed protocol (e.g. javascript:).Source: http://http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss/7
Hack-proof Your Drupal App DrupalCamp NH 2011
Wrap Your Outputcheck_plain()check_markup()filter_xss()filter_xss_admin()
Hack-proof Your Drupal App DrupalCamp NH 2011
filter_xss_admin() Very permissive XSS/HTML filter for
admin-only use. .
Use only for fields where it is impractical to use the whole filter system, but where some (mainly inline) mark-up is desired (so check_plain() is not acceptable).
Allows all tags that can be used inside an HTML body, save for scripts and styles.
Source:http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss_admin/7
Hack-proof Your Drupal App DrupalCamp NH 2011
t() String translation, sanitizes your output if
used properly
t(“Input @s", array('@s' => $string));
Hack-proof Your Drupal App DrupalCamp NH 2011
l() Filters link text and protects against bad
protocols
GOOD print l($content, $link);
BAD print '<a href="' . $link . '">' . $content .
'</a>';
Hack-proof Your Drupal App DrupalCamp NH 2011
drupal_set_title()
In Drupal 7, sanitized output by default!
drupal_set_title($tainted, CHECK_PLAIN);
Hack-proof Your Drupal App DrupalCamp NH 2011
Protect Your Databasedb_query()
Hack-proof Your Drupal App DrupalCamp NH 2011
db_query() Runs a query in the database with arguments to
the query, passed in as separate parameters, which are escaped to prevent SQL injection attacks.
Hack-proof Your Drupal App DrupalCamp NH 2011
db_query() CORRECT:
db_query(“INSERT INTO {table} VALUES (%d, '%s')”, $node->profile_age, $node->profile_firstname);
WRONG: db_query(“SELECT * FROM table
WHERE field = $node->profile_age”);
Hack-proof Your Drupal App DrupalCamp NH 2011
Protect Your Databasedb_query()db_rewrite_sql() – Not in Drupal 7
Hack-proof Your Drupal App DrupalCamp NH 2011
db_rewrite_sql() Rewrites node, taxonomy and comment queries
to respect Drupal's node access mechanism. Protects against unauthorized access to
content.
Hack-proof Your Drupal App DrupalCamp NH 2011
db_rewrite_sql() CORRECT:
db_query(db_rewrite_sql( “SELECT * FROM {node} WHERE uid = %d”, $uid));
INCORRECT: db_query(“SELECT * FROM
{node} WHERE uid = %d”, $uid);
Hack-proof Your Drupal App DrupalCamp NH 2011
Beware User Input Sources of user input:
Form fields Uploaded files Query string Other sites
Hack-proof Your Drupal App DrupalCamp NH 2011
This is an exploited comment.
<link rel="stylesheet" type="text/css" href="http://ha.ckers.org/xss.js{"><script>alert('xss');</script>}body{font-family:{" />
Hack-proof Your Drupal App DrupalCamp NH 2011
AJAX Risks AJAX transactions are not private Eval() is not 100% safe; use JSONP
Hack-proof Your Drupal App DrupalCamp NH 2011
Sanitize output Use the Form API Use parameterized queries Leave core intact Grant minimal permissions Use HTTPS for social websites Keep core and modules up to date!
Hack-proof Your Drupal App DrupalCamp NH 2011
Things Good Drupalers Do
Printing raw values Modifying data with $_GET Parameterized queries? WTF? Hacking core and killing kittens Allowing untrusted users to post the
following tags: script, img, iframe, embed, object, input, link, style, meta, frameset, div, base, table, tr, td
Allowing untrusted users to post full HTML
Things That Will Bite You
Hack-proof Your Drupal App DrupalCamp NH 2011
“drupal” is NOT a good admin password!!
(neither is “lapurd”)
Other Common Mistakes<?php
global $user;
// Bad – this will escalate the privileges
$user = user_load(array('uid' => $uid));
?>
<?php
global $user;
// SAFE – do this instead
$account = user_load(array('uid' => $uid));
?>
Hack-proof Your Drupal App DrupalCamp NH 2011
Other Common Mistakes Improper URL access
Incorrect usage of 'access callback' in hook_menu()
Lack of security settings on views Writing forms in HTML
Use the Form API to provide automatic CSRF protection
Hack-proof Your Drupal App DrupalCamp NH 2011
Other Common Mistakes Unvalidated and open redirects
Iframes, drupal_goto, location.href Promiscuous crossdomain.xml files
Hack-proof Your Drupal App DrupalCamp NH 2011
Hack-proof Your Drupal App DrupalCamp NH 2011
Don't Trust User Input!
http://drupal.org Writing Secure Code (http://drupal.org/writing-
secure-code) Handle Text in a Secure Fashion (
http://drupal.org/node/28984) Secure File Permissions:
http://drupal.org/node/244924 Drupal Security Team
Drupal Security Resources
Hack-proof Your Drupal App DrupalCamp NH 2011
Coder (http://drupal.org/project/coder) Security Review (http://
drupal.org/project/security_review) Secure Code Review (http://
drupal.org/project/secure_code_review) Secure Permissions (http://
drupal.org/project/secure_permissions)
Modules
Hack-proof Your Drupal App DrupalCamp NH 2011
Pro Drupal Development book (VanDyk) Cracking Drupal: A Drop in the Bucket
(Knaddison) XSS Scripting Attacks (Grossman)
Books
Hack-proof Your Drupal App DrupalCamp NH 2011
Questions?
Hack-proof Your Drupal App DrupalCamp NH 2011