hack-proof your drupal app

Hack-proof Your Drupal App

Key Habits of Secure Drupal Coding

Hack-proof Your Drupal App DrupalCamp NH 2011

http://twitter.com/ebeyrent

http://drupal.org/user/23897

Introductions

Permissions API

Permissions Superuser

Crowd SSO

LDAP Extended Groups

Context Local Tasks

Search Lucene Biblio

Search Lucene Attachments

Search Lucene OG

Visual Search API

My Modules


Erich Beyrent

Agenda Secrets to Securing a Social Network Key Habits of Secure Drupal Coding Vulnerability Detection to Remediation Security Resources for Drupal Applications See For Yourself - demonstrations of application

attacks Discussions


Have you ever...



Source: http://www.flickr.com/photos/wili/233621595/

HILARITY DID NOT ENSUE


The Results 120 vulnerabilities were discovered

XSS CSRF SQL Injection Insufficient Authorization


What Was Learned 90% of the vulnerabilities existed in the theme Untrusted data from the query string was printed

without filtering Custom search forms were insecure crossdomain.xml caused vulnerabilities


Fixing The Problems Completely reviewed the theme, implementing

Drupal output filters Code was audited to ensure sanitization of all

user data Rewrote the search forms to sanitize user data and

use the Form API Implemented web services proxy


Drupal Security Report• Authored by Ben Jeavons and Greg

Knaddison

• Provides an analysis of the current state of security in Drupal

• Reports on the number of vulnerabilities by type reported in SAs for Drupal core and contributed modules


Source: Drupal Security Reporthttp://drupalsecurityreport.org/

June 2005 – March 2010


By The Numbers

Source: http://www.cvedetails.com/vendor/1367/Drupal.html


Wrap your output



Wrap your output Protect your database



Wrap your output Protect your database Beware user input



Wrap your output Protect your database Beware user input AJAX risks



RealityHack-proof Your Drupal App DrupalCamp NH 2011

YouTube (July 2010)

Reality Security experts estimate that 66% of websites

are vulnerable to XSS attacks (Jeremiah Grossman, WhiteHat Security)

The vast majority of vulnerabilities in Drupal are in XSS attacks


Why?• Drupal has at least 8 different APIs for

sanitizing output

• Security presentations are given at DrupalCons and DrupalCamps all around the world

• Drupal Security Announcements


Wrap Your Outputcheck_plain()


check_plain() This is for simple text without any markup. Encodes special characters in a plain-text string

for display as HTML. Checks for UTF-8 to prevent cross site scripting

attacks on Internet Explorer 6. Don't use this when using the t(), l(); use

placeholders


Wrap Your Outputcheck_plain()check_markup()


check_markup() This is for text which contains markup in some

language Runs all the enabled filters on a piece of text.


Wrap Your Outputcheck_plain()check_markup()filter_xss()


filter_xss() Filters an HTML string to prevent cross-site-

scripting (XSS) vulnerabilities. Removes characters and constructs that can trick

browsers. Makes sure all HTML entities are well-formed. Makes sure all HTML tags and attributes are well-

formed. Makes sure no HTML tags contain URLs with a

disallowed protocol (e.g. javascript:).Source: http://http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss/7


Wrap Your Outputcheck_plain()check_markup()filter_xss()filter_xss_admin()


filter_xss_admin() Very permissive XSS/HTML filter for

admin-only use. .

Use only for fields where it is impractical to use the whole filter system, but where some (mainly inline) mark-up is desired (so check_plain() is not acceptable).

Allows all tags that can be used inside an HTML body, save for scripts and styles.

Source:http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss_admin/7


http://api.drupal.org/api/drupal/includes--bootstrap.inc/function/check_plain/7

t() String translation, sanitizes your output if

used properly

t(“Input @s", array('@s' => $string));


l() Filters link text and protects against bad

protocols

GOOD print l($content, $link);

BAD print '<a href="' . $link . '">' . $content .

'</a>';


drupal_set_title()

In Drupal 7, sanitized output by default!

drupal_set_title($tainted, CHECK_PLAIN);


Protect Your Databasedb_query()


db_query() Runs a query in the database with arguments to

the query, passed in as separate parameters, which are escaped to prevent SQL injection attacks.


db_query() CORRECT:

db_query(“INSERT INTO {table} VALUES (%d, '%s')”, $node->profile_age, $node->profile_firstname);

WRONG: db_query(“SELECT * FROM table

WHERE field = $node->profile_age”);


Protect Your Databasedb_query()db_rewrite_sql() – Not in Drupal 7


db_rewrite_sql() Rewrites node, taxonomy and comment queries

to respect Drupal's node access mechanism. Protects against unauthorized access to

content.


db_rewrite_sql() CORRECT:

db_query(db_rewrite_sql( “SELECT * FROM {node} WHERE uid = %d”, $uid));

INCORRECT: db_query(“SELECT * FROM

{node} WHERE uid = %d”, $uid);


Beware User Input Sources of user input:

Form fields Uploaded files Query string Other sites


This is an exploited comment.

<link rel="stylesheet" type="text/css" href="http://ha.ckers.org/xss.js{"><script>alert('xss');</script>}body{font-family:{" />


AJAX Risks AJAX transactions are not private Eval() is not 100% safe; use JSONP


Sanitize output Use the Form API Use parameterized queries Leave core intact Grant minimal permissions Use HTTPS for social websites Keep core and modules up to date!


Things Good Drupalers Do

Printing raw values Modifying data with $_GET Parameterized queries? WTF? Hacking core and killing kittens Allowing untrusted users to post the

following tags: script, img, iframe, embed, object, input, link, style, meta, frameset, div, base, table, tr, td

Allowing untrusted users to post full HTML

Things That Will Bite You


“drupal” is NOT a good admin password!!

(neither is “lapurd”)

Other Common Mistakes<?php

global $user;

// Bad – this will escalate the privileges

$user = user_load(array('uid' => $uid));

?>

<?php

global $user;

// SAFE – do this instead

$account = user_load(array('uid' => $uid));

?>


Other Common Mistakes Improper URL access

Incorrect usage of 'access callback' in hook_menu()

Lack of security settings on views Writing forms in HTML

Use the Form API to provide automatic CSRF protection


Other Common Mistakes Unvalidated and open redirects

Iframes, drupal_goto, location.href Promiscuous crossdomain.xml files



Don't Trust User Input!

http://drupal.org Writing Secure Code (http://drupal.org/writing-

secure-code) Handle Text in a Secure Fashion (

http://drupal.org/node/28984) Secure File Permissions:

http://drupal.org/node/244924 Drupal Security Team

Drupal Security Resources


http://drupal.org/

http://drupal.org/

http://drupal.org/node/28984

Coder (http://drupal.org/project/coder) Security Review (http://

drupal.org/project/security_review) Secure Code Review (http://

drupal.org/project/secure_code_review) Secure Permissions (http://

drupal.org/project/secure_permissions)

Modules


http://drupal.org/project/coder



http://drupal.org/project/security_review

http://drupal.org/project/security_review

http://drupal.org/project/secure_code_review

http://drupal.org/project/secure_code_review

http://drupal.org/project/secure_permissions

http://drupal.org/project/secure_permissions

Pro Drupal Development book (VanDyk) Cracking Drupal: A Drop in the Bucket

(Knaddison) XSS Scripting Attacks (Grossman)

Books


Questions?


hack-proof your drupal app

Technology

drupal app drupalcamp

drupal core

drupal reports

drupal applications

output hack

xss hack

plain hack

vulnerabilities hack