SlideShare uma empresa Scribd logo

Drupal security

Jozef Toth
Jozef Toth

Gabor Hojtsy

Tecnologia
1 de 49
Drupal security Gábor Hojtsy , Acquia February 27. 2010, Drupalcamp Bratislava With special thanks to Four Kitchens, Greg Knaddison and Jakub Suchy
Why I’m here? • Stepping in for Jakub Suchy • Co-maintainer to Drupal 6 • De-facto member of the security team
Are you affected?
With relatively simple holes, your administrator user can be taken over.
Open Web Application Security Project’s Top 10 risks http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf
Security misconfiguration
Secure server • Avoid using FTP at all cost (Total Commander is the enemy) • Who do you share your server with? Are you confident? • Keep your OS, PHP, SQL server, etc. up to date
Secure Drupal • Is your admin password “admin”? • Look at all “administer *” permissions • “administer filters” can take over a site • Use update.module, watch the security news (Wednesdays)
Secure Drupal • Avoid any kind of PHP input, write your own modules instead • Watch your input formats (you can be googled)
Injection
index.php?id=12 mysql_query(“UPDATE mytable SET value = ‘”. $value .”’ WHERE id = ”. $_GET[‘id’]);
Drupal approach • db_query(“UPDATE {mytable} SET value = ‘%s’ WHERE id = %d”, $value, $id); • If you need to include dynamic table or column names in your query, see db_escape_table()
Cross Site Scripting (XSS)
index.php?id=12 print $_GET[‘id’]; $output .= $node->title; Giving full HTML access.
66% likeliness a website has Cross site scripting issues http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT_statsfall09_8th.pdf
jQuery.get('/user/1/edit', function (data, status) { if (status == 'success') { var p = /id="edit-user-edit-form-token" value="([a-z0-9]*)"/; var matches = data.match(p); var token = matches[1]; var payload = { "form_id": 'user_edit', "form_token": token, "pass[pass1]": 'hacked', "pass[pass2]": 'hacked' }; jQuery.post('/user/1/edit', payload); } } ); Example from Heine Deelstra, Drupal Security team lead http://heine.familiedeelstra.com/change-password-xss
Drupal approach • check_plain() to escape text to HTML • check_markup() to format text to HTML • filter_xss() to filter text to HTML • filter_xss_admin() to filter admin text to HTML • node_view($node) instead of $node->body
Drupal approach • t(), format_plural() placeholders: %name, @url, !insecure t(‘%name has a blog at <a href=”@url”>@url</a>’, array(‘@url’ => valid_url($user->profile_blog), ‘%name’ => $user->name)); • Use Drupal.t(), Drupal.formatPlural() in JS.
Authentication & sessions
• Weak password storage and account management • Session hijacking / fixation • Lack of session timeout / logout
Drupal approach • Passwords are stored encrypted • Session IDs changed when permissions change • Drupal works with Apache’s SSL transport • Modules to set certain URLs to use SSL
Insecure direct object references
index.php?id=12 db_query(“SELECT * FROM {user} WHERE id = %d”, $_GET[‘id’]);
Drupal approach • Menu system handles permission checking • user_access(‘administer nodes’, $account) • node_access(‘edit’, $node, $account); • db_query(db_rewrite_sql(‘SELECT title FROM {node} n’)); • Form API checks for data validity
Cross Site Request Forgery (CSRF)
http://example.com/index.php? delete=12 <img src=”http://example.com/ index.php?delete=12” />
Drupal approach • Form API works with POST submissions by default (makes it harder) • Form API includes form tokens, requires form retrieval before submission, checks valid values • drupal_valid_token() provided to generate/validate tokens for GET requests
Failure to restrict URL access
Drupal approach • Menu system uses access callback and access arguments • Continually review permissions
Unvalidated redirections
http://example.com/index.php? target=evil.com
Drupal approach • Drupal has various internal redirections, which use local paths and generate URLs based on them • Look for use of drupal_goto() and Form API #redirect instances in your modules to validate their compliance
Insecure cryptographic storage
Drupal approach • Drupal stores user passwords encrypted with a one-way hash • Different randomly generated private key is provided on each site, which can be used to do reversible encryption • Up to you to ensure backups are properly protected
Insufficient transport protection
Drupal approach • Run Drupal on top of full SSL • Use securepages and securepages_prevent_hijack to wall your important pages • http://crackingdrupal.com/blog/ greggles/drupal-and-ssl-multiple- recipes-possible-solutions • Use a valid certificate
Is Open Source secure?
“Open Source is secure” • Open Source makes people look at it • Popularity gets more eyes • There are always more smart people to find and fix problems
“Open Source is insecure” • People can equally find holes • Some people (inadvertently) disclose issues in the public • Fix becomes public and can / will be reviewed
Is Drupal secure?
Developers and users • Drupal APIs are designed to be secure • It is eventually up to programmers to use them that way • http://drupal.org/writing-secure-code • Tools designed for security can still be misconfigured
Drupal security team A team of volunteers working to ensure best security of Drupal and thousands of contributed modules
Design. Educate. Fix.
What’s supported? • Drupal core and all(!) contributed project on drupal.org • Not actively looking for vulnerabilities in contributed modules • Stable releases and development versions (for very popular modules) • Only current and one earlier versions are supported: now 6.x, 5.x
Points of contact • Releases at http://drupal.org/security • Reporting issues: http://drupal.org/ node/101494 • Reporting cracked sites: http:// drupal.org/node/213320
These slides are (CC) Images used: http://www.flickr.com/photos/rtv/2398561954/ http://www.flickr.com/photos/jonk/19422564/ http://www.flickr.com/photos/duncan/2693141693/ http://www.flickr.com/photos/duncan/2742371814 http://www.flickr.com/photos/jontintinjordan/3736095793/ http://www.flickr.com/photos/djbrady/2304740173/ http://www.flickr.com/photos/inkytwist/2654071573/ http://www.flickr.com/photos/duncan/2741594585/ http://www.flickr.com/photos/shellysblogger/2924699161/ http://www.flickr.com/photos/blogumentary/434097609/ http://www.flickr.com/photos/glamhag/2214986176/ http://www.flickr.com/photos/duncan/2693140217/ This presentation is © Gábor Hojtsy Licensed: Licensed: http://creativecommons.org/licenses/by-nc-sa/2.0/
Questions?
Thank you! Gábor Hojtsy, Acquia http://twitter.com/gaborhojtsy

Recomendados

On-page SEO for Drupal
On-page SEO for DrupalOn-page SEO for Drupal
On-page SEO for DrupalSvilen Sabev
 
Scout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicagoScout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicagoknaddison
 
Web scraping 101 with goutte
Web scraping 101 with goutteWeb scraping 101 with goutte
Web scraping 101 with goutteJoshua Copeland
 
Hack Proof Your Drupal Site
Hack Proof Your Drupal SiteHack Proof Your Drupal Site
Hack Proof Your Drupal SiteNaveen Valecha
 
null Bangalore meet - Php Security
null Bangalore meet - Php Securitynull Bangalore meet - Php Security
null Bangalore meet - Php Securityn|u - The Open Security Community
 
Scraping the web with Laravel, Dusk, Docker, and PHP
Scraping the web with Laravel, Dusk, Docker, and PHPScraping the web with Laravel, Dusk, Docker, and PHP
Scraping the web with Laravel, Dusk, Docker, and PHPPaul Redmond
 
Web Scraping In Ruby Utosc 2009.Key
Web Scraping In Ruby Utosc 2009.KeyWeb Scraping In Ruby Utosc 2009.Key
Web Scraping In Ruby Utosc 2009.Keyjtzemp
 
Web crawler synopsis
Web crawler synopsisWeb crawler synopsis
Web crawler synopsisMayur Garg
 

Recomendados

On-page SEO for Drupal
On-page SEO for DrupalOn-page SEO for Drupal
On-page SEO for DrupalSvilen Sabev
 
Scout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicagoScout xss csrf_security_presentation_chicago
Scout xss csrf_security_presentation_chicagoknaddison
 
Web scraping 101 with goutte
Web scraping 101 with goutteWeb scraping 101 with goutte
Web scraping 101 with goutteJoshua Copeland
 
Hack Proof Your Drupal Site
Hack Proof Your Drupal SiteHack Proof Your Drupal Site
Hack Proof Your Drupal SiteNaveen Valecha
 
null Bangalore meet - Php Security
null Bangalore meet - Php Securitynull Bangalore meet - Php Security
null Bangalore meet - Php Securityn|u - The Open Security Community
 
Scraping the web with Laravel, Dusk, Docker, and PHP
Scraping the web with Laravel, Dusk, Docker, and PHPScraping the web with Laravel, Dusk, Docker, and PHP
Scraping the web with Laravel, Dusk, Docker, and PHPPaul Redmond
 
Web Scraping In Ruby Utosc 2009.Key
Web Scraping In Ruby Utosc 2009.KeyWeb Scraping In Ruby Utosc 2009.Key
Web Scraping In Ruby Utosc 2009.Keyjtzemp
 
Web crawler synopsis
Web crawler synopsisWeb crawler synopsis
Web crawler synopsisMayur Garg
 
Why Django
Why DjangoWhy Django
Why DjangoIdan Gazit
 
Hypermedia: The Missing Element to Building Adaptable Web APIs in Rails
Hypermedia: The Missing Element to Building Adaptable Web APIs in RailsHypermedia: The Missing Element to Building Adaptable Web APIs in Rails
Hypermedia: The Missing Element to Building Adaptable Web APIs in RailsToru Kawamura
 
Beautiful REST+JSON APIs with Ion
Beautiful REST+JSON APIs with IonBeautiful REST+JSON APIs with Ion
Beautiful REST+JSON APIs with IonStormpath
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Reviewing RESTful Web Apps
Reviewing RESTful Web AppsReviewing RESTful Web Apps
Reviewing RESTful Web AppsTakuto Wada
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreStormpath
 
WebCrawler
WebCrawlerWebCrawler
WebCrawlermynameismrslide
 
Introduction to jQuery Mobile - Web Deliver for All
Introduction to jQuery Mobile - Web Deliver for AllIntroduction to jQuery Mobile - Web Deliver for All
Introduction to jQuery Mobile - Web Deliver for AllMarc Grabanski
 
Rest and Rails
Rest and RailsRest and Rails
Rest and RailsChamnap Chhorn
 
1.6 米嘉 gobuildweb
1.6 米嘉 gobuildweb1.6 米嘉 gobuildweb
1.6 米嘉 gobuildwebLeo Zhou
 
Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildSajjad "JJ" Arshad
 
Rest in Rails
Rest in RailsRest in Rails
Rest in RailsChamnap Chhorn
 
Build a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON APIBuild a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON APIStormpath
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreNate Barbettini
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 
Drupal Theme Development - DrupalCon Chicago 2011
Drupal Theme Development - DrupalCon Chicago 2011Drupal Theme Development - DrupalCon Chicago 2011
Drupal Theme Development - DrupalCon Chicago 2011Ryan Price
 
Custom Post Types in Depth at WordCamp Montreal
Custom Post Types in Depth at WordCamp MontrealCustom Post Types in Depth at WordCamp Montreal
Custom Post Types in Depth at WordCamp MontrealJoey Kudish
 
Rails Gems realize RESTful modeling patterns
Rails Gems realize RESTful modeling patternsRails Gems realize RESTful modeling patterns
Rails Gems realize RESTful modeling patternsToru Kawamura
 
Cwinters Intro To Rest And JerREST and Jersey Introductionsey
Cwinters Intro To Rest And JerREST and Jersey IntroductionseyCwinters Intro To Rest And JerREST and Jersey Introductionsey
Cwinters Intro To Rest And JerREST and Jersey Introductionseyelliando dias
 
Free django
Free djangoFree django
Free djangoEugen Oskin
 
Doing Drupal security right
Doing Drupal security rightDoing Drupal security right
Doing Drupal security rightGábor Hojtsy
 
Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaGábor Hojtsy
 

Mais conteúdo relacionado

Mais procurados

Hypermedia: The Missing Element to Building Adaptable Web APIs in Rails
Hypermedia: The Missing Element to Building Adaptable Web APIs in RailsHypermedia: The Missing Element to Building Adaptable Web APIs in Rails
Hypermedia: The Missing Element to Building Adaptable Web APIs in RailsToru Kawamura
 
Beautiful REST+JSON APIs with Ion
Beautiful REST+JSON APIs with IonBeautiful REST+JSON APIs with Ion
Beautiful REST+JSON APIs with IonStormpath
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Reviewing RESTful Web Apps
Reviewing RESTful Web AppsReviewing RESTful Web Apps
Reviewing RESTful Web AppsTakuto Wada
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreStormpath
 
Introduction to jQuery Mobile - Web Deliver for All
Introduction to jQuery Mobile - Web Deliver for AllIntroduction to jQuery Mobile - Web Deliver for All
Introduction to jQuery Mobile - Web Deliver for AllMarc Grabanski
 
1.6 米嘉 gobuildweb
1.6 米嘉 gobuildweb1.6 米嘉 gobuildweb
1.6 米嘉 gobuildwebLeo Zhou
 
Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildSajjad "JJ" Arshad
 
Build a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON APIBuild a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON APIStormpath
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreNate Barbettini
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 
Drupal Theme Development - DrupalCon Chicago 2011
Drupal Theme Development - DrupalCon Chicago 2011Drupal Theme Development - DrupalCon Chicago 2011
Drupal Theme Development - DrupalCon Chicago 2011Ryan Price
 
Custom Post Types in Depth at WordCamp Montreal
Custom Post Types in Depth at WordCamp MontrealCustom Post Types in Depth at WordCamp Montreal
Custom Post Types in Depth at WordCamp MontrealJoey Kudish
 
Rails Gems realize RESTful modeling patterns
Rails Gems realize RESTful modeling patternsRails Gems realize RESTful modeling patterns
Rails Gems realize RESTful modeling patternsToru Kawamura
 
Cwinters Intro To Rest And JerREST and Jersey Introductionsey
Cwinters Intro To Rest And JerREST and Jersey IntroductionseyCwinters Intro To Rest And JerREST and Jersey Introductionsey
Cwinters Intro To Rest And JerREST and Jersey Introductionseyelliando dias
 

Mais procurados (20)

Why Django
Why DjangoWhy Django
Why Django
 
Hypermedia: The Missing Element to Building Adaptable Web APIs in Rails
Hypermedia: The Missing Element to Building Adaptable Web APIs in RailsHypermedia: The Missing Element to Building Adaptable Web APIs in Rails
Hypermedia: The Missing Element to Building Adaptable Web APIs in Rails
 
Beautiful REST+JSON APIs with Ion
Beautiful REST+JSON APIs with IonBeautiful REST+JSON APIs with Ion
Beautiful REST+JSON APIs with Ion
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Reviewing RESTful Web Apps
Reviewing RESTful Web AppsReviewing RESTful Web Apps
Reviewing RESTful Web Apps
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET Core
 
WebCrawler
WebCrawlerWebCrawler
WebCrawler
 
Introduction to jQuery Mobile - Web Deliver for All
Introduction to jQuery Mobile - Web Deliver for AllIntroduction to jQuery Mobile - Web Deliver for All
Introduction to jQuery Mobile - Web Deliver for All
 
Rest and Rails
Rest and RailsRest and Rails
Rest and Rails
 
1.6 米嘉 gobuildweb
1.6 米嘉 gobuildweb1.6 米嘉 gobuildweb
1.6 米嘉 gobuildweb
 
Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the Wild
 
Rest in Rails
Rest in RailsRest in Rails
Rest in Rails
 
Build a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON APIBuild a Node.js Client for Your REST+JSON API
Build a Node.js Client for Your REST+JSON API
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET Core
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
Drupal Theme Development - DrupalCon Chicago 2011
Drupal Theme Development - DrupalCon Chicago 2011Drupal Theme Development - DrupalCon Chicago 2011
Drupal Theme Development - DrupalCon Chicago 2011
 
Custom Post Types in Depth at WordCamp Montreal
Custom Post Types in Depth at WordCamp MontrealCustom Post Types in Depth at WordCamp Montreal
Custom Post Types in Depth at WordCamp Montreal
 
Rails Gems realize RESTful modeling patterns
Rails Gems realize RESTful modeling patternsRails Gems realize RESTful modeling patterns
Rails Gems realize RESTful modeling patterns
 
Cwinters Intro To Rest And JerREST and Jersey Introductionsey
Cwinters Intro To Rest And JerREST and Jersey IntroductionseyCwinters Intro To Rest And JerREST and Jersey Introductionsey
Cwinters Intro To Rest And JerREST and Jersey Introductionsey
 
Free django
Free djangoFree django
Free django
 

Semelhante a Drupal security

Doing Drupal security right
Doing Drupal security rightDoing Drupal security right
Doing Drupal security rightGábor Hojtsy
 
Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaGábor Hojtsy
 
Doing Drupal security right from Drupalcon London
Doing Drupal security right from Drupalcon LondonDoing Drupal security right from Drupalcon London
Doing Drupal security right from Drupalcon LondonGábor Hojtsy
 
Staying Sane with Drupal NEPHP
Staying Sane with Drupal NEPHPStaying Sane with Drupal NEPHP
Staying Sane with Drupal NEPHPOscar Merida
 
Staying Sane with Drupal (A Develper's Survival Guide)
Staying Sane with Drupal (A Develper's Survival Guide)Staying Sane with Drupal (A Develper's Survival Guide)
Staying Sane with Drupal (A Develper's Survival Guide)Oscar Merida
 
Drupal security
Drupal securityDrupal security
Drupal securityTechday7
 
Staging Drupal 8 31 09 1 3
Staging Drupal 8 31 09 1 3Staging Drupal 8 31 09 1 3
Staging Drupal 8 31 09 1 3Drupalcon Paris
 
Drupal Security from Drupalcamp Cologne 2009
Drupal Security from Drupalcamp Cologne 2009Drupal Security from Drupalcamp Cologne 2009
Drupal Security from Drupalcamp Cologne 2009Gábor Hojtsy
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentSteven Van den Hout
 
Drupal 8 - Core and API Changes
Drupal 8 - Core and API ChangesDrupal 8 - Core and API Changes
Drupal 8 - Core and API ChangesShabir Ahmad
 
Extending drupal authentication
Extending drupal authenticationExtending drupal authentication
Extending drupal authenticationCharles Russell
 
Top 8 Improvements in Drupal 8
Top 8 Improvements in Drupal 8Top 8 Improvements in Drupal 8
Top 8 Improvements in Drupal 8Angela Byron
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Adelle Frank
 
An Introduction to Tornado
An Introduction to TornadoAn Introduction to Tornado
An Introduction to TornadoGavin Roy
 
Absolute Beginners Guide to Drupal
Absolute Beginners Guide to DrupalAbsolute Beginners Guide to Drupal
Absolute Beginners Guide to DrupalRod Martin
 
Django Overview
Django OverviewDjango Overview
Django OverviewBrian Tol
 
Everything You Need to Know About the Top Changes in Drupal 8
Everything You Need to Know About the Top Changes in Drupal 8Everything You Need to Know About the Top Changes in Drupal 8
Everything You Need to Know About the Top Changes in Drupal 8Acquia
 

Semelhante a Drupal security (20)

Doing Drupal security right
Doing Drupal security rightDoing Drupal security right
Doing Drupal security right
 
Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp Bratislava
 
Doing Drupal security right from Drupalcon London
Doing Drupal security right from Drupalcon LondonDoing Drupal security right from Drupalcon London
Doing Drupal security right from Drupalcon London
 
Staying Sane with Drupal NEPHP
Staying Sane with Drupal NEPHPStaying Sane with Drupal NEPHP
Staying Sane with Drupal NEPHP
 
Staying Sane with Drupal (A Develper's Survival Guide)
Staying Sane with Drupal (A Develper's Survival Guide)Staying Sane with Drupal (A Develper's Survival Guide)
Staying Sane with Drupal (A Develper's Survival Guide)
 
Drupal security
Drupal securityDrupal security
Drupal security
 
Staging Drupal 8 31 09 1 3
Staging Drupal 8 31 09 1 3Staging Drupal 8 31 09 1 3
Staging Drupal 8 31 09 1 3
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
 
Drupal Security from Drupalcamp Cologne 2009
Drupal Security from Drupalcamp Cologne 2009Drupal Security from Drupalcamp Cologne 2009
Drupal Security from Drupalcamp Cologne 2009
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal Development
 
Drupal 8 - Core and API Changes
Drupal 8 - Core and API ChangesDrupal 8 - Core and API Changes
Drupal 8 - Core and API Changes
 
Extending drupal authentication
Extending drupal authenticationExtending drupal authentication
Extending drupal authentication
 
Top 8 Improvements in Drupal 8
Top 8 Improvements in Drupal 8Top 8 Improvements in Drupal 8
Top 8 Improvements in Drupal 8
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!
 
DrupalCon 2011 Highlight
DrupalCon 2011 HighlightDrupalCon 2011 Highlight
DrupalCon 2011 Highlight
 
An Introduction to Tornado
An Introduction to TornadoAn Introduction to Tornado
An Introduction to Tornado
 
Absolute Beginners Guide to Drupal
Absolute Beginners Guide to DrupalAbsolute Beginners Guide to Drupal
Absolute Beginners Guide to Drupal
 
Django Overview
Django OverviewDjango Overview
Django Overview
 
Everything You Need to Know About the Top Changes in Drupal 8
Everything You Need to Know About the Top Changes in Drupal 8Everything You Need to Know About the Top Changes in Drupal 8
Everything You Need to Know About the Top Changes in Drupal 8
 

Mais de Jozef Toth

Drupalfund - crowdfunding the future of Drupal development
Drupalfund - crowdfunding the future of Drupal developmentDrupalfund - crowdfunding the future of Drupal development
Drupalfund - crowdfunding the future of Drupal developmentJozef Toth
 
Drupal 8 logo design concepts
Drupal 8 logo design conceptsDrupal 8 logo design concepts
Drupal 8 logo design conceptsJozef Toth
 
Seo Pro Drupal Developery
Seo Pro Drupal DeveloperySeo Pro Drupal Developery
Seo Pro Drupal DeveloperyJozef Toth
 
Drupal V Biznise
Drupal V BizniseDrupal V Biznise
Drupal V BizniseJozef Toth
 
Drupal V Biznise
Drupal V BizniseDrupal V Biznise
Drupal V BizniseJozef Toth
 
Drupal ako nízkonákladová platforma pre business web aplikácie
Drupal ako nízkonákladová platforma pre business web aplikácieDrupal ako nízkonákladová platforma pre business web aplikácie
Drupal ako nízkonákladová platforma pre business web aplikácieJozef Toth
 
Freelancer's toolbox
Freelancer's toolboxFreelancer's toolbox
Freelancer's toolboxJozef Toth
 
Drupal - Open Source CMS
Drupal - Open Source CMSDrupal - Open Source CMS
Drupal - Open Source CMSJozef Toth
 

Mais de Jozef Toth (9)

Drupalfund - crowdfunding the future of Drupal development
Drupalfund - crowdfunding the future of Drupal developmentDrupalfund - crowdfunding the future of Drupal development
Drupalfund - crowdfunding the future of Drupal development
 
Drupal 8 logo design concepts
Drupal 8 logo design conceptsDrupal 8 logo design concepts
Drupal 8 logo design concepts
 
Seo Pro Drupal Developery
Seo Pro Drupal DeveloperySeo Pro Drupal Developery
Seo Pro Drupal Developery
 
Drupal V Biznise
Drupal V BizniseDrupal V Biznise
Drupal V Biznise
 
Drupal V Biznise
Drupal V BizniseDrupal V Biznise
Drupal V Biznise
 
Co je Drupal
Co je DrupalCo je Drupal
Co je Drupal
 
Drupal ako nízkonákladová platforma pre business web aplikácie
Drupal ako nízkonákladová platforma pre business web aplikácieDrupal ako nízkonákladová platforma pre business web aplikácie
Drupal ako nízkonákladová platforma pre business web aplikácie
 
Freelancer's toolbox
Freelancer's toolboxFreelancer's toolbox
Freelancer's toolbox
 
Drupal - Open Source CMS
Drupal - Open Source CMSDrupal - Open Source CMS
Drupal - Open Source CMS
 

Último

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 

Último (20)

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 

Drupal security

  • 1. Drupal security Gábor Hojtsy , Acquia February 27. 2010, Drupalcamp Bratislava With special thanks to Four Kitchens, Greg Knaddison and Jakub Suchy
  • 2. Why I’m here? • Stepping in for Jakub Suchy • Co-maintainer to Drupal 6 • De-facto member of the security team
  • 4. With relatively simple holes, your administrator user can be taken over.
  • 5. Open Web Application Security Project’s Top 10 risks http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf
  • 7. Secure server • Avoid using FTP at all cost (Total Commander is the enemy) • Who do you share your server with? Are you confident? • Keep your OS, PHP, SQL server, etc. up to date
  • 8. Secure Drupal • Is your admin password “admin”? • Look at all “administer *” permissions • “administer filters” can take over a site • Use update.module, watch the security news (Wednesdays)
  • 9. Secure Drupal • Avoid any kind of PHP input, write your own modules instead • Watch your input formats (you can be googled)
  • 11. index.php?id=12 mysql_query(“UPDATE mytable SET value = ‘”. $value .”’ WHERE id = ”. $_GET[‘id’]);
  • 12. Drupal approach • db_query(“UPDATE {mytable} SET value = ‘%s’ WHERE id = %d”, $value, $id); • If you need to include dynamic table or column names in your query, see db_escape_table()
  • 14. index.php?id=12 print $_GET[‘id’]; $output .= $node->title; Giving full HTML access.
  • 15. 66% likeliness a website has Cross site scripting issues http://www.whitehatsec.com/home/assets/presentations/09PPT/PPT_statsfall09_8th.pdf
  • 16. jQuery.get('/user/1/edit', function (data, status) { if (status == 'success') { var p = /id="edit-user-edit-form-token" value="([a-z0-9]*)"/; var matches = data.match(p); var token = matches[1]; var payload = { "form_id": 'user_edit', "form_token": token, "pass[pass1]": 'hacked', "pass[pass2]": 'hacked' }; jQuery.post('/user/1/edit', payload); } } ); Example from Heine Deelstra, Drupal Security team lead http://heine.familiedeelstra.com/change-password-xss
  • 17. Drupal approach • check_plain() to escape text to HTML • check_markup() to format text to HTML • filter_xss() to filter text to HTML • filter_xss_admin() to filter admin text to HTML • node_view($node) instead of $node->body
  • 18. Drupal approach • t(), format_plural() placeholders: %name, @url, !insecure t(‘%name has a blog at <a href=”@url”>@url</a>’, array(‘@url’ => valid_url($user->profile_blog), ‘%name’ => $user->name)); • Use Drupal.t(), Drupal.formatPlural() in JS.
  • 20. • Weak password storage and account management • Session hijacking / fixation • Lack of session timeout / logout
  • 21. Drupal approach • Passwords are stored encrypted • Session IDs changed when permissions change • Drupal works with Apache’s SSL transport • Modules to set certain URLs to use SSL
  • 23. index.php?id=12 db_query(“SELECT * FROM {user} WHERE id = %d”, $_GET[‘id’]);
  • 24. Drupal approach • Menu system handles permission checking • user_access(‘administer nodes’, $account) • node_access(‘edit’, $node, $account); • db_query(db_rewrite_sql(‘SELECT title FROM {node} n’)); • Form API checks for data validity
  • 25. Cross Site Request Forgery (CSRF)
  • 27. Drupal approach • Form API works with POST submissions by default (makes it harder) • Form API includes form tokens, requires form retrieval before submission, checks valid values • drupal_valid_token() provided to generate/validate tokens for GET requests
  • 28. Failure to restrict URL access
  • 29. Drupal approach • Menu system uses access callback and access arguments • Continually review permissions
  • 32. Drupal approach • Drupal has various internal redirections, which use local paths and generate URLs based on them • Look for use of drupal_goto() and Form API #redirect instances in your modules to validate their compliance
  • 34. Drupal approach • Drupal stores user passwords encrypted with a one-way hash • Different randomly generated private key is provided on each site, which can be used to do reversible encryption • Up to you to ensure backups are properly protected
  • 36. Drupal approach • Run Drupal on top of full SSL • Use securepages and securepages_prevent_hijack to wall your important pages • http://crackingdrupal.com/blog/ greggles/drupal-and-ssl-multiple- recipes-possible-solutions • Use a valid certificate
  • 37. Is Open Source secure?
  • 38. “Open Source is secure” • Open Source makes people look at it • Popularity gets more eyes • There are always more smart people to find and fix problems
  • 39. “Open Source is insecure” • People can equally find holes • Some people (inadvertently) disclose issues in the public • Fix becomes public and can / will be reviewed
  • 41. Developers and users • Drupal APIs are designed to be secure • It is eventually up to programmers to use them that way • http://drupal.org/writing-secure-code • Tools designed for security can still be misconfigured
  • 42. Drupal security team A team of volunteers working to ensure best security of Drupal and thousands of contributed modules
  • 44. What’s supported? • Drupal core and all(!) contributed project on drupal.org • Not actively looking for vulnerabilities in contributed modules • Stable releases and development versions (for very popular modules) • Only current and one earlier versions are supported: now 6.x, 5.x
  • 45. Points of contact • Releases at http://drupal.org/security • Reporting issues: http://drupal.org/ node/101494 • Reporting cracked sites: http:// drupal.org/node/213320
  • 46.
  • 47. These slides are (CC) Images used: http://www.flickr.com/photos/rtv/2398561954/ http://www.flickr.com/photos/jonk/19422564/ http://www.flickr.com/photos/duncan/2693141693/ http://www.flickr.com/photos/duncan/2742371814 http://www.flickr.com/photos/jontintinjordan/3736095793/ http://www.flickr.com/photos/djbrady/2304740173/ http://www.flickr.com/photos/inkytwist/2654071573/ http://www.flickr.com/photos/duncan/2741594585/ http://www.flickr.com/photos/shellysblogger/2924699161/ http://www.flickr.com/photos/blogumentary/434097609/ http://www.flickr.com/photos/glamhag/2214986176/ http://www.flickr.com/photos/duncan/2693140217/ This presentation is © Gábor Hojtsy Licensed: Licensed: http://creativecommons.org/licenses/by-nc-sa/2.0/
  • 49. Thank you! Gábor Hojtsy, Acquia http://twitter.com/gaborhojtsy