Hack Into Drupal Sites (or, How to Secure Your Drupal Site)

Hack Into Drupal Sites (or, How to Secure Your Drupal Site)

6

Compartilhar

Baixar para ler offline

Over 70% of the security issues in Drupal sites are either XSS, CSRF, or SQL Injection. Let's talk about how sites get hacked and how you can write secure Drupal code and maintain security throughout your development process and live maintenance.


About the Presenter:

Ben Jeavons is a member of the Drupal Security team and co-author of the Drupal Security Report. As an engineer at Acquia he works on the Acquia Network including the security and performance analysis tool, Acquia Insight.

Experience Level: Intermediate

  1. Secure your Drupal site by first hacking into it
  2. Think like a hacker http://www.flickr.com/photos/31246066@N04/4252587897/
  3. How sites get hacked: XSS; insecure environment; stolen access; outdated code, known vulnerabilities
  4. XSS Demo
     • Malicious JavaScript is entered
     • Admin unknowingly executes it
     • JavaScript alters admin-only settings
     • Changes admin password
     • Puts site offline
     http://www.flickr.com/photos/paolo_rosa/5088971947/
  5. https://vimeo.com/15447718
  6. Ben Jeavons: Drupaler for 5 years, member of the Drupal Security Team, @benswords
  7. Drupal vulnerabilities by popularity (pie chart; categories: XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others; slices: 48%, 16%, 12%, 10%, 7%, 4%, 3%). Reported in core and contrib SAs from 6/1/2005 through 3/24/2010.
  8. Cross Site Scripting
  9. Cross Site Scripting (XSS): JavaScript performing actions without your intent. Everything you can do, XSS can do faster.
  10. Stored XSS, step 1 (diagram: Attacker, Request, Drupal, DB; JS): the attacker's request stores JS in the Drupal database.
  11. Stored XSS, step 2 (diagram: Victim, Request, Drupal, DB, Response; JS): the victim's request is answered with a response that carries the stored JS.
  12. Stored XSS, step 3 (diagram: Victim, Request, Drupal, DB; JS): the JS running in the victim's browser sends requests to Drupal as the victim.
  13. $node = node_load($nid);
      $title = $node->title;
      drupal_set_title($title);
      ... (later, in page.tpl.php) ...
      <h1><?php print $title; ?></h1>
  14. Fixing XSS: identify where the data came from. User input!
  15. User agent, language, time zone, referrer & more: HTTP request headers are user input too. Lots of tools/ways to modify these for requests.
  16. Fixing XSS: identify where the data came from. Is that data being filtered or escaped before output?
  17. Raw input, filtered output
  18. $node = node_load($nid);
      $title = $node->title;
      $safe = check_plain($title);
      drupal_set_title($safe);
      ... (later, in page.tpl.php) ...
      <h1><?php print $title; ?></h1>
  19. XSS in themes:
      <div class="stuff">
      <?php print $node->field_stuff[0]['value']; ?>
  20. <div class="stuff">
      <?php
      print $node->field_stuff[0]['safe'];
      // OR
      $stuff = $node->field_stuff[0];
      print content_format('field_stuff', $stuff);
      ?>
  21. Sanitize user input for output:
      $msg = variable_get('my_msg', '');
      print check_plain($msg);
  22. Test for XSS vulnerability: <script>alert('xss yo')</script> github.com/unn/vuln
  23. Insecure Environment
  24. Insecure Environment: lock down your stack; admin tools and access to them; principle of least privilege: give out only necessary permissions
  25. Insecure Environment: /devel/variable, /phpMyAdmin
  26. Insecure Environment: make backups; test that they work; secure access to backups
  27. Center for Health Transformation's records were "found by The New York Times in an unsecured archived version of the site" http://www.nytimes.com/2011/11/30/us/politics/gingrich-gave-push-to-clients-not-just-ideas.html http://www.flickr.com/photos/mjb/208218519/
  28. Insecure Environment: /sites/default/files/backup_migrate/
  29. Stolen Access
  30. SSL: run Drupal on full TLS/SSL; securepages & securepages_prevent_hijack http://drupalscout.com/node/17; use a valid certificate
  31. SFTP ("Secure" FTP): your host should provide it; if not, consider a new one
  32. Stay up-to-date
  33. Stay up-to-date: know and apply security updates (Security Advisories). Not just Drupal: third-party libraries (TinyMCE), PHP, operating system
  34. /CHANGELOG.txt
  35. Automation http://www.flickr.com/photos/hubmedia/2141860216/
  36. Steps to a mostly automated review: Security Review: drupal.org/project/security_review; Hacked: drupal.org/project/hacked; Coder: drupal.org/project/coder; Secure Code Review: drupal.org/project/secure_code_review; Vuln: github.com/unn/vuln; more: http://drupalscout.com/node/11
  37. In-depth, hands-on security training: drupalcon.org bit.ly/drupalcon-security
  38. Read: drupal.org/security/writing-secure-code, drupalscout.com, crackingdrupal.com. Converse: groups.drupal.org/best-practices-drupal-security. ben.jeavons@acquia.com @benswords
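The following is an added example, not code from the slides or from the Drupal project. It puts slide 13's vulnerable title rendering next to slide 18's escaped version and drives both with slide 22's test payload. In slide 18 the `$title` printed in page.tpl.php is the template variable that Drupal 6 populates from drupal_get_title(), so it is the escaped value; to keep the script stand-alone, node_load() and check_plain() are replaced with local stand-ins (assumption: check_plain() below mirrors Drupal 6's definition, htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), and the node title is constructed).

```php
<?php
// Added example, not code from the slides: slide 13's vulnerable title
// rendering next to slide 18's escaped version, driven by slide 22's test
// payload. Runs stand-alone with `php xss_title.php`. Assumptions: the Drupal
// functions are replaced by local stand-ins; check_plain() below mirrors
// Drupal 6's definition, htmlspecialchars($text, ENT_QUOTES, 'UTF-8').

// Stand-in for Drupal's check_plain(): escape &, <, >, " and ' for HTML.
function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for node_load(): a constructed node whose title an attacker saved
// through the node form. Node titles are plain text in Drupal; no input
// format ever filters them, so the output side has to escape.
function node_load_constructed($nid) {
    $node = new stdClass();
    $node->nid = $nid;
    $node->title = "<script>alert('xss yo')</script>";
    return $node;
}

// Slide 13: the raw title reaches the <h1> untouched.
function render_title_vulnerable($nid) {
    $node = node_load_constructed($nid);
    $title = $node->title;
    return "<h1>$title</h1>";
}

// Slide 18: escape once, at output time, before the value hits the template.
function render_title_fixed($nid) {
    $node = node_load_constructed($nid);
    $safe = check_plain($node->title);
    return "<h1>$safe</h1>";
}

// Slide 22's test: does the payload appear in the markup unchanged?
function is_xss_reflected($html, $payload) {
    return strpos($html, $payload) !== false;
}

$payload = "<script>alert('xss yo')</script>";
$cases = array(
    'vulnerable' => render_title_vulnerable(1),
    'fixed'      => render_title_fixed(1),
);
foreach ($cases as $label => $html) {
    printf("%-10s %s\n           reflected unescaped: %s\n", $label, $html,
           is_xss_reflected($html, $payload) ? 'YES' : 'no');
}

// Caveat: escape exactly once. Escaping already-escaped text shows the
// visitor a literal "&lt;" instead of "<" and hides the real bug elsewhere.
echo "double-escaped: " . check_plain(check_plain('<b>')) . "\n";
```

The vulnerable branch reflects the payload byte for byte; the fixed branch yields `&lt;script&gt;alert(&#039;xss yo&#039;)&lt;/script&gt;`, which the browser displays but never executes. check_plain() is for values that must be shown as text; a field that is meant to carry markup should be printed through its 'safe' value or content_format() as on slide 20, so its input format is applied rather than the markup being escaped away.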
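The following is an added example, not from the slides or from any Drupal module: a check that the admin tools and backup paths named on slides 25 and 28 do not answer an anonymous request. Assumptions: the path list is illustrative, the live probe uses PHP's get_headers(), and the demo feeds a constructed status table instead so the script runs offline.

```php
<?php
// Added example, not from the slides: verify that the paths on slides 25 and
// 28 are not reachable by an unauthenticated visitor. Assumptions: the path
// list is illustrative; the live check uses get_headers(); the demo below
// uses a constructed status table so it runs offline.

// Paths that should never answer 200 to an anonymous request.
function sensitive_paths() {
    return array(
        '/devel/variable',                        // devel module's variable editor
        '/phpMyAdmin/',                           // database admin tool
        '/sites/default/files/backup_migrate/',   // backup_migrate dumps
        '/sites/default/settings.php',            // credentials; expect 403
    );
}

// Map a status line such as "HTTP/1.1 200 OK" to its numeric code (0 if none).
function status_code_from_line($line) {
    if (preg_match('#^HTTP/\d(?:\.\d)?\s+(\d{3})#', $line, $m)) {
        return (int) $m[1];
    }
    return 0;
}

// Live fetcher: probe one URL and return its first status code (0 on network
// failure). get_headers() follows redirects, so a redirect to the login page
// shows up as the login page's status. Only run this against sites you are
// authorised to test.
function fetch_status($url) {
    $headers = @get_headers($url);
    return $headers ? status_code_from_line($headers[0]) : 0;
}

// Core check: return the paths that answered 200 (reachable anonymously).
// $fetch is a callable taking a full URL and returning a numeric status.
function exposed_paths($base_url, array $paths, $fetch) {
    $exposed = array();
    foreach ($paths as $path) {
        $code = call_user_func($fetch, rtrim($base_url, '/') . $path);
        if ($code === 200) {
            $exposed[] = $path;
        }
    }
    return $exposed;
}

// Constructed responses standing in for a site where devel is enabled for
// anonymous users and the backup directory lists its contents.
$constructed = array(
    'http://example.com/devel/variable'                      => 200,
    'http://example.com/phpMyAdmin/'                         => 404,
    'http://example.com/sites/default/files/backup_migrate/' => 200,
    'http://example.com/sites/default/settings.php'          => 403,
);
$offline_fetch = function ($url) use ($constructed) {
    return isset($constructed[$url]) ? $constructed[$url] : 0;
};

foreach (exposed_paths('http://example.com', sensitive_paths(), $offline_fetch) as $p) {
    echo "EXPOSED: $p\n";
}
// Live use: exposed_paths('https://your-site', sensitive_paths(), 'fetch_status');
```

Against the constructed table the script reports `/devel/variable` and `/sites/default/files/backup_migrate/`. A 403 on the backup directory is the expected state (backup_migrate ships a .htaccess that denies web access); a 200 means the dumps are downloadable, which is exactly the failure slide 27 describes. For /devel/variable, a 403 still tells you devel is enabled on the live site, which slide 24's least-privilege rule argues against.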
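The following is an added example, not from the slides: it reads the installed core version from the first release line of CHANGELOG.txt (slide 34) and compares it with the release you track from the security advisories (slide 33). An attacker fingerprinting the site reads the same line if the file is left web-readable, which is one reason to deny access to it. Assumptions: Drupal 6 and 7 CHANGELOG.txt files begin with a line of the form "Drupal 6.22, 2011-05-25"; the sample text and the "current" version are constructed.

```php
<?php
// Added example, not from the slides: extract the core version from
// CHANGELOG.txt and flag it if it is behind the release you know to be
// current. Assumption: the file starts with a release header of the form
// "Drupal 6.22, 2011-05-25"; the sample below is constructed in that layout.

// Return array('version' => ..., 'date' => ...) from the first release
// header, or null if no such line exists.
function drupal_version_from_changelog($text) {
    if (preg_match('/^Drupal (\d+\.\d+(?:-[\w.]+)?),\s*(\d{4}-\d{2}-\d{2})/m', $text, $m)) {
        return array('version' => $m[1], 'date' => $m[2]);
    }
    return null;
}

// True when the installed version is older than the current release.
// version_compare() understands suffixes such as 7.0-rc3 < 7.0.
function core_is_outdated($installed, $current) {
    return version_compare($installed, $current, '<');
}

// Constructed excerpt in the layout of a Drupal 6 CHANGELOG.txt.
$sample = "Drupal 6.20, 2010-12-15\n"
        . "----------------------\n"
        . "- Fixed security issues, see the security announcement.\n"
        . "\n"
        . "Drupal 6.19, 2010-08-11\n"
        . "----------------------\n";

// Assumption: the latest release you track from drupal.org/security.
$current = '6.22';

$found = drupal_version_from_changelog($sample);
if ($found === null) {
    echo "No release line found\n";
} else {
    printf("Installed %s (%s): %s\n", $found['version'], $found['date'],
           core_is_outdated($found['version'], $current) ? 'OUTDATED' : 'current');
}
// Live use: drupal_version_from_changelog(file_get_contents('/var/www/drupal/CHANGELOG.txt'));
```

With the constructed sample this prints `Installed 6.20 (2010-12-15): OUTDATED`. The same comparison is what the Update status module does for core and contrib against drupal.org; run it for PHP and the operating system as well, since slide 33 counts them as part of the update surface.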
