• 1. Hack-proof Your Drupal App: Key Habits of Secure Drupal Coding (DrupalCamp NH 2011)
• 2. Introductions: Erich Beyrent
  http://twitter.com/ebeyrent
  http://drupal.org/user/23897
  My modules: Permissions API, Permissions Superuser, Crowd SSO, LDAP Extended Groups, Context Local Tasks, Search Lucene Biblio, Search Lucene Attachments, Search Lucene OG, Visual Search API
• 3. Agenda
  - Secrets to Securing a Social Network
  - Key Habits of Secure Drupal Coding
  - Vulnerability Detection to Remediation
  - Security Resources for Drupal Applications
  - See For Yourself: demonstrations of application attacks
  - Discussions
• 4. Have you ever...
• 5. (image) Source: http://www.flickr.com/photos/wili/233621595/
• 6. HILARITY DID NOT ENSUE
• 7. The Results: 120 vulnerabilities were discovered
  - XSS
  - CSRF
  - SQL Injection
  - Insufficient Authorization
• 8. What Was Learned
  - 90% of the vulnerabilities existed in the theme
  - Untrusted data from the query string was printed without filtering
  - Custom search forms were insecure
  - crossdomain.xml caused vulnerabilities
• 9. Fixing The Problems
  - Completely reviewed the theme, implementing Drupal output filters
  - Code was audited to ensure sanitization of all user data
  - Rewrote the search forms to sanitize user data and use the Form API
  - Implemented a web services proxy
• 10. Drupal Security Report
  - Authored by Ben Jeavons and Greg Knaddison
  - Provides an analysis of the current state of security in Drupal
  - Reports on the number of vulnerabilities by type reported in SAs for Drupal core and contributed modules
• 11. By The Numbers. Source: Drupal Security Report, http://drupalsecurityreport.org/ (June 2005 – March 2010)
• 12. Source: http://www.cvedetails.com/vendor/1367/Drupal.html
• 13–16. Key Habits of Secure Drupal Coding (built up over four slides)
  - Wrap your output
  - Protect your database
  - Beware user input
  - AJAX risks
• 17. Reality: YouTube (July 2010)
• 18. Reality
  - Security experts estimate that 66% of websites are vulnerable to XSS attacks (Jeremiah Grossman, WhiteHat Security)
  - The vast majority of vulnerabilities in Drupal are XSS attacks
• 19. Why?
  - Drupal has at least 8 different APIs for sanitizing output
  - Security presentations are given at DrupalCons and DrupalCamps all around the world
  - Drupal Security Announcements
• 20, 22, 24, 26. Wrap Your Output (section build-up): check_plain(), check_markup(), filter_xss(), filter_xss_admin()
• 21. check_plain()
  - For simple text without any markup. Encodes special characters in a plain-text string for display as HTML.
  - Checks for UTF-8 to prevent cross-site scripting attacks on Internet Explorer 6.
  - Don't call it on strings you pass to t() or l(); use placeholders instead.
• 23. check_markup()
  - For text which contains markup in some language. Runs all the enabled filters on a piece of text.
• 25. filter_xss()
  - Filters an HTML string to prevent cross-site scripting (XSS) vulnerabilities.
  - Removes characters and constructs that can trick browsers.
  - Makes sure all HTML entities are well-formed.
  - Makes sure all HTML tags and attributes are well-formed.
  - Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).
  Source: http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss/7
• 27. filter_xss_admin()
  - Very permissive XSS/HTML filter for admin-only use.
  - Use only for fields where it is impractical to use the whole filter system, but where some (mainly inline) mark-up is desired (so check_plain() is not acceptable).
  - Allows all tags that can be used inside an HTML body, save for scripts and styles.
  Source: http://api.drupal.org/api/drupal/includes--common.inc/function/filter_xss_admin/7
• 28. t(): string translation; sanitizes your output if used properly
    t("Input @s", array('@s' => $string));
• 29. l(): filters link text and protects against bad protocols
  GOOD:
    print l($content, $link);
  BAD:
    print '<a href="' . $link . '">' . $content . '</a>';
• 30. drupal_set_title(): in Drupal 7, sanitized output by default!
    drupal_set_title($tainted, CHECK_PLAIN);
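The output habits of slides 21 to 30 combined in one Drupal 7 page callback, as an added example that is not part of the deck and not the speaker's code. It takes the kind of query-string value the audited theme printed raw (slide 8) and applies the sanitizer that fits each kind of data. The module name hackproof, the path hackproof/greet and the parameter names are assumptions; check_plain(), t(), l(), filter_xss(), check_markup(), field_get_items() and drupal_set_title() are Drupal 7 core functions, so the file is meant to live in a module on a Drupal 7 site.

```php
<?php
// Added example (not from the slides): one Drupal 7 page callback that
// renders untrusted input through the right sanitizer for each kind of data.
// "hackproof" is a hypothetical module name; the API calls are Drupal 7 core.

/**
 * Implements hook_menu().
 */
function hackproof_menu() {
  $items['hackproof/greet'] = array(
    'title' => 'Greeting',
    'page callback' => 'hackproof_greet_page',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback. Everything read below is attacker-controlled.
 */
function hackproof_greet_page() {
  $name = isset($_GET['name']) ? $_GET['name'] : '';      // plain text
  $link = isset($_GET['link']) ? $_GET['link'] : 'user';  // a path or URL
  $bio  = isset($_GET['bio'])  ? $_GET['bio']  : '';      // text with some HTML

  // VULNERABLE (what the audited theme did): the raw value lands in the page,
  // so markup in ?name= is rendered, and scripts run, for anyone who follows
  // such a link.
  // $output = '<h2>Hello ' . $name . '</h2>';

  $output = array();

  // Plain text: check_plain() turns < > & " ' into entities, so the slide-38
  // payload shows up as literal text instead of a <link>/<script> element.
  $output[] = '<h2>Hello ' . check_plain($name) . '</h2>';

  // Same result via t(): an @-placeholder is run through check_plain() by t()
  // itself. Do not pre-escape the value (double encoding), and never put
  // tainted data in a !-placeholder, which is inserted verbatim.
  $output[] = '<p>' . t('Signed in as @name', array('@name' => $name)) . '</p>';

  // Links: l() escapes the link text and builds the href with url(), which
  // neutralises javascript: and other dangerous protocols. The "BAD" slide-29
  // concatenation would emit $link exactly as supplied.
  $output[] = '<p>' . l(t('Your profile'), $link) . '</p>';

  // Limited HTML from a non-admin: filter_xss() with an explicit whitelist.
  // Tags outside the list (script, img, iframe, link, style, ...) are stripped
  // and attribute URLs are checked for bad protocols.
  $output[] = '<div class="bio">' . filter_xss($bio, array('a', 'em', 'strong', 'p')) . '</div>';

  // Stored rich text: always render through the text format the author chose,
  // never by printing the raw column. For a loaded $node it would read:
  //   $item = field_get_items('node', $node, 'body');
  //   $output[] = check_markup($item[0]['value'], $item[0]['format']);

  // The page title: drupal_set_title() escapes by default (CHECK_PLAIN), so
  // pass the raw value; PASS_THROUGH is only for already-sanitized strings.
  drupal_set_title($name);

  return implode("\n", $output);
}
```

The rule the callback follows is the one the slides give: pick the sanitizer by what the data is allowed to contain (no markup, a URL, a few inline tags, a full text format), apply it exactly once, and do it at output time rather than when the value is stored.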
• 31. Protect Your Database: db_query()
• 32. db_query(): runs a query in the database with the arguments to the query passed in as separate parameters, which are escaped to prevent SQL injection attacks.
• 33. db_query()
  CORRECT:
    db_query("INSERT INTO {table} VALUES (%d, '%s')", $node->profile_age, $node->profile_firstname);
  WRONG:
    db_query("SELECT * FROM table WHERE field = $node->profile_age");
• 34. Protect Your Database: db_query(), db_rewrite_sql() (not in Drupal 7)
• 35. db_rewrite_sql(): rewrites node, taxonomy and comment queries to respect Drupal's node access mechanism. Protects against unauthorized access to content.
• 36. db_rewrite_sql()
  CORRECT (Drupal 6; {node} must be aliased as n for the rewrite, and $uid is an argument of db_query(), not of db_rewrite_sql()):
    db_query(db_rewrite_sql("SELECT n.* FROM {node} n WHERE n.uid = %d"), $uid);
  INCORRECT:
    db_query("SELECT * FROM {node} WHERE uid = %d", $uid);
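Slides 33 and 36 use Drupal 6 idioms. As an added example that is not from the deck, the same two protections written against the Drupal 7 database layer that slide 30 and the API links refer to: named placeholders instead of %d and '%s', and the node_access query tag in place of db_rewrite_sql(). The function names and the hackproof_profile table are assumptions; db_query_range(), db_select(), db_insert() and the node_access tag are Drupal 7 core.

```php
<?php
// Added example (not from the slides): the slide-33 and slide-36 queries in
// Drupal 7 form. Function names and the hackproof_profile table are
// hypothetical; db_query_range(), db_select() and db_insert() are core.

/**
 * Nodes owned by $uid that the *current* user is allowed to view.
 *
 * Drupal 7 has no db_rewrite_sql(); tagging a dynamic query with node_access
 * makes node_query_node_access_alter() join {node_access} and apply the grants
 * of the acting account (global $user unless 'account' metadata is set).
 */
function hackproof_visible_titles_by_author($uid) {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.uid', (int) $uid)   // bound parameter, never interpolated
    ->condition('n.status', 1);
  $query->addTag('node_access');       // the db_rewrite_sql() replacement
  return $query->execute()->fetchAllKeyed();   // array(nid => title)
}

/**
 * Static SQL with named placeholders: the driver quotes every bound value,
 * so a $type of "page' OR '1'='1" is compared literally and matches nothing.
 */
function hackproof_nodes_of_type($type, $limit = 10) {
  // WRONG, the slide-33 mistake in Drupal 7 clothing:
  //   db_query("SELECT nid, title FROM {node} WHERE type = '$type'");
  return db_query_range(
    'SELECT nid, title FROM {node} WHERE type = :type AND status = 1 ORDER BY created DESC',
    0, (int) $limit,
    array(':type' => $type)
  )->fetchAllKeyed();
}

/**
 * The slide-33 INSERT against a hypothetical table. Values are bound, so a
 * first name containing quotes (O'Brien) is stored as-is and cannot alter
 * the statement.
 */
function hackproof_save_profile($uid, $age, $firstname) {
  return db_insert('hackproof_profile')
    ->fields(array(
      'uid'       => (int) $uid,
      'age'       => (int) $age,
      'firstname' => $firstname,
    ))
    ->execute();
}
```

Two caveats worth knowing before relying on the tag: it is only applied to queries built with db_select() (a static db_query() string is not rewritten), and it only narrows results when a node-access module has actually written grants; on a site with no such module, or for an account with the "bypass node access" permission, every published node stays visible.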
• 37. Beware User Input. Sources of user input:
  - Form fields
  - Uploaded files
  - Query string
  - Other sites
• 38. This is an exploited comment:
    <link rel="stylesheet" type="text/css" href="http://ha.ckers.org/xss.js{"><script>alert('xss');</script>}body{font-family:{" />
• 39. AJAX Risks
  - AJAX transactions are not private
  - Eval() is not 100% safe; use JSONP
• 40. Things Good Drupalers Do
  - Sanitize output
  - Use the Form API
  - Use parameterized queries
  - Leave core intact
  - Grant minimal permissions
  - Use HTTPS for social websites
  - Keep core and modules up to date!
• 41. Things That Will Bite You
  - Printing raw values
  - Modifying data with $_GET
  - Parameterized queries? WTF?
  - Hacking core and killing kittens
  - Allowing untrusted users to post the following tags: script, img, iframe, embed, object, input, link, style, meta, frameset, div, base, table, tr, td
  - Allowing untrusted users to post full HTML
• 42. “drupal” is NOT a good admin password!! (neither is “lapurd”)
• 43. Other Common Mistakes
    <?php
    global $user;
    // Bad – this will escalate the privileges: it replaces the current session's user object
    $user = user_load(array('uid' => $uid));
    ?>

    <?php
    global $user;
    // SAFE – do this instead
    $account = user_load(array('uid' => $uid));
    ?>
• 44. Other Common Mistakes
  - Improper URL access: incorrect usage of 'access callback' in hook_menu(); lack of security settings on views
  - Writing forms in HTML: use the Form API to provide automatic CSRF protection
• 45. Other Common Mistakes
  - Unvalidated and open redirects: iframes, drupal_goto, location.href
  - Promiscuous crossdomain.xml files
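The three mistakes on slides 44 and 45 that live in module code (a wrong access callback, a hand-written form, an unvalidated redirect) fixed in one Drupal 7 module, as an added example that is neither from the deck nor the speaker's code. The module name hackproof, its paths, the permission "administer hackproof" and the variable hackproof_landing are assumptions; hook_permission(), hook_menu(), user_access(), drupal_get_form(), url_is_external(), drupal_valid_path() and format_username() are Drupal 7 core.

```php
<?php
// Added example (not from the slides): access checks, a Form API form and a
// validated redirect in one hypothetical Drupal 7 module named "hackproof".

/**
 * Implements hook_permission().
 */
function hackproof_permission() {
  return array(
    'administer hackproof' => array(
      'title' => t('Administer hackproof settings'),
      'restrict access' => TRUE,   // flagged as sensitive on the permissions page
    ),
  );
}

/**
 * Implements hook_menu().
 */
function hackproof_menu() {
  // WRONG: 'access callback' => TRUE makes the page world-readable, and
  // leaving both access keys out inherits the parent item's check (here
  // 'access administration pages'), which is weaker than this page needs.
  $items['admin/config/system/hackproof'] = array(
    'title' => 'Hackproof',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('hackproof_settings_form'),
    // RIGHT: name the permission; user_access() is the default callback.
    'access arguments' => array('administer hackproof'),
  );
  // Per-object check: a callback that receives the loaded account (%user).
  $items['user/%user/hackproof'] = array(
    'title' => 'Hackproof',
    'page callback' => 'hackproof_user_page',
    'page arguments' => array(1),
    'access callback' => 'hackproof_user_access',
    'access arguments' => array(1),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * Access callback: the account owner or an administrator, nobody else.
 */
function hackproof_user_access($account) {
  global $user;
  return user_access('administer hackproof') || ($user->uid && $user->uid == $account->uid);
}

function hackproof_user_page($account) {
  return t('Settings for @name', array('@name' => format_username($account)));
}

/**
 * Form API form: drupal_get_form() adds form_build_id and form_token and
 * rejects a POST whose token does not match the session, which a hand-written
 * <form> never gets. That is the "automatic CSRF protection" of slide 44.
 */
function hackproof_settings_form($form, &$form_state) {
  $form['hackproof_landing'] = array(
    '#type' => 'textfield',
    '#title' => t('Landing page'),
    '#default_value' => variable_get('hackproof_landing', 'node'),
    '#description' => t('Internal path to send users to after saving.'),
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
  return $form;
}

function hackproof_settings_form_validate($form, &$form_state) {
  // Open-redirect guard: refuse external URLs and paths that do not exist,
  // so an attacker-chosen destination can never be stored and replayed.
  $path = trim($form_state['values']['hackproof_landing']);
  if (url_is_external($path) || !drupal_valid_path($path)) {
    form_set_error('hackproof_landing', t('Enter an internal path that exists.'));
  }
}

function hackproof_settings_form_submit($form, &$form_state) {
  variable_set('hackproof_landing', $form_state['values']['hackproof_landing']);
  // Redirect only to the validated internal path; nothing from $_GET is
  // handed to drupal_goto() or put in location.href.
  $form_state['redirect'] = $form_state['values']['hackproof_landing'];
}
```

The same validate-before-redirect shape applies wherever the destination comes from a request parameter: check url_is_external() first, then that the path resolves, and only then pass it on.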
• 46. Don't Trust User Input!
• 47. Drupal Security Resources: http://drupal.org
  - Writing Secure Code: http://drupal.org/writing-secure-code
  - Handle Text in a Secure Fashion: http://drupal.org/node/28984
  - Secure File Permissions: http://drupal.org/node/244924
  - Drupal Security Team
• 48. Modules
  - Coder: http://drupal.org/project/coder
  - Security Review: http://drupal.org/project/security_review
  - Secure Code Review: http://drupal.org/project/secure_code_review
  - Secure Permissions: http://drupal.org/project/secure_permissions
• 49. Books
  - Pro Drupal Development (VanDyk)
  - Cracking Drupal: A Drop in the Bucket (Knaddison)
  - XSS Scripting Attacks (Grossman)
• 50. Questions?
Editor's Notes

  • #12: collected and analyzed from June 1, 2005 through March 24, 2010