Drupal and security - Advice for Site Builders and Coders
1 like1,587 views
The document provides an overview of security best practices for Drupal site builders and developers, detailing common vulnerabilities such as XSS, SQL injection, and access bypass. It emphasizes the importance of proper configurations, secure coding practices, and the use of Drupal's built-in security features. Additionally, it includes resources for further reading and maintaining a secure Drupal environment.
Drupal and security - Advice for Site Builders and Coders
- 1. Drupal and SecurityAdvice for Site Builders and Coders Arunkumar Kuppuswamy Software Engineer Innoppl Technologies [email protected] Phone: +91 80986 41508
- 2. ● Security Vulnerabilities ● General Tips ● Server Environment ● Site Configurations ● Personal Practices ● Drupal Configuration ● Writing Custom Codes Agenda
- 3. ● Drupal is an open-source CMS and or framework ● 2.2% of websites in Internet are running using Drupal ● 3rd Popular CMS in world. ● Reliability ● Scalability ● A huge dedicated community Why Drupal ?
- 4. https://w3techs.com/technologies/overview/content_management/all Do you think Drupal is the Right choice ?
- 7. - System flaw or weakness in an application ● Cross Site Scripting (XSS) ● Broken Authentication ● Gain Information / Privileges ● SQL Injection ● Bypass something ● CSRF Security vulnerabilities
- 8. ● Cross Site Scripting ● Code in the browser ● Making requests ● Parsing responses ● Javascript, Flash, Java, etc. What is XSS?
- 9. ● Filter text ● On output to browser ● As late as reasonable ● Some API filters where reasonable ● t() and Drupal::translation()->formatPlural() with @text and %text placeholders Fixing XSS?
- 11. - User to access the system without going through the security clearance ● User can see or do something ● That permissions/access should prevent What is Access Bypass?
- 12. ● Creating Permissions MODULE_NAME.permissions.yml Fixing Access Bypass
- 13. ● Menu Callbacks MODULE_NAME.routing.yml Fixing Access Bypass
- 14. ● Node access ○ hook_node_access() ● User access ○ hook_user_access() ● Entity access ○ hook_entity_access() ● Field access ○ hook_field_access() Fixing Access Bypass
- 16. ● User has permission to Access ● Use behat Fixing Access Bypass?
- 17. - Executing malicious SQL statements. ● Incorrectly filtered escape characters ● Incorrect type handling ● Blind Conditional SQL injection SQL Injection
- 18. Drupal SQL Injection Sample Code
- 19. Drupal SQL Injection Sample Code
- 20. ● Database abstraction layer ● Adding tags to your queries Fixing SQL Injection
- 21. Unauthorized commands are transmitted from a user that the website trusts. ● Path that does not confirm intent ● <img src="http://example.com/node/1/quickdelete" > ● Mostly in Form submissions What is CSRF?
- 22. ● Use Form API: confirmation forms ● Send and validate tokens : Drupal::csrfToken() ● Using a secret cookie ● Multi-Step Transactions ● HTTPS Fixing CSRF?
- 23. ● YAML route definition for a protected link ● Protected Ajax request Fixing CSRF?
- 24. ● Protected Ajax request Fixing CSRF?
- 25. ● Roles and permissions ● Keep your site settings secure ○ Text formats ○ PHP module ○ PHP in other modules Secure site configuration
- 26. ● File permissions: web server user forbidden to change code ● PHP execution: restrict in .htaccess or Nginx config ● Drupal handbook for securing your site Secure site configuration
- 27. ● Secure Login ● Paranoia ● Security Review ● Permissions Lock ● Hacked! ● Password policy / Password strength ● Two Factor Authentication ● Shield ● Security Kit Modules Enhancing Security
- 28. ● Stronger password hashing / salt ● Login flood control ○ prevents brute-force credential guessing ● Protected cron ○ prevents Denial of Service attacks Drupal 8
- 29. Update Settings
- 30. ● Automatically sanitizes strings on output ● No PHP in templates ● You can't run SQL queries ● Twig auto-escaping : htmlspecialchars() Drupal 8: Twig
- 32. ● Filtered HTML format ● Limiting users to using only images local Content Entry & Filtering Improved
- 34. ● Use HTTPS, SSH, SFTP ● Strong password policy ● Server – LAMP stack ● Require SSH keys ● Take & verify your backups ○ Sanitize backups before sharing General Tips
- 35. ● Drupal Security Team ○ Keep Drupal code secure in core and contrib ○ Educate the community on security best practices 1. Developers 2. Site builders 3. Site administrators and users 4. Decision makers ○ Security Advisory for every security release ○ @drupalsecurityandSecurity Group Security Process
- 36. Security Issue Code Maintainer Team Security New Release
- 37. ● https://www.oakleys.org.uk/blog/2017/01/how_to_secure_a_drupal _website ● https://pantheon.io/blog/9-tips-and-tricks-securing-your-drupal-site -pantheon ● https://www.drupal.org/documentation/is-drupal-secure ● https://www.drupal.org/security/secure-configuration ● https://www.ostraining.com/blog/drupal/8-things-drupal-security/ ● https://www.keycdn.com/blog/drupal-security/ References:
- 38. Any Queries ?
- 39. Thank you!