Drupal Security
ran-bar-zik

Transcript of Drupal Security
Securing the server is important
● The best server protection will not secure your application.
● The best application protection will not secure your server.
Drupal XSS filter
filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'))

Any tag not in $allowed_tags is stripped; on the tags that are kept, on* event-handler attributes and javascript: style URLs are removed as well.

XSS - not only in <script>
● <video poster=javascript:alert(1)//></video>
● <video onerror="alert(1)"><source></source></video>
● <picture><img srcset="x" onerror="alert(1)"></picture>
And much more @ https://html5sec.org/
Client side validation is not enough
Anyone who skips the browser (curl, an intercepting proxy, devtools) skips the client-side checks, so every check has to be repeated on the server. It is still important: a request that fails server-side validation even though the client-side check would have caught it was crafted deliberately, which helps us to pinpoint attacks.
Sanitizing the output as well
It is important to sanitize output, not only input.
● We validate and sanitize input.
● We sanitize output.
Example in Drupal - source

print $_SERVER['HTTP_REFERER'];

The 404 page says: "You came from $_SERVER['HTTP_REFERER'], but you got 404". The Referer header is the URL of the page that linked here, so whoever wrote that page chooses its content; printing it unescaped is a reflected XSS.
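The 404 page from the slide as a Drupal 7 page callback, in its vulnerable and hardened forms, together with filter_xss() from the XSS filter slide for output that has to keep some markup. This is an added example, not code from the slides; the module name "xssdemo", the function names and the path are assumptions made for it.

```php
<?php
/**
 * Added example (not from the slides): the 404 page as a Drupal 7 page
 * callback, vulnerable and hardened, plus filter_xss() for output that has
 * to keep some markup. The module name "xssdemo", the function names and
 * the path are assumptions made for this example.
 */

/**
 * Vulnerable. The Referer header is the URL of the page that linked here, so
 * whoever wrote that page chooses its content; echoing it unescaped into the
 * HTML is a reflected XSS.
 */
function xssdemo_404_vulnerable() {
  return 'You came from ' . $_SERVER['HTTP_REFERER'] . ', but you got 404';
}

/**
 * Hardened. The header may be missing, and it is plain text, so it goes
 * through check_plain() via the @ placeholder of t(). Placeholder types
 * matter in Drupal 7: @var is check_plain()ed, %var is check_plain()ed and
 * wrapped in <em>, !var is inserted raw.
 */
function xssdemo_404_page() {
  $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
  if ($referer === '') {
    return t('Page not found.');
  }
  return t('You came from @referer, but you got 404', array('@referer' => $referer));
}

/**
 * For output that must carry markup (a bio, a comment body), escaping
 * everything is not an option; filter_xss() keeps the default tag whitelist
 * from the slide and drops the rest. With the payloads from the XSS slide:
 *   <video poster=javascript:alert(1)//></video>            -> tag not allowed, removed
 *   <video onerror="alert(1)"><source></source></video>     -> removed
 *   <picture><img srcset="x" onerror="alert(1)"></picture>  -> removed
 * and on allowed tags it still strips on* attributes and dangerous protocols:
 *   <a href="javascript:alert(1)" onclick="alert(1)">x</a>  -> <a href="alert(1)">x</a>
 */
function xssdemo_render_bio($raw_bio) {
  return filter_xss($raw_bio);
}

/**
 * Implements hook_menu(): wires the hardened callback to a path so it can be
 * configured as the site's 404 page (admin/config/system/site-information).
 */
function xssdemo_menu() {
  $items['xssdemo/not-found'] = array(
    'title' => 'Page not found',
    'page callback' => 'xssdemo_404_page',
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );
  return $items;
}
```

The choice between check_plain() and filter_xss() is the choice between "this is text" and "this is HTML I do not fully trust"; the Referer is text, a bio is HTML. Getting the @ / ! placeholder right in t() is the same decision in disguise.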
CSRF example

Form GET: http://www.mysite.com/?action=delete&nid=NID

Attacker link:
<a href="http://www.mysite.com/?action=delete&nid=NID"><img src="See_bar_naked.png" /></a>

The victim's browser attaches the victim's session cookie to the request, so the site performs the delete as the logged-in user. Because the action is a GET, the attacker does not even need the click: an <img src="..."> pointing at that URL fires the request as soon as the page loads.
Form tokens - print the token (adapted from what Drupal 7's drupal_prepare_form() does for every form of a logged-in user)

if (!isset($form['#token'])) {
  $form['#token'] = $form_id;
  $form['form_token'] = array(
    '#id' => drupal_html_id('edit-' . $form_id . '-form-token'),
    '#type' => 'token',
    '#default_value' => mymodule_generate_token($form['#token']),
  );
}

Form tokens - generate the token

function mymodule_generate_token($form_id) {
  $secret = 'my-unique-string';
  // Bind the token to the current session as well as to the form ID and the
  // site's private key and hash salt (this is what drupal_get_token() does).
  // Without session_id() every visitor would get the same token and an
  // attacker could read it from their own session and paste it into the
  // forged form.
  return drupal_hmac_base64($form_id, $secret . session_id() . drupal_get_private_key() . drupal_get_hash_salt());
}

Form tokens - verify the token

function mymodule_check_valid_token($form_token, $form_id) {
  // Strict comparison: a loose == would let a token that is not a string through.
  return ($form_token === mymodule_generate_token($form_id));
}
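The GET delete action from the CSRF slide, first as the slide shows it and then protected with the per-session token scheme that the form-token slides describe and that Drupal 7's Form API applies to POSTed forms. This is an added example, not code from the slides; the module name "csrfdemo", the paths and the token value prefix are assumptions made for it.

```php
<?php
/**
 * Added example (not from the slides): the GET delete action from the CSRF
 * slide, unprotected and then protected with drupal_get_token() /
 * drupal_valid_token(), the same per-session HMAC Drupal 7 puts into every
 * form as form_token. The module name "csrfdemo", the paths and the token
 * value prefix are assumptions made for this example.
 */

/**
 * Implements hook_menu().
 */
function csrfdemo_menu() {
  // Vulnerable: any GET to this path from a browser with a valid session deletes the node.
  $items['csrfdemo/delete-unsafe/%node'] = array(
    'page callback' => 'csrfdemo_delete_unsafe',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  // Protected: same action, but the request must carry a token issued to this session.
  $items['csrfdemo/delete/%node'] = array(
    'page callback' => 'csrfdemo_delete',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Vulnerable page callback. An <img src="http://www.mysite.com/csrfdemo/delete-unsafe/NID">
 * on any other site makes the victim's browser send this request with the
 * victim's session cookie; the 'administer nodes' check passes because the
 * victim really is an administrator.
 */
function csrfdemo_delete_unsafe($node) {
  node_delete($node->nid);
  drupal_goto('<front>');
}

/**
 * Builds the delete link for the protected path. drupal_get_token($value) is
 * drupal_hmac_base64($value, session_id() . drupal_get_private_key() .
 * drupal_get_hash_salt()), so the link is only valid in the session that
 * rendered it and the attacker's page has no way to obtain it.
 */
function csrfdemo_delete_link($node) {
  return l(t('Delete'), 'csrfdemo/delete/' . $node->nid, array(
    'query' => array('token' => drupal_get_token('csrfdemo-delete-' . $node->nid)),
  ));
}

/**
 * Protected page callback. drupal_valid_token() recomputes the token for the
 * current session and compares it; a forged request from another origin
 * cannot supply it and gets a 403 instead of deleting anything.
 */
function csrfdemo_delete($node) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'csrfdemo-delete-' . $node->nid)) {
    return MENU_ACCESS_DENIED;
  }
  node_delete($node->nid);
  drupal_set_message(t('Deleted %title.', array('%title' => $node->title)));
  drupal_goto('<front>');
}
```

Binding the token to the node ID as well as the session means a token captured for one node cannot be replayed against another. A state change behind a GET is still a smell; the idiomatic Drupal way is a confirm_form(), which POSTs and gets form_token for free.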
SQLi - source

function show_user_profile() {
  if ('user_profile' == arg(0)) {
    // arg(1) comes straight from the URL and is interpolated into the SQL.
    $account_id = arg(1);
    $account = db_query("SELECT * FROM users WHERE uid = $account_id")->fetchObject();
    // Display issues
  }
}
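The profile lookup from the SQLi slide hardened with Drupal 7's database API, with a note on what the original query does with a crafted URL. This is an added example, not code from the slides; the module name "sqlidemo" and the function names are assumptions made for it.

```php
<?php
/**
 * Added example (not from the slides): the profile lookup from the SQLi slide
 * hardened with Drupal 7's database API. The module name "sqlidemo" and the
 * function names are assumptions made for this example.
 *
 * What the vulnerable query does with the URL /user_profile/1%20OR%201=1
 * (arg(1) becomes "1 OR 1=1"):
 *   SELECT * FROM users WHERE uid = 1 OR 1=1
 * The WHERE clause is always true, so fetchObject() returns the first row of
 * the users table, password hash included, instead of the requested profile.
 */

/**
 * Hardened. A named placeholder makes uid a bound parameter: the value travels
 * to the database separately from the SQL text and cannot change its
 * structure. {users} lets Drupal apply the configured table prefix, and the
 * column list avoids pulling the pass hash along with the profile.
 */
function sqlidemo_load_profile($account_id) {
  // Placeholders stop injection; validating the type as well stops noisy
  // database errors and makes the intent explicit.
  if (!ctype_digit((string) $account_id)) {
    return FALSE;
  }
  return db_query('SELECT uid, name, mail, created FROM {users} WHERE uid = :uid',
    array(':uid' => (int) $account_id))->fetchObject();
}

/**
 * The same lookup through the query builder; condition() binds its values the
 * same way, so the two forms are equivalent for injection purposes.
 */
function sqlidemo_load_profile_select($account_id) {
  return db_select('users', 'u')
    ->fields('u', array('uid', 'name', 'mail', 'created'))
    ->condition('u.uid', (int) $account_id)
    ->execute()
    ->fetchObject();
}

/**
 * Implements hook_menu(). Using the %user wildcard loader instead of arg(1)
 * means user_load() has already resolved the account with its own safe query,
 * and an unknown ID gets a 404 before the page callback runs.
 */
function sqlidemo_menu() {
  $items['user_profile/%user'] = array(
    'title' => 'Profile',
    'page callback' => 'sqlidemo_show_user_profile',
    'page arguments' => array(1),
    'access arguments' => array('access user profiles'),
  );
  return $items;
}

/**
 * Page callback. The display side has its own issue: the name is user-supplied
 * text, so it is escaped with the @ placeholder.
 */
function sqlidemo_show_user_profile($account) {
  return t('Profile of @name', array('@name' => format_username($account)));
}
```

The (int) cast and ctype_digit() check are defence in depth, not the fix; the fix is that the value never becomes part of the SQL string.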
Module pitfalls
Does your module include any of these? Each one marks a spot that deserves a second look.
● check_plain
● token
● xss
● ->fetchObject (raw db_query() results)
● Integration with Views?
Mundane stuff to do
● Avoid brute force login attacks (Drupal 7 ships flood control for failed logins; keep it enabled).
● DO NOT download modules/themes from untrusted sources.
● Install the Security Review module.
Conclusion
● It is important to know about the major security hazards.
● You do not need to be a hacker.
● Back up often, update more than often.