Drupal Security

Security in Drupal

Ran Bar-Zik

● Enterprise Scale Software Developer
● Site: internet-israel.com
● twitter: @barzik

Hackers in popular media

Hackers in reality

Securing server is important

● The best server protection will not secure your application.

● The best application protection will not secure your server.

XSS - Running my JS in other site

XSS - Why is it bad?

Drupal XSS filter

filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'))

XSS - not only in <script>

● <video poster=javascript:alert(1)//></video>
● <video onerror="alert(1)"><source></source></video>
● <picture><img srcset="x" onerror="alert(1)"></picture>

And much more @ https://html5sec.org/

Client side validation is not enough

But it is important, because it can help us to pinpoint attacks.

Sanitizing the output as well

It is important to sanitize output.

We are validating\sanitizing input. We are sanitizing output.

Example in Drupal - source

<body class="<?php print arg(0); ?>"></body>

Example in Drupal - attack

mydrupal.com/"<script>alert('ff')</script>

Example in Drupal - source

print $_SERVER['HTTP_REFERER'];

You came from $_SERVER['HTTP_REFERER'], but you got 404

Cross Site Request Forgery - CSRF

CSRF example

Form GET : http://www.mysite.com/?action=delete&nid=NID

Attacker link:

<a href="http://www.mysite.com/?action=delete&nid=NID"><img src="See_bar_naked.png" /></a>

Form Tokens - print the token

if (!isset($form['#token'])) {
  $form['#token'] = $form_id;
  $form['form_token'] = array(
    '#id' => drupal_html_id('edit-' . $form_id . '-form-token'),
    '#type' => 'token',
    '#default_value' => mymodule_generate_token($form['#token']),
  );
}

Form tokens - generate the token

function mymodule_generate_token($form_id) {
  $secret = 'my-unique-string';
  return drupal_hmac_base64($form_id, $secret . drupal_get_private_key() . drupal_get_hash_salt());
}

Form tokens - verify token

function mymodule_check_valid_token($form_token, $form_id) {
  // Constant-time comparison (PHP 5.6+); a plain == is subject to PHP type
  // juggling and leaks timing information about the expected token.
  return hash_equals(mymodule_generate_token($form_id), (string) $form_token);
}

SQL injection

SQLi - source

function show_user_profile() {
  if ('user_profile' == arg(0)) {
    $account_id = arg(1);
    // Vulnerable: the path argument is interpolated straight into the SQL string.
    db_query("SELECT * FROM users WHERE uid = $account_id")->fetchObject();
    // Display issues
  }
}

SQLi - attack

use the query: user_profile/1'; DROP TABLE users; --'/
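The same profile lookup rewritten with the Drupal 7 database layer's placeholders, so the path argument never becomes part of the SQL text. This is an added example, not code from the slides; the `mymodule_` function name is assumed, and `{users}`, `:uid` placeholders, `MENU_NOT_FOUND` and `check_plain()` are Drupal 7 conventions.

```php
<?php
/**
 * Hardened version of the show_user_profile() example (added example).
 *
 * Two defences stack here:
 *  1. The id is validated as a plain integer before it is used, so an
 *     input like "1'; DROP TABLE users; --" is rejected up front.
 *  2. The query uses a named placeholder; the database driver sends the
 *     value separately from the SQL text, so quoting tricks cannot
 *     change the statement.
 */
function mymodule_show_user_profile() {
  // Only handle paths of the form user_profile/<id>.
  if (arg(0) != 'user_profile') {
    return MENU_NOT_FOUND;
  }
  $raw_id = arg(1);

  // Defence 1: accept only a non-empty run of digits.
  // ctype_digit() returns FALSE for '', '1.0', '-1' and "1'; DROP ...".
  if ($raw_id === NULL || !ctype_digit((string) $raw_id)) {
    return MENU_NOT_FOUND;
  }
  $account_id = (int) $raw_id;

  // Defence 2: parameterised query. {users} lets Drupal apply its table
  // prefix; :uid is bound by the driver, never interpolated into the SQL.
  $account = db_query(
    'SELECT uid, name, mail FROM {users} WHERE uid = :uid',
    array(':uid' => $account_id)
  )->fetchObject();

  if (!$account) {
    return MENU_NOT_FOUND;
  }

  // Output is escaped as well: check_plain() neutralises any markup stored
  // in the name field, so stored XSS cannot ride through this page.
  return '<h2>' . check_plain($account->name) . '</h2>';
}
```

Returning MENU_NOT_FOUND from a page callback lets Drupal render its own 404 page instead of echoing the attacker-controlled value back, which also covers the HTTP_REFERER case from the earlier slide.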

Module pitfalls

Does your module include:

● check_plain
● token
● xss
● ->fetchObject
● Integration with VIEWS?

Mundane stuff to do

● Avoid Brute force login attacks
● DO NOT download modules\themes from untrusted source.
● Install Security Review Module

Hide the fact that you use Drupal

Conclusion

● It is important to know about major security hazards.

● You do not need to be a hacker.
● Backup often, update more than often.

Thank you!