Secure your Drupal site by first hacking into it
Think like a hacker http://www.flickr.com/photos/31246066@N04/4252587897/
How sites get hacked
• XSS
• Insecure environment
• Stolen access
• Outdated code, known vulnerabilities
XSS Demo
• Malicious Javascript is entered
• Admin unknowingly executes it
• Javascript alters admin-only settings
• Changes admin password
• Puts site offline
http://www.flickr.com/photos/paolo_rosa/5088971947/
https://vimeo.com/15447718
Ben Jeavons, Drupaler for 5 years, member of the Drupal Security Team, @benswords
Drupal vulnerabilities by popularity (pie chart of XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection and Others, as reported in core and contrib SAs from 6/1/2005 through 3/24/2010)
Cross Site Scripting
Cross Site Scripting (XSS)
• Javascript performing actions without your intent
• Everything you can do, XSS can do faster
Stored XSS
• Step 1: the attacker's request carries Javascript to Drupal, which stores it in the DB
• Step 2: the victim requests a page; Drupal reads the Javascript back from the DB and returns it in the response
• Step 3: the victim's browser runs the Javascript, which sends its own requests to Drupal
// Vulnerable: the raw, user-supplied title is never escaped before output.
$node = node_load($nid);
$title = $node->title;
drupal_set_title($title);
...
(later, in page.tpl.php)
...
<h1><?php print $title; ?></h1>
Fixing XSS: identify where the data came from. User input!
User input is more than form fields: user agent, language, time zone, referrer and other HTTP request headers are all user-controlled, and there are lots of tools and ways to modify them in requests.
Fixing XSS: identify where the data came from. Is that data being filtered or escaped before output?
Raw Input → Filtered Output
// Fixed: escape at output time, before the value reaches the page title.
$node = node_load($nid);
$title = $node->title;
$safe = check_plain($title);
drupal_set_title($safe);
...
(later, in page.tpl.php)
...
// $title here is the page title set via drupal_set_title(), i.e. the escaped value.
<h1><?php print $title; ?></h1>
XSS in Themes
// Vulnerable: ['value'] is the raw stored field value.
<div class="stuff">
  <?php print $node->field_stuff[0]['value']; ?>
</div>
// Fixed: print the filtered copy, or format the field through CCK.
<div class="stuff">
  <?php
  print $node->field_stuff[0]['safe'];
  // OR
  $stuff = $node->field_stuff[0];
  print content_format('field_stuff', $stuff);
  ?>
</div>
Sanitize user input for output
$msg = variable_get('my_msg', '');
print check_plain($msg);
Test for XSS vulnerability
<script>alert('xss yo')</script>
github.com/unn/vuln
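The three code slides above (the raw title, the theme field and the variable) all come down to one rule: escape once, at output time. The following is an added example, not code from the talk, that can be run with plain PHP outside a Drupal bootstrap. Because check_plain() and CCK's 'safe' key are Drupal's, it uses a stand-in (check_plain_standin, an assumption) that does what Drupal 6's check_plain() does internally, htmlspecialchars() with ENT_QUOTES and UTF-8, and a constructed sample node carrying the payload from the test slide.

```php
<?php
// Added example (not from the talk): stored-XSS output escaping, runnable outside Drupal.
// check_plain() is Drupal's; with no Drupal bootstrap this stand-in does what
// Drupal 6's check_plain() does internally: htmlspecialchars() with ENT_QUOTES and UTF-8.
function check_plain_standin($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample node: the payload from the test slide, saved both as the node
// title and as a raw CCK field value (['value']).
function sample_node() {
  return (object) array(
    'nid' => 1,
    'title' => "Hello <script>alert('xss yo')</script>",
    'field_stuff' => array(
      array('value' => "<script>alert('xss yo')</script>"),
    ),
  );
}

// The "before" slide: the raw title goes straight into the <h1>.
function render_title_vulnerable($node) {
  return '<h1>' . $node->title . '</h1>';
}

// The "after" slide: escape once, at output time.
function render_title_safe($node) {
  return '<h1>' . check_plain_standin($node->title) . '</h1>';
}

// The theme slide: ['value'] is raw. Here the escaped copy is produced the way a
// plain-text field's 'safe' key would be (assumption: no input format applied).
function render_field_safe($node) {
  $stuff = $node->field_stuff[0];
  return '<div class="stuff">' . check_plain_standin($stuff['value']) . '</div>';
}

// Regression check: a literal "<script" surviving into rendered HTML means an
// escaping step was skipped somewhere between storage and output.
function contains_live_script($html) {
  return stripos($html, '<script') !== false;
}

$node = sample_node();
$checks = array(
  'raw title is exploitable' => contains_live_script(render_title_vulnerable($node)) === true,
  'escaped title is inert'   => contains_live_script(render_title_safe($node)) === false,
  'escaped field is inert'   => contains_live_script(render_field_safe($node)) === false,
);
foreach ($checks as $name => $ok) {
  echo ($ok ? 'PASS ' : 'FAIL ') . $name . PHP_EOL;
}
echo render_title_safe($node) . PHP_EOL;
```

Run it with `php xss_escape.php`. The contains_live_script() check is deliberately crude: it is a smoke test for the rendered markup, not a substitute for escaping, and inside a real site the escaping call must be Drupal's own check_plain() or check_markup() rather than the stand-in.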
Insecure Environment
Insecure Environment
• Lock down your stack
• Admin tools and access to them
• Principle of least privilege: give out only necessary permissions
Insecure Environment: admin tools such as /devel/variable and /phpMyAdmin
Insecure Environment
• Make backups
• Test that they work
• Secure access to backups
Center for Health Transformation’s records were “found by The New York Times in an unsecured archived version of the site” http://www.nytimes.com/2011/11/30/us/politics/gingrich-gave-push-to-clients-not-just-ideas.html http://www.flickr.com/photos/mjb/208218519/
Insecure Environment: /sites/default/files/backup_migrate/ (where the Backup and Migrate module writes its backups)
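The two environment slides above (admin tools, and access to backups) are the kind of thing that is fixed in the web server rather than in Drupal. The following is an added example, not from the talk or any Drupal project: Apache 2.2-era directives for a virtual host. It assumes a docroot of /var/www/drupal, that phpMyAdmin is served at /phpMyAdmin, and that 192.0.2.0/24 stands in for the network admins connect from; all three are placeholders.

```apache
# Added example, not from the talk or any Drupal project: Apache 2.2-style
# mod_authz_host rules for the site's virtual host.
# Assumptions (placeholders): docroot /var/www/drupal, phpMyAdmin at /phpMyAdmin,
# 192.0.2.0/24 as the admin network.

# Backups written to sites/default/files/backup_migrate/ are never served over
# HTTP. Drupal's stock files/.htaccess only stops PHP execution of uploads; every
# file under files/ is otherwise still readable by URL, which is not enough for
# a database dump.
<Directory "/var/www/drupal/sites/default/files/backup_migrate">
    Order deny,allow
    Deny from all
</Directory>

# Admin tools are reachable only from the admin network, not the whole Internet.
# Weak setting, kept here commented out for comparison: anyone who knows the
# path can reach the login form.
# <Location /phpMyAdmin>
#     Order allow,deny
#     Allow from all
# </Location>
<Location /phpMyAdmin>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
</Location>
```

On Apache 2.4 the Order/Deny/Allow trio becomes `Require all denied` and `Require ip 192.0.2.0/24`. The devel module's /devel/variable page is served by Drupal itself, so the cleaner fix there is to keep devel disabled in production; a Location block can wrap /devel in the same way as a second line of defence.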
Stolen Access
SSL
• Run Drupal on full TLS/SSL
• securepages & securepages_prevent_hijack: http://drupalscout.com/node/17
• Use a valid certificate
SFTP ("Secure" FTP)
• Your host should provide it
• If not, consider a new one
Stay up-to-date
Stay up-to-date
• Know and apply security updates (Security Advisories)
• Not just Drupal: third-party libraries (TinyMCE), PHP, operating system
/CHANGELOG.txt
Automation http://www.flickr.com/photos/hubmedia/2141860216/
Steps to a mostly automated review
• Security Review: drupal.org/project/security_review
• Hacked: drupal.org/project/hacked
• Coder: drupal.org/project/coder
• Secure Code Review: drupal.org/project/secure_code_review
• Vuln: github.com/unn/vuln
• More: http://drupalscout.com/node/11
In-depth, hands-on security training: drupalcon.org, bit.ly/drupalcon-security
Read: drupal.org/security/writing-secure-code, drupalscout.com, crackingdrupal.com
Converse: groups.drupal.org/best-practices-drupal-security
ben.jeavons@acquia.com @benswords

Hack Into Drupal Sites (or, How to Secure Your Drupal Site)