©2016 Acquia Inc. — Confidential and Proprietary
Hack Proof your Drupal site
Naveen Valecha, March 5, 2017
Agenda
– Common Security Strategies
– SQL Injection
– Cross-Site Scripting (XSS)
– Cross-Site Request Forgery (CSRF)
– Access bypass (Node access bypass & Menu access bypass)
– Correct use of drupal_goto: incorrect use leads to a vulnerability
– Security Improvements in Drupal 8
– Contributed Modules and how to use them securely
Who am I?
– Drupal 6, 7, 8 contributor
– Git Administrator
– Maintainer of groups.drupal.org
– Maintainer of Captcha, http_response_headers
Common Security Strategies
– Trust: who can do what on the website.
– Software Updates: keep your software up to date (server, web server, Drupal, etc.)
– Security Misconfigurations
Securing your website: https://www.drupal.org/security/secure-configuration
Permissions
– Be careful with site-owning permissions.
– Similarly with the text formats.
– User 1's name should not be something simple like "admin", and don't use that account for day-to-day work: it has all permissions.
Security Misconfigurations
– Disable PHP error reporting (admin/config/development/logging)
– Disable the PHP filter module.
– Make sure PHP files are not writable by the web server.
– Remove write permissions for www-data everywhere except the files directory:
-rw-r----- 1 neal www-data index.php
drwxr-x--- 32 neal www-data modules/
drwxrwx--- 7 www-data neal sites/default/files/
SQL Injection
An attacker controls the request parameters; concatenating them straight into a query is SQL injection:
<?php
// Vulnerable: $_GET['user'] is interpolated into the SQL string unescaped.
db_query("SELECT uid FROM {users} u WHERE u.name = '" . $_GET['user'] . "'");
?>
SQL Injection - Exploit
http://example.dev/?user=x%27%3B%20DROP%20table%20node%3B%20--
Query: SELECT uid FROM users u WHERE u.name = 'x'; DROP table node; --'
This will delete your node table, leading to data loss and a broken website.
SQL Injection - Correct Usage
<?php
// Named placeholder: the value is bound by the database layer, never
// interpolated into the SQL text.
db_query("SELECT uid FROM {users} u WHERE u.name = :name", array(':name' => $_GET['user']));

// OR: the query builder, which generates the placeholders itself.
db_select('users', 'u')
  ->fields('u', array('uid'))
  ->condition('u.name', $_GET['user'])
  ->execute();
?>
Cross-site Scripting (XSS)
– Attackers can inject client-side script into web pages to bypass the security policy.
– Any data entered via form fields must be sanitized before it is printed.
XSS - Exploit Result
Handle text in a secure fashion: https://www.drupal.org/node/28984
Cross-site Request Forgery (CSRF)
// Vulnerable: a plain GET to admin/pizza/%/delete performs the deletion with
// no confirmation form and no token, so any page an administrator visits can
// trigger it on their behalf.
function pizza_menu() {
  $items['admin/pizza/%/delete'] = array(
    'title' => 'Pizza',
    'description' => 'Delete the pizza.',
    'page callback' => 'pizza_delete',
    'access arguments' => array('administer pizza'),
    'file' => 'pizza.admin.inc',
  );
  return $items;
}

function pizza_delete() {
  $nid = arg(2);
  node_delete($nid);
  cache_clear_all();
  drupal_goto('admin/pizza');
}
CSRF - Exploit
Attackers can post somewhere http://d7vulnerable.
dev/admin/pizza/1/delete
like this
<img src=”http://d7vulnerable.dev/admin/pizza/1/delete”></img>
CSRF - Protection
– Confirmation forms
– Security tokens in the URL:
http://d7vulnerable.dev/admin/pizza/1/delete?token=blaski23ijuinfiknerja_eiriwe_rmewhfuihacnuhierwn
Use the Form API to avoid CSRF: https://www.drupal.org/node/178896
Protecting your Drupal module against CSRF: https://docs.acquia.com/articles/protecting-your-drupal-module-against-cross-site-request-forgeries
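The pizza delete route from the CSRF slide rebuilt on the Form API, as an added example that is not from the slides: the deletion only runs from the confirmation form's submit handler, which Drupal 7 executes only after the form's built-in token has been validated. The module name "pizza" and the 'administer pizza' permission come from the slide; the function names and the %node wildcard are assumed.

```php
<?php
// Added example: Drupal 7 hook_menu() entry that renders a confirmation form
// instead of deleting on GET. "pizza" and 'administer pizza' are from the
// slide; everything else here is assumed.

/**
 * Implements hook_menu().
 */
function pizza_menu() {
  // %node makes Drupal call node_load() on the path argument and pass the
  // resulting object to the form builder as its third parameter.
  $items['admin/pizza/%node/delete'] = array(
    'title' => 'Delete pizza',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('pizza_delete_confirm_form', 2),
    'access arguments' => array('administer pizza'),
    'file' => 'pizza.admin.inc',
  );
  return $items;
}

/**
 * Form builder: a GET request only renders the question, nothing is deleted.
 */
function pizza_delete_confirm_form($form, &$form_state, $node) {
  $form['#node'] = $node;
  return confirm_form(
    $form,
    t('Are you sure you want to delete %title?', array('%title' => $node->title)),
    'admin/pizza',
    t('This action cannot be undone.'),
    t('Delete'),
    t('Cancel')
  );
}

/**
 * Submit handler: reached only on a POST whose form token was valid.
 */
function pizza_delete_confirm_form_submit($form, &$form_state) {
  $node = $form['#node'];
  node_delete($node->nid);
  cache_clear_all();
  drupal_set_message(t('%title has been deleted.', array('%title' => $node->title)));
  // The Form API redirect the slides recommend over a bare drupal_goto().
  $form_state['redirect'] = 'admin/pizza';
}
```

For an action that must stay a link rather than a form, the token variant from the slide pairs drupal_get_token() when building the link with drupal_valid_token() in the callback before acting.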
Node Access bypass
This vulnerability is usually found in modules that expose node table data. It can be fixed by adding the node_access tag to the query and using the access API.
Node Access bypass fix in a sample module: http://cgit.drupalcode.org/webform_references/commit/?id=e006970
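An added example of the two fixes the slide names, not taken from the webform_references commit linked above: the same listing query with and without the node_access tag, plus an access API check for nodes that are already loaded. Table and column names are Drupal 7 core; the "mymodule" function names are assumed.

```php
<?php
// Added example: node table exposure before and after the node_access tag.
// Function names are assumed; the node table and columns are Drupal 7 core.

/**
 * Vulnerable: returns every published article regardless of node grants,
 * so content restricted by a node access module leaks to any caller.
 */
function mymodule_article_titles_insecure() {
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.type', 'article')
    ->condition('n.status', 1)
    ->execute()
    ->fetchAllKeyed();
}

/**
 * Fixed: the node_access tag lets node_query_node_access_alter() in core
 * (and any hook_query_node_access_alter() implementation) append the grant
 * conditions for the current user, so rows the user may not view never
 * leave the database.
 */
function mymodule_article_titles() {
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.type', 'article')
    ->condition('n.status', 1)
    ->addTag('node_access')
    ->execute()
    ->fetchAllKeyed();
}

/**
 * For a node that is already loaded, ask the access API instead of assuming:
 * node_access() consults hook_node_access() and the grants table.
 */
function mymodule_can_view($nid) {
  $node = node_load($nid);
  return $node && node_access('view', $node);
}
```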
Menu Access bypass
This rarely happens in Drupal contrib projects. It can be handled by permissions and by checking #access:
https://www.drupal.org/node/2344569#comment-9528911
Menu Access bypass fix for a sample module: http://cgit.drupalcode.org/path_alias_picker/commit/?id=b795df0
Correct Usage of drupal_goto
– We usually use drupal_goto to redirect the user to some other page. It performs a 30x redirect. In forms, we suggest using $form['redirect'] instead of drupal_goto.
– Incorrect usage of drupal_goto leads to an open redirect.
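An added example of the open redirect the slide refers to, not code from the slides: a Drupal 7 page callback that sends the user to a caller-supplied path, first unchecked and then restricted to internal paths. url_is_external() is a Drupal 7 core helper; the "mymodule" function names and the "return" query parameter are assumed.

```php
<?php
// Added example: open redirect via drupal_goto() and a hardened version.
// Function names and the ?return= parameter are assumed.

/**
 * Open redirect: ?return=http://attacker.example sends the user off-site,
 * because drupal_goto() happily redirects to external URLs.
 */
function mymodule_return_insecure() {
  $return = isset($_GET['return']) ? $_GET['return'] : '<front>';
  drupal_goto($return);
}

/**
 * Returns a safe internal path, falling back to the front page.
 *
 * url_is_external() catches "scheme:" URLs but not protocol-relative
 * "//host/path", which browsers also treat as off-site, hence the
 * extra check.
 */
function mymodule_safe_return_path($return) {
  $return = (string) $return;
  if ($return === '' || url_is_external($return) || strpos($return, '//') === 0) {
    return '<front>';
  }
  return $return;
}

/**
 * Hardened page callback: only internal paths are ever passed to drupal_goto().
 */
function mymodule_return() {
  $return = isset($_GET['return']) ? $_GET['return'] : '';
  drupal_goto(mymodule_safe_return_path($return));
}
```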
Recovery Strategies
– Restore from backup
– Update your code
– Change your passwords
– Audit your code
How is Drupal 8 more secure?
– Twig
– Removed PHP input filter
– Configuration Management
– Automated CSRF tokens via route definitions
– Trusted host patterns enforced for requests
– Clickjacking protection enabled by default
– Core JavaScript API compatible with CSP
– Composer
Twig
– Cross-Site Scripting (XSS)
– SQL Injection
– Auto-escaping
– Can't add arbitrary code into a template
– Easier for non-coders
Twig | Using Securely
– All HTML should be output by a template.
– Use the {{ variable|t }} filter to escape output
– Filters can be applied to the output
– t() function: {{ variable|t }}
– Don't use the raw filter
Twig | Using Securely Links
– https://www.drupal.org/node/2489544
– https://www.drupal.org/node/2357633
– https://www.drupal.org/node/2486991
– https://www.drupal.org/node/1920746
– https://www.drupal.org/node/1918824
– https://www.drupal.org/node/2296163
PHP Filter Removed from Core
– Remote code execution– Performance issues
https://www.drupal.org/node/2088811
Configuration Management
– Site configuration is exportable and manageable as code
– Configuration is exported as YAML files
– Easily manageable via VCS
Automated CSRF protection in route definitions
– Added automatic CSRF protection in route definitions
– Common vulnerability in Drupal 7
– Incorrect usage of
Trusted host patterns
– The HTTP Host header can be spoofed, which would cause Drupal to render based on the spoofed value.
– This could result in issues like links being rendered with the spoofed value.
– Drupal core's status page reports a large red error while the patterns are not configured.
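The settings.php entry the slide is describing, as an added example rather than text from the slides: with trusted_host_patterns set, Drupal 8 rejects any request whose Host header matches none of the regular expressions, so a spoofed header can no longer feed into generated links. The hostnames are placeholders.

```php
<?php
// Added example for sites/default/settings.php (Drupal 8). The hostnames are
// placeholders; list every name the site is legitimately served under.
// Without this setting Drupal trusts whatever Host header the request carries.
$settings['trusted_host_patterns'] = array(
  // Exact production host; anchor both ends and escape the dots so
  // "example.com.attacker.test" does not match.
  '^example\.com$',
  '^www\.example\.com$',
  // Local development.
  '^localhost$',
);
```

Until this is in place the status report shows the error the slide mentions; once the patterns match the hosts you actually serve, a request with a forged Host header gets a 400 response instead of a page.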
Clickjacking protection enabled by default
– Prevents the site from being served inside an iframe
– This blocks clickjacking attacks
– https://www.drupal.org/node/2514152
Core JavaScript API compatible with CSP
– JavaScript settings are now emitted as application/json, not loaded as inline scripts
– No support for adding inline JavaScript in core, but work is going on here: https://www.drupal.org/node/2391025
Change record: https://www.drupal.org/node/2513818
Composer
– Dependency manager for PHP
– Lets you declare the libraries the project depends on.
– Discourages hacking third-party code in place
– CI integration
Contrib Modules
– Seckit
– HTTP Response Headers
– Encrypt and its family modules
– Honeypot
– Captcha
– Password Policy
– TFA
Seckit
– Cross-site Scripting (XSS)
– Cross-site Request Forgery
– Clickjacking
– SSL/TLS
HTTP Response Headers
– Allows you to configure a list of allowed HTTP headers
– Set 'Cache-Control' or 'Expires' to set or reset the cache behaviour of browsers and cache servers.
– Set 'X-Frame-Options' to restrict your pages from being rendered in a frame.
– Set 'WWW-Authenticate' to require authentication for pages.
Encrypt and Family Modules - Field Encrypt
– Provides the ability to encrypt the field values.
– Provides field specific configuration for encryption
Encrypt and Family Modules - Real AES
– Provides new encryption plugin for the Encrypt module.
– Provides field specific configuration for encryption
Encrypt and Family Modules - Webform Encrypt
– Provides the ability to encrypt the field values of the webform
– Provides component specific configuration for encryption.
Captcha
– Used to determine whether the user is human
– Anti-spam module for protecting the site's forms from robots
Honeypot
– Uses timestamp methods on the forms to prevent spam.
– Anti-spam module for protecting the forms on the sites from bots
Password Policy
– Provides a way to enforce restrictions on user passwords by defining password policies.
– Ensures site users set strong passwords.
We are hiring!
https://www.acquia.com/careers/open-positions