drupal and security - advice for site builders and coders

Drupal and Security Advice for Site Builders and Coders Arunkumar Kuppuswamy Software Engineer Innoppl Technologies [email protected] Phone: +91 80986 41508

Uploaded by arun-kumar-k, posted on 07-Apr-2017


Drupal and Security Advice for Site Builders and Coders

Arunkumar Kuppuswamy, Software Engineer, Innoppl Technologies. Email: [email protected]. Phone: +91 80986 41508

Agenda

● Security Vulnerabilities
● General Tips
● Server Environment
● Site Configurations
● Personal Practices
● Drupal Configuration
● Writing Custom Code

Why Drupal?

● Drupal is an open-source CMS and/or framework
● 2.2% of websites on the Internet run on Drupal
● 3rd most popular CMS in the world
● Reliability
● Scalability
● A huge, dedicated community

https://w3techs.com/technologies/overview/content_management/all

Do you think Drupal is the Right choice ?

Security vulnerabilities

- A system flaw or weakness in an application
● Cross Site Scripting (XSS)
● Broken Authentication
● Gain Information / Privileges
● SQL Injection
● Bypass something
● CSRF

What is XSS?

● Cross Site Scripting
● Code in the browser
● Making requests
● Parsing responses
● JavaScript, Flash, Java, etc.

Fixing XSS?

● Filter text
● On output to the browser
● As late as reasonable
● Some API filters where reasonable
● t() and \Drupal::translation()->formatPlural() with @text and %text placeholders

What is Access Bypass?

- A user accesses the system without going through the security clearance
● The user can see or do something
● that permissions/access should prevent

Fixing Access Bypass

● Creating permissions: MODULE_NAME.permissions.yml

Fixing Access Bypass

● Menu callbacks: MODULE_NAME.routing.yml

Fixing Access Bypass

● Node access
○ hook_node_access()
● User access
○ hook_user_access()
● Entity access
○ hook_entity_access()
● Field access
○ hook_field_access()

Fixing Access Bypass?

Fixing Access Bypass?

● User has permission to access
● Use Behat

SQL Injection

- Executing malicious SQL statements
● Incorrectly filtered escape characters
● Incorrect type handling
● Blind conditional SQL injection

Drupal SQL Injection Sample Code


Fixing SQL Injection

● Database abstraction layer
● Adding tags to your queries
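As an added example (not code from the slides), a helper in a hypothetical `example_search` module showing the two fixes this slide names for Drupal 8, with the string-splicing variant kept beside them for contrast; the `node_field_data` table and its columns are Drupal core's.

```php
<?php
namespace Drupal\example_search;

use Drupal\Core\Database\Connection;

/**
 * Added example, not code from the slides. "example_search" is a
 * hypothetical module; node_field_data is core's node data table.
 */
class TitleLookup {
  protected $database;

  public function __construct(Connection $database) {
    $this->database = $database;
  }

  /**
   * INSECURE: the caller's string is spliced into the SQL text, so any
   * quote character in it changes the statement instead of being compared.
   */
  public function unsafeLookup($title) {
    return $this->database
      ->query("SELECT nid, title FROM {node_field_data} WHERE title = '$title'")
      ->fetchAll();
  }

  /**
   * SAFE: the value is bound to a placeholder and never becomes SQL text.
   */
  public function lookupWithPlaceholder($title) {
    return $this->database
      ->query('SELECT nid, title FROM {node_field_data} WHERE title = :title', [':title' => $title])
      ->fetchAll();
  }

  /**
   * SAFE and access-aware: the select builder escapes values itself, and the
   * 'node_access' tag lets hook_query_TAG_alter() implementations (core's
   * node module among them) drop rows the current user may not view.
   */
  public function lookupWithTag($title) {
    return $this->database->select('node_field_data', 'n')
      ->fields('n', ['nid', 'title'])
      ->condition('n.title', $title)
      ->condition('n.status', 1)
      ->addTag('node_access')
      ->execute()
      ->fetchAll();
  }
}
```

The tagged query also addresses the access-bypass slides above: without the tag, a custom query returns nodes regardless of the grants core would otherwise enforce.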

What is CSRF?

- Unauthorized commands are transmitted from a user that the website trusts
● A path that does not confirm intent
● <img src="http://example.com/node/1/quickdelete" >
● Mostly in form submissions

Fixing CSRF?

● Use the Form API: confirmation forms
● Send and validate tokens: \Drupal::csrfToken()
● Using a secret cookie
● Multi-step transactions
● HTTPS

Fixing CSRF?

● YAML route definition for a protected link
● Protected Ajax request

Fixing CSRF?

● Protected Ajax request

Secure site configuration

● Roles and permissions
● Keep your site settings secure
○ Text formats
○ PHP module
○ PHP in other modules

Secure site configuration

● File permissions: the web server user is forbidden to change code
● PHP execution: restrict it in .htaccess or the Nginx config
● Drupal handbook for securing your site

Drupal 8

● Stronger password hashing / salt
● Login flood control
○ prevents brute-force credential guessing
● Protected cron
○ prevents Denial of Service attacks

Update Settings

Drupal 8: Twig

● Automatically sanitizes strings on output
● No PHP in templates
● You can't run SQL queries
● Twig auto-escaping: htmlspecialchars()

Content Entry & Filtering Improved

● Filtered HTML format
● Limiting users to using only local images

Choosing Contrib Modules

General Tips

● Use HTTPS, SSH, SFTP
● Strong password policy
● Server: LAMP stack
● Require SSH keys
● Take and verify your backups
○ Sanitize backups before sharing

Security Process

● Drupal Security Team
○ Keep Drupal code secure in core and contrib
○ Educate the community on security best practices
1. Developers
2. Site builders
3. Site administrators and users
4. Decision makers
○ Security Advisory for every security release
○ @drupalsecurity and the Security Group

Security Issue → Code Maintainer → Security Team → New Release

Any Queries ?

Thank you!