Hack Proof your Drupal site - DrupalCamp Hyderabad

Hack Proof your Drupal site
Naveen Valecha, March 5, 2017

Upload: naveen-valecha

Post on 19-Mar-2017


TRANSCRIPT

©2016 Acquia Inc. — Confidential and Proprietary

Hack Proof your Drupal site

Naveen Valecha, March 5, 2017


Agenda

– Common Security Strategies
– SQL Injection
– Cross-Site Scripting (XSS)
– Cross-Site Request Forgery (CSRF)
– Access bypass (Node access bypass & Menu access bypass)
– Correct use of drupal_goto (incorrect use leads to a vulnerability)
– Security Improvements in Drupal 8
– Contributed Modules and how to use them securely


Who am I?

– Drupal 6, 7, 8 contributor
– Git Administrator
– Maintainer of groups.drupal.org
– Maintainer of Captcha, http_response_headers


Common Security Strategies

– Trust - Who can do what on the website.
– Software Updates - Update your software (server, web server, Drupal, etc.)
– Security Misconfigurations

Securing your website: https://www.drupal.org/security/secure-configuration


Permissions

– Be careful with site-owning permissions.
– Similarly with the text formats.
– User 1's name should not be something simple like "admin"; don't use that account for day-to-day work, it has all permissions.


Security Misconfigurations

– Disable PHP error reporting (admin/config/development/logging)
– Disable the PHP filter module.
– Make sure PHP files are not writable by the server.
– Remove write permissions for www-data:

-rw-r----- 1 neal www-data index.php
drwxr-x--- 32 neal www-data modules/
drwxrwx--- 7 www-data neal sites/default/files/


SQL Injection

An attacker can supply crafted request parameters that are passed straight into the query.

SQL injection:

<?php
// Vulnerable: the request parameter is concatenated into the SQL string.
db_query("SELECT uid FROM {users} u WHERE u.name = '" . $_GET['user'] . "'");
?>


SQL Injection - Exploit

http://example.dev/?user=x%27%3B%20DROP%20table%20node%3B%20--

Query: SELECT uid FROM users u WHERE u.name = 'x'; DROP table node; --'

This will delete your node table, leading to data loss and breaking your website.


SQL Injection - Correct Usage

<?php
// Named placeholder: the database layer quotes the value itself.
db_query("SELECT uid FROM {users} u WHERE u.name = :name", array(':name' => $_GET['user']));
?>

OR

<?php
// Query builder: condition() binds the value as a placeholder as well.
db_select('users', 'u')
  ->fields('u', array('uid'))
  ->condition('u.name', $_GET['user'])
  ->execute();
?>
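The deck shows the two safe forms for an exact-match lookup. The following Drupal 7 example is added here and is not code from the deck; it assumes a hypothetical module named mymodule and extends the same idea to the two cases practitioners most often get wrong, LIKE patterns (which need db_like() on top of the placeholder) and IN lists (array placeholders):

```php
<?php
// Added example (not from the deck): looking up users safely in Drupal 7.
// "mymodule" and the function names are hypothetical.

/**
 * Returns the uid for an exact user name, or FALSE if there is none.
 *
 * Placeholders are passed as a separate array, so the database layer
 * quotes the value and it can never terminate the SQL string.
 */
function mymodule_uid_by_name($name) {
  return db_query(
    "SELECT uid FROM {users} WHERE name = :name",
    array(':name' => $name)
  )->fetchField();
}

/**
 * Returns the uids whose name starts with $prefix.
 *
 * LIKE patterns need a second layer of escaping: db_like() escapes the
 * wildcard characters % and _ inside the user-supplied part, so a prefix
 * of "%" cannot turn into a match-everything query.
 */
function mymodule_uids_by_name_prefix($prefix) {
  return db_select('users', 'u')
    ->fields('u', array('uid'))
    ->condition('u.name', db_like($prefix) . '%', 'LIKE')
    ->execute()
    ->fetchCol();
}

/**
 * Returns the names for a list of uids.
 *
 * An array placeholder expands to one bound value per element, so a list
 * coming from a multi-select form element is still never concatenated.
 */
function mymodule_names_by_uids(array $uids) {
  if (empty($uids)) {
    return array();
  }
  return db_query(
    "SELECT name FROM {users} WHERE uid IN (:uids)",
    array(':uids' => $uids)
  )->fetchCol();
}

/**
 * Page callback: the request parameter is still untrusted, but it only
 * reaches the query as a bound value, and only reaches the page through t()
 * placeholders, which escape it for HTML.
 */
function mymodule_lookup_page() {
  $name = isset($_GET['user']) ? $_GET['user'] : '';
  $uid = mymodule_uid_by_name($name);
  return array(
    '#markup' => $uid
      ? t('User @name has uid @uid.', array('@name' => $name, '@uid' => $uid))
      : t('No user named @name.', array('@name' => $name)),
  );
}
```

The LIKE case is the one to watch: a placeholder alone stops the value from breaking out of the string, but without db_like() a user-supplied "%" or "_" is still interpreted as a wildcard.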


Cross-Site Scripting (XSS)

– Attackers can inject client-side script into web pages, bypassing the browser's security policy.

– Any data added via form fields should be sanitized before printing.


XSS - Exploit Result



XSS - Exploit Result

Handle text in a secure fashion: https://www.drupal.org/node/28984


XSS - Correct Usage
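The correct-usage slide is a screenshot in the original deck. The following Drupal 7 example is added here and is not the deck's code; it assumes a hypothetical module named mymodule and shows the unsanitized output next to the output functions Drupal 7 provides for each context (plain text, t() placeholders, limited HTML, URL attributes):

```php
<?php
// Added example (not from the deck): outputting user-supplied text in
// Drupal 7. "mymodule" and the function names are hypothetical.

/**
 * Vulnerable: the submitted value is echoed into the page unchanged, so a
 * value such as <script>...</script> runs in every visitor's browser.
 */
function mymodule_greeting_insecure($name) {
  return array('#markup' => '<h2>Hello ' . $name . '</h2>');
}

/**
 * Correct: every path from untrusted input to HTML goes through an
 * escaping or filtering function chosen for the output context.
 */
function mymodule_greeting_secure($name, $bio, $website) {
  $build = array();

  // Plain text that must never be interpreted as markup: check_plain().
  $build['title'] = array(
    '#markup' => '<h2>Hello ' . check_plain($name) . '</h2>',
  );

  // The same through t(): @ placeholders are run through check_plain(),
  // % placeholders are escaped and wrapped in <em>. ! placeholders are NOT
  // escaped and must only ever receive markup that is already safe.
  $build['intro'] = array(
    '#markup' => t('Welcome back, %name.', array('%name' => $name)),
  );

  // Rich text where a limited set of tags is intended: filter_xss() keeps
  // the listed tags and strips scripts, event-handler attributes and
  // javascript: URLs.
  $build['bio'] = array(
    '#markup' => filter_xss($bio, array('a', 'em', 'strong', 'p', 'br')),
  );

  // A URL placed in an attribute: check_url() strips dangerous protocols
  // such as javascript: and then escapes the result for the attribute.
  $build['link'] = array(
    '#markup' => '<a href="' . check_url($website) . '">' . check_plain($name) . '</a>',
  );

  return $build;
}
```

Which function to use depends on where the text ends up: the same string needs check_plain() in an element body, check_url() inside an href, and filter_xss() only when the author is meant to write a little HTML.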


Cross-site Request Forgery(CSRF)

function pizza_menu() {
  $items['admin/pizza/%/delete'] = array(
    'title' => 'Pizza',
    'description' => 'Delete the pizza.',
    'page callback' => 'pizza_delete',
    'access arguments' => array('administer pizza'),
    'file' => 'pizza.admin.inc',
  );
  return $items;
}

// Vulnerable: a plain GET to admin/pizza/1/delete deletes the node with
// no confirmation form and no token, so any page an administrator visits
// can trigger it (see the next slide).
function pizza_delete() {
  $nid = arg(2);
  node_delete($nid);
  cache_clear_all();
  drupal_goto('admin/pizza');
}


CSRF - Exploit

Attackers can post the URL http://d7vulnerable.dev/admin/pizza/1/delete somewhere, like this:

<img src="http://d7vulnerable.dev/admin/pizza/1/delete"></img>


CSRF - Protection

– Confirmation forms
– Security tokens in the URL

http://d7vulnerable.dev/admin/pizza/1/delete?token=blaski23ijuinfiknerja_eiriwe_rmewhfuihacnuhierwn

Use the Form API to avoid CSRF: https://www.drupal.org/node/178896

Protecting your Drupal module against CSRF: https://docs.acquia.com/articles/protecting-your-drupal-module-against-cross-site-request-forgeries
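Both protections from this slide applied to the pizza module from the earlier slides, as an added Drupal 7 example that is not the deck's code. The route, permission and pizza_delete names follow the slides; pizza_delete_confirm_form, the quick-delete path and the helper names are hypothetical:

```php
<?php
// Added example (not from the deck): the pizza delete route rewritten so
// that a plain GET cannot delete anything. pizza_delete_confirm_form, the
// quick-delete path and pizza_quick_delete_link are hypothetical.

/**
 * Implements hook_menu().
 */
function pizza_menu() {
  // Preferred: a confirmation form. The delete happens only on a POST that
  // carries the form's own token, which the Form API verifies before the
  // submit handler runs.
  $items['admin/pizza/%node/delete'] = array(
    'title' => 'Delete pizza',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('pizza_delete_confirm_form', 2),
    'access arguments' => array('administer pizza'),
    'file' => 'pizza.admin.inc',
  );
  // Alternative for links that must stay GET: require a token bound to
  // the path.
  $items['admin/pizza/%node/quick-delete'] = array(
    'page callback' => 'pizza_quick_delete',
    'page arguments' => array(2),
    'access arguments' => array('administer pizza'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Confirmation form. The %node wildcard has already loaded the node; a
 * non-existent nid produces a 404 before this runs.
 */
function pizza_delete_confirm_form($form, &$form_state, $node) {
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  return confirm_form(
    $form,
    t('Are you sure you want to delete %title?', array('%title' => $node->title)),
    'admin/pizza',
    t('This action cannot be undone.'),
    t('Delete'),
    t('Cancel')
  );
}

function pizza_delete_confirm_form_submit($form, &$form_state) {
  node_delete($form_state['values']['nid']);
  drupal_set_message(t('The pizza has been deleted.'));
  $form_state['redirect'] = 'admin/pizza';
}

/**
 * Builds a GET link that carries a CSRF token bound to its own path.
 */
function pizza_quick_delete_link($node) {
  $path = 'admin/pizza/' . $node->nid . '/quick-delete';
  return l(t('Delete'), $path, array(
    'query' => array('token' => drupal_get_token($path)),
  ));
}

/**
 * Page callback for the tokenised link. drupal_get_token() ties the token
 * to the current user's session and to the value passed in (here the
 * path), so a token lifted from another user or another path fails
 * drupal_valid_token() and the request is refused.
 */
function pizza_quick_delete($node) {
  $path = 'admin/pizza/' . $node->nid . '/quick-delete';
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    return MENU_ACCESS_DENIED;
  }
  node_delete($node->nid);
  drupal_goto('admin/pizza');
}
```

The confirmation form is the simpler option because the Form API handles the token for you; the explicit drupal_get_token()/drupal_valid_token() pair is for the cases where the action genuinely has to be a link.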


Node Access bypass

This vulnerability is usually found in modules which expose node table data. It can be fixed by adding the node_access tag to the query and using the access API.

Node access bypass fix in a sample module: http://cgit.drupalcode.org/webform_references/commit/?id=e006970


Node Access bypass - Exploit


Node Access bypass - Protection
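The exploit and protection slides are screenshots in the original deck. The following Drupal 7 example is added here and is not the deck's code; it assumes a hypothetical module named mymodule and shows a direct node-table query beside the two fixes the previous slide names, the node_access query tag and the node_access() API:

```php
<?php
// Added example (not from the deck): listing nodes without bypassing node
// access in Drupal 7. "mymodule" and the function names are hypothetical.

/**
 * Vulnerable: reads the node table directly. Every published node is
 * returned regardless of node_access grants (private content, content
 * restricted by an access-control module), because nothing applies them.
 */
function mymodule_recent_titles_insecure($limit = 10) {
  return db_query(
    "SELECT nid, title FROM {node} WHERE status = 1 ORDER BY created DESC LIMIT " . (int) $limit
  )->fetchAllKeyed();
}

/**
 * Correct: the node_access tag lets the node module (and any module
 * implementing hook_query_node_access_alter()) add the grant conditions
 * for the user to the query before it runs.
 */
function mymodule_recent_titles($limit = 10, $account = NULL) {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', 1)
    ->orderBy('n.created', 'DESC')
    ->range(0, $limit)
    ->addTag('node_access');
  if ($account) {
    // Evaluate grants for a specific user rather than the current one.
    $query->addMetaData('account', $account);
  }
  return $query->execute()->fetchAllKeyed();
}

/**
 * Correct for a single node: load it and ask the access API. node_access()
 * also consults hook_node_access() implementations, which the query tag
 * cannot express as SQL.
 */
function mymodule_load_viewable_node($nid) {
  $node = node_load($nid);
  if ($node && node_access('view', $node)) {
    return $node;
  }
  return FALSE;
}
```

Use the tag for lists and node_access() for anything that operates on one node; a module that does both (list, then act) needs both.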


Menu Access bypass

This rarely happens in Drupal contrib projects. It can be handled by the permissions and by checking #access.

https://www.drupal.org/node/2344569#comment-9528911

Menu access bypass fix in a sample module: http://cgit.drupalcode.org/path_alias_picker/commit/?id=b795df0
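The two checks the slide names, a permission on the menu item and #access on a form element, as an added Drupal 7 example that is not the deck's code. It assumes a hypothetical module named mymodule with a hypothetical permission 'administer mymodule':

```php
<?php
// Added example (not from the deck): menu-level permission checks and
// #access on form elements in Drupal 7. "mymodule", its permission and its
// function names are hypothetical.

/**
 * Implements hook_permission().
 */
function mymodule_permission() {
  return array(
    'administer mymodule' => array(
      'title' => t('Administer mymodule'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 */
function mymodule_menu() {
  // Bypass: 'access callback' => TRUE lets any visitor, including
  // anonymous users, reach an administrative callback.
  $items['admin/config/mymodule/rebuild-insecure'] = array(
    'page callback' => 'mymodule_rebuild',
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );
  // Correct: the menu system calls user_access('administer mymodule') for
  // the current user before the page callback runs.
  $items['admin/config/mymodule/rebuild'] = array(
    'title' => 'Rebuild',
    'page callback' => 'mymodule_rebuild',
    'access arguments' => array('administer mymodule'),
  );
  return $items;
}

/**
 * Settings form shared by editors and administrators. The sensitive element
 * is hidden from users without the permission, and because the Form API
 * takes no input for elements whose #access is FALSE, a hand-crafted POST
 * that includes the field does not change its value either.
 */
function mymodule_settings_form($form, &$form_state) {
  $form['slogan'] = array(
    '#type' => 'textfield',
    '#title' => t('Slogan'),
    '#default_value' => variable_get('mymodule_slogan', ''),
  );
  $form['allow_uploads'] = array(
    '#type' => 'checkbox',
    '#title' => t('Allow file uploads from anonymous users'),
    '#default_value' => variable_get('mymodule_allow_uploads', 0),
    '#access' => user_access('administer mymodule'),
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
  return $form;
}

function mymodule_settings_form_submit($form, &$form_state) {
  variable_set('mymodule_slogan', $form_state['values']['slogan']);
  // For a user without the permission the element took no input, so this
  // holds the #default_value and saving it changes nothing.
  variable_set('mymodule_allow_uploads', (int) $form_state['values']['allow_uploads']);
}
```

Checking #access on the element, rather than only hiding it in the template, is what makes the check hold against a forged request.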


Correct Usage of drupal_goto

– We usually use drupal_goto to redirect the user to some other page. This does a 30X redirect. We usually suggest using $form['redirect'] in forms instead of drupal_goto.

– Incorrect usage of drupal_goto leads to an open redirect.


drupal_goto - Exploit


drupal_goto - Prevention
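The exploit and prevention slides are screenshots in the original deck. The following Drupal 7 example is added here and is not the deck's code; it assumes a hypothetical module named mymodule with a hypothetical return_to parameter, and shows drupal_goto() called on raw input beside a helper that only allows internal paths, plus the $form_state['redirect'] form the Drupal 7 Form API uses for the case the slide recommends:

```php
<?php
// Added example (not from the deck): redirecting to a user-supplied path
// without turning drupal_goto() into an open redirect. "mymodule", the
// return_to parameter and the function names are hypothetical.

/**
 * Vulnerable: whatever is in ?return_to= becomes the Location header, so a
 * link such as /mymodule/done?return_to=http://attacker.example sends the
 * visitor off-site from a URL that starts with your own domain.
 */
function mymodule_done_insecure() {
  drupal_goto($_GET['return_to']);
}

/**
 * Returns a path on this site for the redirect, or the fallback.
 *
 * url_is_external() rejects absolute URLs with a scheme. The explicit
 * check for a leading pair of slashes or backslashes also refuses
 * protocol-relative forms (//attacker.example), which browsers resolve to
 * another host.
 */
function mymodule_safe_return_path($candidate, $fallback = '<front>') {
  if (!is_string($candidate) || $candidate === '') {
    return $fallback;
  }
  if (url_is_external($candidate) || preg_match('#^[\\\\/]{2}#', $candidate)) {
    return $fallback;
  }
  // Treat "/node/1" and "node/1" as the same internal path.
  return ltrim($candidate, '/');
}

function mymodule_done() {
  $return_to = isset($_GET['return_to']) ? $_GET['return_to'] : '';
  drupal_goto(mymodule_safe_return_path($return_to));
}

/**
 * In a form, set $form_state['redirect'] instead of calling drupal_goto()
 * from the submit handler; the Form API performs the redirect after all
 * submit handlers have run.
 */
function mymodule_settings_form_submit($form, &$form_state) {
  $form_state['redirect'] = mymodule_safe_return_path($form_state['values']['return_to']);
}
```

The allow-list is the important part: the value is reduced to an internal path before it reaches drupal_goto(), so the redirect can only ever land on this site.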


Recovery Strategies

– Restore from backup
– Update your code
– Change your passwords
– Audit your code


How Drupal 8 is more secure?

– Twig
– Removed PHP input filter
– Configuration Management
– Automated CSRF tokens via route definitions
– Trusted host patterns enforced for requests
– Clickjacking protection enabled by default
– Core JavaScript API compatible with CSP
– Composer


Twig

– Cross-Site Scripting (XSS)
– SQL Injection
– Auto-escaping
– Can't add arbitrary code into a template
– Easier for non-coders


Twig - Continued


Twig - Continued


Twig | Using Securely

– All the HTML should be output by a template.
– Use the {{ variable|t }} filter to escape output
– Filters can be applied to the output
– t() function: {{ variable|t }}
– Don't use the raw filter


Twig | Using Securely Links

– https://www.drupal.org/node/2489544
– https://www.drupal.org/node/2357633
– https://www.drupal.org/node/2486991
– https://www.drupal.org/node/1920746
– https://www.drupal.org/node/1918824
– https://www.drupal.org/node/2296163


PHP Filter Removed from Core

– Remote code execution
– Performance issues

https://www.drupal.org/node/2088811


Configuration Management

– Site configuration exportable, manageable as code
– Exported configuration as YAML files
– Easily manageable via VCS


Automated CSRF protection in route definitions

– Added automated CSRF protection in route definitions

– Common vulnerability in Drupal 7

– Incorrect usage of


Automated CSRF protection in route definitions


Automated CSRF protection in route definitions


Trusted host patterns

– The HTTP Host header can be spoofed, which would cause Drupal to render based on the spoofed value.

– This could result in issues like links being rendered with the spoofed value.

– Drupal core's status page reports a large red error when no patterns are configured.


Trusted host patterns
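The second trusted-host slide is a screenshot in the original deck. The following fragment is added here and is not the deck's code; it is the trusted_host_patterns setting in a Drupal 8 sites/default/settings.php, with placeholder host names. Each entry is a regular expression matched against the host name from the request; a request whose Host header matches none of them is answered with an HTTP 400 instead of being rendered:

```php
<?php
// Added example (not from the deck): trusted_host_patterns in a Drupal 8
// settings.php. The host names are placeholders.

// Anchor every pattern: without ^ and $, 'example\.com' would also accept
// a host such as example.com.attacker.example, which defeats the check.
$settings['trusted_host_patterns'] = [
  // Production host, exact match.
  '^www\.example\.com$',
  // Bare domain, so the redirect to www is also served.
  '^example\.com$',
  // Any staging sub-domain, but nothing beyond the registered domain.
  '^[a-z0-9-]+\.staging\.example\.com$',
  // Local development; the port is not part of the compared host name.
  '^localhost$',
];
```

Escape the dots: '.' is a regex wildcard, so an unescaped 'example.com' also matches 'exampleXcom'.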


Clickjacking protection enabled by default

– Prevents the site from being served inside an iframe
– This blocks click-jacking attacks
– https://www.drupal.org/node/2514152


Clickjacking protection enabled by default


Core Javascript API compatible with CSP

– JavaScript settings are now emitted as application/json, not loaded as inline scripts

– No support for adding inline JavaScript in core, but work is going on here: https://www.drupal.org/node/2391025

Change record: https://www.drupal.org/node/2513818


Composer

– Dependency manager for PHP
– Lets you declare the libraries the project depends on.
– Prevents hacking the code
– CI integration


Composer


Using Contributed projects Securely


Contrib Modules

– Seckit
– HTTP Response Headers
– Encrypt and its family of modules
– Honeypot
– Captcha
– Password Policy
– TFA


Seckit

– Cross-Site Scripting (XSS)
– Cross-Site Request Forgery
– Clickjacking
– SSL/TLS


HTTP Response Headers

– Allows you to configure a list of allowed HTTP headers
– Set the 'Cache-Control' or 'Expires' header to set/reset the cache behaviour of browsers and cache servers.
– Set 'X-Frame-Options' to restrict your pages from rendering in a frame.
– Set 'WWW-Authenticate' to require authentication for pages.
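The headers this slide lists, set from a Drupal 7 module's hook_init() as an added example that is not the deck's code and not the HTTP Response Headers module's own implementation. It assumes a hypothetical module named mymodule and hypothetical variables for the basic-auth credentials (settable from settings.php via $conf so they stay out of version control):

```php
<?php
// Added example (not from the deck): sending the headers named on the slide
// from hook_init() in Drupal 7. "mymodule" and its variables are hypothetical.

/**
 * Implements hook_init().
 */
function mymodule_init() {
  // Refuse to be framed by other origins, which stops click-jacking of
  // administrative pages. SAMEORIGIN still lets the site frame itself.
  drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN');

  // Keep pages for logged-in users out of shared caches: a proxy that
  // stored an authenticated page could serve it to the next visitor.
  if (user_is_logged_in()) {
    drupal_add_http_header('Cache-Control', 'private, no-store, max-age=0');
    drupal_add_http_header('Expires', 'Sun, 19 Nov 1978 05:00:00 GMT');
  }
}

/**
 * Guard for a path that should sit behind HTTP basic authentication in
 * addition to Drupal's own login (for example a data export). Call it at
 * the top of the page callback; it returns TRUE when the credentials match
 * and otherwise ends the request with a 401 and a WWW-Authenticate header.
 */
function mymodule_basic_auth_guard() {
  $user = variable_get('mymodule_export_user');
  $pass = variable_get('mymodule_export_pass');
  $given_user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
  $given_pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
  // hash_equals() compares in constant time, so response timing does not
  // leak how many leading characters of the password were right.
  if (!is_string($user) || !is_string($pass)
      || $given_user !== $user || !hash_equals($pass, $given_pass)) {
    drupal_add_http_header('WWW-Authenticate', 'Basic realm="Export"');
    drupal_add_http_header('Status', '401 Unauthorized');
    print t('Authentication required.');
    drupal_exit();
  }
  return TRUE;
}
```

Basic authentication only protects the credentials in transit when the page is served over TLS, which is why the Seckit slide's SSL/TLS item belongs with this one.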


Encrypt and Family Modules - Field Encrypt

– Provides the ability to encrypt field values.

– Provides field-specific configuration for encryption


Encrypt and Family Modules - Real AES

– Provides a new encryption plugin for the Encrypt module.

– Provides field-specific configuration for encryption


Encrypt and Family Modules - Webform Encrypt

– Provides the ability to encrypt the field values of a webform

– Provides component-specific configuration for encryption.


Captcha

– Used for determining whether the user is human
– Anti-spam module for protecting the forms on the site from robots


Honeypot

– Uses timestamp methods on the forms to prevent spam.

– Anti-spam module for protecting the forms on the sites from bots


Password Policy

– Provides a way to enforce restrictions on user passwords by defining password policies.

– Ensures site users set strong passwords.


Questions?


We are hiring!

https://www.acquia.com/careers/open-positions


Thank you!