Drupal Security Basics for the DrupalJax January Meetup

Post on 27-Jan-2015


Category: Technology


DESCRIPTION

Basic security presentation for the Jacksonville, FL Drupal user group on how Drupal deals with the OWASP top 10 security risks of 2013. I'll be expanding this to include additional details and examples in the next version.

Transcript

Drupal Security Basics

Chris Hales, DevOps Director

@chris_hales

Agenda

● Is Drupal Secure?
● OWASP Top 10 Security Risks
● Drupal Security Resources
● Staying Informed
● Q & A

@Mediacurrent

Is Drupal Secure?

Drupal Security

Drupal is very secure out of the box as long as it is configured with a little care. Much of that is owed to the community: every contributor who has developed code for Drupal and every user who has taken the time to report an issue.

Let’s look at some common security problems found in many web applications and how Drupal handles them.


OWASP Top 10

The OWASP Top 10 - 2013 is as follows:
● A1 Injection
● A2 Broken Authentication and Session Management
● A3 Cross-Site Scripting (XSS)
● A4 Insecure Direct Object References
● A5 Security Misconfiguration
● A6 Sensitive Data Exposure
● A7 Missing Function Level Access Control
● A8 Cross-Site Request Forgery (CSRF)
● A9 Using Components with Known Vulnerabilities
● A10 Unvalidated Redirects and Forwards


Injection

Injection attacks occur when an attacker can insert data into a web application that is then interpreted or executed by the application or by a backend it talks to (the database, the shell, the PHP interpreter) with malicious intent.

SQL injection is probably the most commonly discussed type of attack, but the same risk applies to inserting code through a comment form, or to uploading a file containing code that the attacker can later execute, such as a custom PHP script.


File Injection

Drupal's file management system controls which file types can be uploaded by filtering on extension (core also renames executable extensions such as .php to .php.txt unless that protection is switched off) and limits where uploaded files are stored; the .htaccess Drupal writes into the files directory turns the PHP engine off there (SA-2006-006).

SQL Injection

Drupal's database API separates query text from data when you use placeholders, and Drupal 7's query builders (db_select(), db_insert(), db_update()) were designed to make it harder for developers to write insecure queries. Always use the API and use placeholders; never concatenate user input into a query string.
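The two cases on this slide in Drupal 7 API terms, as an added example that is not part of the original presentation. It assumes a Drupal 7 bootstrap (db_query(), db_select(), db_like() and file_save_upload() are core functions); the ?title query parameter, the $fragment argument and the public://uploads destination are invented for the example.

```php
<?php
// Added example, not from the slides. Assumes a Drupal 7 bootstrap; the
// "title" query parameter and the public://uploads destination are invented.

/**
 * VULNERABLE: user input concatenated into the query text.
 * A request with ?title=' OR 1=1 -- returns every node, published or not.
 */
function example_find_nodes_unsafe() {
  $title = isset($_GET['title']) ? $_GET['title'] : '';
  return db_query("SELECT nid, title FROM {node} WHERE title = '" . $title . "' AND status = 1")->fetchAll();
}

/**
 * SAFE: the same lookup with a named placeholder. The value travels to the
 * database as a bound parameter, never as part of the SQL text, so quotes in
 * it cannot change the query. Only values can be bound: table and column
 * names still have to come from code, never from the request.
 */
function example_find_nodes_safe() {
  $title = isset($_GET['title']) ? $_GET['title'] : '';
  return db_query('SELECT nid, title FROM {node} WHERE title = :title AND status = 1',
    array(':title' => $title))->fetchAll();
}

/**
 * The D7 query builder does the binding for you and reads as intent rather
 * than as string assembly; condition() binds the value and the operator
 * defaults to '='. A LIKE needs db_like() to escape % and _ in the user value.
 */
function example_search_nodes_safe($fragment) {
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.title', '%' . db_like($fragment) . '%', 'LIKE')
    ->condition('n.status', 1)
    ->execute()
    ->fetchAllKeyed();
}

/**
 * File injection: whitelist extensions and keep uploads under the public
 * files directory, where the .htaccess Drupal writes turns the PHP engine off.
 * Even without the validator, file_save_upload() renames executable extensions
 * (evil.php becomes evil.php.txt) unless allow_insecure_uploads is enabled;
 * the validator is what stops the upload outright.
 */
function example_handle_upload($field_name) {
  $validators = array(
    'file_validate_extensions' => array('jpg jpeg png gif pdf'),
    'file_validate_size' => array(2 * 1024 * 1024),
  );
  $file = file_save_upload($field_name, $validators, 'public://uploads', FILE_EXISTS_RENAME);
  if (!$file) {
    // FALSE: a validator failed (errors are already queued); NULL: no file sent.
    return NULL;
  }
  $file->status = FILE_STATUS_PERMANENT;
  return file_save($file);
}
```

The db_query() string form is fine for fixed statements; prefer the builder when conditions are assembled dynamically, because branch-by-branch string concatenation is what tends to reintroduce injection.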


Broken Authentication and Session Management

Examples include:
● Storing passwords as plain text or with a known-weak, unsalted hashing algorithm such as MD5.
● Storing passwords that do not adhere to a policy such as enforced alpha + numeric + punctuation.
● Poor session invalidation, such as infinite session cookies that could linger on an insecure system.


Broken Authentication and Session Management

● Drupal salts each user password with its own random salt and hashes it iteratively; the Drupal 7 default is 2^15 rounds (DRUPAL_HASH_COUNT = 15) of SHA-512.
● Separately, Drupal generates a site-wide hash salt at install ($drupal_hash_salt in settings.php, used for form tokens and similar); it is configurable and may be loaded from a file outside the web root for added security.
● The session id is regenerated on login and the session is destroyed on logout, limiting an attacker's ability to hijack a stale or fixated session.
● Several contrib modules enhance user security (password policies, session limits).
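Drupal 7's password hashing, legacy-hash upgrade, session regeneration and the site-wide salt, as an added example that is not part of the original presentation. It assumes a Drupal 7 bootstrap (user_hash_password(), user_check_password(), user_needs_new_hash() and drupal_session_regenerate() are core functions); the salt file path is the placeholder used in default.settings.php and the example_* functions are invented.

```php
<?php
// Added example, not from the slides. Assumes a Drupal 7 bootstrap; the salt
// file path is the placeholder from default.settings.php.

// includes/password.inc is loaded on demand, not during bootstrap.
require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');

/**
 * Hash a new password the way user_save() does. The result looks like
 * "$S$D..." : "$S$" marks Drupal's SHA-512 phpass variant, the next character
 * ('D') encodes the iteration count DRUPAL_HASH_COUNT = 15, i.e. 2^15 rounds,
 * and the following 8 characters are a random per-password salt. Hashing the
 * same password twice therefore yields two different strings.
 */
function example_store_password($plain) {
  return user_hash_password($plain);
}

/**
 * Verify a login attempt. user_check_password() reads the count and salt back
 * out of the stored hash; nothing about the hash has to be kept elsewhere.
 */
function example_verify_password($plain, $stored_hash) {
  $account = (object) array('pass' => $stored_hash);
  return user_check_password($plain, $account);
}

/**
 * Hashes migrated from Drupal 6 are MD5 wrapped in phpass ("U$S$..."), and a
 * hash made with an older iteration count is weaker than the current default.
 * user_needs_new_hash() flags both; core re-hashes on the next successful
 * login, and custom authentication paths should do the same.
 */
function example_verify_and_upgrade($plain, $account) {
  if (!user_check_password($plain, $account)) {
    return FALSE;
  }
  if (user_needs_new_hash($account)) {
    // user_save() runs the new password through user_hash_password().
    user_save($account, array('pass' => $plain));
  }
  return TRUE;
}

/**
 * Session handling: core regenerates the session id on login so a session
 * fixated by the attacker before authentication is not promoted to a
 * logged-in one. A custom login path that bypasses user_login_finalize()
 * must do this itself.
 */
function example_finish_custom_login($account) {
  global $user;
  $user = $account;
  drupal_session_regenerate();
}

// settings.php: keep the site-wide hash salt (used for form tokens and
// drupal_get_token(), separate from the per-password salts above) out of the
// database and the web root. The installer generates it; this reads it from
// a file that the web server user can read but the docroot does not contain.
$drupal_hash_salt = file_get_contents('/home/example/salt.txt');
```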


Cross-site Scripting (XSS)

XSS attacks occur when an attacker injects script into an otherwise harmless web application and another user's browser then runs it in that site's origin, with that user's session. These are very common vulnerabilities and occur when a web application does not properly escape user input when rendering it.

They range from the rather simplistic to the very complex:

<body onload=alert('Alert!')>

Studies at the time reported that more than 60% of sites had an XSS vulnerability.
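How Drupal 7 code turns the slide's payload back into inert text, as an added example that is not part of the original presentation. It assumes a Drupal 7 bootstrap (check_plain(), filter_xss() and t() are core functions); the sample input is constructed here as if it were a comment subject, and the example_* functions are invented.

```php
<?php
// Added example, not from the slides: Drupal 7's output-escaping functions
// applied to the slide's payload. Runs inside a Drupal 7 bootstrap; the sample
// input is constructed here, as if it were a comment subject.

$untrusted = "<body onload=alert('Alert!')>";

/**
 * VULNERABLE: raw user input concatenated into HTML. The browser parses the
 * attacker's tag and runs the onload handler in the site's origin, with the
 * viewer's cookies.
 */
function example_render_unsafe($text) {
  return '<h2>' . $text . '</h2>';
}

/**
 * Plain text output: check_plain() HTML-encodes <, >, &, " and ', so the
 * payload is displayed as text instead of being parsed as markup.
 */
function example_render_plain($text) {
  return '<h2>' . check_plain($text) . '</h2>';
}

/**
 * "Some HTML allowed" output: filter_xss() keeps only whitelisted tags and
 * strips event-handler attributes, javascript: URLs and everything else.
 * The default whitelist is a, em, strong, cite, blockquote, code, ul, ol, li,
 * dl, dt, dd; a <body> tag is dropped entirely. Use it for content that must
 * keep formatting; use check_plain() when it does not.
 */
function example_render_filtered($text) {
  return '<div>' . filter_xss($text, array('a', 'em', 'strong')) . '</div>';
}

/**
 * Placeholders in t() / format_string(): @name is check_plain()ed, %name is
 * escaped and wrapped in <em>, !name is inserted raw. User data therefore
 * goes through @ or %; ! is reserved for HTML you already made safe.
 */
function example_message($name) {
  return t('Comment by @name.', array('@name' => $name));
}

/**
 * Render arrays: '#markup' is printed as-is by the theme layer, so the
 * escaping has to happen before the value is assigned.
 */
function example_render_array($text) {
  return array(
    '#markup' => '<p>' . check_plain($text) . '</p>',
  );
}

// Which function to call is decided by the destination, not the source: the
// same $untrusted string needs check_plain() in a heading or attribute and
// filter_xss() in a body that may legitimately contain <em>.
```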


Insecure Direct Object References

If the application does not verify that a user should be able to access an object referenced directly by a request (a node id in the URL, a file name in a download link), that is an insecure direct object reference flaw.

The Views module is a good example of where this can occur: if you forget to include a "published" filter, the view can display unpublished listings to a role not normally able to see them.


Insecure Direct Object References

● Drupal's Form API validates submissions against the form definition: a submitted value that was not among a field's declared #options is rejected as an illegal choice, and validation handlers run before any submit handler.
● The menu system handles permission checks for system paths through the access callback and access arguments declared in hook_menu(), and the .htaccess shipped with Drupal keeps prying eyes away from module and theme files by refusing direct requests for .module, .inc, .info, .install and similar files.
● Functions such as node_access() and user_access() are available when writing custom code, and custom queries that list nodes should filter on status and carry the node_access query tag.
● Numerous contrib modules exist that enhance core security.
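Server-side object checks in Drupal 7 custom code, covering both the Views "published" case on the previous slide and the menu-system and node_access() points on this one, as an added example that is not part of the original presentation. It assumes a Drupal 7 bootstrap; the module name "example", the paths, the content type "report" and the permission "view example reports" are invented.

```php
<?php
// Added example, not from the slides. Module name "example", the paths, the
// "report" content type and the permission name are invented.

/**
 * Implements hook_menu().
 */
function example_menu() {
  $items = array();
  // VULNERABLE pattern: the callback receives whatever nid is in the URL and
  // the only gate is "access content", which every role usually has, so any
  // visitor can pull any node, unpublished ones included.
  $items['example/report/%'] = array(
    'page callback' => 'example_report_unsafe',
    'page arguments' => array(2),
    'access arguments' => array('access content'),
  );
  // SAFE pattern: %node auto-loads the object (404 if it does not exist) and a
  // dedicated access callback decides per object, not per path.
  $items['example/report-secure/%node'] = array(
    'page callback' => 'example_report_safe',
    'page arguments' => array(2),
    'access callback' => 'example_report_access',
    'access arguments' => array(2),
  );
  return $items;
}

function example_report_unsafe($nid) {
  $node = node_load($nid);
  return $node ? check_plain($node->title) : MENU_NOT_FOUND;
}

/**
 * Access callback: a role permission and a node-level check. node_access()
 * consults node access grants and, for an unpublished node, only lets the
 * author (with "view own unpublished content") or "bypass node access" through.
 */
function example_report_access($node, $account = NULL) {
  return user_access('view example reports', $account) && node_access('view', $node, $account);
}

function example_report_safe($node) {
  return check_plain($node->title);
}

/**
 * Implements hook_permission(): the permission referenced above must exist.
 */
function example_permission() {
  return array(
    'view example reports' => array(
      'title' => t('View example reports'),
    ),
  );
}

/**
 * A custom listing query (the Views case) needs the same two checks: filter
 * on status, and tag the query so node access grants are applied to it.
 */
function example_list_report_nids() {
  return db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.type', 'report')
    ->condition('n.status', NODE_PUBLISHED)
    ->addTag('node_access')
    ->execute()
    ->fetchCol();
}
```

The access callback runs on every request to the path, including when the page is reached through a redirect, which is why the menu system rather than the page callback is the right place for the check.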


Security Misconfiguration

A simple misconfiguration can completely bypass all your other efforts to secure your site and the data it stores.


Security Misconfiguration

Drupal 7 out of the box is very secure, but you must be diligent about reviewing permissions whenever a new module is added: each module can define its own permissions in hook_permission(), and a permission granted to the wrong role (anonymous or authenticated, in particular) is an instant privilege escalation.

Several contrib modules help with permission audits and with preventing accidental changes or privilege escalation, for example the Security Review module and the Secure Permissions module.


Sensitive Data Exposure

A common place for attackers to retrieve information is site backups. If the data is not stored encrypted, or the encryption algorithm is weak or otherwise ineffective, data leakage is possible.


Sensitive Data Exposure

● Passwords are salted and hashed, never stored in a recoverable form.
● A site-specific private key and hash salt are randomly generated during site install; the private key can seed reversible encryption in custom code. Note that it is stored in the variable table, so a database backup contains it along with the data; a key that lives only in settings.php survives a backup leak.
● Contrib solutions offer a number of encryption frameworks for storing sensitive data.
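Reversible encryption of one sensitive value in Drupal 7 custom code, keyed so that a leaked database backup alone does not recover it, as an added example that is not part of the original presentation. It assumes a Drupal 7 bootstrap (drupal_get_private_key() and drupal_random_bytes() are core functions) and PHP 7.1 or later for AES-GCM in openssl_encrypt(); the $conf key name, the derivation label and the example_* functions are invented.

```php
<?php
// Added example, not from the slides. Requires PHP >= 7.1 (AES-GCM tag
// support in openssl_encrypt); the $conf key and derivation label are invented.

/**
 * Key material. drupal_get_private_key() is the site key the slide mentions,
 * but it lives in the variable table, so the backup that leaks the ciphertext
 * also leaks the key. A secret that exists only in settings.php (outside the
 * database) is what keeps a stolen dump useless, so it is preferred here.
 */
function example_encryption_key() {
  global $conf;
  $secret = isset($conf['example_encryption_secret'])
    ? $conf['example_encryption_secret']   // settings.php: $conf['example_encryption_secret'] = '...';
    : drupal_get_private_key();            // fallback: DB-stored site key (weaker, see above)
  // Derive a 32-byte AES-256 key bound to one purpose; never use the raw secret.
  return hash_hmac('sha256', 'example-field-encryption-v1', $secret, TRUE);
}

/**
 * AES-256-GCM: a fresh random 96-bit nonce per value, and the 16-byte tag
 * authenticates the ciphertext so a tampered backup is rejected, not decrypted.
 */
function example_encrypt($plaintext) {
  $key = example_encryption_key();
  $iv = drupal_random_bytes(12);
  $tag = '';
  $ciphertext = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
  if ($ciphertext === FALSE) {
    throw new RuntimeException('Encryption failed');
  }
  // Single storable column: version prefix, then nonce || tag || ciphertext.
  return 'v1:' . base64_encode($iv . $tag . $ciphertext);
}

/**
 * Returns the plaintext, or FALSE for malformed input or a failed tag check.
 */
function example_decrypt($stored) {
  if (!is_string($stored) || strpos($stored, 'v1:') !== 0) {
    return FALSE;
  }
  $raw = base64_decode(substr($stored, 3), TRUE);
  if ($raw === FALSE || strlen($raw) < 28) {
    return FALSE;
  }
  $iv = substr($raw, 0, 12);
  $tag = substr($raw, 12, 16);
  $ciphertext = substr($raw, 28);
  return openssl_decrypt($ciphertext, 'aes-256-gcm', example_encryption_key(), OPENSSL_RAW_DATA, $iv, $tag);
}

// Usage: store example_encrypt($value) in the field; the plaintext never
// reaches the database, and the version prefix lets you rotate the key or
// cipher later without guessing which format a stored row is in.
```

Encrypting a field does nothing for data that is also written elsewhere in clear (watchdog entries, cache tables, search index); check those before claiming the backup is safe.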


Missing Function Level Access Control

Access to functions and features must be granted programmatically on every request, with enforcement mechanisms in place on the server. Hiding a link or button in the UI is not access control: the request can still be sent directly.


Missing Function Level Access Control

Drupal has an extensive permission-based access control system that checks user authorization (user_access() against the permissions granted to the user's roles, run by the menu system's access callbacks) before an action can be taken.


Cross-site Request Forgery (CSRF, XSRF)

With this type of exploit the attacker tricks the victim's browser into sending a request the victim never intended, with the victim's session cookie attached. An image tag on an attacker-controlled page is enough when the action is a plain GET:

<img src="http://example.com/user/logout" />


Cross-site Request Forgery (CSRF)

As with XSS, Drupal has built-in CSRF protection:
● Drupal's Form API uses POST submissions.
● The Form API embeds a per-session token in every form for logged-in users and validates it on submission.
● Custom links that change state outside the Form API must carry their own token (drupal_get_token() / drupal_valid_token()).
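Protecting a state-changing link that is not a form with the same token mechanism the Form API uses, as an added example that is not part of the original presentation. It assumes a Drupal 7 bootstrap (drupal_get_token(), drupal_valid_token(), l() and node_save() are core functions); the module name "example", the paths and the "archive" action are invented.

```php
<?php
// Added example, not from the slides. Module name, paths and the "archive"
// action are invented.

/**
 * Implements hook_menu().
 */
function example_menu() {
  $items = array();
  // VULNERABLE: a plain GET performs the action, so the slide's image-tag
  // trick, <img src="http://example.com/example/archive/42">, does it from any
  // page the victim visits while logged in with "administer nodes".
  $items['example/archive/%node'] = array(
    'page callback' => 'example_archive_unsafe',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
  );
  // SAFE: same action, but the link carries a token bound to the session and
  // to this nid, and the callback refuses without it.
  $items['example/archive-secure/%node'] = array(
    'page callback' => 'example_archive_safe',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
  );
  return $items;
}

function example_archive_unsafe($node) {
  $node->status = NODE_NOT_PUBLISHED;
  node_save($node);
  drupal_goto('node/' . $node->nid);
}

/**
 * Build the link the way core builds its own token-protected links: the
 * token value includes the nid, so a token for one node is useless on another.
 */
function example_archive_link($node) {
  return l(t('Archive'), 'example/archive-secure/' . $node->nid, array(
    'query' => array('token' => drupal_get_token('example-archive-' . $node->nid)),
  ));
}

function example_archive_safe($node) {
  // drupal_valid_token() recomputes an HMAC over the value keyed with the
  // session id, the site private key and the hash salt. A cross-site page
  // cannot read the victim's session id, so it cannot forge the token.
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], 'example-archive-' . $node->nid)) {
    return MENU_ACCESS_DENIED;
  }
  $node->status = NODE_NOT_PUBLISHED;
  node_save($node);
  drupal_goto('node/' . $node->nid);
}
```

Core's own pattern for destructive actions is a confirm_form(), which gets POST and the token from the Form API for free; the tokened link above is for the cases where a link genuinely has to perform the action.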


Using Components With Known Vulnerabilities

Using libraries or contrib modules with known security vulnerabilities is a quick way to become a spam-infested site.


Using Components With Known Vulnerabilities

There are many ways to stay up to date on Drupal core and contrib modules.
● Use the Update Status module (the Update manager in Drupal 7 core) and configure it to notify you when new releases are available.
● Join the security mailing list to receive weekly updates on recently discovered security concerns related to Drupal.
● Join the mailing lists for any 3rd-party library you use, such as WYSIWYG editors; Drupal's update checks cover projects hosted on drupal.org, not libraries dropped into sites/all/libraries.


Unvalidated Redirects and Forwards

Attackers craft malicious URLs that redirect users to resources of their choosing (a phishing page reached through a trusted domain) or that bypass access controls.


Unvalidated Redirects and Forwards

● Drupal's internal page redirects cannot be used to bypass the menu and user access systems: the target path is served through the menu router, which runs its access callbacks again.
● Use the proper API functions in custom code: drupal_goto() for redirects and the Form API redirect ($form_state['redirect'] in Drupal 7) from submit handlers, and validate any user-supplied target before passing it on.
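Handling a user-supplied return URL in Drupal 7 custom code, as an added example that is not part of the original presentation. It assumes a Drupal 7 bootstrap (drupal_goto() and url_is_external() are core functions); the "return" parameter name and the example_* functions are invented.

```php
<?php
// Added example, not from the slides. The "return" parameter and the
// example_* functions are invented.

/**
 * VULNERABLE: whatever the query string says is where the user goes, so a
 * link to ?return=http://evil.example/ on this site becomes a phishing hop
 * behind a trusted domain.
 */
function example_after_action_unsafe() {
  drupal_goto($_GET['return']);
}

/**
 * SAFE: accept only an internal path. url_is_external() rejects absolute
 * URLs; the explicit checks below are defensive and also reject scheme-relative
 * "//host" and backslash forms plus anything carrying a scheme, independent of
 * the core version. Anything else falls back to the default path.
 */
function example_safe_return_path($candidate, $default = '<front>') {
  if (!is_string($candidate) || $candidate === '') {
    return $default;
  }
  if (url_is_external($candidate)
    || strpos($candidate, '//') === 0
    || strpos($candidate, '\\') === 0
    || strpos($candidate, ':') !== FALSE) {
    return $default;
  }
  // Drupal paths are relative to the site root; a leading slash would turn
  // "/user" into a path the menu router does not know.
  $candidate = ltrim($candidate, '/');
  if ($candidate === '' || strpos($candidate, '..') !== FALSE) {
    return $default;
  }
  return $candidate;
}

function example_after_action_safe() {
  $path = example_safe_return_path(isset($_GET['return']) ? $_GET['return'] : NULL);
  // The target is still served through the menu router, so its access
  // callback runs: a redirect cannot be used to skip an access check.
  drupal_goto($path);
}

/**
 * Form API: set the redirect in the submit handler instead of calling
 * drupal_goto(); the Form API performs it after all submit handlers have run.
 */
function example_form_submit($form, &$form_state) {
  $form_state['redirect'] = example_safe_return_path(
    isset($form_state['values']['return']) ? $form_state['values']['return'] : NULL
  );
}
```

If a redirect to another site is a genuine requirement, keep a fixed whitelist of allowed hosts in code and compare the parsed host against it; never let the request supply the host.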


Resources

Securing your Site - https://drupal.org/security/secure-configuration
Write Secure Code - https://drupal.org/writing-secure-code
Coding Standards - https://drupal.org/coding-standards
Security Group - https://groups.drupal.org/security
Cracking Drupal - http://crackingdrupal.com/
Drupal Scout - http://drupalscout.com
File Permissions - https://drupal.org/node/244924


Stay Informed: Getting Help

IRC - #drupal
Twitter - @drupalsecurity
Security Forums - https://drupal.org/forum/1188

Do you think your site was hacked? https://drupal.org/node/213320

Weekly Announcements - https://drupal.org/node/406142

Visit https://drupal.org/security for further information.


Thank You!

Questions? @Mediacurrent Mediacurrent.com

slideshare.net/mediacurrent
