Drupal and security - Advice for Site Builders and Coders

Apr 07, 2017

Arun Kumar K
Page 1: Drupal and security - Advice for Site Builders and Coders

Drupal and Security: Advice for Site Builders and Coders

Arunkumar Kuppuswamy, Software Engineer, Innoppl Technologies
[email protected]
Phone: +91 80986 41508

Page 2

Agenda

● Security Vulnerabilities
● General Tips
● Server Environment
● Site Configurations
● Personal Practices
● Drupal Configuration
● Writing Custom Code

Page 3

Why Drupal?

● Drupal is an open-source CMS and/or framework
● 2.2% of websites on the Internet run on Drupal
● 3rd most popular CMS in the world
● Reliability
● Scalability
● A huge dedicated community

Page 4

Do you think Drupal is the right choice?

https://w3techs.com/technologies/overview/content_management/all

Page 7

Security vulnerabilities

A system flaw or weakness in an application, for example:
● Cross Site Scripting (XSS)
● Broken Authentication
● Gaining Information / Privileges
● SQL Injection
● Bypassing something
● CSRF

Page 8

What is XSS?

● Cross Site Scripting
● Code running in the browser
● Making requests
● Parsing responses
● JavaScript, Flash, Java, etc.

Page 9

Fixing XSS?

● Filter text
● On output to the browser
● As late as reasonable
● Some APIs filter where reasonable
● t() and \Drupal::translation()->formatPlural() with @text and %text placeholders
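The placeholder rule on this page is the one worth seeing in action. The following is an added example, not code from the slides or from Drupal core: a minimal stand-in for the placeholder handling behind t() and formatPlural(), runnable with the PHP CLI, showing what "@text" and "%text" do to untrusted input and why escaping at output time is enough. The function names are assumptions of this example; in a module the real call is t('Welcome @name', ['@name' => $name]), and Drupal's implementation lives in \Drupal\Component\Render\FormattableMarkup::placeholderFormat().

```php
<?php
// Added example, not Drupal core code: a minimal stand-in for the
// "@" and "%" placeholder handling of t() / formatPlural(). It is
// stricter than Drupal in one respect: unknown placeholder types are
// rejected instead of being passed through.

declare(strict_types=1);

/**
 * Escapes a value for HTML output the way an "@" placeholder does
 * (the same htmlspecialchars() call Drupal's Html::escape() uses).
 */
function escapePlaceholder(string $value): string {
  return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Replaces placeholders in $string with escaped values.
 *   "@key" -> escaped text
 *   "%key" -> escaped text wrapped in <em class="placeholder">
 * Escaping happens here, at output time, so callers never need to
 * pre-escape and never risk double-escaping.
 */
function formatPlaceholders(string $string, array $args): string {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        $args[$key] = escapePlaceholder((string) $value);
        break;
      case '%':
        $args[$key] = '<em class="placeholder">' . escapePlaceholder((string) $value) . '</em>';
        break;
      default:
        throw new InvalidArgumentException("Unsupported placeholder type in '$key'");
    }
  }
  return strtr($string, $args);
}

// Constructed untrusted input, e.g. a display name a user chose.
$untrusted = '<script>alert(1)</script>';

// Unsafe: raw concatenation puts the markup into the page verbatim.
$unsafe = 'Welcome ' . $untrusted;

// Safe: the placeholders escape on output.
$safe = formatPlaceholders('Welcome @name, you are editing %title', [
  '@name' => $untrusted,
  '%title' => 'Tom & Jerry',
]);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
```

Running it prints the raw script tag on the first line and, on the second, `Welcome &lt;script&gt;alert(1)&lt;/script&gt;, you are editing <em class="placeholder">Tom &amp; Jerry</em>`. The point of doing this at the last step before output is that the same untrusted string can be stored, logged and compared unchanged; only the browser-bound copy is escaped.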

Page 10

Page 11

What is Access Bypass?

● A user accesses the system without going through the security clearance
● A user can see or do something that permissions/access control should prevent

Page 12

Fixing Access Bypass

● Creating permissions: MODULE_NAME.permissions.yml

Page 13

Fixing Access Bypass

● Menu callbacks: MODULE_NAME.routing.yml

Page 14

Fixing Access Bypass

● Node access
  ○ hook_node_access()
● User access
  ○ hook_user_access()
● Entity access
  ○ hook_entity_access()
● Field access
  ○ hook_field_access()

Page 15

Fixing Access Bypass?

Page 16

Fixing Access Bypass?

● User has permission to access
● Use Behat
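Pages 12 to 16 name the three places access is enforced but show no code. The following is an added example, not code from the slides: a hypothetical module "mymodule" that declares a permission in its permissions.yml, requires that permission on a route, and enforces per-node rules in hook_node_access(). The module, permission, route and content-type names are assumptions; the YAML keys, the hook signature and the AccessResult methods are Drupal 8 core API.

```php
<?php
// Added example, not from the slides: hypothetical module "mymodule".
//
// mymodule.permissions.yml  (page 12: creating permissions)
//
//   view internal reports:
//     title: 'View internal report nodes'
//     restrict access: true
//
// mymodule.routing.yml  (page 13: the route checks the permission before
// the controller runs, so the controller needs no check of its own)
//
//   mymodule.report_dashboard:
//     path: '/reports/dashboard'
//     defaults:
//       _controller: '\Drupal\mymodule\Controller\ReportController::dashboard'
//       _title: 'Report dashboard'
//     requirements:
//       _permission: 'view internal reports'
//
// mymodule.module  (page 14: node access)

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * Implements hook_node_access().
 *
 * Only nodes of the assumed "report" content type are affected. A
 * forbidden result overrides every other module's answer, so a user
 * without the permission cannot reach a report even though "access
 * content" would normally let them view published nodes. A neutral
 * result leaves the decision to the node module and other hooks.
 */
function mymodule_node_access(NodeInterface $node, $op, AccountInterface $account) {
  if ($node->bundle() !== 'report') {
    return AccessResult::neutral();
  }

  if ($op === 'view') {
    return AccessResult::forbiddenIf(!$account->hasPermission('view internal reports'))
      // The verdict depends on the account's permissions and on the node,
      // so cache it per permission set and invalidate it with the node.
      ->cachePerPermissions()
      ->addCacheableDependency($node);
  }

  if ($op === 'update' || $op === 'delete') {
    // Reports may only be changed or removed by their author.
    return AccessResult::forbiddenIf((int) $account->id() !== (int) $node->getOwnerId())
      ->cachePerUser()
      ->addCacheableDependency($node);
  }

  return AccessResult::neutral();
}
```

Two caveats a site builder should know when testing this (page 16): Drupal does not invoke hook_node_access() for accounts holding "bypass node access", so test with a role that lacks it; and because the hook only ever returns forbidden or neutral, a user who does hold the permission still needs the ordinary "access content" permission to see a published report.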

Page 17

SQL Injection

● Executing malicious SQL statements
● Incorrectly filtered escape characters
● Incorrect type handling
● Blind conditional SQL injection

Page 18

Drupal SQL Injection Sample Code

Page 19

Drupal SQL Injection Sample Code

Page 20

Fixing SQL Injection

● Use the database abstraction layer
● Add tags to your queries
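The sample code on pages 18 and 19 did not survive extraction, so here is an added example, not code from the slides: a hypothetical lookup in module "mymodule" that searches node titles for a user-supplied fragment, written first in the vulnerable concatenated form and then the two ways the database layer intends. The function names are assumptions; \Drupal::database(), query() with named placeholders, escapeLike(), the select builder, addTag() and addMetaData() are Drupal 8 core API, and the node_access tag is what lets node_query_node_access_alter() filter the result for the given account.

```php
<?php
// Added example, not from the slides: hypothetical helpers in "mymodule".

use Drupal\Core\Session\AccountInterface;

/**
 * VULNERABLE (kept only for contrast): the user's text becomes part of
 * the SQL statement itself, so quote characters in it change the query.
 */
function mymodule_find_nodes_unsafe(string $title): array {
  $sql = "SELECT nid, title FROM {node_field_data} WHERE title LIKE '%" . $title . "%'";
  return \Drupal::database()->query($sql)->fetchAll();
}

/**
 * Fixed with a named placeholder: the value travels to the driver as a
 * bound parameter and can never be parsed as SQL. escapeLike() only
 * neutralises the LIKE wildcards % and _ inside the user's text.
 */
function mymodule_find_nodes_placeholder(string $title): array {
  $db = \Drupal::database();
  $sql = "SELECT nid, title FROM {node_field_data} WHERE title LIKE :pattern";
  return $db->query($sql, [':pattern' => '%' . $db->escapeLike($title) . '%'])->fetchAll();
}

/**
 * Preferred: the query builder binds every condition value for you, and
 * the node_access tag (page 20, "adding tags") makes the node module
 * restrict the rows to what $account may actually see.
 */
function mymodule_find_nodes_builder(string $title, AccountInterface $account): array {
  $db = \Drupal::database();
  $query = $db->select('node_field_data', 'n')
    ->fields('n', ['nid', 'title'])
    ->condition('n.title', '%' . $db->escapeLike($title) . '%', 'LIKE')
    ->condition('n.status', 1)
    ->addTag('node_access')
    ->addMetaData('account', $account);
  return $query->execute()->fetchAll();
}
```

Without the tag the builder still prevents injection, but it returns every matching row regardless of node access grants, which is the "gain information" class of issue from page 7 rather than an injection; the tag closes both.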

Page 21

What is CSRF?

Unauthorized commands are transmitted from a user that the website trusts.
● A path that does not confirm intent
● <img src="http://example.com/node/1/quickdelete">
● Mostly in form submissions

Page 22

Fixing CSRF?

● Use the Form API: confirmation forms
● Send and validate tokens: \Drupal::csrfToken()
● Use a secret cookie
● Multi-step transactions
● HTTPS

Page 23

Fixing CSRF?

● YAML route definition for a protected link
● Protected Ajax request

Page 24

Fixing CSRF?

● Protected Ajax request
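Pages 22 to 24 list the two code-level fixes (a protected route and a protected Ajax request) without showing them. The following is an added example, not code from the slides: a hypothetical "quick delete" action in module "mymodule", the same kind of link the img-tag on page 21 abuses, protected both ways. Module, route, class and path names are assumptions; the _csrf_token route requirement, the entity:node parameter converter, and \Drupal::csrfToken()->get()/validate() are Drupal 8 core API.

```php
<?php
// Added example, not from the slides: hypothetical module "mymodule".
//
// mymodule.routing.yml
//
//   # Page 23: a plain link protected by the route. With _csrf_token set,
//   # Drupal appends ?token=... to every URL it generates for this route
//   # and rejects requests whose token is missing or wrong, so the
//   # <img src="/node/1/quickdelete"> trick from page 21 no longer works.
//   mymodule.quickdelete:
//     path: '/node/{node}/quickdelete'
//     defaults:
//       _controller: '\Drupal\mymodule\Controller\QuickDeleteController::delete'
//     requirements:
//       _entity_access: 'node.delete'
//       _csrf_token: 'TRUE'
//     options:
//       parameters:
//         node:
//           type: entity:node
//
//   # Page 24: the Ajax variant accepts POST only and validates a token
//   # explicitly in the controller.
//   mymodule.quickdelete_ajax:
//     path: '/node/{node}/quickdelete/ajax'
//     defaults:
//       _controller: '\Drupal\mymodule\Controller\QuickDeleteController::deleteAjax'
//     methods: [POST]
//     requirements:
//       _entity_access: 'node.delete'
//     options:
//       parameters:
//         node:
//           type: entity:node
//
// src/Controller/QuickDeleteController.php

namespace Drupal\mymodule\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Url;
use Drupal\node\NodeInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class QuickDeleteController extends ControllerBase {

  /**
   * Token "value" that ties the token to this action and this node, so a
   * token obtained for one node cannot be replayed against another.
   */
  private function tokenValue(NodeInterface $node): string {
    return 'mymodule-quickdelete-' . $node->id();
  }

  /**
   * URL of the Ajax endpoint carrying the token the script must send back.
   * Render it into the page; the script POSTs to it.
   */
  public function ajaxUrl(NodeInterface $node): Url {
    return Url::fromRoute('mymodule.quickdelete_ajax', ['node' => $node->id()], [
      'query' => ['token' => \Drupal::csrfToken()->get($this->tokenValue($node))],
    ]);
  }

  /**
   * Ajax endpoint. The router already checked that the account may delete
   * the node; the token is what proves this session made the request on
   * purpose rather than through a forged cross-site request.
   */
  public function deleteAjax(NodeInterface $node, Request $request): JsonResponse {
    $token = (string) $request->query->get('token', '');
    if (!\Drupal::csrfToken()->validate($token, $this->tokenValue($node))) {
      throw new AccessDeniedHttpException('Missing or invalid CSRF token.');
    }
    $nid = $node->id();
    $node->delete();
    return new JsonResponse(['deleted' => $nid]);
  }

  /**
   * Handler for the link route; the _csrf_token requirement did the check.
   */
  public function delete(NodeInterface $node) {
    $node->delete();
    return $this->redirect('<front>');
  }

}
```

The confirmation-form option from page 22 remains the simplest choice for anything a human clicks, because Form API adds and validates its own token and the GET request only renders a form; the token-protected routes above are for the cases where a one-click link or a script call is genuinely wanted.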

Page 25

Secure site configuration

● Roles and permissions
● Keep your site settings secure
  ○ Text formats
  ○ PHP module
  ○ PHP in other modules

Page 26

Secure site configuration

● File permissions: the web server user must not be able to change code
● PHP execution: restrict it in .htaccess or the Nginx config
● Drupal handbook for securing your site

Page 28

Drupal 8

● Stronger password hashing / salt
● Login flood control
  ○ prevents brute-force credential guessing
● Protected cron
  ○ prevents denial-of-service attacks

Page 29

Update Settings

Page 30

Drupal 8: Twig

● Automatically sanitizes strings on output
● No PHP in templates
● You can't run SQL queries
● Twig auto-escaping: htmlspecialchars()

Page 31

Page 32

Content Entry & Filtering Improved

● Filtered HTML format
● Limiting users to using only local images

Page 33

Choosing Contrib Modules

Page 34

General Tips

● Use HTTPS, SSH, SFTP
● Strong password policy
● Server: LAMP stack
● Require SSH keys
● Take and verify your backups
  ○ Sanitize backups before sharing

Page 35

Security Process

● Drupal Security Team
  ○ Keeps Drupal code secure in core and contrib
  ○ Educates the community on security best practices:
    1. Developers
    2. Site builders
    3. Site administrators and users
    4. Decision makers
  ○ Security Advisory for every security release
  ○ @drupalsecurity and the Security Group

Page 36

Security Issue → Code Maintainer → Security Team → New Release

Page 38

Any Queries?

Page 39

Thank you!