
Drupal Security Basics for the DrupalJax January Meetup

Jan 27, 2015


Chris Hales

Basic security presentation for the Jacksonville, FL Drupal user group on how Drupal deals with the OWASP top 10 security risks of 2013.

I'll be expanding this to include additional details and examples in the next version.
Transcript
Page 1: Drupal Security Basics for the DrupalJax January Meetup

Drupal Security Basics

Page 2: Drupal Security Basics for the DrupalJax January Meetup

Chris Hales, DevOps Director

@chris_hales

Page 3: Drupal Security Basics for the DrupalJax January Meetup

Agenda
● Is Drupal Secure?
● OWASP Top 10 Security Risks
● Drupal Security Resources
● Staying Informed
● Q & A

@Mediacurrent

Page 4: Drupal Security Basics for the DrupalJax January Meetup

Is Drupal Secure?

Page 5: Drupal Security Basics for the DrupalJax January Meetup

Drupal Security

Drupal is very secure out of the box as long as it’s configured with a little care. We can attribute a lot of this to the efforts put forth by the community. That includes every contributor who has developed code for Drupal or user who has taken the time to report an issue.

Let’s look at some common security problems found in many web applications and how Drupal handles them.


Page 6: Drupal Security Basics for the DrupalJax January Meetup

OWASP Top 10

Page 7: Drupal Security Basics for the DrupalJax January Meetup

OWASP

The OWASP Top 10 - 2013 is as follows:
● A1 Injection
● A2 Broken Authentication and Session Management
● A3 Cross-Site Scripting (XSS)
● A4 Insecure Direct Object References
● A5 Security Misconfiguration
● A6 Sensitive Data Exposure
● A7 Missing Function Level Access Control
● A8 Cross-Site Request Forgery (CSRF)
● A9 Using Components with Known Vulnerabilities
● A10 Unvalidated Redirects and Forwards


Page 8: Drupal Security Basics for the DrupalJax January Meetup

Injection

Injection attacks occur when an attacker can insert data into a web application that can be interpreted or executed for malicious intent.

SQL injection is probably the most commonly discussed type of attack, but inserting code, such as within a comment form, or uploading a file containing code that an attacker could later execute, such as a custom PHP script, also applies.


Page 9: Drupal Security Basics for the DrupalJax January Meetup

Injection

File Injection
Drupal’s file management system controls what types of files can be uploaded by filtering the extensions and also limits where files are stored.

SQL Injection
Drupal's database API sanitizes queries and D7 was designed to make it harder for developers to write insecure queries. Always use the API and use placeholders!
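The placeholder point above in working Drupal 7 code, as an added example that is not part of the slides: an insecure string-built query next to the same lookup written with bound placeholders and with the dynamic query builder. It assumes a Drupal 7 bootstrap so that db_query() and db_select() are available; the function names are hypothetical.

```php
<?php
// Added example (not from the slides). Assumes a Drupal 7 bootstrap.

/**
 * INSECURE: $name is concatenated into the SQL text, so whatever the user
 * typed becomes part of the statement instead of being treated as data.
 */
function example_user_by_name_insecure($name) {
  $result = db_query("SELECT uid FROM {users} WHERE name = '" . $name . "'");
  return $result->fetchField();
}

/**
 * SECURE: the database API sends $name as a bound parameter. The value can
 * never change the structure of the query, whatever characters it contains.
 */
function example_user_by_name_secure($name) {
  $result = db_query('SELECT uid FROM {users} WHERE name = :name', array(':name' => $name));
  return $result->fetchField();
}

/**
 * Lists of values: db_query() expands an array argument into a parameterised
 * IN (...) list, so there is no need (and no excuse) for implode().
 */
function example_users_by_uids(array $uids) {
  return db_query('SELECT uid, name FROM {users} WHERE uid IN (:uids)', array(':uids' => $uids))
    ->fetchAllKeyed();
}

/**
 * Same idea with the dynamic query builder: every condition value is bound
 * for you and {table} prefixing is handled by the API.
 */
function example_users_by_status($status) {
  return db_select('users', 'u')
    ->fields('u', array('uid', 'name'))
    ->condition('u.status', (int) $status)
    ->execute()
    ->fetchAllKeyed();
}
```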


Page 10: Drupal Security Basics for the DrupalJax January Meetup

Broken Auth
Broken Authentication and Session Management

Examples include:
● Storing passwords as plain text or in a known insecure hashing algorithm, such as md5.
● Storing passwords that do not adhere to a policy such as enforced alpha+numeric+punctuation.
● Poor session invalidation such as infinite session cookies that could linger on an insecure system.


Page 11: Drupal Security Basics for the DrupalJax January Meetup

Broken Auth
Broken Authentication and Session Management

● Drupal salts user passwords in addition to hashing them 2^15 times as a default.
● Drupal will create a salt string but it is also configurable and may be included from a file for added security.
● Existing sessions are destroyed on login/logout limiting the ability for an attacker to hijack a stale session.
● Several contrib modules enhance user security.
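The configurable salt and session lifetime mentioned above, as an added settings.php excerpt that is not from the slides. The salt file path is a placeholder; the variable and ini names are the ones Drupal 7 core reads.

```php
<?php
// Added example (not from the slides): settings.php excerpt for a Drupal 7 site.

// Drupal generates $drupal_hash_salt when the site is installed. Loading it
// from a file outside the web root (placeholder path; make it readable only
// by the web server user) means a copied settings.php or a database dump
// does not hand the salt over as well.
$drupal_hash_salt = file_get_contents('/path/outside/webroot/salt.txt');

// Password hashing cost. Drupal 7 stores log2 of the iteration count and the
// default DRUPAL_HASH_COUNT is 15, which is the "2^15 times" on the slide.
// Raising it makes offline guessing against a stolen users table slower at
// the cost of slightly slower logins.
$conf['password_count_log2'] = 16;

// Session lifetime. default.settings.php ships with a cookie lifetime of
// 2000000 seconds (about 23 days). Shorter values limit how long a stale
// session cookie left on a shared or stolen device remains usable.
ini_set('session.cookie_lifetime', 86400);
ini_set('session.gc_maxlifetime', 86400);
```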


Page 12: Drupal Security Basics for the DrupalJax January Meetup

XSS
Cross-site Scripting (XSS)

XSS attacks occur when an attacker injects malicious code into an otherwise harmless web application. These are very common vulnerabilities and occur when a web application doesn't properly sanitize user input.

They can range from the rather simplistic to the very complex.

<body onload=alert('Alert!')>

Studies show that more than 60% of sites have an XSS vulnerability.


Page 13: Drupal Security Basics for the DrupalJax January Meetup

XSS
Cross-site Scripting (XSS)

Drupal has several API functions for filtering user submitted data to prevent XSS attacks.

Be sure you know and understand the proper use of these functions when writing custom code.

● check_url (URLs)
● check_plain (plain text)
● check_markup (rich text)
● filter_xss (html)

And don’t forget about t() and l().
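The output functions listed above applied one per context, as an added example that is not from the slides. It assumes a Drupal 7 bootstrap; $account is a loaded user object and $body, $signature and $homepage are constructed user-typed strings.

```php
<?php
// Added example (not from the slides). Assumes a Drupal 7 bootstrap.

/**
 * Builds block markup from user-supplied values, choosing the filter that
 * matches the context each value is rendered in.
 */
function example_profile_block_content($account, $body, $signature, $homepage) {
  $items = array();

  // Plain text context: escape every HTML-significant character.
  $items[] = '<h2>' . check_plain($account->name) . '</h2>';

  // t(): @ and % placeholders are escaped for you; only use ! for values
  // that are already safe markup, because ! inserts them verbatim.
  $items[] = '<p>' . t('Member since @date', array('@date' => format_date($account->created))) . '</p>';

  // Rich text that was entered under a text format: run that format's
  // filters. Never echo a stored body without check_markup().
  $items[] = check_markup($body, 'filtered_html');

  // HTML with no text format attached: keep only a whitelist of tags.
  $items[] = filter_xss($signature, array('a', 'em', 'strong', 'p'));

  // URL context: check_url() strips dangerous schemes such as javascript:
  // and encodes the result for use inside an attribute.
  $items[] = '<a href="' . check_url($homepage) . '">' . t('Homepage') . '</a>';

  // l() escapes the link text itself unless you pass 'html' => TRUE, in
  // which case sanitising the text becomes your job.
  $items[] = l(t('View profile'), 'user/' . $account->uid);

  return implode("\n", $items);
}
```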


Page 14: Drupal Security Basics for the DrupalJax January Meetup

Object References
Insecure Direct Object References

If the application does not verify that a user should be able to access an object, this is an insecure direct object reference flaw.

Drupal Views are a good example of where this can occur. If you forget to include a “published” filter the view could display unpublished listings to a user role not normally able to see them.


Page 15: Drupal Security Basics for the DrupalJax January Meetup

Object References
Insecure Direct Object References

● Drupal’s Form API sanitizes user input and validates submissions.
● The Menu system handles permission checks for system paths and .htaccess has rules to keep prying eyes away from module and theme files.
● Functions such as node_access() and user_access() are available when writing custom code.
● Numerous contrib modules exist that enhance core security.


Page 16: Drupal Security Basics for the DrupalJax January Meetup

Misconfiguration
Security Misconfiguration

A simple misconfiguration can completely bypass all your other efforts to secure your site and the data it has stored.


Page 17: Drupal Security Basics for the DrupalJax January Meetup

Misconfiguration
Security Misconfiguration

Drupal 7 out of the box is very secure but you must be diligent about reviewing permissions when new modules are added.

Several contrib modules are available to help with permission audits and to prevent accidental changes or privilege escalation.

● Security Review module
● Secure Permissions module


Page 18: Drupal Security Basics for the DrupalJax January Meetup

Data Leakage
Sensitive Data Exposure

A common place for attackers to retrieve information is from site backups. If the data isn’t stored using encryption, or if the encryption algorithm is weak or otherwise ineffective, data leakage is possible.


Page 19: Drupal Security Basics for the DrupalJax January Meetup

Data Leakage
Sensitive Data Exposure

● Passwords are salted and hashed.
● Site specific key randomly generated during site install which can be used for reversible encryption.
● Contrib solutions offer a number of encryption frameworks for storing sensitive data.


Page 20: Drupal Security Basics for the DrupalJax January Meetup

Access Control
Missing Function Level Access Control

User access is made available to functions and features programmatically and with access enforcement mechanisms in place.


Page 21: Drupal Security Basics for the DrupalJax January Meetup

Access Control
Missing Function Level Access Control

Drupal has an extensive permissions based access control system in place that checks for user authorization before an action can be taken.
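One custom route that enforces both checks the deck describes, function level access (the permission on the path) and object level access (node_access() on the specific node requested, which closes the insecure direct object reference gap from the earlier slides). This is an added example, not from the slides; the module name example_report and its permission are hypothetical.

```php
<?php
// Added example (not from the slides): a hypothetical Drupal 7 module "example_report".

/**
 * Implements hook_permission().
 */
function example_report_permission() {
  return array(
    'view example reports' => array('title' => t('View example reports')),
  );
}

/**
 * Implements hook_menu().
 */
function example_report_menu() {
  $items['report/%node'] = array(
    'title' => 'Report',
    'page callback' => 'example_report_page',
    'page arguments' => array(1),
    // The menu system runs this before the page callback. The %node loader
    // has already returned a 404 if the id does not exist.
    'access callback' => 'example_report_access',
    'access arguments' => array(1),
  );
  return $items;
}

/**
 * Access callback: permission check AND per-node check.
 *
 * Checking only user_access() (function level) would let anyone holding the
 * permission read any node id they type into the URL. node_access() also
 * honours the node's published status and node grants, so an unpublished
 * node is not exposed to a role that may not see it.
 */
function example_report_access($node) {
  return user_access('view example reports') && node_access('view', $node);
}

/**
 * Page callback. The title is user data, so it is escaped for output.
 */
function example_report_page($node) {
  return '<h2>' . check_plain($node->title) . '</h2>' . drupal_render(node_view($node, 'teaser'));
}
```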


Page 22: Drupal Security Basics for the DrupalJax January Meetup

CSRF
Cross-site Request Forgery (CSRF, XSRF)

With this type of exploit the attacker tricks the victim into triggering an action via their browser.

<img src="http://example.com/user/logout" />


Page 23: Drupal Security Basics for the DrupalJax January Meetup

CSRF
Cross-site Request Forgery (CSRF)

Similar to XSS, Drupal has built-in CSRF protection:
● Drupal’s Form API uses POST submissions.
● The Form API uses tokens which are validated with submissions.
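Forms built with the Form API get the token for free; a state-changing action reached through a plain link, like the logout URL in the earlier slide, does not. The added example below (not from the slides; module example_archive and its 'archive content' permission are hypothetical) shows the same token mechanism applied by hand with drupal_get_token() and drupal_valid_token().

```php
<?php
// Added example (not from the slides): a hypothetical Drupal 7 module "example_archive".

/**
 * Implements hook_menu().
 */
function example_archive_menu() {
  $items['node/%node/archive'] = array(
    'title' => 'Archive',
    'page callback' => 'example_archive_node',
    'page arguments' => array(1),
    'access arguments' => array('archive content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the action link. drupal_get_token() binds the token to the current
 * session and to the value passed in, so a token minted for one node does
 * not validate for another.
 */
function example_archive_link($node) {
  return l(t('Archive'), 'node/' . $node->nid . '/archive', array(
    'query' => array('token' => drupal_get_token('example_archive_' . $node->nid)),
  ));
}

/**
 * Page callback: refuses the request unless the token matches.
 *
 * A request forged from another site carries the victim's session cookie
 * but cannot know the session-bound token, so it is denied here.
 */
function example_archive_node($node) {
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], 'example_archive_' . $node->nid)) {
    return MENU_ACCESS_DENIED;
  }
  $node->status = NODE_NOT_PUBLISHED;
  node_save($node);
  drupal_set_message(t('%title has been archived.', array('%title' => $node->title)));
  drupal_goto('node/' . $node->nid);
}
```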


Page 24: Drupal Security Basics for the DrupalJax January Meetup

Contrib Dangers
Using Components With Known Vulnerabilities

Using libraries or contrib modules with known security vulnerabilities is a quick way to become a spam infested site.


Page 25: Drupal Security Basics for the DrupalJax January Meetup

Contrib Dangers
Using Components With Known Vulnerabilities

There are many ways to stay up to date on Drupal core and contrib modules.
● Use the Update Status module and configure it to notify you when new releases are available.
● Join the security mailing list to receive weekly updates on recently discovered security concerns related to Drupal.
● Join mailing lists for any 3rd party library you use such as WYSIWYG editors.


Page 26: Drupal Security Basics for the DrupalJax January Meetup

Redirects
Unvalidated Redirects and Forwards

Attackers are able to craft malicious URLs to redirect users to resources of their choosing or to bypass access controls.


Page 27: Drupal Security Basics for the DrupalJax January Meetup

Redirects
Unvalidated Redirects and Forwards

● Drupal’s internal page redirects cannot be used to bypass the menu and user access systems.
● Use the proper API functions such as drupal_goto and the Form API #redirect in your custom code.
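Using the API does not by itself make a user-controlled return path safe. The added example below (not from the slides; the example_return form and its ?return= query parameter are hypothetical) validates the value before handing it to the Form API redirect, and covers two edge cases url_is_external() alone misses: javascript: style values, for which it returns FALSE, and protocol-relative //host values, which contain no scheme.

```php
<?php
// Added example (not from the slides). Assumes a Drupal 7 bootstrap.

/**
 * Returns $candidate if it is an internal path, otherwise $fallback.
 */
function example_return_safe_path($candidate, $fallback = '<front>') {
  $candidate = trim((string) $candidate);

  // Empty, or an absolute URL with a scheme (http://other.example/...).
  if ($candidate === '' || url_is_external($candidate)) {
    return $fallback;
  }
  // url_is_external() reports FALSE for javascript: style values because the
  // dangerous-protocol filter alters them; catch those explicitly.
  if (drupal_strip_dangerous_protocols($candidate) !== $candidate) {
    return $fallback;
  }
  // Protocol-relative //host and backslash variants have no colon, so they
  // are not "external" either, yet a browser treats them as a new host.
  if (strpos($candidate, '//') === 0 || strpos($candidate, '\\') === 0) {
    return $fallback;
  }
  return $candidate;
}

/**
 * Submit handler. In Drupal 7 the Form API redirect is set through
 * $form_state['redirect']; drupal_goto() is the equivalent outside a form.
 */
function example_return_form_submit($form, &$form_state) {
  $requested = isset($_GET['return']) ? $_GET['return'] : '';
  $form_state['redirect'] = example_return_safe_path($requested);
}
```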


Page 28: Drupal Security Basics for the DrupalJax January Meetup

Resources
Securing your Site - https://drupal.org/security/secure-configuration
Write Secure Code - https://drupal.org/writing-secure-code
Coding Standards - https://drupal.org/coding-standards
Security Group - https://groups.drupal.org/security
Cracking Drupal - http://crackingdrupal.com/
Drupal Scout - http://drupalscout.com
File Permissions - https://drupal.org/node/244924


Page 30: Drupal Security Basics for the DrupalJax January Meetup

Stay Informed
Getting Help
IRC - #drupal
Twitter - @drupalsecurity
Security Forums - https://drupal.org/forum/1188

Do you think your site was hacked? https://drupal.org/node/213320

Weekly Announcements - https://drupal.org/node/406142

Visit https://drupal.org/security for further information.


Page 31: Drupal Security Basics for the DrupalJax January Meetup

Thank You!

Questions? @Mediacurrent Mediacurrent.com

slideshare.net/mediacurrent