Drupal Security: Configuration and process
Gábor Hojtsy & Ben Jeavons
24 Aug 14:45, VPS.net


Tuesday, August 31, 2010
Who we are

                   • Gábor Hojtsy: Drupal 6 co-maintainer, Acquia, Security Team Member
                   • Ben Jeavons: Drupal Security Report, Growing Venture Solutions, Security Team Member




Web security

                    • Protecting resources from abuse
                    • Protecting data
                    • Protecting available actions
                    • Attackers exploit a weakness to do harm

Demo

                    • Malicious JavaScript is entered into content (stored XSS)
                    • Admin unknowingly executes it by viewing the page
                    • The JavaScript alters admin-only settings using the admin's session
                     • Changes admin password
                     • Puts site offline

66%
                   likelihood that a website has
                   a Cross Site Scripting (XSS) vulnerability

                  http://whitehatsec.com/home/assets/presentations/09PPT/PPT_statsfall09_8th.pdf


Vulnerabilities by popularity
                   [Pie chart: Drupal vulnerabilities by type, from the Drupal Security Report.
                    Legend, as listed: XSS, Access Bypass, CSRF, Authentication/Session,
                    Arbitrary Code Execution, SQL Injection, Others.
                    Slice values shown: 48%, 16%, 12%, 10%, 7%, 4%, 3% (the extracted text
                    does not preserve which value belongs to which category).]
                                           http://drupalsecurityreport.org

Lots of risks

                    • Prioritize your actions
                     • Secure configuration
                     • Careful processes
                       • Keep code up-to-date
                     • Audit custom code

Smart configuration

                    • Control user input
                     • Input formats
                    • Trust
                     • Roles and permissions

Input formats


                    • Input formats control what happens when
                           user-supplied data is displayed




Input formats


                    • Filtered HTML for untrusted roles
                    • Full HTML for completely trusted roles


Filtered HTML

       •     HTML filter

             •     Limits the allowed tags




Unsafe HTML tags

                    • <script>, and any tag that accepts JavaScript event attributes (onclick, onerror, ...)
                     • <script>
                    • Any tag that makes the browser fetch a URL on its own
                     • <img>

No image tags?!

                    • Image tags allow CSRF attacks: the browser fetches the src URL automatically, with the viewer's cookies
                    • It’s a matter of trust
                    • Use CCK & imagefield for images instead of <img> tags in content
                    • Control access to Full HTML
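The filtering policy the input-format slides describe, and the demo payload it is meant to stop, as an added example that is not Drupal's own filter module: a small allow-list HTML filter. The tag sets, the attribute rules, the sample payload and its host name are assumptions constructed for the example, chosen to match the slides' rules (keep a few formatting tags, drop <script> and every on* attribute, keep <img> out of the untrusted format).

```python
"""Allow-list HTML filter in the spirit of Drupal's "Filtered HTML" input format.

Added example, not code from Drupal's filter module. It implements the policy the
slides describe so the effect of each rule can be seen on a concrete payload.
"""
from html import escape
from html.parser import HTMLParser

# Tag sets are assumptions for this example; Drupal's default Filtered HTML list
# is similar but not identical. <img> is deliberately only in the trusted set.
UNTRUSTED_TAGS = {"a", "em", "strong", "p", "ul", "ol", "li", "br",
                  "cite", "code", "blockquote"}
TRUSTED_TAGS = UNTRUSTED_TAGS | {"img"}

URL_ATTRS = {"href", "src"}                                   # make the browser fetch a URL
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
DROP_ATTRS = {"style"}                                         # can carry url()/expression()


class AllowListFilter(HTMLParser):
    """Rebuilds the document from parsed tags, emitting only what the allow-list permits."""

    def __init__(self, allowed_tags):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed_tags
        self.out = []
        self.dropped = []   # (what, why) so a reviewer can see what was cut

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            self.dropped.append((tag, "tag not in allow-list"))
            return
        parts = [tag]
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name.startswith("on") or name in DROP_ATTRS:
                self.dropped.append((f"{tag}@{name}", "script-bearing attribute"))
                continue
            if name in URL_ATTRS and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                # javascript:, data:, vbscript: ... anything not explicitly allowed
                self.dropped.append((f"{tag}@{name}", "unsafe URL scheme"))
                continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so a stray '<' from the input can never open a tag.
        self.out.append(escape(data, quote=False))


def filter_html(html, allowed_tags):
    """Return (filtered_html, dropped) for one piece of user-supplied text."""
    f = AllowListFilter(allowed_tags)
    f.feed(html)
    f.close()
    return "".join(f.out), f.dropped


# Constructed payload in the shape of the demo on the slides: a script, an <img>
# whose src points at an admin-only URL (the CSRF vector) with an event handler,
# and a javascript: link. The host name is made up.
PAYLOAD = (
    '<p>Hi <script>document.cookie</script>'
    '<img src="http://victim.example/admin/settings/site-maintenance?site_offline=1"'
    ' onerror="alert(1)">'
    '<a href="javascript:alert(1)">x</a><a href="http://example.com/">ok</a></p>'
)

if __name__ == "__main__":
    for label, tags in (("untrusted (Filtered HTML-like)", UNTRUSTED_TAGS),
                        ("trusted (img allowed)", TRUSTED_TAGS)):
        out, dropped = filter_html(PAYLOAD, tags)
        print(label, "->", out)
        for what, why in dropped:
            print("   dropped", what, ":", why)
```

Run with the untrusted set, the script, the image and the javascript: link are all cut. Switch to the trusted set and the same `<img src="http://.../admin/...">` passes with only its onerror removed, which is the point of the slide: nothing about that markup is malformed, the browser will simply request the URL with whatever cookies the viewer has, so whether to allow <img> is a decision about who is writing the content, not about syntax.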

Trust

                    • Know your roles
                     • Which users have which roles
                    • How roles are granted


“Super-admin”
                                  permissions
                    •      Administer permissions

                    •      Administer users

                    •      Administer filters

                    •      Administer content types

                    •      Administer site configuration



Trust


                    • Apply the principle of least privilege
                     • Grant only the permissions needed to carry out the required work




Recovering from attack

                    • Restore from backup
                    • Upgrade to latest security releases
                    • Change your passwords
                    • Audit your configuration & custom code

Backups

                    • You do have backups, don’t you?
                    • phpMyAdmin > Export
                    • mysqldump on the command line
                    • Be sure to check they worked!
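Taking a mysqldump backup and then checking that it actually worked, as an added example that is not from the slides or from Drupal. verify_dump_text() runs offline on a dump's content and is what the check relies on; make_backup() is an assumption about a typical setup (credentials kept in a --defaults-extra-file rather than on the command line, unprefixed Drupal 6 core table names). The two sample dumps are constructed and shortened.

```python
"""Make a database backup with mysqldump and verify that it is complete."""
import gzip
import re
import subprocess
from datetime import datetime
from pathlib import Path

# Assumption: unprefixed Drupal 6 core table names. Adjust for a table prefix.
REQUIRED_TABLES = ("users", "node", "role", "permission")


def verify_dump_text(text, required_tables=REQUIRED_TABLES):
    """Return a list of problems; an empty list means the dump looks complete."""
    problems = []
    if not text.lstrip().startswith("-- MySQL dump"):
        problems.append("missing mysqldump header (is this even a dump?)")
    # mysqldump writes this trailer last; a dump that died mid-way lacks it.
    if "-- Dump completed" not in text[-4000:]:
        problems.append("missing 'Dump completed' trailer: truncated or failed dump")
    created = set(re.findall(r"CREATE TABLE `([^`]+)`", text))
    for table in required_tables:
        if table not in created:
            problems.append(f"no CREATE TABLE for `{table}`")
    if not re.search(r"^INSERT INTO `users` ", text, re.MULTILINE):
        problems.append("`users` has no INSERT rows: empty or wrong database?")
    return problems


def make_backup(database, defaults_file, out_dir):
    """Dump `database`, verify it, gzip it, and raise if anything is off.

    The dump is held in memory, which is fine for a typical site; stream to disk
    for very large databases.
    """
    out = Path(out_dir) / f"{database}-{datetime.now():%Y%m%d-%H%M%S}.sql.gz"
    proc = subprocess.run(
        ["mysqldump", f"--defaults-extra-file={defaults_file}",
         "--single-transaction", database],
        capture_output=True, text=True, check=True)   # non-zero exit raises
    problems = verify_dump_text(proc.stdout)
    if problems:
        raise RuntimeError("backup failed verification: " + "; ".join(problems))
    with gzip.open(out, "wt") as fh:
        fh.write(proc.stdout)
    # Re-read the compressed file so that what is on disk is what was checked.
    with gzip.open(out, "rt") as fh:
        if verify_dump_text(fh.read()):
            raise RuntimeError(f"{out} is corrupt after compression")
    return out


# Constructed sample dumps (shortened): one complete, one cut off mid-way.
GOOD_DUMP = """-- MySQL dump 10.13  Distrib 5.1.49
CREATE TABLE `users` (`uid` int);
INSERT INTO `users` VALUES (0,''),(1,'admin');
CREATE TABLE `node` (`nid` int);
CREATE TABLE `role` (`rid` int);
CREATE TABLE `permission` (`pid` int);
-- Dump completed on 2010-08-31 14:45:00
"""
TRUNCATED_DUMP = GOOD_DUMP.split("CREATE TABLE `role`")[0]

if __name__ == "__main__":
    print("good:", verify_dump_text(GOOD_DUMP) or "OK")
    print("truncated:", verify_dump_text(TRUNCATED_DUMP))
```

A dump that passes these checks is still only presumed restorable; the real test is restoring it into a scratch database now and then, before the day you need it.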

Open source is secure

                    • Source code is open for people to look at
                    • Popularity means eyes on code
                    • Collaboration increases code quality


Drupal is secure


                    • Drupal APIs are designed to be secure
                    • http://drupal.org/writing-secure-code


Drupal security team

                    • Team of volunteers
                    • Support core and all(!) of contrib
                    • Not actively reviewing all contrib projects


Security Advisories

                    • Only stable (non-dev) project releases are covered
                    • SAs on Wednesdays
                    • New core release types
                     • Bug fix release / Security fix release

Stay up-to-date

                    • Know about security updates
                     • Security Advisories
                       • Update status module
                       • Mailing list, RSS, Twitter
                    • Apply them!

Security updates

                    • Most security updates are small
                     • But not always
                    • Apply updates to development instance
                     • Test, then apply to production

FTP

                    • Do not use it!
                     • Common vector for attack
                     • Really, we’ve moved past plain-text


SFTP

                    • File transfer over SSH, not plain FTP: credentials and data are encrypted
                     • Your host should provide it
                     • If not, consider a new host


SSL
                    • Run Drupal on full SSL (every page over HTTPS)
                    • Use the securepages and securepages_prevent_hijack modules
                    • http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-possible-solutions-https
                    • Use a valid certificate
Security Review
                    • http://drupal.org/project/security_review
                    • File system permissions
                    • Granted “super-admin” permissions
                    • Input formats
                    • Allowed upload extensions
                    • PHP & JavaScript in content
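A least-privilege check over role/permission grants, covering the "super-admin" permissions slide and the corresponding Security Review check above. This is an added example rather than the Security Review module's code: it looks for the five super-admin permissions from the slides in a table shaped like Drupal 6's {permission} table (rid, comma-separated perm string) and rates each grant. The sample rows, the role names and the choice of rid 4 as the trusted admin role are constructed for the example.

```python
"""Least-privilege audit of role/permission grants (added example, not Security Review)."""
from dataclasses import dataclass

# The five permissions from the slides; each one alone is enough to take over the
# site (grant yourself more rights, edit other users, hand out Full HTML, ...).
SUPER_ADMIN_PERMS = {
    "administer permissions",
    "administer users",
    "administer filters",
    "administer content types",
    "administer site configuration",
}
ANONYMOUS_RID, AUTHENTICATED_RID = 1, 2   # Drupal's built-in roles


@dataclass
class Finding:
    rid: int
    role: str
    permissions: list
    severity: str


def parse_permission_rows(rows):
    """rows: (rid, perm) pairs where perm is a comma-separated permission string.
    Returns {rid: set_of_permission_names}."""
    by_rid = {}
    for rid, perm in rows:
        names = {p.strip() for p in perm.split(",") if p.strip()}
        by_rid.setdefault(rid, set()).update(names)
    return by_rid


def audit_super_admin_grants(perms_by_rid, role_names, trusted_rids):
    """Rate every role that holds a super-admin permission."""
    findings = []
    for rid in sorted(perms_by_rid):
        risky = sorted(perms_by_rid[rid] & SUPER_ADMIN_PERMS)
        if not risky:
            continue
        if rid in (ANONYMOUS_RID, AUTHENTICATED_RID):
            severity = "critical"      # every visitor, or every account, is an admin
        elif rid in trusted_rids:
            severity = "info"          # expected, but list it: who holds this role?
        else:
            severity = "high"          # a non-admin role that can escalate itself
        findings.append(Finding(rid, role_names.get(rid, f"rid {rid}"), risky, severity))
    return findings


# Constructed sample, not from a real site. Row 2 shows the classic mistake:
# "administer filters" handed to every authenticated user, which lets any
# account give itself Full HTML and then run the demo from the slides.
SAMPLE_ROWS = [
    (1, "access content"),
    (2, "access content, post comments, administer filters"),
    (3, "access content, create page content, edit own page content"),
    (4, "administer permissions, administer users, administer filters, "
        "administer content types, administer site configuration"),
]
ROLE_NAMES = {1: "anonymous user", 2: "authenticated user", 3: "editor", 4: "site admin"}
TRUSTED_RIDS = {4}


def run_sample_audit():
    return audit_super_admin_grants(parse_permission_rows(SAMPLE_ROWS), ROLE_NAMES, TRUSTED_RIDS)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"[{f.severity}] {f.role} (rid {f.rid}): {', '.join(f.permissions)}")
```

The "info" finding for the admin role is deliberate: least privilege is as much about knowing which accounts carry that role as about what the role can do, which is the "know your roles" point from the Trust slides.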
                    • Security Advisories
                       • http://drupal.org/security
                    • Handbooks
                       • http://drupal.org/security/secure-configuration
                       • http://drupal.org/writing-secure-code
                    • Cracking Drupal Book
                       • http://crackingdrupal.com
                    • OWASP
                       • http://www.owasp.org/


http://cph2010.drupal.org/node/12628




