SlideShare a Scribd company logo
1 of 43
Download to read offline
Is Drupal secure?
 A high-level perspective on web vulnerabilities,
 Drupal’s solutions, and how to maintain site security




Presented 2009-05-29 by David Strauss
Thinking
               Securely


   “Security is a process, not an event.”

           Security is cooperative:
       It’s everyone’s responsibility.

Security involves the whole software stack,
 not just Drupal (or any other application).

    Finding problems is a good thing.
The Top 10
Web Security Issues*
...and how Drupal addresses them




*According to The Open Web Application Security Project, 2007
LEM
P ROB
Unvalidated input
When users submit information to sites,
their input must be checked for validity.

Note: This issue made the top 10 in 2004 but not 2007.
How Drupal prevents...
Unvalidated input
          User Input

                                 Drupal    Validated User Input     Form
  User     Rejected,
         Invalid Input
                                Form API                          Processor


                                             Validation: Is the
           Validation: Is the               user authorized to
           user’s input OK?                 submit this form?
LEM
P ROB
#10 Failure to
Restrict URL Access
“Frequently, an application only protects sensitive
functionality by preventing the display of links or
URLs to unauthorized users. Attackers can use this
weakness to access and perform unauthorized
operations by accessing those URLs directly.”
#10 Failure to
Restrict URL Access
                      Enter a similar URL on
         User     2
                      a site that isn’t yours:
        Profile
                   http://example.com/user/10/delete


 Save   Delete
                             3
                                 What
  See where “delete”
                                 happens?
1
  normally links.
How Drupal prevents...
#10 Failure to Restrict URL Access

‣   Drupal uses an integrated URL/access control
    system. Every URL in the system must have access
    control configured, even if that access is “allow
    everyone.”
‣   Drupal’s menu system associates link display with
    access, so direct URL entry rarely works if a link is
    not already visible.
LEM
P ROB
#9 Insecure Communications
“Applications frequently fail to encrypt network
traffic when it is necessary to protect sensitive
communications.”
#9 Insecure Communications

      http://example.com/user

                 Username
                  Administrator
    Insecure     Password
                  ••••••••••••



                   Login
How Drupal prevents...
#9 Insecure Communications
‣   As a PHP-based system, Drupal can use Apache’s
    widely-trusted SSL support.
‣   If only part of the site is behind SSL, administrators
    can install modules to make certain URLs available
    only through a secure connection. Login,
    ecommerce, and administration page URLs often
    have this sort of security configured.
LEM
P ROB
#8 Insecure
Cryptographic Storage
“Web applications rarely use cryptographic
functions properly to protect data and credentials.
Attackers use weakly protected data to conduct
identity theft and other crimes, such as credit card
fraud.”
#8 Insecure
Cryptographic Storage
                       Encrypted
                       or hashed?
           User table
            Username      Password
           Administrator unguessable
Database
              Editor        1234
              David         drupal
How Drupal prevents...
#8 Insecure Cryptographic Storage
‣   Passwords are stored using a one-way hash. Even
    if someone downloads the site database,
    recovering usable passwords is difficult.
‣   Drupal provides a randomly generated private key
    for every installation. Modules can use this key to
    use reversible encryption for sensitive data like
    credit-card numbers.
‣   Commerce modules for Drupal minimize any
    retention of sensitive data, even in encrypted form.
LEM
P ROB
#7 Broken Authentication
“Account credentials and session tokens are often
not properly protected. Attackers compromise
passwords, keys, or authentication tokens to assume
other users’ identities.”
#7 Broken Authentication
Site Cookie
     Name              Value
                                    Can users
   SESS_1234      username=editor   change their
  administrator       TRUE          own access to
                                    the site?
   password         unguessable


      Are authentication
      cookies broadcasting
      secrets to the world?
How Drupal prevents...
#7 Broken Authentication
‣   Authentication cookies are not modifiable by site
    users. This prevents users from masquerading as
    more powerful users.
‣   User sessions (and related cookies) are completely
    destroyed and recreated on login and logout.
‣   User name, ID, and password are only managed on
    the server side, not in the user’s cookie. Passwords
    are never emailed.
‣   Session cookies are named uniquely for each
    Drupal installation and strongly restricted by
    domain, limiting cross-site snooping.
LEM
P ROB
#6 Information Leakage
“Applications can unintentionally leak information
about their configuration, internal workings, or
violate privacy through a variety of application
problems. Attackers use this weakness to steal
sensitive data, or conduct more serious attacks.”
#6 Information Leakage
        http://example.com/broken-site

     Error
     Cannot connect to database.
     (mysql://rootuser:unguessable@localhost:/content)




               Password shown
                  to visitors.
How Drupal prevents...
#6 Information Leakage
‣   Administrators can configure Drupal (and even
    PHP) to privately log errors, intercepting them
    before they ever reach users.
‣   Drupal (unlike some PHP applications)
    never displays password information when
    experiencing database connection issues.
‣   Drupal ships with a .htaccess
    (Apache web server configuration) file
    preventing many forms of snooping.
‣   It is not possible to read original user passwords.
LEM
P ROB
#5 Cross-Site
Request Forgery
“A CSRF attack forces a logged-on victim’s browser
to send a pre-authenticated request to a vulnerable
web application, which then forces the victim’s
browser to perform a hostile action to the benefit of
the attacker. CSRF can be as powerful as the web
application that it attacks.”
#5 Cross-Site
Request Forgery
  Log into            http://example.com/node/10
1
  bank site.
                   My forum post
  Visit a web
2
  forum.           This is a really interesting forum post.   ?

3 An “image” on
  the forum          <img src=“http://yourbank.com/
  makes a request transfer.php?account=1&to=34893”>
  on the bank site.
How Drupal prevents...
#5 Cross-Site Request Forgery
‣   If a site allows users to load any content off
    external servers, the site can be used to originate
    attacks. This is configurable either way in Drupal.
‣   Drupal filters out scripting variations of this attack,
    leaving only simpler (GET-type) ones.
‣   The simpler CSRF attacks fail when attacking
    Drupal because the Form API isolates state-
    changing operations behind POST requests.
‣   The Form API also requires loading forms prior to
    submission, making CSRF attacks much harder.
LEM
P ROB
#4 Insecure Direct
Object Reference
“A direct object reference occurs when a developer
exposes a reference to an internal implementation
object, such as a file, directory, database record, or
key, as a URL or form parameter. Attackers can
manipulate those references to access other objects
without authorization.”
#4 Insecure Direct
Object Reference
 http://example.com/show.php?page=/etc/group

 Welcome to /group
 nobody:*:-2:nogroup:*:-1:wheel:*:0:rootdaemon:*:1:rootkmem:*:
 2:rootsys:*:3:roottty:*:4:root




                          System data
                        shown to visitors.
How Drupal prevents...
#4 Insecure Direct Object Reference
‣   Drupal’s menu and form APIs encourage validating
    and sanitizing data submitted from users.
‣   When object references are passed through the
    Form API, Drupal core protects the values from
    tampering by site users.
‣   Drupal and PHP provide file and session APIs that
    allow convenient and secure object reference
    passing.
LEM
P ROB
#3 Malicious File Execution
“Code vulnerable to remote file inclusion (RFI)
allows attackers to include hostile code and data,
resulting in devastating attacks, such as total server
compromise. Malicious file execution attacks affect
PHP, XML and any framework which accepts
filenames or files from users.”
#3 Malicious File Execution
      http://example.com/show.php?page=../reinstall-site.php

 Site content deleted                           User tries to run
 Ready to run the installer. Reinstall site >    arbitrary files.
How Drupal prevents...
#3 Malicious File Execution
‣   PHP has a configurable base directory for
    inclusions. Using this option limits possible attacks
    to only the Drupal directories.
‣   Drupal modules generally offer no entry point
    except through Drupal’s secure URL/menu handler.
    So, while users may be able to load arbitrary PHP
    files, the “attacks” will have no effect.
‣   Prevention of “insecure direct object reference”
    attacks also helps here.
LEM
P ROB
#2 Injection Flaws
“Injection flaws, particularly SQL injection, are
common in web applications. Injection occurs when
user-supplied data is sent to an interpreter as part
of a command or query. The attacker's hostile data
tricks the interpreter into executing unintended
commands or changing data.”
#2 Injection Flaws
http://example.com/user             1   Carefully construct
                                        a “username” that
Username
Administrator” OR uid=1 OR “1”=“1       changes the SQL.
Password
••••••••••••                        SELECT uid FROM users
  Login                             WHERE
                                    name=“Administrator”
                                    OR uid=1
   See how it affects                OR “1”=“1”
 2
   the actual query run.            AND password=“kjsdkjds”
           3 Use administrator privileges.
How Drupal prevents...
#2 Injection Flaws
‣   Drupal provides a database API with built-in SQL
    injection attack prevention. Properly used, it is not
    possible to inject arbitrary SQL.
‣   Drupal 7’s new database API makes writing
    insecure database code even more difficult.
‣   Drupal provides a set of functions to process URLs
    and SQL arguments, making security an easy
    choice for developers.
LEM
P ROB
#1 Cross-Site Scripting
“XSS flaws occur whenever an application takes
user supplied data and sends it to a web browser
without first validating or encoding that content.
XSS allows attackers to execute script in the victim's
browser which can hijack user sessions, deface web
sites, possibly introduce worms, etc.”
#1 Cross-Site Scripting
1   Visit a web           http://example.com/node/10
    forum.
                       My forum post
2 Embedded
  script performs      This is a really interesting forum post.
  actions as you.

                                  <script>
              fetch_url(‘http://example.com/user/20/delete’)
                                  </script>
How Drupal prevents...
#1 Cross-Site Scripting
‣   Drupal has a system of input filters that remove
    potential XSS exploits from user input.
‣   The Form API verifies that a user loaded a form
    before submitting it. This verification makes
    effective XSS against Drupal sites considerably
    more difficult.
Fixing + finding problems
How the Drupal project finds, fixes, and
notifies users about security problems
Who’s checking Drupal?
‣   Hundreds of contributors
‣   Thousands of users
‣   Security researchers
    ‣   There’s glory in finding problems
‣   Government and corporate
    certification organizations
Handling problem reports
 Security
 Problem    Drupal                   Module/
 Report     Security                 Theme
             Team                    Author

                           Patch +
                           Update


 Public
                                New
 Private    Notifications
                               Release
Thinking in terms of “tainted” data
‣   The #1 and #2 security flaws (injection and XSS)
    represent the vast majority of Drupal security
    issues in the past year.
‣   Both are the results of inadequately processing
    user-submitted data prior to use.
‣   “Tainting” is one way to model use
    of user-provided data.
‣   In 2008, Drupal received core-wide automated
    analysis of its handling of user-submitted “tainted”
    data. (Thanks Barry Jaspan.)
How data tainting works
                                      SQL   Database
                                      XSS
                  SQL escaping

                                      SQL    User’s
                                      XSS   Browser
                   XSS removal
User                                  SQL
                                      XSS   Database
SQL
                                      SQL
XSS
                                      XSS
                                            Database
                                      SQL
Tainted   Clean                       XSS    User’s
 SQL      SQL              Secure
                                            Browser
 XSS      XSS              Insecure
Enterprise best practices
Working with Drupal’s security team
to keep your project secure
Enterprise best practices
‣   Subscribe to Drupal security notification lists.
‣   Have a testing environment ready to evaluate
    updates for deployment. (Drupal core updates
    typically come out on Wednesdays.)
‣   If you modify Drupal core, have a vendor branch
    management strategy for keeping your changes
    and still being able to upgrade.
‣   Have code reviews for your own work and
    all but the most popular contributed modules.
‣   If your team is new to Drupal, find a vendor
    to review your code, configuration, and choice
    of modules.
All content in this presentation, except where noted otherwise, is Creative Commons Attribution-
ShareAlike 3.0 licensed and copyright 2009 Four Kitchen Studios, LLC.

More Related Content

What's hot

Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Philippe Gamache
 
Automating Web Application Deployment
Automating Web Application DeploymentAutomating Web Application Deployment
Automating Web Application DeploymentMathew Byrne
 
WordPress Security - A Hacker's Guide - WordCamp 2019 Islamabad
WordPress Security - A Hacker's Guide - WordCamp 2019 IslamabadWordPress Security - A Hacker's Guide - WordCamp 2019 Islamabad
WordPress Security - A Hacker's Guide - WordCamp 2019 IslamabadRF Studio
 
Microsoft/Zend Webcast on Cloud Computing
Microsoft/Zend Webcast on Cloud ComputingMicrosoft/Zend Webcast on Cloud Computing
Microsoft/Zend Webcast on Cloud ComputingJosh Holmes
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingShreeraj Shah
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedSiddharth Bhattacharya
 
Secure Code Warrior - Local file inclusion
Secure Code Warrior - Local file inclusionSecure Code Warrior - Local file inclusion
Secure Code Warrior - Local file inclusionSecure Code Warrior
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Stormpath
 
IIS for Developers
IIS for DevelopersIIS for Developers
IIS for DevelopersIdo Flatow
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
DEV208 - ASP.NET MVC 5 新功能探索
DEV208 - ASP.NET MVC 5 新功能探索DEV208 - ASP.NET MVC 5 新功能探索
DEV208 - ASP.NET MVC 5 新功能探索Will Huang
 

What's hot (20)

Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
Hack and Slash: Secure Coding
Hack and Slash: Secure CodingHack and Slash: Secure Coding
Hack and Slash: Secure Coding
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Javacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 SpeechJavacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 Speech
 
Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017
 
Automating Web Application Deployment
Automating Web Application DeploymentAutomating Web Application Deployment
Automating Web Application Deployment
 
WordPress Security - A Hacker's Guide - WordCamp 2019 Islamabad
WordPress Security - A Hacker's Guide - WordCamp 2019 IslamabadWordPress Security - A Hacker's Guide - WordCamp 2019 Islamabad
WordPress Security - A Hacker's Guide - WordCamp 2019 Islamabad
 
Web Hacking Intro
Web Hacking IntroWeb Hacking Intro
Web Hacking Intro
 
Microsoft/Zend Webcast on Cloud Computing
Microsoft/Zend Webcast on Cloud ComputingMicrosoft/Zend Webcast on Cloud Computing
Microsoft/Zend Webcast on Cloud Computing
 
AppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services HackingAppSec 2007 - .NET Web Services Hacking
AppSec 2007 - .NET Web Services Hacking
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques Used
 
Secure Code Warrior - Local file inclusion
Secure Code Warrior - Local file inclusionSecure Code Warrior - Local file inclusion
Secure Code Warrior - Local file inclusion
 
Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)Secure Your REST API (The Right Way)
Secure Your REST API (The Right Way)
 
IIS for Developers
IIS for DevelopersIIS for Developers
IIS for Developers
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
DEV208 - ASP.NET MVC 5 新功能探索
DEV208 - ASP.NET MVC 5 新功能探索DEV208 - ASP.NET MVC 5 新功能探索
DEV208 - ASP.NET MVC 5 新功能探索
 
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
 

Similar to Is Drupal secure?

OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupChris Hales
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks   akash mahajanTop 10 web application security risks   akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Defensive programing 101
Defensive programing 101Defensive programing 101
Defensive programing 101Niall Merrigan
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awarenessJanagi Kannan
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhibhumika2108
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Sumanth Damarla
 
Developing Secure Web Apps
Developing Secure Web AppsDeveloping Secure Web Apps
Developing Secure Web AppsMark Garratt
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 

Similar to Is Drupal secure? (20)

OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January Meetup
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Joomla web application development vulnerabilities
Joomla web application development vulnerabilitiesJoomla web application development vulnerabilities
Joomla web application development vulnerabilities
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks   akash mahajanTop 10 web application security risks   akash mahajan
Top 10 web application security risks akash mahajan
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Defensive programing 101
Defensive programing 101Defensive programing 101
Defensive programing 101
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awareness
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016
 
Developing Secure Web Apps
Developing Secure Web AppsDeveloping Secure Web Apps
Developing Secure Web Apps
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 

More from Four Kitchens

Four Kitchens Presents: Future of the CMS
Four Kitchens Presents: Future of the CMSFour Kitchens Presents: Future of the CMS
Four Kitchens Presents: Future of the CMSFour Kitchens
 
Four Kitchens: We make BIG websites
Four Kitchens: We make BIG websitesFour Kitchens: We make BIG websites
Four Kitchens: We make BIG websitesFour Kitchens
 
Don't Design Websites. Design Web SYSTEMS! (UT Austin Drupal Users Group)
Don't Design Websites. Design Web SYSTEMS! (UT Austin Drupal Users Group)Don't Design Websites. Design Web SYSTEMS! (UT Austin Drupal Users Group)
Don't Design Websites. Design Web SYSTEMS! (UT Austin Drupal Users Group)Four Kitchens
 
No RFPs! Why requests for proposal are bad for business (and how we can stop ...
No RFPs! Why requests for proposal are bad for business (and how we can stop ...No RFPs! Why requests for proposal are bad for business (and how we can stop ...
No RFPs! Why requests for proposal are bad for business (and how we can stop ...Four Kitchens
 
Big Websites for Small Screens: ICANN.org Case Study
Big Websites for Small Screens: ICANN.org Case StudyBig Websites for Small Screens: ICANN.org Case Study
Big Websites for Small Screens: ICANN.org Case StudyFour Kitchens
 
UX design for every screen
UX design for every screenUX design for every screen
UX design for every screenFour Kitchens
 
Don't Design Websites. Design Web SYSTEMS! (BADCamp 2011)
Don't Design Websites. Design Web SYSTEMS! (BADCamp 2011)Don't Design Websites. Design Web SYSTEMS! (BADCamp 2011)
Don't Design Websites. Design Web SYSTEMS! (BADCamp 2011)Four Kitchens
 
Don't Design Websites. Design Web SYSTEMS! (DrupalCon London 2011)
Don't Design Websites. Design Web SYSTEMS! (DrupalCon London 2011)Don't Design Websites. Design Web SYSTEMS! (DrupalCon London 2011)
Don't Design Websites. Design Web SYSTEMS! (DrupalCon London 2011)Four Kitchens
 
Don't Design Websites. Design Web SYSTEMS! (DrupalCamp LA 2011)
Don't Design Websites. Design Web SYSTEMS! (DrupalCamp LA 2011)Don't Design Websites. Design Web SYSTEMS! (DrupalCamp LA 2011)
Don't Design Websites. Design Web SYSTEMS! (DrupalCamp LA 2011)Four Kitchens
 
Accelerated grid theming using NineSixty (DrupalCamp LA 2011)
Accelerated grid theming using NineSixty (DrupalCamp LA 2011)Accelerated grid theming using NineSixty (DrupalCamp LA 2011)
Accelerated grid theming using NineSixty (DrupalCamp LA 2011)Four Kitchens
 
Don't Design Websites. Design Web SYSTEMS! (Dallas Drupal Days 2011)
Don't Design Websites. Design Web SYSTEMS! (Dallas Drupal Days 2011)Don't Design Websites. Design Web SYSTEMS! (Dallas Drupal Days 2011)
Don't Design Websites. Design Web SYSTEMS! (Dallas Drupal Days 2011)Four Kitchens
 
Building Responsive Websites and Apps with Drupal
Building Responsive Websites and Apps with DrupalBuilding Responsive Websites and Apps with Drupal
Building Responsive Websites and Apps with DrupalFour Kitchens
 
Accelerated grid theming using NineSixty (Dallas Drupal Days 2011)
Accelerated grid theming using NineSixty (Dallas Drupal Days 2011)Accelerated grid theming using NineSixty (Dallas Drupal Days 2011)
Accelerated grid theming using NineSixty (Dallas Drupal Days 2011)Four Kitchens
 
Designing future proof websites
Designing future proof websitesDesigning future proof websites
Designing future proof websitesFour Kitchens
 
Making drupal beautiful with web fonts
Making drupal beautiful with web fontsMaking drupal beautiful with web fonts
Making drupal beautiful with web fontsFour Kitchens
 
The type revolutionary's cookbook
The type revolutionary's cookbookThe type revolutionary's cookbook
The type revolutionary's cookbookFour Kitchens
 
The Web Chef Cookbook
The Web Chef CookbookThe Web Chef Cookbook
The Web Chef CookbookFour Kitchens
 

More from Four Kitchens (20)

Four Kitchens Presents: Future of the CMS
Four Kitchens Presents: Future of the CMSFour Kitchens Presents: Future of the CMS
Four Kitchens Presents: Future of the CMS
 
Four Kitchens: We make BIG websites
Four Kitchens: We make BIG websitesFour Kitchens: We make BIG websites
Four Kitchens: We make BIG websites
 
Don't Design Websites. Design Web SYSTEMS! (UT Austin Drupal Users Group)
Don't Design Websites. Design Web SYSTEMS! (UT Austin Drupal Users Group)Don't Design Websites. Design Web SYSTEMS! (UT Austin Drupal Users Group)
Don't Design Websites. Design Web SYSTEMS! (UT Austin Drupal Users Group)
 
No RFPs! Why requests for proposal are bad for business (and how we can stop ...
No RFPs! Why requests for proposal are bad for business (and how we can stop ...No RFPs! Why requests for proposal are bad for business (and how we can stop ...
No RFPs! Why requests for proposal are bad for business (and how we can stop ...
 
Big Websites for Small Screens: ICANN.org Case Study
Big Websites for Small Screens: ICANN.org Case StudyBig Websites for Small Screens: ICANN.org Case Study
Big Websites for Small Screens: ICANN.org Case Study
 
UX design for every screen
UX design for every screenUX design for every screen
UX design for every screen
 
Don't Design Websites. Design Web SYSTEMS! (BADCamp 2011)
Don't Design Websites. Design Web SYSTEMS! (BADCamp 2011)Don't Design Websites. Design Web SYSTEMS! (BADCamp 2011)
Don't Design Websites. Design Web SYSTEMS! (BADCamp 2011)
 
Don't Design Websites. Design Web SYSTEMS! (DrupalCon London 2011)
Don't Design Websites. Design Web SYSTEMS! (DrupalCon London 2011)Don't Design Websites. Design Web SYSTEMS! (DrupalCon London 2011)
Don't Design Websites. Design Web SYSTEMS! (DrupalCon London 2011)
 
Don't Design Websites. Design Web SYSTEMS! (DrupalCamp LA 2011)
Don't Design Websites. Design Web SYSTEMS! (DrupalCamp LA 2011)Don't Design Websites. Design Web SYSTEMS! (DrupalCamp LA 2011)
Don't Design Websites. Design Web SYSTEMS! (DrupalCamp LA 2011)
 
Accelerated grid theming using NineSixty (DrupalCamp LA 2011)
Accelerated grid theming using NineSixty (DrupalCamp LA 2011)Accelerated grid theming using NineSixty (DrupalCamp LA 2011)
Accelerated grid theming using NineSixty (DrupalCamp LA 2011)
 
Don't Design Websites. Design Web SYSTEMS! (Dallas Drupal Days 2011)
Don't Design Websites. Design Web SYSTEMS! (Dallas Drupal Days 2011)Don't Design Websites. Design Web SYSTEMS! (Dallas Drupal Days 2011)
Don't Design Websites. Design Web SYSTEMS! (Dallas Drupal Days 2011)
 
Building Responsive Websites and Apps with Drupal
Building Responsive Websites and Apps with DrupalBuilding Responsive Websites and Apps with Drupal
Building Responsive Websites and Apps with Drupal
 
Accelerated grid theming using NineSixty (Dallas Drupal Days 2011)
Accelerated grid theming using NineSixty (Dallas Drupal Days 2011)Accelerated grid theming using NineSixty (Dallas Drupal Days 2011)
Accelerated grid theming using NineSixty (Dallas Drupal Days 2011)
 
Intro to Drush
Intro to DrushIntro to Drush
Intro to Drush
 
Teaching Drupal
Teaching DrupalTeaching Drupal
Teaching Drupal
 
Big Websites
Big WebsitesBig Websites
Big Websites
 
Designing future proof websites
Designing future proof websitesDesigning future proof websites
Designing future proof websites
 
Making drupal beautiful with web fonts
Making drupal beautiful with web fontsMaking drupal beautiful with web fonts
Making drupal beautiful with web fonts
 
The type revolutionary's cookbook
The type revolutionary's cookbookThe type revolutionary's cookbook
The type revolutionary's cookbook
 
The Web Chef Cookbook
The Web Chef CookbookThe Web Chef Cookbook
The Web Chef Cookbook
 

Recently uploaded

Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 

Recently uploaded (20)

Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 

Is Drupal secure?

  • 1. Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal’s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss
  • 2. Thinking Securely “Security is a process, not an event.” Security is cooperative: It’s everyone’s responsibility. Security involves the whole software stack, not just Drupal (or any other application). Finding problems is a good thing.
  • 3. The Top 10 Web Security Issues* ...and how Drupal addresses them *According to The Open Web Application Security Project, 2007
  • 4. LEM P ROB Unvalidated input When users submit information to sites, their input must be checked for validity. Note: This issue made the top 10 in 2004 but not 2007.
  • 5. How Drupal prevents... Unvalidated input User Input Drupal Validated User Input Form User Rejected, Invalid Input Form API Processor Validation: Is the Validation: Is the user authorized to user’s input OK? submit this form?
  • 6. LEM P ROB #10 Failure to Restrict URL Access “Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.”
  • 7. #10 Failure to Restrict URL Access Enter a similar URL on User 2 a site that isn’t yours: Profile http://example.com/user/10/delete Save Delete 3 What See where “delete” happens? 1 normally links.
  • 8. How Drupal prevents... #10 Failure to Restrict URL Access ‣ Drupal uses an integrated URL/access control system. Every URL in the system must have access control configured, even if that access is “allow everyone.” ‣ Drupal’s menu system associates link display with access, so direct URL entry rarely works if a link is not already visible.
  • 9. LEM P ROB #9 Insecure Communications “Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.”
  • 10. #9 Insecure Communications http://example.com/user Username Administrator Insecure Password •••••••••••• Login
  • 11. How Drupal prevents... #9 Insecure Communications ‣ As a PHP-based system, Drupal can use Apache’s widely-trusted SSL support. ‣ If only part of the site is behind SSL, administrators can install modules to make certain URLs available only through a secure connection. Login, ecommerce, and administration page URLs often have this sort of security configured.
  • 12. LEM P ROB #8 Insecure Cryptographic Storage “Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.”
  • 13. #8 Insecure Cryptographic Storage Encrypted or hashed? User table Username Password Administrator unguessable Database Editor 1234 David drupal
  • 14. How Drupal prevents... #8 Insecure Cryptographic Storage ‣ Passwords are stored using a one-way hash. Even if someone downloads the site database, recovering usable passwords is difficult. ‣ Drupal provides a randomly generated private key for every installation. Modules can use this key to use reversible encryption for sensitive data like credit-card numbers. ‣ Commerce modules for Drupal minimize any retention of sensitive data, even in encrypted form.
  • 15. LEM P ROB #7 Broken Authentication “Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users’ identities.”
  • 16. #7 Broken Authentication Site Cookie Name Value Can users SESS_1234 username=editor change their administrator TRUE own access to the site? password unguessable Are authentication cookies broadcasting secrets to the world?
  • 17. How Drupal prevents... #7 Broken Authentication ‣ Authentication cookies are not modifiable by site users. This prevents users from masquerading as more powerful users. ‣ User sessions (and related cookies) are completely destroyed and recreated on login and logout. ‣ User name, ID, and password are only managed on the server side, not in the user’s cookie. Passwords are never emailed. ‣ Session cookies are named uniquely for each Drupal installation and strongly restricted by domain, limiting cross-site snooping.
  • 18. LEM P ROB #6 Information Leakage “Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.”
  • 19. #6 Information Leakage http://example.com/broken-site Error Cannot connect to database. (mysql://rootuser:unguessable@localhost:/content) Password shown to visitors.
  • 20. How Drupal prevents... #6 Information Leakage ‣ Administrators can configure Drupal (and even PHP) to privately log errors, intercepting them before they ever reach users. ‣ Drupal (unlike some PHP applications) never displays password information when experiencing database connection issues. ‣ Drupal ships with a .htaccess (Apache web server configuration) file preventing many forms of snooping. ‣ It is not possible to read original user passwords.
  • 21. LEM P ROB #5 Cross-Site Request Forgery “A CSRF attack forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim’s browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.”
  • 22. #5 Cross-Site Request Forgery Log into http://example.com/node/10 1 bank site. My forum post Visit a web 2 forum. This is a really interesting forum post. ? 3 An “image” on the forum <img src=“http://yourbank.com/ makes a request transfer.php?account=1&to=34893”> on the bank site.
  • 23. How Drupal prevents... #5 Cross-Site Request Forgery ‣ If a site allows users to load any content off external servers, the site can be used to originate attacks. This is configurable either way in Drupal. ‣ Drupal filters out scripting variations of this attack, leaving only simpler (GET-type) ones. ‣ The simpler CSRF attacks fail when attacking Drupal because the Form API isolates state- changing operations behind POST requests. ‣ The Form API also requires loading forms prior to submission, making CSRF attacks much harder.
  • 24. LEM P ROB #4 Insecure Direct Object Reference “A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.”
  • 25. #4 Insecure Direct Object Reference http://example.com/show.php?page=/etc/group Welcome to /group nobody:*:-2:nogroup:*:-1:wheel:*:0:rootdaemon:*:1:rootkmem:*: 2:rootsys:*:3:roottty:*:4:root System data shown to visitors.
  • 26. How Drupal prevents... #4 Insecure Direct Object Reference ‣ Drupal’s menu and form APIs encourage validating and sanitizing data submitted from users. ‣ When object references are passed through the Form API, Drupal core protects the values from tampering by site users. ‣ Drupal and PHP provide file and session APIs that allow convenient and secure object reference passing.
  • 27. LEM P ROB #3 Malicious File Execution “Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.”
  • 28. #3 Malicious File Execution http://example.com/show.php?page=../reinstall-site.php Site content deleted User tries to run Ready to run the installer. Reinstall site > arbitrary files.
  • 29. How Drupal prevents... #3 Malicious File Execution ‣ PHP has a configurable base directory for inclusions. Using this option limits possible attacks to only the Drupal directories. ‣ Drupal modules generally offer no entry point except through Drupal’s secure URL/menu handler. So, while users may be able to load arbitrary PHP files, the “attacks” will have no effect. ‣ Prevention of “insecure direct object reference” attacks also helps here.
  • 30. LEM P ROB #2 Injection Flaws “Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.”
  • 31. #2 Injection Flaws http://example.com/user 1 Carefully construct a “username” that Username Administrator” OR uid=1 OR “1”=“1 changes the SQL. Password •••••••••••• SELECT uid FROM users Login WHERE name=“Administrator” OR uid=1 See how it affects OR “1”=“1” 2 the actual query run. AND password=“kjsdkjds” 3 Use administrator privileges.
  • 32. How Drupal prevents... #2 Injection Flaws ‣ Drupal provides a database API with built-in SQL injection attack prevention. Properly used, it is not possible to inject arbitrary SQL. ‣ Drupal 7’s new database API makes writing insecure database code even more difficult. ‣ Drupal provides a set of functions to process URLs and SQL arguments, making security an easy choice for developers.
  • 33. LEM P ROB #1 Cross-Site Scripting “XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.”
  • 34. #1 Cross-Site Scripting 1 Visit a web http://example.com/node/10 forum. My forum post 2 Embedded script performs This is a really interesting forum post. actions as you. <script> fetch_url(‘http://example.com/user/20/delete’) </script>
  • 35. How Drupal prevents... #1 Cross-Site Scripting ‣ Drupal has a system of input filters that remove potential XSS exploits from user input. ‣ The Form API verifies that a user loaded a form before submitting it. This verification makes effective XSS against Drupal sites considerably more difficult.
  • 36. Fixing + finding problems How the Drupal project finds, fixes, and notifies users about security problems
  • 37. Who’s checking Drupal? ‣ Hundreds of contributors ‣ Thousands of users ‣ Security researchers ‣ There’s glory in finding problems ‣ Government and corporate certification organizations
  • 38. Handling problem reports Security Problem Drupal Module/ Report Security Theme Team Author Patch + Update Public New Private Notifications Release
  • 39. Thinking in terms of “tainted” data ‣ The #1 and #2 security flaws (injection and XSS) represent the vast majority of Drupal security issues in the past year. ‣ Both are the results of inadequately processing user-submitted data prior to use. ‣ “Tainting” is one way to model use of user-provided data. ‣ In 2008, Drupal received core-wide automated analysis of its handling of user-submitted “tainted” data. (Thanks Barry Jaspan.)
  • 40. How data tainting works SQL Database XSS SQL escaping SQL User’s XSS Browser XSS removal User SQL XSS Database SQL SQL XSS XSS Database SQL Tainted Clean XSS User’s SQL SQL Secure Browser XSS XSS Insecure
  • 41. Enterprise best practices Working with Drupal’s security team to keep your project secure
  • 42. Enterprise best practices ‣ Subscribe to Drupal security notification lists. ‣ Have a testing environment ready to evaluate updates for deployment. (Drupal core updates typically come out on Wednesdays.) ‣ If you modify Drupal core, have a vendor branch management strategy for keeping your changes and still being able to upgrade. ‣ Have code reviews for your own work and all but the most popular contributed modules. ‣ If your team is new to Drupal, find a vendor to review your code, configuration, and choice of modules.
  • 43. All content in this presentation, except where noted otherwise, is Creative Commons Attribution- ShareAlike 3.0 licensed and copyright 2009 Four Kitchen Studios, LLC.