Over 70% of the security issues in Drupal sites are either XSS, CSRF, or SQL Injection. Let's talk about how sites get hacked and how you can write secure Drupal code and maintain security throughout your development process and live maintenance. About the Presenter: Ben Jeavons is a member of the Drupal Security team and co-author of the Drupal Security Report. As an engineer at Acquia he works on the Acquia Network including the security and performance analysis tool, Acquia Insight. Experience Level: Intermediate

1. Secure your Drupal
site by first
hacking into it

2. Think like a hacker
http://www.flickr.com/photos/31246066@N04/4252587897/

3. How sites get hacked
XSS
Insecure environment
Stolen access
Outdated code, known vulnerabilities

4. XSS Demo
• Malicious Javascript is entered
• Admin unknowingly executes
• Javascript alters admin-only settings
• Changes admin password
• Puts site offline
http://www.flickr.com/photos/paolo_rosa/5088971947/

5. https://vimeo.com/15447718

6. Ben Jeavons
Drupaler for 5 years
Member of Drupal Security Team
@benswords

7. Drupal vulnerabilities by popularity
12%
7%
4%
3% 48%
10%
16%
XSS Access Bypass CSRF
Authentication/Session Arbitrary Code Execution SQL Injection
Others
reported in core and contrib SAs from 6/1/2005 through 3/24/2010

8. Cross Site Scripting

9. Cross Site Scripting
XSS
Javascript
Performing actions without your intent
Everything you can do XSS can do faster

10. Stored XSS Step 1
Request
Attacker Drupal DB
JS
JS

11. Stored XSS Step 2
Request
Victim Drupal DB
Response
JS JS

12. Stored XSS Step 3
Victim Request
Drupal DB
JS JS

13. $node = node_load($nid);
$title = $node->title;
drupal_set_title($title);
...
(later, in page.tpl.php)
...
<h1><?php print $title; ?></h1>

14. Fixing XSS
Identify where the data came from
User input!

18. user agent
language
time zone
referrer
& more HTTP request headers
Lots of tools/ways to modify
these for requests

19. Fixing XSS
Identify where the data came from
Is that data being filtered or escaped before
output?

21. Raw
Input
Filtered
Output

23. $node = node_load($nid);
$title = $node->title;
$safe = check_plain($title);
drupal_set_title($safe);
...
(later, in page.tpl.php)
...
<h1><?php print $title; ?></h1>

24. XSS in Themes
<div class=”stuff”>
<?php
print $node->field_stuff[0][‘value’];
?>

25. <div class=”stuff”>
<?php
print $node->field_stuff[0][‘safe’];
// OR
$stuff = $node->field_stuff[0];
print content_format(‘field_stuff’, $stuff);
?>

26. Sanitize user input for output
$msg = variable_get(‘my_msg’,‘’);
print check_plain($msg);

27. Test for XSS vulnerability
<script>alert(‘xss yo’)</script>
github.com / unn / vuln

28. Insecure Environment

29. Insecure Environment
Lock down your stack
Admin tools and access to them
Principle of least privilege
Give out only necessary permissions

31. Insecure Environment
/devel/variable
/phpMyAdmin

32. Insecure Environment
Make backups
Test that they work
Secure access to backups

33. Center for Health
Transformation’s
records were
“found by The New
York Times in an
unsecured archived
version of the site”
http://www.nytimes.com/2011/11/30/us/politics/gingrich-gave-push-to-clients-not-just-ideas.html
http://www.flickr.com/photos/mjb/208218519/

34. Insecure Environment
/sites/default/files/backup_migrate/

35. Stolen Access

38. SSL
Run Drupal on full TLS/SSL
securepages & securepages_prevent_hijack
http://drupalscout.com/node/17
Use a valid certificate

39. SFTP
“Secure” FTP
Your host should provide it
If not, consider a new one

40. Stay up-to-date

41. Stay up-to-date
Know and apply security updates
Security Advisories
Not just Drupal
third-party libraries (TinyMCE)
PHP, operating system

42. /CHANGELOG.txt

43. Automation
http://www.flickr.com/photos/hubmedia/2141860216/

44. Steps to a mostly automated review
Security Review: drupal.org/project/security_review
Hacked: drupal.org/project/hacked
Coder: drupal.org/project/coder
Secure Code Review
drupal.org/project/secure_code_review
Vuln: github.com/unn/vuln
More: http://drupalscout.com/node/11

45. in-depth, hands-on security training
drupalcon.org
bit.ly/drupalcon-security

46. Read
drupal.org/security/writing-secure-code
drupalscout.com
crackingdrupal.com
Converse
groups.drupal.org/best-practices-drupal-security
ben.jeavons@acquia.com
@benswords