Hack Into Drupal Sites (or, How to Secure Your Drupal Site)

DESCRIPTION

Over 70% of the security issues in Drupal sites are either XSS, CSRF, or SQL Injection. Let's talk about how sites get hacked and how you can write secure Drupal code and maintain security throughout your development process and live maintenance. About the Presenter: Ben Jeavons is a member of the Drupal Security team and co-author of the Drupal Security Report. As an engineer at Acquia he works on the Acquia Network including the security and performance analysis tool, Acquia Insight. Experience Level: Intermediate

Secure your Drupal site by first hacking into it

Think like a hacker

http://www.flickr.com/photos/31246066@N04/4252587897/

How sites get hacked

XSS

Insecure environment

Stolen access

Outdated code, known vulnerabilities

XSS Demo

• Malicious Javascript is entered

• Admin unknowingly executes

• Javascript alters admin-only settings

• Changes admin password

• Puts site offline

http://www.flickr.com/photos/paolo_rosa/5088971947/

https://vimeo.com/15447718

Ben Jeavons

Drupaler for 5 years

Member of Drupal Security Team

@benswords

Drupal vulnerabilities by popularity

XSS: 48%

Access Bypass: 16%

CSRF: 10%

Authentication/Session: 3%

Arbitrary Code Execution: 4%

SQL Injection: 7%

Others: 12%

reported in core and contrib SAs from 6/1/2005 through 3/24/2010

Cross Site Scripting

Cross Site Scripting

XSS

Javascript

Performing actions without your intent

Everything you can do XSS can do faster

Stored XSS Step 1

[Diagram: Attacker sends a Request carrying JS to Drupal; the JS is stored in the DB]

Stored XSS Step 2

[Diagram: Victim sends a Request to Drupal; the Response carries the JS read back from the DB]

Stored XSS Step 3

[Diagram: the JS now running in the Victim's browser sends Requests to Drupal as the Victim]

// Vulnerable: the raw node title is handed to the theme layer unescaped.
$node = node_load($nid);
$title = $node->title;
drupal_set_title($title);

...(later, in page.tpl.php)...

<h1><?php print $title; ?></h1>

Fixing XSS

Identify where the data came from

User input!

user agent, language, time zone, referrer & more HTTP request headers

Lots of tools/ways to modify these for requests

Fixing XSS

Identify where the data came from

Is that data being filtered or escaped before output?

Raw Input

Filtered Output

// Fixed: escape the title before it reaches the theme layer.
$node = node_load($nid);
$title = $node->title;
$safe = check_plain($title);
drupal_set_title($safe);

...(later, in page.tpl.php)...

// Here $title is populated from drupal_get_title(), i.e. the escaped value set above.
<h1><?php print $title; ?></h1>

XSS in Themes

<!-- Vulnerable: prints the raw stored field value -->
<div class="stuff"><?php print $node->field_stuff[0]['value']; ?></div>

<!-- Fixed: use the CCK-filtered 'safe' value, or run the item through its formatter -->
<div class="stuff">
<?php
print $node->field_stuff[0]['safe'];
// OR
$stuff = $node->field_stuff[0];
print content_format('field_stuff', $stuff);
?>
</div>

Sanitize user input for output

$msg = variable_get('my_msg', '');

print check_plain($msg);

<script>alert('xss yo')</script>

github.com / unn / vuln

Test for XSS vulnerability
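As an added example (not code from the deck, and not the Coder or Security Review modules), here is a minimal lint rule that asks the slides' question "is that data being filtered or escaped before output?" of a theme template: it flags every print/echo whose argument is not visibly wrapped in a sanitizer or using CCK's ['safe'] value. The sanitizer list and the sample template lines are constructed assumptions.

```python
"""Flag likely unsanitized output in Drupal 6 .tpl.php files (hypothetical lint rule)."""
import re

# Output sinks the deck treats as safe, plus t() for translated literals (assumed list).
SANITIZERS = ("check_plain(", "check_markup(", "filter_xss(",
              "content_format(", "format_plural(", "t(")

# A PHP print/echo statement: capture the expression up to the terminating ';'.
PRINT_RE = re.compile(r"\b(?:print|echo)\s+(?P<expr>[^;]+);")

def is_sanitized(expr):
    """True if the printed expression is wrapped in a known sanitizer
    or reads CCK's pre-filtered ['safe'] item value."""
    e = expr.strip()
    if re.search(r"\[\s*['\"]safe['\"]\s*\]", e):
        return True
    return e.startswith(SANITIZERS)

def find_unsafe_prints(template):
    """Return (line_no, expression) for each print/echo not visibly sanitized.
    Hits are candidates for review: a variable such as $title in page.tpl.php
    may already be escaped by a preprocess function, so trace where it was set."""
    findings = []
    for n, line in enumerate(template.splitlines(), 1):
        for m in PRINT_RE.finditer(line):
            if not is_sanitized(m.group("expr")):
                findings.append((n, m.group("expr").strip()))
    return findings

# Constructed sample template mixing the deck's vulnerable and fixed patterns.
SAMPLE_TPL = """<div class="stuff"><?php print $node->field_stuff[0]['value']; ?></div>
<div class="stuff"><?php print $node->field_stuff[0]['safe']; ?></div>
<h1><?php print check_plain($node->title); ?></h1>
<p><?php print $msg; ?></p>
<?php $stuff = $node->field_stuff[0]; print content_format('field_stuff', $stuff); ?>
"""

if __name__ == "__main__":
    for line_no, expr in find_unsafe_prints(SAMPLE_TPL):
        print("line %d: unsanitized output of %s" % (line_no, expr))
```

Running it on the sample reports lines 1 and 4 only; the ['safe'] value, check_plain() and content_format() lines pass.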

Insecure Environment

Insecure Environment

Lock down your stack

Admin tools and access to them

Principle of least privilege

Give out only necessary permissions

Insecure Environment

/devel/variable

/phpMyAdmin

Insecure Environment

Make backups

Test that they work

Secure access to backups

Center for Health Transformation's records were "found by The New York Times in an unsecured archived version of the site"

http://www.flickr.com/photos/mjb/208218519/

http://www.nytimes.com/2011/11/30/us/politics/gingrich-gave-push-to-clients-not-just-ideas.html

Insecure Environment

/sites/default/files/backup_migrate/

Stolen Access

SSL

Run Drupal on full TLS/SSL

securepages & securepages_prevent_hijack

http://drupalscout.com/node/17

Use a valid certificate

SFTP

“Secure” FTP

Your host should provide it

If not, consider a new one

Stay up-to-date

Stay up-to-date

Know and apply security updates

Security Advisories

Not just Drupal

third-party libraries (TinyMCE)

PHP, operating system

/CHANGELOG.txt

Automation

http://www.flickr.com/photos/hubmedia/2141860216/

Steps to a mostly automated review

Security Review: drupal.org/project/security_review

Hacked: drupal.org/project/hacked

Coder: drupal.org/project/coder

Secure Code Review

drupal.org/project/secure_code_review

Vuln: github.com/unn/vuln

More: http://drupalscout.com/node/11

in-depth, hands-on security training

drupalcon.org

bit.ly/drupalcon-security

Read

drupal.org/security/writing-secure-code

drupalscout.com

crackingdrupal.com

Converse

groups.drupal.org/best-practices-drupal-security

ben.jeavons@acquia.com

@benswords
