Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Uploaded by nyccamp (category: Technology)
Transcript of Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Secure your Drupal site by first hacking into it
Think like a hacker
http://www.flickr.com/photos/31246066@N04/4252587897/
How sites get hacked
XSS
Insecure environment
Stolen access
Outdated code, known vulnerabilities
XSS Demo
• Malicious Javascript is entered
• Admin unknowingly executes
• Javascript alters admin-only settings
• Changes admin password
• Puts site offline
http://www.flickr.com/photos/paolo_rosa/5088971947/
Ben Jeavons
Drupaler for 5 years
Member of Drupal Security Team
@benswords
Drupal vulnerabilities by popularity
XSS: 48%
Access Bypass: 16%
CSRF: 10%
Authentication/Session: 3%
Arbitrary Code Execution: 4%
SQL Injection: 7%
Others: 12%
reported in core and contrib SAs from 6/1/2005 through 3/24/2010
Cross Site Scripting
XSS
Javascript
Performing actions without your intent
Everything you can do XSS can do faster
Stored XSS Step 1 (diagram: Attacker sends a Request containing JS to Drupal; the JS is stored in the DB)
Stored XSS Step 2 (diagram: Victim sends a Request to Drupal; the Response carries the JS read from the DB)
Stored XSS Step 3 (diagram: the JS running in the Victim's browser sends its own Request to Drupal and the DB)
$node = node_load($nid);
$title = $node->title;
drupal_set_title($title);
...(later, in page.tpl.php)...
<h1><?php print $title; ?></h1>
Fixing XSS
Identify where the data came from
User input!
user agent, language, time zone, referrer & more HTTP request headers
Lots of tools/ways to modify these for requests
Is that data being filtered or escaped before output?
RawInput
FilteredOutput
$node = node_load($nid);
$title = $node->title;
$safe = check_plain($title);
drupal_set_title($safe);
...(later, in page.tpl.php)...
<h1><?php print $title; ?></h1>
XSS in Themes
<div class="stuff"><?php print $node->field_stuff[0]['value']; ?></div>
<div class="stuff"><?php
print $node->field_stuff[0]['safe'];
// OR
$stuff = $node->field_stuff[0];
print content_format('field_stuff', $stuff);
?></div>
Sanitize user input for output
$msg = variable_get('my_msg', '');
print check_plain($msg);
<script>alert('xss yo')</script>
github.com/unn/vuln
Test for XSS vulnerability
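The title example and the check_plain() test above, carried through as a runnable script. This is an added example, not code from the slides or from Drupal: it re-implements check_plain() the way Drupal 6/7 define it so it runs without a Drupal install, and the node object and its title payload are constructed sample data.

```php
<?php
// Added example: why a node title must go through check_plain() before
// it is printed in page.tpl.php. Runs without Drupal; check_plain() is
// re-implemented here as Drupal 6/7 define it (htmlspecialchars with
// ENT_QUOTES and UTF-8). Assumption: no real Drupal bootstrap is present.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Stand-in for what node_load() would return; the title holds the
// test payload from the slides. Constructed sample data.
$node = (object) array(
  'nid'   => 1,
  'title' => "Hello <script>alert('xss yo')</script>",
);

// Vulnerable pattern: the raw title reaches the template untouched.
function render_title_unsafe($node) {
  $title = $node->title;
  return '<h1>' . $title . '</h1>';
}

// Fixed pattern: escape once, at output, and print only the escaped value.
function render_title_safe($node) {
  $safe = check_plain($node->title);
  return '<h1>' . $safe . '</h1>';
}

// Self-check a reviewer can run: the fixed output must not contain a live
// <script> tag, only its escaped form.
$unsafe = render_title_unsafe($node);
$safe   = render_title_safe($node);
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);
echo $unsafe, "\n", $safe, "\n";
```

The same rule applies to the theme snippet: print the 'safe' value (or content_format()) rather than 'value', since 'value' is the raw stored input.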
Insecure Environment
Lock down your stack
Admin tools and access to them
Principle of least privilege
Give out only necessary permissions
Insecure Environment
/devel/variable
/phpMyAdmin
Insecure Environment
Make backups
Test that they work
Secure access to backups
Center for Health Transformation's records were "found by The New York Times in an unsecured archived version of the site"
http://www.flickr.com/photos/mjb/208218519/
http://www.nytimes.com/2011/11/30/us/politics/gingrich-gave-push-to-clients-not-just-ideas.html
Insecure Environment
/sites/default/files/backup_migrate/
Stolen Access
SSL
Run Drupal on full TLS/SSL
securepages & securepages_prevent_hijack
http://drupalscout.com/node/17
Use a valid certificate
SFTP
“Secure” FTP
Your host should provide it
If not, consider a new one
Stay up-to-date
Know and apply security updates
Security Advisories
Not just Drupal
third-party libraries (TinyMCE)
PHP, operating system
/CHANGELOG.txt
Automation
http://www.flickr.com/photos/hubmedia/2141860216/
Steps to a mostly automated review
Security Review: drupal.org/project/security_review
Hacked: drupal.org/project/hacked
Coder: drupal.org/project/coder
Secure Code Review
drupal.org/project/secure_code_review
Vuln: github.com/unn/vuln
More: http://drupalscout.com/node/11
in-depth, hands-on security training: drupalcon.org
bit.ly/drupalcon-security
Read
drupal.org/security/writing-secure-code
drupalscout.com
crackingdrupal.com
Converse
groups.drupal.org/best-practices-drupal-security
@benswords