Hack Proof Your Drupal Site

Hack Proof Your Drupal Site. Naveen Valecha, Software Engineer at www.qed42.com. Blog: http://blog.valechatech.com. Twitter: @NaveenvalechaNV. QED42

Upload: naveen-valecha

Post on 15-Jul-2015


Category:

Engineering



TRANSCRIPT

Page 1: Hack Proof Your Drupal Site

Hack Proof Your Drupal Site

Naveen Valecha, Software Engineer at www.qed42.com
http://blog.valechatech.com
Twitter: @NaveenvalechaNV

QED42

Page 2: Hack Proof Your Drupal Site


Do you think hackers are magicians?

Page 3: Hack Proof Your Drupal Site

Topics

● Common Security Strategies
● SQL Injection
● Cross-Site Scripting (XSS)
● Cross-Site Request Forgery (CSRF)
● Access bypass (Node access bypass & Menu access bypass)
● Correct use of drupal_goto (incorrect use leads to an open redirect vulnerability)


Page 4: Hack Proof Your Drupal Site

Common Security Strategies

● Trust - decide who can do what on the website.

● Software updates - keep your software up to date (server, web server, Drupal core and contributed modules, etc.).

● Security misconfigurations - Securing your site: https://www.drupal.org/security/secure-configuration


Page 5: Hack Proof Your Drupal Site

Permissions

● Be careful with site-owning permissions (the ones Drupal marks as having security implications, such as administering users, permissions or modules): any role holding one can take over the whole site.

● The same goes for text formats: a role allowed to use Full HTML can inject script into pages.

● User 1 should not have an obvious name like "admin" and should not be used for day-to-day work: it bypasses every permission check.


Page 6: Hack Proof Your Drupal Site

Security Misconfigurations

● Disable PHP error display on production (admin/config/development/logging): error messages leak file paths, queries and stack traces.

● Disable the PHP filter module.

● Make sure PHP files are not writable by the web server. Remove write permissions for www-data: code is owned by the deploy user and only readable by the web server group, while only sites/default/files is writable by www-data:

  -rw-r-----  1 neal     www-data index.php
  drwxr-x--- 32 neal     www-data modules/
  drwxrwx---  7 www-data neal     sites/default/files/


Page 7: Hack Proof Your Drupal Site

SQL Injection

Attackers control every request parameter. Concatenating one into the query string lets them change the query itself:

  <?php
  db_query("SELECT uid FROM {users} u WHERE u.name = '" . $_GET['user'] . "'");
  ?>


Page 8: Hack Proof Your Drupal Site

SQL Injection - Exploit

http://example.dev/?user=x%27%3B%20DROP%20table%20node%3B%20--

Query: SELECT uid FROM users u WHERE u.name = 'x'; DROP table node; --'

This drops your node table: data loss, and the website breaks.

Page 9: Hack Proof Your Drupal Site

SQL Injection - Correct Usage

Placeholders: the value is sent to the database separately from the SQL text, so it is never parsed as SQL.

  <?php
  db_query("SELECT uid FROM {users} u WHERE u.name = :name", array(':name' => $_GET['user']));
  ?>

OR the query builder, which binds every condition value as a placeholder:

  <?php
  db_select('users', 'u')
    ->fields('u', array('uid'))
    ->condition('u.name', $_GET['user'])
    ->execute();
  ?>
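Placeholders cover values, but not every part of a query can be a placeholder. The following is an added example, not code from the slides or from the exploitedpizza repository: it shows three lookups for a hypothetical "pizza" module (table and column names are assumptions), including the LIKE and ORDER BY cases where a placeholder alone is not enough.

```php
<?php
// Added example (not from the slides): parameterised lookups for a hypothetical
// "pizza" module, showing where Drupal 7 placeholders help and where they cannot.

/**
 * Look up a uid by name. The placeholder keeps the value out of the SQL text,
 * so a name like "x'; DROP TABLE node; --" is compared as a literal string.
 */
function pizza_uid_by_name($name) {
  return db_query("SELECT uid FROM {users} WHERE name = :name", array(
    ':name' => $name,
  ))->fetchField();
}

/**
 * Title search with LIKE. The value is still bound, but LIKE wildcards inside
 * the user input must be escaped with db_like(); otherwise a user-supplied "%"
 * matches every row.
 */
function pizza_search_titles($fragment) {
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.type', 'pizza')
    ->condition('n.title', '%' . db_like($fragment) . '%', 'LIKE')
    ->execute()
    ->fetchAllKeyed();
}

/**
 * Sorted listing. Identifiers (column names) and keywords (ASC/DESC) cannot be
 * bound as placeholders, so user-chosen sort input is reduced to a whitelist.
 * Passing $column through unchecked would be SQL injection even via db_select().
 */
function pizza_list_sorted($column, $direction) {
  $allowed_columns = array('title', 'created', 'changed');
  $column = in_array($column, $allowed_columns, TRUE) ? $column : 'created';
  $direction = strtoupper($direction) === 'ASC' ? 'ASC' : 'DESC';

  return db_select('node', 'n')
    ->fields('n', array('nid', 'title', 'created'))
    ->condition('n.type', 'pizza')
    ->orderBy('n.' . $column, $direction)
    ->execute()
    ->fetchAllAssoc('nid');
}

/**
 * Array placeholders expand to an IN (...) list; no manual implode() needed.
 */
function pizza_titles_for_nids(array $nids) {
  if (empty($nids)) {
    return array();
  }
  return db_query("SELECT nid, title FROM {node} WHERE nid IN (:nids)", array(
    ':nids' => array_map('intval', $nids),
  ))->fetchAllKeyed();
}

// Usage from a page callback; every request parameter is untrusted input.
// $uid  = pizza_uid_by_name($_GET['user']);
// $rows = pizza_list_sorted($_GET['sort'], $_GET['order']);
```

The whitelist in pizza_list_sorted() is the part reviewers most often find missing: db_select() protects condition values, not the column and direction strings handed to orderBy().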

Page 10: Hack Proof Your Drupal Site

Cross site Scripting(XSS)

● Attackers inject client-side script into pages your site serves; it runs in other users' browsers with their session, so it can act as them and read anything they can.

● Any user-supplied data (form fields, URL parameters, stored titles and bodies) must be sanitized or escaped before it is printed.


Page 11: Hack Proof Your Drupal Site

XSS - Exploit

Vulnerable code (the pizza listing at http://d7vulnerable.dev/admin/pizza prints the title unescaped):

  print $row->title;

A title containing <script> tags is rendered as markup and executes in the browser of every visitor to the listing.

Page 12: Hack Proof Your Drupal Site

XSS - Correct Usage

  print check_plain($row->title);

Handle text in a secure fashion: https://www.drupal.org/node/28984
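check_plain() is the right call for plain text in an HTML body, but the escaping function depends on where the data lands. The following is an added example, not code from the slides or the exploitedpizza repository: a hypothetical render function for a pizza row (the $row fields are assumptions) that picks the Drupal 7 sanitizer by output context.

```php
<?php
// Added example (not from the slides): rendering untrusted data from a
// hypothetical pizza row, choosing the escaping function by output context.
// $row is assumed to hold user-supplied values read from the database.

function pizza_render_row($row) {
  $output = '';

  // Plain text in the HTML body: check_plain() encodes < > & " ' so a title
  // such as "<script>alert(1)</script>" is displayed literally, not executed.
  $output .= '<h2>' . check_plain($row->title) . '</h2>';

  // t() escapes @placeholders (check_plain) and %placeholders (check_plain
  // wrapped in <em>). Only !placeholders are inserted raw: never use ! for
  // user data.
  $output .= '<p>' . t('Added by @name on %date', array(
    '@name' => $row->author,
    '%date' => format_date($row->created),
  )) . '</p>';

  // Link text given to l() is run through check_plain() unless 'html' => TRUE
  // is set; the path itself is encoded by url().
  $output .= '<p>' . l($row->title, 'node/' . (int) $row->nid) . '</p>';

  // A user-supplied URL in an href attribute goes through check_url(), which
  // strips dangerous protocols such as javascript: and then HTML-encodes.
  $output .= '<p><a href="' . check_url($row->website) . '">'
    . check_plain($row->website) . '</a></p>';

  // Limited rich text: filter_xss() keeps only the whitelisted tags and
  // removes scripts, event-handler attributes and bad protocols.
  $output .= '<div class="description">'
    . filter_xss($row->description, array('a', 'em', 'strong', 'p', 'br'))
    . '</div>';

  // Text stored with a text format is rendered through that format, so the
  // site's filter configuration decides what markup is allowed.
  if (!empty($row->body_format)) {
    $output .= check_markup($row->body, $row->body_format);
  }

  return $output;
}
```

The rule of thumb the block follows: escape at output time, once, with the function that matches the context (text node, attribute, URL, rich text), rather than "cleaning" input on the way into the database.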

Page 14: Hack Proof Your Drupal Site

Cross-site Request Forgery (CSRF)

A menu callback that deletes a node on a plain GET request, with no confirmation and no token:

  function pizza_menu() {
    $items['admin/pizza/%/delete'] = array(
      'title' => 'Pizza',
      'description' => 'Delete the pizza.',
      'page callback' => 'pizza_delete',
      'access arguments' => array('administer pizza'),
      'file' => 'pizza.admin.inc',
    );
    return $items;
  }

  function pizza_delete() {
    // Anything that makes a logged-in administrator's browser request
    // admin/pizza/<nid>/delete deletes that node: the permission check passes
    // because the victim's session cookie is sent automatically.
    $nid = arg(2);
    node_delete($nid);
    cache_clear_all();
    drupal_goto('admin/pizza');
  }

Page 15: Hack Proof Your Drupal Site

CSRF - Exploit

The attacker posts, anywhere a logged-in administrator will view it, markup that makes the browser fetch http://d7vulnerable.dev/admin/pizza/1/delete:

  <img src="http://d7vulnerable.dev/admin/pizza/1/delete">

The browser sends the admin's session cookie with that request and node 1 is deleted without the admin clicking anything.


Page 16: Hack Proof Your Drupal Site

CSRF - Protection

● Confirmation forms: perform the action through a form (confirm_form()), so it happens on a POST that carries the Form API token.

● Security tokens in the URL, validated server-side with drupal_valid_token():
  http://d7vulnerable.dev/admin/pizza/1/delete?token=blaski23ijuinfiknerja_eiriwe_rmewhfuihacnuhierwn

Use the Form API to avoid CSRF: https://www.drupal.org/node/178896

Protecting your Drupal module against CSRF: https://docs.acquia.com/articles/protecting-your-drupal-module-against-cross-site-request-forgeries

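Both protections applied to the delete callback from the CSRF slides. This is an added example, not code from the slides or the exploitedpizza repository; the module name "pizza", the 'administer pizza' permission and the path names are assumptions carried over from the slides.

```php
<?php
// Added example (not from the slides): two safe replacements for a GET-based
// admin/pizza/%/delete callback in a hypothetical "pizza" module.

function pizza_menu() {
  // Option 1: a confirmation form. The Form API adds a per-session token to
  // every form, so the deletion only happens on a POST that carries it.
  $items['admin/pizza/%node/delete'] = array(
    'title' => 'Delete pizza',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('pizza_delete_confirm_form', 2),
    'access arguments' => array('administer pizza'),
    'file' => 'pizza.admin.inc',
  );
  // Option 2: a one-click link protected by a token bound to the user's
  // session and to this node; a forged <img src> cannot know the token.
  $items['admin/pizza/%node/quick-delete'] = array(
    'title' => 'Delete pizza',
    'page callback' => 'pizza_quick_delete',
    'page arguments' => array(2),
    'access callback' => 'pizza_quick_delete_access',
    'access arguments' => array(2),
    'type' => MENU_CALLBACK,
    'file' => 'pizza.admin.inc',
  );
  return $items;
}

function pizza_delete_confirm_form($form, &$form_state, $node) {
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  return confirm_form($form,
    t('Are you sure you want to delete %title?', array('%title' => $node->title)),
    'admin/pizza',
    t('This action cannot be undone.'),
    t('Delete'),
    t('Cancel'));
}

function pizza_delete_confirm_form_submit($form, &$form_state) {
  node_delete($form_state['values']['nid']);
  drupal_set_message(t('The pizza has been deleted.'));
  // Redirect through the Form API rather than drupal_goto() in a submit handler.
  $form_state['redirect'] = 'admin/pizza';
}

// The token value ties the token to one specific node.
function pizza_quick_delete_token_value($node) {
  return 'pizza-delete-' . $node->nid;
}

// Access callback: permission AND a valid token for this node and session.
function pizza_quick_delete_access($node) {
  return user_access('administer pizza')
    && isset($_GET['token'])
    && drupal_valid_token($_GET['token'], pizza_quick_delete_token_value($node));
}

function pizza_quick_delete($node) {
  node_delete($node->nid);
  drupal_goto('admin/pizza');
}

// The admin listing generates the link with its token attached.
function pizza_quick_delete_link($node) {
  return l(t('Delete'), 'admin/pizza/' . $node->nid . '/quick-delete', array(
    'query' => array('token' => drupal_get_token(pizza_quick_delete_token_value($node))),
  ));
}
```

drupal_get_token() derives the token from the session ID and the site's private key, so a token harvested from one administrator's page is useless in another session; the confirmation form is still the preferable shape for anything destructive, because it also removes the accidental-click case.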

Page 17: Hack Proof Your Drupal Site

Node Access bypass

Node access bypass is commonly found in project applications (contributed modules under review) that query the {node} table directly and so expose nodes the current user is not allowed to view. The fix is to add the 'node_access' tag to the query (db_select(...)->addTag('node_access')) and to check individual nodes with the Node Access API (node_access()).

Node access bypass fix in a sample module: http://cgit.drupalcode.org/webform_references/commit/?id=e006970


Page 18: Hack Proof Your Drupal Site

Node Access bypass - Exploit


Page 19: Hack Proof Your Drupal Site

Node Access bypass - Protection

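The bypass and its protection side by side, for the node access slides above. This is an added example, not code from the slides, the exploitedpizza repository or the webform_references fix they link to; the "pizza" content type and paths are assumptions.

```php
<?php
// Added example (not from the slides): a hypothetical pizza listing and view
// callback, with the node access bypass beside its fix.

// BYPASS: a raw query on {node}. Every pizza is listed to anyone who can reach
// the page, regardless of node grants set by access-control modules.
function pizza_list_unsafe() {
  return db_query("SELECT nid, title FROM {node} WHERE type = 'pizza'")
    ->fetchAllKeyed();
}

// FIX: build the query with db_select() and add the 'node_access' tag. Core
// alters tagged queries (node_query_node_access_alter) to join {node_access}
// and apply the current user's grants, so restricted rows never leave SQL.
// The tag applies grants; it does not hide unpublished nodes by itself, so
// the status condition is still needed.
function pizza_list_safe() {
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.type', 'pizza')
    ->condition('n.status', NODE_PUBLISHED)
    ->addTag('node_access')
    ->execute()
    ->fetchAllKeyed();
}

// For a single node, ask the Node Access API explicitly instead of assuming
// that knowing a nid implies permission to see it.
function pizza_view_page($nid) {
  $node = node_load($nid);
  if (!$node || !node_access('view', $node)) {
    return MENU_ACCESS_DENIED;
  }
  return node_view($node);
}

// Or let the menu system do it: %node loads the node, and node_access() with
// ('view', <loaded node>) is the access callback.
function pizza_menu() {
  $items['pizza/%node'] = array(
    'title' => 'Pizza',
    'page callback' => 'node_view',
    'page arguments' => array(1),
    'access callback' => 'node_access',
    'access arguments' => array('view', 1),
  );
  return $items;
}
```

When reviewing a module, grep for db_query() against {node} and for db_select('node') without addTag('node_access'); each hit is a candidate for exactly this bypass.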

Page 20: Hack Proof Your Drupal Site

Menu Access bypass

Menu access bypass is rare in Drupal, but it does turn up when reviewing project applications: a hook_menu() item with a missing or wrong 'access callback'/'access arguments', or a form element that is never guarded with #access. It is handled with permissions on the menu item and by checking #access on form elements. Discussion: https://www.drupal.org/node/2344569#comment-9528911

Menu access bypass fix in a sample module: http://cgit.drupalcode.org/path_alias_picker/commit/?id=b795df0

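The pattern reviewers look for, and its fix, as an added example that is not code from the slides, the exploitedpizza repository or the path_alias_picker fix linked above. The "pizza" module, its paths, permission and settings variable are assumptions.

```php
<?php
// Added example (not from the slides): the menu access bypass pattern beside
// its fix, plus the matching #access check on a form element.

function pizza_menu() {
  // BYPASS: 'access callback' => TRUE makes an administrative page reachable
  // by anonymous users. Leaving both access keys out is risky too: the item
  // then inherits its parent's access, which must be checked as well.
  $items['admin/pizza/settings-unsafe'] = array(
    'title' => 'Pizza settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('pizza_settings_form'),
    'access callback' => TRUE,
  );

  // FIX: every administrative path names a permission. With only
  // 'access arguments' given, user_access() is the access callback.
  $items['admin/pizza/settings'] = array(
    'title' => 'Pizza settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('pizza_settings_form'),
    'access arguments' => array('administer pizza'),
  );
  return $items;
}

// Declare the permission; 'restrict access' marks it as having security
// implications in the permissions UI so site owners grant it with care.
function pizza_permission() {
  return array(
    'administer pizza' => array(
      'title' => t('Administer pizzas'),
      'restrict access' => TRUE,
    ),
  );
}

// Inside a form, elements are guarded with #access. Drupal does not render an
// element whose #access is FALSE and ignores submitted input for it, so the
// check holds on submit as well as on display.
function pizza_settings_form($form, &$form_state) {
  $form['pizza_price'] = array(
    '#type' => 'textfield',
    '#title' => t('Price'),
    '#default_value' => variable_get('pizza_price', '10'),
  );
  $form['pizza_order_logging'] = array(
    '#type' => 'checkbox',
    '#title' => t('Log every order (site administrators only)'),
    '#default_value' => variable_get('pizza_order_logging', 0),
    '#access' => user_access('administer site configuration'),
  );
  return system_settings_form($form);
}
```

The quick audit for a module is to list every entry in hook_menu() and confirm each has an access callback or access arguments that match the sensitivity of the path; 'access callback' => TRUE is only right for genuinely public pages.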

Page 21: Hack Proof Your Drupal Site

Correct Usage of drupal_goto

● drupal_goto() redirects the user to another page with a 30x response. In form submit handlers set $form_state['redirect'] instead of calling drupal_goto(): drupal_goto() ends the request immediately, skipping the remaining form processing.

● drupal_goto() called with a user-controlled path (for example a URL taken from a query parameter without checking that it is internal) is an open redirect: the site sends its users to an attacker-chosen external address.


Page 22: Hack Proof Your Drupal Site

drupal_goto - Exploit


Page 23: Hack Proof Your Drupal Site

drupal_goto - Prevention

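The open redirect and its prevention for the drupal_goto slides. This is an added example, not code from the slides or the exploitedpizza repository; the "return" query parameter, the paths and the settings variable are assumptions, and the leading-slash check is an extra defensive measure added here, not a core rule.

```php
<?php
// Added example (not from the slides): a hypothetical "return to" redirect in
// a pizza module, vulnerable and fixed.

// OPEN REDIRECT: drupal_goto() hands $path to url(), and url() builds an
// absolute link for an external path. A link to
// /pizza/back?return=http://evil.example sends the user off-site from behind
// a trusted domain.
function pizza_return_unsafe() {
  drupal_goto(isset($_GET['return']) ? $_GET['return'] : 'admin/pizza');
}

// FIX: accept only internal paths, fall back to a known page otherwise.
function pizza_safe_redirect_target($candidate, $fallback = 'admin/pizza') {
  if (!is_string($candidate) || $candidate === '') {
    return $fallback;
  }
  // url_is_external() catches anything carrying a scheme (http:, https:, ...).
  if (url_is_external($candidate)) {
    return $fallback;
  }
  // Added defensive check: reject a leading slash or backslash as well, so
  // protocol-relative forms such as //evil.example never reach url().
  if ($candidate[0] === '/' || $candidate[0] === '\\') {
    return $fallback;
  }
  return $candidate;
}

function pizza_return_safe() {
  $target = isset($_GET['return']) ? $_GET['return'] : '';
  drupal_goto(pizza_safe_redirect_target($target));
}

// Core already offers this shape: drupal_get_destination() builds the
// ?destination= query, and drupal_goto() honours a destination only when it
// is not external, so prefer it over a home-grown parameter.
function pizza_delete_link($nid) {
  return l(t('Delete'), 'admin/pizza/' . (int) $nid . '/delete',
    array('query' => drupal_get_destination()));
}

// In a form submit handler do not call drupal_goto(): it exits before the
// remaining submit handlers run. Set $form_state['redirect'] instead and the
// Form API performs the redirect after submission completes.
function pizza_settings_form_submit($form, &$form_state) {
  variable_set('pizza_price', $form_state['values']['pizza_price']);
  $target = isset($_GET['return']) ? $_GET['return'] : '';
  $form_state['redirect'] = pizza_safe_redirect_target($target);
}
```

The validation lives in one function so both the page callback and the submit handler apply the same rule; the fallback path is the page the user would have expected anyway, so a rejected value degrades gracefully instead of erroring.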

Page 24: Hack Proof Your Drupal Site

Recovery Strategies

● Restore from backup
● Update your code
● Change your passwords
● Audit your code


Page 25: Hack Proof Your Drupal Site

Useful Security Modules

● Security Review: checks your site for misconfigurations. https://drupal.org/project/security_review

● Paranoia: no PHP eval() from the web interface (removes the PHP filter and blocks PHP evaluation from the UI). https://drupal.org/project/paranoia

● Seckit: Content Security Policy, Origin checks against CSRF, and other browser-side hardening headers. https://drupal.org/project/seckit

● Many More….


Page 27: Hack Proof Your Drupal Site

https://github.com/naveenvalecha/exploitedpizza

THANK YOU! Questions?
