Drupal security
•Download as PPT, PDF•
2 likes•4,222 views
The document discusses Drupal's approach to maintaining site security and addressing common web vulnerabilities. It explains how Drupal prevents issues like cross-site scripting, SQL injection, file execution, insecure direct object references, cross-site request forgery, information leakage, broken authentication, insecure data storage, unencrypted communications, and unauthorized URL access through features like input filtering, access control validation, encryption, and its database abstraction layer. It also provides tips for writing secure Drupal code.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Drupal security
Similar to Drupal security (20)
Recently uploaded
Recently uploaded (20)
Drupal security
- 1. Drupal Security Drupal’s solutions, and how to maintain site security - Bakiyanathan R www.techday7.com
- 2. 9 out of 10 websites have serious vulnerabilities WhiteHat Security www.techday7.com
- 3. The Top 10 Web Security Issues* ...and how Drupal addresses them www.techday7.com
- 4. Cross-Site Scripting www.techday7.com
- 5. How Drupal prevents... • Drupal has a system of input filters that remove potential XSS exploits from user input. • The Form API verifies that a user loaded a form before submitting it. This verification makes effective XSS against Drupal sites considerably more difficult. www.techday7.com
- 6. Injection Flaws Username: SELECT uid FROM users Administrator” OR uid=1 OR “1”=“1 WHERE Password name=“Administrator” OR uid=1 •••••••••••• OR “1”=“1” AND password=“kjsdkjds” Login www.techday7.com
- 7. How Drupal prevents... • Drupal provides a database API with built-in SQL injection attack prevention. • Drupal provides a set of functions to process URLs and SQL arguments, making security an easy choice for developers. www.techday7.com
- 8. Malicious File Execution • Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. • Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users • Ex : http://mydomain.com/show.php?page=../ install.php
- 9. How Drupal prevents... • PHP has a configurable base directory for inclusions. Using this option limits possible attacks to only the Drupal directories. • Drupal modules generally offer no entry point except through Drupal’s secure URL/menu handler. So, while users may be able to load arbitrary PHP files, the “attacks” will have no effect. • Prevention of “insecure direct object reference” attacks also helps here. www.techday7.com
- 10. Insecure Direct Object Reference A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Ex : http://mydomain.com?page=/etc/group •It will show the Groups details of the Server. www.techday7.com
- 11. How Drupal prevents... • Drupal’s menu and form APIs encourage validating and sanitizing data submitted from users. • When object references are passed through the Form API, Drupal core protects the values from tampering by site users. • Drupal and PHP provide file and session APIs that allow convenient and secure object reference passing. www.techday7.com
- 12. Cross-Site Request Forgery • CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. • CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data. www.techday7.com
- 13. How Drupal prevents... • Drupal filters out scripting variations of this attack, leaving only simpler ones. • The simpler CSRF attacks fail when attacking Drupal because the Form API isolates state changing operations behind POST requests. • The Form API also requires loading forms prior to submission, making CSRF attacks much harder. www.techday7.com
- 14. Information Leakage Ex: Cannot connect to database. (mysql://rootuser:password@localhost:/db)
- 15. How Drupal prevents... • Administrators can configure Drupal to privately log errors, intercepting them before they ever reach users. • Drupal never displays password information when experiencing database connection issues. • Drupal ships with a .htaccess file preventing many forms of snooping. www.techday7.com
- 16. Broken Authentication • Account credentials and session tokens are often not properly protected. • Authentication and session management includes all aspects of handling user authentication and managing active sessions. www.techday7.com
- 17. How Drupal prevents... • Authentication cookies are not modifiable by site users. • User sessions (and related cookies) are completely destroyed and recreated on login and logout. • User name, ID, and password are only managed on the server side, not in the user’s cookie. Passwords are never emailed. • Session cookies are named uniquely for each Drupal installation www.techday7.com
- 18. Insecure Cryptographic Storage • Web applications rarely use cryptographic functions properly to protect data and credentials. • Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud. www.techday7.com
- 19. How Drupal prevents... • Passwords are stored using a one-way hash. • Drupal provides a randomly generated private key for every installation www.techday7.com
- 20. Insecure Communications • Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. www.techday7.com
- 21. How Drupal prevents... • As a PHP-based system, Drupal can use Apache’s widely-trusted SSL support. • If only part of the site is behind SSL, administrators can install modules to make certain URLs available only through a secure connection. Ex: $conf['https'] = TRUE need to be in settings.php www.techday7.com
- 22. Failure to Restrict URL Access • Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. • Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.” • Ex: http://mydomain.com/user/10/delete www.techday7.com
- 23. How Drupal prevents... • Drupal uses an integrated URL/access control system. • Every URL in the system must have access control configured. www.techday7.com
- 24. Unvalidated input • When users submit information to sites, their input must be checked for validity using Drupal Form API. Form Api User Input Validated Form Processor Rejected Input Is User have access Is user input ok? to submit form?
- 25. Writing secure code Use check functions on output to prevent cross site scripting attacks No piece of user-submitted content should ever be placed as-is into HTML. Use check plain or theme('placeholder') for plain text. Use check markup or filter_xss for markup containing text. Use the t() function with @ or % placeholders to construct safe, translatable strings. Ex: drupal_set_message(t("Your favorite color is $color!")); // No input checking! drupal_set_message('Your favorite color is ' . check_plain($color)); drupal_set_message(t('Your favorite color is @color', array('@color' => $color)));
- 26. Use the database abstraction layer to avoid SQL injection attacks For example, never concatenate data directly into SQL queries, like this: <?php db_query('SELECT foo FROM {table} t WHERE t.name = '. $_GET['user']); ? > <?php db_query("SELECT foo FROM {table} t WHERE t.name = '%s' ", $_GET['user']); ?> Use db_rewrite_sql to respect node access restrictions. <?php $result = db_query(db_rewrite_sql("SELECT n.nid, n.title FROM {node} n")); ?> www.techday7.com
- 27. www.techday7.com
Editor's Notes
- rfgtgyhygghyhtg