The document discusses Drupal's approach to maintaining site security and addressing common web vulnerabilities. It explains how Drupal prevents issues like cross-site scripting, SQL injection, file execution, insecure direct object references, cross-site request forgery, information leakage, broken authentication, insecure data storage, unencrypted communications, and unauthorized URL access through features like input filtering, access control validation, encryption, and its database abstraction layer. It also provides tips for writing secure Drupal code.
5. How Drupal prevents...
• Drupal has a system of input filters that
remove potential XSS exploits from user input.
• The Form API verifies that a user loaded a
form before submitting it. This verification
makes effective XSS against Drupal sites
considerably more difficult.
www.techday7.com
6. Injection Flaws
Username:
SELECT uid FROM users
Administrator” OR uid=1 OR “1”=“1 WHERE
Password name=“Administrator”
OR uid=1
•••••••••••• OR “1”=“1”
AND password=“kjsdkjds”
Login
www.techday7.com
7. How Drupal prevents...
• Drupal provides a database API with built-in
SQL injection attack prevention.
• Drupal provides a set of functions to process
URLs and SQL arguments, making security an
easy choice for developers.
www.techday7.com
8. Malicious File Execution
• Code vulnerable to remote file inclusion (RFI)
allows attackers to include hostile code and
data, resulting in devastating attacks, such as
total server compromise.
• Malicious file execution attacks affect PHP,
XML and any framework which accepts
filenames or files from users
• Ex : http://mydomain.com/show.php?page=../
install.php
9. How Drupal prevents...
• PHP has a configurable base directory for
inclusions. Using this option limits possible
attacks to only the Drupal directories.
• Drupal modules generally offer no entry point
except through Drupal’s secure URL/menu
handler. So, while users may be able to load
arbitrary PHP files, the “attacks” will have no
effect.
• Prevention of “insecure direct object
reference” attacks also helps here.
www.techday7.com
10. Insecure Direct Object Reference
A direct object reference occurs when a
developer exposes a reference to an
internal implementation object, such as a
file, directory, database record, or
key, as a URL or form parameter.
Ex : http://mydomain.com?page=/etc/group
•It will show the Groups details of the Server.
www.techday7.com
11. How Drupal prevents...
• Drupal’s menu and form APIs encourage
validating and sanitizing data submitted from
users.
• When object references are passed through
the Form API, Drupal core protects the values
from tampering by site users.
• Drupal and PHP provide file and session APIs
that allow convenient and secure object
reference passing.
www.techday7.com
12. Cross-Site Request Forgery
• CSRF is an attack which forces an end user to
execute unwanted actions on a web
application in which he/she is currently
authenticated.
• CSRF attacks generally target functions that
cause a state change on the server but can
also be used to access sensitive data.
www.techday7.com
13. How Drupal prevents...
• Drupal filters out scripting variations of this
attack, leaving only simpler ones.
• The simpler CSRF attacks fail when attacking
Drupal because the Form API isolates state
changing operations behind POST requests.
• The Form API also requires loading forms prior
to submission, making CSRF attacks much
harder.
www.techday7.com
15. How Drupal prevents...
• Administrators can configure Drupal to
privately log errors, intercepting them before
they ever reach users.
• Drupal never displays password information
when experiencing database connection
issues.
• Drupal ships with a .htaccess file preventing
many forms of snooping.
www.techday7.com
16. Broken Authentication
• Account credentials and session tokens are
often not properly protected.
• Authentication and session management
includes all aspects of handling user
authentication and managing active sessions.
www.techday7.com
17. How Drupal prevents...
• Authentication cookies are not modifiable by
site users.
• User sessions (and related cookies) are
completely destroyed and recreated on login
and logout.
• User name, ID, and password are only
managed on the server side, not in the user’s
cookie. Passwords are never emailed.
• Session cookies are named uniquely for each
Drupal installation
www.techday7.com
18. Insecure Cryptographic Storage
• Web applications rarely use cryptographic
functions properly to protect data and
credentials.
• Attackers use weakly protected data to
conduct identity theft and other crimes, such
as credit card fraud.
www.techday7.com
19. How Drupal prevents...
• Passwords are stored using a one-way hash.
• Drupal provides a randomly generated private
key for every installation
www.techday7.com
20. Insecure Communications
• Applications frequently fail to encrypt
network traffic when it is necessary to protect
sensitive communications.
www.techday7.com
21. How Drupal prevents...
• As a PHP-based system, Drupal can use
Apache’s widely-trusted SSL support.
• If only part of the site is behind SSL,
administrators can install modules to make
certain URLs available only through a secure
connection.
Ex: $conf['https'] = TRUE need to be in settings.php
www.techday7.com
22. Failure to Restrict URL Access
• Frequently, an application only protects
sensitive functionality by preventing the
display of links or URLs to unauthorized users.
• Attackers can use this weakness to access and
perform unauthorized operations by accessing
those URLs directly.”
• Ex: http://mydomain.com/user/10/delete
www.techday7.com
23. How Drupal prevents...
• Drupal uses an integrated URL/access control
system.
• Every URL in the system must have access
control configured.
www.techday7.com
24. Unvalidated input
• When users submit information to sites, their
input must be checked for validity using Drupal
Form API.
Form Api
User Input
Validated Form
Processor
Rejected Input
Is User have access
Is user input ok? to submit form?
25. Writing secure code
Use check functions on output to prevent cross site scripting attacks
No piece of user-submitted content should ever be placed as-is into HTML.
Use check plain or theme('placeholder') for plain text.
Use check markup or filter_xss for markup containing text.
Use the t() function with @ or % placeholders to construct safe, translatable
strings.
Ex:
drupal_set_message(t("Your favorite color is $color!")); // No input checking!
drupal_set_message('Your favorite color is ' . check_plain($color));
drupal_set_message(t('Your favorite color is @color', array('@color' => $color)));
26. Use the database abstraction layer to avoid SQL injection attacks
For example, never concatenate data directly into SQL queries, like this:
<?php db_query('SELECT foo FROM {table} t WHERE t.name = '. $_GET['user']); ?
>
<?php db_query("SELECT foo FROM {table} t WHERE t.name = '%s' ",
$_GET['user']); ?>
Use db_rewrite_sql to respect node access restrictions.
<?php
$result = db_query(db_rewrite_sql("SELECT n.nid, n.title FROM {node} n"));
?>
www.techday7.com