Basic security presentation for the Jacksonville, FL Drupal user group on how Drupal deals with the OWASP top 10 security risks of 2013.
I'll be expanding this to include additional details and examples in the next version.
5. @Mediacurrent
Drupal Security
Drupal is very secure out of the box as long as it’s configured
with a little care. We can attribute a lot of this to the efforts
put forth by the community. That includes every contributor
who has developed code for Drupal or user who has taken the
time to report an issue.
Let’s look at some common security problems found in many
web applications and how Drupal handles them.
7. @Mediacurrent
OWASP
The OWASP Top 10 - 2013 is as follows:
● A1 Injection
● A2 Broken Authentication and Session Management
● A3 Cross-Site Scripting (XSS)
● A4 Insecure Direct Object References
● A5 Security Misconfiguration
● A6 Sensitive Data Exposure
● A7 Missing Function Level Access Control
● A8 Cross-Site Request Forgery (CSRF)
● A9 Using Components with Known Vulnerabilities
● A10 Unvalidated Redirects and Forwards
8. @Mediacurrent
Injection
Injection attacks occur when an attacker can insert data into a
web application that can be interpreted or executed for
malicious intent.
SQL injection is probably the most commonly discussed type of
attack, but inserting code, such as within a comment form, or
uploading a file containing code that an attacker could later
execute, such as a custom PHP script, also applies.
9. @Mediacurrent
Injection
File Injection
Drupal’s file management system controls what types of files
can be uploaded by filtering the extensions and also limits
where files are stored.
SQL Injection
Drupal's database API sanitizes queries and D7 was designed
to make it harder for developers to write insecure queries.
Always use the API and use placeholders!
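An added example (not from the slides) of what "use the API and use placeholders" means in Drupal 7 custom code; the `example_` function names are assumed:

```php
<?php
// Vulnerable: the user-supplied value is pasted into the SQL string, so a
// quote in $name changes the shape of the query.
function example_users_by_name_unsafe($name) {
  $sql = "SELECT uid, name FROM {users} WHERE name = '" . $name . "'";
  return db_query($sql)->fetchAllKeyed();
}

// Fixed: a named placeholder is bound by the database layer, so the value is
// always treated as data. {users} lets Drupal apply the table prefix.
function example_users_by_name($name) {
  $sql = 'SELECT uid, name FROM {users} WHERE name = :name';
  return db_query($sql, array(':name' => $name))->fetchAllKeyed();
}

// An array placeholder expands into IN (...) with one bound value per element.
function example_users_by_uids(array $uids) {
  $sql = 'SELECT uid, name FROM {users} WHERE uid IN (:uids)';
  return db_query($sql, array(':uids' => $uids))->fetchAllKeyed();
}

// The query builder binds every condition value for you; prefer it when the
// conditions are assembled dynamically.
function example_active_users_by_name($name) {
  $query = db_select('users', 'u')
    ->fields('u', array('uid', 'name'))
    ->condition('u.name', $name)
    ->condition('u.status', 1);
  return $query->execute()->fetchAllKeyed();
}

// Placeholders cannot bind table or column names; whitelist those explicitly
// instead of passing user input to orderBy().
function example_users_sorted($sort_column) {
  $allowed = array('uid', 'name', 'created');
  if (!in_array($sort_column, $allowed, TRUE)) {
    $sort_column = 'uid';
  }
  return db_select('users', 'u')
    ->fields('u', array('uid', 'name'))
    ->orderBy('u.' . $sort_column)
    ->execute()
    ->fetchAllKeyed();
}
```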
10. @Mediacurrent
Broken Auth
Broken Authentication and Session Management
Examples include:
● Storing passwords as plain text or in a known insecure
hashing algorithm, such as md5.
● Storing passwords that do not adhere to a policy such as
enforced alpha+numeric+punctuation.
● Poor session invalidation such as infinite session cookies
that could linger on an insecure system.
11. @Mediacurrent
Broken Auth
Broken Authentication and Session Management
● Drupal salts user passwords in addition to hashing them
2^15 times as a default.
● Drupal will create a salt string but it is also configurable
and may be included from a file for added security.
● Existing sessions are destroyed on login/logout limiting
the ability for an attacker to hijack a stale session.
● Several contrib modules enhance user security.
12. @Mediacurrent
XSS
Cross-site Scripting (XSS)
XSS attacks occur when an attacker injects malicious code into
an otherwise harmless web application. These are very
common vulnerabilities and occur when a web application
doesn't properly sanitize user input.
They can range from the rather simplistic to the very complex.
<body onload=alert('Alert!')>
Studies show that more than 60% of sites have an XSS
vulnerability.
13. @Mediacurrent
XSS
Cross-site Scripting (XSS)
Drupal has several API functions for filtering user submitted
data to prevent XSS attacks.
Be sure you know and understand the proper use of these
functions when writing custom code.
check_url (URLs)
check_plain (plain text)
check_markup (rich text)
filter_xss (html)
And don’t forget about t() and l().
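An added example (not from the slides) showing each of the listed Drupal 7 functions applied to visitor-supplied values in a custom module; the function name and the `$text_format` machine name are assumptions:

```php
<?php
// Renders values a site visitor may have typed. $text_format is assumed to be
// a configured text format machine name such as 'filtered_html'.
function example_render_untrusted($title, $query, $url, $body, $text_format) {
  $out = array();

  // Vulnerable: raw concatenation passes <script> and onload= straight through.
  // $out[] = '<h2>' . $title . '</h2>';

  // check_plain(): for plain text, escapes &, <, >, " and '.
  $out[] = '<h2>' . check_plain($title) . '</h2>';

  // t(): an @ placeholder is run through check_plain(); a % placeholder is
  // escaped and wrapped in <em>; ! inserts verbatim, so never use ! for input.
  $out[] = '<p>' . t('Results for @query', array('@query' => $query)) . '</p>';

  // l(): the link text is escaped unless 'html' => TRUE is passed, and the
  // path goes through url(), which encodes it.
  $out[] = l($title, 'search/node/' . $query);

  // filter_xss(): keeps only the listed tags and strips dangerous attributes,
  // for HTML you want to allow but do not fully trust.
  $out[] = filter_xss($body, array('a', 'em', 'strong', 'p'));

  // check_markup(): runs the text format's filters (for example Filtered HTML),
  // the right choice for rich text the user is allowed to enter.
  $out[] = check_markup($body, $text_format);

  // check_url(): for a URL placed in an href, strips dangerous protocols such
  // as javascript: and escapes the result for HTML.
  $out[] = '<a href="' . check_url($url) . '">' . check_plain($url) . '</a>';

  return implode("\n", $out);
}
```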
14. @Mediacurrent
Object References
Insecure Direct Object References
If the application does not verify that a user should be able to
access an object this is an insecure direct object reference
flaw.
Drupal Views are a good example of where this can occur. If
you forget to include a “published” filter the view could
display unpublished listings to a user role not normally able
to see them.
15. @Mediacurrent
Object References
Insecure Direct Object References
● Drupal’s Form API sanitizes user input and validates
submissions.
● The Menu system handles permission checks for system
paths and .htaccess has rules to keep prying eyes away
from module and theme files.
● Functions such as node_access() and user_access() are
available when writing custom code.
● Numerous contrib modules exist that enhance core
security.
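An added example (not from the slides) of enforcing object access in Drupal 7 custom code: a menu entry whose access callback combines user_access() and node_access(), and a listing query that carries the "published" filter the Views slide says is easy to forget. The `exreport_` prefix, the permission name and the `report` content type are assumptions.

```php
<?php
// Implements hook_permission(): declares the permission the menu entry checks.
function exreport_permission() {
  return array(
    'view example reports' => array('title' => t('View example reports')),
  );
}

// Implements hook_menu(): %node loads the node from the URL, and the access
// callback runs before the page callback, so a guessed nid is refused.
function exreport_menu() {
  $items['example/report/%node'] = array(
    'title' => 'Report',
    'page callback' => 'exreport_page',
    'page arguments' => array(2),
    'access callback' => 'exreport_access',
    'access arguments' => array(2),
  );
  return $items;
}

// Both the role permission and the per-node access check must pass.
function exreport_access($node) {
  return user_access('view example reports') && node_access('view', $node);
}

function exreport_page($node) {
  return array('#markup' => '<h2>' . check_plain($node->title) . '</h2>');
}

// Custom listing: the node_access tag applies the same grants the node module
// uses, and the status condition is the "published" filter; without it, users
// who hold "bypass node access" would see unpublished reports too.
function exreport_list() {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.type', 'report')
    ->condition('n.status', 1)
    ->addTag('node_access');
  return $query->execute()->fetchAllKeyed();
}
```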
17. @Mediacurrent
Misconfiguration
Security Misconfiguration
Drupal 7 out of the box is very secure but you must be
diligent about reviewing permissions when new modules are
added.
Several contrib modules are available to help with permission
audits and to prevent accidental changes or privilege
escalation.
Security Review module, Secure Permissions module
18. @Mediacurrent
Data Leakage
Sensitive Data Exposure
A common place for attackers to retrieve information is from
site backups. If the data isn’t stored using encryption, or if the
encryption algorithm is weak or otherwise ineffective, data
leakage is possible.
19. @Mediacurrent
Data Leakage
Sensitive Data Exposure
● Passwords are salted and hashed.
● A site-specific key is randomly generated during site install
and can be used for reversible encryption.
● Contrib solutions offer a number of encryption frameworks
for storing sensitive data.
20. @Mediacurrent
Access Control
Missing Function Level Access Control
Access to functions and features is granted programmatically,
with access enforcement mechanisms in place rather than relying
on hiding links or buttons.
21. @Mediacurrent
Access Control
Missing Function Level Access Control
Drupal has an extensive permissions based access control
system in place that checks for user authorization before an
action can be taken.
22. @Mediacurrent
CSRF
Cross-site Request Forgery (CSRF, XSRF)
With this type of exploit the attacker tricks the victim into
triggering an action via their browser.
<img src="http://example.com/user/logout" />
23. @Mediacurrent
CSRF
Cross-site Request Forgery (CSRF)
As with XSS, Drupal has built-in CSRF protection:
● Drupal’s Form API uses POST submissions.
● The Form API uses tokens which are validated with
submissions.
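An added example (not from the slides) of applying the same token idea outside the Form API: a Drupal 7 link that performs an action, which is exactly what the `<img src="...">` trick on the previous slide can fire. The `exflag_` prefix and the permission name are assumptions, and a hook_permission() declaring 'flag example nodes' is assumed to exist.

```php
<?php
// Implements hook_menu(): the access callback runs before the page callback.
function exflag_menu() {
  $items['example/flag/%node'] = array(
    'title' => 'Flag',
    'page callback' => 'exflag_node',
    'page arguments' => array(2),
    'access callback' => 'exflag_access',
    'access arguments' => array(2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// The token value is bound to the action and the node, so a token issued for
// one node cannot be replayed against another. drupal_get_token() also mixes
// in the session ID and the site hash salt, so it is useless from another
// browser, which is what defeats a forged cross-site request.
function exflag_token_value($node) {
  return 'example-flag-' . $node->nid;
}

// Renders the action link with the token in the query string.
function exflag_link($node) {
  return l(t('Flag this'), 'example/flag/' . $node->nid, array(
    'query' => array('token' => drupal_get_token(exflag_token_value($node))),
  ));
}

// A request without a valid token (for example one triggered by an <img> tag
// on another site) gets a 403 before the action runs.
function exflag_access($node) {
  if (!user_access('flag example nodes') || !node_access('view', $node)) {
    return FALSE;
  }
  return isset($_GET['token'])
    && drupal_valid_token($_GET['token'], exflag_token_value($node));
}

function exflag_node($node) {
  variable_set('example_flagged_' . $node->nid, TRUE);
  drupal_set_message(t('%title was flagged.', array('%title' => $node->title)));
  drupal_goto('node/' . $node->nid);
}
```

Forms built with the Form API get the same protection automatically through the form_token element, so this pattern is only needed for GET links and custom callbacks.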
24. @Mediacurrent
Contrib Dangers
Using Components With Known Vulnerabilities
Using libraries or contrib modules with known security
vulnerabilities is a quick way to become a spam infested site.
25. @Mediacurrent
Contrib Dangers
Using Components With Known Vulnerabilities
There are many ways to stay up to date on Drupal core and
contrib modules.
● Use the Update Status module and configure it to notify
you when new releases are available.
● Join the security mailing list to receive weekly updates on
recently discovered security concerns related to Drupal.
● Join mailing lists for any 3rd party library you use such as
WYSIWYG editors.
27. @Mediacurrent
Redirects
Unvalidated Redirects and Forwards
● Drupal’s internal page redirects cannot be used to bypass
the menu and user access systems.
● Use the proper API functions such as drupal_goto and the
Form API #redirect in your custom code.
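An added example (not from the slides) of keeping a user-supplied redirect target on-site before handing it to drupal_goto() or the Form API redirect in Drupal 7; the `exredir_` prefix and the "return" parameter name are assumptions:

```php
<?php
// Returns an on-site path for a redirect target taken from user input.
function exredir_safe_target($target) {
  // url_is_external() is TRUE when a scheme such as http: is present. A
  // protocol-relative //host value has no scheme, so it is rejected separately.
  if (!is_string($target) || $target === '' || url_is_external($target)
      || strpos($target, '//') === 0) {
    return '<front>';
  }
  return $target;
}

// Page callback: the validated target is split into path, query and fragment
// the same way drupal_goto() itself splits a ?destination= value (drupal_goto()
// already ignores an external ?destination= for the same reason).
function exredir_return_page() {
  $target = exredir_safe_target(isset($_GET['return']) ? $_GET['return'] : '');
  $parts = drupal_parse_url($target);
  drupal_goto($parts['path'], array(
    'query' => $parts['query'],
    'fragment' => $parts['fragment'],
  ));
}

// Form submit handler: the Form API redirect takes the same validated value,
// so a tampered hidden "return" field cannot send the user off-site.
function exredir_form_submit($form, &$form_state) {
  $form_state['redirect'] = exredir_safe_target($form_state['values']['return']);
}
```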
30. @Mediacurrent
Stay Informed
Getting Help
IRC - #drupal
Twitter - @drupalsecurity
Security Forums - https://drupal.org/forum/1188
Do you think your site was hacked? https://drupal.org/node/213320
Weekly Announcements - https://drupal.org/node/406142
Visit https://drupal.org/security for further information.