SlideShare une entreprise Scribd logo

Is Drupal Secure?

David Timothy Strauss
David Timothy Strauss

Presented at DrupalCamp Stockholm 2009 (2009-05-29)

1  sur  43
Télécharger pour lire hors ligne
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal’s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss
Thinking Securely “Security is a process, not an event.” Security is cooperative: It’s everyone’s responsibility. Security involves the whole software stack, not just Drupal (or any other application). Finding problems is a good thing.
The Top 10 Web Security Issues* ...and how Drupal addresses them *According to The Open Web Application Security Project, 2007
LEM P ROB Unvalidated input When users submit information to sites, their input must be checked for validity. Note: This issue made the top 10 in 2004 but not 2007.
How Drupal prevents... Unvalidated input User Input Drupal Validated User Input Form User Rejected, Invalid Input Form API Processor Validation: Is the Validation: Is the user authorized to user’s input OK? submit this form?
LEM P ROB #10 Failure to Restrict URL Access “Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.”
#10 Failure to Restrict URL Access Enter a similar URL on User 2 a site that isn’t yours: Profile http://example.com/user/10/delete Save Delete 3 What See where “delete” happens? 1 normally links.
How Drupal prevents... #10 Failure to Restrict URL Access ‣ Drupal uses an integrated URL/access control system. Every URL in the system must have access control configured, even if that access is “allow everyone.” ‣ Drupal’s menu system associates link display with access, so direct URL entry rarely works if a link is not already visible.
LEM P ROB #9 Insecure Communications “Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.”
#9 Insecure Communications http://example.com/user Username Administrator Insecure Password •••••••••••• Login
How Drupal prevents... #9 Insecure Communications ‣ As a PHP-based system, Drupal can use Apache’s widely-trusted SSL support. ‣ If only part of the site is behind SSL, administrators can install modules to make certain URLs available only through a secure connection. Login, ecommerce, and administration page URLs often have this sort of security configured.
LEM P ROB #8 Insecure Cryptographic Storage “Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.”
#8 Insecure Cryptographic Storage Encrypted or hashed? User table Username Password Administrator unguessable Database Editor 1234 David drupal
How Drupal prevents... #8 Insecure Cryptographic Storage ‣ Passwords are stored using a one-way hash. Even if someone downloads the site database, recovering usable passwords is difficult. ‣ Drupal provides a randomly generated private key for every installation. Modules can use this key to use reversible encryption for sensitive data like credit-card numbers. ‣ Commerce modules for Drupal minimize any retention of sensitive data, even in encrypted form.
LEM P ROB #7 Broken Authentication “Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users’ identities.”
#7 Broken Authentication Site Cookie Name Value Can users SESS_1234 username=editor change their administrator TRUE own access to the site? password unguessable Are authentication cookies broadcasting secrets to the world?
How Drupal prevents... #7 Broken Authentication ‣ Authentication cookies are not modifiable by site users. This prevents users from masquerading as more powerful users. ‣ User sessions (and related cookies) are completely destroyed and recreated on login and logout. ‣ User name, ID, and password are only managed on the server side, not in the user’s cookie. Passwords are never emailed. ‣ Session cookies are named uniquely for each Drupal installation and strongly restricted by domain, limiting cross-site snooping.
LEM P ROB #6 Information Leakage “Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.”
#6 Information Leakage http://example.com/broken-site Error Cannot connect to database. (mysql://rootuser:unguessable@localhost:/content) Password shown to visitors.
How Drupal prevents... #6 Information Leakage ‣ Administrators can configure Drupal (and even PHP) to privately log errors, intercepting them before they ever reach users. ‣ Drupal (unlike some PHP applications) never displays password information when experiencing database connection issues. ‣ Drupal ships with a .htaccess (Apache web server configuration) file preventing many forms of snooping. ‣ It is not possible to read original user passwords.
LEM P ROB #5 Cross-Site Request Forgery “A CSRF attack forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim’s browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.”
#5 Cross-Site Request Forgery Log into http://example.com/node/10 1 bank site. My forum post Visit a web 2 forum. This is a really interesting forum post. ? 3 An “image” on the forum <img src=“http://yourbank.com/ makes a request transfer.php?account=1&to=34893”> on the bank site.
How Drupal prevents... #5 Cross-Site Request Forgery ‣ If a site allows users to load any content off external servers, the site can be used to originate attacks. This is configurable either way in Drupal. ‣ Drupal filters out scripting variations of this attack, leaving only simpler (GET-type) ones. ‣ The simpler CSRF attacks fail when attacking Drupal because the Form API isolates state- changing operations behind POST requests. ‣ The Form API also requires loading forms prior to submission, making CSRF attacks much harder.
LEM P ROB #4 Insecure Direct Object Reference “A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.”
#4 Insecure Direct Object Reference http://example.com/show.php?page=/etc/group Welcome to /group nobody:*:-2:nogroup:*:-1:wheel:*:0:rootdaemon:*:1:rootkmem:*: 2:rootsys:*:3:roottty:*:4:root System data shown to visitors.
How Drupal prevents... #4 Insecure Direct Object Reference ‣ Drupal’s menu and form APIs encourage validating and sanitizing data submitted from users. ‣ When object references are passed through the Form API, Drupal core protects the values from tampering by site users. ‣ Drupal and PHP provide file and session APIs that allow convenient and secure object reference passing.
LEM P ROB #3 Malicious File Execution “Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.”
#3 Malicious File Execution http://example.com/show.php?page=../reinstall-site.php Site content deleted User tries to run Ready to run the installer. Reinstall site > arbitrary files.
How Drupal prevents... #3 Malicious File Execution ‣ PHP has a configurable base directory for inclusions. Using this option limits possible attacks to only the Drupal directories. ‣ Drupal modules generally offer no entry point except through Drupal’s secure URL/menu handler. So, while users may be able to load arbitrary PHP files, the “attacks” will have no effect. ‣ Prevention of “insecure direct object reference” attacks also helps here.
LEM P ROB #2 Injection Flaws “Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.”
#2 Injection Flaws http://example.com/user 1 Carefully construct a “username” that Username Administrator” OR uid=1 OR “1”=“1 changes the SQL. Password •••••••••••• SELECT uid FROM users Login WHERE name=“Administrator” OR uid=1 See how it affects OR “1”=“1” 2 the actual query run. AND password=“kjsdkjds” 3 Use administrator privileges.
How Drupal prevents... #2 Injection Flaws ‣ Drupal provides a database API with built-in SQL injection attack prevention. Properly used, it is not possible to inject arbitrary SQL. ‣ Drupal 7’s new database API makes writing insecure database code even more difficult. ‣ Drupal provides a set of functions to process URLs and SQL arguments, making security an easy choice for developers.
LEM P ROB #1 Cross-Site Scripting “XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.”
#1 Cross-Site Scripting 1 Visit a web http://example.com/node/10 forum. My forum post 2 Embedded script performs This is a really interesting forum post. actions as you. <script> fetch_url(‘http://example.com/user/20/delete’) </script>
How Drupal prevents... #1 Cross-Site Scripting ‣ Drupal has a system of input filters that remove potential XSS exploits from user input. ‣ The Form API verifies that a user loaded a form before submitting it. This verification makes effective XSS against Drupal sites considerably more difficult.
Fixing + finding problems How the Drupal project finds, fixes, and notifies users about security problems
Who’s checking Drupal? ‣ Hundreds of contributors ‣ Thousands of users ‣ Security researchers ‣ There’s glory in finding problems ‣ Government and corporate certification organizations
Handling problem reports Security Problem Drupal Module/ Report Security Theme Team Author Patch + Update Public New Private Notifications Release
Thinking in terms of “tainted” data ‣ The #1 and #2 security flaws (injection and XSS) represent the vast majority of Drupal security issues in the past year. ‣ Both are the results of inadequately processing user-submitted data prior to use. ‣ “Tainting” is one way to model use of user-provided data. ‣ In 2008, Drupal received core-wide automated analysis of its handling of user-submitted “tainted” data. (Thanks Barry Jaspan.)
How data tainting works SQL Database XSS SQL escaping SQL User’s XSS Browser XSS removal User SQL XSS Database SQL SQL XSS XSS Database SQL Tainted Clean XSS User’s SQL SQL Secure Browser XSS XSS Insecure
Enterprise best practices Working with Drupal’s security team to keep your project secure
Enterprise best practices ‣ Subscribe to Drupal security notification lists. ‣ Have a testing environment ready to evaluate updates for deployment. (Drupal core updates typically come out on Wednesdays.) ‣ If you modify Drupal core, have a vendor branch management strategy for keeping your changes and still being able to upgrade. ‣ Have code reviews for your own work and all but the most popular contributed modules. ‣ If your team is new to Drupal, find a vendor to review your code, configuration, and choice of modules.
All content in this presentation, except where noted otherwise, is Creative Commons Attribution- ShareAlike 3.0 licensed and copyright 2009 Four Kitchen Studios, LLC.

Recommandé

Is Drupal secure?
Is Drupal secure?Is Drupal secure?
Is Drupal secure?Four Kitchens
 
Drupal security
Drupal securityDrupal security
Drupal securityTechday7
 
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANBEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANSamvel Gevorgyan
 
Web Hacking
Web HackingWeb Hacking
Web HackingInformation Technology
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011Samvel Gevorgyan
 
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)ClubHack
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 

Recommandé

Is Drupal secure?
Is Drupal secure?Is Drupal secure?
Is Drupal secure?Four Kitchens
 
Drupal security
Drupal securityDrupal security
Drupal securityTechday7
 
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANBEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANSamvel Gevorgyan
 
Web Hacking
Web HackingWeb Hacking
Web HackingInformation Technology
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011Samvel Gevorgyan
 
Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)Best practices of web app security (samvel gevorgyan)
Best practices of web app security (samvel gevorgyan)ClubHack
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into ClickjackingMarco Balduzzi
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Jeremiah Grossman
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Tom Eston
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedSiddharth Bhattacharya
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Html5 for Security Folks
Html5 for Security FolksHtml5 for Security Folks
Html5 for Security Folksn|u - The Open Security Community
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012Krishna T
 
Web Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotWeb Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotJeremiah Grossman
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityChris Hillman
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011Krishna T
 
Top security threats to Flash/Flex applications and how to avoid them
Top security threats to Flash/Flex applications and how to avoid themTop security threats to Flash/Flex applications and how to avoid them
Top security threats to Flash/Flex applications and how to avoid themElad Elrom
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Web browser privacy and security
Web browser privacy and security Web browser privacy and security
Web browser privacy and security amiable_indian
 
Security Function
Security FunctionSecurity Function
Security FunctionSamuel Soon
 
BeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation FrameworkBeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation Frameworkawiasecretary
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupChris Hales
 

Contenu connexe

Tendances

New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into ClickjackingMarco Balduzzi
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Jeremiah Grossman
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Tom Eston
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedSiddharth Bhattacharya
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012Krishna T
 
Web Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotWeb Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotJeremiah Grossman
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityChris Hillman
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011Krishna T
 
Top security threats to Flash/Flex applications and how to avoid them
Top security threats to Flash/Flex applications and how to avoid themTop security threats to Flash/Flex applications and how to avoid them
Top security threats to Flash/Flex applications and how to avoid themElad Elrom
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Web browser privacy and security
Web browser privacy and security Web browser privacy and security
Web browser privacy and security amiable_indian
 
Security Function
Security FunctionSecurity Function
Security FunctionSamuel Soon
 
BeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation FrameworkBeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation Frameworkawiasecretary
 

Tendances (20)

New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into Clickjacking
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques Used
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Html5 for Security Folks
Html5 for Security FolksHtml5 for Security Folks
Html5 for Security Folks
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012
 
Web Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotWeb Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security Forgot
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011
 
Top security threats to Flash/Flex applications and how to avoid them
Top security threats to Flash/Flex applications and how to avoid themTop security threats to Flash/Flex applications and how to avoid them
Top security threats to Flash/Flex applications and how to avoid them
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Web browser privacy and security
Web browser privacy and security Web browser privacy and security
Web browser privacy and security
 
Security Function
Security FunctionSecurity Function
Security Function
 
BeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation FrameworkBeEF: The Browser Exploitation Framework
BeEF: The Browser Exploitation Framework
 

Similaire à Is Drupal Secure?

OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupChris Hales
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Defensive programing 101
Defensive programing 101Defensive programing 101
Defensive programing 101Niall Merrigan
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awarenessJanagi Kannan
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhibhumika2108
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Sumanth Damarla
 
Developing Secure Web Apps
Developing Secure Web AppsDeveloping Secure Web Apps
Developing Secure Web AppsMark Garratt
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 

Similaire à Is Drupal Secure? (20)

OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January Meetup
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Joomla web application development vulnerabilities
Joomla web application development vulnerabilitiesJoomla web application development vulnerabilities
Joomla web application development vulnerabilities
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Defensive programing 101
Defensive programing 101Defensive programing 101
Defensive programing 101
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awareness
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
 
OWASP Top10 2010
OWASP Top10 2010OWASP Top10 2010
OWASP Top10 2010
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016
 
Developing Secure Web Apps
Developing Secure Web AppsDeveloping Secure Web Apps
Developing Secure Web Apps
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 

Plus de David Timothy Strauss

Container Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security SummitContainer Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security SummitDavid Timothy Strauss
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...David Timothy Strauss
 
Effective service and resource management with systemd
Effective service and resource management with systemdEffective service and resource management with systemd
Effective service and resource management with systemdDavid Timothy Strauss
 
PHP at Density and Scale (Lone Star PHP 2014)
PHP at Density and Scale (Lone Star PHP 2014)PHP at Density and Scale (Lone Star PHP 2014)
PHP at Density and Scale (Lone Star PHP 2014)David Timothy Strauss
 

Plus de David Timothy Strauss (14)

Advanced Drupal 8 Caching
Advanced Drupal 8 CachingAdvanced Drupal 8 Caching
Advanced Drupal 8 Caching
 
LCache DrupalCon Dublin 2016
LCache DrupalCon Dublin 2016LCache DrupalCon Dublin 2016
LCache DrupalCon Dublin 2016
 
Container Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security SummitContainer Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security Summit
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
 
Effective service and resource management with systemd
Effective service and resource management with systemdEffective service and resource management with systemd
Effective service and resource management with systemd
 
Containers > VMs
Containers > VMsContainers > VMs
Containers > VMs
 
PHP at Density and Scale (Lone Star PHP 2014)
PHP at Density and Scale (Lone Star PHP 2014)PHP at Density and Scale (Lone Star PHP 2014)
PHP at Density and Scale (Lone Star PHP 2014)
 
PHP at Density and Scale
PHP at Density and ScalePHP at Density and Scale
PHP at Density and Scale
 
PHP at Density and Scale
PHP at Density and ScalePHP at Density and Scale
PHP at Density and Scale
 
Valhalla at Pantheon
Valhalla at PantheonValhalla at Pantheon
Valhalla at Pantheon
 
Cassandra-Powered Distributed DNS
Cassandra-Powered Distributed DNSCassandra-Powered Distributed DNS
Cassandra-Powered Distributed DNS
 
Scalable Drupal Infrastructure
Scalable Drupal InfrastructureScalable Drupal Infrastructure
Scalable Drupal Infrastructure
 
Planning LAMP infrastructure
Planning LAMP infrastructurePlanning LAMP infrastructure
Planning LAMP infrastructure
 
Cassandra queuing
Cassandra queuingCassandra queuing
Cassandra queuing
 

Is Drupal Secure?

  • 1. Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal’s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss
  • 2. Thinking Securely “Security is a process, not an event.” Security is cooperative: It’s everyone’s responsibility. Security involves the whole software stack, not just Drupal (or any other application). Finding problems is a good thing.
  • 3. The Top 10 Web Security Issues* ...and how Drupal addresses them *According to The Open Web Application Security Project, 2007
  • 4. LEM P ROB Unvalidated input When users submit information to sites, their input must be checked for validity. Note: This issue made the top 10 in 2004 but not 2007.
  • 5. How Drupal prevents... Unvalidated input User Input Drupal Validated User Input Form User Rejected, Invalid Input Form API Processor Validation: Is the Validation: Is the user authorized to user’s input OK? submit this form?
  • 6. LEM P ROB #10 Failure to Restrict URL Access “Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.”
  • 7. #10 Failure to Restrict URL Access Enter a similar URL on User 2 a site that isn’t yours: Profile http://example.com/user/10/delete Save Delete 3 What See where “delete” happens? 1 normally links.
  • 8. How Drupal prevents... #10 Failure to Restrict URL Access ‣ Drupal uses an integrated URL/access control system. Every URL in the system must have access control configured, even if that access is “allow everyone.” ‣ Drupal’s menu system associates link display with access, so direct URL entry rarely works if a link is not already visible.
  • 9. LEM P ROB #9 Insecure Communications “Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.”
  • 10. #9 Insecure Communications http://example.com/user Username Administrator Insecure Password •••••••••••• Login
  • 11. How Drupal prevents... #9 Insecure Communications ‣ As a PHP-based system, Drupal can use Apache’s widely-trusted SSL support. ‣ If only part of the site is behind SSL, administrators can install modules to make certain URLs available only through a secure connection. Login, ecommerce, and administration page URLs often have this sort of security configured.
  • 12. LEM P ROB #8 Insecure Cryptographic Storage “Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.”
  • 13. #8 Insecure Cryptographic Storage Encrypted or hashed? User table Username Password Administrator unguessable Database Editor 1234 David drupal
  • 14. How Drupal prevents... #8 Insecure Cryptographic Storage ‣ Passwords are stored using a one-way hash. Even if someone downloads the site database, recovering usable passwords is difficult. ‣ Drupal provides a randomly generated private key for every installation. Modules can use this key to use reversible encryption for sensitive data like credit-card numbers. ‣ Commerce modules for Drupal minimize any retention of sensitive data, even in encrypted form.
  • 15. LEM P ROB #7 Broken Authentication “Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users’ identities.”
  • 16. #7 Broken Authentication Site Cookie Name Value Can users SESS_1234 username=editor change their administrator TRUE own access to the site? password unguessable Are authentication cookies broadcasting secrets to the world?
  • 17. How Drupal prevents... #7 Broken Authentication ‣ Authentication cookies are not modifiable by site users. This prevents users from masquerading as more powerful users. ‣ User sessions (and related cookies) are completely destroyed and recreated on login and logout. ‣ User name, ID, and password are only managed on the server side, not in the user’s cookie. Passwords are never emailed. ‣ Session cookies are named uniquely for each Drupal installation and strongly restricted by domain, limiting cross-site snooping.
  • 18. LEM P ROB #6 Information Leakage “Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.”
  • 19. #6 Information Leakage http://example.com/broken-site Error Cannot connect to database. (mysql://rootuser:unguessable@localhost:/content) Password shown to visitors.
  • 20. How Drupal prevents... #6 Information Leakage ‣ Administrators can configure Drupal (and even PHP) to privately log errors, intercepting them before they ever reach users. ‣ Drupal (unlike some PHP applications) never displays password information when experiencing database connection issues. ‣ Drupal ships with a .htaccess (Apache web server configuration) file preventing many forms of snooping. ‣ It is not possible to read original user passwords.
  • 21. LEM P ROB #5 Cross-Site Request Forgery “A CSRF attack forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim’s browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.”
  • 22. #5 Cross-Site Request Forgery Log into http://example.com/node/10 1 bank site. My forum post Visit a web 2 forum. This is a really interesting forum post. ? 3 An “image” on the forum <img src=“http://yourbank.com/ makes a request transfer.php?account=1&to=34893”> on the bank site.
  • 23. How Drupal prevents... #5 Cross-Site Request Forgery ‣ If a site allows users to load any content off external servers, the site can be used to originate attacks. This is configurable either way in Drupal. ‣ Drupal filters out scripting variations of this attack, leaving only simpler (GET-type) ones. ‣ The simpler CSRF attacks fail when attacking Drupal because the Form API isolates state- changing operations behind POST requests. ‣ The Form API also requires loading forms prior to submission, making CSRF attacks much harder.
  • 24. LEM P ROB #4 Insecure Direct Object Reference “A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.”
  • 25. #4 Insecure Direct Object Reference http://example.com/show.php?page=/etc/group Welcome to /group nobody:*:-2:nogroup:*:-1:wheel:*:0:rootdaemon:*:1:rootkmem:*: 2:rootsys:*:3:roottty:*:4:root System data shown to visitors.
  • 26. How Drupal prevents... #4 Insecure Direct Object Reference ‣ Drupal’s menu and form APIs encourage validating and sanitizing data submitted from users. ‣ When object references are passed through the Form API, Drupal core protects the values from tampering by site users. ‣ Drupal and PHP provide file and session APIs that allow convenient and secure object reference passing.
  • 27. LEM P ROB #3 Malicious File Execution “Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.”
  • 28. #3 Malicious File Execution http://example.com/show.php?page=../reinstall-site.php Site content deleted User tries to run Ready to run the installer. Reinstall site > arbitrary files.
  • 29. How Drupal prevents... #3 Malicious File Execution ‣ PHP has a configurable base directory for inclusions. Using this option limits possible attacks to only the Drupal directories. ‣ Drupal modules generally offer no entry point except through Drupal’s secure URL/menu handler. So, while users may be able to load arbitrary PHP files, the “attacks” will have no effect. ‣ Prevention of “insecure direct object reference” attacks also helps here.
  • 30. LEM P ROB #2 Injection Flaws “Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.”
  • 31. #2 Injection Flaws http://example.com/user 1 Carefully construct a “username” that Username Administrator” OR uid=1 OR “1”=“1 changes the SQL. Password •••••••••••• SELECT uid FROM users Login WHERE name=“Administrator” OR uid=1 See how it affects OR “1”=“1” 2 the actual query run. AND password=“kjsdkjds” 3 Use administrator privileges.
  • 32. How Drupal prevents... #2 Injection Flaws ‣ Drupal provides a database API with built-in SQL injection attack prevention. Properly used, it is not possible to inject arbitrary SQL. ‣ Drupal 7’s new database API makes writing insecure database code even more difficult. ‣ Drupal provides a set of functions to process URLs and SQL arguments, making security an easy choice for developers.
  • 33. LEM P ROB #1 Cross-Site Scripting “XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.”
  • 34. #1 Cross-Site Scripting 1 Visit a web http://example.com/node/10 forum. My forum post 2 Embedded script performs This is a really interesting forum post. actions as you. <script> fetch_url(‘http://example.com/user/20/delete’) </script>
  • 35. How Drupal prevents... #1 Cross-Site Scripting ‣ Drupal has a system of input filters that remove potential XSS exploits from user input. ‣ The Form API verifies that a user loaded a form before submitting it. This verification makes effective XSS against Drupal sites considerably more difficult.
  • 36. Fixing + finding problems How the Drupal project finds, fixes, and notifies users about security problems
  • 37. Who’s checking Drupal? ‣ Hundreds of contributors ‣ Thousands of users ‣ Security researchers ‣ There’s glory in finding problems ‣ Government and corporate certification organizations
  • 38. Handling problem reports Security Problem Drupal Module/ Report Security Theme Team Author Patch + Update Public New Private Notifications Release
  • 39. Thinking in terms of “tainted” data ‣ The #1 and #2 security flaws (injection and XSS) represent the vast majority of Drupal security issues in the past year. ‣ Both are the results of inadequately processing user-submitted data prior to use. ‣ “Tainting” is one way to model use of user-provided data. ‣ In 2008, Drupal received core-wide automated analysis of its handling of user-submitted “tainted” data. (Thanks Barry Jaspan.)
  • 40. How data tainting works SQL Database XSS SQL escaping SQL User’s XSS Browser XSS removal User SQL XSS Database SQL SQL XSS XSS Database SQL Tainted Clean XSS User’s SQL SQL Secure Browser XSS XSS Insecure
  • 41. Enterprise best practices Working with Drupal’s security team to keep your project secure
  • 42. Enterprise best practices ‣ Subscribe to Drupal security notification lists. ‣ Have a testing environment ready to evaluate updates for deployment. (Drupal core updates typically come out on Wednesdays.) ‣ If you modify Drupal core, have a vendor branch management strategy for keeping your changes and still being able to upgrade. ‣ Have code reviews for your own work and all but the most popular contributed modules. ‣ If your team is new to Drupal, find a vendor to review your code, configuration, and choice of modules.
  • 43. All content in this presentation, except where noted otherwise, is Creative Commons Attribution- ShareAlike 3.0 licensed and copyright 2009 Four Kitchen Studios, LLC.