SlideShare une entreprise Scribd logo

Drupal security - Subhranshu Sekhar

Drupal Camp Delhi
Drupal Camp Delhi
Technologie
1  sur  21
Télécharger pour lire hors ligne
Hack Your Drupal Application - Think like a Hacker to Prevent Hacking Subhransu Sekhar Drupal Camp Delhi 2013
Why Security? Cyber Security should be one of the major concerns of any web application. This session is all about securing your Drupal Portal as per OWASP Top Ten 2013 In the session I will describe about case studies in Drupal Sites and How to Prevent it. Drupal Camp Delhi 2013
OWASP Top Ten 2013 A1-Injection A2-Broken Authentication and Session Management A3-Cross-Site Scripting (XSS) A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards Drupal Camp Delhi 2013
A1-Injection Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Drupal Camp Delhi 2013
A1-Injection (Example) You shouldn't use data that you don't trust (as a feed, a user input, another database, etc) directly in a database query without escape it: index.php?prod_id=32 mysql_query("UPDATE product_table SET value = '". $value ."' WHERE id = ". $_GET['prod_id']); Instead you should use Drupal functions passing the user input as parameters: db_query("UPDATE {product_table } SET value = :value WHERE id = :id", array( ':value' => $value, ':id' => $prod_id); If you need to include dynamic table or column names in your query, you can use db_escape_table(). Drupal Camp Delhi 2013
A2-Broken Authentication and Session Management Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities. Drupal Camp Delhi 2013
A3-Cross-Site Scripting (XSS) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Drupal Camp Delhi 2013
A3-Cross-Site Scripting (XSS) Demo Drupal Camp Delhi 2013
A4-Insecure Direct Object References A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. Drupal Camp Delhi 2013
A4-Insecure Direct Object References Demo Drupal Camp Delhi 2013
A5-Security Misconfiguration Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date. Drupal Camp Delhi 2013
A6-Sensitive Data Exposure Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. Drupal Camp Delhi 2013
A6-Sensitive Data Exposure Demo Drupal Camp Delhi 2013
A7-Missing Function Level Access Control Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization. Drupal Camp Delhi 2013
A7-Missing Function Level Access Control Demo Drupal Camp Delhi 2013
A8-Cross-Site Request Forgery (CSRF) A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to Perform an action as the victim. The underlying cause is application functionality Using predictable URL/form actions in a repeatable way. Drupal Camp Delhi 2013
A8-Cross-Site Request Forgery (CSRF) Demo Drupal Camp Delhi 2013
A9-Using Components with Known Vulnerabilities Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defences and enable a range of possible attacks and impacts. Drupal Camp Delhi 2013
A9-Using Components with Known Vulnerabilities Demo Drupal Camp Delhi 2013
A10-Unvalidated Redirects and Forwards Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages. Drupal Camp Delhi 2013
A10-Unvalidated Redirects and Forwards Demo Drupal Camp Delhi 2013

Recommandé

Amplify user engagement with Game Mechanics - Vidhatanand
Amplify user engagement with Game Mechanics - VidhatanandAmplify user engagement with Game Mechanics - Vidhatanand
Amplify user engagement with Game Mechanics - VidhatanandDrupal Camp Delhi
 
Ueberseestadt
Ueberseestadt Ueberseestadt
Ueberseestadt comenius14
 
Sculptures
SculpturesSculptures
Sculpturescomenius14
 
River_Wuemme
River_WuemmeRiver_Wuemme
River_Wuemmecomenius14
 
Campusdiaries Showcase - Raj Chourasia
Campusdiaries Showcase - Raj ChourasiaCampusdiaries Showcase - Raj Chourasia
Campusdiaries Showcase - Raj ChourasiaDrupal Camp Delhi
 
Energie
EnergieEnergie
Energiecomenius14
 
Content Migration to Drupal 8
Content Migration to Drupal 8Content Migration to Drupal 8
Content Migration to Drupal 8Drupal Camp Delhi
 
Drupal Camp Delhi 2015
Drupal Camp Delhi 2015Drupal Camp Delhi 2015
Drupal Camp Delhi 2015Drupal Camp Delhi
 

Recommandé

Amplify user engagement with Game Mechanics - Vidhatanand
Amplify user engagement with Game Mechanics - VidhatanandAmplify user engagement with Game Mechanics - Vidhatanand
Amplify user engagement with Game Mechanics - VidhatanandDrupal Camp Delhi
 
Ueberseestadt
Ueberseestadt Ueberseestadt
Ueberseestadt comenius14
 
Sculptures
SculpturesSculptures
Sculpturescomenius14
 
River_Wuemme
River_WuemmeRiver_Wuemme
River_Wuemmecomenius14
 
Campusdiaries Showcase - Raj Chourasia
Campusdiaries Showcase - Raj ChourasiaCampusdiaries Showcase - Raj Chourasia
Campusdiaries Showcase - Raj ChourasiaDrupal Camp Delhi
 
Energie
EnergieEnergie
Energiecomenius14
 
Content Migration to Drupal 8
Content Migration to Drupal 8Content Migration to Drupal 8
Content Migration to Drupal 8Drupal Camp Delhi
 
Drupal Camp Delhi 2015
Drupal Camp Delhi 2015Drupal Camp Delhi 2015
Drupal Camp Delhi 2015Drupal Camp Delhi
 
Generics & Specifics of QA on Web - Sweta Shahi
Generics & Specifics of QA on Web - Sweta ShahiGenerics & Specifics of QA on Web - Sweta Shahi
Generics & Specifics of QA on Web - Sweta ShahiDrupal Camp Delhi
 
Memcache and Drupal - Vaibhav Jain
Memcache and Drupal - Vaibhav JainMemcache and Drupal - Vaibhav Jain
Memcache and Drupal - Vaibhav JainDrupal Camp Delhi
 
How NOT to build Drupal Sites - Sai Tanay
How NOT to build Drupal Sites - Sai TanayHow NOT to build Drupal Sites - Sai Tanay
How NOT to build Drupal Sites - Sai TanayDrupal Camp Delhi
 
Future proof your drupal skills - Piyuesh Kumar
Future proof your drupal skills - Piyuesh KumarFuture proof your drupal skills - Piyuesh Kumar
Future proof your drupal skills - Piyuesh KumarDrupal Camp Delhi
 
Basic Responsive Theming - Somedutta Ghosh
Basic Responsive Theming - Somedutta GhoshBasic Responsive Theming - Somedutta Ghosh
Basic Responsive Theming - Somedutta GhoshDrupal Camp Delhi
 
What is there in Drupal Community & their do's and don't's - Sivaji
What is there in Drupal Community & their do's and don't's - SivajiWhat is there in Drupal Community & their do's and don't's - Sivaji
What is there in Drupal Community & their do's and don't's - SivajiDrupal Camp Delhi
 
Drush to simplify Drupalers work - Sivaji
Drush to simplify Drupalers work - SivajiDrush to simplify Drupalers work - Sivaji
Drush to simplify Drupalers work - SivajiDrupal Camp Delhi
 
Multi lingual implementations – drupal design approaches for different scenar...
Multi lingual implementations – drupal design approaches for different scenar...Multi lingual implementations – drupal design approaches for different scenar...
Multi lingual implementations – drupal design approaches for different scenar...Drupal Camp Delhi
 
Integration of Drupal websites and Android applications - Girish Gupta
Integration of Drupal websites and Android applications - Girish GuptaIntegration of Drupal websites and Android applications - Girish Gupta
Integration of Drupal websites and Android applications - Girish GuptaDrupal Camp Delhi
 
Graphics Designing (Character, Posters, Advertisements, Brochure, Interface B...
Graphics Designing (Character, Posters, Advertisements, Brochure, Interface B...Graphics Designing (Character, Posters, Advertisements, Brochure, Interface B...
Graphics Designing (Character, Posters, Advertisements, Brochure, Interface B...Drupal Camp Delhi
 
Drupal Camp Delhi 2013 - Event Brochure
Drupal Camp Delhi 2013 - Event BrochureDrupal Camp Delhi 2013 - Event Brochure
Drupal Camp Delhi 2013 - Event BrochureDrupal Camp Delhi
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Contenu connexe

Plus de Drupal Camp Delhi

Generics & Specifics of QA on Web - Sweta Shahi
Generics & Specifics of QA on Web - Sweta ShahiGenerics & Specifics of QA on Web - Sweta Shahi
Generics & Specifics of QA on Web - Sweta ShahiDrupal Camp Delhi
 
Memcache and Drupal - Vaibhav Jain
Memcache and Drupal - Vaibhav JainMemcache and Drupal - Vaibhav Jain
Memcache and Drupal - Vaibhav JainDrupal Camp Delhi
 
How NOT to build Drupal Sites - Sai Tanay
How NOT to build Drupal Sites - Sai TanayHow NOT to build Drupal Sites - Sai Tanay
How NOT to build Drupal Sites - Sai TanayDrupal Camp Delhi
 
Future proof your drupal skills - Piyuesh Kumar
Future proof your drupal skills - Piyuesh KumarFuture proof your drupal skills - Piyuesh Kumar
Future proof your drupal skills - Piyuesh KumarDrupal Camp Delhi
 
Basic Responsive Theming - Somedutta Ghosh
Basic Responsive Theming - Somedutta GhoshBasic Responsive Theming - Somedutta Ghosh
Basic Responsive Theming - Somedutta GhoshDrupal Camp Delhi
 
What is there in Drupal Community & their do's and don't's - Sivaji
What is there in Drupal Community & their do's and don't's - SivajiWhat is there in Drupal Community & their do's and don't's - Sivaji
What is there in Drupal Community & their do's and don't's - SivajiDrupal Camp Delhi
 
Drush to simplify Drupalers work - Sivaji
Drush to simplify Drupalers work - SivajiDrush to simplify Drupalers work - Sivaji
Drush to simplify Drupalers work - SivajiDrupal Camp Delhi
 
Multi lingual implementations – drupal design approaches for different scenar...
Multi lingual implementations – drupal design approaches for different scenar...Multi lingual implementations – drupal design approaches for different scenar...
Multi lingual implementations – drupal design approaches for different scenar...Drupal Camp Delhi
 
Integration of Drupal websites and Android applications - Girish Gupta
Integration of Drupal websites and Android applications - Girish GuptaIntegration of Drupal websites and Android applications - Girish Gupta
Integration of Drupal websites and Android applications - Girish GuptaDrupal Camp Delhi
 
Graphics Designing (Character, Posters, Advertisements, Brochure, Interface B...
Graphics Designing (Character, Posters, Advertisements, Brochure, Interface B...Graphics Designing (Character, Posters, Advertisements, Brochure, Interface B...
Graphics Designing (Character, Posters, Advertisements, Brochure, Interface B...Drupal Camp Delhi
 
Drupal Camp Delhi 2013 - Event Brochure
Drupal Camp Delhi 2013 - Event BrochureDrupal Camp Delhi 2013 - Event Brochure
Drupal Camp Delhi 2013 - Event BrochureDrupal Camp Delhi
 

Plus de Drupal Camp Delhi (11)

Generics & Specifics of QA on Web - Sweta Shahi
Generics & Specifics of QA on Web - Sweta ShahiGenerics & Specifics of QA on Web - Sweta Shahi
Generics & Specifics of QA on Web - Sweta Shahi
 
Memcache and Drupal - Vaibhav Jain
Memcache and Drupal - Vaibhav JainMemcache and Drupal - Vaibhav Jain
Memcache and Drupal - Vaibhav Jain
 
How NOT to build Drupal Sites - Sai Tanay
How NOT to build Drupal Sites - Sai TanayHow NOT to build Drupal Sites - Sai Tanay
How NOT to build Drupal Sites - Sai Tanay
 
Future proof your drupal skills - Piyuesh Kumar
Future proof your drupal skills - Piyuesh KumarFuture proof your drupal skills - Piyuesh Kumar
Future proof your drupal skills - Piyuesh Kumar
 
Basic Responsive Theming - Somedutta Ghosh
Basic Responsive Theming - Somedutta GhoshBasic Responsive Theming - Somedutta Ghosh
Basic Responsive Theming - Somedutta Ghosh
 
What is there in Drupal Community & their do's and don't's - Sivaji
What is there in Drupal Community & their do's and don't's - SivajiWhat is there in Drupal Community & their do's and don't's - Sivaji
What is there in Drupal Community & their do's and don't's - Sivaji
 
Drush to simplify Drupalers work - Sivaji
Drush to simplify Drupalers work - SivajiDrush to simplify Drupalers work - Sivaji
Drush to simplify Drupalers work - Sivaji
 
Multi lingual implementations – drupal design approaches for different scenar...
Multi lingual implementations – drupal design approaches for different scenar...Multi lingual implementations – drupal design approaches for different scenar...
Multi lingual implementations – drupal design approaches for different scenar...
 
Integration of Drupal websites and Android applications - Girish Gupta
Integration of Drupal websites and Android applications - Girish GuptaIntegration of Drupal websites and Android applications - Girish Gupta
Integration of Drupal websites and Android applications - Girish Gupta
 
Graphics Designing (Character, Posters, Advertisements, Brochure, Interface B...
Graphics Designing (Character, Posters, Advertisements, Brochure, Interface B...Graphics Designing (Character, Posters, Advertisements, Brochure, Interface B...
Graphics Designing (Character, Posters, Advertisements, Brochure, Interface B...
 
Drupal Camp Delhi 2013 - Event Brochure
Drupal Camp Delhi 2013 - Event BrochureDrupal Camp Delhi 2013 - Event Brochure
Drupal Camp Delhi 2013 - Event Brochure
 

Dernier

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Dernier (20)

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Drupal security - Subhranshu Sekhar

  • 1. Hack Your Drupal Application - Think like a Hacker to Prevent Hacking Subhransu Sekhar Drupal Camp Delhi 2013
  • 2. Why Security? Cyber Security should be one of the major concerns of any web application. This session is all about securing your Drupal Portal as per OWASP Top Ten 2013 In the session I will describe about case studies in Drupal Sites and How to Prevent it. Drupal Camp Delhi 2013
  • 3. OWASP Top Ten 2013 A1-Injection A2-Broken Authentication and Session Management A3-Cross-Site Scripting (XSS) A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards Drupal Camp Delhi 2013
  • 4. A1-Injection Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Drupal Camp Delhi 2013
  • 5. A1-Injection (Example) You shouldn't use data that you don't trust (as a feed, a user input, another database, etc) directly in a database query without escape it: index.php?prod_id=32 mysql_query("UPDATE product_table SET value = '". $value ."' WHERE id = ". $_GET['prod_id']); Instead you should use Drupal functions passing the user input as parameters: db_query("UPDATE {product_table } SET value = :value WHERE id = :id", array( ':value' => $value, ':id' => $prod_id); If you need to include dynamic table or column names in your query, you can use db_escape_table(). Drupal Camp Delhi 2013
  • 6. A2-Broken Authentication and Session Management Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities. Drupal Camp Delhi 2013
  • 7. A3-Cross-Site Scripting (XSS) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Drupal Camp Delhi 2013
  • 9. A4-Insecure Direct Object References A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. Drupal Camp Delhi 2013
  • 10. A4-Insecure Direct Object References Demo Drupal Camp Delhi 2013
  • 11. A5-Security Misconfiguration Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date. Drupal Camp Delhi 2013
  • 12. A6-Sensitive Data Exposure Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. Drupal Camp Delhi 2013
  • 14. A7-Missing Function Level Access Control Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization. Drupal Camp Delhi 2013
  • 15. A7-Missing Function Level Access Control Demo Drupal Camp Delhi 2013
  • 16. A8-Cross-Site Request Forgery (CSRF) A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to Perform an action as the victim. The underlying cause is application functionality Using predictable URL/form actions in a repeatable way. Drupal Camp Delhi 2013
  • 17. A8-Cross-Site Request Forgery (CSRF) Demo Drupal Camp Delhi 2013
  • 18. A9-Using Components with Known Vulnerabilities Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defences and enable a range of possible attacks and impacts. Drupal Camp Delhi 2013
  • 19. A9-Using Components with Known Vulnerabilities Demo Drupal Camp Delhi 2013
  • 20. A10-Unvalidated Redirects and Forwards Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages. Drupal Camp Delhi 2013
  • 21. A10-Unvalidated Redirects and Forwards Demo Drupal Camp Delhi 2013