2. Who am I?
Tatar Balazs Janos
@tatarbj
Working with Drupal since 2007
CTO @ Petend
Drupal Security Correspondent @ European Commission
Provisional member @ Drupal Security Team
SecOSdreamer @ Secure Open Source days (SecOSdays)
Active mentor @ Mentoring community group
17. Client side vulnerability
Unfiltered output
Never trust any user input.
We’ve seen the demo before ;)
Cross Site Scripting
TatarBalazsJanos - @tatarbj
21. Everyone has a bingo card (check your bag!)
If you answer well, mark the number!
Wrong answer = no number!
First who shouts BINGO! wins the prize!
Rules and etiquette
39. Use Behat/automated tests.
<script>alert('XSS')</script>
<img src="a" onerror="alert('title')">
Check your filters and user roles.
Do not give too many options to untrusted users!
Protection against Cross Site Scripting
41. User can access/do something.
Menu items can be defined to be accessed/denied.
Many access systems: node, entity, field, views...
Access bypass
59. Visit node/nid and other URLs
Visit anything/%node
Use Behat/automated tests.
node_access, entity_access
Menu definitions
user_access for permissions
$query->addTag('node_access')
Protection against Access bypass
61. Unauthorized access to database resources.
Do not trust any user input.
SA-CORE-2014-005 – Highly critical D7 SA
SQL Injection
72. Always use the Drupal Database API!
db_query() with :placeholder (deprecated in D8, removed in D9)
Filter parameters
Check the queries in code.
username' AND 1=1
POST requests by curl
Protection against SQL Injection
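Added example for the access bypass and SQL injection slides above (not code from the talk). It uses the Drupal 7 API named on the slides and assumes a bootstrapped D7 site; the example_* function names are hypothetical and the input values are constructed.

```php
<?php
// Added example, not from the slides; assumes a bootstrapped Drupal 7 site.
// example_* names are hypothetical, input values are constructed samples.

// VULNERABLE: input concatenated into SQL. The slide's "username' AND 1=1"
// closes the quote and alters the query logic.
function example_lookup_uid_unsafe($name) {
  return db_query("SELECT uid FROM {users} WHERE name = '" . $name . "'")->fetchField();
}

// SAFE: named placeholder; the value is sent apart from the SQL text.
function example_lookup_uid_safe($name) {
  return db_query("SELECT uid FROM {users} WHERE name = :name",
    array(':name' => $name))->fetchField();
}

// Placeholders cover values, not identifiers. Whether the API escapes a table
// or field name depends on the argument, so whitelist caller-chosen names.
function example_list_users_sorted($sort_field) {
  $allowed = array('name', 'created', 'access');
  if (!in_array($sort_field, $allowed, TRUE)) {
    $sort_field = 'name';
  }
  return db_select('users', 'u')
    ->fields('u', array('uid', 'name'))
    ->orderBy('u.' . $sort_field)
    ->execute()
    ->fetchAllKeyed();
}

// ACCESS BYPASS: a hand-written listing ignores node grants unless tagged;
// the tag lets the node access system add its grant joins.
function example_list_published_titles() {
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', 1)
    ->addTag('node_access')
    ->execute()
    ->fetchAllKeyed();
}

// Direct node/%node access: check the grant on the loaded node instead of
// assuming the caller came through an access-checked menu item.
function example_node_title($nid) {
  $node = node_load($nid);
  if (!$node || !node_access('view', $node)) {
    return MENU_ACCESS_DENIED;  // page callbacks return this to send a 403
  }
  return check_plain($node->title);  // escape output, per the XSS slides
}
```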
74. <?php
function _generate_password($length = 8) {
  // Assumed from Drupal 7's user_password(); the slide omits these two lines.
  $allowable_characters = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
  $len = strlen($allowable_characters) - 1;
  $pass = '';
  for ($i = 0; $i < $length; $i++) {
    // Each iteration, pick a random character from the
    // allowable string and append it to the password:
    // (vulnerable version: mt_rand() is a seeded PRNG, not a CSPRNG)
    $pass .= $allowable_characters[mt_rand(0, $len)];
  }
  return $pass;
}
?>
76. <?php
function _generate_password($length = 8) {
  // Assumed from Drupal 7's user_password(); the slide omits these two lines.
  $allowable_characters = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
  $len = strlen($allowable_characters) - 1;
  $pass = '';
  for ($i = 0; $i < $length; $i++) {
    do {
      // Find a secure random number within the range needed.
      // Redraw instead of taking a modulo, which would bias the result
      // towards the first characters of the alphabet.
      $index = ord(drupal_random_bytes(1));
    } while ($index > $len);
    $pass .= $allowable_characters[$index];
  }
  return $pass;
}
?>
105. Many ways Drupal 8 is more secure! (source: https://events.drupal.org/sites/default/files/slides/pwolanin-2017-09-ways-drupal8-d.pdf)
Twig templates for HTML generation
Removed PHP format
Site configuration exportable, versionable
User content entry and filtering improvements
User session and session ID handling
Automated CSRF token protection
Trusted host patterns enforced for requests
Single statement execution for SQL
Clickjacking protection
Content security policy compatibility with Core Javascript API
107. Security advisories are for
Only stable modules
No alpha, beta, dev
d.org hosted projects
@Maintainers: If you are contacted, be supportive!
Drupal Security Team
Einstein said: “insanity is when you do the same thing over and over again and expect different results”
OWASP: Open Web Application Security Project
Reference for the XSS issue that was basically caused by a security misconfiguration.
Hide enabled blocks from selector that are used
Context update from this wednesday
Not because of having db_query deprecated, but: The $field param is used to derive various table and field names, but in each case the Database API automatically escapes these values. Note that the API does not do this for all arguments!
mt_rand() is not secure enough!
Insecure randomness by Mass Password Reset (SA-CONTRIB-2018-043) by Greg Knaddison