3. Who am I?
Tatar Balazs Janos
@tatarbj
Hungarian, lives in Brussels
Works with Drupal since 2007
Provisional Member of Drupal Security Team
IT Security Analyst, Drupal Security Correspondent @ EC... and a cat-gif addict
47. Protection against access bypass
Visit node/{nid} and other URLs directly, as an anonymous user and as a low-privilege user
Visit paths with loaded arguments, e.g. anything/%node
Use Behat or other automated tests to cover the access checks
Check node_access() / entity_access() calls
Check menu definitions (access callback, access arguments)
Check user_access() for permissions
Check that listing queries carry $query->addTag('node_access')
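The checklist above in code, as an added example that is not from the slides: a Drupal 7 module fragment with a vulnerable menu entry and listing query next to the hardened versions that use an access callback, user_access(), node_access() and the node_access query tag. The module name mymodule, the paths mymodule/report-unsafe/%node and mymodule/report/%node and the permission "view financial reports" are assumptions for illustration.

```php
<?php
// Added example (not from the slides): Drupal 7 module fragment showing the
// access-bypass pattern and its hardened form. Module name, paths and the
// permission name are assumptions for illustration.

/**
 * Implements hook_permission().
 */
function mymodule_permission() {
  return array(
    'view financial reports' => array(
      'title' => t('View financial reports'),
    ),
  );
}

/**
 * Implements hook_menu().
 */
function mymodule_menu() {
  $items = array();

  // VULNERABLE: anyone who guesses /mymodule/report-unsafe/123 gets the page;
  // nothing asks whether the current user may see node 123.
  $items['mymodule/report-unsafe/%node'] = array(
    'page callback' => 'mymodule_report_page',
    'page arguments' => array(2),
    'access callback' => TRUE,
  );

  // HARDENED: the router runs the access callback before the page callback,
  // and %node makes Drupal node_load() argument 2 (404 if it does not exist).
  $items['mymodule/report/%node'] = array(
    'page callback' => 'mymodule_report_page',
    'page arguments' => array(2),
    'access callback' => 'mymodule_report_access',
    'access arguments' => array(2),
  );
  return $items;
}

/**
 * Access callback: the permission AND per-node access, so node grants apply.
 */
function mymodule_report_access($node, $account = NULL) {
  if (!user_access('view financial reports', $account)) {
    return FALSE;
  }
  return node_access('view', $node, $account);
}

/**
 * Page callback: lists other published nodes of the same type.
 */
function mymodule_report_page($node) {
  // VULNERABLE listing (kept as a comment): returns every published node of
  // the type, including content protected by node grants.
  // $rows = db_query("SELECT nid, title FROM {node} WHERE type = :type AND status = 1",
  //   array(':type' => $node->type))->fetchAllKeyed();

  // HARDENED listing: the node_access tag lets hook_query_node_access_alter()
  // rewrite the query with the grants of the current user.
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.type', $node->type)
    ->condition('n.status', NODE_PUBLISHED)
    ->addTag('node_access');
  $rows = $query->execute()->fetchAllKeyed();

  $items = array();
  foreach ($rows as $nid => $title) {
    // l() runs check_plain() on the link text, so user-supplied titles are escaped.
    $items[] = l($title, 'node/' . $nid);
  }
  return theme('item_list', array('items' => $items));
}
```

Test both paths as an anonymous user and as a user without the permission, with a nid the user may not view: the hardened route must return 403 where the unsafe one renders the page. A Behat scenario that logs in as each role and asserts the status code is the automated form of the same check.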
53. <?php
// Parameterized query: :user_search is bound by the Database API, and db_like()
// escapes %, _ and \ in the user-supplied value so they lose their LIKE meaning.
$results = db_query("SELECT uid, name, mail FROM {users} WHERE name LIKE :user_search",
  array(':user_search' => '%' . db_like($user_search)));
?>
55. Protection against SQL injection
Always use the Drupal Database API!
db_query() with :placeholder parameters (the procedural db_query() is deprecated in Drupal 8 and removed in Drupal 9; use \Drupal::database()->query() there, with the same placeholders)
Filter parameters before they reach a query
Check the queries in code
Test with payloads such as username' AND 1=1
Send POST requests with curl, not only through the browser form
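The probe from the slide run against a concatenated query and against a parameterized one, as an added example that is not from the slides or from Drupal. It uses PDO with an in-memory SQLite database so it runs with plain php and no Drupal install; the users table and its three rows are constructed test data. Drupal's db_query() / Connection::query() bind :placeholders the same way PDO::prepare() does, and escape_like() below applies the same addcslashes() escaping as db_like().

```php
<?php
// Added example (not from the slides): boolean-based SQLi probe against an
// unsafe and a parameterized LIKE search. Table and rows are constructed data.

function build_db(): PDO {
  $pdo = new PDO('sqlite::memory:');
  $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
  $pdo->exec("CREATE TABLE users (uid INTEGER, name TEXT, mail TEXT)");
  $pdo->exec("INSERT INTO users VALUES (1, 'admin', 'admin@example.com'),
                                        (2, 'alice', 'alice@example.com'),
                                        (3, 'a_b%c', 'odd@example.com')");
  return $pdo;
}

// VULNERABLE: user input is spliced into the SQL text.
function search_unsafe(PDO $pdo, string $user_search): array {
  $sql = "SELECT uid, name, mail FROM users WHERE name LIKE '%$user_search'";
  return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Same escaping db_like() performs: backslash, % and _ lose their LIKE meaning.
function escape_like(string $s): string {
  return addcslashes($s, '\%_');
}

// HARDENED: the value travels as a bound parameter, never as SQL text.
// SQLite needs an explicit ESCAPE clause; MySQL (Drupal's default) treats
// backslash as the LIKE escape character already.
function search_safe(PDO $pdo, string $user_search): array {
  $stmt = $pdo->prepare(
    "SELECT uid, name, mail FROM users WHERE name LIKE :user_search ESCAPE '\\'");
  $stmt->execute([':user_search' => '%' . escape_like($user_search)]);
  return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = build_db();
$inputs = [
  "alice",                 // normal search
  "alice' AND 1=1 -- ",    // the slide's probe: same result as "alice" only if injectable
  "alice' AND 1=2 -- ",    // its pair: an empty result here confirms the injection
  "x' OR 1=1 -- ",         // tautology: dumps the whole table from the unsafe query
  "%",                     // LIKE wildcard: matches everything unless escaped
];
foreach ($inputs as $input) {
  printf("input %-22s unsafe: %d row(s)   safe: %d row(s)\n",
    var_export($input, true),
    count(search_unsafe($pdo, $input)),
    count(search_safe($pdo, $input)));
}
```

The 1=1 / 1=2 pair is the detection step the slide hints at: on the unsafe path the two probes return different row counts, which tells the tester that the quote broke out of the string literal; on the parameterized path both are searched as literal names and return nothing. The OR 1=1 payload then turns that finding into a dump of every uid, name and mail. Drive the same payloads through the site's form with curl -X POST rather than the browser, since client-side validation is not a control.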
57. Many ways Drupal 8 is more secure!*
Twig templates for HTML generation (autoescaping by default)
Removed PHP filter format
Site configuration exportable and versionable
User content entry and filtering improvements
User session and session ID handling
Automated CSRF token protection
Trusted host patterns enforced for requests
Single statement execution for SQL
Clickjacking protection
Content Security Policy compatibility with the core JavaScript API
* https://events.drupal.org/sites/default/files/slides/pwolanin-2017-09-ways-drupal8-d.pdf
59. Security advisories are issued for
Only stable releases of modules
No alpha, beta or dev releases
Only drupal.org-hosted modules
@Maintainers: if you are contacted by the team, be supportive!
Drupal Security Team
61. Security-related contribs
Hacked!
Security Review (try it on simplytest.me)
Password Policy
Encrypt
Drop Guard
Composer Security Checker
Permission Report
Text format reported
+ PHPCS with the Coder module's Drupal and DrupalPractice sniffs