2. Who am I?
Tatar Balazs Janos
@tatarbj
Works with Drupal since 2007
CTO @ Petend
Drupal Security Correspondent @ EC
Active mentor @ Mentoring community group
Provisional member @ Drupal Security Team
SecOSdreamer @ Secure Open Source day
17. Client side vulnerability
Unfiltered output
Never trust any user input.
We’ve seen the demo before ;)
Cross Site Scripting
Tatar Balazs Janos - @tatarbj
DrupalCamp Spain 2019
19. Html::escape() – plain text
Xss::filter() – html is allowed
Xss::filterAdmin() – text by admins
Tatar Balazs Janos - @tatarbj
DrupalCamp Spain 2019
31. Use behat/automated tests.
<script>alert('XSS')</script>
<img src="a" onerror="alert('title')">
Check your filters and user roles.
Do not give too many options to untrusted users!
Protection against Cross Site Scripting
Tatar Balazs Janos - @tatarbj
DrupalCamp Spain 2019
33. User can access/do something.
Menu items can be defined to be
accessed/denied.
Many access systems: node, entity, field, views...
Access bypass
Tatar Balazs Janos - @tatarbj
DrupalCamp Spain 2019
43. Unauthorized access to database resources.
Do not trust any user input.
SA-CORE-2014-005 – Highly critical D7 SA
SQL Injection
Tatar Balazs Janos - @tatarbj
DrupalCamp Spain 2019
49. Use always drupal Database API!
db_query with :placeholder (deprecated in D8,
in D9 will be removed)
Filter parameters
Check the queries in code.
username' AND 1=1
POST requests by curl
Protection against SQL Injection
Tatar Balazs Janos - @tatarbj
DrupalCamp Spain 2019
50. Test IV.
Ready for some other code?
Tatar Balazs Janos - @tatarbj
DrupalCamp Spain 2019
51. <?php
function _generate_password($length = 8) {
$pass = ’’;
for ($i = 0; $i < $length; $i++) {
// Each iteration, pick a random character from the
// allowable string and append it to the password:
$pass .= $allowable_characters[mt_rand(0, $len)];
}
}
?>
TatarBalazsJanos
@tatarbj
DrupalCamp Spain2019
52. <?php
function _generate_password($length = 8) {
$pass = ’’;
for ($i = 0; $i < $length; $i++) {
// Each iteration, pick a random character from the
// allowable string and append it to the password:
$pass .= $allowable_characters[mt_rand(0, $len)];
}
}
?>
TatarBalazsJanos
@tatarbj
DrupalCamp Spain2019
53. <?php
function _generate_password($length = 8) {
$pass = ’’;
for ($i = 0; $i < $length; $i++) {
do {
// Find a secure random number within the range needed.
$index = ord(drupal_random_bytes(1));
} while ($index > $len);
$pass .= $allowable_characters[$index];
}
}
?>
TatarBalazsJanos
@tatarbj
DrupalCamp Spain2019
54. // custom_module.permissions.yml
administer custom module:
title: 'Bypass access control'
description: 'Allows a user to bypass access control.’
// custom_module.routing.yml
custom_module.settings.form:
path: '/admin/config/custom/settings'
requirements:
_permission: 'administer custom module'
TatarBalazsJanos
@tatarbj
DrupalCamp Spain2019
55. // custom_module.permissions.yml
administer custom module:
title: 'Bypass access control'
description: 'Allows a user to bypass access control.’
// custom_module.routing.yml
custom_module.settings.form:
path: '/admin/config/custom/settings'
requirements:
_permission: 'administer custom module'
TatarBalazsJanos
@tatarbj
DrupalCamp Spain2019
56. // custom_module.permissions.yml
administer custom module:
title: 'Bypass access control'
description: 'Allows a user to bypass access control.’
restrict access: TRUE
// custom_module.routing.yml
custom_module.settings.form:
path: '/admin/config/custom/settings'
requirements:
_permission: 'administer custom module'
TatarBalazsJanos
@tatarbj
DrupalCamp Spain2019
61. *https://events.drupal.org/sites/default/files/slides/pwolanin-2017-09-ways-drupal8-d.pdf
Many ways Drupal 8 is more secure!*
Twig templates for HTML generation
Removed PHP format
Site configuration exportable, versionable
User content entry and filtering improvements
User session and sessio always n ID handling
Automated CSRF token protection
Trusted host patterns enforced for requests
Single statement execution for SQL
Clickjacking protection
Content security policy compatibility with Core Javascript API
Tatar Balazs Janos - @tatarbj
DrupalCamp Spain 2019
63. Security advisories are for
Only stable modules
No alpha, beta, dev
d.org hosted projects
@Maintainers: If you are contacted, be supportive!
Drupal Security Team
Tatar Balazs Janos - @tatarbj
DrupalCamp Spain 2019
Einstein said: “insanity is when you do the same thing over and over again and expect different results”
Owasp: open web application security project
Reference for the XSS issue that was basically caused by a security misconfiguration.
Hide enabled blocks from selector that are used
Context update from this wednesday
Hide enabled blocks from selector that are used
Context update from this wednesday
Hide enabled blocks from selector that are used
Context update from this wednesday
Not because of having db_query deprecated, but: The $field param is used to derive various table and field names, but in each case the Database API automatically escapes these values. Note that the API does not do this for all arguments!
Mt_rand is not secure enough!
Insecure randomness by Mass Password Reset (SA-CONTRIB-2018-043) by Greg Knaddison