Drupal Security
Various attacks and ways to protect site
Presented by Vasily Kraev
Drupal Camp Msk 2014
About me
and disclaimer :)
Sword and shield
- Everything is hackable
- Sometimes the "hack" simply costs the attacker more than it is worth
- Don't be paranoid, try to balance
The foundation
Process
- Gathering info about the target
- Attack
- Maybe: backdoor/rootkit
- PROFIT!!!!11
Gathering info
- Google dorks
- HTML source code
- README.txt / INSTALL.txt
- *.txt / css / js files shipped with modules (they reveal module names and versions)
- Tools: nmap, Havij, Metasploit Framework
Dorks
Drupal sites whose CHANGELOG.txt is readable and still predates 7.32 (the release that shipped the SA-CORE-2014-005 fix):
inurl:CHANGELOG.txt intext:drupal
intext:"SA-CORE" -intext:7.32
-site:github.com -site:drupal.org
An exposed settings.php with the database credentials in it:
$databases['default']['default'] = array( password
nmap example on a VestaCP host
Scanning blablabla.net (xxx.xxx.xxx.xxx) [1000 ports]
Discovered open port 587/tcp on xxx.xxx.xxx.xxx
...
Discovered open port 8443/tcp on xxx.xxx.xxx.xxx
Completed SYN Stealth Scan at 08:40, 1.56s elapsed (1000 total ports)
Initiating OS detection (try #1) against blablabla.net (xxx.xxx.xxx.xxx)
Retrying OS detection (try #2) against blablabla.net (xxx.xxx.xxx.xxx)
Nmap scan report for blablabla.net (xxx.xxx.xxx.xxx)
Host is up (0.058s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
465/tcp open smtps
587/tcp open submission
2525/tcp open ms-v-worlds
3306/tcp open mysql
8080/tcp open http-proxy
8083/tcp open us-srv
8443/tcp open https-alt
Device type: general purpose|WAP|storage-misc|broadband router|media device|phone
Running (JUST GUESSING): Linux 3.X|2.6.X|2.4.X (96%), Asus Linux (93%), HP embedded (91%), Linksys Linux 2.4.X (90%), ......
Attack
You must protect the whole server...
... and human resources too
- Drupal-specific
- DoS: RAM / HDD / DB
- DDoS
- Non-standard
Drupal bad practice
// XSS: nid and title are printed into HTML without escaping.
print "<a href='/node/" . $node->nid . "'>" . $node->title . "</a>";
// SQL injection: $status and $nid are concatenated straight into the query.
$result = db_query("UPDATE {node} SET status = " . $status . " WHERE nid = " . $nid);
// Hard-coded language key and raw field value: breaks on translated content and skips sanitizing.
$nomer = $node->field_nomer['und'][0]['value'];
much better
// l() runs check_plain() on the link text itself (unless 'html' => TRUE is passed),
// so the title must not be escaped a second time; 'node/NID' is the canonical path.
print l(t('Title:') . ' ' . $node->title, 'node/' . $node->nid);
// Query builder: values are bound as placeholders, never concatenated into SQL.
$result = db_update('node')
  ->fields(array('status' => 1))
  ->condition('nid', 123)
  ->execute();
Hey, I know the wrappers!
$wrapper = entity_metadata_wrapper('node', $node);
// Both calls return the stored, unsanitized string: printing them is still XSS.
$title = $wrapper->title->value();
$number = $wrapper->field_number->raw();
Use wrappers right!
$wrapper = entity_metadata_wrapper('node', $node);
// 'sanitize' => TRUE returns output that is check_plain()ed (or run through the text format) and ready for HTML.
$title = $wrapper->title->value(array('sanitize' => TRUE));
XSS Risk
- echo() print()
- theme()
- t() and l() without @ / % placeholders (or with the raw ! placeholder)
- var_dump() dpm()
- console.log()
- watchdog()
- drupal_set_title() drupal_set_message()
- $form_state values
- Templates (.tpl.php)
- Theme code
- Preprocess functions
- Validation messages
Remember!
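The sinks in the list above, shown together in one function as an added example (not code from the original deck): the node summary from the "bad practice" slides rebuilt so that every string reaching HTML is escaped exactly once. Drupal 7 APIs; the module name "mymodule" and the field name "field_number" are hypothetical.

```php
<?php
// Added example, not from the original deck. Drupal 7; "mymodule" and
// "field_number" are hypothetical names.

/**
 * Returns a render array summarising $node. Each sink below gets text that
 * has gone through exactly one sanitizer; the comments say which call
 * escapes and which one prints as-is.
 */
function mymodule_node_summary($node) {
  $wrapper = entity_metadata_wrapper('node', $node);

  // l() check_plain()s its link text (unless 'html' => TRUE), so pass the raw title.
  $link = l($node->title, 'node/' . $node->nid);

  // t(): @var is check_plain()ed, %var is escaped and wrapped in <em>,
  // !var is inserted verbatim. User data never goes into !var.
  $number = t('Number: @number', array(
    '@number' => $wrapper->field_number->value(),
  ));

  // drupal_set_title() escapes by default (CHECK_PLAIN). The string below is
  // already escaped by t(), so PASS_THROUGH avoids a double &amp;amp;.
  drupal_set_title(t('Summary of @title', array('@title' => $node->title)), PASS_THROUGH);

  // drupal_set_message() prints its argument unescaped: build it with t() placeholders.
  drupal_set_message(t('Showing summary for %title', array('%title' => $node->title)));

  // watchdog() stores the variables separately and escapes them when the log
  // is displayed; concatenating them into the message string would bypass that.
  watchdog('mymodule', 'Summary viewed for node @nid (%title)', array(
    '@nid' => $node->nid,
    '%title' => $node->title,
  ), WATCHDOG_INFO);

  // theme('item_list') prints its items as-is, so only already-safe strings go in.
  return array(
    '#theme' => 'item_list',
    '#items' => array($link, $number),
  );
}

/**
 * Reading the database the same way: bound placeholders instead of
 * concatenation. Returns nid => title for the newest published nodes of a type.
 */
function mymodule_recent_titles($type, $limit = 5) {
  return db_query_range(
    'SELECT nid, title FROM {node} WHERE type = :type AND status = :status ORDER BY created DESC',
    0, $limit,
    array(':type' => $type, ':status' => 1)
  )->fetchAllKeyed();
}
```

The render array is returned rather than printed so that the page callback, not the module, decides when HTML is emitted; everything in it is already safe to print.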
XSRF
- Inspect hook_permission()
- Get permission names
- Check access_callback in hook_menu()
- if (user_access('something')) checks
- Handlers that read $_GET / $_POST directly and never validate a token: XSRF is possible
- Inspect hook_menu() & AJAX callbacks
Access bypass
How to fix?
- user_access() for permissions
- node_access()
- entity_access()
- $query->addTag('node_access');
- Use FormAPI
- Send & validate tokens (drupal_get_token() / drupal_valid_token())
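The XSRF audit items and the access-bypass fixes above, applied together in one added example (not code from the original deck): a "toggle published" action link whose callback checks the permission, node-level access and a per-session token. Drupal 7; "mymodule", the permission name and the token seed string are hypothetical.

```php
<?php
// Added example, not from the original deck. Drupal 7; "mymodule" and the
// permission name are hypothetical.

/**
 * Implements hook_permission().
 */
function mymodule_permission() {
  return array(
    'toggle node status' => array(
      'title' => t('Publish or unpublish nodes with the quick link'),
    ),
  );
}

/**
 * Implements hook_menu().
 */
function mymodule_menu() {
  $items['node/%node/toggle-status'] = array(
    'title' => 'Toggle status',
    'page callback' => 'mymodule_toggle_status',
    'page arguments' => array(1),
    'access callback' => 'mymodule_toggle_status_access',
    'access arguments' => array(1),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback. The permission alone would let an editor flip any node,
 * so node_access() (grants, hook_node_access(), ownership) is consulted too.
 */
function mymodule_toggle_status_access($node) {
  return user_access('toggle node status') && node_access('update', $node);
}

/**
 * Builds the link. drupal_get_token() derives the token from the session and
 * the given value, so a URL copied to another user or site does not validate.
 */
function mymodule_toggle_status_link($node) {
  return l(t('Toggle status'), 'node/' . $node->nid . '/toggle-status', array(
    'query' => array('token' => drupal_get_token('toggle-status-' . $node->nid)),
  ));
}

/**
 * Page callback. Without the token check, <img src="/node/1/toggle-status">
 * on any page an editor visits would unpublish node 1 (XSRF).
 */
function mymodule_toggle_status($node) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'toggle-status-' . $node->nid)) {
    return MENU_ACCESS_DENIED;
  }
  // node_save() rather than a bare db_update(): fires hooks and clears caches.
  $node->status = $node->status ? NODE_NOT_PUBLISHED : NODE_PUBLISHED;
  node_save($node);

  drupal_set_message(t('%title is now @state.', array(
    '%title' => $node->title,
    '@state' => $node->status ? t('published') : t('unpublished'),
  )));
  drupal_goto('node/' . $node->nid);
}
```

A Form API form gets the same protection for free (the hidden form_token is validated on submit), and a POST is the better choice for anything that changes state; the pattern above is for the GET action links that so often get written without any check at all.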
Modules for security
- Secure login
- Password policy
- Paranoia
- Hacked!
- Permissions Lock
- Security Review
- Two Factor Authentication
Enhancing security
- disable & delete the PHP filter module
- use git
- use Coder Sniffer (the coder module) to enforce coding standards
- use XSS test content + Selenium
- use tests
- follow the Core & Contributed Project Security Advisories
DoS
RAM
A 1-colour PNG of 10000x10000 px is ~215 kB on disk;
decoding it to resize it into a 200x200 px thumbnail takes ~2 GB of RAM (the raw bitmap alone is 10000 x 10000 x 4 bytes = 400 MB)
HDD
ZipBomb
DB/cache
Every distinct query string is a new page-cache entry, so a loop over URLs like these fills the cache tables:
http://site.com/page?q=1
http://site.com/page?q=2
http://site.com/page?q=asd
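Upload validators for the RAM and HDD attacks above, as an added example (not code from the original deck): the image check reads only the header, so the 215 kB 10000x10000 PNG is refused before anything decodes it, and the zip check sums the declared uncompressed sizes before extraction. Drupal 7; the "mymodule_*" names, the field names and the limits are hypothetical.

```php
<?php
// Added example, not from the original deck. Drupal 7; "mymodule_*" names
// and the limits are hypothetical.

/**
 * Validator for #upload_validators / hook_file_validate(): caps the pixel
 * count. getimagesize() parses only the header (PNG IHDR, JPEG SOF), so the
 * oversized PNG is rejected without the ~400 MB decode. Core's
 * file_validate_image_resolution() scales oversized images, which means it
 * loads them first, so it does not stop this attack.
 */
function mymodule_validate_image_pixels($file, $max_pixels = 16000000) {
  $errors = array();
  $info = @getimagesize($file->uri);
  if ($info === FALSE) {
    $errors[] = t('The file is not a valid image.');
    return $errors;
  }
  list($width, $height) = $info;
  if ($width * $height > $max_pixels) {
    $errors[] = t('The image is @w x @h pixels; at most @max pixels are allowed.', array(
      '@w' => $width, '@h' => $height, '@max' => $max_pixels,
    ));
  }
  return $errors;
}

/**
 * Validator: caps the uncompressed size declared in the zip central directory
 * so a zip bomb is refused before extraction. The declared sizes can be
 * forged and nested archives are not inspected, so the extraction code must
 * still enforce a byte limit while writing.
 */
function mymodule_validate_zip_expanded_size($file, $max_bytes = 104857600) {
  $errors = array();
  $zip = new ZipArchive();
  if ($zip->open(drupal_realpath($file->uri)) !== TRUE) {
    $errors[] = t('The file is not a valid zip archive.');
    return $errors;
  }
  $total = 0;
  for ($i = 0; $i < $zip->numFiles; $i++) {
    $stat = $zip->statIndex($i);
    $total += $stat['size'];
    if ($total > $max_bytes) {
      $errors[] = t('The archive would expand to more than @max bytes.', array('@max' => $max_bytes));
      break;
    }
  }
  $zip->close();
  return $errors;
}

/**
 * Implements hook_file_validate(): applies the pixel cap to every image
 * upload on the site, including uploads handled by modules we do not control.
 */
function mymodule_file_validate($file) {
  if (in_array($file->filemime, array('image/png', 'image/jpeg', 'image/gif'), TRUE)) {
    return mymodule_validate_image_pixels($file);
  }
  return array();
}

/**
 * Form with explicit limits: bytes on disk (HDD), pixels (RAM) and, for the
 * archive field, the expanded size.
 */
function mymodule_upload_form($form, &$form_state) {
  $form['picture'] = array(
    '#type' => 'managed_file',
    '#title' => t('Picture'),
    '#upload_location' => 'public://pictures/',
    '#upload_validators' => array(
      'file_validate_extensions' => array('png jpg jpeg gif'),
      'file_validate_size' => array(2 * 1024 * 1024),
      'mymodule_validate_image_pixels' => array(4000 * 4000),
    ),
  );
  $form['archive'] = array(
    '#type' => 'managed_file',
    '#title' => t('Archive'),
    '#upload_location' => 'private://archives/',
    '#upload_validators' => array(
      'file_validate_extensions' => array('zip'),
      'file_validate_size' => array(10 * 1024 * 1024),
      'mymodule_validate_zip_expanded_size' => array(100 * 1024 * 1024),
    ),
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Upload'));
  return $form;
}
```

The pixel cap is also registered through hook_file_validate() on purpose: a field added later by another module, or a contrib upload path, would otherwise bypass the form-level validator.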
Misconfig
- Open ports that should be closed
- One system user for apache+php / for all sites
- Wrong permissions on directories, the config file or .htaccess (iframe injection, traffic redirect, shell):
AddType application/x-httpd-php .jpg
Redirect 301 / http://very-bad-site.com/
- Configuration copied from docs (nginx guides, Linode) without understanding it
- Misconfigured Drupal modules, etc.
DDoS
PentagonComp: Yes, my password is "MaoZedong"
Crouching tiger hidden dragon
How do hackers hide shells?
- PHP block in the DB
- jpg.php (+ .htaccess)
- obfuscation
- git (a hook creates the shell at pull) :)
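A drush php-script that checks the hiding places just listed and the .htaccess misconfigurations from the Misconfig slide, as an added example (not code from the original deck). It assumes Drupal 7 bootstrapped by drush from the site root ("drush php-script find-shells.php"; the file name is hypothetical); the patterns are a starting point for a manual review, not a complete scanner.

```php
<?php
// Added example, not from the original deck. Run from the site root with
// "drush php-script find-shells.php" (file name hypothetical); drush
// bootstraps Drupal 7 so DRUPAL_ROOT and db_query() are available.

/**
 * PHP in the database: custom blocks or node bodies that carry a PHP open tag
 * or use the "php_code" text format of the PHP filter module.
 */
function find_shells_in_db() {
  $hits = array();
  if (module_exists('php')) {
    $hits[] = 'PHP filter module is enabled: disable and uninstall it';
  }
  $blocks = db_query('SELECT bid, info FROM {block_custom} WHERE body LIKE :tag OR format = :fmt',
    array(':tag' => '%<?%', ':fmt' => 'php_code'));
  foreach ($blocks as $block) {
    $hits[] = "block_custom bid={$block->bid} ({$block->info}): PHP in block body";
  }
  if (db_table_exists('field_data_body')) {
    $bodies = db_query('SELECT entity_id FROM {field_data_body} WHERE body_value LIKE :tag OR body_format = :fmt',
      array(':tag' => '%<?%', ':fmt' => 'php_code'));
    foreach ($bodies as $row) {
      $hits[] = "node nid={$row->entity_id}: PHP in body";
    }
  }
  return $hits;
}

/**
 * Files: PHP tags inside "static" extensions (shell.jpg served through
 * AddType), .php files under the files directory, .htaccess files that add
 * handlers or redirects, and eval()/assert() fed by decoders in code files.
 */
function find_suspicious_files($root) {
  $hits = array();
  $static_ext = array('jpg', 'jpeg', 'png', 'gif', 'ico', 'txt', 'css', 'js');
  $code_ext = array('php', 'inc', 'module', 'install', 'theme');
  $obfuscated = '/\b(eval|assert|create_function)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i';
  $directives = '/^\s*(AddType|AddHandler|SetHandler|Redirect|RewriteRule)\b/mi';
  $git_dir = DIRECTORY_SEPARATOR . '.git' . DIRECTORY_SEPARATOR;
  $files_dir = DIRECTORY_SEPARATOR . 'files' . DIRECTORY_SEPARATOR;

  $iterator = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
  foreach ($iterator as $path => $info) {
    // Skip git internals and anything too big to be a hand-written shell.
    if (!$info->isFile() || $info->getSize() > 2097152 || strpos($path, $git_dir) !== FALSE) {
      continue;
    }
    $ext = strtolower($info->getExtension());
    $content = file_get_contents($path);
    if ($info->getFilename() === '.htaccess' && preg_match($directives, $content)) {
      $hits[] = "$path: .htaccess sets a handler or redirect";
    }
    elseif (in_array($ext, $static_ext, TRUE) && strpos($content, '<?') !== FALSE) {
      $hits[] = "$path: PHP tag in a .$ext file";
    }
    elseif ($ext === 'php' && strpos($path, $files_dir) !== FALSE) {
      $hits[] = "$path: PHP file inside the files directory";
    }
    elseif (in_array($ext, $code_ext, TRUE) && preg_match($obfuscated, $content)) {
      $hits[] = "$path: eval/assert of decoded data";
    }
  }
  return $hits;
}

/**
 * Git hooks: anything executable that is not one of the shipped *.sample
 * files runs on checkout/pull and deserves a look.
 */
function find_git_hooks($root) {
  $hits = array();
  foreach (glob($root . '/.git/hooks/*') as $hook) {
    if (substr($hook, -7) !== '.sample' && is_executable($hook)) {
      $hits[] = "$hook: active git hook";
    }
  }
  return $hits;
}

$report = array_merge(find_shells_in_db(), find_suspicious_files(DRUPAL_ROOT), find_git_hooks(DRUPAL_ROOT));
print count($report) ? implode("\n", $report) . "\n" : "Nothing matched these patterns.\n";
```

Every hit needs a human: a `<?` inside a .js file or a RewriteRule in a module's .htaccess may be legitimate, and a shell that encodes its payload differently will not match the obfuscation pattern. Comparing the checkout against git (which the "use git" advice above makes possible) is the complementary check that does not depend on patterns at all.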
?
skype: vasilykraev
vk@vkraev.ru