Drupal Development Security Essentials

Because unnecessary exposure is embarrassing.
I’m not a guru.

These folks are the Drupal Security Team (http://drupal.org/security-team):

Khalid Baheyeldin
Joshua Brauer
Dries Buytaert
Angela Byron
Robert Castelo
Nathaniel Catchpole
Stéphane Corlosquet
Heine Deelstra (team leader)
Neil Drumm
Ben Jeavons
Dmitri Gaskin
James Gilliland
Charlie Gordon
Gábor Hojtsy
Morbus Iff
Bart Jansens
Barry Jaspan
Chris Johnson
Gerhard Killesreiter
Andy Kirkham
Greg Knaddison
Kieran Lal (coordinator)
Adam Light
John Morahan
Karoly Negyesi
Stella Power
David Rothstein
Jakub Suchy
Mori Sugimoto (coordinator)
David Strauss
Oleg Terenchuk
Damien Tournoud
Moshe Weitzman
Peter Wolanin
Derek Wright
Dave Reid
Reasons to be concerned

1. Security holes can lose time and money
2. Or get you sued
3. Or be terribly embarrassing
4. Users are slow to upgrade (your old code can be around for a long time)
5. If you want a Drupal CVS account, your request can get a red flag if you’re not following basic security protocol
6. Drupal is becoming a more and more attractive target
What we’re going to cover
1. Set up a free dev environment to play
2. The golden rule of Drupal security
3. A quick definition of common attaxss
4. Our arsenal of functions (+ examples)
5. Questions (maybe even some answers!)
Set up a free dev environment

1. Don’t have an editor? Browse with FileZilla (http://filezilla-project.org/) and open files in a text editor.
2. Sign up for an account at http://webenabled.com
3. After signing in, create an Acquia application (it has a bunch of modules already bundled)
4. Copy the SSH info, and connect using your editor.
The Golden Rule of Drupal Security

Whatchoothink?

Use the APIs.

This isn’t so bad.

APIs take a little while to learn, but nearly every security-related function has awesome side benefits.
Common Attaxss

XSS - Cross-Site Scripting
SQL Injection
DOS - Denial of Service
CSRF - Cross-Site Request Forgery
Our arsenal of functions

We need guns. 10 or so guns.

String filtering   t()
                   check_plain()
                   check_markup()
                   filter_xss_admin()
Links              l()
                   url()
Access control     user_access()
Database           db_query()
                   db_query_range()
Data passing       drupal_get_token()
Protects against: XSS

t()

Purpose: Filters out the malicious, leaves the delicious.
Bonus: Makes your text translatable into other languages (Internationalization module) or overridable through config (String Overrides module).
Protects against: XSS

Mo’ about t()

3 variable replacement options (for stuff that shouldn’t be translated, like paths).
Replacements are passed as an array keyed by placeholder name:

  ! - No filtering
  @ - Plain text (run through check_plain())
  % - Highlighted (check_plain() wrapped in <em> by theme('placeholder'))

  t("I !pity the foo’", array('!pity' => '<strong>pity</strong>'))
    returns: I <strong>pity</strong> the foo’
    (the browser shows "pity" in bold)

  t("I @pity the foo’", array('@pity' => '<strong>pity</strong>'))
    returns: I &lt;strong&gt;pity&lt;/strong&gt; the foo’
    (the browser shows the literal text I <strong>pity</strong> the foo’)

  t("I %pity the foo’", array('%pity' => '<strong>pity</strong>'))
    returns: I <em>&lt;strong&gt;pity&lt;/strong&gt;</em> the foo’
    (the browser shows the literal text, emphasized)
Protects against: XSS

Mo’ about t()

format_plural() is nice

Drupal.t() for javascript

Caveats
1. Don’t use l() inside t()
2. Wrap t() around entire sentences
3. Avoid escaping quotation marks
4. Don’t pass a variable through t()
Protects against: XSS

check_plain()

Purpose: Filters malicious toppings. Converts to plain text, as advertised.
Protects against: XSS

check_markup()

Purpose: Applies content filters to content. Super cool.
Bonus: Filters do more than filter, they also embed stuff like blocks, views, images and links without giving the user unnecessary access.
Protects against: XSS

filter_xss_admin()

Purpose: Lets through all HTML except styles and scripts.
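Added example, not from the slides or from Drupal core: one render function for a hypothetical recipe record that picks t(), check_plain(), check_markup() or filter_xss_admin() by where each string came from, plus the t() caveat about variables. It assumes a Drupal 6 bootstrap; the recipe fields, paths and the 'recipes_footer_note' variable are made up.

```php
<?php
// Added example, not from the slides or from Drupal core: one render function
// for a hypothetical recipe record, picking the filter by where each string
// came from. Assumes a Drupal 6 bootstrap; the recipe fields, paths and the
// 'recipes_footer_note' variable are made up.

function recipes_render($recipe) {
  $output = '';

  // Title: user-supplied and never meant to be markup, so check_plain().
  $output .= '<h2>' . check_plain($recipe->title) . '</h2>';

  // Byline: one whole sentence through t(). The author name is user input
  // and goes through @ (check_plain). The link goes through ! because l()
  // has already escaped its text; putting l() inside the t() string would
  // bake markup into the translatable string.
  $output .= '<p>' . t('Submitted by @name. !link', array(
    '@name' => $recipe->author_name,
    '!link' => l(t('More by this author'), 'recipes/author/' . $recipe->uid),
  )) . '</p>';

  // Body: user-supplied rich text. check_markup() runs the input format the
  // text was saved with, so the author's permissions (not the viewer's)
  // decide which tags survive; $check = FALSE skips the viewer-side access
  // check, which is what core does when it displays a node body.
  $output .= check_markup($recipe->body, $recipe->format, FALSE);

  // Footer note typed by an administrator on a settings page: trusted to
  // write HTML, but filter_xss_admin() still strips <script> and <style>.
  $note = variable_get('recipes_footer_note', '');
  if ($note !== '') {
    $output .= '<div class="recipes-note">' . filter_xss_admin($note) . '</div>';
  }

  // l() escapes the link text by default and rewrites the path for the
  // site's base path and aliases. Only pass 'html' => TRUE for text you
  // have already filtered yourself.
  $output .= '<p>' . l(t('Back to all recipes'), 'recipes') . '</p>';
  return $output;
}

// Caveat 4: never t() a variable. t($status) cannot be extracted for
// translation, and if user input reaches it there is no placeholder to
// filter it, so it comes back out as-is. Look the literal up instead.
function recipes_status_message($status) {
  $messages = array(
    'draft' => t('This recipe is a draft.'),
    'published' => t('This recipe is published.'),
  );
  return isset($messages[$status]) ? $messages[$status] : '';
}
```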
Protects against: XSS

l() and url()

Purpose: Laconic linking tool for leading without losing location.
Bonus: Filters out HTML by default, but also ensures that the URL is always pointing to the right place, even if Drupal moves.

Other luscious options: attributes, query, fragment, html, alias
Protects against: XSS, DOS

user_access()

Purpose: Keep users from accessing stuff they’re not supposed to.

Step 1: Implement hook_perm()

Step 2: Use user_access() to check permissions
Protects against: XSS, DOS

user_access() continued

1. Granularity is a virtue
2. Access control doesn’t work unless you use it
3. Be cautious about using other modules’ permissions
4. It’s not just about your users, it’s also about the hackers posing as your users.
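Added example, not from the slides or from Drupal core: the two steps above (hook_perm(), then user_access()) for a hypothetical "recipes" module, with one granular permission per operation and the check wired into the menu router so it runs on every request, not just when a link is shown. It assumes a Drupal 6 bootstrap and a made-up {recipes} table with rid, uid and title columns.

```php
<?php
// Added example, not from the slides or from Drupal core: access control for
// a hypothetical "recipes" module on Drupal 6. Assumes a Drupal 6 bootstrap
// and a {recipes} table with rid, uid and title columns (both made up).

/**
 * Step 1: implement hook_perm(). Granularity is a virtue: one permission
 * per operation instead of a single catch-all "administer recipes".
 */
function recipes_perm() {
  return array('view recipes', 'create recipes', 'delete any recipe');
}

/**
 * Menu items declare the permission they need, so the router refuses the
 * request before the page callback runs. This is the check that counts:
 * a link that is merely hidden stops nobody who types the URL by hand.
 */
function recipes_menu() {
  $items['recipes'] = array(
    'title' => 'Recipes',
    'page callback' => 'recipes_list_page',
    'access arguments' => array('view recipes'),
  );
  $items['recipes/%recipe/delete'] = array(
    'title' => 'Delete recipe',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('recipes_delete_confirm', 1),
    'access callback' => 'recipes_delete_access',
    'access arguments' => array(1),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/** Loader for the %recipe wildcard; returning FALSE gives the visitor a 404. */
function recipe_load($rid) {
  $recipe = db_fetch_object(db_query('SELECT rid, uid, title FROM {recipes} WHERE rid = %d', $rid));
  return $recipe ? $recipe : FALSE;
}

/**
 * Step 2: user_access() decides. The router calls this for GET and POST
 * alike, so someone posing as a user still has to pass it.
 */
function recipes_delete_access($recipe, $account = NULL) {
  global $user;
  if (!isset($account)) {
    $account = $user;
  }
  if (user_access('delete any recipe', $account)) {
    return TRUE;
  }
  // Authors may delete their own recipes. uid 0 is anonymous and shared by
  // every anonymous visitor, so never treat uid 0 as an owner.
  return $account->uid > 0 && $account->uid == $recipe->uid;
}

function recipes_list_page() {
  $items = array();
  $result = db_query('SELECT rid, uid, title FROM {recipes} ORDER BY title');
  while ($recipe = db_fetch_object($result)) {
    $line = check_plain($recipe->title);
    // Showing the link only to people allowed to use it is a courtesy;
    // recipes_delete_access() in the menu item is the actual gate.
    if (recipes_delete_access($recipe)) {
      $line .= ' ' . l(t('delete'), 'recipes/' . $recipe->rid . '/delete');
    }
    $items[] = $line;
  }
  return theme('item_list', $items);
}

/** Form API confirm form: the Form API adds and checks the CSRF token itself. */
function recipes_delete_confirm(&$form_state, $recipe) {
  $form['rid'] = array('#type' => 'value', '#value' => $recipe->rid);
  return confirm_form($form,
    t('Are you sure you want to delete %title?', array('%title' => $recipe->title)),
    'recipes', NULL, t('Delete'), t('Cancel'));
}

function recipes_delete_confirm_submit($form, &$form_state) {
  db_query('DELETE FROM {recipes} WHERE rid = %d', $form_state['values']['rid']);
  drupal_set_message(t('The recipe has been deleted.'));
  $form_state['redirect'] = 'recipes';
}
```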
Protects against: SQL injection

db_query()

Purpose: Filters inaccurate and potentially malicious material out of a database query.
Bonus: Instantly makes your queries cross-database compatible.
Protects against: SQL injection

db_query() continued

1. Wrap curly brackets around table names: {node}
2. Filter any user-supplied data by using placeholders
     %s - String
     %d - Integer / Number
     %% - Literal percent sign (for LIKE queries)
3. Note that there is usually a Drupal equivalent to MySQL functions, such as:
     mysql_fetch_array = db_fetch_array
     mysql_result = db_result
     mysql_fetch_object = db_fetch_object
     (see a pattern?)
Protects against: DOS, SQL injection

db_query_range()

Purpose: Limits the number of results returned
Bonus: Also helps with database compatibility
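Added example, not from the slides or from Drupal core, covering both the db_query() placeholder rules above and db_query_range(): a search over a hypothetical {recipes} table, first written by string concatenation and then with {table} wrapping, %s / %d / %% placeholders, a range limit and the db_fetch_* / db_result equivalents. It assumes a Drupal 6 bootstrap; the table and its rid, uid and title columns are made up.

```php
<?php
// Added example, not from the slides or from Drupal core: a search over a
// hypothetical {recipes} table, before and after db_query()/db_query_range().
// Assumes a Drupal 6 bootstrap; the table and its rid, uid and title columns
// are made up.

// BEFORE: the keyword is pasted into the SQL unescaped, the table name is
// hard-wired (no table-prefix support), and nothing bounds the result set,
// so one request can drag out the whole table.
function recipes_search_unsafe($keyword) {
  $rows = array();
  $result = db_query("SELECT rid, title FROM recipes WHERE title LIKE '%" . $keyword . "%'");
  while ($row = db_fetch_object($result)) {
    $rows[] = $row;
  }
  return $rows;
}

// AFTER: {table} wrapping, a placeholder for every user-supplied value, and
// a range so a page never returns more than $per_page rows.
function recipes_search($keyword, $uid, $page = 0, $per_page = 20) {
  $rows = array();
  // %d casts $uid to an integer, %s escapes $keyword as a string, and each
  // %% becomes a literal percent sign, so the pattern ends up as %keyword%.
  // Escaping stops injection but does not neutralise LIKE wildcards: a '%'
  // or '_' typed by the user still matches as a wildcard, so strip them if
  // that matters for your search.
  $keyword = str_replace(array('%', '_'), '', $keyword);
  $result = db_query_range(
    "SELECT rid, title FROM {recipes} WHERE uid = %d AND title LIKE '%%%s%%' ORDER BY title",
    $uid, $keyword, $page * $per_page, $per_page);
  while ($row = db_fetch_object($result)) {
    $rows[] = $row;
  }
  return $rows;
}

// Single values: db_result() is the Drupal equivalent of mysql_result().
function recipes_count($uid) {
  return (int) db_result(db_query('SELECT COUNT(rid) FROM {recipes} WHERE uid = %d', $uid));
}

// A whole row as an array: db_fetch_array() for mysql_fetch_array().
function recipes_load_array($rid) {
  return db_fetch_array(db_query('SELECT rid, uid, title FROM {recipes} WHERE rid = %d', $rid));
}
```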
Protects against: CSRF

drupal_get_token()

Purpose: Verify the source of a request (i.e. GET or POST)

Step 1: Set the token
        (see drupal_prepare_form() in /includes/form.inc)

Step 2: Check the token
        (see drupal_validate_form() in /includes/form.inc)
Protects against: CSRF

drupal_get_token() cont’d

Let’s look at the code: /includes/common.inc

Works for AJAX, too!
1. Set a hidden input with a token
2. Pass the value in the AJAX call
3. Check it server-side before processing
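Added example, not from the slides or from Drupal core: the three AJAX steps above for a hypothetical "rate this recipe" callback, using drupal_get_token() to mint the token and drupal_valid_token() to check it. It assumes a Drupal 6 bootstrap, a recipe_load() wildcard loader, a 'rate recipes' permission declared in hook_perm(), and a made-up {recipe_ratings} table with rid, uid and rating columns.

```php
<?php
// Added example, not from the slides or from Drupal core: protecting a
// hypothetical "rate this recipe" AJAX callback with the same token mechanism
// the Form API uses. Assumes a Drupal 6 bootstrap, a recipe_load() wildcard
// loader, a 'rate recipes' permission declared in hook_perm(), and a
// {recipe_ratings} table with rid, uid and rating columns (all made up).

function rating_menu() {
  $items['recipes/%recipe/rate'] = array(
    'page callback' => 'rating_rate_ajax',
    'page arguments' => array(1),
    'access arguments' => array('rate recipes'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Step 1: set a hidden input with a token. The token is tied to the action
 * ("rate:" plus the recipe id) and, via session_id(), to the visitor, so a
 * token read off one page cannot be replayed for another recipe or by
 * another user.
 */
function rating_widget($recipe) {
  $token = drupal_get_token('rate:' . $recipe->rid);
  drupal_add_js(array('rating' => array('rid' => $recipe->rid)), 'setting');

  // Step 2: pass the value in the AJAX call. The JavaScript is inline so the
  // whole example sits in one file; a real module would ship a .js file.
  drupal_add_js('
    Drupal.behaviors.rating = function (context) {
      $("a.rating-star", context).click(function () {
        var rid = Drupal.settings.rating.rid;
        $.post(Drupal.settings.basePath + "recipes/" + rid + "/rate",
          { rating: $(this).attr("rel"), token: $("#rating-token").val() },
          function (data) { $("#rating-result").text(data.message); }, "json");
        return false;
      });
    };', 'inline');

  $output = '<input type="hidden" id="rating-token" value="' . check_plain($token) . '" />';
  foreach (range(1, 5) as $stars) {
    $output .= l($stars, 'recipes/' . $recipe->rid . '/rate',
      array('attributes' => array('class' => 'rating-star', 'rel' => $stars)));
  }
  return $output . '<div id="rating-result"></div>';
}

/**
 * Step 3: check the token server-side before processing anything.
 * drupal_valid_token() is the same check drupal_validate_form() applies to
 * every Form API submission.
 */
function rating_rate_ajax($recipe) {
  global $user;
  $token = isset($_POST['token']) ? $_POST['token'] : '';
  if (!drupal_valid_token($token, 'rate:' . $recipe->rid)) {
    drupal_set_header('HTTP/1.1 403 Forbidden');
    drupal_json(array('message' => t('Invalid request.')));
    return;
  }
  $rating = isset($_POST['rating']) ? (int) $_POST['rating'] : 0;
  if ($rating < 1 || $rating > 5) {
    drupal_json(array('message' => t('Rating must be between 1 and 5.')));
    return;
  }
  // Placeholders throughout: %d casts, so a tampered value cannot become SQL.
  db_query('DELETE FROM {recipe_ratings} WHERE rid = %d AND uid = %d', $recipe->rid, $user->uid);
  db_query('INSERT INTO {recipe_ratings} (rid, uid, rating) VALUES (%d, %d, %d)',
    $recipe->rid, $user->uid, $rating);
  drupal_json(array('message' => t('Thanks for rating this recipe.')));
}
```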
More security tips for your consideration

1. Use the Form(s) API, it does a lot of heavy lifting
2. Set permissions properly
3. Don’t use User One for regular admin tasks
4. SSL certificates aren’t a cure-all
There. Now we’re covered.

My info
Chris Shattuck
http://chrisshattuck.com
Twitter: stompeers

Shameless: I sell Drupal development tutorial videos at http://buildamodule.com

I also do Drupal consulting
User Experience (UX) . Interface Design (UI) . jQuery integration
Drupal Training . Guerrilla Usability . Module Development
Drupal Development Security Essentials (transcript)

  • 1. Drupal Development Security Essentials. Because unnecessary exposure is embarrassing.
  • 2-3. I’m not a guru. These folks are (Drupal Security Team, http://drupal.org/security-team): Khalid Baheyeldin, Gerhard Killesreiter, Joshua Brauer, Andy Kirkham, Dries Buytaert, Greg Knaddison, Angela Byron, Kieran Lal (coordinator), Robert Castelo, Adam Light, Nathaniel Catchpole, John Morahan, Stéphane Corlosquet, Karoly Negyesi, Heine Deelstra (team leader), Stella Power, Neil Drumm, David Rothstein, Ben Jeavons, Jakub Suchy, Dmitri Gaskin, Mori Sugimoto (coordinator), James Gilliland, David Strauss, Charlie Gordon, Oleg Terenchuk, Gábor Hojtsy, Damien Tournoud, Morbus Iff, Moshe Weitzman, Bart Jansens, Peter Wolanin, Barry Jaspan, Derek Wright, Chris Johnson, Dave Reid.
  • 4-11. Reasons to be concerned: 1. Security holes can lose time and money. 2. Or get you sued. 3. Or be terribly embarrassing. 4. Users are slow to upgrade (your old code can be around for a long time). 5. If you want a Drupal CVS account, your request can get a red flag if you’re not following basic security protocol. 6. Drupal is becoming a more and more attractive target.
  • 12-18. What we’re going to cover: 1. Set up a free dev environment to play. 2. The golden rule of Drupal security. 3. A quick definition of common attaxss. 4. Our arsenal of functions (+ examples). 5. Questions (maybe even some answers!).
  • 19-23. Set up a free dev environment: 1. Don’t have an editor? Browse with Filezilla (http://filezilla-project.org/) and open in a text editor. 2. Sign up for an account at http://webenabled.com. 3. After signing in, create an Acquia application (has a bunch of modules already bundled). 4. Copy the SSH info, and connect using your editor.
  • 24-31. The Golden Rule of Drupal Security. Whatchoothink? Use the APIs. This isn’t so bad. APIs take a little while to learn. Nearly every security-related function has awesome side benefits.
  • 33-36. Common Attaxss: XSS - Cross-Site Scripting. SQL Injection. DOS - Denial of service. CSRF - Cross Site Request Forgeries.
  • 37-48. Our arsenal of functions. We need guns. 10 or so guns. String filtering: t(), check_plain(), check_markup(), filter_xss_admin(). Links: l(), url(). Access control: user_access(). Database: db_query(), db_query_range(). Data passing: drupal_get_token().
  • 50-52. t(). Protects against: XSS. Purpose: Filters out the malicious, leaves the delicious. Bonus: Makes your text translatable into other languages (Internationalization module) or overridable through config (String Overrides module). Example: (code shown on the slide).
  • 53-59. Mo’ about t(). 3 variable replacement options (for stuff that shouldn’t be translated, like paths): ! - No filtering. @ - Plain text. % - Highlighted.
    t("I !pity the foo'", array('!pity' => '<strong>pity</strong>')) renders as: I pity the foo’ (the <strong> is left in and rendered)
    t("I @pity the foo'", array('@pity' => '<strong>pity</strong>')) renders as: I <strong>pity</strong> the foo’ (the tags are escaped and shown literally)
    t("I %pity the foo'", array('%pity' => '<strong>pity</strong>')) renders as: I <strong>pity</strong> the foo’ (escaped as with @, then highlighted)
  • 60-67. Mo’ about t(). format_plural() is nice. Drupal.t() for javascript. Caveats: 1. Don’t use l(). 2. Wrap t() around entire sentences. 3. Avoid escaping quotation marks. 4. Don’t pass a variable through t().
  • 68-70. check_plain(). Protects against: XSS. Purpose: Filters malicious toppings. Converts to plain text, as advertised.
  • 71-74. check_markup(). Protects against: XSS. Purpose: Applies content filters to content. Super cool. Bonus: Filters do more than filter, they also embed stuff like blocks, views, images and links without giving the user unnecessary access.
  • 75-77. filter_xss_admin(). Protects against: XSS. Purpose: Lets through all HTML except styles and scripts.
  • 78-83. l() and url(). Protects against: XSS. Purpose: Laconic linking tool for leading without losing location. Bonus: Filters out HTML by default, but also ensures that the URL is always pointing to the right place, even if Drupal moves. Other luscious options: attributes, query, fragment, html, alias.
  • 84-89. user_access(). Protects against: XSS, DOS. Purpose: Keep users from accessing stuff they’re not supposed to. Step 1: Implement hook_perm(). Step 2: Use user_access() to check permissions.
  • 90-94. user_access() continued: 1. Granularity is a virtue. 2. Access control doesn’t work unless you use it. 3. Be cautious about using other modules’ permissions. 4. It’s not just about your users, it’s also about the hackers posing as your users.
  • 95-98. db_query(). Protects against: SQL injection. Purpose: Filters inaccurate and potentially malicious material out of a database query. Bonus: Instantly makes your queries cross-database compatible.
  • 99-106. db_query() continued: 1. Wrap brackets around table names. 2. Filter any user-supplied data by using placeholders: %s - String. %d - Integer / Number. %% - For LIKE queries. 3. Note that there is usually a Drupal equivalent to MySQL functions, such as: mysql_fetch_array = db_fetch_array, mysql_result = db_result, mysql_fetch_object = db_fetch_object (see a pattern?).
  • 107-110. db_query_range(). Protects against: DOS, SQL injection. Purpose: Limits the number of results returned. Bonus: Also helps with database compatibility.
  • 111-114. drupal_get_token(). Protects against: CSRF. Purpose: Verify the source of a request (i.e. GET or POST). Step 1: Set the token: drupal_prepare_form() in /includes/form.inc. Step 2: Check the token: drupal_validate_form() in /includes/form.inc.
  • 115-122. drupal_get_token() cont’d. Let’s look at the code: /includes/common.inc (code shown on the slide). Works for AJAX, too! 1. Set a hidden input with a token. 2. Pass the value in the AJAX call. 3. Check it server-side before processing.
  • 123-127. More security tips for your consideration: 1. Use the Form(s) API, it does a lot of heavy lifting. 2. Set permissions properly. 3. Don’t use User One for regular admin tasks. 4. SSL certificates aren’t a cure-all.
  • 128. There. Now we’re covered.
  • 129. My info. Chris Shattuck, http://chrisshattuck.com, Twitter: stompeers. I sell Drupal development tutorial videos at http://buildamodule.com. I also do Drupal consulting: User Experience (UX) . Interface Design (UI) . jQuery integration . Drupal Training . Guerrilla Usability . Module Development.
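The deck’s arsenal worked through together, as an added Drupal 6 module example (not code from the slides or from Drupal core) covering the hook_perm()/user_access(), db_query()/db_query_range() placeholder and t()/l() passages above; the module name arsenal, its permission string and its path are assumed for the example.

```php
<?php
// Added example (not from the slides or from Drupal core): a hypothetical
// Drupal 6 module "arsenal". The module name, the permission string and the
// path are assumptions; the API calls are Drupal 6's.

/**
 * Implementation of hook_perm(): declare a granular permission of our own
 * rather than borrowing another module's.
 */
function arsenal_perm() {
  return array('view arsenal listing');
}

/**
 * Implementation of hook_menu(). The '%' wildcard hands arg 1 (the node
 * type) to the page callback; it is user-supplied, like everything in a URL.
 */
function arsenal_menu() {
  $items = array();
  $items['arsenal/%'] = array(
    'title' => 'Recent content',
    'page callback' => 'arsenal_listing',
    'page arguments' => array(1),
    'access arguments' => array('view arsenal listing'),
  );
  return $items;
}

/**
 * Page callback: list up to ten published nodes of $type, optionally
 * filtered by a ?title= substring. Nothing user-supplied reaches SQL or
 * HTML without going through the API.
 */
function arsenal_listing($type) {
  // Access control does not work unless you use it: the menu router
  // already checked, but this keeps the function safe if called directly.
  if (!user_access('view arsenal listing')) {
    drupal_access_denied();
    return;
  }
  $title = isset($_GET['title']) ? $_GET['title'] : '';

  // {node}: brackets so Drupal can prefix the table name.
  // %s / %d: placeholders, so values are escaped and %d is forced numeric.
  $sql = "SELECT nid, title, created FROM {node} WHERE type = '%s' AND status = %d";
  $args = array($type, 1);
  if ($title !== '') {
    // %% is the literal percent sign for LIKE; the %s in the middle is the
    // escaped search string, so the pattern becomes '%...%'.
    $sql .= " AND title LIKE '%%%s%%'";
    $args[] = $title;
  }
  $sql .= " ORDER BY created DESC";
  // db_query_range() caps the rows returned: paging, and a DOS guard.
  $result = db_query_range($sql, $args, 0, 10);

  $items = array();
  while ($node = db_fetch_object($result)) {
    // l() escapes the link text and builds a path that survives a site move;
    // @date is plain-text escaped inside t().
    $items[] = l($node->title, 'node/' . $node->nid) . ' '
      . t('(posted @date)', array('@date' => format_date($node->created)));
  }
  if (empty($items)) {
    // @type is escaped; %type is escaped and highlighted with <em>. Neither
    // the type nor the search string is ever passed through t() itself.
    return t('No %type content matches "@title".', array('%type' => $type, '@title' => $title));
  }
  return theme('item_list', $items);
}
```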