2. Who am I?
Tatar Balazs Janos
@tatarbj
Working with Drupal since 2007
CTO @ Petend
Drupal Security Correspondent @ EC
Active mentor @ Mentoring community group
Provisional member @ Drupal Security Team
SecOSdreamer @ Secure Open Source day
DRUPALCAMP
KYIV’19
17. Client side vulnerability
Unfiltered output
Never trust any user input.
We’ve seen the demo before ;)
Cross Site Scripting
Tatar Balazs Janos - @tatarbj
21. Everyone has a bingo card (check your bag!)
If you answer well, mark the number!
Wrong answer = no number!
The first to shout BINGO! wins the prize!
Rules and etiquette
42. Use Behat/automated tests.
<script>alert('XSS')</script>
<img src="a" onerror="alert('title')">
Check your filters and user roles.
Do not give too many options to untrusted users!
Protection against Cross Site Scripting
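The two payloads above are the ones every output filter must neutralise. As an added example (not code from the slides), here is the output-escaping step in plain PHP so it runs without Drupal: Drupal 7's check_plain() and Drupal 8's Html::escape() make the same htmlspecialchars() call, and Twig templates apply it automatically. The third input and the function names are constructed for this example.

```php
<?php
// Added example, not from the slides: output escaping for untrusted input in
// plain PHP. The first two inputs are the payloads from the slide; the third
// is constructed to show that harmless text survives escaping intact.

$inputs = [
  "<script>alert('XSS')</script>",
  '<img src="a" onerror="alert(\'title\')">',
  'Plain title & "quotes"',
];

// Escape untrusted text for an HTML text node or a quoted attribute value.
// ENT_QUOTES escapes both ' and " so the string can never close an attribute.
function escape_html(string $untrusted): string {
  return htmlspecialchars($untrusted, ENT_QUOTES, 'UTF-8');
}

// A tag allowlist that is too generous: strip_tags() keeps every attribute of
// an allowed tag, so permitting <img> also permits its onerror handler.
// This is the "too many options to untrusted users" case from the slide.
function naive_filter(string $untrusted): string {
  return strip_tags($untrusted, '<img>');
}

// Detection helper: does the output still contain a real tag (a literal '<',
// not '&lt;') carrying an inline on* event-handler attribute?
function has_event_handler(string $html): bool {
  return (bool) preg_match('/<[a-z][^>]*\son[a-z]+\s*=/i', $html);
}

foreach ($inputs as $in) {
  $escaped = escape_html($in);
  $naive = naive_filter($in);
  echo "raw:     $in\n";
  echo "escaped: $escaped (handler left: " . var_export(has_event_handler($escaped), true) . ")\n";
  echo "naive:   $naive (handler left: " . var_export(has_event_handler($naive), true) . ")\n\n";
}
```

Escaping turns both payloads into inert text; the strip_tags() allowlist lets the second one through unchanged. When a text format must allow some HTML, use filter_xss() (D7) or Xss::filter() (D8+) with an explicit allowed-tag list: they drop on* attributes and unsafe URL schemes, which a tag-only allowlist does not.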
44. User can access/do something.
Menu items can be defined to be
accessed/denied.
Many access systems: node, entity, field, views...
Access bypass
57. Restricted permissions make Drupal sites more secure by calling the restrict_permission() method.
?
59. Restricted permissions make Drupal sites more secure by raising attention on the permission page.
?
66. Visit node/nid and other URLs
Visit anything/%node
Use Behat/automated tests.
node_access(), entity_access()
Menu definitions
user_access() for permissions
$query->addTag('node_access')
Protection against Access bypass
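The checklist above names the Drupal 7 access hooks and the node_access query tag, and slide 59 gave the answer on restricted permissions. As an added example (a module fragment written for this page, not code from the slides), here is how those pieces fit together in one module. The module name secbingo, its permission, paths and callbacks are hypothetical; hook_permission(), hook_menu(), user_access(), node_access(), db_select() and the 'node_access' tag are the real Drupal 7 API, so this runs inside a Drupal 7 site rather than stand-alone.

```php
<?php
// Added example, not from the slides: a hypothetical Drupal 7 module
// ("secbingo") showing the access-control hooks named on these slides.

/**
 * Implements hook_permission().
 */
function secbingo_permission() {
  return array(
    'administer secbingo' => array(
      'title' => t('Administer Security Bingo'),
      // 'restrict access' only adds a warning on admin/people/permissions
      // ("give to trusted roles only"); it does not narrow what the
      // permission allows. That is the point of slide 59.
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 */
function secbingo_menu() {
  $items = array();
  // Admin page: the router runs user_access('administer secbingo') itself.
  $items['admin/config/secbingo'] = array(
    'title' => 'Security Bingo',
    'page callback' => 'secbingo_admin_page',
    'access arguments' => array('administer secbingo'),
  );
  // Per-node page at secbingo/%node: %node auto-loads the node, and the
  // access callback runs node_access('view', $node), so a user who may not
  // view the node gets a 403 instead of a leaked page. This is what the
  // "Visit anything/%node" test on slide 66 probes for.
  $items['secbingo/%node'] = array(
    'title' => 'Bingo card',
    'page callback' => 'secbingo_node_page',
    'page arguments' => array(1),
    'access callback' => 'node_access',
    'access arguments' => array('view', 1),
  );
  return $items;
}

/**
 * Lists published nodes the current user may view.
 *
 * The 'node_access' tag lets node grant modules rewrite the query; without
 * it, a listing built this way leaks titles of nodes the user cannot access.
 */
function secbingo_visible_nodes() {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', 1);
  $query->addTag('node_access');
  return $query->execute()->fetchAllKeyed();
}

function secbingo_admin_page() {
  return t('Security Bingo settings');
}

function secbingo_node_page($node) {
  // Re-check in the callback as well: the function may be reached from code
  // paths other than the router (e.g. a custom block or drush command).
  if (!node_access('view', $node)) {
    return MENU_ACCESS_DENIED;
  }
  return check_plain($node->title);
}
```

Two habits to keep: never rely on the menu router alone when the same function can be called elsewhere, and tag every node listing query with 'node_access' (or use EntityFieldQuery / entity access checks), because a plain db_select() knows nothing about grants.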
68. Unauthorized access to database resources.
Do not trust any user input.
SA-CORE-2014-005 – Highly critical D7 SA
SQL Injection
79. Always use the Drupal Database API!
db_query() with :placeholder (deprecated in D8, will be removed in D9)
Filter parameters
Check the queries in code.
username' AND 1=1
POST requests via curl
Protection against SQL Injection
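To show what the :placeholder rule on this slide buys, and the caveat from the speaker notes that the Database API escapes derived table and field names but not every argument, here is an added example (not from the slides) that runs the same lookup both ways against an in-memory SQLite database, so it works without Drupal. Drupal's db_query() with :placeholders, and $query->condition() in D8+, bind values through PDO in exactly this way. The table, its rows and the function names are constructed for this example.

```php
<?php
// Added example, not from the slides: string concatenation vs. bound
// parameters, plus allowlisting for identifiers that cannot be bound.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, mail TEXT)');
$db->exec("INSERT INTO users (name, mail) VALUES ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

// Vulnerable: untrusted input becomes part of the SQL text.
function find_user_concat(PDO $db, string $name): array {
  $sql = "SELECT uid, name FROM users WHERE name = '" . $name . "'";
  return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the input is bound as a value; the SQL text never changes.
// Equivalent to db_query('... WHERE name = :name', array(':name' => $name)).
function find_user_bound(PDO $db, string $name): array {
  $stmt = $db->prepare('SELECT uid, name FROM users WHERE name = :name');
  $stmt->execute([':name' => $name]);
  return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers (table and column names) cannot be bound as parameters, so an
// ORDER BY column coming from a request must be checked against an allowlist
// before it reaches the query text. This is the "not all arguments" caveat.
function list_users_sorted(PDO $db, string $sort): array {
  $allowed = ['uid', 'name', 'mail'];
  if (!in_array($sort, $allowed, true)) {
    throw new InvalidArgumentException("Unknown sort column: $sort");
  }
  return $db->query("SELECT uid, name FROM users ORDER BY $sort")->fetchAll(PDO::FETCH_ASSOC);
}

// Legitimate input followed by the probe string from the slide.
foreach (['alice', "username' AND 1=1"] as $input) {
  echo "input: $input\n";
  try {
    echo '  concat: ' . json_encode(find_user_concat($db, $input)) . "\n";
  } catch (PDOException $e) {
    // The probe breaks the concatenated query. A verbose error page here is
    // the signal testers look for, so log it server-side and never echo it.
    echo "  concat: SQL error (logged, not shown)\n";
  }
  echo '  bound:  ' . json_encode(find_user_bound($db, $input)) . "\n";
}
echo 'sorted: ' . json_encode(list_users_sorted($db, 'name')) . "\n";
```

The bound version treats the probe as a literal name and simply returns no rows; the concatenated version errors out, and with other inputs would return rows it should not. The identifier allowlist is the part placeholders cannot do for you.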
80. Round 4
Ready for some other code?
81.
<?php
function _generate_password($length = 8) {
  // Allowed character set and the zero-based index of its last character.
  // Assumed here for completeness; the slide does not show these definitions.
  $allowable_characters = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
  $len = strlen($allowable_characters) - 1;
  $pass = '';
  for ($i = 0; $i < $length; $i++) {
    // Each iteration, pick a random character from the
    // allowable string and append it to the password.
    // mt_rand() is a seeded, predictable PRNG, not a CSPRNG: this is the flaw.
    $pass .= $allowable_characters[mt_rand(0, $len)];
  }
  return $pass;
}
?>
83.
<?php
function _generate_password($length = 8) {
  // Allowed character set and the zero-based index of its last character.
  // Assumed here for completeness; the slide does not show these definitions.
  $allowable_characters = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
  $len = strlen($allowable_characters) - 1;
  $pass = '';
  for ($i = 0; $i < $length; $i++) {
    do {
      // Find a secure random number within the range needed: one CSPRNG
      // byte (0-255), redrawn if it is out of range, so every index is
      // equally likely (no modulo bias).
      $index = ord(drupal_random_bytes(1));
    } while ($index > $len);
    $pass .= $allowable_characters[$index];
  }
  return $pass;
}
?>
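Slides 81 and 83 show the broken and the fixed generator; the added example below (not code from the slides) shows why the first one is broken rather than just asserting it. mt_rand() is the Mersenne Twister, fully determined by a 32-bit seed, so seeding it the same way twice yields the same "random" password. PHP 7's random_int() draws from the OS CSPRNG and is uniform over the requested range, which makes it a drop-in for the drupal_random_bytes() rejection loop of slide 83. The character set is the one Drupal 7's user_password() uses; the function names and the seed value are this example's own.

```php
<?php
// Added example, not from the slides: seeded mt_rand() vs. random_int().

const ALLOWABLE_CHARACTERS = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';

// Insecure: the output is a pure function of $seed. Code that seeds from
// time() or a process id is just as predictable to anyone who can guess it.
function password_from_mt_rand(int $length, int $seed): string {
  mt_srand($seed);
  $len = strlen(ALLOWABLE_CHARACTERS) - 1;
  $pass = '';
  for ($i = 0; $i < $length; $i++) {
    $pass .= ALLOWABLE_CHARACTERS[mt_rand(0, $len)];
  }
  return $pass;
}

// Secure: every index comes from the CSPRNG; there is no seed to guess and
// random_int() has no modulo bias, so no rejection loop is needed.
function password_from_csprng(int $length): string {
  $len = strlen(ALLOWABLE_CHARACTERS) - 1;
  $pass = '';
  for ($i = 0; $i < $length; $i++) {
    $pass .= ALLOWABLE_CHARACTERS[random_int(0, $len)];
  }
  return $pass;
}

// Reproducibility check: TRUE means two supposedly independent runs produced
// the same password, which a password generator must never do.
function reproducible(callable $generator): bool {
  return $generator() === $generator();
}

$seed = 1234; // constructed value for the demonstration
echo 'mt_rand with a known seed reproducible: '
  . var_export(reproducible(function () use ($seed) { return password_from_mt_rand(8, $seed); }), true) . "\n";
echo 'random_int reproducible: '
  . var_export(reproducible(function () { return password_from_csprng(8); }), true) . "\n";
```

In Drupal 8+ the equivalent helpers are \Drupal\Component\Utility\Crypt::randomBytes() and Crypt::randomBytesBase64(); any code path that still calls mt_rand() or rand() for tokens, reset links or passwords is the thing to look for in review.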
102. Cross Site Request Forgery vulnerability is in the OWASP TOP 10 list from 2017.
?
104. Cross Site Request Forgery vulnerability is not in the OWASP TOP 10 list from 2017, but it was in 2013.
?
115. Many ways Drupal 8 is more secure! (source: https://events.drupal.org/sites/default/files/slides/pwolanin-2017-09-ways-drupal8-d.pdf)
Twig templates for HTML generation
Removed PHP format
Site configuration exportable, versionable
User content entry and filtering improvements
User session and session ID handling
Automated CSRF token protection
Trusted host patterns enforced for requests
Single statement execution for SQL
Clickjacking protection
Content security policy compatibility with Core Javascript API
117. Security advisories are issued only for
Stable modules
No alpha, beta or dev releases
d.org hosted projects
@Maintainers: if you are contacted, be supportive!
Drupal Security Team
Einstein said: “insanity is when you do the same thing over and over again and expect different results”
OWASP: Open Web Application Security Project
Reference for the XSS issue that was basically caused by a security misconfiguration.
Hide enabled blocks that are already in use from the selector
Context update from this Wednesday
Not because of having db_query deprecated, but: The $field param is used to derive various table and field names, but in each case the Database API automatically escapes these values. Note that the API does not do this for all arguments!
mt_rand() is not secure enough!
Insecure randomness in Mass Password Reset (SA-CONTRIB-2018-043), by Greg Knaddison