Drupal Security: Securing your Configuration. Justin C. Klein Keane, University of Pennsylvania School of Arts and Sciences, Information Security and Unix Systems.


Slide 1: Drupal Security, Securing your Configuration
- Justin C. Klein Keane
- University of Pennsylvania, School of Arts and Sciences, Information Security and Unix Systems

Slide 2: Security Responsibility
- The Drupal API protects sites from many threats
- Module code may have holes, but it's tough to find them on your own
- By definition you need to delegate privilege
- Enforcing safe configuration is just a mouse click away

Slide 3: Why Bother?
- “I'm running a small site, who would want to attack it?”
- “I back up every night, if it goes down I can just restore?”
- “I'm the only admin, so vulnerabilities don't actually affect users.”

Slide 4: Logical Fallacy
- You don't know what the attacker is after!
- Bandwidth
- Blackhat SEO
- Spam
- Drive-by download
- JavaScript port scanning
- Hosting an RFI text file
- On, and on, and on...

Slide 5: Risk Analysis
- Everyone should gauge their own risk
- Threat x Likelihood x Impact = Risk
- How can you judge likelihood?
- What about unknown threats?
- You may not think of security problems before they affect your site

Slide 6: Sample Attack Pattern
- Enumerate user accounts
- Brute force (guess) passwords
- Log in as a low-privilege user
- Escalate privilege
- Take over the web server process
- Establish a shell account
- Escalate privilege to root

Slide 7: Real World Attack Pattern
- Attacker identifies reflected XSS
- Attacker links to your reflected XSS
- Search engine crawls the link, which reflects to the attacker's site
- Attacker's site gains search rank based on your site

Slide 8: Other Attack Patterns
- Attacker discovers the ability to post content
- Attacker posts stored XSS
- Attacker posts to the site with a link to malware (trust exploitation)
- Attacker spams your site
- Attacker brute forces a site account
- Account has the same credentials as a shell account
- Possibilities are endless

Slide 9: Account = Privilege = Danger!
- Accounts have specific privileges
- Some privileges are super dangerous:
  - Administer content types
  - Administer filters
  - Administer users
  - Administer permissions
  - Administer site configuration

Slide 10: PHP through Web UI = THREAT
- If attackers can write PHP, it's game over
- Jealously protect PHP permissions
- Users with PHP can destroy the site by accident
- Poorly coded PHP can introduce other vulns!

Slide 11: Permissions to Create Content
- Created content could mean:
  - Stored XSS
  - Stored XSRF
  - Hijacked message
  - Exploited trust
  - Spam
  - Drive-by download
  - And on and on...

Slide 12: Privilege Continued
- Don't tree the Drupal permissions form!

Slide 13: Use Roles
- Create roles to subdivide permissions to only those users who actually need them.

Slide 14: Limit Access to User Profiles
- Consider using the RealName module
- Limit access to authenticated users

Slide 15: Creating Profiles
- Don't allow anonymous users to create new accounts (or they will)
- Be careful what permissions these accounts could get

Slide 16: Don't Email Passwords!
- Remove '!password' tokens!
- The login link works just fine

Slide 17: Limit PHP
- If you aren't using the PHP input type, get rid of it
- Delete php in the /modules directory
- This will remove the PHP input format filter
- Make sure no role has any permission with 'PHP' in the description
- Monitor your permission assignments
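As an added example (not part of the slides), a small audit script that applies the checks from slide 9 (the dangerous 'administer ...' permissions) and slide 17 (no role may hold a permission with 'PHP' in its description). It assumes rows shaped like a join of Drupal 6's role and permission tables, where each role carries one comma-separated permission string; the sample rows are constructed.

```python
"""Audit Drupal role permissions for the grants the slides call dangerous:
anything mentioning PHP, plus the 'administer ...' permissions that amount
to full site control. Input rows are (rid, role name, perm string) as you
would get from joining Drupal 6's `role` and `permission` tables (assumed
schema); SAMPLE_ROWS is constructed data, not taken from a real site."""

FULL_CONTROL = {
    "administer content types",
    "administer filters",
    "administer users",
    "administer permissions",
    "administer site configuration",
}

# Constructed sample: Drupal 6 stores one comma-separated string per role.
SAMPLE_ROWS = [
    (1, "anonymous user", "access content"),
    (2, "authenticated user", "access content, post comments, use PHP for block visibility"),
    (3, "editor", "access content, create story content, administer filters"),
    (4, "site admin", "administer permissions, administer users, administer site configuration"),
]


def split_perms(perm_field):
    """Turn the comma-separated permission string into a clean list."""
    return [p.strip() for p in perm_field.split(",") if p.strip()]


def audit_role(name, perm_field):
    """Return the permissions on this role that the slides flag as dangerous."""
    findings = []
    for perm in split_perms(perm_field):
        # Any permission whose description mentions PHP lets the holder run server-side code.
        if "php" in perm.lower():
            findings.append(f"{perm} (PHP execution)")
        elif perm in FULL_CONTROL:
            findings.append(f"{perm} (full control)")
    # The two built-in roles apply to every visitor or account, so a dangerous
    # grant there is far worse than the same grant on a named role.
    if findings and name in ("anonymous user", "authenticated user"):
        findings = [f + f" [applies to every {name}]" for f in findings]
    return findings


def audit_roles(rows):
    """Map role name -> findings, omitting roles with nothing to report."""
    return {name: audit_role(name, perm) for _rid, name, perm in rows if audit_role(name, perm)}


if __name__ == "__main__":
    for role, findings in audit_roles(SAMPLE_ROWS).items():
        print(role, *("  - " + f for f in findings), sep="\n")
```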

Slide 18: Refine Input Types
- Restrict HTML input

Slide 19: Modules
- Modules are the #1 way vulnerabilities get to your site
- Don't use pre-release modules, no matter what the help forums say!
- They aren't suitable for production
- They're not supported by Drupal security
- They're buggy by definition!

Slide 20: File Uploads
- Be careful what files can be uploaded

Slide 21: Restrict Error Reporting
- MySQL errors aren't helpful to users and can give away configuration details.

Slide 22: Mitigation
- Defensive strategies help to defend your Drupal site

Slide 23: Defense in Depth
- If you can't prevent – detect!
- Several core modules help

Slide 24: Defense in Depth
- Review your logs to detect
- Or use an automated system like OSSEC (http://www.ossec.net)

