Security of Drupal sites
@MoldCamp
About me
● Name: Vladimir Melnic
● Age: 28
● Drupal: https://drupal.org/user/1580452, ~2.7 years
● Email: [email protected]
● PHP, Bash, databases, IT, etc.
Are Drupal sites secure?
Drupal: security factors
● Drupal core.
● Drupal modules / custom code.
● Server.
● User.
OWASP
Open Web Application Security Project
● A1 - Injection
● A2 - Broken Authentication and Session Management
● A3 - Cross-Site Scripting (XSS)
● A4 - Insecure Direct Object References
● A5 - Security Misconfiguration
● A6 - Sensitive Data Exposure
● A7 - Missing Function Level Access Control
● A8 - Cross-Site Request Forgery (CSRF)
● A9 - Using Components with Known Vulnerabilities
● A10 - Unvalidated Redirects and Forwards
https://www.owasp.org
Top 10 2013: the most dangerous web vulnerabilities
A1 - Injection (SQL)
Injecting a command or a query.

Vulnerable: the request parameter is concatenated straight into the query text, so its value becomes SQL:

```php
db_query('SELECT lid, source FROM {locales_source} WHERE lid = ' . $_GET['id']) ...
```

An attacker-supplied value then executes as part of the statement:

```php
$_GET['id'] = 'DROP TABLE {user}';
```

Safe: pass the value through a named placeholder, so the database layer treats it as data, never as SQL:

```php
db_query('SELECT lid, source FROM {locales_source} WHERE lid = :lid', array(':lid' => $_GET['id'])) ...
```
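As an added example (not code from the slides), here is a complete Drupal 7 menu callback that does the lookup above safely. The module name `example_strings`, the path `string/%` and the callback names are hypothetical; `{locales_source}`, `db_query()`, `check_plain()` and `MENU_NOT_FOUND` are core Drupal 7 API.

```php
<?php
// Added example, not from the slides. Hypothetical module: example_strings.
// Looks up one row of {locales_source} by its lid, using a bound placeholder
// plus a type check instead of string concatenation.

/**
 * Implements hook_menu().
 */
function example_strings_menu() {
  $items['string/%'] = array(
    'title' => 'String source',
    'page callback' => 'example_strings_page',
    'page arguments' => array(1),
    'access arguments' => array('translate interface'),
  );
  return $items;
}

/**
 * Page callback for string/%.
 *
 * @param string $lid
 *   The raw path argument. It is user-controlled and must not reach SQL as text.
 */
function example_strings_page($lid) {
  // Defence in depth: the id is an integer by definition, so refuse anything
  // else before the database is even asked.
  if (!ctype_digit((string) $lid)) {
    return MENU_NOT_FOUND;
  }

  // The placeholder is sent to the driver separately from the SQL text, so
  // the value can never change the structure of the statement.
  $row = db_query(
    'SELECT lid, source FROM {locales_source} WHERE lid = :lid',
    array(':lid' => (int) $lid)
  )->fetchObject();

  if (!$row) {
    return MENU_NOT_FOUND;
  }

  // Escape on output as well: a stored string must not become markup (A3).
  return '<p>' . check_plain($row->source) . '</p>';
}
```

Placeholders only work for values. Table and column names cannot be bound, which is why Drupal wraps table names in `{}` and why dynamic column names should be checked against a fixed whitelist before being used.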
A2 - Broken Authentication and Session Management
Drupal is secure by default!
● User accounts are managed by Drupal core.
● The authentication cookie cannot be altered on the client side.
● The authentication cookie contains no login or password, only the session id.
● Sessions and cookies are destroyed and recreated automatically on login and logout.
● Cookies have a unique name for each site and are accessible only within the domain.
● Passwords are not stored or sent by email in plain text.
A3 - Cross-Site Scripting (XSS)
Do not allow 'dangerous' code to be stored.
● Validate the submitted data.
● Protect the data from SQL injection.
● Define the data types.
● Filter the data on insert according to its type.
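An added example (not from the slides) of the four points above in Drupal 7 form code: each field has a declared type, the numeric one is validated by type, the rich-text one carries a text format, and escaping happens on output with `check_plain()` and `check_markup()`. The module name `example_guestbook` and its table are hypothetical; `element_validate_integer_positive`, the `text_format` element, `check_plain()` and `check_markup()` are core API.

```php
<?php
// Added example, not from the slides. Hypothetical module: example_guestbook.

/**
 * Implements hook_schema(): declares the column types the data must fit.
 */
function example_guestbook_schema() {
  $schema['example_guestbook'] = array(
    'fields' => array(
      'id' => array('type' => 'serial', 'not null' => TRUE),
      'name' => array('type' => 'varchar', 'length' => 60, 'not null' => TRUE),
      'age' => array('type' => 'int', 'unsigned' => TRUE, 'not null' => TRUE, 'default' => 0),
      'message' => array('type' => 'text', 'not null' => TRUE),
      'format' => array('type' => 'varchar', 'length' => 255, 'not null' => TRUE),
    ),
    'primary key' => array('id'),
  );
  return $schema;
}

/**
 * Form builder: every input has a type, a length limit and a validator.
 */
function example_guestbook_form($form, &$form_state) {
  $form['name'] = array(
    '#type' => 'textfield',
    '#title' => t('Name'),
    '#maxlength' => 60,
    '#required' => TRUE,
  );
  $form['age'] = array(
    '#type' => 'textfield',
    '#title' => t('Age'),
    '#size' => 3,
    // Core validator: rejects anything that is not a positive integer.
    '#element_validate' => array('element_validate_integer_positive'),
  );
  $form['message'] = array(
    '#type' => 'text_format',
    '#title' => t('Message'),
    // A restrictive format; never the PHP format, and not Full HTML for
    // untrusted users. Drupal only offers formats the user may use.
    '#format' => 'filtered_html',
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Post'));
  return $form;
}

/**
 * Submit handler: store raw values together with the chosen text format.
 * Escaping is deferred to output so the stored data stays usable in any context.
 */
function example_guestbook_form_submit($form, &$form_state) {
  $values = $form_state['values'];
  db_insert('example_guestbook')
    ->fields(array(
      'name' => $values['name'],
      'age' => (int) $values['age'],
      'message' => $values['message']['value'],
      'format' => $values['message']['format'],
    ))
    ->execute();
  drupal_set_message(t('Thank you for your message.'));
}

/**
 * Renders one stored entry safely.
 */
function example_guestbook_render($entry) {
  // check_plain(): plain-text fields become inert text.
  // check_markup(): rich text is run through the stored format's filters
  // (tag whitelist, URL filter, ...) and cached by Drupal.
  return '<h3>' . check_plain($entry->name) . ' (' . (int) $entry->age . ')</h3>'
    . check_markup($entry->message, $entry->format);
}
```

Storing the format id next to the text matters: filtering at render time with the format the author was allowed to use is what keeps a later change of permissions from turning old content into an injection vector.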
A4 - Insecure Direct Object References
A7 - Missing Function Level Access Control
Drupal has a system for checking access to pages and even to individual page elements.
● 'access callback' in hook_menu()
● user_access('administer nodes', $account);
● node_access('edit', $node, $account);
● $select->addTag('node_access');
● $form['field_name']['#access'] = TRUE;
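An added example (not from the slides) that wires all four layers together in one hypothetical Drupal 7 module, `example_reports`: a menu access callback with a custom permission, a per-node `node_access()` check, a listing query tagged `node_access`, and a render element hidden with `#access`. Note that Drupal 7 spells the node operation `'update'` (the slide's `'edit'` is the Drupal 6 name) and the query method `addTag()`. The permission name, paths and content type are assumptions.

```php
<?php
// Added example, not from the slides. Hypothetical module: example_reports.

/**
 * Implements hook_permission().
 */
function example_reports_permission() {
  return array(
    'view private reports' => array('title' => t('View private reports')),
  );
}

/**
 * Implements hook_menu().
 */
function example_reports_menu() {
  // Function-level control (A7): the page exists only for users holding
  // the permission; everyone else gets 403 before the callback runs.
  $items['reports/private'] = array(
    'title' => 'Private reports',
    'page callback' => 'example_reports_page',
    'access callback' => 'user_access',
    'access arguments' => array('view private reports'),
  );
  // Object-level control (A4): the check is made against the specific node
  // loaded from the path, not against a global permission.
  $items['node/%node/archive'] = array(
    'title' => 'Archive',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_reports_archive_form', 1),
    'access callback' => 'example_reports_archive_access',
    'access arguments' => array(1),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * Access callback for node/%node/archive.
 */
function example_reports_archive_access($node, $account = NULL) {
  return $node->type == 'report' && node_access('update', $node, $account);
}

/**
 * Confirm form (Form API, so the submission is CSRF-protected) that unpublishes
 * the report. State changes belong in a POST, not in a GET page callback.
 */
function example_reports_archive_form($form, &$form_state, $node) {
  $form['#node'] = $node;
  return confirm_form($form, t('Archive %title?', array('%title' => $node->title)),
    'node/' . $node->nid);
}

function example_reports_archive_form_submit($form, &$form_state) {
  $node = $form['#node'];
  $node->status = NODE_NOT_PUBLISHED;
  node_save($node);
  $form_state['redirect'] = 'node/' . $node->nid;
}

/**
 * Page callback for reports/private.
 */
function example_reports_page() {
  // The node_access tag makes the query honour node grants, so the list can
  // never leak nodes the current user is not allowed to view.
  $nids = db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.type', 'report')
    ->condition('n.status', NODE_PUBLISHED)
    ->addTag('node_access')
    ->execute()
    ->fetchCol();

  $build = node_view_multiple(node_load_multiple($nids), 'teaser');

  // Element-level control: the note is rendered only for administrators.
  $build['admin_note'] = array(
    '#markup' => t('Internal note, visible to administrators only.'),
    '#access' => user_access('administer nodes'),
    '#weight' => 100,
  );
  return $build;
}
```

A query that omits `->addTag('node_access')` is the usual source of A4 leaks in custom listings: the page itself is protected, but the SQL behind it is not.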
A5 - Security Misconfiguration
● Set 'complex' passwords for the administrator.
● Review the 'administer …' permissions.
● Configure the text input filters/formats correctly.
● Do not use the PHP format.
● Check the type and size of the files users are allowed to upload.
● Do not use FTP to upload modules.
● Turn off error display.
● Disable devel and any modules that are not in use.
● Use Captcha.
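As an added example (not from the slides) for the file-upload and error-display items, here is a hypothetical Drupal 7 module, `example_upload`, that restricts uploads by extension and size and stores them under the private file scheme, with the two `settings.php` overrides shown as comments. `file_save_upload()`, `file_validate_extensions`, `file_validate_size`, `file_prepare_directory()`, `file_usage_add()` and `ERROR_REPORTING_HIDE` are core API; the private path and the allowed extensions are assumptions.

```php
<?php
// Added example, not from the slides. Hypothetical module: example_upload.
//
// Related settings.php overrides (hypothetical values):
//   $conf['error_level'] = ERROR_REPORTING_HIDE;      // no error output to visitors
//   $conf['file_private_path'] = '/var/www/private';  // outside the web root
// The same settings are reachable in the UI under Logging and errors and
// File system; putting them in settings.php keeps them out of the database
// and makes them reviewable in version control.

/**
 * Form builder with a single file field.
 */
function example_upload_form($form, &$form_state) {
  $form['#attributes']['enctype'] = 'multipart/form-data';
  $form['attachment'] = array(
    '#type' => 'file',
    '#title' => t('Attachment'),
    '#description' => t('PDF or PNG, at most 2 MB.'),
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Upload'));
  return $form;
}

/**
 * Validate handler: the validators run before the file is accepted.
 */
function example_upload_form_validate($form, &$form_state) {
  $validators = array(
    // Whitelist of extensions. Drupal also renames files with other
    // executable extensions to *.txt unless allow_insecure_uploads is on.
    'file_validate_extensions' => array('pdf png'),
    // Upper bound on size in bytes: 2 MB.
    'file_validate_size' => array(2 * 1024 * 1024),
  );

  // Private scheme: the web server never serves these files directly, so a
  // disguised script can never be executed by requesting its URL.
  $directory = 'private://attachments';
  if (!file_prepare_directory($directory, FILE_CREATE_DIRECTORY)) {
    form_set_error('attachment', t('The upload directory is not writable.'));
    return;
  }

  $file = file_save_upload('attachment', $validators, $directory);
  if ($file === FALSE) {
    // A validator failed; file_save_upload() has already set the messages.
    form_set_error('attachment', t('The file could not be saved.'));
  }
  elseif ($file) {
    $form_state['storage']['file'] = $file;
  }
  else {
    form_set_error('attachment', t('Please choose a file.'));
  }
}

/**
 * Submit handler: make the temporary file permanent and record its usage.
 */
function example_upload_form_submit($form, &$form_state) {
  $file = $form_state['storage']['file'];
  $file->status = FILE_STATUS_PERMANENT;
  file_save($file);
  file_usage_add($file, 'example_upload', 'attachment', $file->fid);
  drupal_set_message(t('Uploaded %name.', array('%name' => $file->filename)));
}
```

Without a registered usage the file stays temporary and cron deletes it, which is the intended behaviour for uploads that never completed.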
A6 - Sensitive Data Exposure
● Check the read/write permissions on files.
● Restrict access to phpMyAdmin.
● Restrict access to database backups.
● Do not use FTP; use SFTP or SSH.
● Do not use root privileges for MySQL.
● Make sure Apache, MySQL and PHP are updated to the latest version.
A8 - Cross-Site Request Forgery (CSRF)
● Use the Form API.
● For links and AJAX requests without the Form API, use a token:

```php
'query' => array('token' => drupal_get_token('email_verify_' . $uid));
...
if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], 'email_verify_' . $uid)) {
  // reject the request
}
```
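The fragment above completed into a working Drupal 7 module, as an added example (not code from the slides): the link carries a token bound to the target account, and the GET callback refuses any request whose token does not validate. The module name `example_verify`, the path and the callback names are assumptions; `drupal_get_token()`, `drupal_valid_token()`, `l()`, `_user_mail_notify()` and `MENU_ACCESS_DENIED` are core API.

```php
<?php
// Added example, not from the slides. Hypothetical module: example_verify.
// A state-changing GET link (re-sending a verification e-mail) protected by a
// per-session token. Forms built with the Form API get this check for free.

/**
 * Implements hook_menu().
 */
function example_verify_menu() {
  $items['user/%user/resend-verification'] = array(
    'title' => 'Resend verification e-mail',
    'page callback' => 'example_verify_resend',
    'page arguments' => array(1),
    'access callback' => 'example_verify_access',
    'access arguments' => array(1),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: only the account owner or an administrator.
 * Authorisation and CSRF protection are separate layers; both are needed.
 */
function example_verify_access($account) {
  global $user;
  return $user->uid == $account->uid || user_access('administer users');
}

/**
 * Builds the link. The token value includes the uid, so a token obtained for
 * one account does not validate for another.
 */
function example_verify_link($account) {
  return l(
    t('Resend verification e-mail'),
    'user/' . $account->uid . '/resend-verification',
    array('query' => array('token' => drupal_get_token('email_verify_' . $account->uid)))
  );
}

/**
 * Page callback: validates the token, then performs the action.
 */
function example_verify_resend($account) {
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], 'email_verify_' . $account->uid)) {
    // No token, or a token minted for another session or another uid: the
    // request did not come from a page we rendered for this user.
    return MENU_ACCESS_DENIED;
  }
  _user_mail_notify('register_no_approval_required', $account);
  drupal_set_message(t('The verification e-mail has been sent.'));
  drupal_goto('user/' . $account->uid);
}
```

The token is derived from the session id and the site's private key, so it cannot be precomputed by a third-party page; the attacker's site would need the victim's session to forge it.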
A9 - Using Components with Known Vulnerabilities
Check the code with:
● Hacked!
● Coder
● Secure Code Review
● Security Review
A10 - Unvalidated Redirects and Forwards
For internal redirects use:
drupal_goto() or $form['#redirect']
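An added example (not from the slides) of both redirect mechanisms with the destination restricted to internal paths. In Drupal 7 the form redirect is set through `$form_state['redirect']` (`$form['#redirect']` is the Drupal 6 property). The module name `example_login`, the `return` query parameter and the helper are assumptions; `url_is_external()`, `drupal_goto()` and `'<front>'` are core API.

```php
<?php
// Added example, not from the slides. Hypothetical module: example_login.
// A "return to" path supplied by the user is accepted only if it is an
// internal Drupal path; anything else falls back to the front page.

/**
 * Returns a path that is safe to redirect to.
 *
 * @param mixed $path
 *   Raw user input (query parameter, form value).
 */
function example_login_safe_return_path($path) {
  $path = (string) $path;
  if ($path === ''
    // Scheme-qualified URLs such as http://other.example (url_is_external()
    // also rejects dangerous schemes like javascript:).
    || url_is_external($path)
    // Extra defence, assumed here: internal Drupal paths never start with a
    // slash, and rejecting them also covers protocol-relative //host forms.
    || strpos($path, '/') === 0) {
    return '<front>';
  }
  return $path;
}

/**
 * Form API variant: the redirect is set in $form_state after validation.
 */
function example_login_form($form, &$form_state) {
  $form['return'] = array(
    '#type' => 'value',
    '#value' => isset($_GET['return']) ? $_GET['return'] : '',
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Continue'));
  return $form;
}

function example_login_form_submit($form, &$form_state) {
  $form_state['redirect'] = example_login_safe_return_path($form_state['values']['return']);
}

/**
 * Page callback variant using drupal_goto().
 */
function example_login_bounce() {
  $path = isset($_GET['return']) ? $_GET['return'] : '';
  drupal_goto(example_login_safe_return_path($path));
}
```

Both `drupal_goto()` and the Form API run the path through `url()`, so a path that passes the helper is rendered relative to the site's own base URL and cannot leave the site.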
So... are Drupal sites secure?
Thank you for your attention!
Resources
● https://www.owasp.org/index.php/About_OWASP
● https://drupal.org/security/secure-configuration
● https://drupal.org/coding-standards
● http://www.slideshare.net/eugef/security-of-drupal-sites
● http://www.slideshare.net/ErwinAMGeirnaert/owasp-top-10-vs-drupal-owasp-benelux-2012
● http://crackingdrupal.com/blog
● https://drupal.org/project/security_review
● https://drupal.org/project/hacked
● https://drupal.org/project/secure_code_review
● http://drupalscout.com/knowledge-base