Command Execution: SQL Injection and Friends

Command execution generally includes operating system commands and SQL injection. In general, however, this is a potential issue for every system that your site interacts with, such as XML-RPC, REST, and SOAP services. The basic problem is that data from the user (the content of your blog post) is mixed with control information (the query that inserts that content into the database), and the combined string is executed against the database. This book focuses on SQL injection more than other types of command...
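The data/control mix described above, shown as an added example that is not the book's own code: the same node lookup written first with string concatenation and then with Drupal 6 query placeholders. It assumes a Drupal 6 runtime (db_query(), db_fetch_object(), the {table} prefix syntax); the function names are hypothetical.

```php
<?php
// Added example, not from the book. Assumes Drupal 6 database functions.

/**
 * Vulnerable: user data is concatenated into the control string (the query).
 * A title such as  ' OR '1'='1  changes the meaning of the SQL rather than
 * being compared as a value.
 */
function example_find_node_unsafe($title) {
  $sql = "SELECT nid, title FROM {node} WHERE title = '" . $title . "'";
  return db_fetch_object(db_query($sql));
}

/**
 * Hardened: data and control stay separate. db_query() receives the query
 * template with placeholders plus the values as extra arguments; %s is
 * escaped and %d is cast to an integer before substitution, so the user can
 * only ever change what is compared, never the shape of the statement.
 */
function example_find_node_safe($title, $uid) {
  return db_fetch_object(db_query(
    "SELECT nid, title FROM {node} WHERE title = '%s' AND uid = %d",
    $title, $uid
  ));
}

/**
 * Edge case: LIKE patterns. Placeholders stop injection, but a literal '%'
 * or '_' in user input would still widen the match, so escape the wildcard
 * characters first. A literal percent sign in the template is written as %%.
 */
function example_search_titles($fragment) {
  $fragment = strtr($fragment, array('%' => '\%', '_' => '\_'));
  $result = db_query(
    "SELECT nid, title FROM {node} WHERE title LIKE '%%%s%%'",
    $fragment
  );
  $matches = array();
  while ($row = db_fetch_object($result)) {
    $matches[$row->nid] = $row->title;
  }
  return $matches;
}
```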

Filtering HTML-Formatted Code: check_markup

Given that check_plain won't handle your HTML, what should you do? The answer lies in check_markup, which filters data according to the configuration of a site's Input Format system. Remember, input formats were discussed toward the end of Chapter 3. The different text areas in Drupal are often accompanied by a control that lets users select the proper input format for the text. By default, users can choose between Filtered HTML and Full HTML. Of course, they can choose between those only if they...

Cross-Site Request Forgery

The nature of a cross-site request forgery (CSRF) is that an attacker can make "you" do something without your knowledge. This is similar to stealing your session but limited to specific actions on a site. There are two basic types of CSRF: those based on GET requests and those based on POST requests. The HTTP specification defines several types of server requests, among them GET and POST. A GET request is probably the most common; it happens every time you click a link or type an...

Input Formats and Filters

One of Drupal's great features is the input formats, which allow various roles to input different kinds of HTML content. One of the main purposes is ensuring that users with basic roles are limited to certain HTML tags and that they can't abuse those tags to execute XSS. You may want to limit anonymous users to style tags like <strong>, <em>, and <blockquote> but reserve more important and specific tags like <h2> and <embed> for advanced roles. The filter system goes...

Updating Drupal Core and Running the Update Script

If you have Drupal core under version control, simply change directory to the Drupal document root and execute the following, replacing DRUPAL-6-3 with the latest version if greater: cvs update -dPr DRUPAL-6-3. Otherwise, delete all Drupal core files and replace them with the latest Drupal 6.x version, no earlier than 6.3. It bears emphasizing that in sites/default there is a new file called default.settings.php, which changes your basic default settings file. This file should be...

Implementing the Translator Team Leader's Workflow

The translator team leader plays a central role in the site, as one of the users who is able to perform many of the user stories. In the steps that follow, these user stories can be divided into two main categories, namely, having to manage registrations and having to manage the translations themselves. This divides our implementation of the user stories into these two parts. Table B-13 shows menu entries that are relevant to the team leader. WEIGHT (OR JUST DRAG INTO APPROPRIATE POSITION)...

Installing the Vulnerable Module

At this point you should be very familiar with installing and configuring modules. The last module to install to be ready for this book is the Vulnerable module, available from http://crackingdrupal.com, which makes it slightly different from the other modules that you downloaded from drupal.org itself. The reason the module is kept separate is that it should never be installed on a normal site. Modules with such a specific and dangerous purpose are not appropriate to upload to the repository of...

Defining Permissions: hook_perm

In Chapter 3 you learned about the permissions page and how an errant click on that page could allow a typical user to perform actions she shouldn't be allowed to do. Let's dig into how that page is constructed and how the permissions are checked. The hook hook_perm is a function that any module can implement to add more permissions to the list at Administer > User Management > Permissions. Here is an example usage of the function from the Drupal core blog module: return array('create blog...

Web Server File System Permissions

Drupal requires write permissions to the files directory and the temp directory to enable features such as file uploads, CSS aggregation, and the upload of a new logo for the theme. However, it is a dangerous mistake to simply let Drupal write to all of the files inside the document root on your web server. Doing so would allow Drupal to write files that could then be executed. Again, you endeavor to audit your site and never let an attacker upload PHP code, which could be...

Strategies to Crack Drupal

This chapter goes example by example through several strategies to crack Drupal. The first is simply to search for a common security mistake in the code and then use some advanced Google search modifiers to find potentially vulnerable sites. Then you take a look at two vulnerabilities that were "happened upon" and discuss some things to be aware of as you click around sites and review code to increase the likelihood that you will happen upon these issues as well. A big part of finding bugs is...

Input Format Access: filter_access

The Filter module contains its own security system apart from the normal user_access system. It is fairly likely that this will be changed in the future so that filters are just normal permissions controlled by hook_perm and user_access. For now, we need a separate check. Figure 4-1 shows the filter system's nonstandard set of controls for determining which roles can use a filter. It also provides a function to check whether a user has permission to use a particular format: filter_access. The...

Using Grep to Search for Common Mistakes

The first technique is to use command-line tools to search for patterns of text that will identify commonly made mistakes. For this specific example, you'll use the Concurrent Versions System (CVS) client tool to get a local copy of all the files for Drupal's contributed modules. Then you'll use the grep command to search for patterns inside the code. There are many other tools for searching text files, but grep is one of the most commonly installed and used tools for this purpose. What should we...

Password-Related Modules

User passwords are a common source of vulnerabilities on a site. Attackers can use dictionary attacks or brute force attacks to guess the passwords on a site if the passwords are simple enough. On the other hand, forcing users to use complex passwords or to change them on a regular basis can lead end users to start writing their passwords down. Ideally a balance must be struck between password strength and usability. One potential solution is to use OpenID, discussed shortly. Password Strength: This...

What Are Hooks, Form Handlers, and Overrides?

When describing what makes Drupal great, many developers cite the fact that Drupal provides the most commonly needed functionality without any custom code but can easily be modified to suit very specific needs. One of the main reasons people choose not to use a framework is that it isn't flexible enough or specific enough to handle a certain business purpose. To solve that common issue, Drupal provides ways to alter its functionality through API features such as hooks, handlers, and overrides....

Making the Site Bilingual

Things are kept very simple and straightforward when you always bear in mind the user stories and the domain. To implement the user stories concerning translations and the domain class Translation itself, the website must be made fully bilingual. 1. Go to the Drupal Translations download page (http://drupal.org/project/Translations) and download the Spanish translation for Drupal 6.x, which you will be using as an example, to your local machine. Unpack it into a convenient directory, and then...

Authentication, Authorization, and Sessions

The three interrelated concepts of authentication, authorization, and sessions govern users and permissions. Together, they form a key part of a site's attack surface, because a vulnerability here allows an attacker to pretend to be another user on the site or to do something that is not allowed. In a system like Drupal, where the administration interface is merged with the regular interface, this area is even more critical. Finding a weakness here may allow an attacker to assume the role of an...

Finding, Exploiting, and Avoiding Vulnerabilities

Where we finally put your new skills to use: finding vulnerabilities, exploiting them, fixing them, and working with the security team. This is the beginning of Part III, where we stop talking about theoretical situations and start dealing with real vulnerabilities in the wild. As I write this chapter, there have been some interesting recent developments. First, a class of weaknesses has been discovered in Drupal 6: modules that were built for Drupal 5 are being upgraded sloppily with improper...

Testing Drupal with the Drupal Coder Module

The Coder module is a powerful tool for analyzing Drupal code. The module was created by Doug Green, but it has since had significant improvements by many users, including Stella Power and Daniel F. Kudwien. Initially it analyzed code to ensure it conformed to the Drupal coding standards and to help identify changes from one version of Drupal to another, but since it is built in an extensible manner, it can perform many different kinds of source-code analysis. It has been expanded to include...

Visitor Analysis

By just visiting your site, users give you a lot of information you can use to make decisions about them. Further, whenever they submit information to your site you gain more information, which you can use to evaluate their intentions. The next two modules evaluate visitors to try to identify attackers and potential attackers. PHPIDS (http://drupal.org/project/phpids): This module compares content submissions to the rules of the PHP-Intrusion Detection System and tries to identify attacks on a site. In...

Semantic Protection: Invalid Form Data

One common mistake among new web developers is to assume that a site visitor will only submit the HTML forms exactly as they are presented. However, a malicious visitor could save the page as a local HTML file, edit it to add the option she wants, load the local file into her browser, and submit the new form back to your site. That's a bit of work, so there are special tools such as local proxies and browser plug-ins such as the Firefox Tamper Data extension that make it quite easy for a site...

Overridable Templates and Functions

A major part of Drupal's theme system is the theme function, which allows designers to override the default HTML. Theme functions and templates exist from the very high-level page.tpl.php, which controls the broad layout of the page, down to the theme_menu_item function, which defines the style applied to all the entries in the menu system. The theme function is called with the name of the default theme function and then any arguments. The flowchart in Figure 6-1 provides a very basic visual...

Cross-Site Scripting

The basic purpose of Drupal is to take data from users, store it, and display it back to other users. This can cause a problem when an attacker finds a way to add code of some sort into the site so that it executes when other users look at it. JavaScript is the most common vehicle for these attacks, but any language that is executable by the browser can be used. This code has the ability to take actions impersonating the user, and if the code runs on your Drupal site, it has access to your full...

Menu Callback Permissions

One of the most common places to check a user's access is in the menu definition. Drupal's menu system is based on each module implementing the hook_menu function, which returns an array filled with information about the menus and paths defined by that module. The array has two keys that are related to access: 'access callback' and 'access arguments'. Following is a single item from the hook_menu implementation in the Blog module: $items['blog'] = array('title' => 'Blogs', 'page callback' =>...
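Both the hook_perm passage above and this hook_menu passage describe the same mechanism from two ends, so here is one added example covering both. It is not the book's code: a hypothetical Drupal 6 module named "example" that defines its own permissions and then uses the default user_access() check for one path and a custom access callback for another. Node type 'example_report' and every function name are assumptions.

```php
<?php
// Added example, not from the book. Hypothetical Drupal 6 module "example".

/**
 * Implementation of hook_perm().
 * These strings become rows at Administer > User Management > Permissions.
 */
function example_perm() {
  return array('view example reports', 'edit own example reports');
}

/**
 * Implementation of hook_menu().
 */
function example_menu() {
  $items = array();

  // Simple case: 'access callback' is omitted, so it defaults to
  // user_access() and the permission named in 'access arguments' is checked.
  $items['example/reports'] = array(
    'title' => 'Reports',
    'page callback' => 'example_reports_page',
    'access arguments' => array('view example reports'),
    'type' => MENU_NORMAL_ITEM,
  );

  // Ownership case: the %node wildcard makes the menu system node_load() the
  // path component at position 2 and hand the loaded node to both callbacks.
  $items['example/reports/%node/edit'] = array(
    'title' => 'Edit report',
    'page callback' => 'example_report_edit_page',
    'page arguments' => array(2),
    'access callback' => 'example_report_edit_access',
    'access arguments' => array(2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Custom access callback. Returning FALSE makes the menu system answer with
 * a 403 (drupal_access_denied()) before the page callback ever runs.
 */
function example_report_edit_access($node) {
  global $user;
  // Reject anything that is not one of our nodes, then require both the
  // permission and ownership; 'administer nodes' bypasses the ownership test.
  if (!$node || $node->type != 'example_report') {
    return FALSE;
  }
  if (user_access('administer nodes')) {
    return TRUE;
  }
  return user_access('edit own example reports') && $node->uid == $user->uid;
}
```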

Modifying Queries for Access: db_rewrite_sql

Node access is a big topic, and it can be hard to break into chunks. By the end of the chapter, you should have a complete picture, but some of the individual pieces may not make sense on their own. Just keep following along, and you will be rewarded. To start, you'll see what you need to know as a module developer or a site admin who is deciding whether or not a module is written to properly respect the node access system and, more specifically, db_rewrite_sql within node_access. Let's look at...

Access Definitely Denied

One common action on a site is to declare that access has been denied for a particular request or action. In the browser, this appears as an "Access denied" message and an HTTP status code of 403 to let the browser know that there was a problem. If you were writing your own code, you would have to create the specific HTTP headers and some content to send to the user. In Drupal there is a convenience function called drupal_access_denied that handles that for you. The menu system is one common...

Testing Drupal with Grendel Scan

In addition to the various Drupal-based and Drupal-specific solutions, there are also several general tools available to perform vulnerability analysis. Many of these tools tackle individual pieces: SQL injection, XSS, or providing a local proxy that allows a user to manually alter browser requests. There is also a relatively new tool called Grendel-Scan (Figure 8-6), which leverages many existing tools to provide an impressive array of scanning and vulnerability analysis capabilities. General...

Testing

Why audit code when tools can do it for you? I once heard a great story describing the difference between engineers and software developers: If you ask engineers to build a bridge from San Francisco to Japan, they'll just tell you it's impossible. If you ask software developers to approach the problem, they'll just write a little function that builds a 1-meter unit of bridge and then put it in a loop until the bridge is finished. Certainly one of the defining characteristics of software...

Using Extra Security Modules

Drupal is guided by the idea that core should be small but extensible and include only the most common features and APIs necessary to build a site. All other features should be implemented as extension modules that provide the additional functionality. So Drupal's core provides protection against common security vulnerabilities but does not provide some features that may be useful if you feel that your site needs more security than core provides. Skeptical readers may note that...

Node Access Storage Explained

As you may have noticed in the queries shown earlier in this chapter, the node_access database table holds information about which users can take which actions on which nodes. If you install a brand new site and have not enabled any node access modules, your node_access table will look like Table 7-1. Table 7-1: Default values in the node_access table (columns: GID, REALM, GRANT VIEW, GRANT UPDATE, GRANT DELETE). This is Drupal's default access record, and it has a special meaning that indicates to a site that...

More Testing: Drupal with the Drupal Security Scanner

The Security Scanner tool was a project sponsored by Google's Summer of Code program in 2008 and developed by Dario Battista Ghilardi under the mentorship of Karoly Negyesi. Given its relatively young age, some of the features are likely to change, but the general concepts will remain true. The module has three major stages: crawl a site, gathering information about the pages; plant seeds of potential cross-site scripting; and crawl the site a second time to see if any of the seeds have sprouted into a...

Application Scope and Domain

Before attempting to build any website, it is very important to follow a certain workflow. Mapping out the scope and domain allows for a very significant amount of cheap mental development and simplifies the whole process, since that process concretely comprises a series of implementation steps involving design and implementation. This is in opposition to the expensive kind of development, which you need to avoid like the plague, because it involves doing work and then...

Form API: Sanitizing Options and Labels

The Form API provides a way for developers to add labels to form elements. It automatically sanitizes a few properties but not others, so it is important that developers take care to filter user-supplied data if it is going to be used in an unfiltered part of the Form API. The Form API is based on a system that takes an array of data and processes it to render a form. This array, passed to drupal_get_form, is composed of elements and properties. In general, the properties are...

Google Code University

Articles on XSS: Google has some great articles and videos about web security. The doc-reader articles are a particularly thorough review of protection against XSS, including fairly obscure forms of XSS such as UTF-7, malformed UTF-8, and attacks via user-uploaded files with malicious content. The videos and articles in the Code University provide a much broader review of security in general and of the most common forms of XSS attacks.