Installing the Vulnerable module

At this point you should be very familiar with installing and configuring modules. The last module to install to be ready for this book is the Vulnerable module, available from http://crackingdrupal.com, which makes it slightly different from the other modules that you downloaded from drupal.org itself. The reason the module is kept separate is that it should never be installed on a normal site. Modules with such a specific and dangerous purpose are not appropriate to upload to the repository of...

Sanitizing a Typical Drupal Database

One possibility is to sanitize the database in a way that removes all meaningful private data but retains realistic amounts of data in typical fields, so that the database is still useful for performance testing. The main strategy is to overwrite private fields with meaningless data and erase some tables that can be easily regenerated and that contain sensitive messages, as shown here:

UPDATE users SET mail = CONCAT(name, '@localhost'), init = CONCAT(name, '@localhost');
UPDATE comments SET mail = CONCAT(name, ...

Defining Permissions: hook_perm

In Chapter 3 you learned about the permissions page and how an errant click on that page could allow a typical user to perform actions she shouldn't be allowed to do. Let's dig into how that page is constructed and how the permissions are checked. The hook hook_perm is a function that any module can implement to add more permissions to the list at Administer > User Management > Permissions. Here is an example usage of the function from the Drupal core blog module: return array('create blog...

Web Server File System Permissions

Drupal requires write permissions to the files directory and the temp directory to enable features such as file uploads, CSS aggregation, and the upload of a new logo for the theme. However, it is a dangerous mistake to simply let Drupal have permission to write to all of the files inside the document root on your web server. Doing so would allow Drupal to write files that could then be executed. Again, you endeavor to audit your site and never let an attacker upload PHP code, which could be...

Strategies to Crack Drupal

This chapter goes example by example through several strategies to crack Drupal. The first is simply to search for a common security mistake in the code and then use some advanced Google search modifiers to find potentially vulnerable sites. Then you take a look at two vulnerabilities that were "happened upon" and discuss some things to be aware of as you click around sites and review code to increase the likelihood that you will happen upon these issues as well. A big part of finding bugs is...

Input Format Access: filter_access

The Filter module contains its own security system apart from the normal user_access system. It is fairly likely that this will be changed in the future so that filters are just normal permissions controlled by hook_perm and user_access. For now, we need a separate check. Figure 4-1 shows the filter system's nonstandard set of controls for determining which role can use a filter. The module also provides a function to check whether a user has permission to use a particular format: filter_access. The...

Using Grep to Search for Common Mistakes

The first technique is to use command-line tools to search for patterns of text that will identify commonly made mistakes. For this specific example, you'll use the Concurrent Versions System (CVS) client tool to get a local copy of all the files for Drupal's contributed modules. Then you'll use the grep command to search for patterns inside the code. There are many other tools for searching text files, but grep is one of the most commonly installed and used tools for this purpose. What should we...

Password-Related Modules

User passwords are a common source of vulnerabilities on a site. Attackers can use dictionary attacks or brute force attacks to guess the passwords on a site if the passwords are simple enough. On the other hand, forcing users to use complex passwords or change them on a regular basis can lead the end user to start writing down the passwords. Ideally a balance must be met between password strength and usability. One potential solution is to use OpenID, discussed shortly.

Password Strength

This...

What Are Hooks, Form Handlers, and Overrides?

When describing what makes Drupal great, many developers cite the fact that Drupal provides the most commonly needed functionality without any custom code but can easily be modified to suit very specific needs. One of the main reasons people choose not to use a framework is that it isn't flexible enough or specific enough to handle a certain business purpose. To solve that common issue, Drupal has created ways to alter its functionality with API features such as hooks, handlers, and overrides....

Making the Site Bilingual

Things are kept very simple and straightforward when you always bear in mind the user stories and the domain. To implement the user stories concerning translations and the domain class Translation itself, the website must be made fully bilingual.

1. Go to the Drupal Translations download page (http://drupal.org/project/Translations), and download the Spanish translation for Drupal 6.x, which you will be using as an example, to your local machine. Unpack it into a convenient directory, and then...

Authentication, Authorization, and Sessions

The three interrelated concepts of authentication, authorization, and sessions govern users and permissions. Together, they form a key part of a site's attack surface, because a vulnerability here allows the attacker to pretend to be another user on the site or do something that's not allowed. In a system like Drupal, where the administration interface is merged with the regular interface, this area is even more critical. Finding a weakness here may allow an attacker to assume the role of an...

Finding, Exploiting, and Avoiding Vulnerabilities

Where we finally put your new skills to use: finding vulnerabilities, exploiting them, fixing them, and working with the security team. This is the beginning of Part III, where we stop talking about theoretical situations and start dealing with real vulnerabilities in the wild. As I write this chapter, there have been some interesting recent developments. First, a class of weaknesses has been discovered in Drupal 6: modules that were built for Drupal 5 are being upgraded sloppily with improper...

Test Drupal with Drupal Coder Module

The Coder module is a powerful tool for analyzing Drupal code. The module was created by Doug Green, but it has since had significant improvements by many users, including Stella Power and Daniel F. Kudwien. Initially it analyzed code to ensure it conformed to the Drupal coding standards and to help identify changes from one version of Drupal to another, but since it is built in an extensible manner, it can perform many different kinds of source-code analysis. It has been expanded to include...

Visitor Analysis

By just visiting your site, users give you a lot of information you can use to make decisions about them. Further, whenever they submit information to your site you gain more information, which you can use to evaluate their intentions. These next two modules evaluate visitors to try to identify attackers and potential attackers.

PHPIDS (http://drupal.org/project/phpids)

This module compares content submissions to the rules of the PHP Intrusion Detection System and tries to identify attacks on a site. In...

Semantic Protection: Invalid Form Data

One common mistake among new web developers is to assume that a site visitor will only submit the HTML forms as they are presented to the user. However, a malicious visitor could save the page as a local HTML file, edit it to add the option she wants, load the local file into her browser, and submit the new form back to your site. That's a bit of work, so there are special tools such as local proxies and browser plug-ins such as the Firefox Tamper Data extension that make it quite easy for a site...
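The defensive counterpart to the tampering described above, as an added example that is not from the book or from Drupal itself: a hypothetical Drupal 6 module named mymodule builds a select list from the current user's own nodes, relies on the Form API to reject any submitted value that was not in #options, and then re-checks the meaning of the value in a validate handler rather than trusting that the rendered choices are still valid at submit time. The module name, form id and column choices are assumptions.

```php
<?php
// Added example for a hypothetical module "mymodule" (Drupal 6 Form API).

/**
 * Form builder: lets a user pick one of their own nodes to publish.
 */
function mymodule_publish_form(&$form_state) {
  global $user;
  $options = array();
  $result = db_query("SELECT nid, title FROM {node} WHERE uid = %d", $user->uid);
  while ($row = db_fetch_object($result)) {
    // Select option labels are sanitized by the Form API when rendered.
    $options[$row->nid] = $row->title;
  }
  $form['nid'] = array(
    '#type' => 'select',
    '#title' => t('Node to publish'),
    // On submit the Form API rejects any value that is not a key of #options,
    // so a value added with a local proxy never reaches the handlers below.
    '#options' => $options,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Publish'));
  return $form;
}

/**
 * Validate handler: check what the value means, not only that it was one of
 * the options rendered. A replayed form can reference a node that has since
 * changed owner, or a user whose role has since been revoked.
 */
function mymodule_publish_form_validate($form, &$form_state) {
  $node = node_load($form_state['values']['nid']);
  if (!$node || !node_access('update', $node)) {
    form_set_error('nid', t('You are not allowed to publish this content.'));
  }
}

/**
 * Submit handler: only reached when both checks above passed.
 */
function mymodule_publish_form_submit($form, &$form_state) {
  $node = node_load($form_state['values']['nid']);
  $node->status = 1;
  node_save($node);
  drupal_set_message(t('%title has been published.', array('%title' => $node->title)));
}
```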

Overridable Templates and Functions

A major part of Drupal's theme system is the theme function, which allows designers to override the default HTML. Theme functions and templates exist from the very high-level page.tpl.php, which controls the broad layout of the page, down to the theme_menu_item function, which defines the style applied to all the entries in the menu system. The theme function is called with the name of the default theme function and then any arguments. The flowchart in Figure 6-1 provides a very basic visual...

Cross-Site Scripting

The basic purpose of Drupal is to take data from users, store it, and display it back to other users. This can cause a problem when an attacker finds a way to add code of some sort into the site so that it executes when other users look at it. JavaScript is the most common vehicle for these attacks, but any language that is executable by the browser can be used. This code has the ability to take actions impersonating the user, and if the code runs on your Drupal site, it has access to your full...

Menu Callback Permissions

One of the most common places to check a user's access is in the menu definition. Drupal's menu system is based on each module implementing the hook_menu function, which returns an array filled with information about the menus and paths defined by that module. The array has two keys that are related to access: 'access callback' and 'access arguments'. Following is a single item from the hook_menu implementation in the Blog module: $items['blog'] = array('title' => 'Blogs', 'page callback' =>...
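To show how hook_perm (from the "Defining Permissions" section above) and the two access keys of hook_menu fit together, here is an added example that is not from the book, the Blog module or Drupal core: a hypothetical Drupal 6 module named mymodule declares two permissions, guards one path with the default user_access() check and another with a custom access callback. The module name, paths, permission strings and the page callbacks they name (assumed to exist elsewhere in the module) are assumptions.

```php
<?php
// Added example for a hypothetical module "mymodule" (Drupal 6 API).

/**
 * Implementation of hook_perm().
 * Declares the permissions so they appear on the Permissions page.
 */
function mymodule_perm() {
  return array('view mymodule reports', 'administer mymodule');
}

/**
 * Implementation of hook_menu().
 * When 'access callback' is omitted it defaults to user_access(), so
 * 'access arguments' must name the permission to check.
 */
function mymodule_menu() {
  $items = array();
  $items['mymodule/reports'] = array(
    'title' => 'Reports',
    'page callback' => 'mymodule_reports_page',
    'access arguments' => array('view mymodule reports'),
    'type' => MENU_NORMAL_ITEM,
  );
  // %user loads the account from the uid in position 2 of the path and
  // hands it to both the page callback and the access callback.
  $items['mymodule/reports/%user'] = array(
    'title' => 'User report',
    'page callback' => 'mymodule_user_report_page',
    'page arguments' => array(2),
    'access callback' => 'mymodule_report_access',
    'access arguments' => array(2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: must return TRUE or FALSE and nothing else; the menu
 * system turns FALSE into the 403 page, so never print or redirect here.
 * Administrators see every report; other users only their own.
 */
function mymodule_report_access($account) {
  global $user;
  if (user_access('administer mymodule')) {
    return TRUE;
  }
  return user_access('view mymodule reports') && $account->uid == $user->uid;
}
```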

Modifying Queries for Access: db_rewrite_sql

Node access is a big topic, and it can be hard to break into chunks. By the end of the chapter, you should have a complete picture, but some of the individual pieces may not make sense on their own. Just keep following along, and you will be rewarded. To start, you'll see what you need to know as a module developer or a site admin who is deciding whether or not a module is written to properly respect the node access system and, more specifically, db_rewrite_sql within node_access. Let's look at...

Common Mistakes

As I mentioned in the chapter opening, the theme is often the source of both large volumes of vulnerabilities and vulnerabilities that are particularly dangerous. This section covers some common errors. To test yourself, try to spot the problem before it is explained. These problems usually appear for one of two reasons. If she needs additional data, a themer will often write code to get that data and then insert it into her code. Both the process of getting the data (command execution, access...

Access Definitely Denied

One common action on a site is to declare that access has been denied for a particular request or action. In the browser, this appears as an "Access denied" message and an HTTP status code of 403 to let the browser know that there was a problem. If you were writing your own code, you would have to create the specific HTTP headers and some content to send to the user. In Drupal there is a convenience function called drupal_access_denied that handles that for you. The menu system is one common...

Testing Drupal with Grendel-Scan

In addition to the various Drupal-based and Drupal-specific solutions, there are also several general tools available to perform vulnerability analysis. Many of these tools tackle individual pieces: SQL injection, XSS, and providing a local proxy that allows a user to manually alter browser requests. There is also a relatively new tool called Grendel-Scan (Figure 8-6), which leverages many existing tools to be able to provide an amazing array of scanning and vulnerability analysis tools. General...

Testing

Why audit code when tools can do it for you? I once heard a great story to describe the difference between engineers and software developers: If you ask engineers to build a bridge from San Francisco to Japan, they'll just tell you it's impossible. If you ask software developers to approach the problem, they'll just write a little function that builds a 1-meter unit of bridge and then put it in a loop until the bridge is finished. Certainly one of the defining characteristics of software...

Using Extra Security Modules

Drupal is guided by the idea that core should be small but extensible and include only the most common features and APIs necessary to build a site. All other features should be implemented as an extension module that provides the additional functionality. So Drupal's core provides protection against common security vulnerabilities but does not provide some features that may be useful if you feel that your site needs more security than what is provided in core. Skeptical readers may note that...

Node Access Storage Explained

As you may have noticed in the queries shown earlier in this chapter, the node_access database table holds information about which users can take which actions on which nodes. If you install a brand new site and have not enabled any node access modules, your node_access table will look like Table 7-1.

Table 7-1: Default values in the node_access table (columns: gid, realm, grant_view, grant_update, grant_delete)

This is Drupal's default access record, and it has a special meaning that indicates to a site that...

More Testing Drupal with Drupal Security Scanner

The Security Scanner tool was a project sponsored by Google's Summer of Code program in 2008 and developed by Dario Battista Ghilardi under the mentorship of Karoly Negyesi. Given its relatively young age, some of the features are likely to change, but the general concepts will remain true. The module has three major stages: (1) crawl a site, gathering information about the pages; (2) plant seeds of potential cross-site scripting; (3) crawl the site a second time to see if any of the seeds have sprouted into a...

Application Scope and Domain

Before attempting to build any website, it is very important to follow a certain workflow. Mapping out the scope and domain will allow for the production of a very significant amount of cheap mental development and will simplify the whole process, since that process concretely comprises a series of implementation steps involving design and implementation. This is in opposition to the expensive kind of development, which you need to avoid like the plague, because it involves doing work and then...

Form API: Sanitizing Options and Labels

The Form API provides a way for developers to add labels to form elements. It automatically sanitizes a few properties but not others, so it is important that developers take care to filter user-supplied data if it is going to be used in an unfiltered part of the Form API. The Form API is based on a system that takes an array of data and processes it to render a form. This array, passed to drupal_get_form in the Form API, is composed of elements and properties. In general, the properties are...

Google Code University Articles

XSS: Google has some great articles and videos about web security. The doc-reader articles are a particularly thorough review of protection against XSS, including fairly obscure forms of XSS such as UTF-7, malformed UTF-8, and attacks via user-uploaded files with malicious content. The videos and articles in the Code University provide a much broader review of security in general and the most common forms of XSS attacks.