1. Protect your site from CSRF. Greg Knaddison, @greggles, greg.knaddison@acquia.com. Tuesday, May 15, 2012
2. US$15 on Kindle, US$26 paperback
3. Protect your site from XSS
5. drupalgovdays.org, munich2012.drupal.org, groups.drupal.org/camps
6. Drupal Vulnerabilities by type (pie chart; slices of 12%, 7%, 4%, 3%, 48%, 10% and 16% labelled XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection and Others), reported in core and contrib SAs from 6/1/2005 through 3/24/2010
7. BTW on XSS: http://acquia.com/node/2022266
8. Acquia Security Training
   • Journey into mind of an attacker
   • Preventing spam and brute force attacks
   • XSS
   • Access bypass
   • CSRF
   • SQL Injection
   • Over 81% of Drupal vulnerabilities
   • Hands-on attacking and fixing a Drupal 7 site
   • Group review of possible fixes
   • How to perform automated security scans
9. Think like an attacker: how does an attacker think?
10. Think like the attacker
   • “Solving problems” - just like you
   • Using HTTP, Javascript, PHP - just like you
   • But her problems are different...
12. What is CSRF? Cross Site Request Forgery
13. CSRF - Cross Site Request Forgery
   • Action performed on the site
   • May confirm access/authorization
   • Fails to confirm intent
   But how does a computer know my intent?
14. Typical Page Request (diagram: Visitor sends /user/delete/7 with session id (sid) to Drupal, Drupal returns HTML)
15. Typical Page Request (diagram, continued: Drupal sees the sid and says "Oh, you are greggles")
16. Cross Site Request Forgery (diagram: Victim, sid, Drupal, HTML)
17. Cross Site Request Forgery (diagram: Attacker added)
18. Cross Site Request Forgery (diagram: Attacker tricks the Victim into sending the request, which carries the Victim's sid)
19. CSRF and session life time
   “Each employee spent only 11 minutes on any given project before being interrupted and whisked off to do something else. What's more, each 11-minute project was itself fragmented into even shorter three-minute tasks, like answering e-mail messages, reading a Web page or working on a spreadsheet.”
   Meet the Life Hackers, NY Times, October 16, 2005, www.nytimes.com/2005/10/16/magazine/16guru.html
20. How do you trick someone into visiting a url?
   • Email
   • Twitter
   • Facebook
   • Short urls
   • Web page with img, javascript
   • Ask them to type it in
   • Etc.
21. User intent?
   • Confirm identity
   • Confirm you really asked
   • Look at the person
   • Facial expression, tone
   • Ask them to repeat
   • Ask for a secret
22. User intent?
   • Secret to the site
   • Specific to the user
   • Specific to the action
   • One-way-hash
   Can be re-calculated by the site.
23. Typical Page Request (diagram: Visitor sends /user/delete/7?token=e416c8d447.......cbdec84 with sid; Drupal: "you are greggles", and the token shows "you have intent")
24. Cross Site Request Forgery (diagram: Victim, sid, Drupal answers 403: where is your intent?)
25. Cross Site Request Forgery (diagram: Attacker added; Drupal still answers 403: where is your intent?)
26. Cross Site Request Forgery (diagram: the tricked request carries the Victim's sid but no valid token; Drupal answers 403: where is your intent?)
27. Demo: CSRF, simple and tricky
28. Preventing CSRF
29. Identifying CSRF in the wild
   • Look at links & forms
   • Live HTTP Headers, Tamper Data, Chrome tools
   • menu callback with an action verb and not drupal_get_form
   • directly use $_POST, $_GET, arg(), menu object to take an action
   • not using form_submit OR drupal_get_token
30. Preventing CSRF
   • Just use the form API
   Links and Ajax without FAPI:
   • Request: build the link with a token bound to the action and the current session
     $url = url('user/delete/7', array('query' => array('token' => drupal_get_token('my_id'))));
   • Processing: refuse the action unless the token validates for the same action value
     if (!drupal_valid_token($_GET['token'], 'my_id')) {
       return MENU_ACCESS_DENIED;
     }
   • More: http://drupalscout.com/node/20
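The token properties from slide 22 (secret to the site, specific to the user, specific to the action, one-way hash, re-calculable by the site) and the request/processing split from slide 30, carried through as an added example that is not from the slides and is not Drupal's own code. It is modelled on drupal_get_token()/drupal_valid_token(); the function names, the private key and the session ids are constructed placeholders.

```php
<?php
// Site-wide secret that never leaves the server (constructed placeholder).
const SITE_PRIVATE_KEY = 'constructed-private-key-replace-me';

// Secret to the site (key), specific to the user (session id), specific to
// the action ($value), one-way (HMAC-SHA256). Nothing is stored server-side.
function csrf_token(string $session_id, string $value): string {
  return hash_hmac('sha256', $value, $session_id . SITE_PRIVATE_KEY);
}

// The site re-calculates the token and compares in constant time.
function csrf_token_valid(string $session_id, string $value, string $token): bool {
  return hash_equals(csrf_token($session_id, $value), $token);
}

// Simplified menu callback for /user/delete/%uid (assumed name and path).
// Returns 403 when the token is missing or bound to another session/action.
function user_delete_callback(array $query, string $session_id, int $uid): int {
  $action = 'user-delete-' . $uid;
  if (!isset($query['token']) || !csrf_token_valid($session_id, $action, $query['token'])) {
    return 403; // "where is your intent?"
  }
  // ... the deletion itself would happen here ...
  return 200;
}

// Constructed walk-through: the link the site emitted for greggles' session.
$greggles_sid = 'sid-greggles-constructed';
$link = '/user/delete/7?token=' . csrf_token($greggles_sid, 'user-delete-7');
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);

// Legitimate click: same session, same action.
printf("own link:        %d\n", user_delete_callback($q, $greggles_sid, 7));
// Forged request carrying the victim's sid but no token (slides 24-26).
printf("no token:        %d\n", user_delete_callback([], $greggles_sid, 7));
// Token copied from a different session: wrong user.
printf("other session:   %d\n", user_delete_callback($q, 'sid-other-constructed', 7));
// Token for user 7 replayed against user 8: wrong action.
printf("other action:    %d\n", user_delete_callback($q, $greggles_sid, 8));
```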
31. Next steps
32. Acquia Security Audits
   • 1 week engagement
   • Manual and automated
   • Static code analysis
   • Penetration testing of interface
   • Report:
     - prioritized list of vulnerabilities
     - mitigation recommendations
33. Resources
   • Drupal Scout CSRF: drupalscout.com/tags/csrf
   • Security Training: training.acquia.com/developing-drupal/security
   • Acquia's Knowledge Base: library.acquia.com
   • Security checks via acquia.com/insight
   • groups.drupal.org/best-practices-drupal-security
   Any questions?