Protect your site from CSRF
Presentation Transcript

  • Protect your site from CSRF. Greg Knaddison, @greggles, greg.knaddison@acquia.com. Tuesday, May 15, 2012
  • US$15 on Kindle, US$26 paperback
  • Protect your site from XSS
  • drupalgovdays.org, munich2012.drupal.org, groups.drupal.org/camps
  • [Pie chart] Drupal vulnerabilities by type, reported in core and contrib SAs from 6/1/2005 through 3/24/2010. Categories: XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others. Slice labels as extracted: 12%, 7%, 4%, 3%, 48%, 10%, 16% (slice-to-category mapping not recoverable from the transcript).
  • BTW on XSS: http://acquia.com/node/2022266
  • Acquia Security Training (shown beside the vulnerability pie chart)
    • Journey into the mind of an attacker
    • Preventing spam and brute force attacks
    • XSS
    • Access bypass
    • CSRF
    • SQL Injection
    • Over 81% of Drupal vulnerabilities
    • Hands-on attacking and fixing a Drupal 7 site
    • Group review of possible fixes
    • How to perform automated security scans
  • Think like an attacker: how does an attacker think?
  • Think like the attacker
    • “Solving problems” - just like you
    • Using HTTP, Javascript, PHP - just like you
    • But her problems are different...
  • What is CSRF? Cross Site Request Forgery
  • CSRF - Cross Site Request Forgery
    • Action performed on the site
    • May confirm access/authorization
    • Fails to confirm intent
    But how does a computer know my intent?
  • [Diagram, two builds] Typical page request: the Visitor requests /user/delete/7 from Drupal, sending the session id (sid); Drupal recognizes the session (“Oh, you are greggles”) and returns HTML.
  • [Diagram, three builds] Cross Site Request Forgery: the Attacker tricks the Victim (“trick!”) into loading HTML that sends the request to Drupal with the Victim's sid.
  • CSRF and session life time
    “Each employee spent only 11 minutes on any given project before being interrupted and whisked off to do something else. What's more, each 11-minute project was itself fragmented into even shorter three-minute tasks, like answering e-mail messages, reading a Web page or working on a spreadsheet.”
    Meet the Life Hackers, NY Times, October 16, 2005, www.nytimes.com/2005/10/16/magazine/16guru.html
  • How do you trick someone into visiting a URL?
    • Email
    • Twitter
    • Facebook
    • Short URLs
    • Web page with img, javascript
    • Ask them to type it in
    • Etc.
  • User intent?
    • Confirm identity
    • Confirm you really asked
    • Look at the person
    • Facial expression, tone
    • Ask them to repeat
    • Ask for a secret
  • User intent?
    • Secret to the site
    • Specific to the user
    • Specific to the action
    • One-way hash
    Can be re-calculated by the site.
  • [Diagram] Typical page request with a token: the Visitor requests /user/delete/7?token=e416c8d447.......cbdec84 with their sid; Drupal checks both (“you are greggles”, “you have intent”) and returns HTML.
  • [Diagram, three builds] Cross Site Request Forgery with a token: the Attacker tricks the Victim into sending the request with the Victim's sid, but without a valid token Drupal answers 403: where is your intent?
  • Demo: CSRF, simple and tricky
  • Preventing CSRF
  • Identifying CSRF in the wild
    • Look at links & forms
    • Live HTTP Headers, Tamper Data, Chrome tools
    • Menu callback with an action verb and not drupal_get_form
    • Directly uses $_POST, $_GET, arg(), or the menu object to take an action
    • Not using form_submit OR drupal_get_token
  • Preventing CSRF
    • Just use the Form API
    Links and Ajax without FAPI:
    • Request: 'query' => array('token' => drupal_get_token('my_id'))
    • Processing: if (!drupal_valid_token($_GET['token'], 'my_id')) { ... }
    • More: http://drupalscout.com/node/20
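The token properties from the “User intent?” slide (secret to the site, specific to the user, specific to the action, one-way hash the site can recompute) and the vulnerable pattern from “Identifying CSRF in the wild” (a menu callback with an action verb acting directly on $_GET) can be shown side by side in plain PHP. The following is an added example, not code from the slides or from Drupal itself; SITE_PRIVATE_KEY, csrf_token(), csrf_token_valid(), delete_user_vulnerable() and delete_user_protected() are names chosen for this illustration, and the session id and key values are constructed. Drupal 7's drupal_get_token() / drupal_valid_token() follow the same idea, keyed on the site's private key and the user's session.

```php
<?php
// Added example (not from the deck): a minimal, framework-free version of the
// token scheme the slides describe. All names below are assumptions for this
// illustration, not Drupal API.

// Site secret. In Drupal this role is played by the private key / hash salt.
// Constructed value for the example only.
const SITE_PRIVATE_KEY = 'constructed-private-key-change-me';

/**
 * Token that is secret to the site (HMAC key), specific to the user
 * (session id mixed into the key) and specific to the action ($value).
 * It is a one-way hash: the site can recompute it, a third party cannot.
 */
function csrf_token(string $session_id, string $value): string {
  return hash_hmac('sha256', $value, $session_id . SITE_PRIVATE_KEY);
}

/** Constant-time comparison so timing does not leak the expected token. */
function csrf_token_valid(string $session_id, string $value, ?string $token): bool {
  if ($token === NULL) {
    return FALSE;
  }
  return hash_equals(csrf_token($session_id, $value), $token);
}

/**
 * "Before": a callback with an action verb that acts on the request as soon
 * as authorization passes. It confirms access but never intent, which is the
 * pattern the "Identifying CSRF in the wild" slide says to look for.
 */
function delete_user_vulnerable(array $request, bool $is_admin): array {
  if (!$is_admin) {
    return ['status' => 403, 'deleted' => NULL];
  }
  return ['status' => 200, 'deleted' => (int) $request['uid']];
}

/**
 * "After": the same callback, but the request must carry a token minted by
 * csrf_token() for this session and for the action "user-delete-<uid>".
 * Mirrors the slide's drupal_valid_token($_GET['token'], 'my_id') check.
 */
function delete_user_protected(array $request, bool $is_admin, string $session_id): array {
  if (!$is_admin) {
    return ['status' => 403, 'deleted' => NULL];
  }
  $uid = (int) $request['uid'];
  if (!csrf_token_valid($session_id, 'user-delete-' . $uid, $request['token'] ?? NULL)) {
    // 403: where is your intent?
    return ['status' => 403, 'deleted' => NULL];
  }
  return ['status' => 200, 'deleted' => $uid];
}

// Worked run with constructed values.
$victim_session = 'sess-constructed-abc123';

// A legitimate link rendered by the site carries the token for this action
// (the 'query' => array('token' => ...) pattern from the slide).
$legit = ['uid' => 7, 'token' => csrf_token($victim_session, 'user-delete-7')];

// A forged request arrives with the victim's session cookie but no token,
// because the forging party cannot compute the HMAC.
$forged = ['uid' => 7];

// A token minted for a different action must not be accepted either.
$wrong_action = ['uid' => 7, 'token' => csrf_token($victim_session, 'user-delete-8')];

echo 'vulnerable, forged request:  ', json_encode(delete_user_vulnerable($forged, TRUE)), PHP_EOL;
echo 'protected, forged request:   ', json_encode(delete_user_protected($forged, TRUE, $victim_session)), PHP_EOL;
echo 'protected, legitimate link:  ', json_encode(delete_user_protected($legit, TRUE, $victim_session)), PHP_EOL;
echo 'protected, wrong action:     ', json_encode(delete_user_protected($wrong_action, TRUE, $victim_session)), PHP_EOL;
```

Run it with the PHP CLI (php example.php). The vulnerable handler deletes on the forged request because authorization alone passed; the protected handler refuses the forged request and the wrong-action token and accepts only the link the site itself rendered, which is the 403 “where is your intent?” behaviour from the diagrams. Binding the token to both the session and the action is what keeps a token leaked from one page from authorizing a different action.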
  • Next steps
  • Acquia Security Audits
    • 1 week engagement
    • Manual and automated
    • Static code analysis
    • Penetration testing of interface
    • Report: prioritized list of vulnerabilities, mitigation recommendations
  • Resources
    • Drupal Scout CSRF: drupalscout.com/tags/csrf
    • Security Training: training.acquia.com/developing-drupal/security
    • Acquia's Knowledge Base: library.acquia.com
    • Security checks via acquia.com/insight
    • groups.drupal.org/best-practices-drupal-security
    Any questions?