Looking for Vulnerable Code. Vlad Savitsky
How to find vulnerable code in your Drupal project?
Different attacks and how to protect your site?
What to do if you find security problem in code/site?

Published in: Technology

  1. Are you sure that your site is secure?
  2. Site security
     ● Trusted, experienced and secure hosting
     ● Secure code
     ● Security updates
  3. Security updates
     ● Subscribe to Security-news: http://lists.drupal.org/mailman/listinfo/security-news
     ● Use the Drupal 7 core module Update Manager.
  4. How secure is Drupal code?
  5. Types of vulnerabilities
  6. Is your Drupal site's code secure?
  7. Speaker: Vlad Savitsky. Skype: vlad_savitsky, ICQ: 205535814, vlad.savitsky@gmail.com, +38096 530 27 12
  8. Challenge
     ● http://google-gruyere.appspot.com/start
     ● Gruyere /ɡruːˈjɛər/ - a small, cheesy web application that allows its users to publish snippets of text and store assorted files.
     ● "Unfortunately," Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal is to discover bugs in Gruyere.
  9. Cross-site scripting (XSS)
     ● Allows attackers to inject script into web pages viewed by other users.
     ● http://en.wikipedia.org/wiki/Cross-site_scripting
  10. Handling data: the golden rule
     ● Store exactly what the user typed.
     ● When handling and outputting text in HTML, you need to be careful that proper filtering or escaping is done.
  11. XSS, step 1: a user sends some data (diagram). User input goes to Drupal code; invalid input is rejected and validated user input is stored in the database.
  12. XSS, step 2: the attacker sends code (diagram). Input containing JavaScript reaches Drupal code that does not validate it well, so the JavaScript is stored in the database.
  13. XSS, step 3: a user requests a page (diagram). Drupal code runs an SQL query, the database returns the stored JavaScript, and the data is sent back without being properly escaped.
  14. XSS, step 4: the user runs the attacker's code (diagram). The user views the page, the HTML page contains the attacker's JavaScript, and the browser executes it and sends the user's data to the attacker.
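The golden rule from slide 10 and the four-step flow above, as an added Python example (not code from the slides or from Drupal): comments are stored exactly as typed and escaped only when rendered, and a placeholder function modelled on Drupal 7's t()/format_string() semantics shows why a "!" placeholder is a high-risk zone while "@" and "%" are safe. The function names check_plain and format_string are our own models of the Drupal functions, and the stored comments are constructed sample data.

```python
# Added example, not from the slides: the "golden rule" in code. Comments are
# stored exactly as typed and escaped only when rendered, and a t()-style
# placeholder function shows why "!" placeholders are a high-risk zone.
# check_plain()/format_string() here are our own Python models of the
# Drupal 7 functions of the same names, not Drupal's code.
import html
import re

# Constructed sample "database" rows: the second one is an attacker's payload
# that made it past input validation (the slides' step 2).
STORED_COMMENTS = [
    "Nice module, thanks!",
    '<script>alert("xss")</script>',
]


def check_plain(text):
    """Escape &, <, >, " and ' so the text is inert inside HTML."""
    return html.escape(text, quote=True)


def format_string(message, args):
    """Drupal 7 placeholder semantics, modelled here:
    @key -> escaped, %key -> escaped and wrapped in <em class="placeholder">,
    !key -> inserted raw (the caller must already have sanitised it).
    """
    out = message
    for key, value in args.items():
        if key.startswith("@"):
            replacement = check_plain(value)
        elif key.startswith("%"):
            replacement = '<em class="placeholder">%s</em>' % check_plain(value)
        elif key.startswith("!"):
            replacement = value
        else:
            raise ValueError("placeholder must start with @, % or !: " + key)
        out = out.replace(key, replacement)
    return out


def render_comments(comments):
    """Step 3 done right: escape each stored comment at output time."""
    return "<ul>%s</ul>" % "".join("<li>%s</li>" % check_plain(c) for c in comments)


def contains_script(markup):
    """Crude check used to show whether a payload survived into the output."""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(render_comments(STORED_COMMENTS))
    print(format_string("Hello @name", {"@name": STORED_COMMENTS[1]}))
    print(format_string("Hello !name", {"!name": STORED_COMMENTS[1]}))
```

Running the block shows the stored payload rendered as harmless text in the list and through the "@" placeholder, and passed through intact only by the "!" placeholder, which is exactly the case the slide's "t() and l()" high-risk entry points at.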
  15. Access bypass (diagram): a user requests /devel/php, Drupal code serves it, and the user gets access.
  16. Cross-site request forgery
     ● Ability to run some action on the server by accessing some URL.
     ● Also known as a one-click attack or session riding and abbreviated as CSRF (pronounced sea-surf) or XSRF.
     ● http://en.wikipedia.org/wiki/Cross-site_request_forgery
  17. CSRF, step 1: find the URL (diagram). The user profile page has Save and Delete buttons; the Delete button points to http://example.com/user/10/delete.
  18. CSRF, step 2: post the URL (diagram). The attacker posts a page containing <img src="URL" />; when the admin opens that page, the browser sends a request to the URL.
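The defence the CSRF slides lead to (slide 28 names drupal_get_token()), as an added Python example that is not the slides' or Drupal's code: a per-session action token in the style of Drupal 7's drupal_get_token()/drupal_valid_token(), which key an HMAC with the session ID plus the site's private key and hash salt. The secrets, session IDs and example.com URLs are constructed placeholders, and get_token, valid_token, delete_user_link and handle_delete are our own models.

```python
# Added example, not from the slides: an action token in the style of Drupal 7's
# drupal_get_token()/drupal_valid_token(), which key an HMAC with the session ID
# plus the site's private key and hash salt. The secrets, session IDs and URLs
# below are constructed placeholders, and the functions are our models, not
# Drupal's implementation.
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

PRIVATE_KEY = "constructed-site-private-key"
HASH_SALT = "constructed-hash-salt"


def get_token(session_id, value):
    """HMAC-SHA256 of the action value, keyed by the session and site secrets."""
    key = (session_id + PRIVATE_KEY + HASH_SALT).encode()
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def valid_token(token, session_id, value):
    """Constant-time comparison against the token this session should hold."""
    return hmac.compare_digest(token.encode(), get_token(session_id, value).encode())


def delete_user_link(session_id, uid):
    """The Delete link a protected profile page would render for this session."""
    value = "user/%d/delete" % uid
    return "http://example.com/%s?token=%s" % (value, get_token(session_id, value))


def parse_query(url):
    """Turn a URL's query string into a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_delete(session_id, uid, query):
    """Menu callback: refuse unless the request carries this session's token
    for exactly this action (the check drupal_valid_token() performs)."""
    value = "user/%d/delete" % uid
    if not valid_token(query.get("token", ""), session_id, value):
        return "403 Forbidden: missing or invalid token"
    return "user %d deleted" % uid


if __name__ == "__main__":
    admin = "constructed-admin-session"
    # A bare URL embedded in an <img> tag carries no token and is refused.
    print(handle_delete(admin, 10, parse_query("http://example.com/user/10/delete")))
    # The link rendered for the admin's own session succeeds.
    print(handle_delete(admin, 10, parse_query(delete_user_link(admin, 10))))
```

Because the token is bound to the session as well as to the action value, a link copied from a different session, or a token minted for a different user ID, is refused along with the token-less image URL from slide 18.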
  19. Arbitrary code execution
     ● Ability to execute any commands of the attacker's choice on a target machine or in a target process.
     ● http://en.wikipedia.org/wiki/Arbitrary_code_execution
  20. Session fixation
     ● Session fixation attacks attempt to exploit the vulnerability of a system which allows one person to fixate (set) another person's session identifier (SID).
     ● Most session fixation attacks are web based, and most rely on session identifiers being accepted from URLs (query string) or POST data.
     ● http://en.wikipedia.org/wiki/Session_fixation
  21. Session fixation, step 1: send a URL with an SID (diagram). The attacker sends the admin http://example.com/node/2?sid=123; the admin then logs in via http://example.com/user/login?sid=123 and the Drupal code accepts the supplied SID.
  22. Session fixation, step 2: get the admin's session (diagram). The attacker logs in as the admin using http://example.com/user/login?sid=123.
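The two defences the fixation scenario calls for, as an added Python example (not code from the slides or from Drupal): a session ID offered in the URL or POST body is never used to look up a session, and a successful login replaces the session ID. The in-memory store and the function names resolve_session, login, handle_request and fixation_attempt are constructed for this illustration.

```python
# Added example, not from the slides: a minimal session handler showing the
# two defences the scenario above calls for. A session ID offered in the URL
# or POST body is ignored, and logging in replaces the session ID. Names and
# the in-memory store are constructed; this is not Drupal's session code.
import secrets
from urllib.parse import urlparse

SESSIONS = {}  # session id -> {"uid": user id or None}


def resolve_session(cookie_sid):
    """Use the cookie's SID only if the server created it; otherwise start a fresh one."""
    if cookie_sid in SESSIONS:
        return cookie_sid
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"uid": None}
    return sid


def login(sid, uid):
    """Authenticate: drop the anonymous session and issue a new ID (regeneration)."""
    SESSIONS.pop(sid, None)
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"uid": uid}
    return new_sid


def handle_request(url, cookie_sid, login_as=None):
    """Serve one request and return the SID the Set-Cookie header would carry.
    The ?sid= query parameter is parsed only to show that it is never used."""
    parsed = urlparse(url)
    _ignored_query_sid = parsed.query  # never consulted for session lookup
    sid = resolve_session(cookie_sid)
    if parsed.path == "/user/login" and login_as is not None:
        sid = login(sid, login_as)
    return sid


def current_uid(sid):
    return SESSIONS.get(sid, {}).get("uid")


def fixation_attempt(admin_uid=1, planted_sid="123"):
    """Replay the slides' two steps against these defences and report the outcome."""
    # Step 1: the admin follows the planted link, then logs in with the same ?sid=.
    anon_sid = handle_request("http://example.com/node/2?sid=" + planted_sid, None)
    auth_sid = handle_request("http://example.com/user/login?sid=" + planted_sid,
                              anon_sid, admin_uid)
    # Step 2: the attacker presents the planted SID.
    return {
        "planted_sid_authenticated": current_uid(planted_sid) == admin_uid,
        "anonymous_sid_survives": anon_sid in SESSIONS,
        "admin_sid_rotated": auth_sid != anon_sid and current_uid(auth_sid) == admin_uid,
    }


if __name__ == "__main__":
    print(fixation_attempt())
```

Either defence alone breaks the scenario: ignoring the query-string SID means the planted value never names a server-side session, and regenerating on login means that even a pre-login SID an attacker somehow learned stops being valid the moment the admin authenticates.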
  23. http://drupal.org/project/sharedsignon
  24. http://drupal.org/node/592488
  25. How to find a vulnerability?
  26. XSS high-risk zones
     ● theme().
     ● t() and l().
     ● dpm().
     ● echo().
     ● var_dump().
     ● console.log().
     ● watchdog().
     ● drupal_set_message().
     ● Templates (.tpl.php).
     ● Themes code.
     ● Preprocess functions.
     ● $form_state values.
     ● Validation messages and default values.
     ● Field type select and options attribute.
     ● drupal_set_title().
  27. XSS test payloads
     ● <script>alert(xss);</script>
     ● <img src="notfound.png" onerror="alert(xss);">
     ● watchdog(type, message <script type="text/javascript">alert("xss");</script>);
  28. How to find XSRF?
     ● Inspect hook_menu().
     ● Inspect AJAX callbacks.
     ● If secure tokens are not used then XSRF is possible.
     ● See drupal_get_token().
  29. Access bypass
     ● Check hook_permissions().
     ● Search for permission names.
     ● Check access callbacks in hook_menu().
     ● Check if the code works correctly with other contributed modules and respects their access restrictions.
  30. Code execution
     ● Search for eval, system, etc.
     ● Check code includes.
     ● Check if files with code could be executed.
     ● Search for the PHP input format for blocks, nodes, fields, etc.
     ● Check if modules like devel, php, etc. are enabled.
     ● Check if uploading files with PHP code is possible.
  31. SQL injection
     ● Static queries.
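The "how to find" checks from slides 26 through 31 turned into a small heuristic scanner, as an added Python example that is not code from the slides: it greps PHP source for raw variable output and "!" placeholders (XSS), eval/system-style calls and variable includes (code execution), SQL built by interpolation or concatenation instead of static queries with placeholders (SQL injection), and hook_menu() items with no access callback or arguments (access bypass). The regular expressions, the category names and the sample module are constructed; a hit marks a line to review, not a confirmed vulnerability.

```python
# Added example, not from the slides: a heuristic scanner that applies the
# "how to find" checks above to PHP source. The regular expressions, the
# sample module and the category names are constructed for illustration;
# a hit is a place to review, not a confirmed vulnerability.
import re

# (category, pattern, what to look at)
LINE_CHECKS = [
    ("xss", re.compile(r"\b(echo|print)\s+\$\w+"),
     "variable printed raw; wrap in check_plain() or a t() @placeholder"),
    ("xss", re.compile(r"\bt\(\s*['\"][^'\"]*![A-Za-z_]"),
     "t() with a '!' placeholder inserts the value unescaped"),
    ("xss", re.compile(r"\bdrupal_set_message\(\s*\$\w+"),
     "variable passed unescaped to drupal_set_message()"),
    ("code-exec", re.compile(r"\b(eval|system|exec|shell_exec|passthru)\s*\("),
     "code/command execution function"),
    ("code-exec", re.compile(r"\b(include|require)(_once)?\s*\(?\s*\$"),
     "include path taken from a variable"),
    ("sqli", re.compile(r"\bdb_query\(\s*\"[^\"]*\$"),
     "variable interpolated into SQL; use :placeholders"),
    ("sqli", re.compile(r"\bdb_query\(\s*([\"'])[^\"']*\1\s*\."),
     "SQL built by string concatenation; use :placeholders"),
]

# hook_menu() items without an access callback/arguments entry (access bypass)
MENU_ITEM = re.compile(r"\$items\[[^\]]+\]\s*=\s*array\((.*?)\);", re.S)


def scan_php(source):
    """Return a sorted list of (line, category, message) findings."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for category, pattern, message in LINE_CHECKS:
            if pattern.search(line):
                findings.append((lineno, category, message))
    for match in MENU_ITEM.finditer(source):
        body = match.group(1)
        if "'access callback'" not in body and "'access arguments'" not in body:
            lineno = source.count("\n", 0, match.start()) + 1
            findings.append((lineno, "access-bypass",
                             "menu item without access callback/arguments"))
    return sorted(findings)


# Constructed sample module: each risky line sits next to its safe counterpart.
SAMPLE_PHP = r"""<?php
function demo_menu() {
  $items['demo/run'] = array(
    'page callback' => 'demo_run',
  );
  $items['admin/demo'] = array(
    'page callback' => 'demo_admin',
    'access arguments' => array('administer demo'),
  );
  return $items;
}
function demo_run() {
  $name = $_GET['name'];
  echo $name;
  print check_plain($name);
  drupal_set_message(t('Hello !name', array('!name' => $name)));
  drupal_set_message(t('Hello @name', array('@name' => $name)));
  db_query("SELECT nid FROM {node} WHERE title = '$name'");
  db_query("SELECT nid FROM {node} WHERE title = :t", array(':t' => $name));
  eval($_POST['code']);
  include($_GET['file']);
}
"""

if __name__ == "__main__":
    for lineno, category, message in scan_php(SAMPLE_PHP):
        print("line %2d [%s] %s" % (lineno, category, message))
```

On the sample module the scanner reports the menu item without access keys, the raw echo, the "!" placeholder, the interpolated query, the eval and the variable include, and stays silent on the check_plain(), "@" placeholder, placeholder-query and access-protected lines beside them. The checks are deliberately line-local, so they miss a value that is escaped earlier or a query assembled across several statements; they are a starting list for a manual review of the zones the slides name.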
  32. Drupal Security Team
  33. Goals of the security team
     ● Resolve reported security issues.
     ● Provide assistance for contributed module maintainers in resolving security issues.
     ● Provide documentation on how to write secure code.
     ● Provide documentation on securing your site.
  34. How to report a security issue
     ● Do not post in the issue tracker or discuss it in IRC.
     ● Mail to security@drupal.org
     ● Provide as many details as you can. At least: the Drupal version and/or module version, and the steps to reproduce the problem.
     ● Do not disclose the vulnerability to anyone before the advisory is issued.
     ● You will be credited in the security announcement.
  35. How does the security team work with issues?
     ● Review the issue and evaluate the potential impact on all supported releases of Drupal.
     ● If it is indeed a valid problem, the security team is mobilized to eliminate it.
     ● New versions are created and tested.
     ● New packages are created and uploaded to Drupal.org.
     ● When an issue has been fixed, all available communication channels are used to inform users of the steps that must be taken to protect themselves.
  36. Issues with contributed modules
     ● The module maintainer is contacted with a deadline.
     ● When the maintainer fixes the problem, the security team issues an advisory.
     ● If the maintainer does not fix the problem within the deadline, an advisory is issued recommending disabling the module, and the project on Drupal.org is unpublished.
  37. Additional reading
     ● Core Security Advisories: http://drupal.org/security
     ● Contributed Project Security Advisories: http://drupal.org/security/contrib
     ● The Drupal Security Team: http://drupal.org/security-team
     ● Secure configuration of your Drupal site: http://drupal.org/security/secure-configuration
     ● Writing secure code: http://drupal.org/writing-secure-code
     ● Cracking Drupal – The Drupal security book: http://crackingdrupal.com/
     ● This paper's website: http://drupalsecurityreport.org
     ● OWASP Top Ten Project: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  38. Questions to the speaker: Vlad Savitsky, http://shvetsgroup.com, Skype: vlad_savitsky, ICQ: 205535814, vlad.savitsky@gmail.com, +38 096 530 27 12