Drupal Security Dive Into the Code
Drupal Security Dive Into the Code - this presentation looks at cross site scripting (xss), sql injection, and cross site request forgeries (csrf) in Drupal. The presentation was given at DrupalGovDays in Washington DC May 18, 2012.
Transcript of "Drupal Security Dive Into the Code"

  1. Dive into Drupal Security. @greggles. Friday, May 18, 2012
  2. Greg Knaddison. Pair programmer. @greggles. Acquian Drupal Security Team
  3. US$15 on Kindle, US$26 paperback. crackingdrupal.com
  4. Agenda: Overview. Warm up. CSRF, XSS, SQLi code
  5. Think like a diver
  6. Be the attacker. Say hello to $user_data
  7. [Pie chart: Drupal vulnerabilities by type, reported in core and contrib SAs from 6/1/2005 through 3/24/2010. Categories: XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others. Percentages as extracted: 12%, 7%, 4%, 3%, 48%, 10%, 16%; the mapping of percentages to categories is not recoverable from the extraction.]
  8. Eddy Out: Definitions. A1 - Injection. A2 - XSS. A3 - Broken Authentication and Session Mgmt. A4 - Insecure Direct Object References. A5 - Cross Site Request Forgery
  9. Eddy Out: Definitions. A6 - Security Misconfiguration. A7 - Insecure Cryptographic Storage. A8 - Failure to Restrict URL Access. A9 - Insufficient Transport Layer Protection. A10 - Unvalidated Redirects and Forwards
  10. Eddy Out: Freebies. A3 - Broken Authentication and Session Mgmt. A7 - Insecure Cryptographic Storage. A9 - Insufficient Transport Layer Protection. But don't stop at the top 10... or today's 3
  11. The basics. Toes in the water
  12. Security Review module. Free. Automated check of configurations. drupal.org/project/security_review. Demo: http://crackingdrupal.com/n/32
  13. Captaining your ship. ssh or sftp, but never ftp. Shared wifi? https if you can, vpn if you can't. Least privilege. Audit roles
  14. Stay up to date. Seriously
  15. Modernize your vessel. Update module (can email you). Mailing list. @drupalsecurity. rss: d.o/security/, d.o/security/contrib etc.
  16. Head for the lifeboats. Have backups. Test them periodically. Be able to restore them. Sanitize before traveling with them. http://crackingdrupal.com/n/53
  17. XSS, aka Cross Site Scripting: code in browser using your session
  18. XSS. Code. Running in your browser. Using your cookies on your site. Requesting, sending, reading responses. Browser context. Does that sound familiar?
  19. [Diagram: Ajax. Drupal and User, with arrows labelled HTML and JS]
  20. [Diagram: Cross Site Scripting. Attacker, Drupal and Victim, with arrows labelled HTML and JS. JS = Bad]
  21. Validate input. "Why would I ever want javascript in a node title?" - developer who forgot to filter on output
  22. Validate input. Is it an email? Is it a nid (right type? that they have access to?) Is this my beautiful wife? Is this my beautiful house? Validation is NOT filtering. Validation is "yes or no" - user fixes it
  23. Filter on output. "output" "filter" "on"
  24. (no text on slide)
  25. Output Contexts. Mail context. Database context. Web context. Server context. http://acko.net/blog/safe-string-theory-for-the-web
  26. Filtering XSS. Input untrusted data. Output browser appropriate data. check_plain, check_markup. filter_xss, filter_xss_admin. Free: l(), t() @ and %, drupal_set_title
  27. (no text on slide)
  28. [Template, HTML context, variable printed unfiltered: `html html blah html <? print $node_title ?> html`]
  29. [Rendered with a malicious title: `html html blah html <script> alert('xss'); </script> html`]
  30. [Same page with the title escaped: the browser receives `html html blah html &lt;script&gt; alert('xss'); &lt;/script&gt; html` and displays the script tags as text instead of running them]
  31. Are you my XSS? drupal_set_message($user_data); $output .= $node->title; FAPI checkboxes, radios, descriptions, etc.
  32. Identifying XSS. `<script>alert('xss');</script>` `<img src="asdf.png" onerror="alert('xss')">`
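The two "are you my XSS?" patterns from slide 31 beside their filter-on-output fixes, as an added Drupal 7 example that is not from the slides; the module name "example" and the page callback are hypothetical, and $user_data stands in for any user-controlled value.

```php
<?php
// Added example, not from the slides: a hypothetical Drupal 7 page callback
// (module "example") that outputs untrusted input three ways.
// $user_data stands in for any user-controlled value; here a query parameter.
function example_greeting_page() {
  $user_data = isset($_GET['name']) ? $_GET['name'] : '';

  // XSS: the raw string lands in the browser context. A value such as
  // <img src="asdf.png" onerror="alert('xss')"> runs in the viewer's session.
  // drupal_set_message($user_data);

  // Filter on output, option 1: t() with an @ placeholder runs check_plain()
  // on the value before substituting it (% would also emphasize it).
  drupal_set_message(t('Hello @name', array('@name' => $user_data)));

  // Option 2: escape explicitly for the HTML context, once, at output time.
  // check_plain('<script>') yields '&lt;script&gt;', which the browser shows as text.
  $output = '<h2>' . check_plain($user_data) . '</h2>';

  // Option 3: when some markup must survive, keep only a whitelist of tags.
  // filter_xss() drops <script>, on* attributes and javascript: URLs.
  $output .= '<p>' . filter_xss($user_data, array('em', 'strong')) . '</p>';

  // Page title: drupal_set_title() applies check_plain() by default, so it is free.
  drupal_set_title($user_data);

  return $output;
}
```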
  33. Deep Dive on XSS
  34. XSS Resources: http://drupalscout.com/tags/xss
  35. SQL Injection
  36. User modified data. Included into a query. Without filtering
  37. [Diagram: PHP code builds a SQL query with $user_data embedded directly in it]
  38. [Diagram: the same flow with $user_data set to `'';delete from users;`]
  39. Fixing SQL Injection. "Use Drupal's database API". Placeholders. DBTNG, ORM, Methods (not that complex)
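The query from slides 37-39, concatenated and then rewritten with placeholders and the DBTNG builder, as an added Drupal 7 example that is not from the slides; the module name "example", the page callback and the `search` query parameter are hypothetical.

```php
<?php
// Added example, not from the slides: a hypothetical Drupal 7 page callback
// (module "example") listing a user's nodes. $user_data arrives from the URL.
function example_user_nodes_page($user_data) {
  // SQL injection: $user_data is pasted into the statement. With the slide's
  // payload '';delete from users; (or simply 0 OR 1=1) the attacker controls
  // the SQL itself, not just a value.
  // $result = db_query("SELECT nid, title FROM {node} WHERE uid = " . $user_data);

  // Validate input first: yes or no, the user fixes it. A uid is digits only.
  if (!ctype_digit((string) $user_data)) {
    return drupal_not_found();
  }
  $uid = (int) $user_data;

  // Placeholders: the driver binds :uid as data, so it can never become SQL.
  $result = db_query('SELECT nid, title FROM {node} WHERE uid = :uid', array(':uid' => $uid));

  // The DBTNG query builder returns the same rows with no SQL string to get wrong.
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.uid', $uid);
  // For LIKE conditions, db_like() also escapes % and _ inside the user value.
  if (!empty($_GET['search'])) {
    $query->condition('n.title', '%' . db_like($_GET['search']) . '%', 'LIKE');
  }
  $rows = $query->execute()->fetchAll();

  // Filter on output: titles are user data in the HTML context, and l()
  // runs check_plain() on the link text by default.
  $items = array();
  foreach ($rows as $row) {
    $items[] = l($row->title, 'node/' . $row->nid);
  }
  return theme('item_list', array('items' => $items));
}
```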
  40. Dive on SQL Injection
  41. CSRF. Cross Site Request Forgery. Taking action without confirming intent.
  42. Taking action without confirming intent. How do we confirm intent? WTF is intent?
  43. `<a href="/delete/user/1">Delete user 1</a>`
  44. `<a href="/delete/1">Delete user 1</a>` `<img src="/delete/1">`
  45. [Diagram: CSRF Flow. Victim requests /user from Drupal; the response is html plus a cookie]
  46. [Diagram: CSRF Flow. Victim requests node/1; Drupal returns html]
  47. [Diagram: CSRF Flow. The html for node/1 pulls in jquery.js (js), foo.css (css) and delete/1, the last sent with the victim's cookie; object deleted etc. in db]
  48. How do you exploit it? URL shorteners. `<img src="http://example.com/delete/2">`. Send a message to a site admin. What is my email address or twitter?
  49. Are you my CSRF? Menu callback with an action verb and not drupal_get_form. Directly use $_POST, $_GET, arg(), menu object. Not using form_submit OR drupal_get_token
  50. Tokens (aka nonce). Form API includes tokens by default. Do form, form_validate, form_submit; don't $_POST. OR: drupal_get_token, drupal_valid_token
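Both ways of confirming intent from slides 49-50 applied to a "delete" callback, as an added Drupal 7 example that is not from the slides; the module name "example", its paths, the `administer nodes` permission choice and the token value prefix are hypothetical.

```php
<?php
// Added example, not from the slides: hypothetical Drupal 7 module "example".
// A routes delete through the Form API (its token is checked before form_submit
// runs); B uses drupal_get_token()/drupal_valid_token() for a plain link.
function example_menu() {
  $items = array();
  // A: no action-verb GET callback; drupal_get_form() builds the confirm form.
  // %node loads the node for page argument 2.
  $items['example/delete/%node'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_delete_confirm_form', 2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  // B: non-form link, protected by a token bound to the action and the nid.
  $items['example/quick-delete/%node'] = array(
    'page callback' => 'example_quick_delete',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}
function example_delete_confirm_form($form, &$form_state, $node) {
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  $question = t('Delete %title?', array('%title' => $node->title));
  return confirm_form($form, $question, 'node/' . $node->nid);
}
function example_delete_confirm_form_submit($form, &$form_state) {
  // Only reached after the Form API validated the form token for this session.
  node_delete($form_state['values']['nid']);
  $form_state['redirect'] = '<front>';
}
// B: the link carries a token derived from the session and the exact target.
function example_quick_delete_link($node) {
  $token = drupal_get_token('example-delete-' . $node->nid);
  $options = array('query' => array('token' => $token));
  return l(t('Delete'), 'example/quick-delete/' . $node->nid, $options);
}
function example_quick_delete($node) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  // An <img> or shortened URL planted elsewhere cannot carry a valid token.
  if (!drupal_valid_token($token, 'example-delete-' . $node->nid)) {
    return drupal_access_denied();
  }
  node_delete($node->nid);
  drupal_goto('<front>');
}
```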
  51. Deep Dive on CSRF
  52. CSRF Resources: http://drupalscout.com/tags/csrf
  53. Resources. drupal.org/security. groups.drupal.org/best-practices-drupal-security. drupalscout.com. acquia.com. crackingdrupal.com
  54. Thanks! Questions? Contact? @greggles, greg.knaddison@acquia.com