Drupal Security Dive Into the Code
Drupal Security Dive Into the Code - this presentation looks at cross site scripting (xss), sql injection, and cross site request forgeries (csrf) in Drupal. The presentation was given at DrupalGovDays in Washington DC May 18, 2012.
    Presentation Transcript

    • Dive into Drupal Security @greggles Friday, May 18, 2012
    • Greg Knaddison Pair programmer @greggles Acquian Drupal Security Team
    • US$15 on kindle, US$26 paperback crackingdrupal.com
    • Agenda Overview Warm up CSRF, XSS, SQLi code
    • think like a diver
    • be the attacker Say hello to $user_data
    • Drupal vulnerabilities by type (pie chart of core and contrib SAs reported from 6/1/2005 through 3/24/2010; categories: XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others; chart values 48%, 16%, 12%, 10%, 7%, 4%, 3%, whose mapping to the categories is not recoverable from the transcript)
    • Eddy Out: Definitions A1 - Injection A2 - XSS A3 - Broken Authentication and Session Mgmt A4 - Insecure Direct Object References A5 - Cross Site Request Forgery
    • Eddy Out: Definitions A6 - Security Misconfiguration A7 - Insecure Cryptographic Storage A8 - Failure to Restrict URL Access A9 - Insufficient Transport Layer Protection A10 - Unvalidated Redirects and Forwards
    • Eddy Out: Freebies A3 - Broken Authentication and Session Mgmt A7 - Insecure Cryptographic Storage A9 - Insufficient Transport Layer Protection But don’t stop at the top 10...or today’s 3
    • The basics Toes in the water
    • Security Review module Free Automated check of configurations drupal.org/project/security_review Demo http://crackingdrupal.com/n/32
    • Captaining your ship ssh or sftp, but never ftp shared wifi? https if you can, vpn if you can’t Least privilege Audit roles
    • Stay up to date Seriously
    • Modernize your vessel Update module (can email you) Mailing list @drupalsecurity rss: d.o/security/ d.o/security/contrib etc.
    • Head for the lifeboats Have backups Test them periodically Be able to restore them Sanitize before traveling with them http://crackingdrupal.com/n/53
    • XSS aka: Cross Site Scripting code in browser using your session
    • XSS Code Running in your browser Using your cookies on your site Requesting, sending, reading responses Browser context Does that sound familiar?
    • Ajax (diagram: Drupal returns HTML and JS to the user)
    • Cross Site Scripting (diagram: the attacker’s JS reaches the victim through Drupal’s HTML) JS = Bad
    • Validate input “Why would I ever want javascript in a node title?” -developer who forgot to filter on output
    • Validate input Is it an email? Is it a nid (right type? that they have access to?) Is this my beautiful wife? Is this my beautiful house? Validation is NOT filtering Validation is “yes or no” - user fixes it
    • Filter on output “output” “filter” “on”
    • Output Contexts Mail context Database context Web context Server context http://acko.net/blog/safe-string-theory-for-the-web
    • Filtering XSS Input untrusted data Output browser appropriate data check_plain, check_markup filter_xss, filter_xss_admin free: l(), t() @ and %, drupal_set_title
    • (diagram) html html blah html <? print $node_title ?> html
    • (diagram) html html blah html <script> alert('xss'); </script> html
    • (diagram) html html html blah html html blah &lt;script&gt; html alert('xss'); alert('xss'); &lt;/script&gt; html html
    • Are you my XSS? drupal_set_message($user_data); $output .= $node->title; FAPI checkboxes, radios, descriptions, etc.
    • Identifying XSS <script>alert('xss');</script> <img src="asdf.png" onerror="alert('xss')">
    • Deep Dive on XSS
    • http://drupalscout.com/tags/xss XSS Resources
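
    The "filter on output" slides above, as an added worked example that is not code from the presentation or from Drupal core. The template line `<? print $node_title ?>` is modelled by render_title_unfiltered(); check_plain_model() and t_model() are plain-PHP stand-ins for what Drupal 7's check_plain() and t() placeholders do (the real functions are not called here), and the two payloads are the ones from the "Identifying XSS" slide.

```php
<?php
// Added example, not code from the talk or from Drupal core. Plain PHP that
// mirrors Drupal 7's check_plain() and the @/%/! placeholder rules of t(),
// so it runs without a Drupal bootstrap.

// Constructed attacker input: the two probes from the "Identifying XSS" slide.
$payloads = array(
    "<script>alert('xss');</script>",
    '<img src="asdf.png" onerror="alert(\'xss\')">',
);

// The vulnerable template:  html <? print $node_title ?> html
function render_title_unfiltered($node_title) {
    return '<h1 class="title">' . $node_title . '</h1>';
}

// Stand-in for check_plain(): escape everything that has meaning in HTML
// text or attribute context, so the browser shows the title as text.
function check_plain_model($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// The same template with the title filtered on output.
function render_title_filtered($node_title) {
    return '<h1 class="title">' . check_plain_model($node_title) . '</h1>';
}

// Stand-in for t()'s placeholder handling: @var is escaped, %var is escaped
// and wrapped in <em class="placeholder">, !var is inserted untouched and is
// only for markup you already know is safe.
function t_model($string, array $args = array()) {
    foreach ($args as $key => $value) {
        switch ($key[0]) {
            case '@':
                $args[$key] = check_plain_model($value);
                break;
            case '%':
                $args[$key] = '<em class="placeholder">' . check_plain_model($value) . '</em>';
                break;
        }
    }
    return strtr($string, $args);
}

// "Validation is yes or no": a title that passes a sane validator can still
// carry script, which is why validation is not a substitute for output filtering.
function validate_title($title) {
    return is_string($title) && $title !== '' && strlen($title) <= 255;
}

// Demo-only check: is there any tag inside the <h1> wrapper? (Not a scanner.)
function contains_injected_tag($html) {
    $inner = substr($html, strlen('<h1 class="title">'), -strlen('</h1>'));
    return preg_match('/<[a-z]/i', $inner) === 1;
}

foreach ($payloads as $p) {
    printf("validate_title : %s\n", validate_title($p) ? 'accepted' : 'rejected');
    $raw  = render_title_unfiltered($p);
    $safe = render_title_filtered($p);
    printf("unfiltered     : %s  [injected tag: %s]\n", $raw,  contains_injected_tag($raw)  ? 'yes' : 'no');
    printf("check_plain    : %s  [injected tag: %s]\n", $safe, contains_injected_tag($safe) ? 'yes' : 'no');
    // drupal_set_message($user_data) from "Are you my XSS?" has the same problem;
    // passing the data through a t() placeholder is the usual fix.
    printf("t() placeholder: %s\n\n", t_model('Saved %title', array('%title' => $p)));
}
```

    Both payloads pass validate_title(), which is the point of the "Validation is NOT filtering" slide: the decision about what is safe has to be made in the output context, and for HTML text that means escaping at the moment of printing, whether by check_plain(), a t() placeholder, or l() building the link for you.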
    • SQL Injection
    • User modified data Included into a query Without filtering
    • (diagram) php php sql $user_data php php
    • (diagram) php php sql '';delete from users; php php
    • Fixing SQL Injection “Use Drupal’s database API” Placeholders DBTNG, ORM, Methods (not that complex)
    • Dive on SQL Injection
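
    The "php / sql / $user_data" slides above, as an added worked example that is not code from the presentation or from Drupal. It uses PDO with an in-memory SQLite database (Drupal 7's database API is built on PDO, but db_query() itself is not called here); the users table, its rows and the attacker string are constructed for the demo.

```php
<?php
// Added example, not code from the talk or from Drupal. Shows user-modified
// data included into a query without filtering, beside the placeholder fix.

function demo_db() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, mail TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'admin', 'admin@example.com')");
    $db->exec("INSERT INTO users VALUES (2, 'alice', 'alice@example.com')");
    return $db;
}

// Vulnerable: $user_data becomes part of the SQL text.
function user_mail_vulnerable(PDO $db, $user_data) {
    $sql = "SELECT mail FROM users WHERE name = '" . $user_data . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: a placeholder carries the value separately from the SQL text.
// The Drupal 7 spelling of the same query is
//   db_query("SELECT mail FROM {users} WHERE name = :name",
//            array(':name' => $user_data))->fetchCol();
function user_mail_fixed(PDO $db, $user_data) {
    $stmt = $db->prepare('SELECT mail FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $user_data));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = demo_db();

// Constructed attacker input: closes the quote and adds a tautology.
$attack = "' OR '1'='1";

print_r(user_mail_vulnerable($db, 'alice'));   // one row: alice@example.com
print_r(user_mail_vulnerable($db, $attack));   // every mail address in the table
print_r(user_mail_fixed($db, $attack));        // no rows: no user is literally named "' OR '1'='1"
```

    The slide's `'';delete from users;` is a stacked-statement variant; whether it executes depends on the driver accepting several statements in one call, while the tautology above works against any database. Placeholders cover values only: a table name, column name or ORDER BY direction taken from $user_data still has to be validated against a fixed list, which is what the DBTNG query builder methods do for you.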
    • CSRF Cross Site Request Forgery Taking action without confirming intent.
    • Taking action without confirming intent. How do we confirm intent? WTF is intent?
    • <a href="/delete/user/1">Delete user 1</a>
    • <a href="/delete/1">Delete user 1</a> <img src="/delete/1">
    • CSRF Flow (diagram: the victim requests /user, Drupal returns html and sets a cookie)
    • CSRF Flow (diagram: the victim requests node/1, Drupal returns html)
    • CSRF Flow (diagram: the html for node/1 pulls in jquery.js, foo.css and, through the injected tag, delete/1; the browser sends the cookie along and the object is deleted in the db)
    • How do you exploit it? URL Shorteners <img src="http://example.com/delete/2"> Send a message to a site admin What is my email address or twitter?
    • Are you my CSRF? menu call back with an action verb and not drupal_get_form directly use $_POST, $_GET, arg(), menu object not using form_submit OR drupal_get_token
    • Tokens (aka nonce) Form API includes tokens by default do form, form_validate, form_submit don’t $_POST OR: drupal_get_token, drupal_valid_token
    • Deep Dive on CSRF
    • http://drupalscout.com/tags/csrf CSRF Resources
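
    The "delete/1" flow and the "Tokens (aka nonce)" slide above, as an added worked example that is not code from the presentation or from Drupal core. get_token_model() and valid_token_model() are plain-PHP stand-ins for drupal_get_token() and drupal_valid_token(): an HMAC over the action, keyed with the session id and a site-private key. The session id and private key are constants here (an assumption for the demo) where Drupal would use session_id() and drupal_get_private_key(); the users array and the attacker's requests are constructed.

```php
<?php
// Added example, not code from the talk or from Drupal core. A menu callback
// with an action verb, first without and then with a token check.

const DEMO_SESSION_ID  = 'sess-3f9c2a';        // stands in for session_id()
const DEMO_PRIVATE_KEY = 'site-private-key-0'; // stands in for drupal_get_private_key()

// Token bound to one purpose ($value) and one session: another origin cannot
// compute it, and a token minted for a different user does not validate.
function get_token_model($value, $session_id = DEMO_SESSION_ID) {
    return hash_hmac('sha256', $value, $session_id . DEMO_PRIVATE_KEY);
}

function valid_token_model($token, $value, $session_id = DEMO_SESSION_ID) {
    return hash_equals(get_token_model($value, $session_id), (string) $token);
}

// "Are you my CSRF?": acts on arg() straight away, no confirmation of intent.
function delete_callback_vulnerable(array &$users, $uid) {
    unset($users[$uid]);
    return 'deleted';
}

// Hardened: the site renders the link with a token for "delete/<uid>" ...
function delete_link($uid) {
    return '/delete/' . $uid . '?token=' . get_token_model('delete/' . $uid);
}

// ... and the callback refuses unless the token in the query validates.
function delete_callback_fixed(array &$users, $uid, array $query, $session_id = DEMO_SESSION_ID) {
    if (!isset($query['token']) || !valid_token_model($query['token'], 'delete/' . $uid, $session_id)) {
        return 'access denied';
    }
    unset($users[$uid]);
    return 'deleted';
}

$users = array(1 => 'admin', 2 => 'alice');

// The attacker's <img src="http://example.com/delete/2">: the browser attaches
// the victim's cookie, so the vulnerable callback deletes alice.
echo delete_callback_vulnerable($users, 2), "\n";          // deleted

$users = array(1 => 'admin', 2 => 'alice');
// Same forged request against the fixed callback: no token, a guessed token,
// and a genuine token minted for a different session all fail.
echo delete_callback_fixed($users, 2, array()), "\n";                      // access denied
echo delete_callback_fixed($users, 2, array('token' => 'guess')), "\n";    // access denied
$other = get_token_model('delete/2', 'sess-other');
echo delete_callback_fixed($users, 2, array('token' => $other)), "\n";     // access denied

// The link the site rendered for the logged-in user carries the right token.
parse_str(parse_url(delete_link(2), PHP_URL_QUERY), $q);
echo delete_callback_fixed($users, 2, $q), "\n";                           // deleted
var_dump(isset($users[2]));                                                 // bool(false)
```

    This is the drupal_get_token/drupal_valid_token route the slide lists as the alternative. The route it lists first is usually simpler: route "delete/%" through drupal_get_form() with a confirm form, and the Form API adds and checks the token for you, with the added benefit that the deletion happens on a POST of the confirmation rather than on a GET a browser will follow from an <img> tag.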
    • Resources drupal.org/security groups.drupal.org/best-practices-drupal-security drupalscout.com acquia.com crackingdrupal.com
    • Thanks! questions? contact? @greggles greg.knaddison@acquia.com