Drupal Security Dive Into the Code

Drupal Security Dive Into the Code - this presentation looks at cross site scripting (xss), sql injection, and cross site request forgeries (csrf) in Drupal. The presentation was given at DrupalGovDays in Washington DC May 18, 2012.

Published in: Technology
Transcript

  1. Dive into Drupal Security @greggles (Friday, May 18, 2012)
  2. Greg Knaddison. Pair programmer. @greggles. Acquian. Drupal Security Team.
  3. US$15 on Kindle, US$26 paperback. crackingdrupal.com
  4. Agenda: Overview. Warm up. CSRF, XSS, SQLi code.
  5. Think like a diver.
  6. Be the attacker. Say hello to $user_data.
  7. Drupal vulnerabilities by type (pie chart, values as extracted: 12% 7% 4% 3% 48% 10% 16%; categories: XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others). Reported in core and contrib SAs from 6/1/2005 through 3/24/2010.
  8. Eddy Out: Definitions. A1 - Injection. A2 - XSS. A3 - Broken Authentication and Session Mgmt. A4 - Insecure Direct Object References. A5 - Cross Site Request Forgery.
  9. Eddy Out: Definitions. A6 - Security Misconfiguration. A7 - Insecure Cryptographic Storage. A8 - Failure to Restrict URL Access. A9 - Insufficient Transport Layer Protection. A10 - Unvalidated Redirects and Forwards.
  10. Eddy Out: Freebies. A3 - Broken Authentication and Session Mgmt. A7 - Insecure Cryptographic Storage. A9 - Insufficient Transport Layer Protection. But don't stop at the top 10... or today's 3.
  11. The basics: toes in the water.
  12. Security Review module. Free. Automated check of configurations. drupal.org/project/security_review. Demo: http://crackingdrupal.com/n/32
  13. Captaining your ship: ssh or sftp, but never ftp. Shared wifi? https if you can, vpn if you can't. Least privilege. Audit roles.
  14. Stay up to date. Seriously.
  15. Modernize your vessel: Update module (can email you). Mailing list. @drupalsecurity. RSS: d.o/security/, d.o/security/contrib, etc.
  16. Head for the lifeboats: Have backups. Test them periodically. Be able to restore them. Sanitize before traveling with them. http://crackingdrupal.com/n/53
  17. XSS, aka Cross Site Scripting: code in browser using your session.
  18. XSS: Code running in your browser. Using your cookies on your site. Requesting, sending, reading responses. Browser context. Does that sound familiar?
  19. (diagram) Ajax: HTML, Drupal, User, JS.
  20. (diagram) Cross Site Scripting: HTML, Attacker, JS, Drupal, Victim. JS = Bad.
  21. Validate input. "Why would I ever want javascript in a node title?" - developer who forgot to filter on output.
  22. Validate input: Is it an email? Is it a nid (right type? that they have access to?) Is this my beautiful wife? Is this my beautiful house? Validation is NOT filtering. Validation is "yes or no" - user fixes it.
  23. Filter on output: "output", "filter", "on".
  24. (image-only slide, no text)
  25. Output Contexts: Mail context. Database context. Web context. Server context. http://acko.net/blog/safe-string-theory-for-the-web
  26. Filtering XSS. Input: untrusted data. Output: browser appropriate data. check_plain, check_markup. filter_xss, filter_xss_admin. Free: l(), t() with @ and %, drupal_set_title.
  27. (image-only slide, no text)
  28. (template) html html blah html <? print $node_title ?> html
  29. (template with an unfiltered title) html html blah html <script> alert('xss'); <script> html
  30. (two columns: unfiltered beside filtered) html html blah html &lt;script&gt; alert('xss'); &lt;/script&gt; html
  31. Are you my XSS? drupal_set_message($user_data); $output .= $node->title; FAPI checkboxes, radios, descriptions, etc.
  32. Identifying XSS: <script>alert('xss');</script> and <img src="asdf.png" onerror="alert('xss')">
  33. Deep Dive on XSS.
  34. XSS Resources: http://drupalscout.com/tags/xss
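Slides 26 and 28 to 32 name the output-filtering functions but do not show them in a page callback. The following is an added example, not code from the deck or from Drupal itself: a Drupal 7 page callback that prints an attacker-influenced node title and a query-string value, with the raw concatenation from slide 31 kept as a comment beside the escaped versions. It assumes a Drupal 7 runtime; the module name "xssdemo", its path and the "note" query parameter are made up for the illustration.

```php
<?php
// Added example (assumes Drupal 7; "xssdemo", its path and the "note"
// parameter are invented). Shows check_plain(), filter_xss() and the
// "free" escaping done by t(), l() and drupal_set_title().

/**
 * Implements hook_menu().
 */
function xssdemo_menu() {
  $items['xssdemo/xss/%node'] = array(
    'title' => 'Filter on output',
    'page callback' => 'xssdemo_page',
    'page arguments' => array(2), // %node at position 2 is loaded by node_load()
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback for xssdemo/xss/NID.
 *
 * A title such as <script>alert('xss');</script> is legal in the database
 * (input validation is "yes or no", slide 22); the vulnerability is trusting
 * it at print time (slides 28 to 31).
 */
function xssdemo_page($node) {
  $note = isset($_GET['note']) ? $_GET['note'] : '';
  $output = '';

  // WRONG (slide 31): raw concatenation. Anything stored in the title runs in
  // the reader's browser with the reader's session cookie.
  // $output .= '<h2>' . $node->title . '</h2>';
  // drupal_set_message($note);

  // RIGHT for plain text: check_plain() is htmlspecialchars() with ENT_QUOTES
  // and UTF-8, so "<script>" arrives as "&lt;script&gt;" (slide 30).
  $output .= '<h2>' . check_plain($node->title) . '</h2>';

  // RIGHT for text that may carry a little markup: filter_xss() keeps only the
  // listed tags and strips event-handler attributes such as onerror (slide 32).
  $output .= '<div class="note">' . filter_xss($note, array('em', 'strong')) . '</div>';

  // "Free" escaping (slide 26): @ in t() runs check_plain(); % also wraps the
  // value in <em>; l() escapes its link text unless 'html' => TRUE is passed;
  // drupal_set_title() runs check_plain() by default.
  drupal_set_title($node->title);
  drupal_set_message(t('You are viewing %title', array('%title' => $node->title)));
  $output .= '<p>' . l($node->title, 'node/' . $node->nid) . '</p>';

  return $output;
}
```

The rule of thumb the deck gives (filter on output, not on input) is what decides which function to use: check_plain() when the value must be plain text, filter_xss() when a small whitelist of tags is intended, and the t()/l() helpers wherever they already fit, since they escape for you.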
  35. SQL Injection.
  36. User modified data, included into a query, without filtering.
  37. (diagram) php php sql $user_data php php
  38. (diagram) php php sql '';delete from users; php php
  39. Fixing SQL Injection: "Use Drupal's database API". Placeholders. DBTNG, ORM, methods (not that complex).
  40. Dive on SQL Injection.
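Slides 36 to 39 describe the bug (request data spliced into SQL text) and the fix (placeholders through Drupal's database API) without code. The block below is an added example, not from the deck or from Drupal: a lookup of nodes by an author name taken from the request, once the vulnerable way and twice with Drupal 7's DBTNG placeholders. It assumes a Drupal 7 runtime; the "sqldemo_" function names are invented for the illustration.

```php
<?php
// Added example (assumes Drupal 7 / DBTNG; function names are invented).

/**
 * WRONG (slides 36 to 38): the request value becomes part of the SQL text.
 *
 * A value like the one on slide 38 closes the quoted string and the statement;
 * the database then runs whatever follows with the site's own privileges.
 * Kept only to show the shape of the bug.
 */
function sqldemo_nodes_by_author_unsafe($name) {
  return db_query("SELECT n.nid, n.title FROM {node} n "
    . "INNER JOIN {users} u ON u.uid = n.uid WHERE u.name = '" . $name . "'")
    ->fetchAllKeyed();
}

/**
 * RIGHT: a named placeholder. The value travels to the driver separately from
 * the query text, so it can only ever be compared as data.
 */
function sqldemo_nodes_by_author($name) {
  return db_query(
    'SELECT n.nid, n.title FROM {node} n INNER JOIN {users} u ON u.uid = n.uid '
    . 'WHERE u.name = :name AND n.status = 1',
    array(':name' => $name)
  )->fetchAllKeyed(); // nid => title
}

/**
 * ALSO RIGHT: the query builder. Every condition() value is a placeholder too,
 * and numeric inputs that are not placeholders are cast before use.
 */
function sqldemo_nodes_by_author_select($name, $limit = 10) {
  $query = db_select('node', 'n');
  $query->join('users', 'u', 'u.uid = n.uid');
  return $query
    ->fields('n', array('nid', 'title'))
    ->condition('u.name', $name)
    ->condition('n.status', 1)
    ->range(0, (int) $limit)
    ->execute()
    ->fetchAllKeyed();
}

/**
 * Placeholders also take arrays: DBTNG expands :nids into :nids_0, :nids_1 ...
 * so the usual "implode(',', $ids)" shortcut is never needed for IN ().
 */
function sqldemo_titles_for_nids(array $nids) {
  $nids = array_map('intval', $nids);
  if (empty($nids)) {
    return array(); // IN () with no members is a SQL error, not an empty result
  }
  return db_query('SELECT nid, title FROM {node} WHERE nid IN (:nids)',
    array(':nids' => $nids))->fetchAllKeyed();
}
```

The array expansion in the last function goes a step beyond what the slides mention; it is standard DBTNG behaviour in Drupal 7 and removes the most common excuse for building SQL by string concatenation.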
  41. CSRF, Cross Site Request Forgery: taking action without confirming intent.
  42. Taking action without confirming intent. How do we confirm intent? WTF is intent?
  43. <a href="/delete/user/1">Delete user 1</a>
  44. <a href="/delete/1">Delete user 1</a> <img src="/delete/1">
  45. CSRF Flow (diagram): /user, html, cookie; Victim, Drupal.
  46. CSRF Flow (diagram): node/1, html; Victim, Drupal.
  47. CSRF Flow (diagram): node/1, html, jquery.js, js, foo.css, css, cookie; delete/1; Victim, Drupal; object deleted, etc. in db.
  48. How do you exploit it? URL shorteners. <img src="http://example.com/delete/2">. Send a message to a site admin. What is my email address or twitter?
  49. Are you my CSRF? Menu callback with an action verb and not drupal_get_form. Directly use $_POST, $_GET, arg(), menu object. Not using form_submit OR drupal_get_token.
  50. Tokens (aka nonce). Form API includes tokens by default. Do: form, form_validate, form_submit. Don't: $_POST. OR: drupal_get_token, drupal_valid_token.
  51. Deep Dive on CSRF.
  52. CSRF Resources: http://drupalscout.com/tags/csrf
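Slides 43 to 50 show the vulnerable "delete/1" link and name the two fixes (route the action through Form API, or carry a drupal_get_token() value and check it with drupal_valid_token()) without showing the code. The following is an added example, not from the deck or from Drupal: a Drupal 7 module fragment with the vulnerable route kept as a comment and both safe variants implemented. It assumes a Drupal 7 runtime; the module name "csrfdemo", its paths and the token seed string are invented for the illustration.

```php
<?php
// Added example (assumes Drupal 7; "csrfdemo", its paths and the token seed
// are invented). The commented-out route is the slide 44/49 smell.

/**
 * Implements hook_menu().
 */
function csrfdemo_menu() {
  // WRONG (slide 49): an action verb in the path, a plain page callback, no
  // confirmation. <img src="/csrfdemo/delete/2"> on any page the victim views
  // performs the delete with the victim's cookie (slides 44 to 48). The access
  // check does not help: the victim is the privileged user.
  // $items['csrfdemo/delete/%node'] = array(
  //   'page callback' => 'csrfdemo_delete_now',
  //   'page arguments' => array(2),
  //   'access arguments' => array('administer nodes'),
  //   'type' => MENU_CALLBACK,
  // );

  // RIGHT #1 (slide 50): route to a form. Form API adds a per-session token to
  // every form shown to an authenticated user and rejects a submission that
  // lacks it, so the action happens only after a POST of your own confirm page.
  $items['csrfdemo/delete/%node'] = array(
    'title' => 'Delete node',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('csrfdemo_delete_confirm_form', 2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );

  // RIGHT #2: when the action really must be a link, carry a token in the URL
  // and verify it before acting. (URL tokens end up in logs and Referer
  // headers, so the form is the better default.)
  $items['csrfdemo/quick-delete/%node'] = array(
    'title' => 'Delete node',
    'page callback' => 'csrfdemo_quick_delete',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function csrfdemo_delete_confirm_form($form, &$form_state, $node) {
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  return confirm_form($form,
    t('Delete %title?', array('%title' => $node->title)),
    'node/' . $node->nid,
    t('This action cannot be undone.'),
    t('Delete'), t('Cancel'));
}

function csrfdemo_delete_confirm_form_submit($form, &$form_state) {
  // Reached only after form validation accepted the form token (slide 50).
  node_delete($form_state['values']['nid']);
  drupal_set_message(t('Node deleted.'));
  $form_state['redirect'] = '<front>';
}

/**
 * Builds the tokened link. drupal_get_token() binds the value to this node
 * and to the visitor's session, so it cannot be precomputed for a victim.
 */
function csrfdemo_quick_delete_link($node) {
  $seed = 'csrfdemo-delete-' . $node->nid;
  return l(t('Delete'), 'csrfdemo/quick-delete/' . $node->nid, array(
    'query' => array('token' => drupal_get_token($seed)),
  ));
}

function csrfdemo_quick_delete($node) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'csrfdemo-delete-' . $node->nid)) {
    // Missing or forged token: treat it exactly like access denied.
    return MENU_ACCESS_DENIED;
  }
  node_delete($node->nid);
  drupal_set_message(t('Deleted %title.', array('%title' => $node->title)));
  drupal_goto('<front>');
}
```

The point of both variants is the one slide 41 makes: the site must confirm intent, and a cookie alone does not do that. A token tied to the session proves the request came from a page the site itself served to that user.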
  53. Resources: drupal.org/security, groups.drupal.org/best-practices-drupal-security, drupalscout.com, acquia.com, crackingdrupal.com
  54. Thanks! Questions? Contact? @greggles, greg.knaddison@acquia.com
