Scout xss csrf_security_presentation_chicago


Published on

A Drupalcon Chicago presentation for coders/developers about web application security in the Drupal system. Covering Cross Site Scripting and Cross Site Request Forgeries.

Published in: Technology
  • <br /><object type="application/x-shockwave-flash" data="" width="350" height="288"><param name="movie" value=""></param><embed src="" width="350" height="288" type="application/x-shockwave-flash"></embed></object>
    Are you sure you want to  Yes  No
    Your message goes here
  • See the video of this session at
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Maybe you don&apos;t know it, but it is.
  • I&apos;m pretty awesome.
  • It&apos;s pretty awesome.
  • Damn, they&apos;re really awesome.
  • DO NOT LIKE Resources: * DDOS * Mail forwarding for spam * Bot network Stealing data * E-mails * Username/passwords * Worse? (credit card, ssn, etc.) Altering data * Homepage defacement * Changing prices in e-commerce * Deleting content
  • XSS is the worst! Only for vulnerabilities fixed from d.o security team process, but anecdotally we know XSS is the worst! What about real world? Most people don&apos;t want to report their weaknesses.
  • For the Irving Berlin fans out there Javascript can do everything that you can do on the site. If you are logged in as an admin user, it can edit any users password, change permissions, etc.
  • 2. Demonstrate weak code. XSS is from “user input” - ALL user input! Including browser user agent! ### SETUP NOTES: 1. Install browscap and monitor user agents 2. Setup firefox useragent switcher with a useragent like &lt;script&gt;$(&amp;quot;body&amp;quot;).replaceWith(&amp;quot;&lt;h1&gt;now what&lt;/h1&gt;?&amp;quot;);&lt;/script&gt;
  • tpl.php and default theme_* implementations will show where to use check_plain etc. Good developers should know when/where/how to filter text, let them worry about it and hand you simple variables via preprocess functions.
  • Whenever you deal with assembling bits of text for output consider these three questions. Answers will determine whether any filtering is required. User agent in http request to include a file?
  • Data comes in from &apos;you&apos; (or a malicious user) Goes to MySQL in some queries, MySQL returns data Data is returned to you What are the “Contexts” in this page request flow? MySQL context in step 2 Your browser in step 4
  • Steven Wittens wrote this up way better than anyone else. If you don&apos;t have an hour and don&apos;t have a themer or developer...use the cheat sheet
  • You deal with a string Input comes in, any yes answer drops down, HTML output at the bottom. Sometimes we use the underlying function like check_url via a convenience function like l(). Ditto check_plain via t(). Rich text may contain html, may contain Wiki formatting. Trusted text is way less than 1% of the text on a site.
  • 3 rd most common, 2 nd hardest to “solve”
  • User Protect module Enable Go to admin/user/userprotect View Delete problem Create a node with &lt;img src=” http://6d.local/userprotect/delete/1/user “&gt; or a tinyurl or...or be sure to fix the “smart quotes” Refresh admin/user/userprotect – no longer protected!
  • Scout xss csrf_security_presentation_chicago

    1. 1. <ul>Drupal Security for Coders </ul><ul>Greg Knaddison @greggles </ul>
    2. 2. Your site is vulnerable. (really, it is)
    3. 3. <ul><li>Drupaler for 4 years
    4. 4. Drupal Association
    5. 5. Help with lots of d.o
    6. 6. 20+ modules (Pathauto, token)
    7. 7. On Security Team
    8. 8.
    9. 9.
    10. 10. @greggles </li></ul>Greg
    11. 11. <ul>&quot;Cracking Drupal is probably going to be the first Drupal book I buy.&quot; - Angie 'webchick' Byron </ul>Wrote a book Or 40% off with Wiley coupon.
    12. 12. GVS <ul><li>Development
    13. 13. Community focused
    14. 14. Progressive
    15. 15. Event management
    16. 16. Now....
    17. 17. Security
    18. 18. (with Ben) -> </li></ul>
    19. 19. I want you: To think like a hacker
    20. 20. <ul>How does a  hacker think? </ul><ul> </ul>
    21. 21. Disney Princess Castle!
    22. 24. Your site is vulnerable. You can make it safer.
    23. 25. “ A site is secure if private data is kept private, the site cannot be forced offline or into a degraded mode by a remote visitor, the site resources are used only for their intended purposes, and the site content can be edited only by appropriate users.” Some guy – Cracking Drupal chapter 1
    24. 26. <ul><li>Abusing resources
    25. 27. Stealing data
    26. 28. Altering data </li></ul>
    27. 29. <ul>Worry, your site is vulnerable </ul><ul> </ul>
    28. 30.
    29. 31. <ul>Vulnerabilities by popularity in Drupal </ul>
    30. 32. <ul>trust nothing </ul><ul>(ok, trust very little) </ul>
    31. 33. <ul>Identify user inputs. </ul>
    32. 34. <ul>node title node body form fields in the tabs </ul>
    33. 35. <ul>node title node body form fields in the tabs submit button preview button hidden html form values URL arguments </ul>
    34. 36. <ul>node title node body form fields in the tabs submit button preview button hidden html form values URL arguments </ul><ul>browser user agent browser language browser time zone referrer other HTTP request headers </ul>
    35. 37. <ul>  XSS   </ul><ul>THE BEAST </ul><ul> </ul>
    36. 38. <ul>Illustrated: Step 1 of stored XSS </ul>
    37. 39. <ul>Illustrated: Step 2 of stored XSS </ul>
    38. 40. <ul>Illustrated: Step 3 of stored XSS </ul>
    39. 41. Anything you can do XSS can do (better) jQuery.get(Drupal.settings.basePath + 'user/1/edit', function (data, status) { if (status == 'success') { // Extract the token and other required data var matches = data.match(/id=&quot;edit-user-profile-form-form-token&quot; value=&quot;([a-z0-9])&quot;/); var token = matches[1]; // Post the minimum amount of fields. Other fields get their default values. var payload = { &quot;form_id&quot;: 'user_profile_form', &quot;form_token&quot;: token, &quot;pass[pass1]&quot;: 'hacked', &quot;pass[pass2]&quot;: 'hacked' }; + 'user/1/edit', payload); } } ); }
    40. 42. demo time
    41. 43. Tests for XSS <ul><script>alert('xss');</script> <img src=”notfound.png” onerror=”alert('xss');”> </ul>
    42. 44. Themers <ul><li>Read tpl.php and default implementations
    43. 45. Rely on your module developer for variables
    44. 46. Run the tests </li></ul>
    45. 47. Developers (and themers) Where does this text come from? Is there a way a user can change it? In what context is it being used?
    46. 49. Context <ul><li>Mail context
    47. 50. Database context
    48. 51. Web context
    49. 52. Server context </li></ul>Take an hour:
    50. 54. Cross Site Request Forgery <ul><li>Taking action
    51. 55. Without confirming intent
    52. 56. AKA CSRF </li></ul>
    53. 57. Cross Site Request Forgery <ul>Demo time </ul>
    54. 58. Solutions to CSRF <ul><li>Create a token based on something unique to </li><ul><li>site, the user, and the action and
    55. 59. validate the token when the action is requested </li></ul><li>Request: </li><ul><li>'query' = array('token' => drupal_get_token('my_id'); </li></ul><li>Processing: </li><ul><li>if (!drupal_valid_token($_GET['token'], 'my_id')) { </li></ul></ul><ul>(Or just use the Form API) </ul>
    56. 60. Severities and Other Vulnerabilities <ul><li> lots of other categories of vulnerabilities in addition to XSS and CSRF </li></ul><ul><li> </li></ul>
    57. 61. Drupal Security Report <ul><li> </li></ul>
    58. 62. Moar <ul><li>Book downstairs
    59. 63. BOF at 3:15 in Arkansas room </li></ul>
    60. 64. Resources <ul><li>
    61. 65.
    62. 66.
    63. 67. - discussion group
    64. 68.
    65. 69. Cracking Drupal -
    66. 70. - XSS Cheat Sheet
    67. 71. - CSRF
    68. 72. </li></ul>
    69. 73. <ul>What did you think? </ul><ul>Locate this session on the DCC website: </ul><ul> </ul><ul>Click the “Take the Survey” link. </ul><ul>Thanks! </ul>