• Like
  • Save
Scout xss csrf_security_presentation_chicago
Upcoming SlideShare
Loading in...5
×
 

Scout xss csrf_security_presentation_chicago

on

  • 541 views

A Drupalcon Chicago presentation for coders/developers about web application security in the Drupal system. Covering Cross Site Scripting and Cross Site Request Forgeries.

A Drupalcon Chicago presentation for coders/developers about web application security in the Drupal system. Covering Cross Site Scripting and Cross Site Request Forgeries.

Statistics

Views

Total Views
541
Views on SlideShare
541
Embed Views
0

Actions

Likes
0
Downloads
0
Comments
2

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as OpenOffice

Usage Rights

CC Attribution-ShareAlike LicenseCC Attribution-ShareAlike License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

12 of 2

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
  • <br /><object type="application/x-shockwave-flash" data="http://www.archive.org/flow/flowplayer.commercial-3.2.1.swf" width="350" height="288"><param name="movie" value="http://www.archive.org/flow/flowplayer.commercial-3.2.1.swf"></param><embed src="http://www.archive.org/flow/flowplayer.commercial-3.2.1.swf" width="350" height="288" type="application/x-shockwave-flash"></embed></object>
    Are you sure you want to
    Your message goes here
    Processing…
  • See the video of this session at http://chicago2011.drupal.org/sessions/drupal-security-coders
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Maybe you don&apos;t know it, but it is.
  • I&apos;m pretty awesome.
  • It&apos;s pretty awesome.
  • Damn, they&apos;re really awesome.
  • DO NOT LIKE Resources: * DDOS * Mail forwarding for spam * Bot network Stealing data * E-mails * Username/passwords * Worse? (credit card, ssn, etc.) Altering data * Homepage defacement * Changing prices in e-commerce * Deleting content http://www.flickr.com/photos/piez/995290158/
  • XSS is the worst! Only for vulnerabilities fixed from d.o security team process, but anecdotally we know XSS is the worst! What about real world? Most people don&apos;t want to report their weaknesses.
  • For the Irving Berlin fans out there Javascript can do everything that you can do on the site. If you are logged in as an admin user, it can edit any users password, change permissions, etc.
  • 2. Demonstrate weak code. XSS is from “user input” - ALL user input! Including browser user agent! ### SETUP NOTES: 1. Install browscap and monitor user agents 2. Setup firefox useragent switcher with a useragent like now what
  • tpl.php and default theme_* implementations will show where to use check_plain etc. Good developers should know when/where/how to filter text, let them worry about it and hand you simple variables via preprocess functions.
  • Whenever you deal with assembling bits of text for output consider these three questions. Answers will determine whether any filtering is required. User agent in http request to include a file?
  • Data comes in from &apos;you&apos; (or a malicious user) Goes to MySQL in some queries, MySQL returns data Data is returned to you What are the “Contexts” in this page request flow? MySQL context in step 2 Your browser in step 4
  • Steven Wittens wrote this up way better than anyone else. If you don&apos;t have an hour and don&apos;t have a themer or developer...use the cheat sheet
  • You deal with a string Input comes in, any yes answer drops down, HTML output at the bottom. Sometimes we use the underlying function like check_url via a convenience function like l(). Ditto check_plain via t(). Rich text may contain html, may contain Wiki formatting. Trusted text is way less than 1% of the text on a site.
  • 3 rd most common, 2 nd hardest to “solve”
  • User Protect module http://drupal.org/node/623162 Enable Go to admin/user/userprotect View Delete problem Create a node with or a tinyurl or...or be sure to fix the “smart quotes” Refresh admin/user/userprotect – no longer protected!

Scout xss csrf_security_presentation_chicago Scout xss csrf_security_presentation_chicago Presentation Transcript

    • Drupal Security for Coders
      Greg Knaddison DrupalScout.com @greggles
  • Your site is vulnerable. (really, it is)
    • Drupaler for 4 years
    • Drupal Association
    • Help with lots of d.o
    • 20+ modules (Pathauto, token)
    • On Security Team
    • MasteringDrupal.com
    • DrupalDashboard.com
    • @greggles
    Greg
    • &quot;Cracking Drupal is probably going to be the first Drupal book I buy.&quot; - Angie 'webchick' Byron
    Wrote a book Or 40% off with Wiley coupon.
  • GVS
    • Development
    • Community focused
    • Progressive
    • Event management
    • Now....
    • Security
    • (with Ben) ->
  • I want you: To think like a hacker
    • How does a  hacker think?
      http://flic.kr/p/7tMCdZ
  • Disney Princess Castle!
  •  
  •  
  • Your site is vulnerable. You can make it safer.
  • “ A site is secure if private data is kept private, the site cannot be forced offline or into a degraded mode by a remote visitor, the site resources are used only for their intended purposes, and the site content can be edited only by appropriate users.” Some guy – Cracking Drupal chapter 1
    • Abusing resources
    • Stealing data
    • Altering data
    • Worry, your site is vulnerable
      http://flic.kr/p/61i74g
  • http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf
    • Vulnerabilities by popularity in Drupal
    • trust nothing
      (ok, trust very little)
    • Identify user inputs.
    • node title node body form fields in the tabs
    • node title node body form fields in the tabs submit button preview button hidden html form values URL arguments
    • node title node body form fields in the tabs submit button preview button hidden html form values URL arguments
      browser user agent browser language browser time zone referrer other HTTP request headers
    •   XSS  
      THE BEAST
      http://flic.kr/p/6HZMaY
    • Illustrated: Step 1 of stored XSS
    • Illustrated: Step 2 of stored XSS
    • Illustrated: Step 3 of stored XSS
  • Anything you can do XSS can do (better) jQuery.get(Drupal.settings.basePath + 'user/1/edit', function (data, status) { if (status == 'success') { // Extract the token and other required data var matches = data.match(/id=&quot;edit-user-profile-form-form-token&quot; value=&quot;([a-z0-9])&quot;/); var token = matches[1]; // Post the minimum amount of fields. Other fields get their default values. var payload = { &quot;form_id&quot;: 'user_profile_form', &quot;form_token&quot;: token, &quot;pass[pass1]&quot;: 'hacked', &quot;pass[pass2]&quot;: 'hacked' }; jQuery.post(Drupal.settings.basePath + 'user/1/edit', payload); } } ); } http://crackingdrupal.com/node/8
  • demo time
  • Tests for XSS
      <script>alert('xss');</script> <img src=”notfound.png” onerror=”alert('xss');”>
  • Themers
    • Read tpl.php and default implementations
    • Rely on your module developer for variables
    • Run the tests
  • Developers (and themers) Where does this text come from? Is there a way a user can change it? In what context is it being used?
  •  
  • Context
    • Mail context
    • Database context
    • Web context
    • Server context
    Take an hour: http://acko.net/blog/safe-string-theory-for-the-web
  •  
  • Cross Site Request Forgery
    • Taking action
    • Without confirming intent
    • AKA CSRF
  • Cross Site Request Forgery
      Demo time
  • Solutions to CSRF
    • Create a token based on something unique to
      • site, the user, and the action and
      • validate the token when the action is requested
    • Request:
      • 'query' = array('token' => drupal_get_token('my_id');
    • Processing:
      • if (!drupal_valid_token($_GET['token'], 'my_id')) {
      (Or just use the Form API)
  • Severities and Other Vulnerabilities
    • drupal.org/security/contrib lots of other categories of vulnerabilities in addition to XSS and CSRF
    • drupal.org/security-team
  • Drupal Security Report
    • http://DrupalSecurityReport.org
    Ustima.com
  • Moar
    • Book downstairs
    • BOF at 3:15 in Arkansas room
  • Resources
    • http://drupal.org/security-team
    • http://drupal.org/security
    • http://drupal.org/writing-secure-code
    • http://groups.drupal.org/node/15254 - discussion group
    • http://heine.familiedeelstra.com/
    • Cracking Drupal - http://crackingdrupal.com
    • http://crackingdrupal.com/node/34 - XSS Cheat Sheet
    • http://crackingdrupal.com/node/48 - CSRF
    • http://www.drupalsecurityreport.org
    • What did you think?
      Locate this session on the DCC website:
      http://chicago2011.drupal.org/sessions
      Click the “Take the Survey” link.
      Thanks!