Intro drupal security

Drupalcamp Austin 2011 presentation "intro to Drupal security"


  1. Dive into Drupal Security. @greggles. Sunday, November 20, 2011
  2. Greg Knaddison. Pair programmer. @greggles. Acquian. Drupal Security Team.
  3. mobro.co/gregknaddison
  4. US$15 on Kindle, US$26 paperback: crackingdrupal.com
  5. Agenda: Overview; Warm up; CSRF, XSS; code
  6. Think like a diver
  7. Be the attacker. Say hello to $user_data
  8. Drupal vulnerabilities by type (pie chart). Slice values: 12%, 7%, 4%, 3%, 48%, 10%, 16%. Categories: XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others. Reported in core and contrib SAs from 6/1/2005 through 3/24/2010.
  9. Eddy Out: Definitions. A1 - Injection; A2 - XSS; A3 - Broken Authentication and Session Mgmt; A4 - Insecure Direct Object References; A5 - Cross Site Request Forgery
  10. Eddy Out: Definitions. A6 - Security Misconfiguration; A7 - Insecure Cryptographic Storage; A8 - Failure to Restrict URL Access; A9 - Insufficient Transport Layer Protection; A10 - Unvalidated Redirects and Forwards
  11. Eddy Out: Freebies. A3 - Broken Authentication and Session Mgmt; A7 - Insecure Cryptographic Storage; A9 - Insufficient Transport Layer Protection. But don't stop at the top 10... or today's 3
  12. The basics: toes in the water
  13. Security Review module. Free, automated check of configurations. drupal.org/project/security_review. Demo: http://crackingdrupal.com/n/32
  14. Captaining your ship. ssh or sftp, but never ftp. Shared wifi? https if you can, vpn if you can't. Least privilege. Audit roles.
  15. Stay up to date. Seriously.
  16. Modernize your vessel. Update module. Mailing list. @drupal_security. RSS: d.o/security/, d.o/security/contrib, etc.
  17. Head for the lifeboats. Have backups. Test them periodically. Be able to restore them. Sanitize before traveling with them. http://crackingdrupal.com/n/53
  18. CSRF: Cross Site Request Forgery. Taking action without confirming intent.
  19. Taking action without confirming intent. How do we confirm intent? WTF is intent?
  20. <a href="/delete/user/1">Delete user 1</a>
  21. <a href="/delete/1">Delete user 1</a> <img src="/delete/1">
  22. CSRF Flow (diagram): Victim, Drupal. Request /user; html and cookie come back.
  23. CSRF Flow (diagram): Victim, Drupal. Request node/1; html comes back.
  24. CSRF Flow (diagram): Victim, Drupal. Request node/1; html comes back and pulls in jquery.js (js), foo.css (css) and delete/1 (sent with the cookie); object deleted in db, etc.
  25. How do you exploit it? URL shorteners. <img src="http://example.com/delete/2">. Send a message to a site admin. What is my email address or twitter?
  26. Are you my CSRF? Menu callback with an action verb and not drupal_get_form. Directly use $_POST, $_GET, arg(), menu object. Not using form_submit OR drupal_get_token.
  27. Tokens (aka nonce). Form API includes tokens by default. Do: form, form_validate, form_submit. Don't: $_POST. OR: drupal_get_token, drupal_valid_token.
  28. Deep Dive on CSRF
  29. CSRF Resources: http://drupalscout.com/tags/csrf
  30. XSS, aka Cross Site Scripting: code in browser using your session
  31. XSS: Code running in your browser. Using your cookies on your site. Requesting, sending, reading responses. Browser context. Does that sound familiar?
  32. Ajax (diagram): User, Drupal; HTML, JS
  33. Cross Site Scripting (diagram): Attacker, Drupal, Victim; HTML, JS. JS = Bad
  34. Validate input. "Why would I ever want javascript in a node title?" - developer who forgot to filter on output
  35. Validate input. Is it an email? Is it a nid (right type? that they have access to?) Is this my beautiful wife? Is this my beautiful house? Validation is NOT filtering. Validation is "yes or no" - user fixes it.
  36. Filter on output: "output" "filter" "on"
  37. [slide with no text]
  38. Output Contexts: Mail context, Database context, Web context, Server context. http://acko.net/blog/safe-string-theory-for-the-web
  39. Filtering XSS. Input: untrusted data. Output: browser appropriate data. check_plain, check_markup; filter_xss, filter_xss_admin; free: l(), t() with @ and %, drupal_set_title
  40. [slide with no text]
  41. Are you my XSS? drupal_set_message($user_data); $output .= $node->title; FAPI checkboxes, radios, descriptions, etc.
  42. Deep Dive on XSS
  43. XSS Resources: http://drupalscout.com/tags/xss
  44. But Greg, only admins can enter ickyquickies. d.o/security-policy and...
  45. Access Bypass
  46. Access Bypass: Authentication, Authorization
  47. What is it? See something they shouldn't see. Do something they shouldn't do.
  48. Stop Access Bypass: Check before showing the feature. Check before taking action.
  49. Where should we do this?
  50. Where do we check? Request arrives. Find menu callback. Call it. Alter that. Preprocess it. Theme it.
  51. 'access callback' => TRUE, page callback; $form['#access'] = whatevs(); $form['f']['#access'] = whatevs(); $o = theme('username', $account);
  52. R U my Access Bypass? Menu callbacks - kind of important. node_access(). ->addTag('node_access'). hook_permission()/user_access()
  53. Dive on Access Bypass
  54. Resources: drupal.org/security, groups.drupal.org/best-practices-drupal-security, drupalscout.com, acquia.com, crackingdrupal.com
  55. Thanks! Questions? Contact? @greggles greg.knaddison@acquia.com
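The CSRF checks on slides 26 and 27 ("menu callback with an action verb and not drupal_get_form", "form_submit OR drupal_get_token") as Drupal 7 module code. This is an added example, not code from the slides or from the Drupal project; it assumes a bootstrapped Drupal 7 site, and the module name csrfdemo, its paths and the function names are assumptions made for illustration.

```php
<?php
// Added example (assumed Drupal 7 environment; module name "csrfdemo",
// paths and function names are assumptions for illustration).

/**
 * Implements hook_menu().
 */
function csrfdemo_menu() {
  $items = array();

  // VULNERABLE (slide 26): an action verb in the path, served by a plain page
  // callback that performs the action on a GET. Anything that makes the
  // victim's browser request this URL (an <img> tag, a shortened link) gets
  // the deletion performed with the victim's session cookie. Access is
  // checked, intent is not.
  $items['csrfdemo/delete-unsafe/%node'] = array(
    'title' => 'Delete (unsafe)',
    'page callback' => 'csrfdemo_delete_unsafe',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );

  // SAFE, pattern 1 (slide 27): route the action through Form API.
  // drupal_get_form() embeds a form token and Form API rejects a submission
  // whose token does not match the user's session, so the submit handler only
  // runs after the user confirmed on the form.
  $items['csrfdemo/delete/%node'] = array(
    'title' => 'Delete',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('csrfdemo_delete_confirm_form', 2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );

  // SAFE, pattern 2 (slide 27): a non-form link that carries a token made
  // with drupal_get_token() and is checked with drupal_valid_token().
  $items['csrfdemo/delete-link/%node'] = array(
    'title' => 'Delete via tokenized link',
    'page callback' => 'csrfdemo_delete_tokenized',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Vulnerable callback: a GET request is enough to delete the node.
function csrfdemo_delete_unsafe($node) {
  node_delete($node->nid);
  drupal_set_message(t('Deleted node %nid.', array('%nid' => $node->nid)));
  drupal_goto('<front>');
}

// Form builder: confirm_form() adds the token, the question and the buttons.
function csrfdemo_delete_confirm_form($form, &$form_state, $node) {
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  return confirm_form($form,
    t('Delete %title?', array('%title' => $node->title)),
    'node/' . $node->nid);
}

// Submit handler: only reached after Form API validated the token.
function csrfdemo_delete_confirm_form_submit($form, &$form_state) {
  node_delete($form_state['values']['nid']);
  $form_state['redirect'] = '<front>';
}

// Builds the link for pattern 2. The token is bound to the session and to
// the nid, so a token copied from one node does not work for another.
function csrfdemo_delete_link($node) {
  return l(t('Delete'), 'csrfdemo/delete-link/' . $node->nid, array(
    'query' => array('token' => drupal_get_token('csrfdemo-delete-' . $node->nid)),
  ));
}

// Callback for pattern 2: refuse the request unless the token matches.
function csrfdemo_delete_tokenized($node) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'csrfdemo-delete-' . $node->nid)) {
    return MENU_ACCESS_DENIED;
  }
  node_delete($node->nid);
  drupal_goto('<front>');
}
```

The third route is the one to use when a confirmation form is not wanted (an AJAX "delete" button, for instance); the value passed to drupal_get_token() and drupal_valid_token() must be the same string, and including the nid in it keeps one token from being replayed against a different object.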
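The "filter on output" rules of slides 38 to 41, with the two vulnerable lines from slide 41 next to their filtered versions. This is an added example, not code from the slides or from Drupal; it assumes a bootstrapped Drupal 7 site, and $user_data stands for any untrusted string (a query parameter, a field value, a node title typed by a user). The function names are assumptions for illustration.

```php
<?php
// Added example (assumed Drupal 7 environment; function names are
// assumptions for illustration).

// VULNERABLE (slide 41): untrusted strings printed as HTML unchanged.
// drupal_set_message() outputs its argument as markup, and string
// concatenation into $output is exactly "$output .= $node->title;".
function xssdemo_render_unsafe($user_data, $node) {
  drupal_set_message($user_data);
  $output = '<h2>' . $node->title . '</h2>';
  $output .= '<p>' . $user_data . '</p>';
  return $output;
}

// SAFE: pick the filter that fits the output context (slides 38 and 39).
function xssdemo_render_safe($user_data, $node) {
  // check_plain(): escape everything; the browser renders it as text.
  drupal_set_message(check_plain($user_data));

  // t(): "@" placeholders are run through check_plain(), "%" placeholders
  // are escaped and wrapped in <em>, "!" placeholders are inserted raw and
  // must only ever receive strings that were already filtered.
  $output = '<h2>' . t('Title: @title', array('@title' => $node->title)) . '</h2>';

  // filter_xss(): keep a short whitelist of harmless tags, strip the rest.
  $output .= '<p>' . filter_xss($user_data, array('a', 'em', 'strong')) . '</p>';

  // check_markup(): apply the text format the author was allowed to use
  // when the content was saved, never a format chosen at render time.
  $body = field_get_items('node', $node, 'body');
  if ($body) {
    $output .= check_markup($body[0]['value'], $body[0]['format']);
  }

  // drupal_set_title() escapes by default (CHECK_PLAIN); PASS_THROUGH is
  // only for strings you filtered yourself.
  drupal_set_title(t('Viewing @title', array('@title' => $node->title)));

  // l() escapes the link text for you (slide 39 lists it as "free").
  $output .= l($node->title, 'node/' . $node->nid);
  return $output;
}

// Form API (slide 41): #title is passed through filter_xss_admin() by the
// element theme functions, but #description, #markup, #prefix/#suffix and the
// option labels of checkboxes and radios are printed as they are, so filter
// user-supplied strings before placing them there.
function xssdemo_form($form, &$form_state, $user_data) {
  $form['choice'] = array(
    '#type' => 'radios',
    '#title' => t('Pick one'),
    '#options' => array(
      'a' => check_plain($user_data),
      'b' => t('Other'),
    ),
    '#description' => filter_xss($user_data),
  );
  return $form;
}
```

The decision on which filter to use is made at the place where the string leaves the application, not where it arrives (slide 34's developer validated input and still shipped an XSS): the same $node->title is check_plain()'d for an HTML page, but would need a different treatment in a mail or a shell context.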
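The access bypass checks of slides 48 to 52 ("check before showing the feature, check before taking action"; menu access callbacks, node_access(), the node_access query tag, hook_permission()/user_access(), #access) as Drupal 7 module code. This is an added example, not code from the slides or from Drupal; it assumes a bootstrapped Drupal 7 site, and the module name accessdemo, its permission, paths and function names are assumptions for illustration.

```php
<?php
// Added example (assumed Drupal 7 environment; module name "accessdemo",
// permission name, paths and function names are assumptions).

/**
 * Implements hook_permission(): declare the permission the menu entries and
 * user_access() calls below refer to (slide 52).
 */
function accessdemo_permission() {
  return array(
    'view accessdemo reports' => array('title' => t('View accessdemo reports')),
  );
}

/**
 * Implements hook_menu(): checking happens when the menu callback is found
 * (slide 50), before the page callback is ever called.
 */
function accessdemo_menu() {
  $items = array();

  // VULNERABLE (slide 51): 'access callback' => TRUE lets everyone, including
  // anonymous users, reach the page. The callback would have to do all the
  // checking itself, and this one does not.
  $items['accessdemo/report-unsafe'] = array(
    'title' => 'Report (unsafe)',
    'page callback' => 'accessdemo_report',
    'access callback' => TRUE,
  );

  // SAFE: name the permission and let the menu system enforce it. The default
  // access callback is user_access().
  $items['accessdemo/report'] = array(
    'title' => 'Report',
    'page callback' => 'accessdemo_report',
    'access arguments' => array('view accessdemo reports'),
  );

  // Per-object check: the tab is only shown for nodes the user may view.
  $items['node/%node/accessdemo'] = array(
    'title' => 'Access demo',
    'page callback' => 'accessdemo_node_page',
    'page arguments' => array(1),
    'access callback' => 'node_access',
    'access arguments' => array('view', 1),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

// Listing nodes: the 'node_access' tag makes node grants apply to the query,
// so the list only contains nodes the current user may view. Without it the
// page leaks titles of private content ("see something they shouldn't see").
function accessdemo_report() {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', 1)
    ->addTag('node_access');
  $rows = array();
  foreach ($query->execute() as $record) {
    $rows[] = array(l($record->title, 'node/' . $record->nid));
  }
  return theme('table', array('header' => array(t('Title')), 'rows' => $rows));
}

// Check before taking action, even though the menu system already checked
// before showing the link: the same function may be reached another way.
function accessdemo_node_page($node) {
  if (!node_access('view', $node)) {
    return MENU_ACCESS_DENIED;
  }
  return '<p>' . t('Report for @title', array('@title' => $node->title)) . '</p>';
}

// #access on the form and on single elements (slide 51) hides the feature
// from users who lack the right, and Form API ignores submitted values for
// elements whose #access is FALSE, so hiding and refusing go together.
function accessdemo_form($form, &$form_state, $node) {
  $form['#access'] = node_access('update', $node);
  $form['publish'] = array(
    '#type' => 'checkbox',
    '#title' => t('Published'),
    '#access' => user_access('administer nodes'),
  );
  return $form;
}
```

The two places to check line up with slide 48: the menu access callback and #access decide whether a feature is shown, and the explicit node_access() and the query tag decide what happens once the code runs. Checking only in the theme layer (the last step on slide 50) hides the link but leaves the action reachable.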
