The document discusses protecting a website from cross-site request forgery (CSRF) attacks. It describes how CSRF works by tricking a victim's browser into making requests to a target site on behalf of an attacker. The document recommends using tokens or nonces to validate that requests are intentionally sent by the user and not generated by another site. It also provides resources for learning more about CSRF prevention, security training, and getting security audits for Drupal sites.

1. Protect your site from CSRF
Greg Knaddison
@greggles
greg.knaddison@acquia.com
Tuesday, May 15, 2012

2. US$15 on Kindle, US$26 paperback
Tuesday, May 15, 2012

3. Protect your site from XSS
Tuesday, May 15, 2012

4. Protect your site from XSS
Tuesday, May 15, 2012

5. drupalgovdays.org
munich2012.drupal.org
groups.drupal.org/camps
Tuesday, May 15, 2012

6. Drupal Vulnerabilities by type
12%
7%
4%
3% 48%
10%
16%
XSS Access Bypass CSRF
Authentication/Session Arbitrary Code Execution SQL Injection
Others
reported in core and contrib SAs from 6/1/2005 through 3/24/2010
Tuesday, May 15, 2012

7. BTW on XSS
http://acquia.com/node/2022266
Tuesday, May 15, 2012

8. Acquia Security Training
12%
• Journey into mind of an attacker 7%
• Preventing spam and brute force attacks 4%
3% 48%
• XSS 10%
• Access bypass 16%
• CSRF
• SQL Injection
• Over 81% of Drupal vulnerabilities
• Hands-on attacking and fixing a Drupal 7 site
• Group review of possible fixes
• How to perform automated security scans
Tuesday, May 15, 2012

9. Think like an attacker
how does an attacker think?
Tuesday, May 15, 2012

10. Think like the attacker
• “Solving problems” - just like you
• Using HTTP, Javascript, PHP - just like you
• But her problems are different...
Tuesday, May 15, 2012

11. Think like the attacker
• “Solving problems” - just like you
• Using HTTP, Javascript, PHP - just like you
• But her problems are different...
Tuesday, May 15, 2012

12. What is CSRF?
Cross Site Request Forgery
Tuesday, May 15, 2012

13. CSRF - Cross site Request Forgery
• Action performed on the site
• May confirm access/authorization
• Fails to confirm intent
But how does a computer know my intent?
Tuesday, May 15, 2012

14. Typical Page Request
/user/delete/7
Drupal HTML Visitor
sid
Tuesday, May 15, 2012

15. Typical Page Request
/user/delete/7
Drupal HTML Visitor
sid
Oh, you are
greggles
Tuesday, May 15, 2012

16. Cross Site Request Forgery
HTML
Drupal Victim
sid
Tuesday, May 15, 2012

17. Cross Site Request Forgery
Attacker
HTML
Drupal Victim
sid
Tuesday, May 15, 2012

18. Cross Site Request Forgery
Attacker
HTML
Drupal Victim
trick!
sid
Tuesday, May 15, 2012

19. CSRF and session life time
“Each employee spent only 11 minutes on any given
project before being interrupted and whisked off to do
something else. What's more, each 11-minute project was
itself fragmented into even shorter three-minute tasks, like
answering e-mail messages, reading a Web page or
working on a spreadsheet.”
Meet the Life Hackers
NY Times October 16, 2005
www.nytimes.com/2005/10/16/magazine/16guru.html
Tuesday, May 15, 2012

20. How do you trick someone into visiting a url?
• Email
• Twitter
• Facebook Attacker
• Short urls
• Web page with img, javascript trick!
• Ask them to type it in
• Etc.
Tuesday, May 15, 2012

21. User intent?
• Confirm identity
• Confirm you really asked
• Look at the person
• Facial expression, tone
• Ask them to repeat
• Ask for a secret
Tuesday, May 15, 2012

22. User intent?
• Secret to the site
• Specific to the user
• Specific to the action
• One-way-hash
Can be re-calculated
by the site.
Tuesday, May 15, 2012

23. Typical Page Request
/user/delete/7?token= e416c8d447.......cbdec84
HTML
Drupal Visitor
sid
you are greggles token
you have intent
Tuesday, May 15, 2012

24. Cross Site Request Forgery
HTML
Drupal Victim
sid
403: where is
your intent?
Tuesday, May 15, 2012

25. Cross Site Request Forgery
Attacker
HTML
Drupal Victim
sid
403: where is
your intent?
Tuesday, May 15, 2012

26. Cross Site Request Forgery
Attacker
HTML
Drupal Victim
trick!
sid
403: where is
your intent?
Tuesday, May 15, 2012

27. Demo: CSRF
simple
tricky
Tuesday, May 15, 2012

28. Preventing CSRF
Tuesday, May 15, 2012

29. Identifying CSRF in the wild
• Look at links & forms
• Live HTTP Headers, Tamper Data, Chrome tools,
• menu call back with an action verb and not
drupal_get_form
• directly use $_POST, $_GET, arg(), menu object to take
an action
• not using form_submit OR drupal_get_token
Tuesday, May 15, 2012

30. Preventing CSRF
• Just use the form API
Links and Ajax without FAPI:
• Request:
'query' = array('token' => drupal_get_token('my_id');
• Processing:
if (!drupal_valid_token($_GET['token'], 'my_id')) {
• More: http://drupalscout.com/node/20
Tuesday, May 15, 2012

31. Next steps
Tuesday, May 15, 2012

32. Acquia Security Audits
• 1 week engagement
• Manual and automated
• Static code analysis
• Penetration testing of interface
• Report:
- prioritized list of vulnerabilities
- mitigation recommendations
Tuesday, May 15, 2012

33. Resources
• Drupal Scout CSRF: drupalscout.com/tags/csrf
• Security Training:
- training.acquia.com/developing-drupal/security
• Acquiaʼs Knowledge Base: library.acquia.com
• Security checks via acquia.com/insight
• groups.drupal.org/best-practices-drupal-security
Any questions? ?
Tuesday, May 15, 2012