Downloaded 22 times
Uploaded byknaddison
Drupal Security for Coders and Themers - XSS and CSRF
The document discusses security vulnerabilities in Drupal sites and provides recommendations to address them. It notes that sites are vulnerable to issues like cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks that could allow altering or stealing data. It recommends steps for developers and themers to check for vulnerabilities, including reviewing code for unsafe variables, validating user inputs, and using tokens for requests. Resources are also listed for learning more about Drupal security best practices.
More Related Content
![José Ramón Palanco - NoSQL Security [RootedCON 2011]](https://cdn.slidesharecdn.com/ss_thumbnails/rooted-nosqlsecurity-110307132650-phpapp02-thumbnail.jpg?width=640&height=640&fit=bounds)
Drupal Security for Coders and Themers - XSS and CSRF
- 1. Your site isvulnerable. (really, it is)
- 2. I want you:To see the vulnerabilities
- 3. Disney Princess Castle!
- 4.
- 5.
- 6. Drupaler for 4years
- 7.
- 8. Help with lotsof d.o
- 9. 20+ modules (Pathauto,token)
- 10.
- 11.
- 12.
- 13.
- 14. "Cracking Drupal isprobably going to be the first Drupal book I buy." - Angie 'webchick' Byron Wrote a book Or 40% off with Wiley coupon.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 23. Your site isvulnerable. You can make it safer.
- 24. “ A siteis secure if private data is kept private, the site cannot be forced offline or into a degraded mode by a remote visitor, the site resources are used only for their intended purposes, and the site content can be edited only by appropriate users.” Some guy – Cracking Drupal chapter 1
- 25.
- 26.
- 27.
- 28. Worry in aprioritized way.
- 29.
- 30.
Editor's Notes
- #2 Maybe you don't know it, but it is.
- #7 I'm pretty awesome.
- #8 It's pretty awesome.
- #9 Damn, they're really awesome.
- #10 Your site has some vulnerabilities in it somewhere – given enough time/effort someone could break in.
- #13 DO NOT LIKE Resources: * DDOS * Mail forwarding for spam * Bot network Stealing data * E-mails * Username/passwords * Worse? (credit card, ssn, etc.) Altering data * Homepage defacement * Changing prices in e-commerce * Deleting content http://www.flickr.com/photos/piez/995290158/
- #14 Being educated about security lets you know what to worry about. http://www.flickr.com/photos/filipamachado/3249193904/
- #15 XSS is the worst! Only for vulnerabilities fixed from d.o security team process, but anecdotally we know XSS is the worst! What about real world? Most people don't want to report their weaknesses.
- #16 XSS is the worst! Only for vulnerabilities fixed from d.o security team process, but anecdotally we know XSS is the worst! What about real world? Most people don't want to report their weaknesses.
- #17 For the Irving Berlin fans out there Javascript can do everything that you can do on the site. If you are logged in as an admin user, it can edit any users password, change permissions, etc.
- #18 2. Demonstrate weak code. XSS is from “user input” - ALL user input! Including browser user agent! ### SETUP NOTES: 1. Install browscap and monitor user agents 2. Setup firefox useragent switcher with a useragent like <script>$(&quot;body&quot;).replaceWith(&quot;<h1>now what</h1>?&quot;);</script>
- #20 tpl.php and default theme_* implementations will show where to use check_plain etc. Good developers should know when/where/how to filter text, let them worry about it and hand you simple variables via preprocess functions.
- #21 Whenever you deal with assembling bits of text for output consider these three questions. Answers will determine whether any filtering is required. User agent in http request to include a file?
- #22 Data comes in from 'you' (or a malicious user) Goes to MySQL in some queries, MySQL returns data Data is returned to you What are the “Contexts” in this page request flow? MySQL context in step 2 Your browser in step 4
- #23 Steven Wittens wrote this up way better than anyone else. If you don't have an hour and don't have a themer or developer...use the cheat sheet
- #24 You deal with a string Input comes in, any yes answer drops down, HTML output at the bottom. Sometimes we use the underlying function like check_url via a convenience function like l(). Ditto check_plain via t(). Rich text may contain html, may contain Wiki formatting. Trusted text is way less than 1% of the text on a site.
- #25 3 rd most common, 2 nd hardest to “solve”
- #26 User Protect module http://drupal.org/node/623162 Enable Go to admin/user/userprotect View Delete problem Create a node with <img src=” http://6d.local/userprotect/delete/1/user “> or a tinyurl or...or be sure to fix the “smart quotes” Refresh admin/user/userprotect – no longer protected!