drupal security dive into the code
Posted on 08-May-2015
Dive into Drupal Security
@greggles
Friday, May 18, 2012
Greg Knaddison
Pair programmer
@greggles
Acquian
Drupal Security Team
US$15 on Kindle, US$26 paperback: crackingdrupal.com
Agenda
Overview
Warm up
CSRF, XSS, SQLi code
think like a diver
be the attacker
Say hello to $user_data
Drupal vulnerabilities by type
reported in core and contrib SAs from 6/1/2005 through 3/24/2010
XSS: 48%
Access Bypass: 16%
CSRF: 10%
Authentication/Session: 3%
Arbitrary Code Execution: 4%
SQL Injection: 7%
Others: 12%
Eddy Out: Definitions
A1 - Injection
A2 - XSS
A3 - Broken Authentication and Session Mgmt
A4 - Insecure Direct Object References
A5 - Cross Site Request Forgery
A6 - Security Misconfiguration
A7 - Insecure Cryptographic Storage
A8 - Failure to Restrict URL Access
A9 - Insufficient Transport Layer Protection
A10 - Unvalidated Redirects and Forwards
Eddy Out: Freebies
A3 - Broken Authentication and Session Mgmt
A7 - Insecure Cryptographic Storage
A9 - Insufficient Transport Layer Protection
But don’t stop at the top 10...or today’s 3
The basics: toes in the water
Security Review module
Free
Automated check of configurations
drupal.org/project/security_review
Demo
http://crackingdrupal.com/n/32
Captaining your ship
ssh or sftp, but never ftp
shared wifi? https if you can, vpn if you can’t
Least privilege
Audit roles
Stay up to date
Seriously
Modernize your vessel
Update module (can email you)
Mailing list
@drupalsecurity
rss: d.o/security/ d.o/security/contrib etc.
Head for the lifeboats
Have backups
Test them periodically
Be able to restore them
Sanitize before traveling with them
http://crackingdrupal.com/n/53
XSS (aka Cross Site Scripting)
code in browser using your session
XSS
Code
Running in your browser
Using your cookies on your site
Requesting, sending, reading responses
Browser context
Does that sound familiar?
Ajax
[diagram: Drupal serves HTML and JS to the User]
Cross Site Scripting
= Bad
[diagram: the Attacker's JS goes into Drupal, which then serves HTML and that JS to the Victim]
Validate input
“Why would I ever want javascript in a node title?”
- a developer who forgot to filter on output
Validate input
Is it an email?
Is it a nid (right type? that they have access to?)
Is this my beautiful wife?
Is this my beautiful house?
Validation is NOT filtering
Validation is “yes or no” - user fixes it
Filter on output
“output”
“filter”
“on”
Output Contexts
Mail context
Database context
Web context
Server context
http://acko.net/blog/safe-string-theory-for-the-web
Filtering XSS
Input untrusted data
Output browser appropriate data
check_plain, check_markup
filter_xss, filter_xss_admin
free: l(), t() @ and %, drupal_set_title
Template:
html html blah html <?php print $node_title; ?> html
With a malicious title printed unfiltered:
html html blah html <script>alert('xss');</script> html
After filtering the tags on output (only the text is left):
html html blah html alert('xss'); html
Are you my XSS?
drupal_set_message($user_data);
$output .= $node->title;
FAPI checkboxes, radios, descriptions, etc.
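As an added example (not from the slides), stand-alone PHP that mirrors what Drupal 7's check_plain() and the @/% placeholders of t() do, so the "filter on output" rule from the two previous slides can be tried without a Drupal bootstrap; the _like function names and the test loop are this example's own, and the payloads are the two from the next slide.

```php
<?php
// Added example (not from the slides): stand-alone PHP that mirrors what Drupal 7's
// check_plain() and the @/% placeholders of t() do, so "filter on output" can be
// exercised without a Drupal bootstrap. Function names ending in _like are stand-ins.

// Drupal 7's check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8.
function check_plain_like($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}
// Stand-in for t(): @var is escaped, %var is escaped and emphasised,
// !var is passed through raw (never use that one for untrusted data).
function t_like($string, array $args = array()) {
    foreach ($args as $key => $value) {
        if ($key[0] === '@') {
            $args[$key] = check_plain_like($value);
        } elseif ($key[0] === '%') {
            $args[$key] = '<em class="placeholder">' . check_plain_like($value) . '</em>';
        }
    }
    return strtr($string, $args);
}

// The "$output .= $node->title;" pattern from the "Are you my XSS?" slide, unfiltered...
function render_title_unsafe($title) {
    $output = '<h1>';
    $output .= $title;   // untrusted data straight into the web context
    return $output . '</h1>';
}

// ...and the same markup with the title filtered on output.
function render_title_safe($title) {
    return '<h1>' . check_plain_like($title) . '</h1>';
}

// The two payloads from the "Identifying XSS" slide, used as constructed test input.
$payloads = array(
    "<script>alert('xss');</script>",
    '<img src="asdf.png" onerror="alert(\'xss\')">',
);

foreach ($payloads as $user_data) {
    // An executable tag survives only in the unfiltered version.
    foreach (array('unsafe' => render_title_unsafe($user_data),
                   'safe'   => render_title_safe($user_data)) as $label => $html) {
        printf("%-6s keeps a live tag: %s\n", $label, preg_match('/<(script|img)\b/i', $html) ? 'yes' : 'no');
    }
    // drupal_set_message($user_data) has the same problem; route it through t() placeholders.
    echo t_like('Saved title %title for @user', array('%title' => $user_data, '@user' => 'greggles')), "\n";
}
```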
Identifying XSS
<script>alert('xss');</script>
<img src="asdf.png" onerror="alert('xss')">
Deep Dive on XSS
XSS Resources
http://drupalscout.com/tags/xss
SQL Injection
User modified data
Included into a query
Without filtering
PHP wrapping a query that includes $user_data:
php php sql $user_data php php
The same query once $user_data carries a payload:
php php sql '';delete from users; php php
Fixing SQL Injection
“Use Drupal’s database API”
Placeholders
DBTNG, ORM, Methods (not that complex)
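As an added example (not from the slides), the "sql $user_data" query built two ways against an in-memory SQLite database so the difference a placeholder makes can be seen directly; it assumes the pdo_sqlite extension, and the users table, its rows and the function names are constructed for the demo.

```php
<?php
// Added example (not from the slides): the "sql $user_data" query from the slides built
// two ways against an in-memory SQLite database (needs the pdo_sqlite extension).
// The placeholder form is what Drupal 7's db_query(':name', ...) and
// db_select()->condition() do for you through DBTNG.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('admin'), ('O''Brien')");   // constructed rows

// Vulnerable: user-modified data included into the query without filtering.
function find_user_unsafe(PDO $db, $user_data) {
    $sql = "SELECT uid, name FROM users WHERE name = '$user_data'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value travels separately from the SQL text, so it can only ever be data.
function find_user_safe(PDO $db, $user_data) {
    $stmt = $db->prepare('SELECT uid, name FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $user_data));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$inputs = array(
    "O'Brien",                // a legitimate name that happens to contain a quote
    "'';delete from users;",  // the payload shown on the slide
);

foreach ($inputs as $user_data) {
    $shown = var_export($user_data, true);
    try {
        printf("unsafe %-24s -> %d row(s)\n", $shown, count(find_user_unsafe($db, $user_data)));
    } catch (PDOException $e) {
        // The quote in the data became part of the SQL grammar; an injection payload
        // crosses exactly that boundary, so this error is the symptom to look for in logs.
        printf("unsafe %-24s -> SQL error: %s\n", $shown, $e->getMessage());
    }
    printf("safe   %-24s -> %d row(s)\n", $shown, count(find_user_safe($db, $user_data)));
}

// Whatever the input was, the placeholder version has left the table intact.
printf("users remaining: %d\n", $db->query('SELECT COUNT(*) FROM users')->fetchColumn());
```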
Dive on SQL Injection
CSRF: Cross Site Request Forgery
Taking action without confirming intent.
How do we confirm intent?
WTF is intent?
<a href="/delete/user/1">Delete user 1</a>
<a href="/delete/1">Delete user 1</a>
<img src="/delete/1">
CSRF Flow
[diagram 1: the Victim requests /user from Drupal, sending the session cookie; Drupal returns html]
[diagram 2: the Victim requests node/1; Drupal returns html]
[diagram 3: the Victim requests node/1 and gets html; the browser then fetches the page's js (jquery.js), css (foo.css), etc.; one of those requests is delete/1, sent with the cookie, and the object is deleted in the db]
How do you exploit it?
URL Shorteners
<img src="http://example.com/delete/2">
Send a message to a site admin
What is my email address or twitter?
Are you my CSRF?
menu callback with an action verb and not drupal_get_form
directly use $_POST, $_GET, arg(), menu object
not using form_submit OR drupal_get_token
Tokens (aka nonce)
Form API includes tokens by default
do form, form_validate, form_submit
don’t $_POST
OR: drupal_get_token, drupal_valid_token
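As an added example (not from the slides), a stand-alone mirror of how Drupal 7's drupal_get_token() / drupal_valid_token() bind a token to the session and a site-private key, and of the check a "delete/1" callback must make before acting; the function names, session ids and private key are constructed, and it assumes PHP 5.6 or later for hash_equals().

```php
<?php
// Added example (not from the slides): a stand-alone mirror of how Drupal 7's
// drupal_get_token() / drupal_valid_token() bind a token to the current session and a
// site-private key, plus the check a "delete/1" menu callback must make before acting.
// Function names and the session/key values are constructed (PHP >= 5.6 for hash_equals).

// Equivalent of drupal_get_token($value): an HMAC over the token's purpose, keyed with
// the session id plus the site's private key (Drupal 7 also mixes in the hash salt).
function get_token($value, $session_id, $private_key) {
    return hash_hmac('sha256', $value, $session_id . $private_key);
}

// Equivalent of drupal_valid_token($token, $value), with a constant-time comparison.
function valid_token($token, $value, $session_id, $private_key) {
    return hash_equals(get_token($value, $session_id, $private_key), (string) $token);
}

// The link a page emits: the token is bound to the exact action it authorises.
function delete_link($uid, $session_id, $private_key) {
    $token = get_token("delete-user-$uid", $session_id, $private_key);
    return "/delete/$uid?token=" . rawurlencode($token);
}

// The menu callback: confirm intent first, act only afterwards.
function delete_callback($uid, array $query, $session_id, $private_key) {
    if (!isset($query['token']) || !valid_token($query['token'], "delete-user-$uid", $session_id, $private_key)) {
        return "403 Forbidden: no valid token for deleting user $uid";
    }
    return "deleted user $uid";
}

// Pull the ?token=... part of a link back into an array, as the callback would see $_GET.
function query_of($url) {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    return $q;
}

$private_key    = 'constructed-site-private-key';
$victim_session = 'sess-victim-abc123';

// 1. Link rendered inside the victim's own page and followed by the victim.
echo delete_callback(1, query_of(delete_link(1, $victim_session, $private_key)), $victim_session, $private_key), "\n";
// 2. A forged <img src="/delete/1">: the cookie is sent, but the request carries no token.
echo delete_callback(1, array(), $victim_session, $private_key), "\n";
// 3. A token minted under a different session does not transfer to the victim's session.
echo delete_callback(1, query_of(delete_link(1, 'sess-other-999', $private_key)), $victim_session, $private_key), "\n";
// 4. A token that is valid, but for a different action, does not authorise this one.
$other = array('token' => get_token('delete-user-2', $victim_session, $private_key));
echo delete_callback(1, $other, $victim_session, $private_key), "\n";
```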
Deep Dive on CSRF
CSRF Resources
http://drupalscout.com/tags/csrf
Resources
drupal.org/security
groups.drupal.org/best-practices-drupal-security
drupalscout.com
acquia.com
crackingdrupal.com
Thanks! Questions?
Contact: @greggles
greg.knaddison@acquia.com