Drupal Security: Dive Into the Code

Post on 08-May-2015

DESCRIPTION

Drupal Security Dive Into the Code - this presentation looks at cross site scripting (xss), sql injection, and cross site request forgeries (csrf) in Drupal. The presentation was given at DrupalGovDays in Washington DC May 18, 2012.

TRANSCRIPT

Greg Knaddison

Pair programmer

@greggles

Acquian

Drupal Security Team

Friday, May 18, 2012

US$15 on Kindle, US$26 paperback: crackingdrupal.com

Overview

Warm up

CSRF, XSS, SQLi code

Agenda

think like a diver

be the attacker

Say hello to $user_data

Drupal vulnerabilities by type (reported in core and contrib SAs from 6/1/2005 through 3/24/2010):

XSS: 48%

Access Bypass: 16%

CSRF: 10%

Authentication/Session: 3%

Arbitrary Code Execution: 4%

SQL Injection: 7%

Others: 12%

Eddy Out: Definitions

A1 - Injection

A2 - XSS

A3 - Broken Authentication and Session Mgmt

A4 - Insecure Direct Object References

A5 - Cross Site Request Forgery

Eddy Out: Definitions

A6 - Security Misconfiguration

A7 - Insecure Cryptographic Storage

A8 - Failure to Restrict URL Access

A9 - Insufficient Transport Layer Protection

A10 - Unvalidated Redirects and Forwards

Eddy Out: Freebies

A3 - Broken Authentication and Session Mgmt

A7 - Insecure Cryptographic Storage

A9 - Insufficient Transport Layer Protection

But don’t stop at the top 10...or today’s 3

The basics: toes in the water

Security Review module

Free

Automated check of configurations

drupal.org/project/security_review

Demo

http://crackingdrupal.com/n/32

Captaining your ship

ssh or sftp, but never ftp

shared wifi? https if you can, vpn if you can’t

Least privilege

Audit roles

Stay up to date

Seriously

Modernize your vessel

Update module (can email you)

Mailing list

@drupalsecurity

RSS: d.o/security/, d.o/security/contrib, etc.

Head for the lifeboats

Have backups

Test them periodically

Be able to restore them

Sanitize before traveling with them

http://crackingdrupal.com/n/53

XSS, aka Cross Site Scripting

code in browser using your session

XSS

Code

Running in your browser

Using your cookies on your site

Requesting, sending, reading responses

Browser context

Does that sound familiar?

[Diagram: normal Ajax flow: Drupal sends HTML and JS to the User's browser]

[Diagram: Cross Site Scripting = Bad: the Attacker's JS arrives inside Drupal's HTML and runs as JS in the Victim's browser]

Validate input

“Why would I ever want javascript in a node title?”

-developer who forgot to filter on output

Validate input

Is it an email?

Is it a nid (right type? that they have access to?)

Is this my beautiful wife?

Is this my beautiful house?

Validation is NOT filtering

Validation is “yes or no” - user fixes it

Filter on output

(each word stressed in turn: "output", "filter", "on")

Output Contexts

Mail context

Database context

Web context

Server context

http://acko.net/blog/safe-string-theory-for-the-web

Filtering XSS

Input untrusted data

Output browser appropriate data

check_plain, check_markup

filter_xss, filter_xss_admin

free (already escaped for you): l() link text, t() with @ and % placeholders, drupal_set_title()

A template that prints the node title unfiltered:

html html blah html <? print $node_title ?> html

What the browser receives when the title holds a script tag (the script runs):

html html blah html <script>alert('xss');</script> html

The same title escaped (what check_plain() produces; the tag is displayed as text):

html html blah html &lt;script&gt;alert('xss');&lt;/script&gt; html

The same title with tags stripped (what filter_xss() produces):

html html blah html alert('xss'); html

Are you my XSS?

drupal_set_message($user_data);

$output .= $node->title;

FAPI checkboxes, radios, descriptions, etc.

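The three patterns above beside their filtered forms, as an added example in Drupal 7 code (not code from the presentation; $user_data, $node, $output, $block_content and $form are assumed to exist in the surrounding code):

```php
<?php
// Added example (Drupal 7 API), not from the slides. Each unfiltered pattern
// is shown next to its output-filtered form. $user_data is assumed to be an
// untrusted string (a query parameter, a submitted field); $node, $output,
// $block_content and $form are assumed to exist in the surrounding code.

// 1. drupal_set_message() prints its argument as HTML.
drupal_set_message($user_data);                                        // XSS
drupal_set_message(t('Saved %name.', array('%name' => $user_data)));   // % and @ placeholders are escaped

// 2. Concatenating into markup.
$output .= $node->title;                        // XSS: a title can contain <script>
$output .= check_plain($node->title);           // escaped: &lt;script&gt; is shown as text
// When some markup must survive, strip rather than escape:
$output .= filter_xss($user_data);              // keeps only a small whitelist of tags
$output .= filter_xss_admin($block_content);    // wider whitelist for admin content, still no script

// 3. Form API: #title, #description and #options labels are rendered as HTML,
//    so user data placed in them needs the same treatment.
$form['colour'] = array(
  '#type' => 'radios',
  '#title' => t('Colour'),
  '#options' => array('custom' => check_plain($user_data)),
  '#description' => t('Suggested by @who.', array('@who' => $user_data)),
);
```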

Identifying XSS

<script>alert('xss');</script>

<img src="asdf.png" onerror="alert('xss')">

Deep Dive on XSS

XSS Resources

http://drupalscout.com/tags/xss

SQL Injection

User modified data

Included into a query

Without filtering

User-modified data spliced into the query string inside PHP:

php ... sql $user_data ... php

The same query when the user supplies a value that closes the string and appends a statement:

php ... sql '';delete from users; ... php

Fixing SQL Injection

“Use Drupal’s database API”

Placeholders

DBTNG, ORM, Methods (not that complex)

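The unfiltered query from the slides next to the two database-API fixes named above, as an added example in Drupal 7 code (not code from the presentation; $user_data is an assumed untrusted value):

```php
<?php
// Added example (Drupal 7 database API), not from the slides. $user_data is
// assumed to hold an untrusted value such as a URL argument; {users} is
// core's users table.

// Vulnerable: the value is spliced into the SQL string, so a value like
//   '';delete from users;
// (the slide's example) becomes part of the statement.
$result = db_query("SELECT uid, name FROM {users} WHERE name = '" . $user_data . "'");

// Fixed 1: placeholders. The value travels separately from the statement,
// so quotes and semicolons in it cannot change the statement. (Drupal 6
// equivalent: db_query("... WHERE name = '%s'", $user_data).)
$result = db_query("SELECT uid, name FROM {users} WHERE name = :name",
  array(':name' => $user_data));

// Fixed 2: the query builder (DBTNG). Every condition is parameterised and
// the operator belongs to the method call, not to user data.
$result = db_select('users', 'u')
  ->fields('u', array('uid', 'name'))
  ->condition('u.name', $user_data)
  ->execute();

// Placeholders cover values only. A user-chosen column name, sort direction
// or LIMIT must be checked against a whitelist before it touches the query.
$allowed = array('uid', 'name', 'created');
$sort = in_array($user_data, $allowed, TRUE) ? $user_data : 'created';
$result = db_select('users', 'u')
  ->fields('u', array('uid', 'name'))
  ->orderBy('u.' . $sort)
  ->execute();

$output = array();
foreach ($result as $row) {
  $output[] = check_plain($row->name);   // and still filter on output
}
```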

Dive on SQL Injection

CSRF: Cross Site Request Forgery

Taking action without confirming intent.

How do we confirm intent?

WTF is intent?

<a href="/delete/user/1">Delete user 1</a>

<a href="/delete/1">Delete user 1</a>

<img src="/delete/1">

[CSRF flow diagram 1: the Victim visits /user on Drupal; Drupal returns html and sets a cookie]

[CSRF flow diagram 2: the Victim requests node/1; Drupal returns html]

[CSRF flow diagram 3: the Victim requests node/1; the html pulls in js (jquery.js), css (foo.css), etc., and also delete/1; the browser sends the cookie with that request as well, so the object is deleted in the db]

How do you exploit it?

URL Shorteners

<img src="http://example.com/delete/2">

Send a message to a site admin

What is my email address or twitter?

Are you my CSRF?

menu callback with an action verb and not drupal_get_form

directly use $_POST, $_GET, arg(), menu object

not using form_submit OR drupal_get_token

Tokens (aka nonce)

Form API includes tokens by default

do form, form_validate, form_submit

don’t $_POST

OR: drupal_get_token, drupal_valid_token

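The "Are you my CSRF?" pattern beside both fixes from the slide (Form API with its built-in token, and drupal_get_token/drupal_valid_token for a plain link), as an added example in Drupal 7 code, not code from the presentation; "mymodule", its paths and mymodule_thing_delete() are assumed:

```php
<?php
// Added example (Drupal 7), not from the slides. Hypothetical module
// "mymodule"; mymodule_thing_delete() is assumed to remove the record.
function mymodule_menu() {
  $items = array();
  // Vulnerable: a GET to mymodule/delete/5 deletes item 5, so any page the
  // admin views can trigger it with <img src="...">, as the slides show.
  $items['mymodule/delete/%'] = array('page callback' => 'mymodule_delete_page',
    'page arguments' => array(2), 'access arguments' => array('administer things'));
  // Fixed (preferred): route through drupal_get_form(). Form API adds a
  // form_token, and the delete runs only in the submit handler.
  $items['mymodule/%/delete'] = array('page callback' => 'drupal_get_form',
    'page arguments' => array('mymodule_delete_confirm', 1),
    'access arguments' => array('administer things'));
  // Fixed (when a form is impractical): require a token in the URL.
  $items['mymodule/%/delete-now'] = array('page callback' => 'mymodule_delete_now_page',
    'page arguments' => array(1), 'access arguments' => array('administer things'));
  return $items;
}

function mymodule_delete_page($id) {
  mymodule_thing_delete($id);                 // CSRF: acts on a bare GET, no token
  return t('Deleted.');
}

function mymodule_delete_confirm($form, &$form_state, $id) {
  $form['id'] = array('#type' => 'value', '#value' => $id);
  return confirm_form($form, t('Delete item %id?', array('%id' => $id)), 'mymodule');
}

function mymodule_delete_confirm_submit($form, &$form_state) {
  mymodule_thing_delete($form_state['values']['id']);
  $form_state['redirect'] = 'mymodule';
}

// Token variant: drupal_get_token() ties the token to the session and to
// this $id, so a URL forged on another site cannot carry a valid one.
function mymodule_delete_now_link($id) {
  $token = drupal_get_token('mymodule_delete_' . $id);
  return l(t('Delete'), "mymodule/$id/delete-now", array('query' => array('token' => $token)));
}

function mymodule_delete_now_page($id) {
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], 'mymodule_delete_' . $id)) {
    return MENU_ACCESS_DENIED;
  }
  mymodule_thing_delete($id);
  return t('Deleted.');
}
```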

Deep Dive on CSRF

CSRF Resources

http://drupalscout.com/tags/csrf

Resources

drupal.org/security

groups.drupal.org/best-practices-drupal-security

drupalscout.com

acquia.com

crackingdrupal.com

Thanks! Questions?

Contact? @greggles

greg.knaddison@acquia.com
