Looking for vulnerable code. Vlad Savitsky

Post on 14-Dec-2014

Category: Technology

DESCRIPTION

How do you find vulnerable code in your Drupal project? What are the different attacks, and how do you protect your site against them? What should you do if you find a security problem in code or on a site?

TRANSCRIPT

Are you sure that your site is secure?

Site security

● Trusted, experienced and secure hosting

● Secure code

● Security updates

Security Updates

● Subscribe to the Security-news mailing list: http://lists.drupal.org/mailman/listinfo/security-news

● Use the Drupal 7 core Update Manager module to be told when security updates are available.

How secure is Drupal code?

Types of vulnerabilities

Is Your Drupal-site Code Secure?

Speaker: Vlad Savitsky

Working at

Skype: vlad_savitsky

ICQ: 205535814

vlad.savitsky@gmail.com

+38096 530 27 12

Challenge

● http://google-gruyere.appspot.com/start

● Gruyere /ɡruːˈjɛər/ - a small, cheesy web application that allows its users to publish snippets of text and store assorted files.

● "Unfortunately," Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution.

The goal is to discover bugs in Gruyere.

Cross-site scripting (XSS)

● Allows attackers to inject script into Web pages viewed by other users.

● http://en.wikipedia.org/wiki/Cross-site_scripting

Handling Data: Golden Rule

● Store exactly what the user typed.

● When handling and outputting text in HTML, you need to be careful that proper filtering or escaping is done.

[Diagram: User -> Drupal Code -> Database. User input is validated; invalid input is rejected before it reaches the database.]

1. User sends some data

2. Attacker sends code

[Diagram: the attacker's input (JS) passes through not-well-validated input handling and is stored in the Database.]

3. User requests a page

[Diagram: Request -> Drupal Code -> SQL query -> Database. The stored JS comes back and is output as not-well-escaped data.]

4. User runs Attacker's code

[Diagram: Browser: 1. View page; the HTML page contains the attacker's JavaScript code; 2. Send data (the script runs in the user's browser).]
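The four steps above, as an added example that is not part of the slides: a stored-XSS round trip that follows the golden rule (store as typed, escape at the HTML boundary). The comment table is an in-memory array, the payload is the slide's own test string, and `check_plain()` is shimmed with the definition Drupal 7 core uses so the file runs from the CLI without a Drupal bootstrap.

```php
<?php
// Added example (not from the slides): "store exactly what the user typed,
// escape on output", walked through the stored-XSS flow above.

if (!function_exists('check_plain')) {
  // Same body as Drupal 7 core's check_plain(): escape &, <, >, ", ' for HTML.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Steps 1-2: a user (or attacker) submits a comment. Store it exactly as typed;
// escaping here would corrupt legitimate input such as "a < b" for every other
// output channel (e-mail, JSON, the edit form) and still not protect HTML.
function save_comment(array &$table, string $body): int {
  $table[] = $body;
  return count($table) - 1;
}

// Step 3, vulnerable: the stored string is concatenated straight into markup.
function render_comment_vulnerable(string $body): string {
  return '<div class="comment">' . $body . '</div>';
}

// Step 3, fixed: escape at the HTML boundary. check_plain() is right for plain
// text; if users may post a subset of HTML, run the value through
// filter_xss($body, $allowed_tags) at this point instead.
function render_comment_safe(string $body): string {
  return '<div class="comment">' . check_plain($body) . '</div>';
}

// Crude check a reviewer can apply to rendered output: does it still contain
// a tag with an event-handler attribute, or a script tag?
function contains_active_markup(string $html): bool {
  return (bool) preg_match('/<\w+[^>]*\bon\w+\s*=|<script\b/i', $html);
}

// Constructed input: the slide's own test payload.
$comments = array();
$payload  = '<img src="notfound.png" onerror="alert(\'xss\');">';
$id       = save_comment($comments, $payload);

// Step 4: what the next visitor's browser receives. In the vulnerable form the
// onerror handler runs in the visitor's browser; in the safe form the payload
// is shown as literal text.
$bad  = render_comment_vulnerable($comments[$id]);
$good = render_comment_safe($comments[$id]);
echo $bad, PHP_EOL;
echo $good, PHP_EOL;
var_dump(contains_active_markup($bad));
var_dump(contains_active_markup($good));
```

The split matters for auditing: a function that escapes on *input* is a red flag, because whatever it stores is now wrong for every non-HTML consumer and the output code still has to be checked.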

Access Bypass

[Diagram: User -> Drupal Code. 1. Request /devel/php; 2. Get Access.]

Cross-site request forgery

● Ability to make the server perform an action simply by getting a logged-in user's browser to access a URL.

● Also known as a one-click attack or session riding and abbreviated as CSRF (pronounced sea-surf) or XSRF.

● http://en.wikipedia.org/wiki/Cross-site_request_forgery

[Diagram: User Profile form with Save and Delete buttons.]

1. Find URL: http://example.com/user/10/delete

2. Post URL in an HTML page: <img src="URL" />

[Diagram: 1. User posts the page to the server; 2. the server sends the page containing the URL to Admin; 3. Admin's browser opens the URL and the delete is performed with Admin's session.]

Arbitrary code execution

● Ability to execute any commands of the attacker's choice on a target machine or in a target process.

● http://en.wikipedia.org/wiki/Arbitrary_code_execution

Session fixation

● Session fixation attacks attempt to exploit the vulnerability of a system which allows one person to fixate (set) another person's session identifier (SID).

● Most session fixation attacks are web based, and most rely on session identifiers being accepted from URLs (query string) or POST data.

● http://en.wikipedia.org/wiki/Session_fixation

1. Send URL with SID

[Diagram: User (attacker) -> Admin: 1. sends URL http://example.com/node/2?sid=123; Admin -> Drupal Code: 2. logs in at http://example.com/user/login?sid=123]

2. Get Admin's session

[Diagram: User (attacker) -> Drupal Code: 3. logs in as admin using http://example.com/user/login?sid=123]

http://drupal.org/project/sharedsignon

http://drupal.org/node/592488
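The two-step attack in the diagram, as an added example that is not from the slides or from either linked project: session handling is modelled as plain functions over an in-memory session store so it runs from the CLI (PHP 7 or later) with no web server or Drupal bootstrap. The session ids, the store and the scenario are constructed; the only defect needed for the attack is that the request is allowed to choose the session id.

```php
<?php
// Added example (not from the slides): session fixation, modelled without a
// real session layer so the logic is visible and testable from the CLI.

// Vulnerable: a session id supplied in the URL (?sid=...) is accepted, and
// the same id is kept when the user logs in. Whoever chose the id before
// login owns the authenticated session afterwards.
function vulnerable_session_id(array $query, array $cookies): string {
  if (!empty($query['sid'])) {
    return $query['sid'];                          // attacker-chosen id honoured
  }
  return $cookies['SESS'] ?? bin2hex(random_bytes(16));
}
function vulnerable_login(array &$store, string $sid, int $uid): string {
  $store[$sid] = array('uid' => $uid);             // id unchanged across login
  return $sid;
}

// Hardened: ids come only from the cookie, and a fresh id is issued at login.
// (Drupal 7 does this in user_login_finalize() via drupal_session_regenerate().)
function hardened_session_id(array $query, array $cookies): string {
  return $cookies['SESS'] ?? bin2hex(random_bytes(16));   // $query is ignored
}
function hardened_login(array &$store, string $old_sid, int $uid): string {
  unset($store[$old_sid]);                         // anyone holding the old id loses it
  $new_sid = bin2hex(random_bytes(16));
  $store[$new_sid] = array('uid' => $uid);
  return $new_sid;
}

// Who is logged in under a given id? (uid 0 = anonymous)
function uid_for(array $store, string $sid): int {
  return $store[$sid]['uid'] ?? 0;
}

// Constructed scenario from the diagram: the attacker sends the admin a link
// carrying sid=123, the admin (uid 1) logs in, the attacker then presents
// sid=123 and asks who they are.
$fixed_sid = '123';

$store     = array();
$admin_sid = vulnerable_session_id(array('sid' => $fixed_sid), array());
vulnerable_login($store, $admin_sid, 1);
echo 'vulnerable: attacker presenting sid=123 is uid ', uid_for($store, $fixed_sid), PHP_EOL;

$store     = array();
$admin_sid = hardened_session_id(array('sid' => $fixed_sid), array());   // not 123
$admin_sid = hardened_login($store, $admin_sid, 1);
echo 'hardened: attacker presenting sid=123 is uid ', uid_for($store, $fixed_sid), PHP_EOL;
```

When reviewing single-sign-on or "shared session" modules, look for both halves: anything that reads a session id from the query string or POST body, and any login path that does not regenerate the id.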

How to find a vulnerability?

XSS high-risk zones

● theme().

● t() and l().

● dpm().

● echo().

● var_dump().

● console.log().

● watchdog().

● drupal_set_message().

● Templates (.tpl.php).

● Theme's code.

● Preprocess functions.

● $form_state values.

● Validation messages and default values.

● Field type 'select' and 'options' attribute.

● drupal_set_title().

XSS Test

<script>alert('xss');</script>

<img src="notfound.png" onerror="alert('xss');">

watchdog('type','message <script type="text/javascript">alert("xss");</script>');

How to find XSRF?

● Inspect hook_menu().

● Inspect AJAX callbacks.

● If secure tokens are not used, XSRF is possible.

● See drupal_get_token().
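The user-delete forgery from the CSRF diagram and the token check this slide points at, as an added example that is not from the slides. The module name, path and callbacks are hypothetical. `drupal_get_token()`, `drupal_valid_token()` and `drupal_hmac_base64()` are shimmed with the structure Drupal 7 core uses, with constructed constants standing in for `session_id()` and the site's private key, so the file runs from the CLI; real menu callbacks would read the token from `$_GET`, which is passed in here as an array so the callback can be exercised directly.

```php
<?php
// Added example (not from the slides): a GET-triggered delete with and
// without a session-bound token.

if (!function_exists('drupal_get_token')) {
  define('DEMO_SESSION_ID',  'victim-session-abc');    // constructed stand-in for session_id()
  define('DEMO_PRIVATE_KEY', 'site-private-key-xyz');  // constructed stand-in for drupal_get_private_key()
  // URL-safe base64 HMAC, as core does it.
  function drupal_hmac_base64($data, $key) {
    $hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
    return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
  }
  // Token bound to the current session and the site key: an attacker who does
  // not share the victim's session cannot compute it.
  function drupal_get_token($value = '') {
    return drupal_hmac_base64($value, DEMO_SESSION_ID . DEMO_PRIVATE_KEY);
  }
  function drupal_valid_token($token, $value = '') {
    return hash_equals(drupal_get_token($value), (string) $token);
  }
}

// Vulnerable: a plain GET to this path deletes the account. The permission
// check in hook_menu() is correct but irrelevant to CSRF: an admin who views
// a page containing <img src="/admin/people/10/quick-delete"> sends the
// request with their own session and their own permissions.
function mymodule_menu_vulnerable() {
  return array(
    'admin/people/%/quick-delete' => array(
      'page callback'    => 'mymodule_quick_delete',
      'page arguments'   => array(2),
      'access arguments' => array('administer users'),
    ),
  );
}
function mymodule_quick_delete($uid, array $query = array()) {
  return delete_account($uid);                       // no token check
}

// Fixed: the link carries a token and the callback refuses requests without a
// valid one. A confirm_form() achieves the same through Form API's form_token;
// prefer it for anything destructive.
function mymodule_quick_delete_link($uid) {
  $token = drupal_get_token('quick-delete-' . $uid);
  return 'admin/people/' . $uid . '/quick-delete?token=' . $token;
}
function mymodule_quick_delete_fixed($uid, array $query = array()) {
  if (!isset($query['token']) || !drupal_valid_token($query['token'], 'quick-delete-' . $uid)) {
    return 'access denied';                          // drupal_access_denied() in a real module
  }
  return delete_account($uid);
}
function delete_account($uid) {
  return "deleted user $uid";                        // stands in for user_delete($uid)
}

// The forged request: the victim's browser follows the URL, with no token.
echo mymodule_quick_delete(10), PHP_EOL;
echo mymodule_quick_delete_fixed(10, array()), PHP_EOL;
echo mymodule_quick_delete_fixed(10, array('token' => 'guess')), PHP_EOL;
// The legitimate link, generated inside the victim's own session.
parse_str((string) parse_url(mymodule_quick_delete_link(10), PHP_URL_QUERY), $q);
echo mymodule_quick_delete_fixed(10, $q), PHP_EOL;
```

The same check applies to AJAX callbacks: any callback that changes state must verify a token (or be a Form API submit), not just a permission.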

Access bypass

● Check hook_permission().

● Search for permission names.

● Check the 'access callback' of each item in hook_menu().

● Check that the code works correctly with other contributed modules and respects their access restrictions.
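A review helper for the four checks above, as an added example that is not from the slides: it walks a `hook_menu()` array and reports items whose access control is absent, public, misspelled, or bypasses other modules' per-node restrictions. `mymodule_menu()`, `mymodule_permission()` and their paths are hypothetical; the list of core permission names is typed in by hand. The rules follow Drupal 7 menu semantics: `'access callback' => TRUE` means anyone can reach the item, no `'access callback'` means `user_access()` is called with `'access arguments'`, and an item with neither key inherits its parent's check.

```php
<?php
// Added example (not from the slides): audit hook_menu() items for weak
// access control.

function mymodule_permission() {
  return array(
    'administer mymodule' => array('title' => 'Administer mymodule'),
  );
}

function mymodule_menu() {
  $items = array();
  $items['admin/config/mymodule'] = array(
    'title'            => 'mymodule settings',
    'page callback'    => 'drupal_get_form',
    'page arguments'   => array('mymodule_settings_form'),
    'access arguments' => array('administer mymodule'),   // correct
  );
  $items['mymodule/export'] = array(
    'page callback'   => 'mymodule_export',
    'access callback' => TRUE,                             // bug: public to anonymous users
  );
  $items['mymodule/node/%node/raw'] = array(
    'page callback'    => 'mymodule_node_raw',
    'page arguments'   => array(2),
    'access arguments' => array('access content'),         // bug: ignores node_access()
  );
  $items['mymodule/report'] = array(
    'page callback'    => 'mymodule_report',
    'access arguments' => array('adminster mymodule'),     // typo: permission never defined
  );
  $items['admin/config/mymodule/reset'] = array(
    'page callback' => 'mymodule_reset',                   // no access keys: inherits parent
  );
  return $items;
}

// $known_permissions: names defined by hook_permission() in the modules you
// consider in scope.
function audit_menu_access(array $items, array $known_permissions): array {
  $findings = array();
  foreach ($items as $path => $item) {
    $has_cb   = array_key_exists('access callback', $item);
    $has_args = array_key_exists('access arguments', $item);
    if ($has_cb && $item['access callback'] === TRUE) {
      $findings[$path][] = 'access callback TRUE: reachable by anonymous users';
    }
    if (!$has_cb && !$has_args) {
      $findings[$path][] = 'no access keys: inherits the parent item, confirm that is intended';
    }
    if (!$has_cb && $has_args) {
      foreach ($item['access arguments'] as $perm) {
        if (is_string($perm) && !in_array($perm, $known_permissions, TRUE)) {
          $findings[$path][] = "permission '$perm' is not defined by any hook_permission()";
        }
      }
      // A blanket permission on a %node path never consults node_access(), so
      // per-node restrictions set by other modules are bypassed.
      if (strpos($path, '%node') !== FALSE) {
        $findings[$path][] = "loads a node but never calls node_access(); use 'access callback' => 'node_access' with 'access arguments' => array('view', <position of %node>)";
      }
    }
  }
  return $findings;
}

$known = array_merge(array('access content', 'administer users'),   // core names, listed by hand
                     array_keys(mymodule_permission()));
foreach (audit_menu_access(mymodule_menu(), $known) as $path => $problems) {
  foreach ($problems as $p) {
    echo "$path: $p", PHP_EOL;
  }
}
```

Run it over every module's `hook_menu()` return value (for example from a `drush php-eval` call) and review each finding by hand; the heuristics are deliberately noisy.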

Code Execution

● Search for eval(), system(), etc.

● Check code includes.

● Check if files containing code could be executed.

● Search for use of the PHP input format in blocks, nodes, fields, etc.

● Check if modules like devel, php, etc. are enabled.

● Check if uploading files with PHP code is possible.
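A small source scanner for the "XSS high-risk zones" list and the "Code Execution" list above, as an added example that is not from the slides: it is a grep with context, not a parser, and reports candidates for human review. The module source it scans is constructed inline; pass the contents of a real file to `scan_source()` to use it on a project. The patterns flag the output helpers from the XSS list fed with string concatenation, `!` placeholders or `PASS_THROUGH`/`'html' => TRUE`, direct `echo`/`print` of variables in templates, and the `eval()`/`system()`-style sinks, variable includes and `preg_replace()` with the `/e` modifier from the code-execution list.

```php
<?php
// Added example (not from the slides): flag candidate XSS and code-execution
// sinks in PHP source, one line at a time.

function scan_source(string $source): array {
  $findings = array();
  foreach (preg_split('/\r?\n/', $source) as $n => $line) {
    $no = $n + 1;

    // --- code execution sinks ---
    if (preg_match('/\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(/', $line, $m)) {
      $findings[] = array($no, 'exec', "call to {$m[1]}()");
    }
    if (preg_match('/\b(include|require)(_once)?\b[^;]*\$/', $line, $m)) {
      $findings[] = array($no, 'exec', $m[1] . ($m[2] ?? '') . ' with a variable in the path');
    }
    if (preg_match('/\bpreg_replace\s*\(\s*([\'"])(.)(.*?)\2([a-zA-Z]*)\1/', $line, $m)
        && strpos($m[4], 'e') !== FALSE) {
      $findings[] = array($no, 'exec', 'preg_replace() with /e modifier evaluates the replacement');
    }

    // --- XSS sinks: message/log helpers built from variables ---
    if (preg_match('/\b(t|watchdog|drupal_set_message|format_string)\s*\((.*)$/', $line, $m)) {
      $args = $m[2];
      if (preg_match('/\.\s*\$|\$\w+(?:->\w+|\[[^\]]*\])*\s*\./', $args)) {
        $findings[] = array($no, 'xss', "{$m[1]}() built by concatenation; use @ or % placeholders");
      }
      if (preg_match('/[\'"][^\'"]*!\w+/', $args)) {
        $findings[] = array($no, 'xss', "{$m[1]}() uses a ! placeholder: the value is not escaped");
      }
    }
    // --- XSS sinks: helpers explicitly told not to escape ---
    if (preg_match('/\b(l|drupal_set_title)\s*\((.*)$/', $line, $m)) {
      $args = $m[2];
      if (strpos($args, 'PASS_THROUGH') !== FALSE || preg_match('/[\'"]html[\'"]\s*=>\s*TRUE/i', $args)) {
        $findings[] = array($no, 'xss', "{$m[1]}() asked not to escape its input");
      }
    }
    // --- XSS sinks: raw output of a variable (templates, preprocess output) ---
    if (preg_match('/\b(print|echo)\b\s*\(?\s*\$/', $line, $m)) {
      $findings[] = array($no, 'xss', "{$m[1]} of a variable; wrap it in check_plain() or filter_xss()");
    }
  }
  return $findings;
}

// Constructed module source; the second line is the only clean one.
$sample = <<<'PHP'
<?php
drupal_set_message(t('Welcome back, !name', array('!name' => $account->name)));
drupal_set_message(t('Welcome back, @name', array('@name' => $account->name)));
watchdog('mymodule', 'Search for ' . $_GET['q'] . ' failed');
drupal_set_title($node->title, PASS_THROUGH);
$link = l($node->title, 'node/' . $node->nid, array('html' => TRUE));
print $node->body;
$out = eval($_POST['code']);
system('convert ' . $file->filename);
include $_GET['page'] . '.inc';
$s = preg_replace('/(\w+)/e', 'strtoupper("$1")', $text);
PHP;

foreach (scan_source($sample) as list($line, $kind, $why)) {
  printf("%-4d %-5s %s\n", $line, $kind, $why);
}
```

Every hit still needs a human to decide whether the data at that point is user-controlled; the scanner's job is only to make the review list short enough to finish.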

SQL injection

● Static queries: SQL assembled by concatenating variables into the query string instead of passing them as db_query() placeholders.
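The static query next to its parameterised form, as an added example that is not from the slides. It uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs from the CLI; Drupal 7's `db_query()` sits on the same PDO named-placeholder mechanism, so the Drupal form of each query is given in the comments. The table contents and attacker inputs are constructed.

```php
<?php
// Added example (not from the slides): string-built SQL versus placeholders.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, pass TEXT)");
$pdo->exec("INSERT INTO users (name, pass) VALUES ('admin', 'hash-of-admin'), ('bob', 'hash-of-bob')");

// Static query: the value is pasted into the SQL text.
// Drupal 7 equivalent: db_query("SELECT uid, name FROM {users} WHERE name = '" . $name . "'")
function find_user_vulnerable(PDO $pdo, string $name): array {
  $sql = "SELECT uid, name FROM users WHERE name = '" . $name . "'";
  return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder: the value travels separately from the SQL text and cannot
// change the statement's structure.
// Drupal 7 equivalent: db_query("SELECT uid, name FROM {users} WHERE name = :name", array(':name' => $name))
function find_user_safe(PDO $pdo, string $name): array {
  $stmt = $pdo->prepare("SELECT uid, name FROM users WHERE name = :name");
  $stmt->execute(array(':name' => $name));
  return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholders cannot carry identifiers (an ORDER BY column, a table name).
// Those must come from a whitelist, never from the request string.
function list_users_sorted(PDO $pdo, string $sort): array {
  $allowed = array('uid' => 'uid', 'name' => 'name');
  $column  = isset($allowed[$sort]) ? $allowed[$sort] : 'uid';
  return $pdo->query("SELECT uid, name FROM users ORDER BY $column")->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input. Against the static query the tautology returns
// every row and the UNION returns uid plus password hash for every row from a
// query that was only meant to return names; against the placeholder version
// both return nothing, because no user has that literal name.
$tautology = "x' OR '1'='1";
$union     = "x' UNION SELECT uid, pass FROM users --";
print_r(find_user_vulnerable($pdo, $tautology));
print_r(find_user_vulnerable($pdo, $union));
print_r(find_user_safe($pdo, $tautology));
print_r(find_user_safe($pdo, $union));
// The sort parameter is not in the whitelist, so the query falls back to uid.
print_r(list_users_sorted($pdo, 'name; DROP TABLE users'));
```

When reviewing, grep for `db_query(` calls whose first argument contains a `.` concatenation or an interpolated `$`, and for `ORDER BY` / table names built from `$_GET` or form values: those are the places placeholders cannot help and a whitelist is required.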

Drupal Security Team

Goals of the security team

● Resolve reported security issues.

● Provide assistance for contributed module maintainers in resolving security issues.

● Provide documentation on how to write secure code.

● Provide documentation on securing your site.

How to report a security issue

● Do not post in the issue tracker or discuss it in IRC.

● Mail to security@drupal.org

● Provide as many details as you can. At least:

  ● Drupal version and/or module version.

  ● Steps to reproduce the problem.

● Do not disclose the vulnerability to anyone before the advisory is issued.

● You will be credited in the security announcement.

How does the security team work with issues?

● Review the issue and evaluate the potential impact on all supported releases of Drupal.

● If it is indeed a valid problem, the security team is mobilized to eliminate it.

● New versions are created and tested.

● New packages are created and uploaded to Drupal.org.

● When an issue has been fixed, all available communication channels are used to inform users of the steps they must take to protect themselves.

Issues with contributed modules

● The module maintainer is contacted with a deadline.

● When the maintainer fixes the problem, the security team issues an advisory.

● If the maintainer does not fix the problem within the deadline, an advisory is issued, recommending disabling the module and the project on Drupal.org is unpublished.

Additional Reading

● Core Security Advisories: http://drupal.org/security

● Contributed Project Security Advisories: http://drupal.org/security/contrib

● The Drupal Security Team: http://drupal.org/security-team

● Secure configuration of your Drupal site: http://drupal.org/security/secure-configuration

● Writing secure code: http://drupal.org/writing-secure-code

● Cracking Drupal – The Drupal security book: http://crackingdrupal.com/

● This paper's website: http://drupalsecurityreport.org

● OWASP Top Ten Project: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Questions to speaker

Vlad Savitsky

http://shvetsgroup.com

Skype: vlad_savitsky

ICQ: 205535814

vlad.savitsky@gmail.com

+38 096 530 27 12
