Drupal Security Dive Into the Code - this presentation looks at cross site scripting (xss), sql injection, and cross site request forgeries (csrf) in Drupal. The presentation was given at DrupalGovDays in Washington DC May 18, 2012.

1. Dive into
Drupal Security
@greggles
Friday, May 18, 2012

2. Greg Knaddison
Pair programmer
@greggles
Acquian
Drupal Security Team
Friday, May 18, 2012

3. US$15 on kindle, US$26 paperback
crackingdrupal.com
Friday, May 18, 2012

4. Agenda
Overview
Warm up
CSRF, XSS, SQLi code
Friday, May 18, 2012

5. think like a diver
Friday, May 18, 2012

6. be the attacker
Say hello to $user_data
Friday, May 18, 2012

7. Drupal vulnerabilities by type
12%
7%
4%
3% 48%
10%
16%
XSS Access Bypass CSRF
Authentication/Session Arbitrary Code Execution SQL Injection
Others
reported in core and contrib SAs from 6/1/2005 through 3/24/2010
Friday, May 18, 2012

8. Eddy Out: Definitions
A1 - Injection
A2 - XSS
A3 - Broken Authentication and Session Mgmt
A4 - Insecure Direct Object References
A5 - Cross Site Request Forgery
Friday, May 18, 2012

9. Eddy Out: Definitions
A6 - Security Misconfiguration
A7 - Insecure Cryptographic Storage
A8 - Failure to Restrict URL Access
A9 - Insufficient Transport Layer Protection
A10 - Unvalidated Redirects and Forwards
Friday, May 18, 2012

10. Eddy Out: Freebies
A3 - Broken Authentication and Session Mgmt
A7 - Insecure Cryptographic Storage
A9 - Insufficient Transport Layer Protection
But don’t stop at the top 10...or today’s 3
Friday, May 18, 2012

11. The basics
Toes in the water
Friday, May 18, 2012

12. Security Review module
Free
Automated check of configurations
drupal.org/project/security_review
Demo
http://crackingdrupal.com/n/32
Friday, May 18, 2012

13. Captaining your ship
ssh or sftp, but never ftp
shared wifi? https if you can, vpn if you can’t
Least privilege
Audit roles
Friday, May 18, 2012

14. Stay up to date
Seriously
Friday, May 18, 2012

15. Modernize your vessel
Update module (can email you)
Mailing list
@drupalsecurity
rss: d.o/security/ d.o/security/contrib etc.
Friday, May 18, 2012

16. Head for the lifeboats
Have backups
Test them periodically
Be able to restore them
Sanitize before traveling with them
http://crackingdrupal.com/n/53
Friday, May 18, 2012

17. XSS
aka: Cross Site Scripting
code in browser using your session
Friday, May 18, 2012

18. XSS
Code
Running in your browser
Using your cookies on your site
Requesting, sending, reading responses
Browser context
Does that sound familiar?
Friday, May 18, 2012

19. Ajax
HTML
Drupal User
JS
Friday, May 18, 2012

20. Cross Site Scripting
HTML
Attacker JS Drupal Victim
JS
= Bad
Friday, May 18, 2012

21. Validate input
“Why would I ever want
javascript in a node title?”
-developer who forgot to filter on output
Friday, May 18, 2012

22. Validate input
Is it an email?
Is it a nid (right type? that they have access to?)
Is this my beautiful wife?
Is this my beautiful house?
Validation is NOT filtering
Validation is “yes or no” - user fixes it
Friday, May 18, 2012

23. Filter on output
“output”
“filter”
“on”
Friday, May 18, 2012

24. Friday, May 18, 2012

25. Output Contexts
Mail context
Database context
Web context
Server context
http://acko.net/blog/safe-string-theory-for-
the-web
Friday, May 18, 2012

26. Filtering XSS
Input untrusted data
Output browser appropriate data
check_plain, check_markup
filter_xss, filter_xss_admin
free: l(), t() @ and %, drupal_set_title
Friday, May 18, 2012

27. Friday, May 18, 2012

28. html
html
blah
html
<? print $node_title ?>
html
Friday, May 18, 2012

29. html
html
blah
html
<script>
alert(‘xss’);
<script>
html
Friday, May 18, 2012

30. html
html html
blah html
html blah
&lt;script&gt; html
alert(‘xss’); alert(‘xss’);
&lt;/script&gt; html
html
Friday, May 18, 2012

31. Are you my XSS?
drupal_set_message($user_data);
$output .= $node->title;
FAPI checkboxes, radios,
descriptions, etc.
Friday, May 18, 2012

32. Identifying XSS
<script>alert(‘xss’);</script>
<img src=”asdf.png” onerror=”alert(‘xss’)”>
Friday, May 18, 2012

33. Deep Dive on XSS
Friday, May 18, 2012

34. http://drupalscout.com/tags/xss
XSS Resources
Friday, May 18, 2012

35. SQL Injection
Friday, May 18, 2012

36. User modified data
Included into a query
Without filtering
Friday, May 18, 2012

37. php
php
sql $user_data
php
php
Friday, May 18, 2012

38. php
php
sql ‘’;delete from
users;
php
php
Friday, May 18, 2012

39. Fixing SQL Injection
“Use Drupal’s database API”
Placeholders
DBTNG, ORM, Methods (not that complex)
Friday, May 18, 2012

40. Dive on SQL Injection
Friday, May 18, 2012

41. CSRF
Cross Site Request Forgery
Taking action without confirming intent.
Friday, May 18, 2012

42. Taking action without confirming intent.
How do we confirm intent?
WTF is intent?
Friday, May 18, 2012

43. <a href=”/delete/user/1”>Delete user 1</a>
Friday, May 18, 2012

44. <a href=”/delete/1”>Delete user 1</a>
<img src=”/delete/1”>
Friday, May 18, 2012

45. CSRF Flow
/user
html
cookie
Victim Drupal
Friday, May 18, 2012

46. CSRF Flow
node/1
html
Victim Drupal
Friday, May 18, 2012

47. CSRF Flow
node/1
html
jquery.js
Victim js Drupal
foo.css
cookie
css
delete/1
object deleted
etc. in db
Friday, May 18, 2012

48. How do you exploit it?
URL Shorteners
<img src=”http://example.com/delete/2”>
Send a message to a site admin
What is my email address or twitter?
Friday, May 18, 2012

49. Are you my CSRF?
menu call back with an action verb and not
drupal_get_form
directly use $_POST, $_GET, arg(), menu object
not using form_submit OR drupal_get_token
Friday, May 18, 2012

50. Tokens (aka nonce)
Form API includes tokens by default
do form, form_validate, form_submit
don’t $_POST
OR: drupal_get_token, drupal_valid_token
Friday, May 18, 2012

51. Deep Dive on CSRF
Friday, May 18, 2012

52. http://drupalscout.com/tags/csrf
CSRF Resources
Friday, May 18, 2012

53. Resources
drupal.org/security
groups.drupal.org/best-practices-drupal-
security
drupalscout.com
acquia.com
crackingdrupal.com
Friday, May 18, 2012

54. Thanks!
questions?
contact?
@greggles
greg.knaddison@acquia.com
Friday, May 18, 2012