Drupal Security Dive Into the Code - this presentation looks at cross site scripting (XSS), SQL injection, and cross site request forgery (CSRF) in Drupal. The presentation was given at DrupalGovDays in Washington DC on May 18, 2012.
7. Drupal vulnerabilities by type
[Pie chart: share of Drupal vulnerabilities by type. Categories: XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others. Slice values shown: 48%, 16%, 12%, 10%, 7%, 4%, 3%.]
Source: vulnerabilities reported in Drupal core and contrib security advisories (SAs) from 6/1/2005 through 3/24/2010
Friday, May 18, 2012
8. Eddy Out: Definitions (OWASP Top 10, 2010)
A1 - Injection
A2 - XSS
A3 - Broken Authentication and Session Mgmt
A4 - Insecure Direct Object References
A5 - Cross Site Request Forgery
9. Eddy Out: Definitions
A6 - Security Misconfiguration
A7 - Insecure Cryptographic Storage
A8 - Failure to Restrict URL Access
A9 - Insufficient Transport Layer Protection
A10 - Unvalidated Redirects and Forwards
10. Eddy Out: Freebies
A3 - Broken Authentication and Session Mgmt
A7 - Insecure Cryptographic Storage
A9 - Insufficient Transport Layer Protection
But don't stop at the top 10... or at today's 3 (XSS, SQL injection, CSRF)
11. The basics
Toes in the water
12. Security Review module
Free
Automated check of configurations
drupal.org/project/security_review
Demo: http://crackingdrupal.com/n/32
13. Captaining your ship
SSH or SFTP, but never FTP (it sends your password in the clear)
Shared wifi? HTTPS if you can, VPN if you can't
Least privilege: give each role only the permissions it needs
Audit roles: who holds "administer ..." permissions, and how many accounts have those roles?
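An added example of the role audit from the slide above (this is not code from the presentation or from any Drupal module). It assumes Drupal 7, the API current when the talk was given, and is meant to be run inside a bootstrapped site, for instance with `drush php-script audit_roles.php`; the list of "dangerous" permissions is a starting point chosen here, not a Drupal-defined set.

```php
<?php
/**
 * @file
 * Added example (not from the slides): report which roles hold powerful
 * permissions and how many accounts carry each of those roles.
 * Assumes a bootstrapped Drupal 7 site, e.g. `drush php-script audit_roles.php`.
 */

// Permissions that amount to full control of the site (an assumed list for this
// example). Any "administer ..." permission is also treated as privileged.
$dangerous = array(
  'administer permissions',
  'administer users',
  'administer modules',
  'administer site configuration',
  'administer filters',
  'use PHP for settings',   // only present while the php module is enabled
);

$roles = user_roles();                    // rid => role name
$perms = user_role_permissions($roles);   // rid => array(permission => TRUE)

foreach ($roles as $rid => $name) {
  $held  = array_keys($perms[$rid]);
  $risky = array_intersect($held, $dangerous);
  foreach ($held as $perm) {
    if (strpos($perm, 'administer ') === 0) {
      $risky[] = $perm;
    }
  }
  $risky = array_unique($risky);
  if (!$risky) {
    continue;
  }

  // The two built-in roles are not stored in {users_roles}; say what they mean.
  if ($rid == DRUPAL_ANONYMOUS_RID) {
    $members = 'everyone, logged in or not';
  }
  elseif ($rid == DRUPAL_AUTHENTICATED_RID) {
    $members = 'every logged-in user';
  }
  else {
    $members = db_query('SELECT COUNT(DISTINCT uid) FROM {users_roles} WHERE rid = :rid',
      array(':rid' => $rid))->fetchField() . ' account(s)';
  }

  print "ROLE '$name' (rid $rid): $members, " . count($risky) . " privileged permission(s)\n";
  foreach ($risky as $perm) {
    print "  - $perm\n";
  }
}

// uid 1 bypasses every permission check regardless of roles, so it always counts.
$admin = user_load(1);
print "uid 1 is '" . $admin->name . "' and bypasses all permission checks.\n";
```

A role with a privileged permission that is held by the authenticated role, or by a role with many members, is the finding to chase first; the audit is only as complete as the `$dangerous` list, so extend it with permissions from the contrib modules you run.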
14. Stay up to date
Seriously
15. Modernize your vessel
Update module (can email you when updates are available)
Security mailing list
@drupalsecurity on Twitter
RSS: drupal.org/security/, drupal.org/security/contrib, etc.
16. Head for the lifeboats
Have backups
Test them periodically
Be able to restore them
Sanitize them (strip passwords, emails, personal data) before traveling with them
http://crackingdrupal.com/n/53
17. XSS
aka Cross Site Scripting
attacker-supplied code running in the victim's browser, using the victim's session
18. XSS
Code
Running in your browser
Using your cookies on your site
Requesting, sending, reading responses
Browser context
Does that sound familiar?
20. Cross Site Scripting
[Diagram: Attacker submits HTML containing JS to Drupal; Drupal serves that HTML to the Victim; the JS runs in the victim's browser = Bad]
21. Validate input
"Why would I ever want javascript in a node title?"
- developer who forgot to filter on output
22. Validate input
Is it an email?
Is it a nid (right type? that they have access to?)
Is this my beautiful wife?
Is this my beautiful house?
Validation is NOT filtering
Validation is "yes or no" - reject the value and let the user fix it; filtering happens later, on output
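An added example covering the last two slides (it is not code from the presentation): a Drupal 7 form that validates an email address and a node ID the way the slide describes, and then filters the node title on output rather than trusting it. Drupal 7 is assumed because it was current when the talk was given; the module name `shipdemo` and the path `shipdemo/contact` are placeholders chosen here.

```php
<?php
/**
 * @file
 * Added example (not from the slides): validation is a yes/no decision made
 * when input arrives; filtering is done where text becomes HTML.
 * Drupal 7 API; "shipdemo" is a placeholder module name.
 */

function shipdemo_menu() {
  $items['shipdemo/contact'] = array(
    'title' => 'Contact about a node',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('shipdemo_contact_form'),
    'access arguments' => array('access content'),
  );
  return $items;
}

function shipdemo_contact_form($form, &$form_state) {
  $form['mail'] = array(
    '#type' => 'textfield',
    '#title' => t('Your e-mail address'),
    '#required' => TRUE,
  );
  $form['nid'] = array(
    '#type' => 'textfield',
    '#title' => t('Node ID'),
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Send'));
  return $form;
}

// Validation: answer "is it an email?", "is it a nid of the right type that this
// user may see?" and send the user back if not. Nothing is rewritten here.
function shipdemo_contact_form_validate($form, &$form_state) {
  if (!valid_email_address($form_state['values']['mail'])) {
    form_set_error('mail', t('Please enter a valid e-mail address.'));
  }

  $nid = $form_state['values']['nid'];
  // Right type: ctype_digit() rejects "1 OR 1=1", "1e3", " 1" and "-1".
  if (!ctype_digit((string) $nid)) {
    form_set_error('nid', t('The node ID must be a whole number.'));
    return;
  }
  // Exists, and *this* account has access to it (not just any account).
  $node = node_load((int) $nid);
  if (!$node || !node_access('view', $node)) {
    form_set_error('nid', t('That node does not exist or you may not view it.'));
  }
}

function shipdemo_contact_form_submit($form, &$form_state) {
  $node = node_load((int) $form_state['values']['nid']);
  // Filtering on output: "%" and "@" placeholders run the value through
  // check_plain(); "!" would not, and would reintroduce the XSS.
  drupal_set_message(t('Thanks, we will follow up about %title (node @nid).',
    array('%title' => $node->title, '@nid' => $node->nid)));
}

// The mistake quoted on the slide: assuming a title "could never" hold script
// and concatenating it straight into markup. A title of <script>...</script>
// is stored as-is, so this is XSS for everyone who views the result.
function shipdemo_title_markup_unsafe($node) {
  return '<h2>' . $node->title . '</h2>';
}

// Same output, filtered at the point the text becomes HTML.
function shipdemo_title_markup($node) {
  return '<h2>' . check_plain($node->title) . '</h2>';
}
```

The validate hook never alters the submitted values; it only says yes or no. Escaping is deferred to the moment the title is rendered, because that is the only place where it is known whether the text is going into HTML, an attribute, or a plain-text email.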
45. CSRF Flow
[Diagram: the Victim logs in at /user; Drupal returns the page HTML and sets a session cookie in the browser.]
46. CSRF Flow
[Diagram: the Victim requests node/1; Drupal returns the HTML for that page.]
47. CSRF Flow
[Diagram: the HTML for node/1 makes the victim's browser fetch jquery.js and foo.css, and, because the attacker put it in the page, delete/1 as well. Every one of those requests carries the session cookie, so Drupal treats delete/1 as the victim's own action: the object is deleted, the row is gone from the db, etc.]
48. How do you exploit it?
URL shorteners (hide the destination until it is too late)
<img src="http://example.com/delete/2"> placed anywhere the victim's browser will render it
Send a message to a site admin with the link
How hard is it to find my email address or Twitter handle?
49. Are you my CSRF?
A menu callback whose path contains an action verb (delete, publish, ...) and is not served by drupal_get_form
Code that reads $_POST, $_GET, arg() or the menu object directly
A state change that goes through neither a form submit handler nor drupal_get_token / drupal_valid_token
50. Tokens (often called a nonce, though Drupal's token is tied to the session rather than single-use)
Form API includes tokens by default
Do: form, form_validate, form_submit
Don't: read $_POST yourself
OR, for a plain link: drupal_get_token to build it, drupal_valid_token to check it
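An added example for the last two slides (not code from the presentation or from Drupal itself): the CSRF smell from slide 49, a state-changing menu callback that fires on a plain GET, beside the two fixes from slide 50. Drupal 7 is assumed; `shipdemo`, its paths and the token value prefix are placeholders chosen here. One caveat that matters for both fixes: in Drupal 7 the Form API token and `drupal_valid_token()` are bound to the session ID, so they only protect logged-in users, which is also the only population CSRF can act as.

```php
<?php
/**
 * @file
 * Added example (not from the slides): a CSRF-able delete callback and two
 * ways to fix it. Drupal 7 API; "shipdemo" and its paths are placeholders.
 */

function shipdemo_menu() {
  // VULNERABLE: action verb in the path, plain page callback, and the
  // object is deleted on any GET. <img src="http://example.com/shipdemo/delete/2">
  // on a page the admin views is enough; the browser sends the session cookie.
  $items['shipdemo/delete/%node'] = array(
    'page callback' => 'shipdemo_delete_unsafe',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
  );
  // FIX 1: route through drupal_get_form(). Form API adds a form token for
  // logged-in users and the delete only runs from a POST that carries it.
  $items['shipdemo/remove/%node'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('shipdemo_remove_form', 2),
    'access arguments' => array('administer nodes'),
  );
  // FIX 2: when a plain link is unavoidable, put a token in it and verify it.
  $items['shipdemo/remove-now/%node'] = array(
    'page callback' => 'shipdemo_remove_with_token',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
  );
  return $items;
}

// Before: any request from a browser holding an admin session deletes the node.
function shipdemo_delete_unsafe($node) {
  node_delete($node->nid);
  return t('Deleted.');
}

// After (fix 1): a confirm form; Form API validates the token before submit.
function shipdemo_remove_form($form, &$form_state, $node) {
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  return confirm_form($form,
    t('Delete %title?', array('%title' => $node->title)),
    'node/' . $node->nid,
    t('This cannot be undone.'),
    t('Delete'));
}

function shipdemo_remove_form_submit($form, &$form_state) {
  node_delete($form_state['values']['nid']);
  drupal_set_message(t('Deleted.'));
  $form_state['redirect'] = '<front>';
}

// After (fix 2): build the link with a token bound to the nid and to the session.
function shipdemo_remove_link($node) {
  $value = 'shipdemo-remove-' . $node->nid;   // assumed value prefix
  return l(t('Delete'), 'shipdemo/remove-now/' . $node->nid,
    array('query' => array('token' => drupal_get_token($value))));
}

// A forged <img> or shortened URL cannot carry a valid token for the victim's
// session, so the check fails and nothing is deleted.
function shipdemo_remove_with_token($node) {
  $value = 'shipdemo-remove-' . $node->nid;
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $value)) {
    return MENU_ACCESS_DENIED;
  }
  node_delete($node->nid);
  drupal_set_message(t('Deleted.'));
  drupal_goto('<front>');
}
```

The token value string includes the nid so that a token issued for deleting one node cannot be replayed against another; `drupal_valid_token()` compares it against an HMAC over that value, the session ID and the site's private key, which is why the attacker's page cannot compute it.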