7. be the attacker
Say hello to $user_data
Sunday, November 20, 2011
8. Drupal vulnerabilities by type
[Pie chart: Drupal vulnerabilities by type. Legend: XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others. Slice labels as extracted: 48%, 16%, 12%, 10%, 7%, 4%, 3%; the slide text does not preserve which percentage belongs to which category.]
reported in core and contrib SAs from 6/1/2005 through 3/24/2010
9. Eddy Out: Definitions
A1 - Injection
A2 - XSS
A3 - Broken Authentication and Session Mgmt
A4 - Insecure Direct Object References
A5 - Cross Site Request Forgery
10. Eddy Out: Definitions
A6 - Security Misconfiguration
A7 - Insecure Cryptographic Storage
A8 - Failure to Restrict URL Access
A9 - Insufficient Transport Layer Protection
A10 - Unvalidated Redirects and Forwards
11. Eddy Out: Freebies
A3 - Broken Authentication and Session Mgmt
A7 - Insecure Cryptographic Storage
A9 - Insufficient Transport Layer Protection
But don’t stop at the top 10...or today’s 3
12. The basics
Toes in the water
13. Security Review module
Free
Automated check of configurations
drupal.org/project/security_review
Demo
http://crackingdrupal.com/n/32
14. Captaining your ship
ssh or sftp, but never ftp
shared wifi? https if you can, vpn if you can’t
Least privilege
Audit roles
15. Stay up to date
Seriously
16. Modernize your vessel
Update module
Mailing list
@drupal_security
rss: d.o/security/ d.o/security/contrib etc.
17. Head for the lifeboats
Have backups
Test them periodically
Be able to restore them
Sanitize before traveling with them
http://crackingdrupal.com/n/53
18. CSRF
Cross Site Request Forgery
Taking action without confirming intent.
19. Taking action without confirming intent.
How do we confirm intent?
WTF is intent?
22. CSRF Flow
[Diagram: the victim's browser requests /user from Drupal; Drupal returns HTML and sets a session cookie.]
23. CSRF Flow
[Diagram: the victim's browser requests node/1; Drupal returns HTML.]
24. CSRF Flow
[Diagram: the victim's browser requests node/1, receives HTML, then fetches jquery.js and foo.css (JS and CSS). The browser attaches the session cookie to every request to the site, so a request for delete/1 embedded in that page runs as the victim: the object is deleted in the database, and anything else that callback does happens too.]
25. How do you exploit it?
URL Shorteners
<img src="http://example.com/delete/2">
Send a message to a site admin
What is my email address or twitter?
26. Are you my CSRF?
menu callback with an action verb and not drupal_get_form
directly use $_POST, $_GET, arg(), menu object
not using form_submit OR drupal_get_token
27. Tokens (aka nonce)
Form API includes tokens by default
do form, form_validate, form_submit
don’t $_POST
OR: drupal_get_token, drupal_valid_token
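The heuristics on slide 26 and the token fix on slide 27, as an added example that is not part of the original deck: a Drupal 7 module with the CSRF-prone "action verb in a menu callback" pattern beside the same action protected with drupal_get_token()/drupal_valid_token(). The module name csrf_demo, its paths and the token value string are assumptions for illustration; the API calls are Drupal 7 core.

```php
<?php
/**
 * @file
 * Added example (not from the slides): a CSRF-prone menu callback next to a
 * token-protected one, written against the Drupal 7 API. The module name
 * "csrf_demo" and its paths are assumptions for illustration.
 */

/**
 * Implements hook_menu().
 */
function csrf_demo_menu() {
  $items = array();
  // Vulnerable: a plain GET to csrf-demo/delete/123 deletes node 123 for any
  // visitor who has the permission. <img src=".../csrf-demo/delete/123"> on
  // an attacker's page fires it with the victim's session cookie attached.
  $items['csrf-demo/delete/%node'] = array(
    'page callback' => 'csrf_demo_delete_unsafe',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  // Hardened: same action, but the callback requires a per-session token
  // bound to this node, which a forged cross-site request cannot supply.
  $items['csrf-demo/delete-safe/%node'] = array(
    'page callback' => 'csrf_demo_delete_safe',
    'page arguments' => array(2),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Vulnerable: confirms nothing about intent; the request alone is enough.
 */
function csrf_demo_delete_unsafe($node) {
  node_delete($node->nid);
  drupal_set_message(t('Deleted node @nid.', array('@nid' => $node->nid)));
  drupal_goto('<front>');
}

/**
 * Hardened: the token proves the request came from a link this site rendered
 * for this session, not from a third-party page.
 */
function csrf_demo_delete_safe($node) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  // Bind the token to the action and the object, so a token obtained for
  // deleting one node cannot be replayed against another.
  if (!drupal_valid_token($token, 'csrf_demo_delete_' . $node->nid)) {
    return MENU_ACCESS_DENIED;
  }
  node_delete($node->nid);
  drupal_set_message(t('Deleted node @nid.', array('@nid' => $node->nid)));
  drupal_goto('<front>');
}

/**
 * Renders the delete link with its token. The attacker never sees this page
 * inside the victim's session, so there is no token to copy into an <img>.
 */
function csrf_demo_delete_link($node) {
  return l(t('Delete'), 'csrf-demo/delete-safe/' . $node->nid, array(
    'query' => array('token' => drupal_get_token('csrf_demo_delete_' . $node->nid)),
  ));
}
```

The token only confirms intent; access is still checked by the menu system's 'access arguments' and should also be checked against the specific node (see slide 52). A destructive action behind a GET remains a smell even with a token: the Form API route (confirm_form() submitted through drupal_get_form(), which carries its own form token) is the idiomatic fix and is what "do form, form_validate, form_submit" on slide 27 refers to.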
30. XSS
aka: Cross Site Scripting
code in browser using your session
31. XSS
Code
Running in your browser
Using your cookies on your site
Requesting, sending, reading responses
Browser context
Does that sound familiar?
32. Ajax
[Diagram: the user's browser receives HTML from Drupal, and JS inside that page makes further requests back to Drupal.]
33. Cross Site Scripting
[Diagram: the same shape, except the JS running in the victim's browser against Drupal was supplied by the attacker.]
= Bad
34. Validate input
“Why would I ever want
javascript in a node title?”
-developer who forgot to filter on output
35. Validate input
Is it an email?
Is it a nid (right type? that they have access to?)
Is this my beautiful wife?
Is this my beautiful house?
Validation is NOT filtering
Validation is “yes or no” - user fixes it
36. Filter on output
"Filter", "on", "output": every word is load-bearing. Filter (escape or strip for the destination), on output (at render time, not when the data is stored), output (every place the data leaves your code).
38. Output Contexts
Mail context
Database context
Web context
Server context
http://acko.net/blog/safe-string-theory-for-the-web
39. Filtering XSS
Input untrusted data
Output browser appropriate data
check_plain, check_markup
filter_xss, filter_xss_admin
free: l(), t() with @ and % placeholders, drupal_set_title()
52. R U my Access Bypass?
Menu callbacks - kind of important
node_access()
->addTag('node_access')
hook_permission()/user_access()
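The three checks on slide 52, as an added example that is not part of the original deck: a Drupal 7 module showing a menu item open to everyone beside its permission-gated version, a per-node page gated with node_access(), and a listing query with and without the node_access tag. The module name access_demo, its paths and permission name are assumptions for illustration.

```php
<?php
/**
 * @file
 * Added example (not from the slides), Drupal 7 API: access bypass patterns
 * beside their fixes. The module name "access_demo" and the permission name
 * are assumptions.
 */

/**
 * Implements hook_permission().
 */
function access_demo_permission() {
  return array(
    'view demo reports' => array(
      'title' => t('View demo reports'),
    ),
  );
}

/**
 * Implements hook_menu().
 */
function access_demo_menu() {
  $items = array();
  // Bypass 1: 'access callback' => TRUE exposes the page to anonymous users.
  $items['demo/report'] = array(
    'page callback' => 'access_demo_report',
    'access callback' => TRUE,
  );
  // Fix: gate on a permission. user_access() is the default access callback,
  // so 'access arguments' alone is enough.
  $items['demo/report-safe'] = array(
    'page callback' => 'access_demo_report',
    'access arguments' => array('view demo reports'),
  );
  // Bypass 2: checking only a site-wide permission lets a user load any node
  // by id, including unpublished or access-controlled ones. Fix: make
  // node_access() the access callback for the specific loaded node.
  $items['demo/node/%node'] = array(
    'page callback' => 'access_demo_show_node',
    'page arguments' => array(2),
    'access callback' => 'node_access',
    'access arguments' => array('view', 2),
  );
  return $items;
}

/**
 * Page callback; the menu system has already run node_access('view', $node).
 * An inline user_access() check is the equivalent guard inside code that the
 * menu system does not protect (a helper called from several places).
 */
function access_demo_show_node($node) {
  if (!user_access('view demo reports')) {
    return MENU_ACCESS_DENIED;
  }
  return check_plain($node->title);
}

/**
 * Bypass 3: a listing that reads {node} directly returns titles of nodes the
 * viewer could not open. Tagging the query with 'node_access' lets node
 * access modules rewrite it with their grants; leaving the tag off leaks.
 */
function access_demo_report() {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', 1)
    ->addTag('node_access');
  $items = array();
  foreach ($query->execute() as $row) {
    $items[] = l($row->title, 'node/' . $row->nid);
  }
  return theme('item_list', array('items' => $items));
}
```

Menu callbacks are the first place to look because an 'access callback' of TRUE (or an access check copied from the wrong item) is a complete bypass, not a partial one. The query tag matters even on pages with correct menu access, since the page's own permission says nothing about which individual nodes the viewer may see.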