Intro drupal security

Dive into
Drupal Security
@greggles

Sunday, November 20, 2011

Greg Knaddison
Pair programmer
@greggles
Acquian
Drupal Security Team


mobro.co/gregknaddison


US$15 on kindle, US$26 paperback
crackingdrupal.com


Agenda

Overview

Warm up

CSRF, XSS code


think like a diver


be the attacker

Say hello to $user_data


Drupal vulnerabilities by type

12%

7%

4%

3% 48%

10%

16%

XSS Access Bypass CSRF
Authentication/Session Arbitrary Code Execution SQL Injection
Others
reported in core and contrib SAs from 6/1/2005 through 3/24/2010


Eddy Out: Deﬁnitions

A1 - Injection

A2 - XSS

A3 - Broken Authentication and Session Mgmt

A4 - Insecure Direct Object References

A5 - Cross Site Request Forgery


Eddy Out: Definitions

A6 - Security Misconfiguration

A7 - Insecure Cryptographic Storage

A8 - Failure to Restrict URL Access

A9 - Insufficient Transport Layer Protection

A10 - Unvalidated Redirects and Forwards


Eddy Out: Freebies

A3 - Broken Authentication and Session Mgmt

A7 - Insecure Cryptographic Storage

A9 - Insufﬁcient Transport Layer Protection

But don’t stop at the top 10...or today’s 3


The basics
Toes in the water


Security Review module

Free

Automated check of conﬁgurations

drupal.org/project/security_review

Demo

http://crackingdrupal.com/n/32


Captaining your ship

ssh or sftp, but never ftp

shared wiﬁ? https if you can, vpn if you can’t

Least privilege

Audit roles


Stay up to date

Seriously


Modernize your vessel

Update module

Mailing list

@drupal_security

rss: d.o/security/ d.o/security/contrib etc.


Head for the lifeboats

Have backups

Test them periodically

Be able to restore them

Sanitize before traveling with them

http://crackingdrupal.com/n/53


CSRF
Cross Site Request Forgery
Taking action without confirming intent.


Taking action without conﬁrming intent.

How do we conﬁrm intent?

WTF is intent?


<a href=”/delete/user/1”>Delete user 1</a>


<a href=”/delete/1”>Delete user 1</a>

<img src=”/delete/1”>


CSRF Flow
/user
html

cookie
Victim Drupal


CSRF Flow
node/1
html

Victim Drupal


CSRF Flow
node/1
html
jquery.js

Victim js Drupal
foo.css
cookie
css
delete/1
object deleted
etc. in db


How do you exploit it?

URL Shorteners

<img src=”http://example.com/delete/2”>

Send a message to a site admin

What is my email address or twitter?


Are you my CSRF?

menu call back with an action verb and not
drupal_get_form

directly use $_POST, $_GET, arg(), menu object

not using form_submit OR drupal_get_token


Tokens (aka nonce)

Form API includes tokens by default

do form, form_validate, form_submit

don’t $_POST

OR: drupal_get_token, drupal_valid_token


Deep Dive on CSRF

http://drupalscout.com/tags/csrf

CSRF Resources

XSS
aka: Cross Site Scripting
code in browser using your session


XSS
Code

Running in your browser

Using your cookies on your site

Requesting, sending, reading responses

Browser context

Does that sound familiar?


Ajax

HTML
Drupal User
JS


Cross Site Scripting

HTML
Attacker JS Drupal Victim
JS

= Bad


Validate input

“Why would I ever want
javascript in a node title?”
-developer who forgot to ﬁlter on output


Validate input
Is it an email?

Is it a nid (right type? that they have access to?)

Is this my beautiful wife?

Is this my beautiful house?

Validation is NOT ﬁltering

Validation is “yes or no” - user ﬁxes it


Filter on output

“output”

“ﬁlter”

“on”


Output Contexts
Mail context

Database context

Web context

Server context

http://acko.net/blog/safe-string-theory-for-
the-web


Filtering XSS

Input untrusted data

Output browser appropriate data

check_plain, check_markup

ﬁlter_xss, ﬁlter_xss_admin

free: l(), t() @ and %, drupal_set_title


Are you my XSS?

drupal_set_message($user_data);

$output .= $node->title;

FAPI checkboxes, radios,
descriptions, etc.


Deep Dive on XSS

http://drupalscout.com/tags/xss

XSS Resources

But Greg, only admins can enter
ickyquickies.

d.o/security-policy

and...


Access Bypass


Access Bypass
Authentication
Authorization


What is it?

See something they shouldn’t see

Do something they shouldn’t do


Stop Access Bypass

Check before showing the feature

Check before taking action


Where should we do this?


Where do we check?
Request arrives

Find menu callback

Call it

Alter that

Preprocess it

Theme it


'access callback' => TRUE,

Page callback

$form['#access'] = whatevs();

$form['f']['#access'] = whatevs();

$o = theme(‘username’, $account);


R U my Access Bypass?

Menu callbacks - kind of important

node_access()

->addTag('node_access')

hook_permissions/user_access


Dive on Access Bypass

Resources
drupal.org/security

groups.drupal.org/best-practices-drupal-
security

drupalscout.com

acquia.com

crackingdrupal.com


Thanks!
questions?
contact?
@greggles
greg.knaddison@acquia.com


Intro drupal security

Recommandé

Recommandé

Contenu connexe

Similaire à Intro drupal security

Similaire à Intro drupal security (14)

Dernier

Dernier (20)

Intro drupal security