If you can't read please download the document
Upload
knaddison
View
2.537
Download
2
Embed Size (px)
Citation preview
2. I want you: To see the vulnerabilities 3. DisneyPrincessCastle! 4. 5. 6.
7. Drupal Association 8. Help with lots of d.o 9. 20+ modules (Pathauto, token) 10. On Security Team 11. MasteringDrupal.com 12. DrupalDashboard.com 13. @knaddison Greg 14.
Wrote a book Or 40% off with Wiley coupon. 15. GVS
16. Community focused 17. Progressive 18. Event management 19. Now.... 20. Security 21. (with Ben) -> 22. Worry 23. Your site is vulnerable. You can make it safer. 24. A site is secure if private data is kept private, the site cannot be forced ofine or into a degraded mode by a remote visitor, the site resources are used only for their intended purposes, and the site content can be edited only by appropriate users. Some guy Cracking Drupal chapter 1 25.
26. Stealing data 27. Altering data 28. Worry in a prioritized way. 29. 30. http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf 31. Anything you can do XSS can do (better) jQuery.get(Drupal.settings.basePath + 'user/1/edit', function (data, status) { if (status == 'success') { // Extract the token and other required data var matches = data.match(/id="edit-user-profile-form-form-token" value="([a-z0-9])"/); var token = matches[1]; // Post the minimum amount of fields. Other fields get their default values. var payload = { "form_id": 'user_profile_form', "form_token": token, "pass[pass1]": 'hacked', "pass[pass2]": 'hacked' }; jQuery.post(Drupal.settings.basePath +'user/1/edit', payload); } } ); } http://crackingdrupal.com/node/8 32. demo time 33. Tests for XSS
34. Themers
35. Rely on your module developer for variables 36. Run the tests 37. Developers Where does this text come from? Is there a way a user can change it? In whatcontextis it being used? 38. 39. Context
40. Database context 41. Web context 42. Server context Take an hour: http://acko.net/blog/safe-string-theory-for-the-web 43. 44. Cross Site Request Forgery
45. Without confirming intent 46. AKA CSRF 47. Cross Site Request Forgery
48. Solutions to CSRF
49. validate the token when the action is requested Request:
Processing:
50. Security and Usability
51. Truly destructive actionsshouldbe hard to do 52. Don't delete, archive and provide undo 53. Choose links or forms for usability, not security 54. Severities and Other Vulnerabilities
55. drupal.org/security-team 56. New Resource...
Ustima.com 57. Resources
58. http://drupal.org/security 59. http://drupal.org/writing-secure-code 60. http://groups.drupal.org/node/15254- discussion group 61. http://heine.familiedeelstra.com/ 62. Cracking Drupal -http://crackingdrupal.com 63. http://crackingdrupal.com/node/34- XSS Cheat Sheet 64. http://crackingdrupal.com/node/48- CSRF 65. http://www.drupalsecurityreport.org