1. Your site is vulnerable. (really, it is)

2. I want you: To see the vulnerabilities 3. DisneyPrincessCastle! 4. 5. 6.

Drupaler for 4 years

7. Drupal Association 8. Help with lots of d.o 9. 20+ modules (Pathauto, token) 10. On Security Team 11. MasteringDrupal.com 12. DrupalDashboard.com 13. @knaddison Greg 14.

"Cracking Drupal is probably going to be the first Drupal book I buy." - Angie 'webchick' Byron

Wrote a book Or 40% off with Wiley coupon. 15. GVS

Development

16. Community focused 17. Progressive 18. Event management 19. Now.... 20. Security 21. (with Ben) -> 22. Worry 23. Your site is vulnerable. You can make it safer. 24. A site is secure if private data is kept private, the site cannot be forced ofine or into a degraded mode by a remote visitor, the site resources are used only for their intended purposes, and the site content can be edited only by appropriate users. Some guy Cracking Drupal chapter 1 25.

Abusing resources

26. Stealing data 27. Altering data 28. Worry in a prioritized way. 29. 30. http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf 31. Anything you can do XSS can do (better) jQuery.get(Drupal.settings.basePath + 'user/1/edit', function (data, status) { if (status == 'success') { // Extract the token and other required data var matches = data.match(/id="edit-user-profile-form-form-token" value="([a-z0-9])"/); var token = matches[1]; // Post the minimum amount of fields. Other fields get their default values. var payload = { "form_id": 'user_profile_form', "form_token": token, "pass[pass1]": 'hacked', "pass[pass2]": 'hacked' }; jQuery.post(Drupal.settings.basePath +'user/1/edit', payload); } } ); } http://crackingdrupal.com/node/8 32. demo time 33. Tests for XSS

34. Themers

Read tpl.php and default implementations

35. Rely on your module developer for variables 36. Run the tests 37. Developers Where does this text come from? Is there a way a user can change it? In whatcontextis it being used? 38. 39. Context

Mail context

40. Database context 41. Web context 42. Server context Take an hour: http://acko.net/blog/safe-string-theory-for-the-web 43. 44. Cross Site Request Forgery

Taking action

45. Without confirming intent 46. AKA CSRF 47. Cross Site Request Forgery

Demo time

48. Solutions to CSRF

Create a token based on something unique to

site, the user, and the action and

49. validate the token when the action is requested Request:

'query' = array('token' => drupal_get_token('my_id');

Processing:

if (!drupal_valid_token($_GET['token'], 'my_id')) {

(Or just use the Form API)

50. Security and Usability

Confirmation forms == teh suck

51. Truly destructive actionsshouldbe hard to do 52. Don't delete, archive and provide undo 53. Choose links or forms for usability, not security 54. Severities and Other Vulnerabilities

drupal.org/security/contrib lots of other categories of vulnerabilities in addition to XSS and CSRF

55. drupal.org/security-team 56. New Resource...

http://DrupalSecurityReport.org

Ustima.com 57. Resources

http://drupal.org/security-team

58. http://drupal.org/security 59. http://drupal.org/writing-secure-code 60. http://groups.drupal.org/node/15254- discussion group 61. http://heine.familiedeelstra.com/ 62. Cracking Drupal -http://crackingdrupal.com 63. http://crackingdrupal.com/node/34- XSS Cheat Sheet 64. http://crackingdrupal.com/node/48- CSRF 65. http://www.drupalsecurityreport.org