Drupal Security Dive Into the Code

Dive into Drupal Security

@greggles

Friday, May 18, 2012

http://pnwdrupalsummit.org/sessions/drupal-security-coders-deep-dive-xss-csrf-sql-injection




Greg KnaddisonPair programmer

@gregglesAcquian

Drupal Security Team


US$15 on kindle, US$26 paperbackcrackingdrupal.com


Overview

Warm up

CSRF, XSS, SQLi code

Agenda


think like a diver


be the attacker

Say hello to $user_data


XSS Access Bypass CSRFAuthentication/Session Arbitrary Code Execution SQL InjectionOthers

48%

16%

10%

3%

4%

7%

12%

reported in core and contrib SAs from 6/1/2005 through 3/24/2010

Drupal vulnerabilities by type


Eddy Out: Definitions

A1 - Injection

A2 - XSS

A3 - Broken Authentication and Session Mgmt

A4 - Insecure Direct Object References

A5 - Cross Site Request Forgery


Eddy Out: Definitions

A6 - Security Misconfiguration

A7 - Insecure Cryptographic Storage

A8 - Failure to Restrict URL Access

A9 - Insufficient Transport Layer Protection

A10 - Unvalidated Redirects and Forwards


Eddy Out: Freebies

A3 - Broken Authentication and Session Mgmt

A7 - Insecure Cryptographic Storage

A9 - Insufficient Transport Layer Protection

But don’t stop at the top 10...or today’s 3


The basicsToes in the water


Security Review module

Free

Automated check of configurations

drupal.org/project/security_review

Demo

http://crackingdrupal.com/n/32




Captaining your ship

ssh or sftp, but never ftp

shared wifi? https if you can, vpn if you can’t

Least privilege

Audit roles


Stay up to date

Seriously


Modernize your vessel

Update module (can email you)

Mailing list

@drupalsecurity

rss: d.o/security/ d.o/security/contrib etc.


Head for the lifeboats

Have backups

Test them periodically

Be able to restore them

Sanitize before traveling with them





XSSaka: Cross Site Scripting

code in browser using your session


XSS

Code

Running in your browser

Using your cookies on your site

Requesting, sending, reading responses

Browser context

Does that sound familiar?


Ajax

DrupalHTML

JSUser


Cross Site Scripting

= Bad

DrupalAttacker JSHTML

JSVictim


Validate input

“Why would I ever want javascript in a node title?”

-developer who forgot to filter on output


Validate input

Is it an email?

Is it a nid (right type? that they have access to?)

Is this my beautiful wife?

Is this my beautiful house?

Validation is NOT filtering

Validation is “yes or no” - user fixes it


Filter on output

“output”

“filter”

“on”



Output Contexts

Mail context

Database context

Web context

Server context

http://acko.net/blog/safe-string-theory-for-the-web






Filtering XSS

Input untrusted data

Output browser appropriate data

check_plain, check_markup

filter_xss, filter_xss_admin

free: l(), t() @ and %, drupal_set_title



htmlhtmlblahhtml

<? print $node_title ?>html


htmlhtmlblahhtml

<script>alert(‘xss’);

<script>html


htmlhtmlblahhtml

<script>alert(‘xss’);

</script>html

htmlhtmlblahhtml

alert(‘xss’);html


Are you my XSS?

drupal_set_message($user_data);

$output .= $node->title;

FAPI checkboxes, radios, descriptions, etc.


Identifying XSS

<script>alert(‘xss’);</script>

<img src=”asdf.png” onerror=”alert(‘xss’)”>


Deep Dive on XSSFriday, May 18, 2012

XSS Resources

http://drupalscout.com/tags/xss


http://drupalscout.com/tags/csrf


SQL Injection


User modified data

Included into a query

Without filtering


phpphp

sql $user_dataphpphp


phpphp

sql ‘’;delete from users;phpphp


Fixing SQL Injection

“Use Drupal’s database API”

Placeholders

DBTNG, ORM, Methods (not that complex)


Dive on SQL InjectionFriday, May 18, 2012

CSRFCross Site Request Forgery

Taking action without confirming intent.


Taking action without confirming intent.

How do we confirm intent?

WTF is intent?


<a href=”/delete/user/1”>Delete user 1</a>


<a href=”/delete/1”>Delete user 1</a>

<img src=”/delete/1”>


CSRF Flow

Drupal

/user

Victim

html

cookie


CSRF Flow

Drupal

node/1

Victim

html


CSRF Flow

Drupal

node/1

Victim

html

js

jquery.js

css

foo.css

etc.

delete/1object deleted

in db

cookie


How do you exploit it?

URL Shorteners

<img src=”http://example.com/delete/2”>

Send a message to a site admin

What is my email address or twitter?


http://example.com/cid/delete/2

http://example.com/cid/delete/2

Are you my CSRF?

menu call back with an action verb and not drupal_get_form

directly use $_POST, $_GET, arg(), menu object

not using form_submit OR drupal_get_token


Tokens (aka nonce)

Form API includes tokens by default

do form, form_validate, form_submit

don’t $_POST

OR: drupal_get_token, drupal_valid_token


Deep Dive on CSRFFriday, May 18, 2012

CSRF Resources





Resources

drupal.org/security

groups.drupal.org/best-practices-drupal-security

drupalscout.com

acquia.com

crackingdrupal.com


http://drupal.org/security

http://drupal.org/security

Thanks!questions?

contact?@greggles

[email protected]


Technology

Drupal Security Dive Into the Code