Protect your site from CSRF
Tuesday, May 15, 2012
Protect your site from XSS
drupalgovdays.org
munich2012.drupal.org
groups.drupal.org/camps
Drupal Vulnerabilities by type (pie chart, in legend order)
XSS: 48%
Access Bypass: 16%
CSRF: 10%
Authentication/Session: 3%
Arbitrary Code Execution: 4%
SQL Injection: 7%
Others: 12%
Reported in core and contrib SAs from 6/1/2005 through 3/24/2010
BTW on XSS
http://acquia.com/node/2022266
Acquia Security Training
• Journey into the mind of an attacker
• Preventing spam and brute force attacks
• XSS
• Access bypass
• CSRF
• SQL Injection
• Over 81% of Drupal vulnerabilities
• Hands-on attacking and fixing a Drupal 7 site
• Group review of possible fixes
• How to perform automated security scans
Think like an attacker
how does an attacker think?
Think like the attacker
• “Solving problems” - just like you
• Using HTTP, Javascript, PHP - just like you
• But her problems are different...
What is CSRF?
Cross Site Request Forgery
CSRF - Cross site Request Forgery
• Action performed on the site
• May confirm access/authorization
• Fails to confirm intent
But how does a computer know my intent?
Typical Page Request (diagram): the visitor's browser requests /user/delete/7 from Drupal and sends the session cookie (sid) with it; Drupal recognises the session (“Oh, you are greggles”) and returns HTML.
Cross Site Request Forgery (diagram): the attacker tricks the victim (“trick!”) into requesting the same URL; the victim's browser sends it to Drupal with the victim's sid, and Drupal performs the action and returns HTML exactly as it would for a request the victim had meant to make.
CSRF and session life time
“Each employee spent only 11 minutes on any given project before being interrupted and whisked off to do something else. What's more, each 11-minute project was itself fragmented into even shorter three-minute tasks, like answering e-mail messages, reading a Web page or working on a spreadsheet.”
Meet the Life Hackers, NY Times, October 16, 2005, www.nytimes.com/2005/10/16/magazine/16guru.html
How do you trick someone into visiting a url?
• Email
• Twitter
• Facebook
• Short urls
• Web page with img, javascript
• Ask them to type it in
• Etc.
User intent?
• Confirm identity
• Confirm you really asked
• Look at the person
• Facial expression, tone
• Ask them to repeat
• Ask for a secret
User intent?
• Secret to the site
• Specific to the user
• Specific to the action
• One-way hash
Can be re-calculated by the site.
Typical Page Request with a token (diagram): the visitor's browser requests /user/delete/7?token=e416c8d447.......cbdec84 and sends the sid with it; Drupal checks the session (“you are greggles”) and the token (“you have intent”) and returns HTML.
Cross Site Request Forgery with a token (diagram): the attacker tricks the victim (“trick!”) into requesting the URL; the victim's browser sends it with the victim's sid, but the forged link carries no valid token, so Drupal answers 403: where is your intent?
Demo: CSRF (simple, tricky)
Preventing CSRF
Identifying CSRF in the wild
• Look at links & forms
• Tools: Live HTTP Headers, Tamper Data, Chrome developer tools
• A menu callback with an action verb in its path that does not use drupal_get_form
• Code that directly uses $_POST, $_GET, arg() or the menu object to take an action
• Not using form _submit handlers or drupal_get_token
Preventing CSRF
• Just use the form API
Links and Ajax without FAPI:
• Request - build the link with a token tied to the action name:
  l(t('Delete'), 'user/delete/7', array('query' => array('token' => drupal_get_token('my_id'))));
• Processing - refuse the request unless the token matches for this session and this action:
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'my_id')) {
    return MENU_ACCESS_DENIED;
  }
• More: http://drupalscout.com/node/20
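Putting the two slides together, here is an added Drupal 7 module fragment (not code from the talk) that shows the pattern "Identifying CSRF in the wild" warns about beside the token-checked version of the same action. The module name csrfdemo, the paths and the token value 'csrfdemo-delete-UID' are assumptions.

```php
<?php
// Added example, not from the slides: Drupal 7 module fragment putting the CSRF
// pattern from "Identifying CSRF in the wild" beside a token-checked version.
// Module name "csrfdemo", paths and token value 'csrfdemo-delete-UID' are assumed.
function csrfdemo_menu() {  // Implements hook_menu().
  $items = array();
  // Vulnerable: action verb in the path, the GET request itself performs the
  // action; the permission is checked but the visitor's intent never is.
  $items['csrfdemo/delete/%user'] = array(
    'page callback' => 'csrfdemo_delete_unsafe',
    'page arguments' => array(2),
    'access arguments' => array('administer users'),
    'type' => MENU_CALLBACK,
  );
  // Fixed: same URL shape, but the link carries a token bound to the session
  // and to this action, and the callback refuses to act without it.
  $items['csrfdemo/delete-token/%user'] = array(
    'page callback' => 'csrfdemo_delete_safe',
    'page arguments' => array(2),
    'access arguments' => array('administer users'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Anyone who lures a user with 'administer users' to this URL (image tag,
// short URL, e-mail) gets the deletion done with that user's session cookie.
function csrfdemo_delete_unsafe($account) {
  user_delete($account->uid);
  return t('Deleted user %name.', array('%name' => $account->name));
}

// Build the protected link. drupal_get_token() is a one-way hash of the value
// keyed with the session id and the site's private key: secret to the site,
// specific to the user, specific to the action (the "User intent?" slide).
function csrfdemo_delete_link($account) {
  return l(t('Delete'), 'csrfdemo/delete-token/' . $account->uid, array(
    'query' => array('token' => drupal_get_token('csrfdemo-delete-' . $account->uid)),
  ));
}

function csrfdemo_delete_safe($account) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'csrfdemo-delete-' . $account->uid)) {
    return MENU_ACCESS_DENIED;  // 403: "where is your intent?"
  }
  user_delete($account->uid);
  return t('Deleted user %name.', array('%name' => $account->name));
}
```

The Form API route the slide recommends first (drupal_get_form with confirm_form) gets the same protection automatically, since FAPI adds and validates its own form token on submit.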
Next steps
Acquia Security Audits
• 1 week engagement
• Manual and automated
• Static code analysis
• Penetration testing of interface
• Report:
  - prioritized list of vulnerabilities
  - mitigation recommendations
Resources
• Drupal Scout CSRF: drupalscout.com/tags/csrf
• Security Training: training.acquia.com/developing-drupal/security
• Acquia's Knowledge Base: library.acquia.com
• Security checks via acquia.com/insight
• groups.drupal.org/best-practices-drupal-security
Any questions?