Protect your site from CSRF
US$15 on Kindle, US$26 paperback
Tuesday, May 15, 2012
Protect your site from XSS
drupalgovdays.org
munich2012.drupal.org
groups.drupal.org/camps
Drupal Vulnerabilities by type (pie chart)
Legend: XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others
Values as extracted from the chart: 48%, 16%, 10%, 3%, 4%, 7%, 12%
Reported in core and contrib SAs from 6/1/2005 through 3/24/2010
BTW on XSS
http://acquia.com/node/2022266
Acquia Security Training
• Journey into the mind of an attacker
• Preventing spam and brute force attacks
• XSS
• Access bypass
• CSRF
• SQL Injection
• Over 81% of Drupal vulnerabilities
• Hands-on attacking and fixing a Drupal 7 site
• Group review of possible fixes
• How to perform automated security scans
Think like an attacker
how does an attacker think?
Think like the attacker
• “Solving problems” - just like you
• Using HTTP, Javascript, PHP - just like you
• But her problems are different...
What is CSRF?
Cross Site Request Forgery
CSRF - Cross Site Request Forgery
• Action performed on the site
• May confirm access/authorization
• Fails to confirm intent
But how does a computer know my intent?
Typical Page Request (diagram): the visitor's browser requests /user/delete/7 and sends the session cookie (sid) with it; Drupal answers with HTML.
Typical Page Request (diagram): the request for /user/delete/7 carries the sid cookie, so Drupal recognises the session ("Oh, you are greggles") and answers with HTML.
Cross Site Request Forgery (diagram): the victim's browser sends a request to Drupal together with the victim's sid cookie, and Drupal answers with HTML.
Cross Site Request Forgery (diagram): an attacker appears next to the victim; the request still arrives at Drupal from the victim's browser with the victim's sid cookie.
Cross Site Request Forgery (diagram): the attacker tricks the victim ("trick!") into making the request; it reaches Drupal from the victim's browser with the victim's sid cookie and is answered with HTML like any other page request.
CSRF and session life time
“Each employee spent only 11 minutes on any given project before being interrupted and whisked off to do something else. What's more, each 11-minute project was itself fragmented into even shorter three-minute tasks, like answering e-mail messages, reading a Web page or working on a spreadsheet.”
Meet the Life Hackers, NY Times, October 16, 2005, www.nytimes.com/2005/10/16/magazine/16guru.html
How do you trick someone into visiting a URL? (diagram: attacker, "trick!")
• Email
• Twitter
• Facebook
• Short URLs
• Web page with img, javascript
• Ask them to type it in
• Etc.
User intent?
• Confirm identity
• Confirm you really asked
• Look at the person
• Facial expression, tone
• Ask them to repeat
• Ask for a secret
User intent?
• Secret to the site
• Specific to the user
• Specific to the action
• One-way hash
Can be re-calculated by the site.
Typical Page Request with a token (diagram): the visitor requests /user/delete/7?token=e416c8d447.......cbdec84 together with the sid cookie; Drupal checks the token and answers with HTML ("you are greggles, you have intent").
Cross Site Request Forgery with token checking (diagram): the victim's browser sends the request with the victim's sid cookie but no token; Drupal answers "403: where is your intent?"
Cross Site Request Forgery with token checking (diagram): the attacker appears next to the victim; the request arrives with the victim's sid cookie but no valid token, and Drupal answers "403: where is your intent?"
Cross Site Request Forgery with token checking (diagram): the attacker tricks the victim ("trick!") into making the request; it arrives with the victim's sid cookie but no valid token, and Drupal answers "403: where is your intent?"
Demo: CSRF (simple, tricky)
Preventing CSRF
Identifying CSRF in the wild
• Look at links & forms
• Live HTTP Headers, Tamper Data, Chrome tools
• Menu callback with an action verb and not drupal_get_form
• Directly using $_POST, $_GET, arg(), or the menu object to take an action
• Not using form_submit OR drupal_get_token
Preventing CSRF
• Just use the Form API
Links and Ajax without FAPI:
• Request: add a token to the link, e.g. 'query' => array('token' => drupal_get_token('my_id')),
• Processing: if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], 'my_id')) { return MENU_ACCESS_DENIED; } (the empty() check avoids a PHP notice when the token is absent; the menu callback answers 403 when it is missing or wrong)
• More: http://drupalscout.com/node/20
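The token scheme from the "User intent?" slides (secret to the site, specific to the user, specific to the action, one-way hash, recomputable by the site) and the drupal_get_token / drupal_valid_token pattern above, as an added illustration that is not the slide's code and not Drupal's own implementation; the private key, the sid values, the action value and the /user/delete/7 callback are constructed for this example.

```python
import hashlib
import hmac

# Constructed stand-in for the site's private key; the "sid" strings below
# play the role of the visitor's session cookie from the slides.
SITE_PRIVATE_KEY = b"constructed-private-key-for-this-example-only"


def get_token(sid: str, value: str) -> str:
    """Token in the spirit of drupal_get_token($value): a keyed one-way hash
    over the site secret, the user's session and an action-specific value.
    The site can recompute it; nobody without the secret and sid can."""
    return hmac.new(SITE_PRIVATE_KEY, f"{sid}:{value}".encode(),
                    hashlib.sha256).hexdigest()


def valid_token(token, sid: str, value: str) -> bool:
    """Counterpart of drupal_valid_token(): recompute and compare in
    constant time. A missing or non-string token is never valid."""
    if not isinstance(token, str) or not token:
        return False
    return hmac.compare_digest(token, get_token(sid, value))


def delete_user_callback(uid: int, query: dict, sid: str) -> int:
    """Menu callback for /user/delete/<uid> that acts directly on the
    request (no Form API), so it must check intent itself. Returns the HTTP
    status the site would answer with."""
    if not valid_token(query.get("token"), sid, f"user-delete-{uid}"):
        return 403  # "where is your intent?"
    # ... the user would be deleted here ...
    return 200


def demo() -> dict:
    """Constructed scenario: greggles follows a link the site built for his
    own session; forged requests arrive with his sid but the wrong token."""
    victim_sid = "sid-greggles"
    legit = {"token": get_token(victim_sid, "user-delete-7")}
    forged = {}  # link from an email, tweet or img tag carries no token
    attacker_token = {"token": get_token("sid-attacker", "user-delete-7")}
    wrong_action = {"token": get_token(victim_sid, "user-delete-8")}
    return {
        "legit": delete_user_callback(7, legit, victim_sid),
        "forged": delete_user_callback(7, forged, victim_sid),
        "attacker_token": delete_user_callback(7, attacker_token, victim_sid),
        "wrong_action": delete_user_callback(7, wrong_action, victim_sid),
    }
```

Only the request built by the site for the victim's own session and this exact action passes; a token minted for another session or another action is rejected the same way a missing one is.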
Next steps
Acquia Security Audits
• 1 week engagement
• Manual and automated
• Static code analysis
• Penetration testing of interface
• Report:
  - prioritized list of vulnerabilities
  - mitigation recommendations
Resources
• Drupal Scout CSRF: drupalscout.com/tags/csrf
• Security Training: training.acquia.com/developing-drupal/security
• Acquia's Knowledge Base: library.acquia.com
• Security checks via acquia.com/insight
• groups.drupal.org/best-practices-drupal-security
Any questions?