Looking for Vulnerable Code. Vlad Savitsky
DESCRIPTION
How to find vulnerable code in your Drupal project? Different attacks and how to protect your site? What to do if you find a security problem in code or on a site?
TRANSCRIPT
Are you sure that your site is secure?
Site security
● Trusted, experienced and secure hosting
● Secure code
● Security updates
Security Updates
● Subscribe to the security-news mailing list: http://lists.drupal.org/mailman/listinfo/security-news
● Use the Drupal 7 core Update Manager module.
How secure is Drupal code?
Types of vulnerabilities
Is Your Drupal-site Code Secure?
Speaker: Vlad Savitsky
Working at
Skype: vlad_savitsky
ICQ: 205535814
+38096 530 27 12
Challenge
● http://google-gruyere.appspot.com/start
● Gruyere /ɡruːˈjɛər/ is a small, cheesy web application that allows its users to publish snippets of text and store assorted files.
● "Unfortunately," Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution.
The goal is to discover bugs in Gruyere.
Cross-site scripting (XSS)
● Allows attackers to inject script into Web pages viewed by other users.
● http://en.wikipedia.org/wiki/Cross-site_scripting
Handling Data: Golden Rule
● Store exactly what the user typed.
● When handling and outputting text in HTML, you need to be careful that proper filtering or escaping is done.
1. User sends some data
(Diagram: User -> Drupal code -> Database. Drupal code validates the user input; validated input is stored in the database, invalid input is rejected.)
2. Attacker sends code
(Diagram: Attacker -> Drupal code -> Database. 1. Input containing JavaScript; 2. the input is not well validated, so the JavaScript is stored in the database.)
3. User requests a page
(Diagram: User -> Drupal code -> Database. 1. Request; 2. SQL query returns the stored JavaScript; 3. the data is not well escaped, so the JavaScript is sent back to the user inside the page.)
4. User runs attacker's code
(Diagram: User -> Browser -> HTML page containing the attacker's JavaScript code. 1. The user views the page; 2. the attacker's script sends data from the user's browser.)
Access Bypass
(Diagram: User -> Drupal code. 1. Request /devel/php; 2. Get access.)
Cross-site request forgery
● The ability to make the server perform some action just by having a logged-in user's browser request some URL.
● Also known as a one-click attack or session riding and abbreviated as CSRF (pronounced sea-surf) or XSRF.
● http://en.wikipedia.org/wiki/Cross-site_request_forgery
1. Find URL
(Diagram: User profile page with Save and Delete buttons; the Delete button leads to http://example.com/user/10/delete.)
2. Post URL
(Diagram: User (attacker) -> Server -> Admin. 1. The attacker posts a page containing <img src="URL" />; 2. the server sends the page with the URL to the admin; 3. the admin's browser opens the URL, and the action runs with the admin's session.)
Arbitrary code execution
● Ability to execute any commands of the attacker's choice on a target machine or in a target process.
● http://en.wikipedia.org/wiki/Arbitrary_code_execution
Session fixation
● Session fixation attacks attempt to exploit the vulnerability of a system which allows one person to fixate (set) another person's session identifier (SID).
● Most session fixation attacks are web based, and most rely on session identifiers being accepted from URLs (query string) or POST data.
● http://en.wikipedia.org/wiki/Session_fixation
1. Send URL with SID
(Diagram: User (attacker) -> Admin -> Drupal code. 1. The attacker sends the admin the URL http://example.com/node/2?sid=123; 2. the admin logs in through http://example.com/user/login?sid=123, so the admin's session gets the attacker-chosen SID 123.)
2. Get Admin's session
(Diagram: User (attacker) -> Drupal code. 3. The attacker opens http://example.com/user/login?sid=123 and is logged in as the admin.)
http://drupal.org/project/sharedsignon
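The mistake behind the ?sid=123 diagrams above, and its fix, as an added example that is not code from the slides or from any module they mention. It is plain PHP so that it can be read without a Drupal bootstrap; all function names are hypothetical, and check_credentials() stands in for a real password check against stored hashes.

```php
<?php
/**
 * Added example: session fixation in a login routine, vulnerable and fixed.
 * Hypothetical names throughout; check_credentials() is a stand-in.
 */

/** Constructed credential check for the demo; a real one reads hashes from storage. */
function check_credentials($user, $password) {
  $accounts = array('admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT));
  return isset($accounts[$user]) && password_verify($password, $accounts[$user]);
}

/**
 * VULNERABLE: accepts a session id from the query string, as the login URL
 * http://example.com/user/login?sid=123 in the diagram does. The attacker picks
 * "123", gets the admin to log in through that link, and afterwards presents
 * the same id: the privilege was attached to an identifier the attacker chose.
 */
function login_fixable($user, $password) {
  if (isset($_GET['sid'])) {
    session_id($_GET['sid']);          // attacker-controlled id becomes the session id
  }
  session_start();
  if (!check_credentials($user, $password)) {
    return FALSE;
  }
  $_SESSION['uid'] = $user;            // privilege bound to the attacker-known id
  return TRUE;
}

/**
 * FIXED: the id is only ever read from the cookie, and it is replaced at the
 * moment the session gains privilege. Drupal 7 core does the second part in
 * user_login_finalize() via drupal_session_regenerate(); a contributed module
 * that logs users in by other means has to do it itself.
 */
function login_fixed($user, $password) {
  ini_set('session.use_only_cookies', '1');  // ?sid= / PHPSESSID in URLs are ignored
  ini_set('session.use_trans_sid', '0');     // never rewrite links to carry the id
  ini_set('session.cookie_httponly', '1');   // keeps the id away from injected script
  session_start();
  if (!check_credentials($user, $password)) {
    return FALSE;
  }
  // Fresh id, old session data deleted: an id fixed before login now names
  // nothing, and an attacker holding it gets an empty session.
  session_regenerate_id(TRUE);
  $_SESSION['uid'] = $user;
  return TRUE;
}
```

When reviewing a module that implements its own sign-on, the two things to look for are the pair of calls in login_fixable() (any session_id() fed from the request) and the absence of a regenerate call after authentication succeeds.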
How to find a vulnerability?
XSS high-risk zones
● theme().
● t() and l().
● dpm().
● echo().
● var_dump().
● console.log().
● watchdog().
● drupal_set_message().
● Templates (.tpl.php).
● Theme's code.
● Preprocess functions.
● $form_state values.
● Validation messages and default values.
● Field type 'select' and 'options' attribute.
● drupal_set_title().
XSS Test
<script>alert('xss');</script>
<img src="notfound.png" onerror="alert('xss');">
watchdog('type', 'message <script type="text/javascript">alert("xss");</script>');
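The golden rule and the high-risk zones side by side, as an added example that is not code from the slides: a hypothetical Drupal 7 module, xss_demo, passes the same user-controlled value to several of the APIs listed above, first raw and then with the escaping each API expects. It assumes a Drupal 7 site; the module, path and function names are assumptions.

```php
<?php
/**
 * @file
 * xss_demo.module: hypothetical Drupal 7 module, added as an example.
 * The same user-controlled string reaches several "XSS high-risk zones" raw,
 * then through the escaping each API expects.
 */

/**
 * Implements hook_menu().
 */
function xss_demo_menu() {
  $items['xss-demo/%'] = array(
    'title' => 'XSS demo',
    'page callback' => 'xss_demo_page',
    'page arguments' => array(1),
    'access arguments' => array('access content'),
  );
  return $items;
}

/**
 * Page callback. $name comes from the URL, i.e. from whoever built the link.
 */
function xss_demo_page($name) {
  // Golden rule: keep $name exactly as received; escape at the output
  // boundary, where the context (HTML body, attribute, log) is known.

  // VULNERABLE: each of these puts $name into HTML unescaped.
  drupal_set_message('Hello ' . $name);                          // message is printed as raw HTML
  drupal_set_message(t('Hello !name', array('!name' => $name)));  // "!" placeholders are verbatim
  watchdog('xss_demo', 'Visit by ' . $name);                     // shown raw on admin/reports/dblog
  drupal_set_title('Profile of ' . $name, PASS_THROUGH);         // PASS_THROUGH skips check_plain()
  $link = l($name, 'user', array('html' => TRUE));               // 'html' => TRUE disables escaping

  // FIXED: "@" and "%" placeholders run check_plain(); the defaults escape.
  drupal_set_message(t('Hello @name', array('@name' => $name)));
  watchdog('xss_demo', 'Visit by @name', array('@name' => $name));
  drupal_set_title(t('Profile of @name', array('@name' => $name)), PASS_THROUGH);
  $link = l($name, 'user');                                      // l() escapes link text by default

  // Text the user may format: keep a small tag whitelist and drop everything
  // else, event-handler attributes included, instead of printing it raw.
  $rich = filter_xss($name, array('a', 'em', 'strong'));

  return array(
    '#markup' => '<p>' . check_plain($name) . '</p>' . $link . '<div>' . $rich . '</div>',
  );
}

/**
 * Runs the payloads from the "XSS Test" slide through the escapers so the
 * difference can be inspected: drush php-eval 'print_r(xss_demo_selftest());'
 */
function xss_demo_selftest() {
  $payloads = array(
    "<script>alert('xss');</script>",
    '<img src="notfound.png" onerror="alert(\'xss\');">',
  );
  $results = array();
  foreach ($payloads as $payload) {
    $results[] = array(
      'raw' => $payload,
      'check_plain' => check_plain($payload),           // all markup encoded as text
      'filter_xss' => filter_xss($payload),             // script and img are not in the default whitelist
      't_bang' => t('x !v', array('!v' => $payload)),   // unchanged: this is the bug
      't_at' => t('x @v', array('@v' => $payload)),     // same result as check_plain()
    );
  }
  return $results;
}
```

The watchdog() case is the one from the XSS Test slide: the message string is not a placeholder, so dblog renders it as-is to whoever reads the log, usually an administrator.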
How to find XSRF?
● Inspect hook_menu().
● Inspect AJAX callbacks.
● If secure tokens are not used, XSRF is possible.
● See drupal_get_token().
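What the hook_menu() inspection above is looking for, as an added example that is not code from the slides: a hypothetical Drupal 7 module, csrf_demo, with the vulnerable GET-action route from the user/10/delete diagrams, then the same action protected with drupal_get_token()/drupal_valid_token(), and the Form API confirmation form that is the usual fix for destructive actions. It assumes a Drupal 7 site; all module, path and function names are assumptions.

```php
<?php
/**
 * @file
 * csrf_demo.module: hypothetical Drupal 7 module, added as an example.
 */

/**
 * Implements hook_menu().
 */
function csrf_demo_menu() {
  // VULNERABLE: a state-changing action behind a plain GET URL with no token.
  // Getting an admin to load <img src="/csrf-demo/delete/10"> is enough.
  $items['csrf-demo/delete/%user'] = array(
    'page callback' => 'csrf_demo_delete_unsafe',
    'page arguments' => array(2),
    'access arguments' => array('administer users'),
    'type' => MENU_CALLBACK,
  );
  // FIX 1: the link carries a per-session token bound to this path, which a
  // page on another origin can neither read nor forge.
  $items['csrf-demo/delete-token/%user'] = array(
    'page callback' => 'csrf_demo_delete_tokened',
    'page arguments' => array(2),
    'access arguments' => array('administer users'),
    'type' => MENU_CALLBACK,
  );
  // FIX 2 (preferred for destructive actions): a Form API confirmation form.
  // Form API adds and validates form_token on every POST by a logged-in user.
  $items['csrf-demo/delete-confirm/%user'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('csrf_demo_delete_confirm_form', 2),
    'access arguments' => array('administer users'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function csrf_demo_delete_unsafe($account) {
  user_delete($account->uid);
  drupal_set_message(t('Deleted user %name.', array('%name' => $account->name)));
  drupal_goto('admin/people');
}

/**
 * Builds the tokened link. The token is derived from the session and from the
 * string passed in, so a token minted for user 10 does not work for user 11.
 */
function csrf_demo_delete_link($account) {
  $path = 'csrf-demo/delete-token/' . $account->uid;
  return l(t('Delete'), $path, array('query' => array('token' => drupal_get_token($path))));
}

function csrf_demo_delete_tokened($account) {
  $path = 'csrf-demo/delete-token/' . $account->uid;
  // Reject a missing or mismatched token before touching any state.
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    return MENU_ACCESS_DENIED;
  }
  user_delete($account->uid);
  drupal_set_message(t('Deleted user %name.', array('%name' => $account->name)));
  drupal_goto('admin/people');
}

function csrf_demo_delete_confirm_form($form, &$form_state, $account) {
  $form['uid'] = array('#type' => 'value', '#value' => $account->uid);
  return confirm_form($form,
    t('Delete user %name?', array('%name' => $account->name)),
    'admin/people', t('This action cannot be undone.'), t('Delete'));
}

function csrf_demo_delete_confirm_form_submit($form, &$form_state) {
  // Only reached through a POST whose form_token and form_build_id validated.
  user_delete($form_state['values']['uid']);
  $form_state['redirect'] = 'admin/people';
}
```

The same check applies to AJAX callbacks that change state: a callback registered in hook_menu() without a token check, or a form element whose #ajax callback acts outside the form's own submit handling, is reachable in exactly the same way.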
Access bypass
● Check hook_permission().
● Search for permission names.
● Check 'access callback's in hook_menu().
● Check if the code works correctly with other contributed modules and respects their access restrictions.
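The checklist above in code, as an added example that is not from the slides: a hypothetical Drupal 7 module, access_demo, whose hook_menu() contains three entries that bypass access in the ways listed (a public callback, a too-weak permission name, and a node route that ignores node_access()), followed by a fixed entry with a custom access callback. It assumes a Drupal 7 site; the module, permission, path and function names are assumptions.

```php
<?php
/**
 * @file
 * access_demo.module: hypothetical Drupal 7 module, added as an example of
 * hook_menu() patterns to inspect for access bypass, with a fixed variant.
 */

/**
 * Implements hook_permission().
 */
function access_demo_permission() {
  return array(
    'administer access demo' => array(
      'title' => t('Administer the access demo'),
      'restrict access' => TRUE,  // flagged as security-sensitive in the permissions UI
    ),
  );
}

/**
 * Implements hook_menu().
 */
function access_demo_menu() {
  // BYPASS 1: 'access callback' => TRUE makes the page public, however
  // administrative the path looks. Search for it literally.
  $items['access-demo/report'] = array(
    'page callback' => 'access_demo_report',
    'access callback' => TRUE,
  );
  // BYPASS 2: the module defines a proper permission but this item checks a
  // much weaker one, which anonymous users usually hold. Search for the
  // permission names used in hook_menu() and compare them with hook_permission().
  $items['access-demo/settings'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('access_demo_settings_form'),
    'access arguments' => array('access content'),
  );
  // BYPASS 3: the node is loaded by id and only the module's own permission is
  // checked. node_access() and contributed access modules (Content Access,
  // Organic Groups, ...) are ignored, so unpublished or private nodes leak.
  $items['access-demo/node/%node/export'] = array(
    'page callback' => 'access_demo_export',
    'page arguments' => array(2),
    'access arguments' => array('administer access demo'),
  );
  // FIXED: a custom access callback that checks both the permission and node
  // access; the loaded node is handed to it through 'access arguments'.
  $items['access-demo/node/%node/export-safe'] = array(
    'page callback' => 'access_demo_export',
    'page arguments' => array(2),
    'access callback' => 'access_demo_export_access',
    'access arguments' => array(2),
  );
  return $items;
}

/**
 * Access callback. Returns a boolean only: no redirects, no exceptions.
 * $account defaults to the current user, as in user_access() and node_access().
 */
function access_demo_export_access($node, $account = NULL) {
  return user_access('administer access demo', $account)
    && node_access('view', $node, $account);
}

function access_demo_report() {
  $count = db_query('SELECT COUNT(uid) FROM {users} WHERE uid > 0')->fetchField();
  return array('#markup' => t('The site has @count users.', array('@count' => $count)));
}

function access_demo_settings_form($form, &$form_state) {
  $form['access_demo_note'] = array(
    '#type' => 'textfield',
    '#title' => t('Note'),
    '#default_value' => variable_get('access_demo_note', ''),
  );
  return system_settings_form($form);
}

function access_demo_export($node) {
  drupal_json_output(array('nid' => $node->nid, 'title' => $node->title, 'status' => $node->status));
  drupal_exit();
}
```

Test the fixed route as a user who holds the permission but is denied the node by another module; if the export still works, the callback is not the one actually registered for the path.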
Code Execution
● Search for 'eval', 'system', etc.
● Check code includes.
● Check if files with code could be executed.
● Search for the PHP input format (PHP filter) for blocks, nodes, fields, etc.
● Check if modules like Devel and PHP filter are enabled.
● Check if uploading files with PHP code is possible.
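A way to do the first two checks above mechanically, as an added example that is not a tool from the slides: a stand-alone PHP script that uses the tokenizer to find calls to code- and command-execution functions and include/require statements with a computed path, so that names inside comments and string literals are not counted. It goes a little beyond the slide by also flagging db_query() calls whose SQL is interpolated or concatenated. The function list is a judgement call (unserialize and create_function are included as an assumption), and the sample source at the bottom is constructed for the demo.

```php
<?php
/**
 * vulnscan.php: added example scanner for the "Code Execution" checklist.
 * Usage: php vulnscan.php sites/all/modules/mymodule
 */

// Functions that execute code or commands; each hit needs a justification.
$DANGEROUS_CALLS = array(
  'assert', 'system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open',
  'pcntl_exec', 'create_function', 'unserialize',
);
$QUERY_CALLS = array('db_query', 'db_query_range', 'db_query_temporary');
$SKIP = array(T_WHITESPACE, T_COMMENT, T_DOC_COMMENT);

// Index of the next / previous token that is not whitespace or a comment.
function next_sig(array $tokens, $i, array $skip) {
  for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
    if (!is_array($tokens[$j]) || !in_array($tokens[$j][0], $skip, TRUE)) {
      return $j;
    }
  }
  return NULL;
}
function prev_sig(array $tokens, $i, array $skip) {
  for ($j = $i - 1; $j >= 0; $j--) {
    if (!is_array($tokens[$j]) || !in_array($tokens[$j][0], $skip, TRUE)) {
      return $j;
    }
  }
  return NULL;
}

/** Scans PHP source text; returns a list of array(line, kind, detail). */
function scan_source($source, array $dangerous, array $queries, array $skip) {
  $hits = array();
  $tokens = token_get_all($source);
  foreach ($tokens as $i => $tok) {
    if (!is_array($tok)) {
      continue;
    }
    list($id, $text, $line) = $tok;
    $name = strtolower($text);
    if ($id === T_EVAL) {                       // eval is its own token
      $hits[] = array($line, 'exec', 'eval(');
      continue;
    }
    if ($id === T_STRING && (in_array($name, $dangerous, TRUE) || in_array($name, $queries, TRUE))) {
      $p = prev_sig($tokens, $i, $skip);
      $n = next_sig($tokens, $i, $skip);
      // A call is NAME followed by "(", excluding $obj->NAME(, Class::NAME(
      // and function NAME( (methods or definitions that merely share the name).
      $is_call = $n !== NULL && $tokens[$n] === '(' && !($p !== NULL && is_array($tokens[$p])
        && in_array($tokens[$p][0], array(T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION), TRUE));
      if (!$is_call) {
        continue;
      }
      if (in_array($name, $dangerous, TRUE)) {
        $hits[] = array($line, 'exec', $text . '(');
        continue;
      }
      // db_query("...$var...") tokenizes as '"', T_ENCAPSED_AND_WHITESPACE, T_VARIABLE, ...;
      // a literal with :placeholders is a single T_CONSTANT_ENCAPSED_STRING.
      $a = next_sig($tokens, $n, $skip);
      if ($a === NULL) {
        continue;
      }
      $first = $tokens[$a];
      if ($first === '"' || (is_array($first) && $first[0] === T_VARIABLE)) {
        $hits[] = array($line, 'sql', $text . '( with interpolated or variable SQL');
      }
      elseif (is_array($first) && $first[0] === T_CONSTANT_ENCAPSED_STRING) {
        $b = next_sig($tokens, $a, $skip);
        if ($b !== NULL && $tokens[$b] === '.') {
          $hits[] = array($line, 'sql', $text . '( with concatenated SQL');
        }
      }
      continue;
    }
    // include/require whose operand is anything but one string literal.
    if (in_array($id, array(T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE), TRUE)) {
      $n = next_sig($tokens, $i, $skip);
      if ($n !== NULL && $tokens[$n] === '(') {
        $n = next_sig($tokens, $n, $skip);
      }
      if ($n === NULL || !is_array($tokens[$n]) || $tokens[$n][0] !== T_CONSTANT_ENCAPSED_STRING) {
        $hits[] = array($line, 'include', $text . ' with a computed path');
      }
    }
  }
  return $hits;
}

/** Scans a file or a directory tree; Drupal code also lives in .module/.inc/.install. */
function scan_path($path, array $dangerous, array $queries, array $skip) {
  $files = array($path);
  if (is_dir($path)) {
    $files = array();
    $it = new RegexIterator(
      new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path, FilesystemIterator::SKIP_DOTS)),
      '/\.(php|module|inc|install|theme|engine)$/');
    foreach ($it as $f) {
      $files[] = $f->getPathname();
    }
  }
  $results = array();
  foreach ($files as $file) {
    foreach (scan_source(file_get_contents($file), $dangerous, $queries, $skip) as $hit) {
      $results[] = array_merge(array($file), $hit);
    }
  }
  return $results;
}

// Constructed sample source, so the scanner can be tried without a code base.
$sample = <<<'PHP'
<?php
function demo($name, $file, $obj) {
  $a = db_query("SELECT uid FROM {users} WHERE name = '$name'");             // interpolated
  $b = db_query('SELECT uid FROM {users} WHERE name = :n', array(':n' => $name)); // placeholder
  include drupal_get_path('module', 'demo') . '/' . $file;                   // computed path
  require_once 'demo.inc';                                                   // literal path
  eval($_GET['code']);
  $obj->system('ls');                                                        // a method, not system()
  // system("rm -rf /") inside a comment
}
PHP;
foreach (scan_source($sample, $DANGEROUS_CALLS, $QUERY_CALLS, $SKIP) as $hit) {
  vprintf("sample.php:%d [%s] %s\n", $hit);
}
if (!empty($argv[1])) {
  foreach (scan_path($argv[1], $DANGEROUS_CALLS, $QUERY_CALLS, $SKIP) as $hit) {
    vprintf("%s:%d [%s] %s\n", $hit);
  }
}
```

The scanner only finds candidates; a db_query() hit on a string built from constants is a false positive, and preg_replace() with the /e modifier or a variable function name ($f()) is not covered and still needs a manual read.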
SQL injection
● Static queries (db_query() with hand-written SQL): check that values reach the query through placeholders, not through string interpolation or concatenation.
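The static-query patterns to look for and their fixes, as an added example that is not from the slides: hypothetical Drupal 7 functions showing a value interpolated into db_query() SQL beside the placeholder form, plus the three cases where a plain placeholder is not enough (LIKE patterns, IN lists, and identifiers such as sort columns). It assumes a Drupal 7 site; function names are assumptions.

```php
<?php
/**
 * Added example: vulnerable static queries and their Drupal 7 fixes.
 * Hypothetical function names; assumes a Drupal 7 bootstrap.
 */

// VULNERABLE: $name is interpolated into the SQL text. A value such as
//   x' OR '1'='1
// rewrites the WHERE clause, and a UNION SELECT reads any other table.
function sqli_demo_find_user_unsafe($name) {
  return db_query("SELECT uid FROM {users} WHERE name = '$name'")->fetchField();
}

// VULNERABLE: identifiers from user input concatenated in. Placeholders cannot
// quote column names or ASC/DESC, so this needs the whitelist used further down.
function sqli_demo_sort_unsafe($column, $direction) {
  return db_query("SELECT nid, title FROM {node} ORDER BY $column $direction")->fetchAllKeyed();
}

// FIXED: a named placeholder. The driver sends the value separately from the
// query text, so quotes inside $name cannot change the statement.
function sqli_demo_find_user($name) {
  return db_query('SELECT uid FROM {users} WHERE name = :name',
    array(':name' => $name))->fetchField();
}

// LIKE needs db_like() as well: % and _ are pattern wildcards, not SQL, so a
// placeholder alone lets a prefix of "a%" match every name starting with a.
function sqli_demo_find_users_like($prefix) {
  return db_query('SELECT uid, name FROM {users} WHERE name LIKE :pattern',
    array(':pattern' => db_like($prefix) . '%'))->fetchAllKeyed();
}

// IN (...) lists: pass an array and Drupal 7 expands it into one placeholder
// per value. Guard the empty case, which would be invalid SQL.
function sqli_demo_load_titles(array $nids) {
  if (empty($nids)) {
    return array();
  }
  return db_query('SELECT nid, title FROM {node} WHERE nid IN (:nids)',
    array(':nids' => $nids))->fetchAllKeyed();
}

// Identifiers: map user input onto a fixed set of known-good names and fall
// back to a default; user text itself never reaches the query.
function sqli_demo_sort($column, $direction) {
  $columns = array('title' => 'title', 'created' => 'created', 'changed' => 'changed');
  $column = isset($columns[$column]) ? $columns[$column] : 'created';
  $direction = (strtoupper($direction) === 'ASC') ? 'ASC' : 'DESC';
  return db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('status', 1)
    ->orderBy($column, $direction)
    ->execute()
    ->fetchAllKeyed();
}
```

When reading a module, a double-quoted string handed to db_query() that contains a $ is the quickest tell; a single-quoted string followed by a dot is the same bug written differently.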
Drupal Security Team
Goals of the security team
● Resolve reported security issues.
● Provide assistance for contributed module maintainers in resolving security issues.
● Provide documentation on how to write secure code.
● Provide documentation on securing your site.
How to report a security issue
● Do not post in the issue tracker or discuss it in IRC.
● Mail to security@drupal.org
● Provide as many details as you can. At least:
  ● Drupal version and/or module version.
  ● Steps to reproduce the problem.
● Do not disclose the vulnerability to anyone before the advisory is issued.
● You will be credited in the security announcement.
How the security team works with issues
● Review the issue and evaluate the potential impact on all supported releases of Drupal.
● If it is indeed a valid problem, the security team is mobilized to eliminate it.
● New versions are created and tested.
● New packages are created and uploaded to Drupal.org.
● When an issue has been fixed, use all available communication channels to inform users of steps that must be taken to protect themselves.
Issues with contributed modules
● The module maintainer is contacted with a deadline.
● When the maintainer fixes the problem, the security team issues an advisory.
● If the maintainer does not fix the problem within the deadline, an advisory is issued, recommending disabling the module and the project on Drupal.org is unpublished.
Additional Reading
● Core Security Advisories: http://drupal.org/security
● Contributed Project Security Advisories: http://drupal.org/security/contrib
● The Drupal Security Team: http://drupal.org/security-team
● Secure configuration of your Drupal site: http://drupal.org/security/secure-configuration
● Writing secure code: http://drupal.org/writing-secure-code
● Cracking Drupal, the Drupal security book: http://crackingdrupal.com/
● Drupal Security Report: http://drupalsecurityreport.org
● OWASP Top Ten Project: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Questions to speaker
Vlad Savitsky
http://shvetsgroup.com
Skype: vlad_savitsky
ICQ: 205535814
+38 096 530 27 12