Protect your site from CSRF

Greg Knaddison
@greggles
greg.knaddison@acquia.com

Tuesday, May 15, 2012

US$15 on Kindle, US$26 paperback

Protect your site from XSS

drupalgovdays.org
munich2012.drupal.org
groups.drupal.org/camps

Drupal Vulnerabilities by type

[Pie chart: slices of 48%, 16%, 12%, 10%, 7%, 4% and 3%; legend: XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others]
Reported in core and contrib SAs from 6/1/2005 through 3/24/2010.

BTW on XSS

http://acquia.com/node/2022266

Acquia Security Training

  • Journey into the mind of an attacker
  • Preventing spam and brute force attacks
  • XSS
  • Access bypass
  • CSRF
  • SQL Injection
  • Over 81% of Drupal vulnerabilities
  • Hands-on attacking and fixing a Drupal 7 site
  • Group review of possible fixes
  • How to perform automated security scans

Think like an attacker

How does an attacker think?

Think like the attacker

  • “Solving problems” - just like you
  • Using HTTP, Javascript, PHP - just like you
  • But her problems are different...

What is CSRF?

Cross Site Request Forgery

CSRF - Cross Site Request Forgery

  • An action is performed on the site
  • The site may confirm access/authorization
  • But it fails to confirm intent

But how does a computer know my intent?

Typical Page Request

[Diagram: the Visitor's browser requests /user/delete/7 from Drupal and sends the session cookie (sid) with it; Drupal answers with HTML. From the sid Drupal concludes: "Oh, you are greggles".]

Cross Site Request Forgery

[Diagram: the same exchange with an Attacker added. The Attacker tricks the Victim into making the request; the Victim's browser sends the sid along as usual, so Drupal sees a logged-in user and answers with HTML, just as it did for the visitor's own request.]

CSRF and session life time

“Each employee spent only 11 minutes on any given project before being interrupted and whisked off to do something else. What's more, each 11-minute project was itself fragmented into even shorter three-minute tasks, like answering e-mail messages, reading a Web page or working on a spreadsheet.”

Meet the Life Hackers, NY Times, October 16, 2005
www.nytimes.com/2005/10/16/magazine/16guru.html

How do you trick someone into visiting a URL?

  • Email
  • Twitter
  • Facebook
  • Short URLs
  • Web page with img, javascript
  • Ask them to type it in
  • Etc.

User intent?

  • Confirm identity
  • Confirm you really asked
  • Look at the person
  • Facial expression, tone
  • Ask them to repeat
  • Ask for a secret

User intent?

  • Secret to the site
  • Specific to the user
  • Specific to the action
  • One-way hash

Can be re-calculated by the site.

Typical Page Request

/user/delete/7?token=e416c8d447.......cbdec84

[Diagram: the Visitor sends the request with the session cookie (sid) and the token; Drupal answers with HTML. From the sid: "you are greggles"; from the token: "you have intent".]

Cross Site Request Forgery

[Diagram: the Attacker again tricks the Victim into sending the request. The sid arrives with it, but no valid token does, so Drupal refuses: "403: where is your intent?"]

Demo: CSRF

  • simple
  • tricky

Preventing CSRF

Identifying CSRF in the wild

  • Look at links & forms
  • Live HTTP Headers, Tamper Data, Chrome tools
  • A menu callback whose path carries an action verb and whose page callback is not drupal_get_form
  • Code that takes an action directly from $_POST, $_GET, arg() or the menu object
  • Neither a form submit handler nor drupal_get_token() is used

Preventing CSRF

  • Just use the Form API

Links and Ajax without FAPI:

  • Request: build the link with a token in its query string
      'query' => array('token' => drupal_get_token('my_id')),
  • Processing: refuse the request unless the token validates
      if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'my_id')) {
        return MENU_ACCESS_DENIED;
      }
  • More: http://drupalscout.com/node/20

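The token properties from the "User intent?" slide (secret to the site, specific to the user, specific to the action, one-way hash, re-calculable by the site) and the request/processing pattern on this slide, worked through as an added stand-alone PHP example. This is not code from the slides or from Drupal: the HMAC construction combines the same kinds of inputs Drupal 7's drupal_get_token() uses (a per-site private key and the session id), but the function names csrf_token() and csrf_token_valid(), the handlers user_delete_unsafe() and user_delete_safe(), the site key and the two session ids are all constructed here so the file runs without Drupal.

```php
<?php
// Added example, not from the slides or from Drupal: a simplified re-creation
// of the intent-token scheme. Names and sample values below are constructed.

// Constructed sample values: a per-site secret and two visitors' sessions.
const SITE_PRIVATE_KEY = 'constructed-site-private-key-change-me';
$sessions = [
  'greggles' => 'sid-for-greggles-0001',   // constructed session id
  'attacker' => 'sid-for-attacker-0002',   // constructed session id
];

/**
 * Derive an intent token: secret to the site (SITE_PRIVATE_KEY), specific to
 * the user (session id), specific to the action ($value), one-way hashed so
 * the site can recompute it but nobody without the key and session can.
 */
function csrf_token(string $session_id, string $value): string {
  return hash_hmac('sha256', $value, SITE_PRIVATE_KEY . $session_id);
}

/** Constant-time comparison of a presented token against the recomputed one. */
function csrf_token_valid(?string $token, string $session_id, string $value): bool {
  if ($token === null) {
    return false;
  }
  return hash_equals(csrf_token($session_id, $value), $token);
}

/**
 * The pattern the slides flag: a callback with an action verb in its path that
 * performs the action straight from the URL, with no form and no token.
 * It confirms who you are (the sid) but never whether you meant it.
 */
function user_delete_unsafe(array $request, array &$users): int {
  $uid = (int) $request['arg'];            // like arg(2) in Drupal
  unset($users[$uid]);
  return 200;
}

/**
 * Hardened variant: the link the site built carries ?token=..., and the
 * callback refuses any request whose token does not recompute for this
 * session and this action ("403: where is your intent?").
 */
function user_delete_safe(array $request, array &$users): int {
  $uid = (int) $request['arg'];
  $value = 'user_delete_' . $uid;          // token is bound to this action
  $token = $request['query']['token'] ?? null;
  if (!csrf_token_valid($token, $request['sid'], $value)) {
    return 403;
  }
  unset($users[$uid]);
  return 200;
}

// --- The three requests from the diagrams -----------------------------------
$users = [7 => 'victim'];

// 1. greggles follows a link the site generated for him: token recomputes.
$good = [
  'sid'   => $sessions['greggles'], 'arg' => 7,
  'query' => ['token' => csrf_token($sessions['greggles'], 'user_delete_7')],
];
// 2. A forged request (img tag, short URL, ...): the browser attaches the
//    sid automatically, but nothing outside the site can mint the token.
$forged = ['sid' => $sessions['greggles'], 'arg' => 7, 'query' => []];
// 3. A token minted for a different session is replayed against greggles'.
$replayed = [
  'sid'   => $sessions['greggles'], 'arg' => 7,
  'query' => ['token' => csrf_token($sessions['attacker'], 'user_delete_7')],
];

$u = $users; printf("unsafe, forged:   %d, users left: %d\n", user_delete_unsafe($forged, $u), count($u));
$u = $users; printf("safe,   good:     %d, users left: %d\n", user_delete_safe($good, $u), count($u));
$u = $users; printf("safe,   forged:   %d, users left: %d\n", user_delete_safe($forged, $u), count($u));
$u = $users; printf("safe,   replayed: %d, users left: %d\n", user_delete_safe($replayed, $u), count($u));
```

Run it with `php csrf_token_demo.php` (PHP 7.1 or later for the nullable parameter type). The unsafe handler deletes the user on the forged request because the sid alone is enough for it; the hardened handler performs the action only for the request whose token recomputes from the site key, the visitor's own session and the exact action, and answers 403 to both the token-less request and the one carrying another session's token.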
Next steps

Acquia Security Audits

  • 1 week engagement
  • Manual and automated
  • Static code analysis
  • Penetration testing of the interface
  • Report:
      - prioritized list of vulnerabilities
      - mitigation recommendations

Resources

  • Drupal Scout CSRF: drupalscout.com/tags/csrf
  • Security Training:
      - training.acquia.com/developing-drupal/security
  • Acquia's Knowledge Base: library.acquia.com
  • Security checks via acquia.com/insight
  • groups.drupal.org/best-practices-drupal-security

Any questions?

More Related Content

Similar to Protect your site from CSRF

Drupal Security Dive Into the Code
Drupal Security Dive Into the CodeDrupal Security Dive Into the Code
Drupal Security Dive Into the CodeGreg Knaddison
 
Introducing Immutant
Introducing Immutant Introducing Immutant
Introducing Immutant Jim Crossley
 
The rules of the internet
The rules of the internetThe rules of the internet
The rules of the internetCodyGarbrandt
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedMinded Security
 
HTML5 and CSS3: does now really mean now?
HTML5 and CSS3: does now really mean now?HTML5 and CSS3: does now really mean now?
HTML5 and CSS3: does now really mean now?Chris Mills
 
SEO Security Audits - Is Your Site at Risk? - Amsterdam Affiliate Conference
SEO Security Audits - Is Your Site at Risk? - Amsterdam Affiliate ConferenceSEO Security Audits - Is Your Site at Risk? - Amsterdam Affiliate Conference
SEO Security Audits - Is Your Site at Risk? - Amsterdam Affiliate ConferenceJulia Logan a.k.a. IrishWonder
 
Mansoura University CSED & Nozom web development sprint
Mansoura University CSED & Nozom web development sprintMansoura University CSED & Nozom web development sprint
Mansoura University CSED & Nozom web development sprintAl Sayed Gamal
 
Finding harmony in web development
Finding harmony in web developmentFinding harmony in web development
Finding harmony in web developmentChristian Heilmann
 
Web applications scalability prolems - eslam mahmoud
Web applications scalability prolems  - eslam mahmoudWeb applications scalability prolems  - eslam mahmoud
Web applications scalability prolems - eslam mahmoudeslam_me
 
Building the Social Web with OpenID
Building the Social Web with OpenIDBuilding the Social Web with OpenID
Building the Social Web with OpenIDSimon Willison
 
Dan node meetup_socket_talk
Dan node meetup_socket_talkDan node meetup_socket_talk
Dan node meetup_socket_talkIshi von Meier
 
Intro to AngularJS from DCC 04/14
Intro to AngularJS from DCC 04/14Intro to AngularJS from DCC 04/14
Intro to AngularJS from DCC 04/14Chris Holwerda
 
Web 2.0 = Accessibility 2.0?
Web 2.0 = Accessibility 2.0?Web 2.0 = Accessibility 2.0?
Web 2.0 = Accessibility 2.0?Jared Smith
 
SOASTA mPulse: Delivering the Real in Real User Measurement (RUM)
SOASTA mPulse: Delivering the Real in Real User Measurement (RUM)SOASTA mPulse: Delivering the Real in Real User Measurement (RUM)
SOASTA mPulse: Delivering the Real in Real User Measurement (RUM)SOASTA
 
SOASTA mPulse: Delivering the Real in Real User Measurement (RUM)
SOASTA mPulse: Delivering the Real in Real User Measurement (RUM)SOASTA mPulse: Delivering the Real in Real User Measurement (RUM)
SOASTA mPulse: Delivering the Real in Real User Measurement (RUM)SOASTA
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser
 
Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜
Web開発の技術選び、 好き嫌いでやってませんか  〜技術選びで注目すべきポイントとは〜Web開発の技術選び、 好き嫌いでやってませんか  〜技術選びで注目すべきポイントとは〜
Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜Yuki Okada
 
VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012Abraham Aranguren
 

Similar to Protect your site from CSRF (20)

Drupal Security Dive Into the Code
Drupal Security Dive Into the CodeDrupal Security Dive Into the Code
Drupal Security Dive Into the Code
 
Introducing Immutant
Introducing Immutant Introducing Immutant
Introducing Immutant
 
Secure pl-sql-coding
Secure pl-sql-codingSecure pl-sql-coding
Secure pl-sql-coding
 
The rules of the internet
The rules of the internetThe rules of the internet
The rules of the internet
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
 
HTML5 and CSS3: does now really mean now?
HTML5 and CSS3: does now really mean now?HTML5 and CSS3: does now really mean now?
HTML5 and CSS3: does now really mean now?
 
SEO Security Audits - Is Your Site at Risk? - Amsterdam Affiliate Conference
SEO Security Audits - Is Your Site at Risk? - Amsterdam Affiliate ConferenceSEO Security Audits - Is Your Site at Risk? - Amsterdam Affiliate Conference
SEO Security Audits - Is Your Site at Risk? - Amsterdam Affiliate Conference
 
Mansoura University CSED & Nozom web development sprint
Mansoura University CSED & Nozom web development sprintMansoura University CSED & Nozom web development sprint
Mansoura University CSED & Nozom web development sprint
 
Drupal 101 V-0.1
Drupal 101 V-0.1Drupal 101 V-0.1
Drupal 101 V-0.1
 
Finding harmony in web development
Finding harmony in web developmentFinding harmony in web development
Finding harmony in web development
 
Web applications scalability prolems - eslam mahmoud
Web applications scalability prolems  - eslam mahmoudWeb applications scalability prolems  - eslam mahmoud
Web applications scalability prolems - eslam mahmoud
 
Building the Social Web with OpenID
Building the Social Web with OpenIDBuilding the Social Web with OpenID
Building the Social Web with OpenID
 
Dan node meetup_socket_talk
Dan node meetup_socket_talkDan node meetup_socket_talk
Dan node meetup_socket_talk
 
Intro to AngularJS from DCC 04/14
Intro to AngularJS from DCC 04/14Intro to AngularJS from DCC 04/14
Intro to AngularJS from DCC 04/14
 
Web 2.0 = Accessibility 2.0?
Web 2.0 = Accessibility 2.0?Web 2.0 = Accessibility 2.0?
Web 2.0 = Accessibility 2.0?
 
SOASTA mPulse: Delivering the Real in Real User Measurement (RUM)
SOASTA mPulse: Delivering the Real in Real User Measurement (RUM)SOASTA mPulse: Delivering the Real in Real User Measurement (RUM)
SOASTA mPulse: Delivering the Real in Real User Measurement (RUM)
 
SOASTA mPulse: Delivering the Real in Real User Measurement (RUM)
SOASTA mPulse: Delivering the Real in Real User Measurement (RUM)SOASTA mPulse: Delivering the Real in Real User Measurement (RUM)
SOASTA mPulse: Delivering the Real in Real User Measurement (RUM)
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
 
Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜
Web開発の技術選び、 好き嫌いでやってませんか  〜技術選びで注目すべきポイントとは〜Web開発の技術選び、 好き嫌いでやってませんか  〜技術選びで注目すべきポイントとは〜
Web開発の技術選び、 好き嫌いでやってませんか 〜技術選びで注目すべきポイントとは〜
 
VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012
 

More from Acquia

Acquia_Adcetera Webinar_Marketing Automation.pdf
Acquia_Adcetera Webinar_Marketing Automation.pdfAcquia_Adcetera Webinar_Marketing Automation.pdf
Acquia_Adcetera Webinar_Marketing Automation.pdfAcquia
 
Acquia Webinar Deck - 9_13 .pdf
Acquia Webinar Deck - 9_13 .pdfAcquia Webinar Deck - 9_13 .pdf
Acquia Webinar Deck - 9_13 .pdfAcquia
 
Taking Your Multi-Site Management at Scale to the Next Level
Taking Your Multi-Site Management at Scale to the Next LevelTaking Your Multi-Site Management at Scale to the Next Level
Taking Your Multi-Site Management at Scale to the Next LevelAcquia
 
CDP for Retail Webinar with Appnovation - Q2 2022.pdf
CDP for Retail Webinar with Appnovation - Q2 2022.pdfCDP for Retail Webinar with Appnovation - Q2 2022.pdf
CDP for Retail Webinar with Appnovation - Q2 2022.pdfAcquia
 
May Partner Bootcamp 2022
May Partner Bootcamp 2022May Partner Bootcamp 2022
May Partner Bootcamp 2022Acquia
 
April Partner Bootcamp 2022
April Partner Bootcamp 2022April Partner Bootcamp 2022
April Partner Bootcamp 2022Acquia
 
How to Unify Brand Experience: A Hootsuite Story
How to Unify Brand Experience: A Hootsuite Story How to Unify Brand Experience: A Hootsuite Story
How to Unify Brand Experience: A Hootsuite Story Acquia
 
Using Personas to Guide DAM Results: How Life Time Pumped Up Their UX and CX
Using Personas to Guide DAM Results: How Life Time Pumped Up Their UX and CXUsing Personas to Guide DAM Results: How Life Time Pumped Up Their UX and CX
Using Personas to Guide DAM Results: How Life Time Pumped Up Their UX and CXAcquia
 
Improve Code Quality and Time to Market: 100% Cloud-Based Development Workflow
Improve Code Quality and Time to Market: 100% Cloud-Based Development WorkflowImprove Code Quality and Time to Market: 100% Cloud-Based Development Workflow
Improve Code Quality and Time to Market: 100% Cloud-Based Development WorkflowAcquia
 
September Partner Bootcamp
September Partner BootcampSeptember Partner Bootcamp
September Partner BootcampAcquia
 
August partner bootcamp
August partner bootcampAugust partner bootcamp
August partner bootcampAcquia
 
July 2021 Partner Bootcamp
July  2021 Partner BootcampJuly  2021 Partner Bootcamp
July 2021 Partner BootcampAcquia
 
May Partner Bootcamp
May Partner BootcampMay Partner Bootcamp
May Partner BootcampAcquia
 
DRUPAL 7 END OF LIFE IS NEAR - MIGRATE TO DRUPAL 9 FAST AND EASY
DRUPAL 7 END OF LIFE IS NEAR - MIGRATE TO DRUPAL 9 FAST AND EASYDRUPAL 7 END OF LIFE IS NEAR - MIGRATE TO DRUPAL 9 FAST AND EASY
DRUPAL 7 END OF LIFE IS NEAR - MIGRATE TO DRUPAL 9 FAST AND EASYAcquia
 
Work While You Sleep: The CMO’s Guide to a 24/7/365 Lead Machine
Work While You Sleep: The CMO’s Guide to a 24/7/365 Lead MachineWork While You Sleep: The CMO’s Guide to a 24/7/365 Lead Machine
Work While You Sleep: The CMO’s Guide to a 24/7/365 Lead MachineAcquia
 
Acquia webinar: Leveraging Drupal to Bury Your Sales Team In B2B Leads
Acquia webinar: Leveraging Drupal to Bury Your Sales Team In B2B LeadsAcquia webinar: Leveraging Drupal to Bury Your Sales Team In B2B Leads
Acquia webinar: Leveraging Drupal to Bury Your Sales Team In B2B LeadsAcquia
 
April partner bootcamp deck cookieless future
April partner bootcamp deck  cookieless futureApril partner bootcamp deck  cookieless future
April partner bootcamp deck cookieless futureAcquia
 
How to enhance cx through personalised, automated solutions
How to enhance cx through personalised, automated solutionsHow to enhance cx through personalised, automated solutions
How to enhance cx through personalised, automated solutionsAcquia
 
DRUPAL MIGRATIONS AND DRUPAL 9 INNOVATION: HOW PAC-12 DELIVERED DIGITALLY FOR...
DRUPAL MIGRATIONS AND DRUPAL 9 INNOVATION: HOW PAC-12 DELIVERED DIGITALLY FOR...DRUPAL MIGRATIONS AND DRUPAL 9 INNOVATION: HOW PAC-12 DELIVERED DIGITALLY FOR...
DRUPAL MIGRATIONS AND DRUPAL 9 INNOVATION: HOW PAC-12 DELIVERED DIGITALLY FOR...Acquia
 
Customer Experience (CX): 3 Key Factors Shaping CX Redesign in 2021
Customer Experience (CX): 3 Key Factors Shaping CX Redesign in 2021Customer Experience (CX): 3 Key Factors Shaping CX Redesign in 2021
Customer Experience (CX): 3 Key Factors Shaping CX Redesign in 2021Acquia
 

More from Acquia (20)

Acquia_Adcetera Webinar_Marketing Automation.pdf
Acquia_Adcetera Webinar_Marketing Automation.pdfAcquia_Adcetera Webinar_Marketing Automation.pdf
Acquia_Adcetera Webinar_Marketing Automation.pdf
 
Acquia Webinar Deck - 9_13 .pdf
Acquia Webinar Deck - 9_13 .pdfAcquia Webinar Deck - 9_13 .pdf
Acquia Webinar Deck - 9_13 .pdf
 
Taking Your Multi-Site Management at Scale to the Next Level
Taking Your Multi-Site Management at Scale to the Next LevelTaking Your Multi-Site Management at Scale to the Next Level
Taking Your Multi-Site Management at Scale to the Next Level
 
CDP for Retail Webinar with Appnovation - Q2 2022.pdf
CDP for Retail Webinar with Appnovation - Q2 2022.pdfCDP for Retail Webinar with Appnovation - Q2 2022.pdf
CDP for Retail Webinar with Appnovation - Q2 2022.pdf
 
May Partner Bootcamp 2022
May Partner Bootcamp 2022May Partner Bootcamp 2022
May Partner Bootcamp 2022
 
April Partner Bootcamp 2022
April Partner Bootcamp 2022April Partner Bootcamp 2022
April Partner Bootcamp 2022
 
How to Unify Brand Experience: A Hootsuite Story
How to Unify Brand Experience: A Hootsuite Story How to Unify Brand Experience: A Hootsuite Story
How to Unify Brand Experience: A Hootsuite Story
 
Using Personas to Guide DAM Results: How Life Time Pumped Up Their UX and CX
Using Personas to Guide DAM Results: How Life Time Pumped Up Their UX and CXUsing Personas to Guide DAM Results: How Life Time Pumped Up Their UX and CX
Using Personas to Guide DAM Results: How Life Time Pumped Up Their UX and CX
 
Improve Code Quality and Time to Market: 100% Cloud-Based Development Workflow
Improve Code Quality and Time to Market: 100% Cloud-Based Development WorkflowImprove Code Quality and Time to Market: 100% Cloud-Based Development Workflow
Improve Code Quality and Time to Market: 100% Cloud-Based Development Workflow
 
September Partner Bootcamp
September Partner BootcampSeptember Partner Bootcamp
September Partner Bootcamp
 
August partner bootcamp
August partner bootcampAugust partner bootcamp
August partner bootcamp
 
July 2021 Partner Bootcamp
July  2021 Partner BootcampJuly  2021 Partner Bootcamp
July 2021 Partner Bootcamp
 
May Partner Bootcamp
May Partner BootcampMay Partner Bootcamp
May Partner Bootcamp
 
DRUPAL 7 END OF LIFE IS NEAR - MIGRATE TO DRUPAL 9 FAST AND EASY
DRUPAL 7 END OF LIFE IS NEAR - MIGRATE TO DRUPAL 9 FAST AND EASYDRUPAL 7 END OF LIFE IS NEAR - MIGRATE TO DRUPAL 9 FAST AND EASY
DRUPAL 7 END OF LIFE IS NEAR - MIGRATE TO DRUPAL 9 FAST AND EASY
 
Work While You Sleep: The CMO’s Guide to a 24/7/365 Lead Machine
Work While You Sleep: The CMO’s Guide to a 24/7/365 Lead MachineWork While You Sleep: The CMO’s Guide to a 24/7/365 Lead Machine
Work While You Sleep: The CMO’s Guide to a 24/7/365 Lead Machine
 
Acquia webinar: Leveraging Drupal to Bury Your Sales Team In B2B Leads
Acquia webinar: Leveraging Drupal to Bury Your Sales Team In B2B LeadsAcquia webinar: Leveraging Drupal to Bury Your Sales Team In B2B Leads
Acquia webinar: Leveraging Drupal to Bury Your Sales Team In B2B Leads
 
April partner bootcamp deck cookieless future
April partner bootcamp deck  cookieless futureApril partner bootcamp deck  cookieless future
April partner bootcamp deck cookieless future
 
How to enhance cx through personalised, automated solutions
How to enhance cx through personalised, automated solutionsHow to enhance cx through personalised, automated solutions
How to enhance cx through personalised, automated solutions
 
DRUPAL MIGRATIONS AND DRUPAL 9 INNOVATION: HOW PAC-12 DELIVERED DIGITALLY FOR...
DRUPAL MIGRATIONS AND DRUPAL 9 INNOVATION: HOW PAC-12 DELIVERED DIGITALLY FOR...DRUPAL MIGRATIONS AND DRUPAL 9 INNOVATION: HOW PAC-12 DELIVERED DIGITALLY FOR...
DRUPAL MIGRATIONS AND DRUPAL 9 INNOVATION: HOW PAC-12 DELIVERED DIGITALLY FOR...
 
Customer Experience (CX): 3 Key Factors Shaping CX Redesign in 2021
Customer Experience (CX): 3 Key Factors Shaping CX Redesign in 2021Customer Experience (CX): 3 Key Factors Shaping CX Redesign in 2021
Customer Experience (CX): 3 Key Factors Shaping CX Redesign in 2021
 

Recently uploaded

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

Recently uploaded (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!

Protect your site from CSRF

  • 1. Protect your site from CSRF Greg Knaddison @greggles greg.knaddison@acquia.com Tuesday, May 15, 2012
  • 2. US$15 on Kindle, US$26 paperback
  • 3. Protect your site from XSS
  • 5. drupalgovdays.org munich2012.drupal.org groups.drupal.org/camps
  • 6. Drupal Vulnerabilities by type (pie chart; categories: XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection, Others) reported in core and contrib SAs from 6/1/2005 through 3/24/2010
  • 7. BTW on XSS http://acquia.com/node/2022266
  • 8. Acquia Security Training • Journey into mind of an attacker • Preventing spam and brute force attacks • XSS • Access bypass • CSRF • SQL Injection • Over 81% of Drupal vulnerabilities • Hands-on attacking and fixing a Drupal 7 site • Group review of possible fixes • How to perform automated security scans
  • 9. Think like an attacker how does an attacker think?
  • 10. Think like the attacker • “Solving problems” - just like you • Using HTTP, Javascript, PHP - just like you • But her problems are different...
  • 12. What is CSRF? Cross Site Request Forgery
  • 13. CSRF - Cross site Request Forgery • Action performed on the site • May confirm access/authorization • Fails to confirm intent But how does a computer know my intent?
  • 14. Typical Page Request /user/delete/7 Drupal HTML Visitor sid
  • 15. Typical Page Request /user/delete/7 Drupal HTML Visitor sid Oh, you are greggles
  • 16. Cross Site Request Forgery HTML Drupal Victim sid
  • 17. Cross Site Request Forgery Attacker HTML Drupal Victim sid
  • 18. Cross Site Request Forgery Attacker HTML Drupal Victim trick! sid
  • 19. CSRF and session life time “Each employee spent only 11 minutes on any given project before being interrupted and whisked off to do something else. What's more, each 11-minute project was itself fragmented into even shorter three-minute tasks, like answering e-mail messages, reading a Web page or working on a spreadsheet.” Meet the Life Hackers NY Times October 16, 2005 www.nytimes.com/2005/10/16/magazine/16guru.html
  • 20. How do you trick someone into visiting a url? • Email • Twitter • Facebook • Short urls • Web page with img, javascript • Ask them to type it in • Etc.
  • 21. User intent? • Confirm identity • Confirm you really asked • Look at the person • Facial expression, tone • Ask them to repeat • Ask for a secret
  • 22. User intent? • Secret to the site • Specific to the user • Specific to the action • One-way-hash Can be re-calculated by the site.
  • 23. Typical Page Request /user/delete/7?token=e416c8d447.......cbdec84 HTML Drupal Visitor sid you are greggles token you have intent
  • 24. Cross Site Request Forgery HTML Drupal Victim sid 403: where is your intent?
  • 25. Cross Site Request Forgery Attacker HTML Drupal Victim sid 403: where is your intent?
  • 26. Cross Site Request Forgery Attacker HTML Drupal Victim trick! sid 403: where is your intent?
  • 27. Demo: CSRF simple tricky
  • 29. Identifying CSRF in the wild • Look at links & forms • Live HTTP Headers, Tamper Data, Chrome tools • menu callback with an action verb and not drupal_get_form • directly uses $_POST, $_GET, arg(), menu object to take an action • not using form_submit OR drupal_get_token
  • 30. Preventing CSRF • Just use the form API • Links and Ajax without FAPI: • Request: 'query' => array('token' => drupal_get_token('my_id')) • Processing: if (!drupal_valid_token($_GET['token'], 'my_id')) { return MENU_ACCESS_DENIED; } • More: http://drupalscout.com/node/20
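The token scheme of slides 22 to 26 and the link/validation pattern of slide 30, as an added Python example that models the idea (secret to the site, specific to the user's session, specific to the action, one-way hash the site can recompute) rather than reproducing Drupal's own drupal_get_token; SITE_SECRET, the session ids and the "user-delete-N" action name are constructed for the example.

```python
import hashlib
import hmac

# Site-wide secret (constructed sample; Drupal uses its private key and
# hash salt for this role). It never appears in a URL or a page.
SITE_SECRET = "constructed-site-secret-do-not-reuse"


def make_token(site_secret: str, session_id: str, action: str) -> str:
    """Token that is secret to the site, specific to the user (session)
    and specific to the action, built with a one-way hash so the site
    can recompute it but a third party cannot derive it."""
    key = (session_id + site_secret).encode()
    return hmac.new(key, action.encode(), hashlib.sha256).hexdigest()


def valid_token(site_secret: str, session_id: str, action: str,
                token: str) -> bool:
    """Recalculate the expected token and compare in constant time."""
    expected = make_token(site_secret, session_id, action)
    return hmac.compare_digest(expected, token)


def delete_link(session_id: str, uid: int) -> str:
    """The link the site renders for the logged-in visitor (hypothetical
    path modelled on the slides' /user/delete/7)."""
    token = make_token(SITE_SECRET, session_id, f"user-delete-{uid}")
    return f"/user/delete/{uid}?token={token}"


def handle_delete(session_id: str, query: dict, uid: int) -> int:
    """Simulated menu callback: 200 when intent is proven, else 403."""
    token = query.get("token", "")
    if not valid_token(SITE_SECRET, session_id, f"user-delete-{uid}", token):
        return 403  # "where is your intent?"
    return 200


if __name__ == "__main__":
    sid = "victim-session-id"  # constructed session id
    link = delete_link(sid, 7)
    token = link.split("token=")[1]
    print(handle_delete(sid, {"token": token}, 7))  # 200: the site's own link
    print(handle_delete(sid, {}, 7))                # 403: forged request, no token
    print(handle_delete(sid, {"token": token}, 8))  # 403: token bound to uid 7 only
```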
  • 32. Acquia Security Audits • 1 week engagement • Manual and automated • Static code analysis • Penetration testing of interface • Report: - prioritized list of vulnerabilities - mitigation recommendations
  • 33. Resources • Drupal Scout CSRF: drupalscout.com/tags/csrf • Security Training: - training.acquia.com/developing-drupal/security • Acquia's Knowledge Base: library.acquia.com • Security checks via acquia.com/insight • groups.drupal.org/best-practices-drupal-security Any questions?