The document discusses protecting a website from cross-site request forgery (CSRF) attacks. It describes how CSRF works by tricking a victim's browser into making requests to a target site on behalf of an attacker. The document recommends using tokens or nonces to validate that requests are intentionally sent by the user and not generated by another site. It also provides resources for learning more about CSRF prevention, security training, and getting security audits for Drupal sites.
5. drupalgovdays.org
munich2012.drupal.org
groups.drupal.org/camps
Tuesday, May 15, 2012
6. Drupal Vulnerabilities by type
[Pie chart: share of Drupal vulnerabilities by type, with slices for XSS, Access Bypass, CSRF, Authentication/Session, Arbitrary Code Execution, SQL Injection and Others; the slice percentages shown on the chart are 48%, 16%, 12%, 10%, 7%, 4% and 3%.]
reported in core and contrib SAs from 6/1/2005 through 3/24/2010
7. BTW on XSS
http://acquia.com/node/2022266
8. Acquia Security Training
• Journey into mind of an attacker
• Preventing spam and brute force attacks
• XSS
• Access bypass
• CSRF
• SQL Injection
• Over 81% of Drupal vulnerabilities
• Hands-on attacking and fixing a Drupal 7 site
• Group review of possible fixes
• How to perform automated security scans
9. Think like an attacker
how does an attacker think?
10. Think like the attacker
• “Solving problems” - just like you
• Using HTTP, Javascript, PHP - just like you
• But her problems are different...
12. What is CSRF?
Cross Site Request Forgery
13. CSRF - Cross Site Request Forgery
• Action performed on the site
• May confirm access/authorization
• Fails to confirm intent
But how does a computer know my intent?
14. Typical Page Request
[Diagram: the visitor's browser requests /user/delete/7 from Drupal, sending its session cookie (sid); Drupal returns HTML.]
15. Typical Page Request
[Diagram: the same request for /user/delete/7 with the sid cookie; from the sid Drupal recognises the visitor: "Oh, you are greggles".]
17. Cross Site Request Forgery
[Diagram: HTML served by the attacker is loaded in the victim's browser and makes it send a request to Drupal, which carries the victim's sid cookie.]
18. Cross Site Request Forgery
[Diagram: as before, with the attacker's page marked "trick!": the victim's browser sends the forged request to Drupal together with the victim's sid cookie.]
19. CSRF and session life time
“Each employee spent only 11 minutes on any given
project before being interrupted and whisked off to do
something else. What's more, each 11-minute project was
itself fragmented into even shorter three-minute tasks, like
answering e-mail messages, reading a Web page or
working on a spreadsheet.”
Meet the Life Hackers
NY Times October 16, 2005
www.nytimes.com/2005/10/16/magazine/16guru.html
20. How do you trick someone into visiting a url?
• Email
• Twitter
• Facebook
• Short urls
• Web page with img, javascript
• Ask them to type it in
• Etc.
21. User intent?
• Confirm identity
• Confirm you really asked
• Look at the person
• Facial expression, tone
• Ask them to repeat
• Ask for a secret
22. User intent?
• Secret to the site
• Specific to the user
• Specific to the action
• One-way hash: can be re-calculated by the site.
23. Typical Page Request
[Diagram: the visitor requests /user/delete/7?token=e416c8d447.......cbdec84, sending the sid cookie; Drupal concludes "you are greggles" from the sid and "you have intent" from the token, and returns HTML.]
24. Cross Site Request Forgery
[Diagram: a forged request from the victim's browser carries the sid cookie but no token; Drupal answers 403: "where is your intent?"]
25. Cross Site Request Forgery
[Diagram: the attacker's HTML makes the victim's browser send the request with the sid cookie; without a valid token Drupal answers 403: "where is your intent?"]
26. Cross Site Request Forgery
[Diagram: as before, with the attacker's page marked "trick!": the forged request carries the victim's sid cookie but no token, and Drupal answers 403: "where is your intent?"]
27. Demo: CSRF
simple
tricky
29. Identifying CSRF in the wild
• Look at links & forms
• Live HTTP Headers, Tamper Data, Chrome tools
• menu callback with an action verb and not drupal_get_form
• directly uses $_POST, $_GET, arg() or the menu object to take an action
• not using form_submit OR drupal_get_token
30. Preventing CSRF
• Just use the form API
Links and Ajax without FAPI:
• Request (query option passed when building the link, e.g. to l() or url()):
'query' => array('token' => drupal_get_token('my_id')),
• Processing (in the menu callback, before taking the action):
if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'my_id')) {
  return MENU_ACCESS_DENIED;
}
• More: http://drupalscout.com/node/20
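As an added example (not from the slides and not Drupal's own code), a Python model of the token scheme slides 22 and 30 describe and that Drupal 7's drupal_get_token()/drupal_valid_token() implement: an HMAC over the action name, keyed with the session id plus a site-private key, which the site can recalculate but a third-party page cannot. The site key, the session ids and the /user/delete callback below are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed site secret for this example; a real site keeps its own private key
# (Drupal 7 mixes the session id, the site private key and the hash salt into the HMAC key).
SITE_PRIVATE_KEY = "example-private-key-not-a-real-secret"


def get_token(sid: str, value: str) -> str:
    """Token that is secret to the site (private key), specific to the user (sid)
    and specific to the action (value), produced by a one-way HMAC."""
    key = (sid + SITE_PRIVATE_KEY).encode()
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def valid_token(token: str, sid: str, value: str) -> bool:
    """The site re-calculates the token and compares it in constant time.
    Both sides are encoded to bytes so an arbitrary submitted string cannot raise."""
    return hmac.compare_digest(token.encode(), get_token(sid, value).encode())


def build_delete_link(sid: str, uid: int) -> str:
    """Link the site emits for its own user: the token is bound to this sid and this action."""
    action = "user/delete/%d" % uid
    return "/%s?token=%s" % (action, get_token(sid, action))


def delete_user_callback(sid: str, uid: int, query: dict) -> int:
    """Model of a menu callback for /user/delete/<uid> that acts on a GET request.
    Returns the HTTP status the site would send (constructed model, not Drupal's menu system).
    sid is what the browser's session cookie identifies; query is the parsed query string."""
    action = "user/delete/%d" % uid
    token = query.get("token", "")
    if not valid_token(token, sid, action):
        return 403  # "where is your intent?"
    # ... the real callback would delete the user here ...
    return 200
```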