Secure Web 2.0 (& Drupal) Part 6

Tue, 05/26/2015 - 14:11 -- pottol
Drupal CSRF

 A7 Missing Functional Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

Drupal approach:

·         Menu system uses access callback and access arguments

·         Continually review permissions

A8 CSRF (Cross Site Request Forgery)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

Example1: If there is an image like this the user who loads it will be logged out.

<img src="http://example.com/user/logout" />

Example2: some content could be deleted:

http://example.com/index.php?delete=12 <img src="http://example.com/index.php?delete=12" />

Drupal always asks "Are you sure you want to delete this?" Avoid this issue doing things in "The Drupal Way":

·         Form API works with POST submissions by default (makes it harder)

·         Form API includes form tokens, requires form retrieval before submission, checks valid values

·         drupal_valid_token() provided to generate/validate tokens for GET requests

 

Tags: