XSS, CSRF and Other Acronyms You Need to Know

http://mrf.github.io/security-acronyms

About Me:


Mark Ferree

@mrf


Spoiler Alert:

Don't trust user input

Tricky Part:

User input can mean a lot of things

http://www.wordle.net/

There are a lot of things to worry about

Don't Panic

The Big Ones:

XSS

Sanitization on output

Validation vs. Sanitization

          
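/**
 * Form constructor: a form with nothing but a textfield.
 *
 * @param array $form
 *   The form structure being built.
 * @param array $form_state
 *   The current form state (unused here; part of the Form API signature).
 *
 * @return array
 *   The form render array.
 */
function security_presentation_form_example($form, &$form_state) {
  // Display-only description item; it accepts no input.
  $form['description'] = array(
    '#type' => 'item',
    '#title' => t('A form with nothing but a textfield'),
  );
  // The only user-controlled value on this form. Its raw contents reach the
  // submit handler as $form_state['values']['name'].
  $form['name'] = array(
    '#type' => 'textfield',
    '#title' => t('Name'),
  );
  $form['submit'] = array(
    '#type' => 'submit',
    // Wrapped in t() like the other labels so the button is translatable.
    '#value' => t('Submit'),
  );
  return $form;
}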
          
        
          
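/**
 * Submit handler for security_presentation_form_example().
 *
 * Persists the submitted name and redirects to the output page.
 *
 * @param array $form
 *   The form structure.
 * @param array $form_state
 *   The current form state; 'values' holds the submitted fields and
 *   'redirect' is read by the Form API once all submit handlers have run.
 */
function security_presentation_form_example_submit($form, &$form_state) {
  // Stored exactly as submitted, without escaping: escaping belongs to the
  // output side, where the rendering context (HTML text, attribute, SQL
  // parameter, ...) is known. Every reader of this variable must escape it
  // for its own context, and the variable is shared by all site visitors.
  variable_set('security_presentation_name', $form_state['values']['name']);
  // Let the Form API perform the redirect rather than calling drupal_goto()
  // here: drupal_goto() ends the request immediately, so any submit handler
  // registered after this one would never run.
  $form_state['redirect'] = 'examples/form_example/output';
}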
          
        
          
/**
 * Page callback: returns the stored name exactly as it was submitted.
 *
 * This is the unescaped variant of the example. The value came straight from
 * a user-submitted textfield, so wherever the return value ends up rendered
 * as HTML, any markup the user typed is rendered along with it.
 *
 * @return string|null
 *   The stored name, or NULL when nothing has been stored yet.
 */
function security_presentation_form_example_view() {
  return variable_get('security_presentation_name');
}
          
        
          
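/**
 * Page callback: returns the stored name escaped for an HTML text context.
 *
 * @return string
 *   The HTML-escaped name, or '' when nothing has been stored yet.
 */
function security_presentation_form_example_view() {
  // Read the variable once (the previous version read it twice and discarded
  // the first result). check_plain() HTML-escapes the user-entered value; the
  // '' default keeps the return a string when the variable was never set.
  return check_plain(variable_get('security_presentation_name', ''));
}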
          
        
          
/**
 * Page callback: returns the stored name inside a translated sentence.
 *
 * @return string
 *   The translated "Translated name: ..." string with the name escaped.
 */
function security_presentation_form_example_view() {
  $stored_name = variable_get('security_presentation_name');
  // The user-entered value is passed as an '@' placeholder, never as part of
  // the translatable text itself; t() escapes '@' replacements on the way in.
  $replacements = array('@name' => $stored_name);
  return t("Translated name: @name", $replacements);
}
          
        

URL Arguments

          
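/**
 * Page callback: echoes the fourth path component of the current request.
 *
 * @return string
 *   The HTML-escaped path argument, or '' when the path has no fourth part.
 */
function security_presentation_arg_example_view() {
  // arg(3) is taken from the request path, so it is attacker-controlled just
  // like a form value; escape it before it can become part of an HTML
  // response. check_plain() also maps a missing argument (NULL) to ''.
  return check_plain(arg(3));
}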
          
        

SQL Injection

            
/**
 * Page callback: lists nodes of a stored content type (injectable variant).
 *
 * The stored type string is concatenated straight into the SQL text, so a
 * quote character in that value changes the statement itself instead of
 * being treated as data. This is the injection the slide demonstrates; the
 * following listing shows the same query with a bound placeholder.
 *
 * @return string
 *   One "type: title" line per matching node, unescaped.
 */
function security_presentation_sql_example_view() {
  $content_type = variable_get('security_presentation_type');
  // String-built query: $content_type is interpolated, not bound.
  // NOTE(review): the '//' inside the SQL string looks like an extraction
  // artifact of the original line break; '//' is not an SQL comment marker,
  // so the statement as printed would not parse either way.
  $result = db_query("SELECT title, type FROM {node} //
      where type = '" . $content_type. "'");
  $output = '';
  // Debug leftover: with return=TRUE, print_r() returns a string, which is
  // discarded here.
  print_r($result, true);
  foreach ($result as $record) {
    // Titles are user-entered node data and are appended without escaping;
    // the output side would still need check_plain() on them.
    $output .= $record->type;
    $output .= ': ';
    $output .= $record->title;
    $output .= '
'; } return $output; }

http://xkcd.com/327
            
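/**
 * Page callback: lists nodes of a stored content type (parameterized variant).
 *
 * @return string
 *   One "type: title" line per matching node, each HTML-escaped and followed
 *   by a newline; '' when no node matches.
 */
function security_presentation_sql_example_view() {
  $content_type = variable_get('security_presentation_type');
  // The type is passed as a bound placeholder, so whatever is stored in the
  // variable can never alter the statement: the SQL text itself is constant
  // (and carries no stray '//' that would break parsing).
  $result = db_query("SELECT title, type FROM {node} WHERE type = :type",
    array(':type' => $content_type));
  $output = '';
  foreach ($result as $record) {
    // Parameterizing the query protects the database, not the page: node
    // titles are user-entered, so they are escaped again on output.
    $output .= check_plain($record->type) . ': ' . check_plain($record->title) . "\n";
  }
  return $output;
}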

And a short break while we re-install Drupal...

CSRF

            
/**
 * Page callback: a hand-written HTML form, plus the handler that reads it.
 *
 * NOTE(review): the string literals below appear to have lost their markup
 * when the slide was extracted (only the quotes and line breaks survive), so
 * the exact form cannot be read from this listing. What remains still makes
 * the slide's point: a form assembled by hand carries no per-session request
 * token, so a submission forged from another site is indistinguishable from
 * a genuine one. The Form API ("USE FAPI!") adds and verifies that token.
 *
 * @return string
 *   The raw form markup.
 */
function security_presentation_csrf_example_view() {
  $output = '
'; $output .= ""; $output .= ''; $output .= '
'; return $output; } /* Submit side: reads $_POST directly, so there is no token check and an undefined-index notice when 'name' is absent; check_plain() only escapes the value for HTML output and does nothing about forgery. */ function security_presentation_csrf_example_submit() { return check_plain($_POST['name']); }

USE FAPI!

Questions?


Mark Ferree

@mrf