Security in Moodle plugins


Security in Moodle plugins
the world's open source learning platform
Marina Glancy, Moodle HQ
MoodleMoot Australia 2015 #mootau15

About me
- Development Process Manager in Moodle HQ
- Working for Moodle since 2011
- 15 years of software development
- MSc in Computer Science
- Anti social media
- Love open-source

1 + 1 = ∞
Security vulnerabilities: developer mistake + hacker exploit = infinite damage

Typical security vulnerabilities in Moodle (https://docs.moodle.org/dev/Security)
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Privilege escalation (incl. unauthorised access)
- Information leakage
- SQL injection
- Command-line and code injection
- Illegal file access
- Denial of service, buffer overflow, timeout, etc.

Cross-site scripting (XSS)
XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
[Figure: example of "good" JavaScript] [Figure: example of "bad" JavaScript]

After the attack
Who is responsible? Who suffers? Whose fault is it?
Parties in the diagram: Moodle administrator, Developer, Hacker, Students, Teacher

Cross-site scripting (XSS)

Cross-site scripting (XSS): how to test
- Make sure the plugin does not automatically assign any XSS_RISK capabilities to roles with Student or Authenticated user archetypes
- Create a role with all capabilities that are not marked with XSS_RISK
- Give a user this role (in addition to Student or Authenticated user)
- Login as this user, disable HTML editor in your preferences
- Wherever you can, try to insert XSS
- Make sure nobody (teacher, other users) can be affected
- Test rare cases, such as deletion, moving, etc.
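
The test above finds places where a plugin prints stored or submitted text without escaping it. The following is an added example, not code from the slides or from Moodle itself: a hypothetical plugin page (local_example, table local_example_item, both assumed names) showing the unescaped echo the test would catch next to the Moodle output functions that make it safe.

```php
<?php
// Added example (not from the slides). Assumed names: local_example plugin,
// table local_example_item with name/description/descriptionformat columns.
require(__DIR__ . '/../../config.php');

$id = required_param('id', PARAM_INT);
require_login();
$context = context_system::instance();
$PAGE->set_url(new moodle_url('/local/example/view.php', ['id' => $id]));
$PAGE->set_context($context);

// "name" was stored by some other user with write access; treat it as untrusted.
$item = $DB->get_record('local_example_item', ['id' => $id], '*', MUST_EXIST);

echo $OUTPUT->header();

// Vulnerable (what the XSS test above would catch): raw value dropped into the page.
// echo '<h2>' . $item->name . '</h2>';

// Safe: format_string() filters and HTML-escapes a single-line string;
// html_writer builds the markup and escapes attribute values itself.
echo html_writer::tag('h2', format_string($item->name, true, ['context' => $context]));

// Content that is allowed to contain HTML goes through format_text(), which runs
// the configured HTML cleaner for the stored format.
echo html_writer::div(
    format_text($item->description, $item->descriptionformat, ['context' => $context]));

// Attribute values: html_writer applies s() to every attribute, so the quote
// characters in a hostile name cannot break out of the attribute.
echo html_writer::empty_tag('input',
    ['type' => 'text', 'name' => 'name', 'value' => $item->name]);

echo $OUTPUT->footer();
```

The rule of thumb the slide relies on: s() for plain strings, format_string() for titles, format_text() for rich content, and never a bare echo of anything that came from a form or the database.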

Cross-site scripting (XSS)

Cross-site request forgery (CSRF)
Cross-site request forgery, also known as a one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting, which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

Cross-site request forgery (CSRF): how Moodle protects against it
- On login a random session key (sesskey) is generated for the user and stored in the session
- Every significant action appends sesskey to the request
- The backend script checks sesskey by calling confirm_sesskey() or require_sesskey()
- Moodle forms (moodleform) always pass and validate sesskey
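
The sesskey round trip in one script, as an added example (not from the slides or from Moodle core): a hypothetical delete action in a local_example plugin (plugin name, table local_example_item and capability local/example:manage are assumed). The confirmation page embeds sesskey in the "Yes" button and the final request is refused unless it matches the session.

```php
<?php
// Added example (not from the slides). Assumed: local_example plugin,
// table local_example_item, capability local/example:manage.
require(__DIR__ . '/../../config.php');

$id = required_param('id', PARAM_INT);
$confirm = optional_param('confirm', 0, PARAM_BOOL);

$context = context_system::instance();
require_login();
require_capability('local/example:manage', $context);

$PAGE->set_url(new moodle_url('/local/example/delete.php', ['id' => $id]));
$PAGE->set_context($context);

if ($confirm) {
    // State-changing step: require_sesskey() throws if the sesskey parameter is
    // missing or does not match the one stored in this user's session, so a forged
    // cross-site request (which cannot know the key) never reaches delete_records().
    require_sesskey();
    $DB->delete_records('local_example_item', ['id' => $id]);
    redirect(new moodle_url('/local/example/index.php'));
}

// Non-JavaScript confirmation page. sesskey() appends the current key to the
// continue URL; $OUTPUT->confirm() renders it as a POST button.
$yesurl = new moodle_url('/local/example/delete.php',
    ['id' => $id, 'confirm' => 1, 'sesskey' => sesskey()]);
$nourl = new moodle_url('/local/example/index.php');

echo $OUTPUT->header();
echo $OUTPUT->confirm(get_string('confirmdelete', 'local_example'), $yesurl, $nourl);
echo $OUTPUT->footer();
```

Note that the confirmation page itself (the GET without confirm=1) changes nothing and therefore needs no sesskey; only the request that performs the change checks it, which is exactly the split the next slide's test exercises.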

Cross-site request forgery (CSRF): how to test
- As admin/teacher/manager, open many tabs with links/quickforms
- If some action has a non-JavaScript confirmation page, open the confirmation page
- In another tab logout and login as the same user, close this tab
- Make sure no links or form submissions perform any changes to the data
- Watch for AJAX requests

Privilege escalation
- The capability check when displaying a control must exactly match the capability check when processing the request
- Often happens with backend scripts for AJAX requests
- How to test: similar to the CSRF test, but instead of logout/login use another browser to login as administrator and revoke some capabilities from the user
- Review the code and make sure every PHP script is either defined as internal or calls require_login() / require_course_login()
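
An added example (not from the slides or from Moodle core) of the "display check equals processing check" rule for an AJAX backend. It shows two files of a hypothetical local_example plugin (capability local/example:archive and table local_example_item are assumed names): the listing page renders an Archive link only for users who hold the capability, and the AJAX script repeats the same require_login / sesskey / capability guards instead of trusting that the link was only shown to the right people.

```php
<?php
// Added example (not from the slides). Two files of a hypothetical local_example
// plugin; assumed names: capability local/example:archive, table local_example_item.

// ==== file: local/example/index.php (display side) ====
require(__DIR__ . '/../../config.php');
require_login();
$context = context_system::instance();
$PAGE->set_url(new moodle_url('/local/example/index.php'));
$PAGE->set_context($context);

echo $OUTPUT->header();
foreach ($DB->get_records('local_example_item') as $item) {
    echo html_writer::tag('span', format_string($item->name));
    if (has_capability('local/example:archive', $context)) {
        // The control exists only for users holding the capability...
        $url = new moodle_url('/local/example/ajax_archive.php',
            ['id' => $item->id, 'sesskey' => sesskey()]);
        echo html_writer::link($url, get_string('archive', 'local_example'),
            ['class' => 'local-example-archive']);
    }
}
echo $OUTPUT->footer();

// ==== file: local/example/ajax_archive.php (processing side) ====
define('AJAX_SCRIPT', true);
require(__DIR__ . '/../../config.php');

$id = required_param('id', PARAM_INT);

// ...and the backend re-checks exactly the same things. Hiding the link is not a
// security control: anyone can call this URL directly, and a capability revoked
// after the page was rendered (the test on the slide) must still be enforced here.
require_login();
require_sesskey();
$context = context_system::instance();
require_capability('local/example:archive', $context);

$item = $DB->get_record('local_example_item', ['id' => $id], '*', MUST_EXIST);
$item->archived = 1;
$DB->update_record('local_example_item', $item);

echo json_encode(['success' => true]);
```

If the capability check in the backend were broader (say, only require_login()), the listing would look correct while any logged-in user could archive items by hand-crafting the request; the mismatch, not the missing link, is the bug.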

Information leakage
- username should not be visible to anybody
- email and other identity fields can only be visible to people with capability 'moodle/site:viewuseridentity'
- make sure the plugin does not disclose user names or profile pictures to guests or non-logged-in users
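
An added example (not from the slides or from Moodle core) of listing users in a course page without leaking identity data. It assumes a hypothetical local_example plugin with a table local_example_entry holding userid and courseid columns, and uses get_extra_user_fields(), which returns the identity fields only when the current user has moodle/site:viewuseridentity in the given context (the function is deprecated in recent Moodle versions in favour of core_user\fields, but matches the 2015 API the talk describes).

```php
<?php
// Added example (not from the slides). Assumed: local_example plugin with table
// local_example_entry (userid, courseid).
require(__DIR__ . '/../../config.php');

$courseid = required_param('courseid', PARAM_INT);
$course = get_course($courseid);
require_course_login($course);
$context = context_course::instance($course->id);

// Guest access to a course is legitimate for content, but this page shows people,
// so refuse guests explicitly ('noguest' is a core language string).
if (isguestuser()) {
    throw new moodle_exception('noguest');
}

$PAGE->set_url(new moodle_url('/local/example/participants.php', ['courseid' => $courseid]));
$PAGE->set_context($context);

// Identity fields (email, idnumber, ...) are returned only if the viewer holds
// moodle/site:viewuseridentity in this context; otherwise the array is empty and
// the columns are never even selected from the database.
$identityfields = get_extra_user_fields($context);

// user_picture::fields() selects id, picture, name fields and the extra fields,
// which is everything fullname() and the picture renderer need. username is not
// among them and is never shown.
$userfields = user_picture::fields('u', $identityfields);
$sql = "SELECT $userfields
          FROM {user} u
          JOIN {local_example_entry} e ON e.userid = u.id
         WHERE e.courseid = :courseid AND u.deleted = 0";
$users = $DB->get_records_sql($sql, ['courseid' => $course->id]);

echo $OUTPUT->header();
$table = new html_table();
$table->head = array_merge([get_string('fullname')],
    array_map(function ($f) { return get_string($f); }, $identityfields));
foreach ($users as $user) {
    $row = [$OUTPUT->user_picture($user, ['courseid' => $course->id]) . ' ' . fullname($user)];
    foreach ($identityfields as $field) {
        $row[] = s($user->$field);   // only reached when the viewer may see it
    }
    $table->data[] = $row;
}
echo html_writer::table($table);
echo $OUTPUT->footer();
```

The important property is that the capability decides what is queried, not just what is printed: a page that selects u.email for everyone and hides it in the template still leaks it through debugging output, web services or a later copy-paste.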

SQL injection (vulnerable example from the slide)

    $searchstring = optional_param('s', '', PARAM_NOTAGS);
    // Vulnerable: user input is concatenated straight into the SQL string.
    $DB->execute("SELECT * from {sometable} WHERE name LIKE '%" . $searchstring . "%'");

SQL injection: how to test
- Search for $DB-> in the code and make sure there are no string concatenations, only placeholders
- Try appending an apostrophe ' to each input field, especially ones that are supposed to be numeric; any DML error is a sign of potential SQL injection
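
The search from the vulnerable slide rewritten with placeholders, as an added example (not from the slides or Moodle core). It keeps the slide's assumed {sometable} with a name column and uses the DML helpers $DB->sql_like() and $DB->sql_like_escape(), so the user's text is bound as a parameter and its % and _ characters are matched literally rather than treated as wildcards.

```php
<?php
// Added example (not from the slides). Assumed: a table {sometable} with a "name"
// column, as on the slide.
require(__DIR__ . '/../../config.php');
require_login();

$searchstring = optional_param('s', '', PARAM_NOTAGS);

// The value travels as a named placeholder; sql_like_escape() neutralises % and _
// inside the user's text so "50%" searches for the literal string.
$params = ['search' => '%' . $DB->sql_like_escape($searchstring) . '%'];

// sql_like() emits a portable, case-insensitive LIKE with the matching ESCAPE
// clause for the current database driver (MySQL, PostgreSQL, MSSQL, Oracle).
$where = $DB->sql_like('name', ':search', false);

// Either the select-helper form...
$records = $DB->get_records_select('sometable', $where, $params, 'name ASC');

// ...or an explicit query; the SQL string still contains no user data.
$sql = "SELECT id, name
          FROM {sometable}
         WHERE " . $DB->sql_like('name', ':search', false) . "
      ORDER BY name ASC";
$records = $DB->get_records_sql($sql, $params);

// Numeric inputs are the other case from the slide: declare the type at the
// boundary so an appended apostrophe is rejected before any SQL is built.
$courseid = optional_param('courseid', 0, PARAM_INT);
if ($courseid) {
    $records = $DB->get_records('sometable', ['courseid' => $courseid], 'name ASC');
}
```

With this shape the "append an apostrophe" test produces zero results instead of a DML error, which is the observable difference the slide tells reviewers to look for.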


Command-line and code injection
- Search the code for usage of exec, eval, shell_exec, system, passthru, popen, proc_open, etc.
- Sometimes it is even worth disabling some of those functions in php.ini
- unserialize() is a good function but should never be applied to user input
- preg_replace() with the 'e' modifier may also be dangerous
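
An added example (not from the slides or Moodle core) of the two replacements the last two bullets point at: decoding request data with json_decode() and a key whitelist instead of unserialize(), and expanding template tokens with preg_replace_callback() instead of preg_replace() with the 'e' modifier. Both functions and the settings keys are hypothetical.

```php
<?php
// Added example (not from the slides). Hypothetical helper functions for a
// local_example plugin.

/**
 * Decode settings submitted in a request body. unserialize() would let the
 * payload name arbitrary PHP classes to instantiate; json_decode() only ever
 * produces scalars and arrays, and the whitelist below discards unknown keys.
 */
function local_example_decode_settings(string $raw): array {
    $data = json_decode($raw, true, 8);          // associative arrays, bounded depth
    if (!is_array($data)) {
        throw new invalid_parameter_exception('settings must be a JSON object');
    }
    $allowed = ['title' => PARAM_TEXT, 'maxitems' => PARAM_INT];
    $clean = [];
    foreach ($allowed as $key => $type) {
        if (array_key_exists($key, $data)) {
            $clean[$key] = clean_param($data[$key], $type);   // same cleaning as optional_param()
        }
    }
    return $clean;
}

/**
 * Replace {{token}} placeholders in a template. With the old 'e' modifier the
 * replacement string was eval()'d, so a value containing PHP ran as code; the
 * callback receives the match as data and returns escaped text.
 */
function local_example_expand(string $template, array $values): string {
    return preg_replace_callback('/\{\{([a-z0-9_]+)\}\}/i', function (array $m) use ($values) {
        return isset($values[$m[1]]) ? s((string) $values[$m[1]]) : '';
    }, $template);
}

// Usage (constructed input):
// local_example_decode_settings('{"title":"Week 1","maxitems":"12","evil":"x"}')
//     gives ['title' => 'Week 1', 'maxitems' => 12]
// local_example_expand('Hello {{name}}', ['name' => '<b>Ann</b>'])
//     gives 'Hello &lt;b&gt;Ann&lt;/b&gt;'
```

When the stored format cannot be changed (legacy tables holding serialized blobs), the data is at least not user-controlled on the way in; the slide's point is only that unserialize() must never see bytes that arrived in a request.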

Illegal file access
- Files may be saved to or read from only the temporary directory or datadir
- In 99% of cases accessing datadir should be done using methods of the file_storage class, see get_file_storage()
- 'filemanager' and 'editor' elements in moodleforms are usually safe
- 'filepicker' or any other file upload must be tested
- Search for the functions file_get_contents(), file_put_contents() and fopen() and make sure they are only used on allowed locations
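
An added example (not from the slides or Moodle core) of writing and reading a plugin file through the File API, and of the one legitimate direct-path case (temporary scratch space). Component local_example, file area 'report' and capability local/example:manage are assumed names.

```php
<?php
// Added example (not from the slides). Assumed: component local_example,
// filearea 'report', capability local/example:manage.
require(__DIR__ . '/../../config.php');
require_login();
$context = context_system::instance();
require_capability('local/example:manage', $context);

$fs = get_file_storage();
$filerecord = [
    'contextid' => $context->id,
    'component' => 'local_example',
    'filearea'  => 'report',
    'itemid'    => 0,
    'filepath'  => '/',
    'filename'  => 'summary.txt',
];

// Write through file_storage: the bytes are placed in datadir by content hash, so
// no filesystem path is ever built from request data. Replace any earlier copy.
$existing = $fs->get_file($filerecord['contextid'], $filerecord['component'],
    $filerecord['filearea'], $filerecord['itemid'], $filerecord['filepath'],
    $filerecord['filename']);
if ($existing) {
    $existing->delete();
}
$fs->create_file_from_string($filerecord, 'generated ' . userdate(time()));

// Read the same way; stored_file returns the content without exposing a path.
$file = $fs->get_file($filerecord['contextid'], $filerecord['component'],
    $filerecord['filearea'], $filerecord['itemid'], $filerecord['filepath'],
    $filerecord['filename']);
echo html_writer::tag('pre', s($file->get_content()));

// The allowed exception: a real path for an external tool, confined to Moodle's
// temp directory, with the user-influenced part reduced to a safe basename.
$requestedname = optional_param('name', 'scratch.txt', PARAM_FILE); // PARAM_FILE strips slashes and ..
$tmpdir = make_temp_directory('local_example');
$tmpfile = $tmpdir . '/' . clean_filename($requestedname);
file_put_contents($tmpfile, 'scratch');
```

The review search on the slide (file_get_contents, file_put_contents, fopen) should, in a clean plugin, find only calls like the last one, where the directory comes from make_temp_directory() and the name has been through PARAM_FILE or clean_filename().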

Denial of service, buffer overflow, timeout
- Turn on performance reporting and make sure pages do not access the DB excessively
- All pages accessible by guests or non-logged-in users must be very light
- preg_match() called on user input may result in ReDoS (regular expression denial of service)
- Set a reasonable timeout for PHP scripts. Moodle increases the timeout when needed (restore, cron, big file serving, etc.)
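
An added example (not from the slides or Moodle core) for the last two bullets: a helper that bounds user input before preg_match() and treats a backtrack-limit failure as a rejected input, and a long-running export that raises its own time limit with core_php_time_limit instead of relying on a site-wide setting. Both functions are hypothetical; preg_last_error_msg() assumes PHP 8.

```php
<?php
// Added example (not from the slides). Hypothetical helpers for a local_example plugin.

/**
 * Validate an identifier supplied by the user. The subject length is capped before
 * the regex engine sees it, and an engine failure is a rejection, not an exception.
 */
function local_example_valid_identifier(string $input): bool {
    if (strlen($input) > 255) {                 // bound the work before matching
        return false;
    }
    $result = preg_match('/^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)*$/i', $input);
    if ($result === false) {
        // pcre.backtrack_limit or pcre.recursion_limit was hit. Do not raise the
        // limits or retry; reject the input and leave a developer-level trace.
        debugging('preg_match failed: ' . preg_last_error_msg(), DEBUG_DEVELOPER);
        return false;
    }
    return $result === 1;
}

/**
 * Build a CSV export of arbitrary length. Only this script gets a longer limit;
 * ordinary pages keep the default max_execution_time.
 */
function local_example_export_csv(array $rows): string {
    \core_php_time_limit::raise(300);            // five minutes, for this request only
    $out = '';
    foreach ($rows as $row) {
        $out .= implode(',', array_map('s', $row)) . "\n";
    }
    return $out;
}

// Usage (constructed input):
// local_example_valid_identifier('mod.assign_1')  gives true
// local_example_valid_identifier('a b')           gives false
// local_example_valid_identifier(str_repeat('a', 300)) gives false
```

The input cap is the cheap, general defence: however the pattern behaves on pathological text, the amount of text it can be given is fixed by the code rather than by the client.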

Moodle security process (https://moodle.org/security/)
- Quick response
- Bi-monthly releases
- Extended security support
- Responsible disclosure
- Registration with Open Source Security (OSS)
#moodlesecurity

Thank you
Marina Glancy marina@moodle.com