Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security in Moodle plugins

Published byJacob Scott Modified over 6 years ago

Similar presentations

Presentation on theme: "Security in Moodle plugins"— Presentation transcript:

1 Security in Moodle plugins
the world’s open source learning platform Marina Glancy Moodle HQ MoodleMoot Australia 2015 #mootau15

2 About me Development Process Manager in Moodle HQ
Working for Moodle since 2011 15 years of software development MSc in Computer Science Anti social media Love open-source the world’s open source learning platform

3 1 + 1 = ∞ Security vulnerabilities developer mistake hacker exploit
infinite damage the world’s open source learning platform

4 https://docs.moodle.org/dev/Security
Typical security vulnerabilities in Moodle Cross-site scripting (XSS) Cross-site request forgery (CSRF) Privilege escalation (incl. unauthorised access) Information leakage SQL injection Command-line and code injection Illegal files access Denial of service, buffer overflow, timeout, etc. the world’s open source learning platform

5 Cross-site scripting (XSS)
XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Example of “good” JavaScript Example of “bad” JavaScript the world’s open source learning platform

6 After the attack Who is responsible? Who suffers? Whose fault is it?
Moodle administrator Developer Hacker Students Who suffers? Whose fault is it? Who is responsible? Teacher the world’s open source learning platform

7 Cross-site scripting (XSS)
the world’s open source learning platform

8 Cross-site scripting (XSS)
Make sure the plugin does not automatically assign any XSS_RISK capabilities to roles with Student or Authenticated user archetypes; Create a role with all capabilities that are not marked with XSS_RISK; Give a user this role (in addition to Student or Authenticated user); Login as this user, disable HTML editor in your preferences; Wherever you can try to insert XSS; Make sure nobody (teacher, other users) can be affected; Test rare cases, such as deletion, moving, etc. the world’s open source learning platform

9 Cross-site scripting (XSS)
the world’s open source learning platform

10 Cross-site request forgery (CSRF)
Cross-site request forgery, also known as a one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting, which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. the world’s open source learning platform

11 Cross-site request forgery (CSRF)
On login the random session key (sesskey) is generated for user and stored in the session Every significant action appends sesskey to the request Backend script checks sesskey by calling confirm_sesskey() or require_sesskey() Moodleforms always pass and validate sesskey the world’s open source learning platform

12 Cross-site request forgery (CSRF)
As admin/teacher/manager, open many tabs with links/quickforms If some action has non-javascript confirmation page, open the confirmation page In another tab logout and login as the same user, close this tab Make sure no links or form submissions perform any changes to the data Watch for AJAX requests the world’s open source learning platform

13 Privilege escalation Capability check when displaying the control must exactly match capability check when processing request Often happens with backend scripts for AJAX requests How to test: similar to CSRF test but instead of logout/login use another browser to login as administrator and revoke some capabilities from the user Review the code and make sure every php script is either defined as internal or calls require_login() / require_course_login() the world’s open source learning platform

14 Information leakage username should not be visible to anybody
and other identity fields can only be visible to people with capability ‘moodle/site:viewuseridentity’ make sure plugin does not disclose user names or profile pictures to guests or non-logged in users the world’s open source learning platform

15 SQL injection $searchstring = optional_param('s', '', PARAM_NOTAGS);
$DB->execute(“SELECT * from {sometable} WHERE name LIKE '%” . $searchstring . ”%'”); the world’s open source learning platform

16 SQL injection Search for $DB-> in the code and make sure there are no string concatenations, only placeholders Try appending apostrophe ‘ to each input field, especially ones that are supposed to be numeric - any DML error is a sign of potential sql injection the world’s open source learning platform

17 the world’s open source learning platform

18 Command-line and code injection
Search the code for usage of exec, eval, shell_exec, system, passthru, popen, proc_open, etc. Sometimes it is even worth disabling some of those functions in php.ini unserialize() is a good function but should never be applied to user input preg_replace() with ‘e’ modifier may also be dangerous the world’s open source learning platform

19 Illegal file access Files may be saved to or read from only temporary directory or datadir In 99% cases accessing datadir should be done using methods of file_storage class, see get_file_storage() ‘filemanager’ and ‘editor’ elements in moodleforms are usually safe ‘filepicker’ or any other file upload must be tested search for functions file_get_contents(), file_put_contents() and fopen() and make sure they are only used on allowed locations the world’s open source learning platform

20 Denial of service, buffer overflow, timeout
Turn on performance reporting and make sure pages do not access DB excessively All pages accessible by guests or non-logged in users must be very light preg_match() called on user input may result in ReRegex Set a reasonable timeout for php scripts. Moodle increases timeout when needed (restore, cron, big file serving, etc) the world’s open source learning platform

21 https://moodle.org/security/
Moodle security process Quick response Bi-monthly releases Extended security support Responsible disclosure Registration with Open Source Security (OSS) #moodlesecurity the world’s open source learning platform

22 Thank you Marina Glancy marina@moodle.com
the world’s open source learning platform Marina Glancy

Download ppt "Security in Moodle plugins"

Similar presentations

Webgoat.

Webgoat.
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
OWASP WEBGOAT Alaa Darabseh Department of Computer Science

OWASP WEBGOAT Alaa Darabseh Department of Computer Science
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
©2009 Justin C. Klein Keane PHP Code Auditing Session 4.1 – Command Injection Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 4.1 – Command Injection Justin C. Klein Keane
Chapter 4 Application Security Knowledge and Test Prep

Chapter 4 Application Security Knowledge and Test Prep
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Martin Kruliš 2. 4. 2015 by Martin Kruliš (v1.0)1.

Martin Kruliš by Martin Kruliš (v1.0)1.
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report 2014 https://info.cenzic.com/2013-Application-Security-Trends-Report.html.

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
Prevent Cross-Site Scripting (XSS) attack

Prevent Cross-Site Scripting (XSS) attack
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

Similar presentations

Ads by Google