Home » Groups » SoC 2008

Security scanner component for SimpleTest module

You are viewing a wiki page. You are welcome to join the group and then edit it. Be bold!
ingo86's picture
public
group: SoC 2008
ingo86 - Tue, 2008-04-22 15:27

Project Information:

Project page on drupal.org: http://drupal.org/project/security_scanner
Current status: Start seeding!
If you wanna add something please look at http://drupal.org/node/259324

Description:

This project consists in developing a tool that allows to verify the degree of security of Drupal installations. This system will be developed on the basis of the SimpleTest module and will automatically check the presence of Cross Site Scripting, Sql Injection, and potentially Cross Site Request Forgery. Hence it will make much faster the discovery of vulnerabilities and their fixing.
More informations here: http://groups.drupal.org/node/9798

Project Schedule:

April 22 - May 4: Studying Simpletest module
May 4 - May 9: University exams, a little break to study enough to run with success.
May 10 - May 25: Ending studying, review all the project with mentors and definition of the Milestone
May 26 - June 15: Build up the spider that check pages and saves them into the database
June 15 - June 22: Inject seeds into forms (xss and sql)
June 22 - July 6: Tests user role
July 6 - July 13: Create user interface for the module
July 13 - July 27: Tests
July 27 - End of coding: Write down the docs.

Status Updates:

07 july 2008

Looking at the schedule I see that we're a bit late, we're seeding now into forms. This happens because:
A- We encounter some difficulties.
B- I lose time going in holyday.
C- I'm new to drupal and I don't know very much its api, so sometimes I lose time trying to understand how something works.
The project seems to be very promising. In fact we talk about using the crawler part of it to find 403 pages in a drupal installation. It could be a good way to use it, but anyone can discover multiple application for the scanner. I need to add some small adjustments to it but it seems to be working good.
Here I show one of the difficulties we found:
While seeding we have to check for validated inputs, in fact this fields check the value of the input and return error if its not what it's looking forward. This makes me unable to send the form and I need to take them off. In order to do this I need hook_form_alter that processes the form and, with a recursive function, strips all that is validated. After that we can process a drupalPost to make the seed.
Into CVS we decided to create a new folder for xss_injector module, which is separated from security_scanner module (the crawler) because as said before we think it could has more application besides the security scanner. We think that we have to change the name of it in the future, but it's not a priority right now.

26 june 2008

I found a bug inside Drupal core that makes me lose the cookie that take the session active. It was a timestamp compared as minor than the actual time, but the scanner is very very fast, so this two values results peer. I temporary set a sleep(1) into my code to avoid this problem.
After that, i create a new table and catched the form_id from the pages. So the crawler is finally working (with 4 days of delay, but with a week of holyday not calculated into the schedule). This evening I start seeding! (Hoping that my computer resource supports this awful effort).

19 june 2008

Sorry for the late, but with exams and holiday I forget updating the wiki, however I worked on the code a lot.
Now I'm on holiday, till saturday. This week I take a break on the project. In the last days I make the scan running through the pages with user ID 1, that was not working before. I used cURL options in order to do this. It was more difficult than predicted, so I have to work more on this part of the project. I hope to complete the search of the forms into the pages on monday morning, to enable seeding and catching the results on the second part of the next week.

01 june 2008

Project started. Developed a scanner based on cURL library, then created a database to save it's results. Added the ability to save only one-time the links that the scanner find (no duplicated links) and added the ability of scan through administrative pages, getting the privileges from the one-time login procedure. Wroted an article for Drupal Planet regarding a trick with MySQL. Now, it's time to catch the pages with forms and to seed xss or other inside that.

22 may 2008

Ready to start!

19 may 2008

Talking with mentors and defining the project milestones .... Doing this, look here, you're welcome: http://drupal.org/node/259324...

12 may 2008

Added a description of myself for Drupal ... done!
Create a simple news website as example to introduce myself into drupal features ... done!
Learn SimpleTest module code ... postponed!
Meet with mentors to talk about CSRF vulnerabilities ... done!

29 april 2008

CVS Access ... done!
Project Page ... done!
Milestone definition and last review with mentor ... done!


» Login or register to post comments