Develop an xss and sql injection scanner based on SimpleTest

Posted by ingo86

What I want to develop for SoC 2008 is a module called security (or adding security functions to the existing SimpleTest module) to enable users to check their Drupal installation against XSS and SQL injection vulnerabilities.
It will also be good for module developers; in fact, they can check their modules before submitting them to the Drupal website. Users could be better protected against vulnerabilities that come from third-party modules.
The objective of this work is to realize automated penetration tests on a Drupal installation.

It will be based upon SimpleTest, already used by Rasmus (PHP core developer) to develop his own closed-source XSS scanner. SimpleTest is a JUnit-like library written for PHP.

My module could easily be extended to add more security functionality, but basically I think that these two are the most important.
If someone has feature ideas to improve my project and make it better, I'm here, listening for more proposals.
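To make the proposal concrete, here is an added example of what one such SimpleTest-based check could look like. It is not code from the proposal or from the Drupal project; it assumes the Drupal 6 SimpleTest module API (DrupalWebTestCase with drupalCreateUser, drupalLogin, drupalPost, assertRaw and assertNoRaw), the core "page" content type with its "create page content" permission, and the MySQL error text used as a signal. Class, method and constant names are mine. The idea is the one the proposal describes: post marker strings through a real form and look for signs that output escaping or query quoting is missing.

```php
<?php
// Added example: a Drupal 6 SimpleTest case that probes the page node form
// for missing output escaping and for SQL built by string concatenation.
// Not part of the SoC proposal; class/method names and the assumed MySQL
// error text are mine.

class SecurityCanaryTestCase extends DrupalWebTestCase {

  // Marker that must never reach the browser unescaped. A harmless unknown
  // tag is enough: if it survives as-is, real markup would too.
  const XSS_CANARY = '<security-canary>';

  // A single quote is the classic sign that a query was built by string
  // concatenation instead of db_query() placeholders.
  const SQL_CANARY = "O'Canary";

  function getInfo() {
    return array(
      'name' => t('Security canaries'),
      'description' => t('Posts marker strings into the page form and checks escaping.'),
      'group' => t('Security'),
    );
  }

  function setUp() {
    parent::setUp();
    $account = $this->drupalCreateUser(array('create page content', 'access content'));
    $this->drupalLogin($account);
  }

  // XSS probe: the canary may only appear in check_plain()'d form.
  function testTitleIsEscaped() {
    $edit = array(
      'title' => 'Hello ' . self::XSS_CANARY,
      'body' => 'constructed test body',
    );
    $this->drupalPost('node/add/page', $edit, t('Save'));
    $this->assertNoRaw(self::XSS_CANARY, t('Raw canary tag is not present in the rendered node.'));
    $this->assertRaw(check_plain(self::XSS_CANARY), t('Canary tag is rendered HTML-escaped.'));
  }

  // SQL probe: a quote in user input must neither break the query nor leak
  // a database error into the page.
  function testQuoteDoesNotBreakQuery() {
    $edit = array(
      'title' => self::SQL_CANARY,
      'body' => 'constructed test body',
    );
    $this->drupalPost('node/add/page', $edit, t('Save'));
    // MySQL syntax error text; assumed here as the signal to look for.
    $this->assertNoRaw('error in your SQL syntax', t('No database error leaked into the response.'));
    // Loading by exact title proves the value was stored intact.
    $node = node_load(array('title' => self::SQL_CANARY));
    $this->assertTrue($node && $node->title == self::SQL_CANARY, t('Node with quoted title was saved and can be loaded.'));
  }
}
```

The same two probes can be pointed at any module form by changing the path, the field names and the submit button label; a module developer would run the case from the SimpleTest admin page before submitting the module.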

Comments

Check coder

Posted by agentrickard

It may be that Coder already checks some of this. If not, it's a good idea.

--
http://ken.therickards.com/
http://savannahnow.com/user/2
http://blufftontoday.com/user/3

Hoping

Posted by ingo86

I hope that Coder will use my module to check this.
I remember that SQL injection and XSS vulnerabilities are two of the most common vulnerabilities, but I think I can use this module to check for other misconfigurations in Drupal. So I'm waiting for proposals about this to extend my work.
If nobody answers, I will look for something else alone.

+100. Coder looks for some

Posted by pwolanin

+100. Coder looks for some obvious deficiencies in your SQL construction, but doesn't actually test for vulnerabilities. Also, an XSS scanner would help avoid the continuous list of XSS SAs we have.

Sounds great!

Posted by webchick

I've cross-posted this to the Unit Testing and Coding Standards and Performance Optimization groups to get some more feedback.

Timeline

Posted by ingo86

Here is my timeline for the first period, until May 26:

  • Learn about Drupal: Study the Drupal documentation, reading Pro Drupal Development and looking at the website documentation. While I'm doing this I review the organization's processes (release and otherwise), developer interactions, codes of conduct, etc. I've already started meeting developers on the IRC channel, talking with them, and socially engaging in the project. I'm already an active part of the developer mailing list and group, the unit testing group and the security mailing list. I think that I need approximately until May 1 to do all of these things.
  • Learn about SimpleTest: Study the SimpleTest documentation and the existing Drupal SimpleTest module. I think that I need until about May 20 to do these things.
  • Produce a milestone of the project from May 20 to May 26.

Let me know what you think about this.
Thanks,
Ingo86

Posted by perrick@drupalfr.org

Hi Ingo86,

A few members from the SimpleTest project have also proposed to mentor this kind of tool directly inside SimpleTest. This would make it available to other components / applications outside of Drupal as well. You can have a look at it here: http://simpletest.org/en/ideas.html We called it Web Form Fuzzer. Anyway, it's just a thought from a Drupal & SimpleTest contributor ;-)

Yours,
Perrick Penet

Similar but different

Posted by chx

While a fuzzer is creating random input, mostly targeted at app crashes, we are going to post very targeted information to induce a security hole. Also, we will do this with full knowledge of the Drupal system, like creating users with a certain privilege, trying to escalate that, etc.

JavaScript vectors are also on the list

Posted by perrick@drupalfr.org

True, it would be a little different. But testing JavaScript vectors is also very high on such a list. And the scanner Rasmus showed in Paris (Forum PHP 2006 or 2005) is also the target I had in mind!

Yours,
Perrick

Different..

Posted by ingo86

I think it's similar but nevertheless very different from the SimpleTest idea. The Drupal project is focused on the Drupal system; chx already said that I will focus on Drupal's main features to develop this tool, in order to be very useful for a Drupal user. I think that every CMS has its own features, and it is good to take advantage of that to build a very specific tool that, I hope, could be more useful than a generic one.
I think, however, that part of this module could be taken in the future to develop what the SimpleTest idea means.

Thanks,
Ingo86

I think CSRF should be on

Here is the timeline:

Posted by ingo86

Here is the timeline: http://code.google.com/opensource/gsoc/2008/faqs.html#0.1_timeline
I hope I will finish this before the time expires; here is the updated wiki page where you can see how it's going: http://groups.drupal.org/node/10912

I think CSRF should be on
You're right, but I have to see if I can do that with the SimpleTest library. Talking to mentors could be a good start; I will update the wiki soon about this topic.

Sounds good, since we have

Posted by tjholowaychuk

Sounds good. Since we have protection in place with the Form API, I think our major concern should be modules providing JavaScript callbacks which do not require a token, etc. Either way, good luck with this project; it should be great!

vision media
Print Huge Edmonton Printing Services
Design Inspiration Gallery
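The point raised above about JavaScript callbacks that skip the token check is easy to see in code. The following is an added example, not code from the thread or from any Drupal module: a Drupal 6 menu callback that changes state for the logged-in user, first in the weak form that trusts the session alone, then hardened with the same token mechanism (drupal_get_token / drupal_valid_token) that the Form API applies to its own forms. The module name "example_ajax", the path, the table and the token value are assumptions.

```php
<?php
// Added example (not from the thread): a Drupal 6 menu callback reached from
// JavaScript, without and with a request token. Module name, path, table
// name and token value are assumptions.

function example_ajax_menu() {
  $items = array();
  $items['example/unsubscribe'] = array(
    'page callback' => 'example_ajax_unsubscribe',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Weak form: any page that can make the logged-in browser request this URL
// unsubscribes the user. Being logged in is not proof that the user intended
// the request, which is exactly the gap the Form API token closes for forms.
function example_ajax_unsubscribe_weak() {
  global $user;
  db_query("DELETE FROM {example_subscription} WHERE uid = %d", $user->uid);
  drupal_json(array('status' => 'ok'));
}

// Hardened form: the page that renders the link embeds a token bound to this
// action and to the current session; the callback refuses to act unless the
// token comes back unchanged.
function example_ajax_unsubscribe() {
  global $user;
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_unsubscribe')) {
    drupal_set_header('HTTP/1.1 403 Forbidden');
    drupal_json(array('status' => 'forbidden'));
    return;
  }
  db_query("DELETE FROM {example_subscription} WHERE uid = %d", $user->uid);
  drupal_json(array('status' => 'ok'));
}

// Where the link is rendered (a block, a theme function): the token is
// generated for the same value the callback validates against, so a token
// minted for one action cannot be replayed against another.
function example_ajax_unsubscribe_link() {
  $token = drupal_get_token('example_unsubscribe');
  return l(t('Unsubscribe'), 'example/unsubscribe', array('query' => 'token=' . $token));
}
```

A scanner of the kind proposed in this thread could flag the weak pattern mechanically: request each MENU_CALLBACK path that performs a write with a valid session but no token, and report any that return success.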
