Security scanner component for SimpleTest module


Project Information:

Project page on drupal.org: http://drupal.org/project/security_scanner
Current status: Docs
If you want to add something, please look at http://drupal.org/node/259324

Description:

This project consists of developing a tool that verifies the degree of security of a Drupal installation. The system will be built on the SimpleTest module and will automatically check for the presence of Cross-Site Scripting, SQL Injection and, potentially, Cross-Site Request Forgery, making the discovery and fixing of vulnerabilities much faster.
More information here: http://groups.drupal.org/node/9798

Project Schedule:

April 22 - May 4: Studying the SimpleTest module
May 4 - May 9: University exams, a little break to study enough to pass them.
May 10 - May 25: Finish studying, review the whole project with mentors and define the milestones
May 26 - June 15: Build the spider that checks pages and saves them into the database
June 15 - June 22: Inject seeds into forms (XSS and SQL)
June 22 - July 6: Test user roles
July 6 - July 13: Create the user interface for the module
July 13 - July 27: Tests
July 27 - End of coding: Write the docs.

Status Updates:

17 August 2008

I wrote some tests and there's only a little bit of docs left to add. I found some features to add and some ways to expand this work outside SoC. I will surely work on this in the next months. Stay tuned.

29 July 2008

I talked with chx to understand what we can do now. We talked about the last part of the project; it seems very difficult to develop a new automated process that checks for user permissions. We looked at some functions but finally we decided that it's too difficult and onerous.
Then we started looking at SimpleTest integration. Until now we used a part of SimpleTest, the drupal_web_test_case class. We would need to add the SimpleTest module and use it in place of the drupal_web_test_case class copy-pasted into my security_scanner.module file. I started looking into how to do it, but I see that it means rewriting big portions of code. And if that were not enough, SimpleTest has to be ported into core for Drupal 7, which means that my work could be wasted because I would have to rewrite it in the next months. We decided that the best thing to do is wait until Drupal 7. So, the project uses SimpleTest, but there could be a better integration that we won't develop until SimpleTest is moved into core.
However, right now we have a powerful crawler which, with small changes, could be used to execute lots of different tasks.
The last part of my project will be tests and docs, and I will start it tomorrow.

26 July 2008

Time is running very fast but I'm confident. I have to build the last part in the next few days because I'm away on holiday in the first week of August. I found and corrected some bugs; now the framework is better and more usable. I'm still searching for bugs because something goes wrong in the seeder. After correcting this I will release a beta 1. After the week of holiday I will write tests and docs.

16 July 2008

The seeding process is automated; I'm moving some lines of code to make the whole crawler function more usable. After doing this I have to build the last part of the project: checking for misconfigured user auth.

09 July 2008

The seeding process now works; I need to automate it and check for errors.

07 July 2008

Looking at the schedule I see that we're a bit late: we're seeding into forms now. This happened because:
A- We encountered some difficulties.
B- I lost time going on holiday.
C- I'm new to Drupal and I don't know its API very well, so sometimes I lose time trying to understand how something works.
The project seems very promising. In fact we talked about using the crawler part of it to find 404 pages in a Drupal installation. It could be a good use for it, but anyone can discover multiple applications for the scanner. I need to add some small adjustments to it, but it seems to be working well.
Here I show one of the difficulties we found:
While seeding we have to deal with validated inputs: these fields check the value of the input and return an error if it's not what they expect. This makes me unable to send the form, so I need to take the validation off. To do this I need a hook_form_alter that processes the form and, with a recursive function, strips everything that is validated. After that we can perform a drupalPost to make the seed.
In CVS we decided to create a new folder for the xss_injector module, which is separate from the security_scanner module (the crawler) because, as said before, we think it could have more applications besides the security scanner. We think we'll have to change its name in the future, but it's not a priority right now.
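As an added illustration of the approach described in this entry (this is not the security_scanner or xss_injector module's own code), a recursive walker over a Drupal 6 Form API array that strips the validation properties, wrapped in a hook_form_alter() that only acts while the scanner is seeding; the function names, the $GLOBALS switch and the sample form array are assumptions:

```php
<?php
// Added illustration, not the project's code. Removes the Form API properties
// that make Drupal 6 reject a test submission before the submit handlers run,
// so a scanner's seed value reaches them. For use against your own test site.
function scanner_strip_validation(array &$form) {
  // Element-level validators and the required/length constraints.
  unset($form['#element_validate'], $form['#required'], $form['#maxlength']);
  // Form-level validators (present on the root element only).
  unset($form['#validate']);
  // Choice widgets are checked against #options ("Illegal choice"), so turn
  // them into free-text fields that accept any seed value.
  $choice_types = array('select', 'radios', 'checkboxes');
  if (isset($form['#type']) && in_array($form['#type'], $choice_types, TRUE)) {
    $form['#type'] = 'textfield';
    unset($form['#options']);
  }
  // Recurse into child elements: keys not starting with '#', which is what
  // element_children() returns inside Drupal.
  foreach (array_keys($form) as $key) {
    if ((is_int($key) || $key[0] !== '#') && is_array($form[$key])) {
      scanner_strip_validation($form[$key]);
    }
  }
}

// Drupal 6 hook_form_alter() signature; xss_injector is the hypothetical
// module name. The $GLOBALS flag is a constructed switch so that ordinary
// site traffic is never altered.
function xss_injector_form_alter(&$form, $form_state, $form_id) {
  if (!empty($GLOBALS['xss_injector_seeding'])) {
    scanner_strip_validation($form);
  }
}

// Constructed sample: a contact-style form array as Drupal would build it.
$form = array(
  '#validate' => array('contact_mail_page_validate'),
  'mail' => array('#type' => 'textfield', '#required' => TRUE,
                  '#maxlength' => 255, '#element_validate' => array('valid_email_check')),
  'subject' => array('#type' => 'select',
                     '#options' => array('general' => 'General', 'sales' => 'Sales')),
  'wrapper' => array('message' => array('#type' => 'textarea', '#required' => TRUE)),
);
$GLOBALS['xss_injector_seeding'] = TRUE;
xss_injector_form_alter($form, array(), 'contact_mail_page');
var_export(array_key_exists('#element_validate', $form['mail']));
var_export($form['subject']['#type']);
var_export(array_key_exists('#required', $form['wrapper']['message']));
```

Inside Drupal the same walk would follow drupalPost() in the test case; here the sample array stands in for the form the crawler captured.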

26 June 2008

I found a bug inside Drupal core that makes me lose the cookie that keeps the session active. It was a timestamp compared as less than the current time, but the scanner is very, very fast, so these two values turn out equal. I temporarily set a sleep(1) in my code to avoid this problem.
After that, I created a new table and caught the form_id from the pages. So the crawler is finally working (with 4 days of delay, but with a week of holiday not calculated into the schedule). This evening I start seeding! (Hoping that my computer's resources support this awful effort.)

19 June 2008

Sorry for the delay, but with exams and holiday I forgot to update the wiki; however, I worked on the code a lot.
Now I'm on holiday, till Saturday. This week I take a break from the project. In the last days I made the scan run through the pages as user ID 1, which was not working before. I used cURL options to do this. It was more difficult than predicted, so I have to work more on this part of the project. I hope to complete the search for forms in the pages on Monday morning, to enable seeding and catching the results in the second part of next week.

01 June 2008

Project started. Developed a scanner based on the cURL library, then created a database to save its results. Added the ability to save each link the scanner finds only once (no duplicate links) and added the ability to scan through administrative pages, getting the privileges from the one-time login procedure. Wrote an article for Drupal Planet regarding a trick with MySQL. Now it's time to catch the pages with forms and seed XSS or other payloads into them.

22 May 2008

Ready to start!

19 May 2008

Talking with mentors and defining the project milestones... While doing this, look here, you're welcome: http://drupal.org/node/259324

12 May 2008

Added a description of myself for Drupal ... done!
Create a simple news website as an example to introduce myself to Drupal features ... done!
Learn the SimpleTest module code ... postponed!
Meet with mentors to talk about CSRF vulnerabilities ... done!

29 April 2008

CVS Access ... done!
Project Page ... done!
Milestone definition and last review with mentor ... done!
