Drupal security: video example of user account hijacking with XSS
2 March, 2010
In this short screencast a variety of security holes are shown, as well as some malicious things which are made possible by these lapses. We'll walk through two security issues showcased in the vulnerable.module, as well as two other exploits which I put together:
- User account hijacking via cookie/session XSS thievery
- User account hijacking via password-changing inline XSS
It's worth noting that in the screencast we demonstrate security exploits in the context of a Drupal installation which uses custom code (i.e., the examples in the video do not represent actual vulnerabilities in Drupal core). Likewise, these exploits and security holes potentially apply to any web site, Drupal or not, which accepts user input.
Links
Cracking Drupal (also, my review)
Drupal.org: Writing secure code
xssed.com


Comments
greggles replied on Permalink
validating vs. sanitizing & "sanitizing" for a context
Hi Caleb,
Great video - thanks for sharing.
One comment you had at about 5 minutes in was about "sanitizing the input." I think what you mean is validating the input - Drupal doesn't sanitize data on input.
Next, it's important to realize that "sanitizing data" has to be done in a context specific way. So, it has to be sanitized in one way to be used for MySQL in the database context and then sanitized in another way when it is sent to the browser context.
Thanks again for your video and sharing a demonstration of "using" the vulnerable module!
Caleb Gilbert replied on Permalink
Good to clarify
Thanks for clarifying that - I tried to get it all out correctly, but when the camera's rolling things seem to take their own course sometimes. :P
Also, thanks for the other point you made regarding the img tag!
greggles replied on Permalink
sympathize with the screencasting
I totally get the screencasting thing. You can probably imagine how many hours of video I've thrown away as I build (and screw up) the videos on http://www.masteringdrupal.com
m0d replied on Permalink
Firefox Extension...
Hi there!
Nice tutorial, thanks!
I'd like to know which Firefox Extension you've used to switch between sessions (now I'm a registered user, now I'm not).
Thanks!
Caleb Gilbert replied on Permalink
...
It's called cookieswap - https://addons.mozilla.org/en-.... Have to force compatibility with Firefox 3.6 though.
Mad Irish replied on Permalink
T function won't sanitize
You mention that title output should be passed through the t function ("Translate strings to the page language or a given language." http://api.drupal.org/api/func...). In fact you want to use a function like check_plain() or filter_xss() to sanitize output.
Caleb Gilbert replied on Permalink
It does sanitize
All parameters for t function except for the "!" parameter (which is why this is not recommended for use in most cases) pass through check_plain: http://api.drupal.org/api/func...
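An added illustration of the two points raised in the comments above (sanitizing is context-specific, and t()'s "!" placeholder bypasses check_plain); this is example code written for this page, not Drupal's own. demo_check_plain() and demo_t() are stand-ins that mimic the documented Drupal 6 behaviour of check_plain() and the @/%/! placeholders, the title string and the in-memory SQLite table are constructed for the demo, and the database part uses PDO rather than Drupal's query layer.

```php
<?php
// Browser (HTML) context: entity-encode so user text cannot become markup.
// Mirrors Drupal 6 check_plain(): htmlspecialchars with ENT_QUOTES, UTF-8.
function demo_check_plain(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for t()'s placeholder handling (translation itself is omitted):
//   @key -> check_plain'd, %key -> check_plain'd and wrapped in <em>,
//   !key -> inserted raw (only for markup you already trust).
function demo_t(string $string, array $args = []): string {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@': $args[$key] = demo_check_plain($value); break;
      case '%': $args[$key] = '<em>' . demo_check_plain($value) . '</em>'; break;
      case '!': break; // untouched: unsafe if $value came from a user
    }
  }
  return strtr($string, $args);
}

// Constructed untrusted input, e.g. a node title submitted by a user.
$title = '<script>alert(document.cookie)</script>';

// Safe: "@" runs the value through check_plain, so the angle brackets are
// entity-encoded and the browser renders the tag as visible text.
echo demo_t('Viewing @title', ['@title' => $title]), PHP_EOL;

// Unsafe: "!" inserts the raw string, so the script element reaches the page
// intact. This is the case the comment above warns against.
echo demo_t('Viewing !title', ['!title' => $title]), PHP_EOL;

// Database context: HTML escaping is the wrong tool here. Keep the value out
// of the SQL text with a parameterised query and store it verbatim; escaping
// for the browser happens later, at output time, as shown above.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT)');
$insert = $pdo->prepare('INSERT INTO node (title) VALUES (:title)');
$insert->execute([':title' => $title]);

// Read it back and render it for the browser with the safe placeholder.
$stored = $pdo->query('SELECT title FROM node')->fetchColumn();
echo demo_t('Stored title: @title', ['@title' => $stored]), PHP_EOL;
```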