Drupal security: video example of user account hijacking with XSS
Posted March 2nd, 2010 by Caleb G
In this short screencast a variety of security holes are shown, as well as some malicious things which are made possible due to these lapses. We'll take a walk-through of two security issues showcased in the vulnerable.module, as well as two other exploits which I put together:
- User account hijacking via cookie/session XSS thievery
- User account hijacking via password-changing-inline-XSS
It's worth noting that in the screencast we talk about security in the context of Drupal, but these exploits and security holes potentially apply to any web site which accepts user input.
Links
Cracking Drupal (also, my review)
Drupal.org: Writing secure code
xssed.com
validating vs. sanitizing & "sanitizing" for a context
Hi Caleb,
Great video - thanks for sharing.
One comment you had at about 5 minutes in was about "sanitizing the input." I think what you mean is validating the input - Drupal doesn't sanitize data on input.
Next, it's important to realize that "sanitizing data" has to be done in a context specific way. So, it has to be sanitized in one way to be used for MySQL in the database context and then sanitized in another way when it is sent to the browser context.
Thanks again for your video and sharing a demonstration of "using" the vulnerable module!
Good to clarify
Thanks for clarifying that - I tried to get it all out correctly, but when the camera's rolling things seem to take their own course sometimes. :P
Also, thanks for the other point you made regarding the img tag!
sympathize with the screencasting
I totally get the screencasting thing. You can probably imagine how many hours of video I've thrown away as I build (and screw up) the videos on http://www.masteringdrupal.com
Firefox Extension...
Hi there!
Nice tutorial, thanks!
I'd like to know which Firefox Extension you've used to switch between sessions (now I'm a registered user, now I'm not).
Thanks!
...
It's called cookieswap - https://addons.mozilla.org/en-.... Have to force compatibility with Firefox 3.6 though.
T function won't sanitize
You mention that title output should be passed through the t function ("Translate strings to the page language or a given language." http://api.drupal.org/api/func...). In fact you want to use a function like check_plain() or filter_xss() to sanitize output.
It does sanitize
All parameters for t function except for the "!" parameter (which is why this is not recommended for use in most cases) pass through check_plain: http://api.drupal.org/api/func...
I'm not so sure
I'm pretty sure the stanza:
if (empty($args)) {
return $string;
}
Indicates that if you don't have any args then the string just gets returned, unsanitized, so if you do:
t($title)
you're just going to get the title back without any check_plain().
Correct, and an important distinction on correct use
This is a good example of how using the tools doesn't necessarily help anything if they're not used correctly - I should have shown the full example in the video. :P
If you pass a variable inline like that through t() it won't sanitize - it needs to be passed through like this in order to sanitize things:
t("My text string with a @tainted variable", array('@tainted' => $tainted));
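The difference discussed in this thread, as an added, runnable example that is not from the screencast or the vulnerable.module. The two helpers are simplified stand-ins for Drupal's check_plain() and t(), written to mirror only the behaviour described above (no $args: string returned untouched; @ placeholders escaped; ! placeholders raw); in a real module you call Drupal's own functions rather than defining these.

```php
<?php
// Stand-in for Drupal's check_plain(): escapes for the HTML (browser)
// context, so <, >, &, ' and " arrive at the browser as entities.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Simplified stand-in for t(), mirroring the stanza quoted in the thread.
function t($string, array $args = array()) {
  // With no $args the string is returned unchanged: t($title) does NOT
  // sanitize anything.
  if (empty($args)) {
    return $string;
  }
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        // @placeholders are passed through check_plain() before substitution.
        $args[$key] = check_plain($value);
        break;
      case '!':
        // !placeholders are inserted raw, which is why they are discouraged.
        break;
    }
  }
  return strtr($string, $args);
}

// Constructed tainted input, e.g. a node title submitted by an untrusted user.
$tainted = 'Hello <script>alert("xss")</script>';

// Unsafe: inline variable, no $args, so the markup reaches the page as-is.
$unsafe = t($tainted);
// Safe: the @ placeholder is escaped for the HTML context.
$safe = t('Title: @title', array('@title' => $tainted));
// Still unsafe: the ! placeholder bypasses check_plain().
$raw = t('Title: !title', array('!title' => $tainted));

// Self-checks: only the @ form strips the live <script> tag.
assert(strpos($unsafe, '<script>') !== FALSE);
assert(strpos($safe, '<script>') === FALSE);
assert(strpos($raw, '<script>') !== FALSE);

echo "unsafe: $unsafe\nsafe:   $safe\nraw:    $raw\n";
```

Note that check_plain() only covers the HTML body context; a value placed inside an attribute, a URL, or a SQL query needs the escaping appropriate to that context, as the first comment above points out.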
Post new comment