Drupal security: video example of user account hijacking with XSS

2 March, 2010
This short screencast shows a variety of security holes, along with some of the malicious things those lapses make possible. We walk through two security issues showcased in the vulnerable.module, as well as two other exploits which I put together:
  • User account hijacking via cookie/session XSS thievery
  • User account hijacking via password-changing-inline-XSS

It's worth noting that in the screencast we demonstrate security exploits in the context of a Drupal installation which uses custom code (i.e., the examples in the video do not represent actual vulnerabilities in Drupal core). Equally, these exploits and security holes potentially apply to any web site, Drupal or not, which accepts user input.

Links
Cracking Drupal (also, my review)
Drupal.org: Writing secure code
xssed.com

Comments

Hi Caleb,

Great video - thanks for sharing.

One comment you had at about 5 minutes in was about "sanitizing the input." I think what you mean is validating the input - Drupal doesn't sanitize data on input.

Next, it's important to realize that "sanitizing data" has to be done in a context specific way. So, it has to be sanitized in one way to be used for MySQL in the database context and then sanitized in another way when it is sent to the browser context.

Thanks again for your video and sharing a demonstration of "using" the vulnerable module!

Thanks for clarifying that - I tried to get it all out correctly, but when the camera's rolling things seem to take their own course sometimes. :P

Also, thanks for the other point you made regarding the img tag!

I totally get the screencasting thing. You can probably imagine how many hours of video I've thrown away as I build (and screw up) the videos on http://www.masteringdrupal.com

Hi there!

Nice tutorial, thanks!

I'd like to know which Firefox Extension you've used to switch between sessions (now I'm a registered user, now I'm not).

Thanks!

It's called cookieswap - https://addons.mozilla.org/en-.... Have to force compatibility with Firefox 3.6 though.

You mention that title output should be passed through the t function ("Translate strings to the page language or a given language." http://api.drupal.org/api/func...). In fact you want to use a function like check_plain() or filter_xss() to sanitize output.

All parameters for t function except for the "!" parameter (which is why this is not recommended for use in most cases) pass through check_plain: http://api.drupal.org/api/func...

I'm pretty sure the stanza:

if (empty($args)) {
  return $string;
}

Indicates that if you don't have any args then the string just gets returned, unsanitized, so if you do:

t($title)

you're just going to get the title back without any check_plain().

This is a good example of how using the tools doesn't necessarily help anything if they're not used correctly - I should have shown the full example in the video. :P

If you pass a variable inline like that through t() it won't sanitize - it needs to be passed through like this in order to sanitize things:
t("My text string with a @tainted variable", array('@tainted' => $tainted));
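The behaviour discussed in the comments above (t() returning a bare variable untouched, while a "@" placeholder is escaped and a "!" placeholder is not) can be seen end to end in the following script. This is an added example, not code from the original post or from Drupal itself: simple_t() and simple_check_plain() are simplified stand-ins modelled on the stanza quoted above and on the placeholder rules the commenter describes, and the tainted title is a constructed input.

```php
<?php
// Added example, not Drupal's own code. simple_t() models the t() behaviour
// described in the comment thread: with no args the string comes back
// untouched; '@' placeholders are escaped for the HTML context; '!'
// placeholders are inserted raw; '%' placeholders are escaped and emphasised.

function simple_check_plain($text) {
  // Stand-in for Drupal's check_plain(): escape for the browser (HTML) context.
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function simple_t($string, array $args = array()) {
  if (empty($args)) {
    // Exactly the stanza quoted in the comments: nothing is sanitized here.
    return $string;
  }
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        // Escaped placeholder: safe to use with untrusted data.
        $args[$key] = simple_check_plain($value);
        break;
      case '!':
        // Raw placeholder: the caller must already have sanitized $value.
        break;
      default:
        // '%' placeholder: escaped, then emphasised.
        $args[$key] = '<em>' . simple_check_plain($value) . '</em>';
    }
  }
  return strtr($string, $args);
}

// Constructed attacker-controlled title, as a user could submit through a form.
$tainted_title = '<script>alert(document.cookie)</script>';

// Vulnerable: the variable is handed straight to t() and comes back unescaped.
$unsafe = simple_t($tainted_title);

// Safe: the value enters as a '@' placeholder and is escaped on the way out.
$safe = simple_t('Page title: @title', array('@title' => $tainted_title));

// Still unsafe: the '!' placeholder skips escaping entirely.
$also_unsafe = simple_t('Page title: !title', array('!title' => $tainted_title));

echo "unsafe:      $unsafe\n";
echo "safe:        $safe\n";
echo "also unsafe: $also_unsafe\n";
```

Running this prints the raw script tag for the first and third calls and the escaped `&lt;script&gt;...` form only for the second, which is the point the thread makes: the sanitization lives in the placeholder handling, so the untrusted value has to travel through a "@" (or "%") placeholder rather than being passed as the string itself or through "!".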
