Drupal security: video example of user account hijacking with XSS

In this short screencast a variety of security holes are shown, as well as some malicious things which are made possible due to these lapses. We'll take a walk-through of two security issues showcased in the vulnerable.module, as well as two other exploits which I put together:
  • User account hijacking via cookie/session XSS thievery
  • User account hijacking via password-changing-inline-XSS

It's worth noting that in the screencast we demonstrate security exploits in the context of a Drupal installation which uses custom code (e.g., the examples in the video do not represent actual vulnerabilities in Drupal core). Likewise, these exploits and security holes potentially apply to any web site, Drupal or not, which accepts user input.

Cracking Drupal (also, my review)
Drupal.org: Writing secure code
2 March, 2010


Hi Caleb,

Great video - thanks for sharing.

One comment you had at about 5 minutes in was bout "sanitizing the input." I think what you mean is validating the input - Drupal doesn't sanitize data on input.

Next, it's important to realize that "sanitizing data" has to be done in a context specific way. So, it has to be santized in one way to be used for MySQL in the database context and then sanitized in another way when it is sent to the browser context.

Thanks again for your video and sharing a demonstration of "using" the vulnerable module!

Thanks for clarifying that - I tried to get it all out correctly, but when the camera's rolling things seem to take their own course sometimes. :P

Also, thanks for the other point you made regarding the img tag!

Hi there!

Nice tutorial, thanks!

I'd like to know which Firefox Extension you've used to switch between sessions (now I'm a registered user, now I'm not).


You mention that title output should be passed through the t function ("Translate strings to the page language or a given language." http://api.drupal.org/api/func...). In fact you want to use a function like check_plain() or filter_xss() to sanitize output.