RocketModule - security
http://rocket.local/categories/security
en

Drupal security: video example of user account hijacking with XSS
http://rocket.local/blog/drupal-security-video-example-user-account-hijacking-xss
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded">
<p>In this short screencast a variety of security holes are shown, along with some of the malicious things these lapses make possible. We'll walk through two security issues showcased in the <a href="http://crackingdrupal.com/content/drupal-vulnerable-module">vulnerable.module</a>, as well as two other exploits which I put together:</p>
<ul><li>User account hijacking via cookie/session theft through XSS</li><li>User account hijacking via an inline XSS payload that changes the account password</li></ul>
<p>[Screencast: Drupal security (popup video player)]</p>
<p>It's worth noting that the screencast demonstrates security exploits in the context of a Drupal installation which uses custom code (i.e., the examples in the video do not represent actual vulnerabilities in Drupal core). Likewise, these exploits and security holes potentially apply to any web site, Drupal or not, which accepts user input.</p>
<p><strong>Links</strong><br /><a href="http://crackingdrupal.com/">Cracking Drupal</a> (also, <a href="/improving-your-drupal-sites-security-cracking-drupal-review">my review</a>)<br /><a href="http://drupal.org/writing-secure-code">Drupal.org: Writing secure code</a><br /><a href="http://www.xssed.com/xssinfo">xssed.com</a></p>
</div></div></div>
<div class="field field-name-taxonomy-vocabulary-1 field-type-taxonomy-term-reference field-label-above"><div class="field-label">Categories:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/categories/drupal" typeof="skos:Concept" property="rdfs:label skos:prefLabel">Drupal</a></div><div class="field-item odd"><a href="/categories/security" typeof="skos:Concept" property="rdfs:label skos:prefLabel">security</a></div><div class="field-item even"><a href="/categories/javascript" typeof="skos:Concept" property="rdfs:label skos:prefLabel">JavaScript</a></div><div class="field-item odd"><a href="/categories/xss" typeof="skos:Concept" property="rdfs:label skos:prefLabel">xss</a></div></div></div>
Tue, 02 Mar 2010 16:38:39 +0000 Caleb Gilbert

Improving your Drupal site's security: Cracking Drupal review
http://rocket.local/blog/improving-your-drupal-sites-security-cracking-drupal-review
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded">
<p>If you're a Drupal professional, you owe it to yourself and your clients to internalize the lessons and techniques inside <a href="http://www.amazon.com/gp/product/0470429038?ie=UTF8&amp;tag=aaronwinborn-20&amp;linkCode=as2&amp;camp=1789&amp;creative=390957&amp;creativeASIN=0470429038">Cracking Drupal: A Drop in the Bucket</a>. This is true because, statistically, any security weaknesses in one's site are many times more likely to be introduced by one's own custom theming/modules than by Drupal core. The book mentions the audit of a high-profile Drupal site that uncovered 120 security issues, the vast majority of which were found in the customized theme layer (far more than in contrib/custom modules)!</p>
<p>There are many good things to choose from, but for me the best thing about Cracking Drupal is that I finally have a definitive one-stop place to go for information about Drupal security: what to watch out for, how to test it, best practices, worst practices. It's all there.</p>
<p>Finally, keep in mind that just reading this book will not of itself make your site more secure. I've had to re-read certain things a few times before they sank in all the way, a process helped along even more by downloading the vulnerable.module, the module the book uses for many of its examples, and testing out the examples inside of it for a few hours.</p>
<p>Many thanks to <a href="http://drupal.org/user/36762">greggles</a> for putting this together for the Drupal community. For another review of Cracking Drupal see <a href="http://aaronwinborn.com/blogs/aaron/site-hacked-read-cracking-drupal?page=35">Aaron's write-up of it</a>.</p>
</div></div></div>
<div class="field field-name-taxonomy-vocabulary-1 field-type-taxonomy-term-reference field-label-above"><div class="field-label">Categories:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/categories/drupal" typeof="skos:Concept" property="rdfs:label skos:prefLabel">Drupal</a></div><div class="field-item odd"><a href="/categories/security" typeof="skos:Concept" property="rdfs:label skos:prefLabel">security</a></div><div class="field-item even"><a href="/categories/javascript" typeof="skos:Concept" property="rdfs:label skos:prefLabel">JavaScript</a></div></div></div>
Fri, 31 Jul 2009 18:58:41 +0000 Caleb Gilbert