Drupal security: video example of user account hijacking with XSS

In this short screencast a variety of security holes are shown, along with some of the malicious things these lapses make possible. We'll walk through two security issues showcased in the vulnerable.module, as well as two other exploits which I put together:
  • User account hijacking via XSS that steals the session cookie
  • User account hijacking via inline XSS that changes the account password

It's worth noting that in the screencast we demonstrate security exploits in the context of a Drupal installation which uses custom code (i.e., the examples in the video do not represent actual vulnerabilities in Drupal core). Likewise, these exploits and security holes potentially apply to any web site, Drupal or not, which accepts user input and echoes it back unescaped.
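Both hijacks in the screencast start from the same custom-code mistake: a stored user value is printed into a page without escaping. The following is an added example, not code from the screencast, from vulnerable.module or from Drupal core; it contrasts an unescaped profile greeting with one passed through check_plain(), the Drupal 6/7 escaping function. The field name 'nickname' and the two greeting functions are hypothetical.

```php
<?php
// Added example, not code from the screencast, vulnerable.module or Drupal
// core. It contrasts an unescaped profile greeting with one escaped through
// check_plain(), the Drupal 6/7 escaping function. The field name 'nickname'
// and the greeting callbacks are hypothetical.

// Outside of Drupal, stand in for check_plain() with the same call it wraps,
// so this file also runs under `php` on the command line.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

/**
 * Unsafe: a stored user value is concatenated straight into HTML, so any
 * markup in it (including a <script> tag) is rendered and executed by the
 * browser of whoever views the page. This is the class of bug both account
 * hijacks in the screencast rely on.
 */
function greeting_unsafe($nickname) {
  return '<h2>Welcome back, ' . $nickname . '</h2>';
}

/**
 * Hardened: check_plain() converts <, >, &, " and ' to entities, so the
 * value is displayed verbatim but never parsed as markup. t() with an
 * @placeholder applies the same escaping if the string must be translatable.
 */
function greeting_safe($nickname) {
  return '<h2>Welcome back, ' . check_plain($nickname) . '</h2>';
}

/**
 * Crude self-check used below: TRUE when the output still carries an
 * unescaped opening tag. A real review relies on escaping at output time,
 * not on scanning the rendered result afterwards.
 */
function contains_raw_tag($html, $tag = 'script') {
  return stripos($html, '<' . $tag) !== FALSE;
}

// Constructed sample value, as a poisoned profile field might hold it.
$nickname = 'Bob <script>/* constructed sample */</script>';

$unsafe = greeting_unsafe($nickname);
$safe   = greeting_safe($nickname);

echo $unsafe, PHP_EOL;  // the <script> element reaches the browser intact
echo $safe, PHP_EOL;    // the tag is printed as &lt;script&gt;, shown as text

var_dump(contains_raw_tag($unsafe));
var_dump(contains_raw_tag($safe));
```

Run it with `php` on the command line: the first var_dump is TRUE because the unescaped greeting still contains a live `<script` tag, the second is FALSE because the escaped greeting contains only entities. The session cookie can additionally be marked HttpOnly by adding `ini_set('session.cookie_httponly', 1);` to settings.php (a standard PHP session setting, not something the screencast shows); that blunts the cookie-theft variant but does nothing against the inline variant, where the injected script submits the password-change form from inside the victim's own session, which is why escaping at output remains the actual fix.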

Links
Cracking Drupal (also, my review)
Drupal.org: Writing secure code
xssed.com
