Hi all,
here is the topic where we can review the project.
I spoke with chx and here is what we think about it.
1- Take SimpleTest, point it at a page with a form and try to submit XSS code.
2- Check what happens (if you put in an alert you can check whether JavaScript is enabled in that form).
3- Do the same thing with an SQL injection string.
4- Check what happens (how to check the results?).
5- Extend this procedure to all the forms inside Drupal.
6- How can we check if a URL is not secure? (Example: $_GET values that go directly into a query. XSS and SQL injection security issue.)
7- Try to understand if there are pages with incorrect permissions (to understand better).
We hope to see you there giving us an advice.
Thanks a lot,
ingo86
Comments
Comment #1
chx commented
After "seeding" Drupal with XSS data, i.e. submitting an attack into every form, I would like to visit as many pages as possible to catch the occasional unescaped string.
Comment #2
ingo86 commented
I have a doubt:
when I put inside a form something like
<script>alert('XSS');</script>, how does SimpleTest manage this? I can see if the unescaped string is accepted or not only when I reach the page that contains the print of this value, so how can SimpleTest know which is the page?
Do you think that I have to scan the whole website? Or may I define a list of paths to search?
This is the first thing to make clear before thinking about other topics of the project.
Comment #3
jcfiala commented
Hum hum hum. That's a good question. It'll partially depend on the form that you're working with, really. For instance, if you're at a node/add or node/%node/edit path, you know you need to look at node pages to see the data... but then again, it might also show up on blocks on other pages.
On the other hand, you can iterate through the menu to check pages.... although with various wildcards you may not be able to track down what all the pages are supposed to be.
It may be necessary to try and generate a likely list of pages to go to. Is this scanner going to be run on more or less production sites, or just on development sites with minimal customization?
Comment #4
ingo86 commented
That's another good question. This week we have to define these things before starting development.
I think that our objective will be:
- I have to use this scanner when my website is ready to be published, but before the upload.
Please, chx or jcfiala, correct what I say now if you think it is needed:
I think I can define a list of pages where I predict to find the output of what I submit. But if someone uses a personalized module I can't be sure that I have checked every output.
I can scan every page of the website, but it could be too slow.
How can we proceed? I think jcfiala explains the problem better than me; I have been looking for an answer since Friday without having better ideas than scanning the full site.
Comment #5
ingo86 commented
chx on IRC said:
alert('hello');" you check the raw html source -- if you see
then that's _trouble_ if you see <script it's fine"
Ok, but this is not what we're searching for. We need to know which pages to check after the injection. The idea I had with your suggestion is checking in the database after the input and comparing that with what I submit.
Comment #6
chx commented
My idea is to check every page. Who knows which block appearing on which page would display an unescaped username or node title? Hence this is called a scanner, because it scans the site. Seed with Bad Input type 1, scan. Seed with Bad Input type 2, scan. Rinse, repeat.
Comment #7
jcfiala commented
The tricky question is, how do you make a list of every possible page on the site? You've got one page each for every node, yes. You've got a page for all of the taxonomy pages, the front page, etc, etc. Then there's pages created by custom modules with wildcards like '%'.
It's a tricky question. Do we want to collect URLs by picking up every anchor tag on the front page, visiting each of those, and continuing to build up a list of anchor tags? Or is there a way to come up with a definite list of pages?
Comment #8
ingo86 commented
I agree with jcfiala's analysis. How can I do that?
Also I think there is an issue scanning the whole site following "a" tags. If there's a hidden piece of code (that will be shown by JavaScript) I can't find it.
But, if drupal has a sitemap, it could contain every page of the website...
There's another thing we have to make clear: how do we inject malicious code?
There are a lot of possibilities:
- injecting into every form in every field with a scan (bad, how can I retrieve which form is not protected?)
- injecting into a single form, but I have to show the user a list of the possible forms inside Drupal to let him choose.
Other ideas about that?
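The two questions raised in comments #5 to #8 (how to tell escaped from unescaped output in the raw HTML, and how to build the list of pages to visit by following anchor tags) can be demonstrated together in a few dozen lines. The following is an added example, not code from the thread or from the SimpleTest project, and it is in Python rather than PHP so it runs stand-alone: the "site" is a constructed in-memory dict of path to HTML (assumed to have already been seeded through a form), `fetch()` stands in for an HTTP request such as SimpleTest's `drupalGet()`, and `CANARY` is a harmless marker containing the characters that must be escaped, used instead of an executable payload. As comment #8 notes, link-following misses pages only reachable through JavaScript, so in practice the crawl seed would be complemented with the menu or a sitemap.

```python
"""Added example: crawl a site by following <a> tags and report, per page,
whether a previously seeded canary string comes back escaped or unescaped."""
import html
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse

# Harmless canary containing '<', '>', '"' so escaped and raw output differ.
CANARY = '<b title="canary">seed-42</b>'

# Constructed sample site (assumed: the canary was already submitted as,
# e.g., a username). /profile escapes it correctly, /block prints it raw.
SITE = {
    "/": ('<html><body><a href="/node/1">n1</a> <a href="/profile#top">me</a>'
          '<a href="http://other.example/">ext</a><a href="mailto:a@b.c">m</a>'
          '</body></html>'),
    "/node/1": '<p>hello</p><a href="/block">block</a><a href="/">home</a>',
    "/profile": '<p>User: ' + html.escape(CANARY) + '</p>',
    "/block": '<div class="block">Welcome ' + CANARY + '</div>',
}
BASE = "http://site.example"  # assumed hostname of the site under test


class LinkCollector(HTMLParser):
    """Collect every href of every <a> tag in a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def fetch(path):
    """Stand-in for an HTTP GET (SimpleTest would use drupalGet())."""
    return SITE.get(path)


def normalize(current_url, href):
    """Resolve a link relative to the current page; keep only same-site
    http(s) paths, drop fragments, and discard mailto:/external links."""
    url, _fragment = urldefrag(urljoin(current_url, href))
    parts = urlparse(url)
    if parts.scheme not in ("", "http", "https"):
        return None
    if parts.netloc and parts.netloc != urlparse(current_url).netloc:
        return None
    return parts.path or "/"


def crawl(start="/", limit=500):
    """Breadth-first crawl from `start`; returns {path: html} for pages seen.
    `limit` bounds the crawl on sites with many wildcard-generated pages."""
    seen, queue, pages = set(), [start], {}
    while queue and len(pages) < limit:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        body = fetch(path)
        if body is None:
            continue
        pages[path] = body
        collector = LinkCollector()
        collector.feed(body)
        for href in collector.hrefs:
            target = normalize(BASE + path, href)
            if target and target not in seen:
                queue.append(target)
    return pages


def check_page(body, canary=CANARY):
    """'unescaped' if the canary appears verbatim in the raw source (trouble),
    'escaped' if only its HTML-escaped form appears (fine), None if absent."""
    if canary in body:
        return "unescaped"
    if html.escape(canary) in body:
        return "escaped"
    return None


def scan(start="/"):
    """Crawl the site and report every page where the seeded canary shows up."""
    findings = {}
    for path, body in crawl(start).items():
        result = check_page(body)
        if result:
            findings[path] = result
    return findings


if __name__ == "__main__":
    for path, result in scan().items():
        print(f"{path}: {result}")
```

Running it visits the four reachable pages (the external and mailto links are dropped) and reports `/profile` as escaped and `/block` as unescaped. The same `check_page` logic maps directly onto SimpleTest's raw-source assertions: one seed, one crawl, one pass of checks, then repeat with the next seed type as chx describes.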
Comment #9
chx commented
Well, proper Drupal code always has a fallback when JS is not available. That's not an issue. About which form fields to seed, well, as many as we can. I would guess that uid 1 can access the most and we will do just that. About which forms are protected, I do not know what your question is; if the question is which fields are not protected, well, we need to deal with textfields and textareas only.
Comment #10
ingo86 commented
Ok, I spoke with chx trying to solve the problems. Now we're at a good point and we defined all the milestones.
I updated my wiki page to let everyone see what we defined.
The tasks are:
- Build up the scanner, based on the library, that follows links and saves them into the database
- Test SQL injection and XSS seeds in the forms (based upon the scanner)
- Test user roles (based upon the scanner)
We have to try to build a scanner that works with multiple instances of itself.
More details on the wiki page.
Comment #11
stella commented
I'd like to see the scope of this project expanded. Rather than just being a security scanner component for the SimpleTest module, I'd like it to have additional features. I'd like this module to be a necessity to all site developers out there. It'd be great if it became standard practice for developers to run it on their sites to check for security holes before deploying them live.
One idea I have is to integrate it with the coder module so you can run coder's security code review on all active modules. As a maintainer of the coder module, I can help out there. I don't think it would be too difficult to do this.
If I can help in any way with this project, please let me know.
Cheers,
Stella
Comment #12
ingo86 commented
Thanks for your support Stella, we're working on the scanner right now, but I think I can extend this module after reaching its primary scope.
Comment #13
ingo86 commented