Recent patches for Form API, Filter module, and whatnot made me worry about D7's health with regard to sanitization of user input on output.

The idea:

1) Enable all modules.

2) Grant all permissions.

3) Take menu router, fetch all router items having 'page callback' => 'drupal_get_form'.

4) Get all of those forms and insert <script>alert('XSS');</script> into all textfields and textareas. Submit.

5) Handle validation errors somehow. (Magic xpath trickery, but possible.)

6) Afterwards, fetch the menu router again, and visit any possible page in Drupal.

7) On every single page, assert that <script>alert('XSS');</script> is not contained in the raw output.

Files:

Comment  File                         Size      Author  Test result
#8       drupal.security-xss.8.patch  15.32 KB  sun     FAILED: [[SimpleTest]]: [MySQL] 20,979 pass(es), 8 fail(s), and 1 exception(es).
#7       drupal.security-xss.7.patch  15.13 KB  sun     FAILED: [[SimpleTest]]: [MySQL] 20,950 pass(es), 5 fail(s), and 1 exception(es).
#6       drupal.security-xss.5.patch  11.09 KB  sun     FAILED: [[SimpleTest]]: [MySQL] 20,960 pass(es), 5 fail(s), and 6 exception(es).
#4       drupal.security-xss.4.patch  7.74 KB   sun     FAILED: [[SimpleTest]]: [MySQL] 20,783 pass(es), 0 fail(s), and 5 exception(es).
#3       drupal.security-xss.3.patch  7.68 KB   sun     FAILED: [[SimpleTest]]: [MySQL] 20,839 pass(es), 0 fail(s), and 5 exception(es).
         drupal.security.0.patch      2.57 KB   sun     FAILED: [[SimpleTest]]: [MySQL] 20,510 pass(es), 0 fail(s), and 10 exception(es).
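The seven steps above, written out as a Drupal 7 DrupalWebTestCase. This is an added illustration, not the patch attached to this issue or any code from Drupal core: the class, method and property names are invented, the skip list (wildcard paths, user/logout) is an assumption, and it makes no attempt at multi-step forms. It does record the URL each successful submission redirects to and inspects that page as well, since that is where dynamic page callbacks display submitted values. Besides the raw payload it also asserts against the value escaped twice, the other defect such a scan turns up.

```php
<?php

/**
 * Added example (not the patch attached to this issue): a Drupal 7
 * DrupalWebTestCase that walks steps 1 to 7 of the issue summary. Class,
 * method and property names are invented; the skip list and the handling
 * of wildcard paths are assumptions.
 */
class XssFormScanTestCase extends DrupalWebTestCase {

  // The marker is only a problem if it reaches the HTML unescaped.
  const PAYLOAD = "<script>alert('XSS');</script>";

  // Router paths plus every URL a successful submission redirected to.
  protected $pagesToCheck = array();

  public static function getInfo() {
    return array(
      'name' => 'XSS form scan',
      'description' => 'Feeds a script payload through every drupal_get_form() form and asserts it is never output raw or double-escaped.',
      'group' => 'Security',
    );
  }

  function setUp() {
    parent::setUp();
    // Step 1: enable every visible module except the test-only ones.
    $modules = array();
    foreach (system_rebuild_module_data() as $name => $module) {
      if (empty($module->info['hidden']) && $module->info['package'] !== 'Testing') {
        $modules[] = $name;
      }
    }
    module_enable($modules);
    menu_rebuild();
    // Step 2: one account holding every permission any module declares.
    $this->drupalLogin($this->drupalCreateUser(array_keys(module_invoke_all('permission'))));
  }

  function testFormsNeverEchoPayloadRaw() {
    // Step 3: collect router items and attack those rendered by drupal_get_form().
    // Paths with a % wildcard need real arguments and are skipped here (assumption);
    // user/logout would end the session for every page visited after it.
    foreach (menu_get_router() as $path => $item) {
      if (strpos($path, '%') !== FALSE || $path == 'user/logout') {
        continue;
      }
      $this->pagesToCheck[$path] = $path;
      if ($item['page callback'] == 'drupal_get_form') {
        $this->attackFormsOn($path);
      }
    }
    // Steps 6 and 7: revisit every page and inspect the raw HTML.
    foreach ($this->pagesToCheck as $url) {
      $this->drupalGet($url);
      if (curl_getinfo($this->curlHandle, CURLINFO_HTTP_CODE) != 200) {
        continue;
      }
      $this->assertNoRaw(self::PAYLOAD, 'Payload is not echoed raw on ' . $url);
      // Values escaped twice show up as "&amp;lt;script&amp;gt;" in the markup.
      $this->assertNoRaw(check_plain(check_plain(self::PAYLOAD)), 'Payload is not double-escaped on ' . $url);
    }
  }

  /**
   * Steps 4 and 5: submit the payload through every form on $path.
   */
  protected function attackFormsOn($path) {
    $this->drupalGet($path);
    $forms = $this->xpath('//form');
    if (curl_getinfo($this->curlHandle, CURLINFO_HTTP_CODE) != 200 || !$forms) {
      return;
    }
    foreach ($forms as $form) {
      $fields = $form->xpath('.//input[@type="text"] | .//textarea');
      $buttons = $form->xpath('.//input[@type="submit"]');
      if (!$fields || !$buttons) {
        continue;
      }
      $edit = array();
      foreach ($fields as $field) {
        $edit[(string) $field['name']] = self::PAYLOAD;
      }
      // Post only this form (sixth argument is its HTML id) with its first
      // submit button. drupalPost() follows redirects, so $this->getUrl()
      // afterwards is the page that displayed the result.
      $this->drupalPost($path, $edit, (string) $buttons[0]['value'], array(), array(), (string) $form['id']);
      // Step 5: a validation error means the value was rejected; the error page
      // itself is still inspected below. Otherwise remember the redirect target
      // for the final pass, since that is where dynamic page callbacks show the value.
      if (!$this->xpath('//div[contains(@class, "messages") and contains(@class, "error")]')) {
        $this->pagesToCheck[$this->getUrl()] = $this->getUrl();
      }
      $this->assertNoRaw(self::PAYLOAD, 'Payload is not echoed raw after submitting a form on ' . $path);
    }
  }
}
```

Enabling every module and posting every form makes this a long-running test; with verbose output enabled, the per-request dumps are what show which form let the payload through and which page printed it.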

Comments

sun:

Basically we want to move http://drupal.org/project/security_scanner into a test in core. Thanks dmitrig01!

Status: Needs review » Needs work

The last submitted patch, drupal.security.0.patch, failed testing.

sun:

Status: Needs work » Needs review
File: drupal.security-xss.3.patch (7.68 KB)
FAILED: [[SimpleTest]]: [MySQL] 20,839 pass(es), 0 fail(s), and 5 exception(es).

Heavily advanced.

sun:

File: drupal.security-xss.4.patch (7.74 KB)
FAILED: [[SimpleTest]]: [MySQL] 20,783 pass(es), 0 fail(s), and 5 exception(es).

Fixed default local task omission.

Status: Needs review » Needs work

The last submitted patch, drupal.security-xss.4.patch, failed testing.

sun:

Status: Needs work » Needs review
File: drupal.security-xss.5.patch (11.09 KB)
FAILED: [[SimpleTest]]: [MySQL] 20,960 pass(es), 5 fail(s), and 6 exception(es).

In addition to some real XSS security issues, this patch nicely reveals some other logic errors and broken code in Drupal core.

I highly recommend enabling debug/verbose output in SimpleTest, running this test locally, and looking at the results... the test is able to insert the XSS values in fields where they should not be accepted in the first place at all. Oh my, lots of broken code. :)

sun:

File: drupal.security-xss.7.patch (15.13 KB)
FAILED: [[SimpleTest]]: [MySQL] 20,950 pass(es), 5 fail(s), and 1 exception(es).

First round of eliminating exceptions thrown during test run.

sun:

File: drupal.security-xss.8.patch (15.32 KB)
FAILED: [[SimpleTest]]: [MySQL] 20,979 pass(es), 8 fail(s), and 1 exception(es).

Now also verifying HTML output after successful form submission, which can lead to dynamic page callbacks.

sun:

Title: Basic XSS tests » XSS attacks and security scan via testbot

Better title?

Status: Needs review » Needs work

The last submitted patch, drupal.security-xss.8.patch, failed testing.

greggles:

Seems like a great idea. I've tested out the project mentioned in comment #1. I'm not sure if you've used it, but basically it did a three-step process:

  1. Scan all pages to index them and find form elements
  2. Try injecting text into form elements
  3. Scan all pages from step 1 to see if any of them have reflected XSS

This works reasonably well but doesn't take into account that step 2 can create new pages which are likely to be the source of XSS. Solving that problem in this work would be great.

@sun - it's not clear if you feel your current patch is ready for review/testing. Please state that when you are ready so others can provide input.

sun:

The patch works reasonably well already. The tests failed for real -- because of possible XSS attacks or double-escaped form values in the output. :)

Not yet included, and only minimally prepared for, is recursion into forms on redirected pages, i.e. to test multi-step forms, but also the sanitization of submitted form values on dynamic paths. For that, we have to abstract the logic that tries to find a form and attack it into a new helper method, so as to be able to call it recursively from itself. On subsequent redirection pages, we likely want to use menu_get_item($this->url) to figure out the $form_id on that page, and/or whether we want to add that page or $path to $this->page_callbacks for the final XSS assertions afterwards.

Current docs are rudimentary, too...

I'm not sure whether I'll be able to work on this soon. Would be lovely to see someone else to take this up.

sun:

Version: 7.x-dev » 8.x-dev
Assigned: sun » Unassigned

Although badly needed, this is D8 material according to the rules (as I had to learn today). It may be backported at a later point in time (though that's unlikely).

jhedstrom:

Version: 8.0.x-dev » 8.1.x-dev
Issue summary: updated

dawehner:

Version: 8.1.x-dev » 8.0.x-dev

This is test-only code and so can be done at any point.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.