Archive for June, 2009

XSS (Cross Site Scripting) Attacks. How can I prevent XSS attacks on my website?

Monday, June 22nd, 2009

Many websites today are reeling under persistent XSS (cross site scripting) attacks, where malicious code is attached to their web pages. This gets the sites blocked on Google and other search engines and prevents users from browsing them. Users who are not running updated browsers download the malicious code onto their PCs or are redirected to the websites hosting the malicious code, where their sessions are captured, or sensitive data such as usernames and passwords are used by hackers to gain privileged information, causing damage to users and website owners alike.

Many website owners feel that this is a problem with the web host, or that their PCs are virus infected and the files they upload to their web server are infected and causing the problem. But this is simply not the case! XSS attacks are generated at runtime because of insecure code on your website or web application, which hackers use to attach their own code to your website through insecure feedback forms, user registration/login forms and even search fields.

Here is a collection of links to online videos and resources which should help you gain a better understanding of XSS and of how to prevent XSS attacks on your website:

Video 1: A brief video primer on how SQL Injection works.


Video 2: Persistent Cross Site Scripting


Video 3: Don Ankney of Microsoft talks about the continuing challenges around eradicating Cross Site Scripting from the Earth.



Foiling Cross-Site Attacks: An interesting read on XSS and cross-site request forgery (CSRF).

XSS Tools:

Springenwerk Security Scanner: Springenwerk is an open source Cross Site Scripting (XSS) security scanner, written in Python.
HTML Purifier: HTML Purifier is a standards-compliant HTML filter library written in PHP. It has plugins for popular CMS and PHP frameworks like Drupal, Joomla and CodeIgniter.
N-Stalker Free Edition: N-Stalker Web Application Security Scanner provides a restricted set of free Web Security Assessment checks to enhance the overall security of your web server infrastructure.
As XSS security is an evolving area and new products and techniques are being introduced to prevent its abuse, your comments and additional resources on this post are welcome, to make this a valuable resource for other users.

How to create a view in Drupal

Sunday, June 21st, 2009

In this post we will discuss how to create a view that lists the content of a given content type in a Drupal site. In Drupal, you can create dynamic pages from administrative menu > content management > content > Add option. If you are creating dynamic content, e.g. pages that should list the records for a particular set of data fields, you need to create a View, which will display a listing of the content of any content type.

Here are some simple steps to create a view for any content type. This example has been created using Drupal 5.10.

Step 1 : Basic View Setup

Download the Views module (http://drupalmodules.com/module/views) and install it. Once you enable the Views module you can create views for all content types. From administrative menu/site building/views click on the add option. Once you click the add option you will get a form as shown in the figure below.

Basic information is the general information about the view which you will create.

viewinfo

Step 2 : Creating the View Display

You can display your created view in a page, in a block, or in both. It is up to you how you would like to get the output. To help you, we are creating both the page and the block. Please check the snapshots given below.

(a) Creating a page for the view.

First, you have to check the provide page view option and give the URL of the view page. Use pager is the option for pagination; if you don't want pagination, just uncheck the checkbox.

Page

(b) Creating a Block for the view.

Check the provide block option to create a block for the view. Nodes per block indicates how many nodes you want to show in your block.

Block

Step 3 : Selecting the fields

Fields – Select the fields which you want to display for this content type. In our example, we are showing the node title and node body. Choose the field from the drop down and click on the add Field button. The selected field will be displayed above, as shown in the figure.

Display Fields

Step 4 : View Arguments

Arguments – If you want to display a particular node, you need to configure this argument section; otherwise leave it blank. Select from the drop down the argument which you want to pass for the node and click add argument. The selected argument will show above, as shown in the figure.

Now you need to set the wildcard value. The wildcard is the value you pass from the URL. It will automatically fetch the value and show the corresponding node content.

For example, if you want to show the node whose node ID is 11, then select node ID as the argument and set the wildcard to %1.

%1 represents 11, the first argument you pass from the URL, i.e. http://localhost/drupaldemo/?q=admin/build/views/page_entry/11

%2 represents 22, the second argument you pass from the URL, i.e. http://localhost/drupaldemo/?q=admin/build/views/page_entry/11/22

Passing Argument

Step 5 : Creating Filters for the View

Filters – In this filter section you can filter the nodes which you want to show in your view page. In our example, we are filtering by node type, which is the simplest and most general way to filter. Select Node: type from the dropdown and click on the add filter button. Then select page as the value of the node type.

In our example, we are thus selecting the page type out of all nodes through this filter option.

Filter

Step 6 : Set Your Sort Criteria

Sort Criteria – Select the field from the dropdown to sort by. In our example, we are sorting by node ID, i.e. the latest node entry will show at the top of the listing. See the snapshot given below.

Sorting

Step 7 : Confirm the changes and preview the ‘View’

Finally, click on the save button to save all the provided information. Once the view is saved you can access the page by the URL you have provided. For our example, the URL name is viewPage, and to see the listing of the page nodes the URL is http://sitename/?q=viewPage.

You will get the full URL of your view page from Administrative menu > site building > views > Listing page. You can also edit and delete this view from that section.


Two ways to add Joomla users using your custom code

Sunday, June 7th, 2009

The tasks of adding Joomla users, login/logout, activating/deactivating users, password reset etc. are handled by the component com_users. In this post I will show how to add a Joomla user from an external page.

Adding users externally can be done in two ways:
1. Create an HTML form with the correct fields and submit it to the correct Joomla URL so that Joomla handles the registration, or
2. If you want to do it your own way, create both the HTML form and the script that will add the user to Joomla.

First, the regular way:

We create an HTML form with the correct field names and place the form in the Joomla root. The field names should match those of the general Joomla registration form.

If we view the source of a Joomla registration form we can see that it has text fields named name, username, Email, password and password2, and hidden fields task, id and gid. There is another hidden field whose name is generated by JUtility::getToken() and whose value is 1. This field value is checked when the registration information is submitted; more about this in a moment. On submitting the registration form, the registration information is processed by the register_save method of the UserController in com_user, which is specified by the hidden field named task in the registration form.

Now we come to the UserController in com_user. In the register_save method there is a line which checks the token value from the submitted form. As we are using a static HTML form, we either need to generate the token name in the HTML form or, if we don't want to include the token in the form, bypass the line of code which checks for the token:

JRequest::checkToken() or jexit( 'Invalid Token' );

in the register_save method of the UserController in com_user. Since we will be using a plain HTML form, we go for the second option and comment out the line that checks the token:

// JRequest::checkToken() or jexit( 'Invalid Token' );

The submitted registration information is then processed by the register_save method. The data is actually saved in the save method of the UserController.

Now, the Other way:

Here we use the previously created form and submit it to a custom script that we create. This approach basically copies the functionality of the register_save() method of the UserController in com_user into an external script, and submits the HTML registration form to that script.

Now on to the script:
To access the Joomla environment in an external script, the following snippet is added at the start of the script:

define( '_JEXEC', 1 );
define( 'JPATH_BASE', dirname(__FILE__) ); // this is when the script is in the Joomla root
define( 'DS', DIRECTORY_SEPARATOR );

require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );

// load the site application and start the session
$mainframe =& JFactory::getApplication('site');
$mainframe->initialise();

This snippet makes the Joomla framework available in the script. The code snippet is taken from the index.php in the Joomla root.

Now we import the functionality of the register_save() method in the script.

#1. Check for request forgeries; we comment this out since tokens are not generated in the HTML page

//JRequest::checkToken() or jexit( 'Invalid Token' );

#2. Get required system objects

$user      = clone(JFactory::getUser());
$pathway   = & $mainframe->getPathway();
$config    = & JFactory::getConfig();
$authorize = & JFactory::getACL();
$document  = & JFactory::getDocument();

#3. If user registration is not allowed, show 403 not authorized (not needed)

$usersConfig = &JComponentHelper::getParams( 'com_users' );
if ($usersConfig->get('allowUserRegistration') == '0') {
	JError::raiseError( 403, JText::_( 'Access Forbidden' ));
	return;
}

#4. Initialize new usertype setting

$newUsertype = $usersConfig->get( 'new_usertype' );
if (!$newUsertype) {
	$newUsertype = 'Registered';
}

#5. Bind the post array to the user object

// 'usertype' is ignored from the POST data; the group is set explicitly below
if (!$user->bind( JRequest::get('post'), 'usertype' )) {
	JError::raiseError( 500, $user->getError());
}

#6. Set some initial user values

$user->set('id', 0);
$user->set('usertype', '');
$user->set('gid', $authorize->get_group_id( '', $newUsertype, 'ARO' ));
 
$date =& JFactory::getDate();
$user->set('registerDate', $date->toMySQL());

#7. If user activation is turned on, we need to set the activation information (not needed)

$useractivation = $usersConfig->get( 'useractivation' );
if ($useractivation == '1') {
	jimport('joomla.user.helper');
	$user->set('activation', md5( JUserHelper::genRandomPassword()) );
	$user->set('block', '1');
}

#8. Save the details of the user

// save() returns false when validation fails (e.g. duplicate username,
// passwords not matching); report the error instead of continuing silently
if (!$user->save()) {
	JError::raiseWarning( '', $user->getError() );
	return;
}

After this we can use the PHP header function to redirect the user to the desired location.
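Both the "regular way" above and step #1 of the script comment out JRequest::checkToken() because the static form carries no token. The alternative the post mentions, generating the token in the form, is shown here as an added example (not the post's code): one script in the Joomla 1.5 root that renders the registration form with the session token on GET and keeps the token check on POST. The file name and the lowercase email field name are assumptions.

```php
<?php
// register_with_token.php (hypothetical name): added example, not the post's
// code. Bootstraps Joomla 1.5 exactly as the post's snippet does, then renders
// the external registration form with the session CSRF token and, on submit,
// keeps the step #1 check instead of commenting it out.
define('_JEXEC', 1);
define('JPATH_BASE', dirname(__FILE__));
define('DS', DIRECTORY_SEPARATOR);
require_once JPATH_BASE . DS . 'includes' . DS . 'defines.php';
require_once JPATH_BASE . DS . 'includes' . DS . 'framework.php';

$mainframe = &JFactory::getApplication('site');
$mainframe->initialise();   // starts the session the token is tied to

if (JRequest::getMethod() == 'POST') {
    // Step #1 of the post, kept: the request must carry a hidden field named
    // JUtility::getToken() with value 1. A form on a third-party page cannot
    // know that per-session name, so forged submissions are rejected here.
    JRequest::checkToken() or jexit('Invalid Token');

    // Steps #2 to #8 of the post's script go here unchanged.
    echo 'Token accepted, registration data would be processed now.';
} else {
    // GET: render the form. JHTML::_('form.token') emits the hidden token
    // field for the current session, so nothing is hard-coded in the page.
    $self = htmlspecialchars(JURI::current(), ENT_QUOTES);
?>
<form action="<?php echo $self; ?>" method="post">
  Name: <input type="text" name="name" /><br />
  Username: <input type="text" name="username" /><br />
  Email: <input type="text" name="email" /><br />
  Password: <input type="password" name="password" /><br />
  Confirm: <input type="password" name="password2" /><br />
  <input type="hidden" name="id" value="0" />
  <input type="hidden" name="gid" value="0" />
  <?php echo JHTML::_('form.token'); ?>
  <input type="submit" value="Register" />
</form>
<?php
}
```

Because the same script renders the form and validates it, the token field always matches the session that receives the POST, and the check in register_save can stay in place.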

That's it! I hope Joomla developers find this helpful, and please feel free to post your views and comments on this post.
