Anything you can do XSS can do better

Cross Site Scripting (XSS) is the number one vulnerability in Drupal code¹ and one of the scariest forms of exploits, because anything you can do XSS can do better².

More serious than <script>alert('xss')</script>

During XSS demos and vulnerability testing it's easy to use a payload like <script>alert('xss')</script> to confirm that JavaScript executes where it shouldn't. But an alert box isn't scary.

It's scary when JavaScript can take your Drupal site offline. And it's even scarier when it locks you out of logging back in because it changed your administrator account's username, password, and email address. Watch the short video below to see a demo of this.


This article is now part of the Knowledge Base of Drupal security articles on Drupal Scout.

Read the rest of Anything you can do XSS can do better


This page is kept so the comments posted here are available since they provide additional help and insights.

Comments

Thx!

Thanks guys for your continuing quest on making Drupal (installations) safer.

It might be worth a note that you can protect your admin account (and any other account you want) from edits/deletion by using the User Protect module. Even if your site is XSS proof you might want to protect your UID1 from edits by a user administrator going bonkers or deletion while being intoxicated.

So scary!

XSS is scary, full stop. One small mistake by an admin during configuration and it could result in someone literally owning your site. A massive issue if, for example, you're running an Ubercart shop and you take payment details on-site!

It might be worth a note that

It might be worth a note that you can protect your admin account (and any other account you want) from edits/deletion by using user protect module.

This might indeed block the attack shown in the video. But...

You are focusing too much on the example instead of the point "XSS can do everything you can do".

An exploit

  • can read and distribute your session cookie (use HttpOnly cookies)
  • can create a new user with all permissions
  • can grant all permissions to anonymous users
  • can enable the php module and add the PHP filter to an input format
  • can enable file uploads and upload an executable file
  • etc
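
The two defensive layers touched on above, the escaping that keeps the article's alert probe inert and the HttpOnly session cookie from the list, as an added PHP example that is not code from the original post or from Drupal itself. It assumes a Drupal 6/7-style check_plain(), re-created locally so the script runs outside Drupal.

```php
<?php
// Added example, not from the original post or from Drupal. check_plain()
// is re-created here so the script runs stand-alone; inside Drupal 6/7 the
// real function lives in includes/bootstrap.inc and should be used instead.

function check_plain($text) {
  // Same escaping Drupal's check_plain() performs: angle brackets and both
  // quote styles become entities, so the browser treats the value as text.
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: an untrusted value concatenated straight into markup.
// Anything the value contains (script tags, event handlers) is interpreted.
function render_greeting_unsafe($name) {
  return '<p>Hello, ' . $name . '</p>';
}

// Hardened pattern: every untrusted value passes through check_plain()
// at output time, right where it is placed into the HTML.
function render_greeting_safe($name) {
  return '<p>Hello, ' . check_plain($name) . '</p>';
}

// Constructed input: the harmless probe the article uses in its demo.
$probe = "<script>alert('xss')</script>";

echo "Unsafe: ", render_greeting_unsafe($probe), PHP_EOL;
echo "Safe:   ", render_greeting_safe($probe), PHP_EOL;

// Second layer, independent of escaping: mark the session cookie HttpOnly
// so script that does manage to run cannot read it via document.cookie.
// Standard PHP ini setting; it must be applied before session_start().
ini_set('session.cookie_httponly', '1');
```

Run it from the command line and compare the two lines: the unsafe one carries the script tag through verbatim, the safe one turns it into literal text. Escaping stops the script from running at all; HttpOnly only limits what a script that still runs can steal, so it is a supplement, not a replacement.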

Dude, it was just a sidenote.

Dude,

it was just a sidenote. Of course you have to work on the XSS front constantly because it is so dangerous. Using user protect helps to prevent the worst and can avoid non XSS dangers.

Yeah, my Javascript is

Yeah, my JavaScript is actually really amateurish compared to what's out there. Probably the scariest XSS attack demo I've seen was a command-control attack where the attacker had a persistent window into the site to run commands and retrieve data.

hi

Hi, author.
Can you show me the XSS code of this demo?
I only want to try it on my website offline.
Can you? Thanks.