Using XSS to steal access

We've talked about Cross Site Scripting (XSS) before, and for good reason: it's a risk far too many sites are vulnerable to. XSS is scary because it runs in the context of the trusted relationship between your browser and a website; XSS can do everything you can do.

XSS cookie theft

Let's look at another example of an XSS exploit: stealing administrative access to a site.

  • An attacker will enter JavaScript that steals the visitor's browser cookie
  • An administrator will unknowingly execute this JavaScript
  • The administrator's browser will send the cookie to the attacker's website
  • The attacker will use the stolen cookie to act with the administrator's access on the site
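The defensive counterpart to these steps is to make sure the session cookie never reaches the first one: a cookie set with the HttpOnly flag is kept out of document.cookie, so injected script cannot read it, and the Secure flag keeps it off plaintext HTTP. The script below is an added example (not code from the original article or from Drupal) that parses Set-Cookie headers, reports session cookies missing either flag, and shows which cookies script would be able to read before and after the flag is added. The sample headers are constructed to resemble a Drupal session cookie and are not captured from any real site; the SESS/SSESS naming check and the add_httponly helper are this example's own assumptions.

```python
"""Added example (not from the original article or Drupal): audit Set-Cookie
headers for the two flags that blunt the cookie-theft scenario above.

HttpOnly keeps a cookie out of document.cookie, so injected script cannot read
it (the first step of the attack fails); Secure keeps it off plaintext HTTP.
The sample headers below are constructed to resemble a Drupal session cookie
and are not captured from any real site.
"""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict  # lower-cased attribute name -> value, or None for bare flags


# Constructed sample headers: the same session cookie without and with HttpOnly,
# plus Drupal's non-sensitive has_js cookie, which needs no protection.
SAMPLE_HEADERS = [
    "Set-Cookie: SESS0123456789abcdef=abc123; expires=Sat, 01-Jan-2011 00:00:00 GMT; path=/; domain=.example.com",
    "Set-Cookie: SESS0123456789abcdef=abc123; expires=Sat, 01-Jan-2011 00:00:00 GMT; path=/; domain=.example.com; HttpOnly",
    "Set-Cookie: has_js=1; path=/",
]


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header into name, value and an attribute map."""
    line = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return Cookie(name.strip(), value.strip(), attrs)


def is_session_cookie(name: str) -> bool:
    """Drupal names its session cookie SESS<hash>, or SSESS<hash> over HTTPS."""
    return name.startswith(("SESS", "SSESS"))


def script_visible_cookies(headers):
    """Names the browser would expose through document.cookie: every cookie
    set without HttpOnly. This is exactly what an injected script can read."""
    return [c.name for c in map(parse_set_cookie, headers) if "httponly" not in c.attrs]


def audit(headers):
    """Return (cookie name, [problems]) for every session cookie; an empty
    problem list means the cookie carries both flags."""
    report = []
    for cookie in map(parse_set_cookie, headers):
        if not is_session_cookie(cookie.name):
            continue
        problems = []
        if "httponly" not in cookie.attrs:
            problems.append("missing HttpOnly: readable via document.cookie by injected script")
        if "secure" not in cookie.attrs:
            problems.append("missing Secure: sent over plaintext HTTP")
        report.append((cookie.name, problems))
    return report


def add_httponly(header: str) -> str:
    """Return the header as PHP emits it once session.cookie_httponly is 1."""
    if "httponly" in parse_set_cookie(header).attrs:
        return header
    return header.rstrip().rstrip(";") + "; HttpOnly"


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_HEADERS):
        print(name, "->", problems or "ok")
    print("script can read:", script_visible_cookies(SAMPLE_HEADERS))
    hardened = [add_httponly(h) for h in SAMPLE_HEADERS[:2]]
    print("after HttpOnly, script can read:", script_visible_cookies(hardened))
```

Run it against the Set-Cookie headers your own site returns on login (curl -i shows them) and look for the session cookie in the "script can read" list; if it appears there, the cookie-theft step above still works even though nothing else about the XSS has changed.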


This article is now part of the Knowledge Base of Drupal security articles on Drupal Scout.



This page is kept so the comments posted here are available since they provide additional help and insights.

Comments

don't forget httponly

While it by no means solves all XSS problems, this configuration directive would prevent the specific attack demonstrated here (and is already enabled by default on Drupal 7):
ini_set("session.cookie_httponly", 1);

Thanks for sharing

Thanks Dylan, I wasn't aware of that directive! http://us.php.net/manual/en/session.configuration.php#ini.session.cookie... has the specifics. Interesting that it's not supported by all browsers. The drupal.org thread for those interested is http://drupal.org/node/280934

Thanks

I typically only let users use "Filtered HTML" for presentation reasons, but your video serves as a timely reminder of why "Full HTML" is almost always a bad idea.

Very concise and informative--thanks!

Thanks

Thank You