Anything you can do XSS can do better

Cross Site Scripting (XSS) is the number one vulnerability in Drupal code¹ and one of the scariest forms of exploits, because anything you can do XSS can do better².

More serious than <script>alert('xss')</script>

During XSS demos and vulnerability testing it's easy to use some code like <script>alert('xss')</script> to see Javascript executed where it shouldn't be. But an alert box isn't scary.

It's scary when Javascript can put your Drupal site offline. And it's even scarier when it locks you out of logging back in because it changed your administrator account username, password, and email address. Watch the short video below to see a demo of this.

The malicious Javascript entered by the attacker, when unknowingly executed by an administrator, does the following evil evil things:

  • Changes the site title and site email address
  • Changes the administrator's username, email, and password
  • Sets a site-offline message and puts the site in offline status
  • And finally, logs the current user out of the site³

How do you protect against this?

Against this exact demo? You disable the use of the Full HTML input format by anonymous users. In general you should understand how to configure your site securely and know what actions you allow untrusted users to perform.

The attack vector in the video is a comment that has Full HTML enabled for anonymous users. Note that Drupal does not come by default with Full HTML enabled for anonymous users.

Be mindful of contributed modules

It's also common that contributed modules print user-supplied data insecurely, opening the door to an XSS attack. Popular modules are often more vetted and secure, and thus safer to use. Greg has written recently about some tools to use in picking modules. Also, if you're writing code, make sure you're correctly using the APIs and following best practices.
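The input-format point above (Full HTML for anonymous users) and the API point in this paragraph, as an added example that is not part of the original post: a self-contained Python sketch of how three rendering choices treat the same constructed comment. full_html passes the attacker's markup through, filtered_html is a simplified allow-list stand-in for a Filtered HTML format (Drupal's own function for that job is filter_xss()), and plain_text escapes everything, which is what check_plain() does for data that was never meant to be markup. The sanitizer, its tag list and the sample comment are assumptions made for this example, not Drupal code.

```python
import html
from html.parser import HTMLParser
# Allow-list in the spirit of a "Filtered HTML" input format (constructed for this example).
ALLOWED_TAGS = {"a", "em", "strong", "p", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
# Constructed sample comment: harmless markup plus the kinds of payload the post describes.
SAMPLE_COMMENT = ('<p>Nice post <script>alert(\'xss\')</script>'
                  '<a href="javascript:alert(1)" onmouseover="x()">link</a></p>')

class AllowListFilter(HTMLParser):
    """Rebuilds the markup, keeping only allow-listed tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (script, img, ...) is dropped; its text is kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers such as onmouseover never pass
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue  # javascript: and data: URLs are dropped
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def full_html(text):
    """'Full HTML': whatever the anonymous user typed is rendered as-is."""
    return text

def filtered_html(text):
    """Allow-list filter: the tag-level defence a 'Filtered HTML' format provides."""
    parser = AllowListFilter()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)

def plain_text(text):
    """Escape everything: the right choice for data that is not meant to be markup."""
    return html.escape(text, quote=True)
```

Run filtered_html(SAMPLE_COMMENT) and plain_text(SAMPLE_COMMENT) side by side: the script tag and the javascript: link disappear in the first, and no markup at all survives the second.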

Stay safe, community!

¹XSS is the number one vulnerability in Drupal code based on times reported in Drupal core and contributed project Security Advisories as published by the Drupal Security Team. Read the report on Drupal Security for more information and stats.

²Javascript can't exactly change admin settings better than you can :). It can certainly change them "faster" than you can though.

³The final piece of the attack run by the Javascript is actually a different class of attack known as Cross Site Request Forgery (CSRF).

Comments

alert('xss')

I know you've got to try this out, but really?

The preview button is enabled so you can test JS on our site before saving ;)