Introduction to Cross Site Scripting (XSS) and Drupal
This article provides an introduction to Cross Site Scripting in Drupal.
Basics of How Cross Site Scripting Works
This video shows an example of a poorly configured site where a malicious visitor can use XSS to change a user's password. It then shows how to use the Security Review module to identify and fix some XSS vulnerabilities in a site. Note that the Security Review module is not a complete solution: it only finds some common vulnerabilities.
Identifying Cross Site Scripting
- Make the content of each alert specific to the place where the injection was made, so you can trace it back
- Some fields will filter some information but not others, so try multiple methods
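The tracing convention above can be checked mechanically on your own test site. The following is an added example, not code from the original article or from Drupal: it parses a rendered page and reports which location markers, in the `alert('<location>')` form this page uses, ended up where a browser would run them (a `<script>` body or an `on*` attribute) and which were safely escaped into text. The function names, the markers other than `blog-node-title`, and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Probes follow the page's convention: alert('<place-where-it-was-injected>')
MARKER_RE = re.compile(r"alert\('([a-z0-9-]+)'\)")


class ProbeFinder(HTMLParser):
    """Sorts markers into 'browser would execute this' and 'displayed as text'."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.executable = set()  # marker reached a <script> body or on* attribute
        self.inert = set()       # marker only appears as displayed text
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name.startswith("on") and value:
                self.executable.update(MARKER_RE.findall(value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        target = self.executable if self._in_script else self.inert
        target.update(MARKER_RE.findall(data))


def classify_probes(html):
    """Return markers by outcome; 'unescaped' names the fields that need a fix."""
    finder = ProbeFinder()
    finder.feed(html)
    finder.close()
    return {"unescaped": sorted(finder.executable),
            "escaped": sorted(finder.inert - finder.executable)}


# Constructed sample: rendered output of a test page after probes were saved
# into three fields. Only the title field was escaped on output.
SAMPLE_PAGE = """
<h1>&quot;&gt;&lt;img src=&quot;u.png&quot; onerror=&quot;alert(&#039;blog-node-title&#039;);&quot;</h1>
<div class="body"><input value=""><img src="u.png" onerror="alert('blog-node-body');">"></div>
<div class="sig"><script>alert('user-signature');</script></div>
"""

if __name__ == "__main__":
    print(classify_probes(SAMPLE_PAGE))
```

Because each marker names its field, the `unescaped` list points directly at the output paths that are missing a filter, including ones that only fail for one of the two injection methods.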
Specifically, try to inject these two strings:
"><img src="u.png" onerror="alert('blog-node-title');"</script>
Why is it called "Cross Site Scripting"?
In his post on the history of cross site scripting, Jeremiah Grossman describes the original version of XSS:
Future XSS articles will cover:
- What are the appropriate filter functions to use? How do I decide when to use them?
- What are some other examples of cross-site scripting?