Using XSS to steal access – Acquia Support Knowledge Base

Issue

I would like to understand the security implications of Cross Site Scripting (XSS)?

Resolution

We've talked about Cross Site Scripting (XSS) before, and for good reason; it's a risk far too many websites are vulnerable to. The basic threat of XSS to your website's security is that it runs in the context of the trusted relationship between your browser and a website.

XSS cookie theft

Another example of an XSS exploit is using XSS to steal administrative access to a website:

An attacker enters JavaScript that steals the visitor's browser cookie.
An administrator unknowingly executes this JavaScript.
The administrator's browser sends the cookie to the attacker's website.
The attacker uses the stolen cookie to use the administrator's access on the website.

Mitigation

XSS vulnerabilities are extremely common in web applications, so you should audit your configuration and custom code for adherence to Drupal best practices.

Topics

security
xss
best practices
drupal7

External Links

Anything you can do, XSS can do better
Securing your site
Writing secure code in Drupal 7