<h2>Using XSS to steal access</h2>
<p>Cracking Drupal - demo. Ben Jeavons, Mon, 31 Jan 2011 19:00:09 +0000. Tags: cookies, demo, Planet Drupal, XSS.</p>
<p>We've talked about Cross Site Scripting (XSS) before, and for good reason: it's a risk far too many sites are vulnerable to. XSS is scary because it runs in the context of the trusted relationship between your browser and a website; <a href="http://drupalscout.com/knowledge-base/using-xss-steal-access">XSS can do everything you can do</a>.</p>
<h3>XSS cookie theft</h3>
<p>Let's look at another example of an XSS exploit: stealing administrative access to a site.</p>
<ul>
<li>An attacker will enter JavaScript that steals the visitor's browser cookie</li>
<li>An administrator will unknowingly execute this JavaScript</li>
<li>The administrator's browser will send the cookie to the attacker's website</li>
<li>The attacker will use the stolen cookie to act with the administrator's access on the site</li>
</ul>
<p><a href="http://drupalscout.com/knowledge-base/using-xss-steal-access"><img style="float: left; padding: 1em;" src="http://crackingdrupal.com/sites/crackingdrupal.com/files/drupalscout-final-rgb-131x200.png" /></a><br /> <strong>This article is now part of the <a href="http://drupalscout.com/knowledge-base">Knowledge Base</a> of Drupal security articles on <a href="http://drupalscout.com/">Drupal Scout</a>.</strong></p>
<p>Read the rest of <a href="http://drupalscout.com/knowledge-base/using-xss-steal-access">Using XSS to steal access</a></p>
<p><br style="clear:left;" /></p>
<p>This page is kept so the comments posted here remain available, since they provide additional help and insights.</p>