Ask Acquia: How can I protect my Drupal website from XSS security vulnerabilities?

Cross Site Scripting (XSS) is a type of injection attack that takes advantage of the dynamic nature of a web page. XSS vulnerabilities present a real and potential threat to the websites you create and manage. In fact, as of WhiteHat’s 2014 Website Security Statistics Report, XSS was the most common vulnerability found for almost every language used in website development.

In their 2014 white paper, the Drupal Security team states that over half of all contributed project Security Advisories reported at least one XSS vulnerability – a number more than double that of the next most common vulnerability class.

XSS is clearly a threat - but time spent wringing your hands is time wasted. Take a proactive approach to protecting your website by taking advantage of the resources Acquia has made available.

How can XSS be used to attack my site?

Because of the way XSS works, web applications such as comment boxes allow users to affect the content that a page generates. When these applications are not set to disallow “Full HTML” input format by anonymous users, malicious users can use that opening to embed client-side script into the page that will later be interpreted by the browser of anyone who views that content.

What can happen as the result of an XSS infection?

When visitors to your site view the infected page, it executes injected script, triggering the attack against your website. XSS attacks can be used to steal any information contained on the infected webpage, including the session cookie and username of any logged in visitor. Using this information, an attacker can gain access to any user’s account - including that of your site administrator. With all the privileges of full administrative access, the attacker can steal any data your administrator can view and lock you out of your own website.

The Acquia Help Center’s article on this subject - Anything you can do, XSS can do better - provides a video demonstration of this type of attack.

How can I identify vulnerabilities and defend against XSS attacks?

Any field where an untrusted user can enter script into a webpage is a possible vector for XSS attacks. By following these security best practices, you can mitigate much of threat.

  • Maintain content filters to detect and stop script injection

  • Test the security of all subdomains that set cookies accessible by the main site

  • Add only modules and themes you trust to be secure – and be especially cautious when adding custom code or third party extensions.

The Acquia Help Center provides more detailed information on how to identify XSS vulnerabilities that may exist within your website. After reading through Introduction to cross-site scripting (XSS) and Drupal and Using XSS to steal access, you’ll know how to get started securing your Drupal site against the most common threat to internet security.