XSS am i correct in my understanding?

Hi,
trying to learn more about XSS attacks. I’ve been told that my CMS system was open to XSS attacks because I allowed our web editors to add JS.

The web editors are all internal staff members so they won’t (or shouldn’t be) adding malicious code.

I don’t understand how this alone could allow XSS.

Surely XSS attacks require a variable being posted to a page that contains the JS and that isn’t sanitized, not an output from my database containing JS.

Or is my thinking wrong?

Any help appreciated.

Thanks

Well, since it’s the logged-in area of your site, it is secure until you get a malicious internal staff person trying to hack your system. Obviously this is less dangerous than allowing anyone… still, if you take care of it adequately by sanitising input you reduce risk. XSS attacks can be introduced by adding any JavaScript code to the HTML; this can be in a script tag or even in an onclick HTML attribute…

I recommend that you pose this question to people in the PHP forum, for they are on the receiving end of XSS attacks and can provide the best info and advice for you about it.

Hey @Noppy, so you are not entirely wrong, but the fact remains if someone finds a security hole in your CMS to let them insert JS into your database that wasn’t a web editor, then you still could have an XSS vulnerability occur. Granted, that is a large IF, but there are other factors to consider too. Does your CMS permit non-editors to leave comments? Are those comments stored in your database? Do you sanitize them when writing them as output?

You would not be the first to trust your internal users to not post malicious code when generating an article/publication. If that is where the claim was made, then you can take it for what it is. However, if the person making the claim is making it based on a regular user’s access… that is something you’ll want to close up sooner than later.
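An added example (not code from either reply or from any CMS) showing the distinction the two replies draw: trusted editor markup is rendered as stored, while visitor comments read back from the database are encoded on output so a stored script tag or an onclick attribute stays inert. The row layout and `escapeHtml`/`renderRow` names are assumptions for illustration.

```javascript
// Added example, not code from the thread: output-encode untrusted stored
// content (visitor comments) before it reaches the page, while trusted editor
// HTML is rendered as-is. All data below is constructed for illustration.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escapes a value for the HTML text context and for double-quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample rows as they might be read back from the CMS database.
// "editor" rows hold markup a staff editor added on purpose; "comment" rows hold
// whatever a visitor typed and must be treated as untrusted text.
const rows = [
  { source: "editor", author: "Staff", body: "<p>Welcome <b>back</b>!</p>" },
  { source: "comment", author: 'Bob" onclick="alert(1)', body: "<script>alert(1)</script>" },
];

// Renders one stored row to HTML. The stored-XSS problem the thread describes is
// rendering the comment branch the same way as the editor branch.
function renderRow(row) {
  if (row.source === "editor") {
    // Trusted content: passed through unchanged. This is exactly the exposure
    // the thread discusses if an editor account or the CMS itself is abused.
    return `<article data-author="${escapeHtml(row.author)}">${row.body}</article>`;
  }
  // Untrusted content: encoded on output in both the attribute and the text
  // context, so a stored <script> tag or a smuggled onclick= never executes.
  return `<div class="comment" data-author="${escapeHtml(row.author)}">${escapeHtml(row.body)}</div>`;
}

// Assembles the page fragment from all stored rows.
function renderPage(storedRows) {
  return storedRows.map(renderRow).join("\n");
}

console.log(renderPage(rows));
```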

Hi all,
Thanks for the replies; that confirms my thinking.

Fully agree it’s best not to be complacent though; improvement is continual.

Thanks
