This Week in Exploits: SiteLock Research Team’s First Published Vuln, More to Come

The SiteLock Research Team will have many firsts as it develops. This week we’ll discuss the first reported and patched vulnerability the team found, a minor cross-site scripting vulnerability in Testimonial Slider.


During the creation of the team’s new vulnerability research process, we tested the process on a not-so-randomly chosen WordPress plugin, Testimonial Slider. We chose Testimonial Slider for no other reason than that it is a slider plugin, picked in the wake of the recent Revolution Slider exploit. Testimonial Slider, developed by, displays customer testimonials in a responsive slider and has over 10,000 installs. We analyzed version 1.2.1 using SiteLock’s TrueCode and manual analysis.


The vulnerability was an authenticated, reflective cross-site scripting (XSS) vuln. TrueCode pointed us to the possible vulnerability in Testimonial Slider’s settings.php file, specifically line 203 and the $curr variable used there.


TrueCode Output


We traced back through the code to find where $curr was set: lines 195 and 196, where it was set to ‘Default’ if another variable, $cntr, was empty, or simply to $cntr if not.


The payoff came in lines 91 and 92, where $cntr was set. If $_GET['scounter'] was set, its value was assigned to $cntr and subsequently to $curr, which is where the reflective XSS vulnerability was.


Settings.php Before Fix


To get a proof of concept, we only needed to pass the XSS string in the scounter GET variable; the result was a document.cookie alert.


XSS Proof of Concept


We reported the vulnerability to the developer and it was fixed within 10 days:


  • 19 Oct 2015 – Notified developer
  • 20 Oct 2015 – Developer responded, ‘We will fix this issue on priority and release an update soon.’
  • 30 Oct 2015 – Developer released version 1.2.2, ‘Fix – Input validation of s-counter on admin panel’


To fix the vulnerability, the developer added code which set $cntr to intval($cntr), which returns 0 when a non-numeric string is passed.


Settings.php After Fix
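As an added illustration (not the plugin’s actual code, which appears only in the screenshots above), the snippet below reconstructs the pattern described in this write-up in stand-alone PHP: a $cntr value taken straight from $_GET['scounter'] flows into $curr and then into the page, and the 1.2.2-style fix coerces it with intval(). The function names, the surrounding markup and the sample inputs are assumptions made so the example runs on its own.

```php
<?php
// Added example, not the plugin's code: a minimal reconstruction of the
// settings-page pattern described in the write-up. The names $cntr, $curr and
// the 'scounter' GET parameter come from the post; the functions and markup
// around them are assumed.

// BEFORE the fix: the query-string value flows to the page unchanged.
function current_slider_before(array $get): string
{
    $cntr = '';
    if (isset($get['scounter'])) {
        $cntr = $get['scounter'];              // untrusted, unvalidated input
    }
    $curr = empty($cntr) ? 'Default' : $cntr;  // the lines-195/196 logic
    // Reflecting $curr into the markup is where the XSS lives.
    return '<p>Current slider: ' . $curr . '</p>';
}

// AFTER the fix (version 1.2.2): intval() coerces the value to an integer,
// so a script string becomes 0 and the 'Default' branch is taken instead.
function current_slider_after(array $get): string
{
    $cntr = '';
    if (isset($get['scounter'])) {
        $cntr = intval($get['scounter']);      // non-numeric input becomes 0
    }
    $curr = empty($cntr) ? 'Default' : $cntr;
    return '<p>Current slider: ' . $curr . '</p>';
}

// Constructed sample inputs standing in for $_GET.
$benign  = ['scounter' => '3'];
$hostile = ['scounter' => '<script>alert(document.cookie)</script>'];

echo current_slider_before($benign),  PHP_EOL;  // a real slider number, rendered as intended
echo current_slider_before($hostile), PHP_EOL;  // the payload is reflected verbatim
echo current_slider_after($hostile),  PHP_EOL;  // coerced to 0, so 'Default' is shown instead
echo current_slider_after($benign),   PHP_EOL;  // numeric input still works after the fix
```

intval() is a good fit here only because a slider counter is genuinely numeric. For free-text values the general fix is to encode on output for the context the value lands in; in WordPress that means helpers such as esc_html() and esc_attr() at the point where the variable is printed.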


We would like to thank for their responsiveness. As the Research Team grows and its processes develop, the team will have more time to analyze more WordPress plugins and will eventually include plugins for other content management systems.

How to Safely Shop Online During Cyber Monday

It’s easy to get wrapped up in the holiday frenzy. With the allure of Cyber Monday markdowns, it’s easy to forget to use proper precautions when shopping online. Everyone expects that all ecommerce sites are safe, but there is always the possibility of getting tricked into visiting a website managed by cybercriminals. Here are a couple of things to be mindful of as you shop online this weekend.


Know the Difference Between a Legit and Phony Website

Cybercriminals build fake retail sites that offer suspiciously good deals. Inevitably, consumers are lured by the deals, and once they enter their personal information (name, address, phone number, and credit card number), hackers will use this information to their advantage. If there’s a specific site you’re looking for, type the URL directly into the browser instead of going through a search engine.


Be Wary of Unfamiliar Emails

Phishing emails are well-crafted emails that trick users into clicking on malicious links or attachments. These emails are designed to steal your personal information, including credit card information, usernames and passwords. Before you click the link or attachment in your inbox, double-check the sender’s email address to ensure it’s a credible source. You can also hover over the link to see if its URL matches the site’s destination listed in the email.


Don’t Click on Sketchy Advertisements

Websites are typically flooded with ads, and this is especially true during the holiday season. As you visit your favorite ecommerce site this weekend, think twice before clicking on that eye-catching ad. Hackers have the ability to place fake ads on legitimate websites, which redirect to malicious sites. To avoid clicking on a harmful ad, take notice of the domain and URL connected to those ads.


Buying gifts for yourself and loved ones should be fun and exciting. If you keep these tips in the back of your mind while you’re shopping online on Cyber Monday, you’ll be saving yourself a lot of trouble in the long run. Let’s make sure we are having happy holidays, not “hacked” holidays.

This Week in Exploits: What Are XSS Vulnerabilities? Part 2

In last week’s “episode” of ‘This Week in Exploits’, we talked about Cross-Site Scripting (XSS) and specifically reflective XSS vulnerabilities, the most common type of XSS flaw. We now know roughly what an XSS attack is, and some of what a reflected XSS attack does, but why do XSS attacks exist? How can they be used?


In brief review, XSS attacks operate by either saving malicious JavaScript onto a site (persistent XSS) or having a web application return JavaScript in response to user input (reflective XSS). In a reflected attack, attackers craft a link or a form that a target will use, so that the vulnerable site ‘responds’ with the attacker’s script. Many end users interact with spam emails, especially well-crafted ones that look legitimate, and this is precisely how attackers use reflected XSS vulnerabilities.


The example below shows an uploaded phishing file being used to steal Outlook logins. A link in a spam email can easily show a fake sign-in page using reflected XSS. Alternatively, a ‘persistent’ XSS attack could inject a fake login page into the site code, saving a hidden phishing page on the site.


Figure 1: Outlook Phishing Page


Phishing pages send the logins captured by these fake login forms to a hacker. Hackers will then test the password/login combination on other sites to see if it has been reused elsewhere. The script below, which swipes logins to a video site and sends those credentials to multiple bad actors, could be hosted on almost any website.


Figure 2: Phishing Script


This phishing example doesn’t require any special target on the vulnerable site; the attacker is merely using the site to ‘bounce’ the fake login to an end user. Hackers often take over sites to use their resources, and using reflected XSS is just another example of a hacker using someone else’s site to conduct their attack.


While persistent XSS attacks can be found and cleaned, reflected XSS attacks don’t create any files, infect any servers, or leave any major evidence of a hack. To see examples of reflected XSS in the wild, a developer would have to be visiting suspicious links or filling out suspect forms. A site owner’s best chance of finding reflected XSS attacks that use their own site is to find and analyze the evidence in the site’s logs.


Reflected XSS is almost always only seen by an end user. A suspicious email with a reflected XSS attack would have a link that leads to the vulnerable site; a strange link, but one to a ‘safe’ source. A confused or unknowing end user could easily fall for a phishing attack, or be hit by a second redirect to a malicious site. And there are many, many spam email campaigns, infected links and phone robocalls, all directing people to malicious sites or phishing links. XSS attacks are one of the many tools in this spam arsenal, and XSS is one of the most common security flaws across the internet’s multitude of websites.


Fixing XSS


XSS vulnerabilities are common, but they are much easier to fix than complex vulnerabilities like CSRF. Without direct signs of malicious activity, reflected XSS is often missed, but if these flaws are known and searched for, they can be patched. As we now know, a threat to your end users is still present as long as the vulnerability exists, and no one wants their own website to be partially responsible for infected computers or stolen logins.


For developers fixing XSS vulnerabilities, there are many filtering methods available in web application software for converting input to safe text. Any user input that can be displayed to a site visitor should be audited and filtered. Sometimes vulnerabilities are created when these methods aren’t applied strictly enough, and patching XSS sometimes requires knowing the ‘best fit’ for the situation. The OWASP Top Ten provides an example sheet of how hackers can slip through mismatched XSS filters, and this sheet is useful for web security audits and web developers alike.
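To make the ‘best fit’ point concrete, here is an added PHP example (not code from the post or from any plugin it mentions) that renders one constructed user value in three output contexts. It shows why a filter matched to the wrong context, strip_tags() applied to a value that lands inside an attribute, lets a payload through, while an encoder chosen for each context does not. The function names and the sample value are assumptions.

```php
<?php
// Added example, not from the original post: the same untrusted value placed in
// three output contexts, with a mismatched filter beside a matched encoder.

// HTML body text or a quoted attribute: encode &, <, >, " and ' as entities.
function enc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript string literal inside a <script> block: JSON-encode and hex-escape
// the characters that could close the literal or the script element.
function enc_js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// URL query parameter: percent-encode everything outside the unreserved set.
function enc_url(string $s): string
{
    return rawurlencode($s);
}

// Constructed input: it contains no tags, so a tag-stripping filter leaves it
// alone, yet it closes a quoted attribute and appends an event handler.
$input = '" onmouseover="alert(1)';

// Mismatched filter: strip_tags() guards body text, not attribute values.
$weak = '<input name="q" value="' . strip_tags($input) . '">';

// Matched encoders: the quote that would end the attribute becomes &quot;,
// the JS literal stays a literal, and the URL stays a single parameter.
$attr   = '<input name="q" value="' . enc_html($input) . '">';
$script = '<script>var q = ' . enc_js($input) . ';</script>';
$link   = '<a href="/search?q=' . enc_url($input) . '">search</a>';

foreach (['weak' => $weak, 'attr' => $attr, 'script' => $script, 'link' => $link] as $label => $html) {
    echo str_pad($label, 7), $html, PHP_EOL;
}
```

Read it as a defender’s checklist: pick the encoder by where the value lands in the page, not by what you expect the input to contain. An audit that finds a filter chosen for the wrong context has found the mismatch the post describes.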


In many cases, vulnerabilities are simply missed during development. In large web applications, it is hard to find and secure every entry-point. SiteLock’s ‘360 Website Malware & Vulnerability Scanning’ includes multiple modules for finding flaws that bad actors can take advantage of. For website owners who don’t have web developers to rely on, SiteLock also provides vulnerability remediation to fix those flaws (and the full scanner suite) through SiteLock INFINITY. Prevention is also a worthy goal, and SiteLock’s TrueShield WAF will block many varieties of attack used on a website.


Don’t Let Cybercriminals Steal the Show—And Your Dough—This Holiday Season

The holiday season is a busy time for online retailers. Unfortunately, it’s also prime time for cybercriminals to attack. As you prepare for the uptick in traffic, don’t let an oversight make you vulnerable to a breach. Instead, get ahead with your website security by knowing what to expect.


Anticipate an Attack

Cybercriminals assume that retailers are caught up in the holiday shopping frenzy and will use this opportunity to take advantage of lax security. Anticipating their behaviors can help mitigate risk and prevent an attack.


Read more…

This Week in Exploits: What Are XSS Vulnerabilities? Part 1

In the world of websites, hackers have a variety of tools to intrude on people’s domains. These hacks, which take advantage of vulnerabilities in a site’s code, are categorized by projects like the OWASP Top Ten. According to the OWASP assessment, the top three most common attacks are: Injection, Weak Authentication and Session Management, and Cross-Site Scripting, known as XSS. As new vulnerabilities are discovered, we can still see that a large portion of these vulnerabilities are XSS-related vectors.

Read more…

SiteLock Ranked No. 85 Fastest Growing Company in North America on Deloitte’s 2015 Technology Fast 500™

Deloitte Fast 500 2015

SiteLock is proud to announce that we’ve been named one of the fastest growing technology companies in North America in the recent Deloitte Technology Fast 500 list! We officially rank number 85 with a 1046 percent growth between 2011 and 2014. In addition, we were also ranked as the number one fastest growing technology company in the state of Arizona.


To read more about this prestigious award as well as see the list in its entirety, click here.

This Week in Exploits: How Browser Security Can Help Website Security

Modern browsers are more than programs used to peruse the web. Browsers are tools used to communicate, develop, conduct financial transactions, and interact with government agencies. This week we discuss browser security and how it can impact website security, because just as a website is the portal to a company’s online presence and resources, a browser is the entryway into a user’s workstation and the data within.

The link between browser security and website security is real, not a conflation of two separate problems. We’ve seen many sites compromised through stolen FTP credentials, and entire company file stores lost to ransomware. Browsers were the likely point of entry in these compromises, and every website owner and web developer is sure to have a browser, likely multiple browsers, on the computer hosting or accessing site files and credentials. Again, the browser is the portal from the open web to the workstation, and we’ll cover the steps necessary to better secure this entry point.


Read more…

Black Friday: The Time for Closeouts, Rollbacks and Cyber Attacks

Black Friday is one of the most anticipated shopping days of the year. Shoppers are up at the crack of dawn to hit their favorite stores. Some will go as far as to camp out at the stores offering the hottest deals while others will avoid the malls altogether by finding the best sales online. Nearly 100 million Americans are expected to take advantage of Black Friday discounts this year. However, these shoppers aren’t the only ones who have been waiting for Black Friday; cyber criminals are just as excited for this big shopping day. Securing your website for the holiday season is one of the best things you can do for your business and your customers.

Read more…

This Week in Exploits: Dispelling the Myth of ‘Why My Site?’

When working to restore customer sites, our teams often hear ‘Why did they hack my site?’ Getting hacked is a violation. It’s a violation of a company’s web properties, or the personal violation of someone’s small business or specialty site. Having the hard work of web development undone, even temporarily, is a difficult experience and SiteLock strives to restore that work as quickly as possible. Our teams are dedicated to this.


This week we’re here to reassure readers that the majority of compromises are not targeted attacks. We will discuss how and why bad actors attack sites, and how to avoid becoming another line in an attacker’s text file of owned sites.


Read more…

Don’t Let Customers Slip Away This Holiday Season

Consumers have endless choices of where to shop this holiday season and your store – whether brick & mortar or online— must stand out. A well-designed, easy-to-use website is critical in cutting through the clutter to attract holiday shoppers and drive them to make a purchase. Unfortunately, the same features that improve user experience and retain customers can leave your website vulnerable to a cyber attack and pose a significant threat to your business.

Read more…
