Tag: Cross-Site Scripting (XSS)

Web Development and Cybersecurity – Are You Protecting Your Clients?

Cybersecurity continues to be an evolving challenge for website designers and developers. Every day, hackers create new malware strains and perform sophisticated attacks that can devastate client websites.

SiteLock is promoting Cybersecurity Awareness Month and as a web designer or developer, it is imperative that you understand your role in the security of your clients’ websites. Many people assume that you are handling every aspect of the site, including its protection. Because of this, you must take action and understand how to provide that security.

Are you Batting a Thousand when it comes to Website Security?

Cybercriminals are unpredictable. They’ll surprise you by sneaking into your website, executing attacks and harming your data and business. You can think of it like a baseball game, in which the hacker is trying to make it to the next base without getting called out. Secure all your bases by learning a little about how hackers attack your website.

SiteLock Research Team Uncovers WordPress Plugin Vulnerability

The SiteLock Research Team will have many firsts as it develops. This week we’ll discuss the first reported and patched vulnerability the team found, a minor cross-site scripting vulnerability in Testimonial Slider.

The team has been working on putting together a new vulnerability research process. During the creation of this process, we tested a not-so-randomly chosen WordPress plugin, Testimonial Slider. We chose Testimonial Slider for no other reason than that it was a slider plugin, after the recent Revolution Slider exploit.

What Does Testimonial Slider Do?

Testimonial Slider, developed by SliderVilla.com, displays customer testimonials in a responsive slider and has over 10,000 installs. We analyzed version 1.2.1 using SiteLock TrueCode and manual analysis.

This Week in Exploits: What Are XSS Vulnerabilities? Part 2

In last week’s “episode” of ‘This Week in Exploits’, we talked about Cross-Site Scripting (XSS) and specifically reflected XSS vulnerabilities, the most common type of XSS flaw. We now know roughly what an XSS attack is, and some of what a reflected XSS attack does, but why do XSS attacks exist? How can they be used?

How to Secure Your Open Source Platform Website

Open source content management systems (CMS) like WordPress, Joomla! and Drupal have become some of the most popular platforms for creating websites. So much so, in fact, that over 25 percent of the entire internet is powered by WordPress.

Platforms like WordPress are free and have a huge community of users and developers, providing a vast ecosystem of themes and plugins. Unfortunately, because they are so popular, open source platforms are a large target for hackers, and since much of the platform is developed by volunteers, code vulnerabilities may exist.

SiteLock and the WordPress Genericons XSS Vulnerability: What You Need to Know

Earlier this week a security researcher reported a cross-site scripting (XSS) vulnerability in the WordPress icon package, Genericons. Genericons included an HTML file, example.html, which contained the cross-site scripting flaw. The icon package ships with the default WordPress theme, Twenty Fifteen, which gives you an idea of the breadth of the impact.

The XSS vulnerability was DOM (document object model) based, meaning it could potentially control how the browser handles a requested page. The victim would have to be coaxed into clicking a malicious link, which reduces the severity, though the exploit remains widely deployed all the same.

SiteLock and the WordPress 4.2 XSS Vulnerability: What You Need to Know

Recently, a security researcher released a zero-day stored XSS vulnerability in WordPress, meaning it was previously undisclosed and, at the time, unpatched. The vulnerability affected the latest versions of WordPress at release, including 4.2.

The vulnerability involves how WordPress stores comments in its MySQL database. Comments are stored as text and the size of that text is limited to 64 kilobytes, or 64,000 characters. Given a previously approved comment, an attacker could create a malformed comment using approved HTML tags and tack on 64 kb of any character (perl -e 'print "a" x 64000'). The 64 kb of junk is truncated, and what’s left is a malicious comment in the database that runs whenever it’s viewed. What runs is up to the attacker – creating backdoors, stealing credentials, malicious redirects and more.

If you run WordPress, here’s what you need to know.

SiteLock and WP Super Cache XSS: What You Need to Know

A cross-site scripting (XSS) vulnerability was recently revealed in the WordPress caching plugin, WP Super Cache. WP Super Cache converts dynamic WordPress pages into static HTML, which, as you can imagine, is quicker to serve to visitors than a database generated page. Great for high traffic sites, WP Super Cache’s popularity has garnered over a million downloads.

A cookie-based XSS vulnerability was found in wp_cache_get_cookies_values(), which is called to append a unique ID, or key, that WP Super Cache uses to determine which cached pages to serve. Given this, an attacker could request a page with the site’s cookie edited to include an XSS payload; WP Super Cache generates the page, appending the malicious cookie value, and its cached file list page is then served up, exploit and all, stealing the admin’s cookies or performing other mayhem.

Run a WordPress site with WP Super Cache? Here’s what you need to know.

Attention All Bloggers: Beware of Cross-Site Scripting!

With each technological advance, a challenge is created for the unscrupulous hacker. The popularity of blogging software, with all its vulnerabilities, has spawned thousands of malicious cross-site scripting attacks. Hackers have not neglected immense commercial sites. Facebook, PayPal, Hotmail, GMail and Twitter have all had issues with cross-site scripting. Often referred to as XSS, cross-site scripting is a major threat to blogs. Owners of blogs should be aware of the dangers, and what actions must be taken to prevent a cross-site scripting attack on their site.

Blog Vulnerabilities and XSS

Most cross-site scripting vulnerabilities occur in server-side code, while DOM (document object model) based XSS is a method hackers use to exploit vulnerabilities in client-side code. Running antivirus or spyware blockers provides some protection, but not nearly enough to prevent attacks from outside.
