Cybercriminals are unpredictable. They’ll surprise you by sneaking into your website, executing attacks and harming your data and business. You can think of it like a baseball game, in which the hacker is trying to make it to the next base without getting called out. Secure all your bases by learning a little about how hackers attack your website.
The SiteLock Research Team will have many firsts as it develops. This week we’ll discuss the first reported and patched vulnerability the team found, a minor cross-site scripting vulnerability in Testimonial Slider.
During the creation of the team’s new vulnerability research process, we tested the process on a not-so-randomly chosen WordPress plugin, Testimonial Slider. We chose Testimonial Slider for no other reason than it was a slider plugin after the recent Revolution Slider exploit. Testimonial Slider, developed by SliderVilla.com, displays customer testimonials in a responsive slider and has over 10,000 installs. We analyzed version 1.2.1 using SiteLock’s TrueCode and manual analysis.
In the world of websites, hackers have a variety of tools to intrude on people’s domains. These hacks, which take advantage of vulnerabilities in a site’s code, are categorized by projects like the OWASP Top Ten. According to the OWASP assessment, the top three most common attacks are: Injection, Weak Authentication and Session Management, and Cross-Site Scripting, known as XSS. As new vulnerabilities are discovered, we can still see that a large portion of them are XSS-related vectors.
Open source content management systems like WordPress, Joomla and Drupal have become some of the most popular platforms for creating websites. So much so, in fact, that 17% of the entire internet is hosted on WordPress.
Platforms like WordPress are free and have a huge community of users and developers, providing a vast ecosystem of themes and plugins. Unfortunately, since they’re so popular, open source platforms are often a large target for hackers, and since much of the platform is developed by volunteers, code vulnerabilities may exist.
Earlier this week a security researcher reported a cross-site scripting (XSS) vulnerability in the WordPress icon package, genericons. Genericons included an HTML file, example.html, which had the cross-site scripting flaw. To give you an idea of the broad impact, the icon package is used with the default installed WordPress theme, Twenty Fifteen.
The XSS vulnerability was DOM-based (document object model), meaning it could potentially control how the browser handles a requested page. The victim would have to be coaxed into clicking a malicious link, reducing severity, though the exploit remains widely deployed all the same.
Recently, a security researcher released a zero-day stored XSS vulnerability in WordPress, meaning it was previously undisclosed and, at the time, unpatched. The vulnerability affected the latest versions of WordPress at release, including 4.2.
The vulnerability involves how WordPress stores comments in its MySQL database. Comments are stored as text and the size of that text is limited to 64 kilobytes, or 64,000 characters. Given a previously approved comment, an attacker could create a malformed comment using approved HTML tags and tack on 64 kb of any character (perl -e 'print "a" x 64000'). The 64 kb of junk is truncated and what’s left is a malicious comment in the database which will run whenever it’s viewed. And what can run is up to the attacker – creating backdoors, stealing credentials, malicious redirects and more.
If you run WordPress, here’s what you need to know.
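The truncation problem described above comes from validating one string and storing another. The following is an added example, not WordPress core code: it rejects a comment that would not fit the column and flags stored rows that end mid-tag. The function names are hypothetical, the samples are constructed, and the limit is assumed to be 65,535 bytes, the maximum of MySQL's TEXT type.

```php
<?php
// Added example: hypothetical helper names, not WordPress core code.

// Assumption: the comment column is a MySQL TEXT column (max 65,535 bytes).
const COMMENT_COLUMN_MAX_BYTES = 65535;

/**
 * Return true only if the comment will be stored exactly as validated.
 * strlen() counts bytes, which is what the column limit is measured in.
 */
function comment_fits_column(string $comment): bool
{
    return strlen($comment) <= COMMENT_COLUMN_MAX_BYTES;
}

/**
 * Detection aid for rows already stored: markup that was cut off
 * mid-tag has a final '<' with no closing '>' after it.
 */
function looks_truncated_mid_tag(string $stored): bool
{
    $lastOpen  = strrpos($stored, '<');
    $lastClose = strrpos($stored, '>');
    if ($lastOpen === false) {
        return false; // no markup at all
    }
    return $lastClose === false || $lastClose < $lastOpen;
}

/** Simulate a non-strict database silently cutting the value to fit. */
function simulate_silent_truncation(string $comment): string
{
    return substr($comment, 0, COMMENT_COLUMN_MAX_BYTES);
}

// Constructed samples: an allowed tag, once normal and once padded past the limit.
$normal    = '<a title="hi">link</a>';
$oversized = '<a title="' . str_repeat('a', 70000) . '">link</a>';

var_dump(comment_fits_column($normal));     // short comment passes the guard
var_dump(comment_fits_column($oversized));  // oversized comment is refused before any INSERT

// What the table would hold if the guard were missing:
$stored = simulate_silent_truncation($oversized);
var_dump(looks_truncated_mid_tag($stored)); // truncated row is flagged for review
var_dump(looks_truncated_mid_tag($normal)); // intact markup is not flagged
```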
A cross-site scripting (XSS) vulnerability was recently revealed in the WordPress caching plugin, WP Super Cache. WP Super Cache converts dynamic WordPress pages into static HTML, which, as you can imagine, is quicker to serve to visitors than a database generated page. Great for high traffic sites, WP Super Cache’s popularity has garnered over a million downloads.
A cookie-based XSS vulnerability was found involving wp_cache_get_cookies_values(), which is called to append a unique ID, or key, that WP Super Cache uses to determine which cached pages to serve. Given this, an attacker could request a page with the site’s cookie edited to include an XSS exploit. Super Cache generates the page, appending the malicious cookie payload, and WP Super Cache’s cached file list page is then served up exploit and all, stealing the admin’s cookies or performing other mayhem.
Run a WordPress site with WP Super Cache? Here’s what you need to know.
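The flow described above, a cookie value becoming part of a cache key that is later printed on an admin page, is shown here as an added example that is not WP Super Cache's own code. It puts the unescaped output beside two hardened forms; all function names and cookie names are hypothetical and the sample cookies are constructed.

```php
<?php
// Added example: hypothetical names, not WP Super Cache's own code.

/** Build the part of a cache key that depends on the visitor's cookies. */
function cookie_key_fragment(array $cookies): string
{
    ksort($cookies); // stable order so the same cookies give the same key
    return implode('|', array_map('strval', $cookies));
}

/** BEFORE: the cookie-derived key is written into the admin page as-is. */
function render_row_unsafe(string $file, string $key): string
{
    return "<tr><td>$file</td><td>$key</td></tr>";
}

/** AFTER: both values are HTML-escaped at the point of output. */
function render_row_safe(string $file, string $key): string
{
    $esc = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . $esc($file) . '</td><td>' . $esc($key) . '</td></tr>';
}

/** Storage-side hardening: keep only a digest of the cookie data in the key. */
function hashed_key_fragment(array $cookies): string
{
    return hash('sha256', cookie_key_fragment($cookies));
}

// Constructed request cookies; the second value carries markup.
$cookies = ['wp_lang' => 'en', 'comment_author' => '<i>injected</i>'];
$key = cookie_key_fragment($cookies);

echo render_row_unsafe('index.html', $key), "\n"; // markup reaches the page as HTML
echo render_row_safe('index.html', $key), "\n";   // markup is displayed as text
echo render_row_safe('index.html', hashed_key_fragment($cookies)), "\n";
```

Escaping at output protects the admin page even when a tainted key is already on disk; hashing keeps request-controlled text out of the key in the first place.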
With each technological advance, a challenge is created for the unscrupulous hacker. The popularity of blogging software, with all its vulnerabilities, has spawned thousands of malicious cross-site scripting attacks. Hackers have not neglected immense commercial sites. Facebook, PayPal, Hotmail, GMail and Twitter have all had issues with cross-site scripting. Often referred to as XSS, cross-site scripting is a major threat to blogs. Owners of blogs should be aware of the dangers, and what actions must be taken to prevent a cross-site scripting attack on their site.
Blog Vulnerabilities and XSS
Most cross-site scripting vulnerabilities occur in server-side code, while DOM (document object model) is a method used by hackers to exploit vulnerabilities in client-side code. Running antivirus or spyware blockers provides some protection, but not nearly enough to prevent attacks from outside.