Ask Sucuri: What is an XSS Vulnerability?


Question: What is an XSS vulnerability? Should I be concerned about an XSS vulnerability?

XSS (short for Cross-Site Scripting) is a widespread vulnerability that affects many web applications. The danger behind XSS is that it allows an attacker to inject content into a website and modify how it is displayed, forcing a victim’s browser to execute the code provided by the attacker while loading the page.

Generally, XSS vulnerabilities require some type of user interaction to trigger, either via social engineering or by waiting for someone to visit a specific page. That’s why developers often do not take them seriously, but if left unpatched they can be very dangerous.

Security Advisory: Stored XSS in Magento


Security Risk: Dangerous
Exploitation Level: Easy/Remote
DREAD Score: 7/10
Vulnerability: Stored XSS
Patched Version: Magento CE 1.9.2.3, Magento EE:

During our regular research audits for our Cloud-based WAF, we discovered a Stored XSS vulnerability affecting the Magento platform that can be easily exploited remotely. We notified the Magento team and worked with them to get it fixed.

Vulnerability Disclosure Timeline:

  • November 10th, 2015 – Bug discovered, initial report to Magento’s security team
  • December 1st, 2015 – No response from Magento. Requested confirmation of our previous email.
  • December 1st, 2015 – Magento acknowledges receipt of the report.
  • January 7th, 2016 – Requested an ETA; it has been 2 months since the original report.
  • January 11th, 2016 – Magento answers that the patch is ready, but no ETA is available.
  • January 20th, 2016 – Magento releases patch bundle SUPEE-7405, which fixes the issue.
  • January 22nd, 2016 – Sucuri public disclosure of the vulnerability.

Security Advisory: Stored XSS in Akismet WordPress Plugin


Security Risk: Dangerous
Exploitation Level: Easy/Remote
DREAD Score: 9/10
Vulnerability: Stored XSS
Patched Version: 3.1.5

During a routine audit for our WAF, we discovered a critical stored XSS vulnerability affecting Akismet, a popular WordPress plugin deployed by millions of installs.

Security Advisory: Stored XSS in Jetpack


Security Risk: Dangerous
Exploitation Level: Easy/Remote
DREAD Score: 8/10
Vulnerability: Stored XSS
Patched Version: 3.7.1

During a routine audit for our WAF, we discovered a critical stored XSS affecting the Jetpack WordPress plugin, one of the most popular plugins in the WordPress ecosystem.

Vulnerability Disclosure Timeline:

  • September 10th, 2015 – Initial report to Automattic security team
  • September 10th, 2015 – Automattic security team acknowledges receipt of the report and sets a patch date of September 22nd
  • September 28th, 2015 – Patch made public with the release of Jetpack 3.7.1 and 3.7.2
  • October 1st, 2015 – Sucuri Public Disclosure of Vulnerability

Common Website Security Terminology Defined


If you want to keep your website safe, it is important to understand the website security terminology used to describe the causes and effects of hacks. Software vulnerabilities and access control issues are two of the main causes of website infections, and in this post we will define some of the terminology used to describe them. We will also discuss some of the effects of having a hacked website in order to give you a well-rounded understanding of both the symptoms and the consequences.

JetPack and TwentyFifteen Vulnerable to DOM-based XSS

Any WordPress plugin or theme that leverages the genericons package is vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons. So far, the JetPack plugin (reported to have over 1 million active installs) and the TwentyFifteen theme (installed by default) have been found to be vulnerable. The exact count is difficult to determine, but both the plugin and the theme are default installs in millions of WordPress sites. The main issue here is the genericons package itself, so any plugin that makes use of this package is potentially vulnerable if it ships the example.html file that comes with the package.

DOM-based XSS

The XSS vulnerability WordPress is experiencing is very simple to exploit and happens at the Document Object Model (DOM) level. If you are not familiar with DOM-based attacks, the OWASP group explains it well:

DOM-Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the Document Object Model (DOM) “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.

Critical Persistent XSS 0day in WordPress

*Update 2015-04-27*: A patch has been released and made available by the WordPress Core Team in version 4.2.1 – Please update immediately.

Yes, you’ve read it right: a critical, unpatched XSS 0day in WordPress’ comment mechanisms was disclosed earlier today by Klikki Oy.

Who’s Affected?

If your WordPress site allows users to post comments via the WordPress commenting system, you’re at risk. An attacker could leverage a bug in the way comments are stored in the site’s database to insert malicious scripts into your site, potentially allowing them to infect your visitors with malware, inject SEO spam, or even insert a backdoor into the website’s code if the script runs in a logged-in administrator’s browser.

Serious Cross Site Scripting Vulnerability in TweetDeck – Twitter

This morning, as I was logging into various social networks, I was presented with a popup from an XSS on TweetDeck. This obviously set every hair on my neck on fire because it’s obviously not the normal welcome screen.

After some investigation, I found a tweet from one account that I follow which had the following JavaScript code as an example – it should have been harmless, but TweetDeck wasn’t sanitizing the input, which caused the code to execute in the browser.

[Screenshot: 2014-06-11, 9:41 AM]

This is why: someone injected this into their tweet. When you logged into TweetDeck, it triggered the vulnerability:

[Screenshot: 2014-06-11, 9:45 AM]

As you can see, the XSS attack was set to automatically retweet itself via data-action:retweet, causing a chain reaction for anyone who logged into TweetDeck.

This is a very serious security flaw. TweetDeck says they have already addressed the issue:

[Screenshot: 2014-06-11, 9:56 AM]

To be safe though, we recommend logging out of TweetDeck, revoking its access in your Twitter profile, and resetting all connections if you want to continue to use the application.

[Screenshot: 2014-06-11, 9:56 AM]

What is very annoying about this is that you can’t undo the automatic retweet, making it very difficult to remove from people’s timelines. Thankfully, the attack is mostly benign and appears to have been intended more to make a statement than to cause harm, but it’s a clear example of how even the largest applications can be exploited.

WordPress Themes: XSS Vulnerabilities and Secure Coding Practices

As many might imagine, my life revolves around Information Security. If you’re like me, you’re undoubtedly seeing all these new posts talking about insecurities in WordPress themes, specifically a plethora of Cross-Site Scripting (XSS) vulnerabilities. Surprise, surprise, right? Yeah, no, not so much.

WordPress Theme XSS Vulnerabilities

Here are some of the posts I am referring to:

WordPress 3.3 XSS Vulnerability Patched (3.3.1 Released)

We just learned of a reflected XSS vulnerability in WordPress 3.3 via the comments form (wp-comments.php). It is explained in detail here.

According to the disclosing party, the vulnerability can only be triggered via Internet Explorer; our tests led to the same result.

To further note, this is hard to reproduce because it does not get triggered when WordPress is installed via a domain. If you’re running WordPress 3.3, and WordPress was installed via a domain, you’re not vulnerable. (ethicalhack3r)

We do not consider this to be a serious vulnerability; however, we recommend updating to WordPress 3.3.1 since the vulnerability can be used in targeted attacks. More info on the release can be found in the WordPress Codex or via the release post.