Don't Discount XSS Vulnerabilities

Published: 22/11/2024   Category: security




XSS flaws are more serious than you'd think.



Last week's release of the WordPress 4.0.1 update offers a good lesson in vulnerability prioritization for security organizations -- namely that security professionals need to stop underestimating cross-site scripting (XSS) vulnerabilities.
The release notes issued by the WordPress team fixed a number of critical vulnerabilities, including a handful of serious XSS vulnerabilities. Alongside this release, an update of the WP-Statistics plug-in fixed another XSS bug found by Sucuri researchers that could be used to create new administrator accounts, insert SEO spam in blog posts, and perform actions within that site's admin panel. In addition to these flaws, the WordPress crew alluded in their notes last week to a severe XSS flaw in all WordPress versions before 4.0 that was found by the Finnish researcher Jouko Pynnonen. He offered further details about that flaw in the Full Disclosure mailing list last week.
With 86% of WordPress sites still running vulnerable versions, this particular XSS allows attackers to post comments with malicious JavaScript onto WordPress sites that don't authenticate users before they make comments, says Pynnonen, a researcher with the firm Klikki Oy. The malicious code would then execute when it is viewed in a blog, a page, or the administrative dashboard. Pynnonen developed a proof of concept that showed how this could be leveraged to devastating effect.
Our PoC exploits first clean up traces of the injected script from the database, then perform other administrative tasks such as changing the current user's password, adding a new administrator account, or using the plug-in editor to write attacker-supplied PHP code on the server (this impact applies to any WordPress XSS if triggered by an administrator).
These operations happen in the background without the user seeing anything out of the ordinary.
While XSS vulnerabilities and exploits have continued to flourish, many security teams have deprioritized these flaws over the last several years in favor of addressing what seem to be higher-severity SQL injection vulnerabilities. Experts say organizations should be wary of that tactic.
SQL injection vulnerabilities are becoming more and more rare, as well as other high and critical risk vulnerabilities, Ilia Kolochenko, CEO of the consultancy High-Tech Bridge, says in a blog post. At the same time almost nobody cares about medium-risk XSS vulnerabilities, leaving their websites vulnerable. Obviously, hackers benefit from such negligence and use XSS vulnerabilities to achieve their goals. If you close your door, don't forget to close your windows -- otherwise the entire security is at risk.
A report his firm released last week shows that the architecture of more than 70% of web applications allows for well-crafted XSS exploits to perform an automated and layered attack that could ultimately give the attacker root as a result. Meanwhile, 95% of today's XSS vulnerabilities can be used to perform drive-by-download attacks to exploit even the most security-conscious users visiting seemingly harmless URLs.
According to Johannes Ullrich, director of the SANS Internet Storm Center (ISC), as common as XSS vulnerabilities are, they're often underestimated. It doesn't seem like XSS lets attackers directly tap into databases, the way SQL injection does, or doesn't allow code execution on the server, he wrote recently in a SANS ISC blog post. But the truth is that it gives attackers the power to modify HTML on a site, which can ultimately take them down a path of ultimate compromise.
With that, the attacker can easily modify form tags, he wrote, or the attacker could use XMLHTTPRequest to conduct CSRF without being limited by same origin policy. The attacker will know what you type, and will be able to change what you type, so in short: The attacker is in full control. This is why XSS is happening.
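The comment path Pynnonen and Ullrich describe, as an added example that is not code from the article, from WordPress or from the researchers quoted: an unauthenticated comment is stored and later rendered into the blog and the admin dashboard, first by raw concatenation and then with output-time HTML escaping. The sample comments and the list template are constructed; the script in the payload is an inert marker.

```javascript
// Added example, not code from the article, WordPress or the quoted researchers.
// Run with Node.js; no dependencies.

// Constructed sample comments. The second puts markup in the author field and
// a script in the body, the shape of a stored-XSS comment; the script is an
// inert marker, not a working attack.
const sampleComments = [
  { author: "alice", body: "Nice post, thanks!" },
  { author: "<i>mallory</i>", body: "Hi <script>alert(1)</script>" },
];

// Encode the five characters that change meaning in an HTML text or
// double-quoted attribute context. URL, inline-JS and CSS contexts need
// their own encoders; this one is not sufficient for them.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable form: whatever the commenter typed becomes part of the page,
// so the <script> runs for every viewer, including an administrator whose
// dashboard lists the comment.
function renderCommentUnsafe(c) {
  return `<li class="comment"><cite>${c.author}</cite>: ${c.body}</li>`;
}

// Hardened form: every untrusted field is escaped at output time, so the
// browser shows the payload as text instead of executing it.
function renderCommentSafe(c) {
  return `<li class="comment"><cite>${escapeHtml(c.author)}</cite>: ${escapeHtml(c.body)}</li>`;
}

// Regression check for template tests: the rendered output may contain no
// tag other than the ones the template itself emits.
function hasUnexpectedTag(html, allowed = ["ul", "/ul", "li", "/li", "cite", "/cite"]) {
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// The dashboard comment list, rendered with whichever renderer is passed in.
function renderDashboard(comments, renderer) {
  return `<ul id="comments">${comments.map(renderer).join("")}</ul>`;
}
```

Pairing the escaped renderer with the hasUnexpectedTag check in a template test catches the regression the article warns about: a comment list that is escaped on the public blog but not on the admin page.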
