Over the course of one week I had the opportunity to audit two hacked WordPress websites. I could quickly discover two vulnerabilities: a Cross Site Scripting, or XSS, in a premium WordPress theme Akal, and a Denial-of-Service in an undisclosed newsletter plugin. This post describes the Akal premium WordPress theme XSS vulnerability.
Continue readingSysadmins of the North
Technical blog, where topics include: computer, server, web, sysadmin, MySQL, database, virtualization, optimization and security
Tag: XSS
prettyPhoto DOM based XSS on Saotn.org… This evening, after tweeting about preventing cross site scripting vulnerabilities, I received a reply from Olivier Beg. His reply to my tweet contained an image, as you can see above. He alerted me that Saotn.org was vulnerable to a DOM based XSS vulnerability, hidden in prettyPhoto used by my WordPress theme. Whoops! So, I had work to do! But, what is prettyPhoto and what exactly is a DOM based XSS?
Continue readingDefend Against Cross-Site Scripting Using The HTML Encode Shortcuts. The .NET 4.0 & 4.5 frameworks introduced new syntax shortcuts to HTML encode dynamic content being rendered to the browser. These shortcuts provide an easy way to protect against Cross-Site Scripting (XSS) attacks in the newer versions of the .NET framework.
.htaccess to secure your website
In this post I provide you with 7 .htaccess snippets to secure your website, by letting .htaccess act as a kind of Web Application Firewall (WAF). You can use this information to block out exploit- and rogue HTTP requests on your website.
Continue readingPopular posts
-
Remove IIS Server version HTTP Response Header
-
List all SPNs used in your Active Directory
-
Disk Cleanup in Windows Server
-
PowerShell return value, exit code, or ErrorLevel equivalent
-
5 Extra ways to clean up disk space in Windows Server
-
Tunnel RDP through SSH & PuTTY
-
Fatal error: Uncaught Error: [] operator not supported for strings – PHP 7.1
-
"The length of the URL for this request exceeds the configured maxUrlLength value"
-
MySQL InnoDB performance improvement: InnoDB buffer pool instances – Updated!
-
WsusPool keeps crashing: stops again and again
Proudly hosted by
© 2020 Sysadmins of the North
Theme by Anders Noren — Up ↑