Over the course of one week I had the opportunity to audit two hacked WordPress websites. I could quickly discover two vulnerabilities: a Cross Site Scripting, or XSS, in a premium WordPress theme Akal, and a Denial-of-Service in an undisclosed newsletter plugin. This post describes the Akal premium WordPress theme XSS vulnerability.
Read More »WordPress advisory: Akal premium theme XSS vulnerability
prettyPhoto DOM based XSS on Saotn.org… This evening, after tweeting about preventing cross site scripting vulnerabilities, I received a reply from Olivier Beg. His reply to my tweet contained an image, as you can see above. He alerted me that Saotn.org was vulnerable to a DOM based XSS vulnerability, hidden in prettyPhoto used by my WordPress theme. Whoops! So, I had work to do! But, what is prettyPhoto and what exactly is a DOM based XSS?
Read More »prettyPhoto DOM based XSS .htaccess to secure your website
Here are 7 .htaccess snippets for you to secure your website, by using .htaccess as a kind of Web Application Firewall (WAF). You can use this information to block exploits and rogue HTTP requests on your website.
Read More »7 Snippets to use .htaccess as a Web Application Firewall