HTML Injection Explained

HTML Injection Explained

Hypertext Markup Language (HTML) injection is a type of injection vulnerability that occurs when a user is able to control an input point such as a search form and is able to inject arbitrary HTML code.. HTML allows web users to create and structure sections, paragraphs, and links using elements, tags, and attributes. However, it’s worth…

Comprehensive Guide to Penetration Tests | Tools, Process & Methods

Comprehensive Guide to Penetration Tests | Tools, Process & Methods

Penetration testing is the process of simulating real attacks on a target to access the risk associated with potential security breaches. This type of simulated environment allows the person performing the assessment to not only discover vulnerabilities, but to also exploit them where possible. Penetration tests, also known as pentest are crucial to organizations because…

The impact of an XSS vulnerability on WordPress: How hackers exploit XSS vulnerabilities to create admin accounts on your blog.

The impact of an XSS vulnerability on WordPress: How hackers exploit XSS vulnerabilities to create admin accounts on your blog.

Every time we disclose a Cross Site Scripting (XSS) vulnerability in a WordPress plugin or theme, we always illustrate the issue with a screenshot similar to this one: Users who aren’t familiar with web security often ask us how a JavaScript messagebox may represent a dangerous threat. The answer is simple: not only JS code can do…

Poisoning the Well – Compromising GoDaddy Customer Support With Blind XSS

Poisoning the Well – Compromising GoDaddy Customer Support With Blind XSS

This is the first part of a series of stories of compromising companies via blind cross-site scripting. As companies fix the issues and allow me to disclose them, I will post them here. Blind cross-site scripting (XSS) is an often-missed class of XSS which occurs when an XSS payload fires in a browser other than…

DOM XSS: An Explanation of DOM-based Cross-site Scripting

DOM XSS: An Explanation of DOM-based Cross-site Scripting

DOM XSS stands for Document Object Model-based Cross-site Scripting. A DOM-based XSS attack is possible if the web application writes data to the Document Object Model without proper sanitization. The attacker can manipulate this data to include XSS content on the web page, for example, malicious JavaScript code. The Document Object Model is a convention used…

WordPress WooCommerce XSS Vulnerability – Hijacking a Customer Account with a Crafted Image

WordPress WooCommerce XSS Vulnerability – Hijacking a Customer Account with a Crafted Image

The FortiGuard Labs team recently discovered a Cross-Site Scripting (XSS) vulnerability in WooCommerce. WooCommerce is an open-source eCommerce platform built on WordPress. According to BuiltWith statistics, WooCommerce is the No. 1 eCommerce platform, owning 22% of global market share in 2018. This XSS vulnerability (CVE-2019-9168) exists in the zoom display of the Photoswipe function, where WooCommerce failed to sterilize an…