Anatomy of an XSS Attack
Malicious computer attacks can happen to any business at any time. If you think that your business is safe from hackers, viruses, or corrupt code, you’re wrong. In fact, that type of thinking gives you a false sense of security. You must be vigilant in monitoring your essential systems, whether it’s your email server, your web applications, or anything in between. One of the largest attack vectors is XSS attacks.
Hackers exploit vulnerabilities when they find them. These attacks are often automated and will indiscriminately exploit these vulnerabilities.
Potential security breaches must stay at the forefront of your mind to prevent data theft, fraudulent scams, or phishing schemes. This not only protects your organization but your clients and website users too.
Whether you’re in the IT department or you’re a business owner, it’s important to understand that the threat of an attack is a legitimate, ongoing concern. Educating yourself on potential security threats is the best way to arm your business against attackers. Here, we’ll explore one particular recent WordPress plugin attack and learn some key strategies for protecting your business from similar threats.
XSS Attacks
Cross-site scripting (XSS) is a common type of computer security attack. It allows malicious code to enter into web pages and applications viewed by the site’s users. XSS targets the business’ web users, rather than the application or site itself.
XSS attacks are often a way for hackers to sneak past access controls like the same-origin policy. This policy keeps malicious code from making its way from one page’s sensitive data to another. With an XSS attack, hackers can bypass this security policy to gain access to a web application’s users and corrupt their system or steal valuable data.
The number of WordPress sites is increasing rapidly as more businesses are using the popular platform. For all it’s benefits, WordPress isn’t immune to the threat of attack, and XSS attacks are among the most common.
For hackers, there are many reasons to execute an XSS attack, including data theft, phishing scams, and highjacking user’s sessions to leach their personal information.
WP Live Support Chat Plugin: An XSS Attack Case Study
WP Live Support Chat is a free plugin that allows WordPress sites to offer a chat feature on their site. Twice recently, WordPress had to issue patches for WP Live Support Chat to safeguard users after several XSS flaws were discovered.
If your business runs one of the 60,000 sites that use the WP Live Support Chat plugin, this is critical news. If you don’t use the plugin, it’s important to understand the issue so you are prepared to handle another XSS attacks.
In the WP Live Support Chat plugin case, the XSS attack allowed unauthenticated users to insert JavaScript payloads into the websites it targeted.
According to John Castro from Sucuri (the group that discovered the plugin flaw), “Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites. The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.”
The WP Live Support Chat flaw existed because of an unprotected hook in the plugin. A hook is a function that can be applied to a filter or action. In this case, the unprotected hook was triggered when users accessed the admin area of WordPress. This meant that the attacker didn’t require authentication to gain access.
Beyond WP Live Chat Support Attacks
It’s not just the WP Live Support Chat plugin that has come under recent XSS attack. The WordPress charitable donation plugin, Give, also experienced a similar flaw. In this case, it meant that donors were able to add code to administrative pages, potentially causing a lot of damage by evil-intentioned attackers.
Without the need for authentication, it’s easy for hackers to launch a wide-spread, automated attack. A flaw like this allows them to insert the fraudulent code and compromise users’ private data and accounts.
XSS attacks are dangerous when the corrupt code infects sections like user comments. In a case like this, any time a user loads that page, the attackers gain access to the user’s browser and personal data.
Protecting Your Business
Savvy businesses don’t wait for an attack to occur to safeguard themselves against security threats. A passive approach does little for offering protection and it opens you up to malicious attacks from any direction. To stay one step ahead of these attacks, there are several things you can do:
Always Stay Up-To-Date
It’s critical to stay on top of updates. When WordPress learned of the flaw, they quickly issued a new version without the specific flawed hook. Unfortunately, after further investigation, a few other exploits were found. Because of the expanding scope, the WordPress.org security team turned off installs for the plugin until the author addressed all of the issues. The short-term solution, in this case, was to uninstall the plugin. This was an extreme case, and even if you stayed on top of the updates, you would have seen the notice.
Always Require Authentication
For added site security, you’ll want to implement a crossing boundaries policy that requires users to re-enter usernames and passwords before attempting to access personal data or account information.
You can also have your site set up to expire a user’s session if users from two different IP addresses are trying to access the same data at the same time.
These strategies act as additional layers of protection, especially when it comes to protecting your users’ data, whether it’s personal contact information, account details, or credit card information.
Stay Informed
A strong IT team should be up on the latest news in the tech sector. This helps them stay informed on any issues, like the XSS attack on WP Live Support Chat. Flaws like these make news and social media headlines quickly. An observant team is an informed team.
Having your IT staff staying active online provides a constant stream of information about any new developments.
Partner with Professionals
Keep your website protected without tying up all of your IT team’s resources by working with a professional website development group. At Pixel Jar, we focus on developing and implementing fantastic websites for our clients, and WordPress is our specialty.
Our team is available for consulting, development, optimization, and ongoing support of your site. We keep up to date on security issues and will harden your site against malicious attacks. We also partner with security companies to put the right plan in place for your project.
