Document Object Model Cross Site Scripting on WordPress

Prathap

Published on

26 Jun 2018

1 min read

Document Object Model Based Cross Site Scripting is an XSS attack. In this vulnerability, the attack payload is executed as a result of modifying the Document Object Model environment in the victim’s browser. The old versions of WordPress allows remote attackers to inject malicious JavaScript code. This code exploits the Document Object Model based cross site scripting vulnerability. Here, the attacker sends an E-mail to the website users with a link. This link is used to exploit the vulnerability. It triggers a script that steals the user’s cookie. The other method is to post a link as comments in social media platforms.

Example

The following is the example code

Select your language:

        <select><script>
        
        document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");
        
        document.write("<OPTION value=2>English</OPTION>");
        
        </script></select>
        …

The above code can be invoked by:-

http://www.some.site/page.html?default=French

A Document Object Model Cross Site Scripting attack can be accomplished by sending the below link to a possible victim.

        http://www.some.site/page.html?default=<script>alert(document.cookie)</script>

    

Impact

The impact include:-

Cross-site scripting.
Possible data breach.

Mitigation / Precaution

This vulnerability can be fixed by:-

Upgrading the WordPress to latest version.

Automated human-like penetration testing for your web apps & APIs

Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Product tour

Written by