Document Object Model Cross Site Scripting on WordPress

By
Prathap
Published on
26 Jun 2018
1 min read
Vulnerability

Document Object Model Based Cross Site Scripting is an XSS attack. In this vulnerability, the attack payload is executed as a result of modifying the Document Object Model environment in the victim’s browser. The old versions of WordPress allows remote attackers to inject malicious JavaScript code. This code exploits the Document Object Model based cross site scripting vulnerability. Here, the attacker sends an E-mail to the website users with a link. This link is used to exploit the vulnerability. It triggers a script that steals the user’s cookie. The other method is to post a link as comments in social media platforms.

Example

The following is the example code

Select your language:

        <select><script>
        
        document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");
        
        document.write("<OPTION value=2>English</OPTION>");
        
        </script></select>
        

    

The above code can be invoked by:-

http://www.some.site/page.html?default=French

A Document Object Model Cross Site Scripting attack can be accomplished by sending the below link to a possible victim.

        http://www.some.site/page.html?default=<script>alert(document.cookie)</script>

    

Impact

The impact include:-

  • Cross-site scripting.
  • Possible data breach.

Mitigation / Precaution

This vulnerability can be fixed by:-

  • Upgrading the WordPress to latest version.
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Prathap
Prathap
Co-founder, Director
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
Find surface-level website security issues in under a minute
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.