Icegram Persistent Cross-Site Scripting

Icegram is a plugin that helps you collect email addresses for your newsletter. Other features include light-box popup offers, header action bars, toast notifications, and slide-in messengers.
Versions and lower are affected by a persistent Cross-Site Scripting in the admin area. This plugin has over 40,000 installations and any attacker with a subscriber account can leverage this vulnerability.
We are not aware of any exploit attempts currently targeting this plugin, but all of our clients behind the website firewall are already protected.
Continue reading Icegram Persistent Cross-Site Scripting at Sucuri Blog.


Application News – Application Security Weekly #68

WordPress Plugin WP Statistics Patches XSS Flaw, Three RCEs in Android’s Media framework, Nine Best Practices For Integrating Application Security Testing Into DevOps, 6 Traits That Define DevSecOps, and much more! News Bugs, Breaches, and More! WordPress Plugin WP Statistics Patches XSS Flaw Three RCEs in Android’s Media framework If you build it, […]
The post Application News – Application Security Weekly #68 appeared first on Security Weekly.


Stored XSS in MyBB

The open source PHP forum software MyBB recently published a new update, version 1.8.21. This is a security release fixing a stored XSS vulnerability in the private messaging and post modules.
What Are the Risks?
Unpatched forums let bad actors send booby-trapped posts or private messages to other users. The injected JavaScript runs in the victim's browser when the post or message is opened, and for as long as that page is open it can do anything the targeted account can, riding on the victim's session.
If an administrator is the target, the script can drive the admin panel with the administrator's own privileges; depending on what the panel exposes, that can reach code execution on the server and hand the assailants full control of the site.
Continue reading Stored XSS in MyBB <= 1.8.20 at Sucuri Blog.


Slimstat: Stored XSS from Visitors

The WordPress Slimstat plugin, which currently has over 100k installs, gathers analytics data for your WordPress website. It records details such as each visitor's browser and operating system and the pages they visit, so you can analyze and optimize site traffic.
Versions below 4.8.1 are affected by an unauthenticated stored XSS that fires on the administrator dashboard.

2019/05/16: Initial disclosure
2019/05/20: Patch released (4.8.1)
2019/05/21: Blog post released

This vulnerability allows any visitor to inject arbitrary JavaScript code into the plugin's access log, which is rendered both on the plugin's access log page and on the admin dashboard index, the default page shown once you log in. Because the data comes from ordinary page requests, no account is needed to plant the payload, and an administrator triggers it simply by logging in.
Continue reading Slimstat: Stored XSS from Visitors at Sucuri Blog.
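The rendering flaw behind both the MyBB and the Slimstat advisories above, as an added Python example (this is not Sucuri's, MyBB's or Slimstat's code, which is PHP): visitor-chosen fields from a constructed access log are replayed into an admin page first without output encoding, then with context-aware escaping plus a URL scheme allow-list. The log rows, the widget and the payloads are all constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample rows such as an analytics plugin might log for each
# visitor (not real traffic). Every field is chosen by the visitor: the
# request path, the Referer header and the User-Agent header.
LOG_ROWS = [
    {"ip": "203.0.113.7", "path": "/about/",
     "referer": "https://example.net/",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0"},
    {"ip": "198.51.100.4", "path": "/?s=%3Cb%3E",
     "referer": "javascript:alert(document.cookie)",
     "ua": "<script>fetch('/wp-admin/user-new.php')</script>"},
]


def render_vulnerable(rows):
    """Dashboard widget that interpolates log fields straight into HTML.

    This is the pattern behind stored XSS from visitors: data supplied by an
    anonymous request is replayed, unescaped, into a logged-in admin's page.
    """
    out = ["<table>"]
    for r in rows:
        out.append(
            f'<tr><td>{r["ip"]}</td><td>{r["path"]}</td>'
            f'<td><a href="{r["referer"]}">{r["referer"]}</a></td>'
            f'<td>{r["ua"]}</td></tr>'
        )
    out.append("</table>")
    return "\n".join(out)


def safe_href(url):
    """Allow only http(s) URLs in an href; anything else becomes a harmless '#'.

    html.escape() alone does not stop javascript:, data: or vbscript: URLs,
    because nothing in them needs escaping, so the scheme is checked first.
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_hardened(rows):
    """Same widget with context-aware output encoding.

    html.escape(quote=True) covers text nodes and attribute values; the URL
    that lands in href additionally goes through the scheme allow-list.
    """
    out = ["<table>"]
    for r in rows:
        out.append(
            f'<tr><td>{html.escape(r["ip"], quote=True)}</td>'
            f'<td>{html.escape(r["path"], quote=True)}</td>'
            f'<td><a href="{safe_href(r["referer"])}">'
            f'{html.escape(r["referer"], quote=True)}</a></td>'
            f'<td>{html.escape(r["ua"], quote=True)}</td></tr>'
        )
    out.append("</table>")
    return "\n".join(out)


def carries_live_payload(rendered):
    """Check used for the comparison: does the page still contain an
    unescaped <script> tag or a javascript: URL inside an href?"""
    low = rendered.lower()
    return "<script>" in low or 'href="javascript:' in low


if __name__ == "__main__":
    print(render_vulnerable(LOG_ROWS))
    print(render_hardened(LOG_ROWS))
```

Note that html.escape() protects the text and attribute contexts but does nothing against a javascript: URL placed in an href, so the referrer needs a scheme check on top of escaping. In a WordPress plugin the corresponding calls are esc_html(), esc_attr() and esc_url(), applied at the point of output rather than at the point of logging.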


XSSCon – Simple XSS Scanner Tool

Powerful, simple XSS scanner made with Python 3.7.

Installing
Requirements: BeautifulSoup4 (pip install bs4), requests (pip install requests), Python 3.7.
Commands:
git clone XSSCon
python3 --help

Usage
Basic usage: python3 -u http://testphp.vulnweb.com
Advanced usage, see help: python3 --help

Roadmap
v0.3B: Added custom options (such as --proxy, --user-agent etc.)
First launched v0.3B Patch: Added support for form method GET

Download XSSCon


Persistent XSS via CSRF in WP Meta and Date Remover

During regular research audits for our Sucuri Firewall (WAF), we discovered a Cross Site Request Forgery (CSRF) leading to a persistent Cross Site Scripting vulnerability affecting 70,000+ users of the WP Meta and Date Remover plugin for WordPress.
Disclosure / Response Timeline:

April 30 – Initial contact attempt
May 07 – Patch is live

Are You at Risk?
This vulnerability requires some social engineering to exploit: the attacker has to get an administrator who is logged in to the WordPress site to visit a page the attacker controls, from which the forged request is submitted with the administrator's session.
Continue reading Persistent XSS via CSRF in WP Meta and Date Remover at Sucuri Blog.


Bashter – Web Crawler, Scanner, And Analyzer Framework

Bashter is a tool for scanning a web-based application. Bashter is very suitable for doing bug bounty or penetration testing. It is designed like a framework so you can easily add a script to detect a vulnerability.

For example, you can add a script like this:
${BASHTER_HOME}/parts/form/yourscript.bash ${WEB-FULLPATH} ${WEB-SOURCECODE}
${BASHTER_HOME}/parts/url/yourscript.bash ${WEB-FULLPATH} ${WEB-SOURCECODE}
${BASHTER_HOME}/parts/header/yourscript.bash ${WEB-FULLPATH} ${WEB-SOURCECODE}
For a sample, you can follow the existing scripts.

Disable Script
You only need to change the extension, for example .bash =>

Default:
Detect Form Input
Detect CORS Misconfiguration
Detect X-FRAME-OPTIONS missing (Clickjacking Potential)
Detect Reflected XSS via URL
Detect Reflected XSS via Form

How to Install:
git clone Bashter/bash setup.bash

Contributors:
Schopath a.k.a Ophan (@panophan)
Suhada (@suhada99)
Abay (@abaykan)

Download Bashter


NAXSI – An Open-Source, High Performance, Low Rules Maintenance WAF For NGINX

NAXSI means Nginx Anti XSS & SQL Injection. Technically, it is a third-party nginx module, available as a package for many UNIX-like platforms. By default the module reads a small set of simple (and readable) rules covering 99% of the known patterns involved in website vulnerabilities. For example, <, | or drop are not supposed to be part of a URI.

Being very simple, those patterns may also match legitimate queries, so it is the Naxsi administrator's duty to add specific rules that whitelist legitimate behaviour. The administrator can either add whitelists manually by analyzing nginx's error log, or (recommended) start the project with an intensive auto-learning phase that automatically generates whitelisting rules from the website's observed behaviour. In short, Naxsi behaves like a DROP-by-default firewall: the only task is to add the ACCEPT rules the target website needs in order to work properly.

Why is it different?
Contrary to most Web Application Firewalls, Naxsi doesn't rely on a signature base like an antivirus, so an "unknown" attack pattern does not bypass it the way it bypasses a signature list. Naxsi is Free software (as in freedom) and free (as in free beer) to use.

What does it run on?
Naxsi should be compatible with any nginx version. It depends on libpcre for its regexp support, and is reported to work great on NetBSD, FreeBSD, OpenBSD, Debian, Ubuntu and CentOS.

Getting started
The documentation
Some rules for mainstream software
The nxapi/nxtool to generate rules

Download Naxsi
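An added Python model of the drop-by-default scoring and auto-learning behaviour described above. This is not Naxsi's own code, rule syntax or shipped rule set: the rules, score thresholds, whitelist format and sample requests are all constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    id: int
    pattern: str          # substring to look for, or a regex when regex=True
    regex: bool
    zones: frozenset      # request parts the rule applies to
    var: str              # score counter it feeds, e.g. "XSS"
    score: int


# Toy rule set in the spirit of the text: characters and words that are not
# supposed to appear in a URI or argument. Constructed for illustration; the
# ids, scores and patterns are not Naxsi's shipped rules.
RULES = [
    Rule(1, "<", False, frozenset({"URL", "ARGS", "BODY"}), "XSS", 8),
    Rule(2, "|", False, frozenset({"URL", "ARGS", "BODY"}), "RFI", 4),
    Rule(3, r"\bdrop\b", True, frozenset({"URL", "ARGS", "BODY"}), "SQL", 4),
    Rule(4, "'", False, frozenset({"ARGS", "BODY"}), "SQL", 4),
]

# Constructed check thresholds: a request is dropped once a counter reaches its limit.
THRESHOLDS = {"XSS": 8, "SQL": 8, "RFI": 8}


def _zone_items(request, zone):
    """Return (variable_name, value) pairs for a zone; URL has no variable name."""
    data = request.get(zone, {})
    if isinstance(data, dict):
        return list(data.items())
    return [(None, data)]


def matched_rules(request, whitelist=frozenset()):
    """Return (rule_id, zone, variable) for every rule hit not covered by the whitelist.

    A whitelist entry is (rule_id, zone, variable); variable None means the
    rule is ignored for the whole zone.
    """
    hits = []
    for zone in ("URL", "ARGS", "BODY"):
        for name, value in _zone_items(request, zone):
            for rule in RULES:
                if zone not in rule.zones:
                    continue
                if rule.regex:
                    found = re.search(rule.pattern, value, re.IGNORECASE) is not None
                else:
                    found = rule.pattern in value
                if not found:
                    continue
                if (rule.id, zone, name) in whitelist or (rule.id, zone, None) in whitelist:
                    continue
                hits.append((rule.id, zone, name))
    return hits


def decide(request, whitelist=frozenset()):
    """Drop-by-default decision: sum the scores of the remaining hits per
    counter and block if any counter reaches its threshold."""
    by_id = {r.id: r for r in RULES}
    scores = {}
    for rule_id, _zone, _name in matched_rules(request, whitelist):
        rule = by_id[rule_id]
        scores[rule.var] = scores.get(rule.var, 0) + rule.score
    blocked = any(scores.get(var, 0) >= limit for var, limit in THRESHOLDS.items())
    return blocked, scores


def learn_whitelist(legitimate_requests):
    """Auto-learning: each hit produced by traffic known to be legitimate becomes
    a whitelist entry for that rule in exactly that zone and variable."""
    learned = set()
    for request in legitimate_requests:
        for hit in matched_rules(request):
            learned.add(hit)
    return frozenset(learned)


# Constructed traffic: an editor saving a post with inline HTML (legitimate
# for that form), then two attacks sent after learning has run.
LEGIT = [
    {"URL": "/wp-admin/post.php",
     "ARGS": {"title": "Release notes", "content": "<b>bold</b> text"}},
]
SEARCH_XSS = {"URL": "/", "ARGS": {"s": "<script>alert(1)</script>"}}
SQLI = {"URL": "/", "ARGS": {"id": "1' or 1=1; drop table users"}}

if __name__ == "__main__":
    print("before learning:", decide(LEGIT[0]))
    wl = learn_whitelist(LEGIT)
    print("learned whitelist:", list(wl))
    print("after learning:", decide(LEGIT[0], wl))
    print("search XSS:", decide(SEARCH_XSS, wl))
    print("SQLi:", decide(SQLI, wl))
```

The trade-off the text glosses over is visible once learning has run: rule 1 is now whitelisted for the content argument of that form, so a payload sent in that exact argument is no longer scored, and the application behind the WAF still has to encode that field correctly on output. Learning should therefore run only on traffic known to be legitimate, and the generated whitelist should be reviewed before it goes live.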