Protecting and Preventing XSS exploits / attacks in WordPress blog Searches
XSS? What is XSS?
Cross Site Scripting, or XSS, is what hackers use to attack websites, or, as Wikipedia puts it:
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. As of 2007, cross-site scripting carried out on websites was roughly 80% of all documented security vulnerabilities. Often during an attack “everything looks fine” to the end-user, who may be subject to unauthorized access, theft of sensitive data, and financial loss.
Test if your WordPress blog is vulnerable to XSS
Recently, I discovered that if you entered code such as
it would run the script. Now, a script that alerts the word hello is not a massive problem, but it proves that the site is vulnerable to XSS attacks!
How to Prevent XSS Exploits and attacks in your WordPress blog (or indeed any website/blog)
For WordPress: log into your WordPress blog, go to Design > Theme Editor, locate the file search.php (alternatively, edit search.php via FTP) and at the very top of the file insert the following code:
<?php
// Prevent any possible XSS attacks via $_GET: abort the request if any parameter
// contains one of these tags, a parenthesised call such as alert(...), or a double quote.
$xss_patterns = array(
    '/<[^>]*script[^>]*>/i',
    '/<[^>]*object[^>]*>/i',
    '/<[^>]*iframe[^>]*>/i',
    '/<[^>]*applet[^>]*>/i',
    '/<[^>]*meta[^>]*>/i',
    '/<[^>]*style[^>]*>/i',
    '/<[^>]*form[^>]*>/i',
    '/\([^)]*\)/',
    '/"/',
);
foreach ($_GET as $check_url) {
    foreach ((array) $check_url as $value) { // ?s[]=... arrives as an array
        foreach ($xss_patterns as $pattern) {
            if (is_string($value) && preg_match($pattern, $value)) {
                echo "there appears to be an error, please press the back button and try again";
                die();
            }
        }
    }
}
unset($check_url, $value, $pattern, $xss_patterns);
?>
(original code by sumit270, from php.net)
For other sites and blogs, put the above code in the PHP file where the search results are displayed. Simple!
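As an added example (not part of the original post or the php.net snippet), the following plain-PHP script runs the same blacklist rules against a probe like the alert('hello') one described above and against an ordinary search query, and puts the raw echo that makes a search.php exploitable beside an HTML-encoded version of the same heading. The function names, the sample queries and the heading markup are constructed for illustration.

```php
<?php
// Added example: the blacklist from the post beside output encoding of the search term.

// Same rules as the filter inserted at the top of search.php.
function looks_like_xss_attempt(string $value): bool
{
    $patterns = array(
        '/<[^>]*(script|object|iframe|applet|meta|style|form)[^>]*>/i',
        '/\([^)]*\)/',   // anything in parentheses, e.g. alert(...)
        '/"/',           // any double quote
    );
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $value)) {
            return true;
        }
    }
    return false;
}

// Vulnerable (hypothetical theme code): the raw search term is echoed into the page,
// so a term containing <script> becomes script that the visitor's browser runs.
function render_heading_vulnerable(string $term): string
{
    return '<h2>Search Results for: ' . $term . '</h2>';
}

// Hardened: HTML-encode the term so the browser shows it as text. WordPress themes
// can use esc_html() for the same purpose; htmlspecialchars() is the plain-PHP call.
function render_heading_safe(string $term): string
{
    return '<h2>Search Results for: ' . htmlspecialchars($term, ENT_QUOTES, 'UTF-8') . '</h2>';
}

// Constructed sample queries: a probe like the one in the post, and an ordinary query
// that happens to contain quotes and parentheses.
$probe  = '<script>alert("hello")</script>';
$benign = 'plugin "contact form" (free)';

// The blacklist stops the probe, but it also rejects the ordinary query (a false positive)
// because of the double quote and the parentheses.
var_dump(looks_like_xss_attempt($probe));
var_dump(looks_like_xss_attempt($benign));

// Encoding neutralises the probe without blocking anyone: the ordinary query renders intact.
echo render_heading_vulnerable($probe), "\n";
echo render_heading_safe($probe), "\n";
echo render_heading_safe($benign), "\n";
```

Running it shows that the filter is a useful tripwire but turns away legitimate searches, while encoding the term at the point where search.php prints it stops the injected markup from executing regardless of what the query contains.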
paul 10:25 am on October 17, 2008
great tip on a common vulnerability. the opening line of code “< ?php” contains a space between < and ? which resulted in a syntax error in my editor. I removed the space for it to work ok now.
Alex 3:17 pm on October 17, 2008
thanks paul for pointing that out, I’ve just fixed the code