How Cybersecurity works
Cybersecurity

How Cybersecurity works:  Cross-Site Scripting and vulnerability disclosure.

Since 2001, Open Web Application Security (OWASP) team has been helping cybersecurity professionals, programmers, and business owners protect websites against hackers. The non-profit organization is comprised of more than 32,000 volunteers around the globe. They are responsible for putting together excellent tools, research, and materials, like the OWASP top 10.  If you want to understand how to protect your website from attack, their Top 10 list is an excellent place to start.  

The OWASP top 10 isn’t a static document.  The team monitors the items on the list and helps us all keep up with what website hackers are doing.  Their most recent version came out in 2021.  The previous version came out in 2017.  The newest version has some new categories and some revisions of categories from the 2017 version.  That’s just OWASP helping to keep our websites safe.  

In the 2021 version, category 3 of 10 is A03:2021 – Injection.  There are several subcategories of AO3, but today we’re going to focus on an attack path known as XSS or Cross Site Scripting. 

Another website you should be aware of if you’re trying to protect your business on your own is cwe.mitr.org  CWE stands for Common Weakness Enumeration.  This is a community-driven list of hardware and software vulnerabilities that may impact your company’s security.  CWE assigns a number to each class of vulnerability.  Cross Site Scripting (XSS) is known as CWE-79.  

So what is Cross-Site Scripting?

The best definition I have found comes from the OWASP  Webpage, and it says:

“Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end-user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.”

The simplest non-technical explanation comes from the FOSSA website:  “An attacker tricks the browser to misinterpret malicious code as user input.”

So that was a lot.  Let’s summarize.  XSS is an attack where a web server accepts some kind of input from the user.  It might be a web contact form, typing directly into the URL bar in the browser, or a search form on the site (among other things).  The web server doesn’t validate the user’s input – it doesn’t check to ensure that the input it got was what it was looking for.  In that case, an attacker can input code, and the webserver may run that code.  If it does, the attacker can potentially take control of the website.

A Word About WordPress

WordPress is a very popular Content Management System (CMS) for websites.  It allows people to focus on creating the content of their websites without knowing a lot of code and technical details.  One of the cool things about WordPress is that you can use what are known as plugins to do various things on your website very simply and easily.  There are WordPress plugins for everything you could imagine.   It’s a great system, but it does have one inherent flaw.  While some developers write multiple plugins, in other cases, each plugin is written by a different developer.  That means you could add numerous vulnerabilities to your website using these plugins.  The WordPress community tries to keep an eye out for problems, but they can only do so much.  If a vulnerability is found in a plugin, it’s up to the developer to fix it, and if they don’t, well, your website is at risk.  

Most plugin developers are pretty good about fixing problems when they are brought to light.  That’s one advantage of community-driven software.  The community tends to police itself, and weak coders aren’t around for long.  But even good coders can make mistakes, and that’s exactly what happened in August-September of 2021.  A vulnerability was detected in a  WordPress Plugin called under construction which, at the time, had been installed on over 80,000 websites.  This case study is instructive in helping to show how software vulnerabilities get brought to light and resolved. 

What Happened

WordFence is an excellent WordPress security plugin. We use it, and we strongly recommend that if you have a WordPress website, you should use it too.  Get the paid version. The real-time threat intelligence and immediate access to new firewall rules that come with it are worth the money.  WordFence, besides being a great plugin, has a great security team behind it.  Their analysts and researchers actively hunt for threats that will impact your website and work to fix them.

Their excellent security team uncovered the XSS vulnerability in the UnderCostrcution plugin that we’re talking about in this article.  We’ll talk about the timeline on that in a moment.  First, we need to understand how vulnerability disclosure works.

When a hacker discovers a vulnerability, they will often keep it to themselves so that they can exploit it to break into systems.  Often, however, they will develop an exploit for the vulnerability they discovered and sell it on the dark web.  The code they write is often quite valuable, and no one on the hacker side of the equation has any incentive to disclose that vulnerability and get it fixed.

With security teams, however, it’s quite the opposite.  However, when a security researcher finds a vulnerability, they find themselves in a bit of a catch-22.  If they immediately disclose their findings to the public, they are also potentially disclosing it to the hacker community.  Still, getting the information out as quickly as possible is crucial to help protect the public.   So how does this quandary get resolved?

Responsible security researchers will notify the developer that they’ve found the vulnerability and give them a chance to fix it, and put out an update to the application before making their findings public. This way, the vulnerability can be fixed before the hacker community becomes aware of it, if they aren’t already, regardless of whether the developer is a huge corporation like Microsoft or Apple or a small single-person WordPress plugin developer.  That’s why you should always apply patches and updates to your systems and applications when they become available.  If you know there is a patch for a given vulnerability, the hackers know too.  If you don’t patch your systems, the hacker community is looking for you.

The threat intelligence team at WordFence is nothing if not responsible, so when they discovered the XSS vulnerability in the UnderConstruction plugin, that’s exactly what they did.  On August 16, 2021, they let the plugin developers know there was an issue.  They also issued a firewall rule to their paid-version customers that very day.  They waited for two weeks without getting a response from the plugin developers. 

Remember earlier when I mentioned that the community makes a diligent effort to police itself? Well, in software development, reputation is everything.  Whether you are a major software vendor, like Microsoft, or an app developer, your reputation is paramount to your products’ performance in the marketplace.  Software sites like the Google Play Store or the Apple app store actively monitor issues with the apps they host.  In the WordPress world, the WordPress development team does something similar.  So when the threat intelligence team at WordFence didn’t get a response after two weeks, the WordPress plugins team was their very next stop.  They forwarded the issue to the plugins team on August 30, 2021.  The next day on August 31, 2021, an updated version of the UnderConstruction plugin was released to the public. On September 15, 2021, the firewall rule protecting against the XSS issue was released to the WordFence free version users.

Northstarr Recommendations 

If you have a WordPress website, it’s just like any other technology that your business uses.  It needs to be managed, monitored, and maintained.  You should use good tools and technologies.  Security, more so than any other area, is not the place to save a few bucks.  Some people would have you believe that anyone can set up a website; to some extent, that’s true.  Is it an attractive website?  Is it secure?  Is it actively monitored and managed?  In a lot of cases, it isn’t.  Your company’s website is often the first impression your customers get of your business.  Shouldn’t that first impression reflect the quality of your products and services?  It should, and we can help you make that happen.

To find out more about what we do, visit our website or give us a call at (888) 767-2210 to set up an appointment. We look forward to meeting with you!