XSS has been in the news quite a bit the past few weeks (see XSS Vulnerability Affecting Multiple WordPress Plugins, Critical Persistent XSS 0day in WordPress).
What is it and how does it cause problems? What can you do to stay safe?
XSS stands for Cross Site Scripting. Exploiting a site through an XSS vulnerability is not new, and it is one reason why many tech people have an unfavourable view of JavaScript. Strictly speaking, though, the fault is not the language but the site that lets untrusted input become part of its pages.
Ok, that wasn't very informative. What does it really mean? Web code runs in one of two places: on the web server (aka server side) or in the visitor's browser (aka client side). Server side code is the traditional workhorse; for example, this is where the contact form actually gets processed and sent. Client side code, usually JavaScript, is very often the pretty extras, such as the popup window asking you to fill out that contact form. An XSS vulnerability exists when a site takes something a visitor submitted (a comment, a search term, a URL parameter) and puts it into a page without encoding it, so that an attacker's own client side script ends up running in other visitors' browsers as if it were part of your site.
The 0day XSS bug fixed on Monday took advantage of how comments were stored in the WordPress database and of how modern web browsers try to be helpful and clean up broken HTML, for example by closing tags that were left open. Because a comment is stored and then served to everyone who views the page, this is a persistent (stored) XSS: every visitor who loads the page gets the payload. Someone could submit a comment that, depending on how the site was configured, could have caused some very large issues, including infecting site visitors with malware or injecting SEO spam into the site.
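Here is what the encoding step looks like in practice. This is an added example written for this post, not code from WordPress or from the articles linked above: a constructed comment string is rendered the unsafe way (raw concatenation into markup) and the safe way (HTML-encoded first). The function names, the sample comments and the `alert()` probe are all made up for the illustration.

```javascript
// Added example for this post (not code from WordPress or the original
// article). Names, sample comments and the alert() probe are all made up.

// Encode the five characters that can change meaning inside HTML. This is
// the server-side step that turns an attacker's tags into inert text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the stored comment is dropped straight into the markup, so
// whatever the commenter typed becomes part of the page's HTML.
function renderCommentUnsafe(comment) {
  return '<li class="comment">' + comment + '</li>';
}

// Hardened: the comment is encoded first, so it can only ever be text.
function renderCommentSafe(comment) {
  return '<li class="comment">' + escapeHtml(comment) + '</li>';
}

// Crude check used only for this demonstration: does the output contain a
// tag the browser would actually parse as a <script> element?
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample comments: one benign, one carrying a script probe.
const benignComment = 'Nice post, thanks!';
const hostileComment = '<script>alert("xss")</script>';

for (const comment of [benignComment, hostileComment]) {
  const unsafe = renderCommentUnsafe(comment);
  console.log('unsafe:', unsafe, containsLiveScriptTag(unsafe) ? '<- script would run' : '');
  console.log('safe:  ', renderCommentSafe(comment));
}
```

Run it with `node`. The encoded output never contains a live tag, so the browser has nothing to "helpfully" repair. That property has to be guaranteed on the server side: a client side filter can be bypassed by anyone who sends the request without a browser.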
Could we have avoided this issue in the first place? Very likely yes, but why is beyond the scope of this quick post. We are hearing more about XSS exploits for several reasons, including how quickly information now spreads through social media and the growing number of sites running the affected software.
To stay safe, keep your site backed up and up-to-date. WordPress 4.2.1 was released Monday afternoon specifically to address the XSS 0day vulnerability.
Even with your software kept current, here are two additional quick tips to help keep your site safe:
1. If you were putting it off, now is a great time to do that spring cleaning maintenance: delete unused themes and plugins. Even when deactivated, their code still sits on the server, and a bug in it can often still be reached.
2. Not only should you change passwords every so often, you should limit who can access your site, and how. I have two user accounts: one for site administration and maintenance, and one with a lower level of access (the Author role, in WordPress terms) that can write and publish blog posts but cannot install or update plugins. This matters for XSS in particular: an injected script runs with whatever session you are logged in with, so if it fires while you are browsing as an administrator it can do anything an administrator can do, while an Author session limits the damage. Sure, it's a little annoying to log in with a different account, but that is a trade-off for security.
Want to learn more? In addition to the links above:
WordPress Themes: XSS Vulnerabilities and Secure Coding Practices (Sucuri, October 4, 2012).
Cross-Site Scripting in WordPress: What Is XSS? (tuts+, March 13, 2013).
What is cross-site scripting? (TechRepublic, March 18, 2008).
Here are some additional tips to stay safe from phishing.