WordPress Security: XSS – Session Hijacking

In Practical Scenarios for XSS Attacks, we know XSS can lead to multiple attack scenarios, today, we will look into detail on how AppCalcium for WordPress Security works.

We will use one real-world WordPress Plugin vulnerability (https://cxsecurity.com/ascii/WLB-2019090152) to study how AppCalcium for WordPress Security works proactively.

Here are steps on how vulnerability can be leveraged.

# Exploit Title: WordPress Plugin Sell Downloads 1.0.86 - Cross Site Scripting 
# Exploit Author: Mr Winst0n 
# Author E-mail: manamtabeshekan@gmail.com 
# Discovery Date: September 09,2019 
# Vendor Homepage: https://wordpress.dwbooster.com/content-tools/sell-downloads 
# Software Link : https://wordpress.org/plugins/sell-downloads/ 
# Tested Version: 1.0.86 # Tested on: Parrot OS, WordPress 5.1.1
# PoC:
1- Go to "Products for Sale" section
2- Click on "Add New"
3- In opend window click on "Add Comment"
4- Fill comment as "/><img src=x onerror="alert()"> or "/><input type="text" onclick="alert()">
5- Click on "Publish" (or "Update" if you editing an existing product)
6- You will see a pop-up (also if click on input), Also if you go to product link will see the pop-up.

When the user browses the product, special comment can be added like below

When other users browse the same product, they can see the comment, and one alert will pop up like this, which indicates the javascript had been triggered, and malicious code can then be launched.

XSS prevention

AppCalcium for WordPress Security scans all request to check XSS attacks when AppCalcium is enabled, the same comment input will be blocked.

The XSS attack has been blocked

We can see the blocking details in the admin console from https://www.oaxon.com.

What if the attacker uses advanced techniques like below to bypass XSS filter technologies?
Let’s assume the attacker is doing a good job and bypassed the XSS filter technologies.

Content Security Protection

AppCalcium for WordPress Security monitors the browser activity and blocks abnormal connection to protect sensitive information leakage.

Let’s change the XSS attach script a little bit, and assume attack want to steal session information and send back to xxx.xxx.com (any website attacker can manage to receive information)

When normal user or administrator opens the product page, the cookie will be sending to xxx.xxx.com (fake).
AppCalcium for WordPress Security learned automatically earlier from trustworthy behaviors, and only allow web connections below:

The attacker’s website xxx.xxx.com will be blocked, and user’s important information is not leaked.

From admin console on htps://www.oaxon.com, we can see the same blocking information with more details:


AppCalcium for WordPress Security leverages BigData and AI to learn what the web application suppose to do, and only allow designed behavior to happen. In this case, AppCalcium’s multi-staged protection successfully blocked attacks proactively.

AppCalcium for WordPress Security can be launched easily from AWS market place: https://aws.amazon.com/marketplace/pp/B07YFFTYDM

Leave a Comment

Your email address will not be published. Required fields are marked *