XSS Harvest Festival

In the previous post we crafted JavaScript code to exploit a recent XSS vulnerability in WordPress. It displays a fake WordPress login page to the administrator and sends the submitted username and password to the attacker’s host.

In today’s post we learn how to capture the submitted credentials on the server side. We then explore a couple of options for hosting our credential harvester application.

WordpreXSS Exploitation

There are many misconceptions about the potential effects of cross-site scripting (XSS). The usual alert(1) pop-up window fails to demonstrate the potential consequences of XSS to non-security people. See a walk-through of exfiltrating data from a WordPress site by exploiting an XSS vulnerability.

