All posts tagged Cross-site Scripting

Web Application Attack and Audit Framework

by Ian Dunn

Tony Perez recently wrote about the Web Application Attack and Audit Framework (W3AF), which is a tool you can use to scan a website for various vulnerabilities, like XSS and SQL injection. You can watch a demo to get a feel for what it does. I think it’s a good thing to run during the testing phase, and periodically after you launch. Note: If you’re trying…

Cross Site Scripting Vulnerability in Subscribe2 Plugin

by Ian Dunn

News of the XSS bug in Subscribe2 didn’t show up in any of my RSS feeds or mailing lists, even though it’s a fairly popular plugin, so I wanted to make a note of it in case anyone else missed it. Version 8.2 has a fix for it. Update: It also sounds like an official WordPress mailing list for plugin security notifications is in the works.

WordPress Plugin and Theme Security

by Ian Dunn

Mark Jaquith recently gave a good presentation on writing secure WordPress themes and plugins at Wordcamp Phoenix 2011. The notes are also available. The main points are: Protect against SQL Injection by using the API whenever possible (because it automatically handles data sanitization). If the API can’t do what you need, use $wpdb->prepare(). Protect against Cross-site Scripting by sanitizing any output with esc_html(), esc_url(),…