All posts tagged Cross-site Scripting

Tony Perez recently wrote about the Web Application Attack and Audit Framework (W3AF), which is a tool you can use to scan a website for various vulnerabilities, like XSS and SQL injection. You can watch a demo to get a feel for what it does. I think it’s a good thing to run during the testing phase, and periodically after you launch. Note: If you’re trying… [more]
News of the XSS bug in Subscribe2 didn’t show up in any of my RSS feeds or mailing lists, even though it’s a fairly popular plugin, so I wanted to make a note of it in case anyone else missed it. Version 8.2 has a fix for it. Update: It also sounds like an official WordPress mailing list for plugin security notifications is in the works.
Mark Jaquith recently gave a good presentation on writing secure WordPress themes and plugins at WordCamp Phoenix 2011. The notes are also available. The main points are: Protect against SQL injection by using the WordPress API whenever possible (because it handles data sanitization for you). If the API can’t do what you need, use $wpdb->prepare() with placeholders rather than building the query string yourself. Protect against cross-site scripting by escaping every value at the point of output, with the function that matches the context it lands in: esc_html(), esc_url(),… [more]
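To make those two points concrete, here is an added plugin fragment showing the vulnerable pattern beside the fix for each. It is example code written for this page, not code from the presentation or from WordPress itself, and it assumes it runs inside WordPress (the global $wpdb object and the esc_* functions are available). The table name notes, the request parameters q and next, and the xss_demo_* function names are hypothetical; esc_attr() is a real WordPress core function that the excerpt above does not name.

```php
<?php
// Added example for this page (not from the talk or from WordPress core).
// Assumes it is loaded as a WordPress plugin. The "notes" table and the
// "q"/"next" request parameters are hypothetical.

// --- SQL injection -------------------------------------------------------

// VULNERABLE: the request value is concatenated straight into the query,
// so an id like "1 OR 1=1" or "1 UNION SELECT user_pass FROM wp_users"
// rewrites the statement.
function xss_demo_note_title_unsafe( $note_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'notes';
    return $wpdb->get_var( "SELECT title FROM $table WHERE id = " . $note_id );
}

// FIXED: $wpdb->prepare() with placeholders. %d casts the value to an
// integer and %s is escaped and quoted by WordPress, so the input can
// only ever be a value, never part of the SQL.
function xss_demo_note_title( $note_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'notes';
    return $wpdb->get_var(
        $wpdb->prepare( "SELECT title FROM $table WHERE id = %d", $note_id )
    );
}

// --- Cross-site scripting ------------------------------------------------

// VULNERABLE: a shortcode that echoes a request parameter and a database
// value into the page unescaped. Note that $title is stored XSS waiting to
// happen: whoever wrote that row controls markup on every page that shows it.
function xss_demo_shortcode_unsafe( $atts ) {
    $q     = isset( $_GET['q'] ) ? $_GET['q'] : '';
    $next  = isset( $_GET['next'] ) ? $_GET['next'] : '';
    $title = xss_demo_note_title( 1 );
    return '<p>Results for ' . $q . '</p>'
         . '<a href="' . $next . '">' . $title . '</a>';
}

// FIXED: escape every value at output time, with the function for the
// context it lands in:
//   esc_html() for text between tags (< > & " ' become entities),
//   esc_url()  for href/src values (also drops disallowed schemes such as
//              javascript:, returning an empty string),
//   esc_attr() for other attribute values.
// The value from the database is escaped too; "trusted" storage is not a
// reason to skip output escaping.
function xss_demo_shortcode( $atts ) {
    $q     = isset( $_GET['q'] ) ? $_GET['q'] : '';
    $next  = isset( $_GET['next'] ) ? $_GET['next'] : '';
    $title = xss_demo_note_title( 1 );
    return '<p>Results for ' . esc_html( $q ) . '</p>'
         . '<a href="' . esc_url( $next ) . '" title="' . esc_attr( $title ) . '">'
         . esc_html( $title ) . '</a>';
}
add_shortcode( 'xss_demo', 'xss_demo_shortcode' );
```

The pattern to take away: prepare() is the last line of defense only when no higher-level API function (get_post(), WP_Query, get_option(), and so on) can express the query, and escaping belongs where the value is output, chosen by context, rather than where it is read.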