Skip to content

billxie22901/CodePath_FBCyberSecurity_Assignment7

BranchesTags

Repository files navigation

Project 7 - WordPress Pentesting

Time spent: 5 hours spent in total

Objective: Find, analyze, recreate, and document five vulnerabilities affecting an old version of WordPress

Pentesting Report

  1. (Required) Vulnerability Cross Site Scripting in Post Comment
  • Summary: Attacker can inject JavaScript via the comment. The script is triggered when the comment is visible.
    • Vulnerability types: XSS
    • Tested in version: 4.1
    • Fixed in version: 4.6
  • GIF Walkthrough:
  • Steps to recreate: Go to homepage. Write <script>alert("XSS")</script> in a comment area. Reload the page.
  • Affected source code: Link 1
  1. (Required) Vulnerability Cross Site Scripting in Post Title
  • Summary: Attacker can inject JavaScript via the Title for new post. The script is triggered when the comment is published.
    • Vulnerability types: XSS
    • Tested in version: 4.1
    • Fixed in version: 4.6
  • GIF Walkthrough:
  • Steps to recreate: Create a new post. Insert <script>alert("XSS)</script> into the title of the post. The script is triggered when the post is published.
  • Affected source code:
  1. (Required) Vulnerability Cross Site Scripting in Audio Insertion
  • Summary: Attacker can inject JavaScript via audio insertion. The script is triggered when the audio is inserted.
    • Vulnerability types: XSS
    • Tested in version: 4.1
    • Fixed in version: 4.2
  • GIF Walkthrough:
  • Steps to recreate:
    • Add 3 audio files to WordPress, make their description <script>alert(document.cookie);</script>
    • Edit a post and add the audio files to the post.
    • Script is triggered when the audio files are added.
  • Affected source code:

Resources

GIFs created with LiceCap.

License

Copyright 2017 William Xie

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published