Guides

Guide: From ClickJacking and Self-XSS to XSSJacking

During a penetration testing we may face some input sanitisation issues that can lead to various XSS attacks. However, many times we are not able to trigger these issues and perform an attack with an actual impact. For example, we may find an XSS on a submit form which sends the user’s data with POST requests. Moreover, these data are…

Continue Reading

Exploits

CVE-2017-9420: WordPress Spiffy Calendar v.3.2.0 Reflected Cross-Site Scripting (XSS)

Identification Date: 02/06/2017 Vendor Homepage: http://spiffycalendar.sunnythemes.com/ Software Link: https://wordpress.org/plugins/spiffy-calendar   Description This version of the Spiffy Calendar plug-in is vulnerable to a Reflected Cross-Site Scripting vulnerability in the “yr” parameter due to the lack of proper input handling of the user’s data. An attacker can execute arbitrary JavaScript using a specially crafted URL. Thus, when the victim clicks on the…

Continue Reading