Since the main cause of XSS is failure to validate/sanitise input, it's not too surprising that such sites would also have a tendency toward more SQL injection vulnerabilities.
Web security still outstandingly mediocre, experts report
Cross-site scripting (XSS) vulnerabilities continue to dominate the list of most common vulnerabilities found in real-world tests. In more than a third (37 per cent) of cases, a website vulnerable to XSS is also vulnerable to a more critical flaw such as SQL injection or improper access control, according to web security …
COMMENTS
-
Monday 7th November 2016 15:39 GMT Alister
By contrast there has been no move away from the ageing TLS 1.0 protocol: 96.1 per cent of web servers still support it, compared with 97 per cent in June 2016. Maintaining compliance with the credit card industry’s PCI DSS standard means those who handle credit card data need to drop support for TLS 1.0 from June 2018.
Very few publicly facing web sites will be prepared to remove TLS 1.0 support whilst a substantial number of visits come from client browsers or operating systems which require it.
We investigated it last month, as a PCI audit highlighted that we still supported it on some of our servers, but an analysis of the client's site traffic showed that nearly 30% of visitors still used browsers which required TLS 1.0 to connect.
I can't see any company whose primary income stream is web based cutting off 30% of their customer base just to be PCI compliant.
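The traffic analysis Alister describes (what share of visitors can only reach the site over TLS 1.0) is straightforward to reproduce from web-server logs if the negotiated protocol is logged. The script below is an added example, not code from the comment or from The Register; it assumes nginx with a custom `log_format` that appends `$ssl_protocol` and `$ssl_cipher` to the standard combined fields, and it ranks each client by the best protocol it ever negotiated, so a browser that can do TLS 1.2 is not counted as "stuck" just because one connection fell back. The log lines are constructed for the example.

```python
import re

# Assumed nginx log_format, added for this example:
#   log_format tls '$remote_addr - $remote_user [$time_local] "$request" $status '
#                  '$body_bytes_sent "$http_referer" "$http_user_agent" '
#                  '$ssl_protocol $ssl_cipher';
# nginx writes "-" for empty variables, so plain-HTTP hits log "- -" at the end.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<proto>\S+) (?P<cipher>\S+)$'
)

# Constructed sample log (not real traffic): seven distinct TLS clients, one
# plain-HTTP client, and one client (.12) that negotiated TLS 1.0 once and
# TLS 1.2 later.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Nov/2016:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.11 - - [07/Nov/2016:10:01:05 +0000] "GET /checkout HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)" TLSv1 AES128-SHA
203.0.113.12 - - [07/Nov/2016:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" TLSv1 AES128-SHA
203.0.113.12 - - [07/Nov/2016:10:02:11 +0000] "GET /cart HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.13 - - [07/Nov/2016:10:03:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1" TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
203.0.113.14 - - [07/Nov/2016:10:03:30 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "curl/7.47.0" - -
203.0.113.15 - - [07/Nov/2016:10:04:12 +0000] "GET /login HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Linux; Android 4.3) AppleWebKit/534.30" TLSv1 AES128-SHA
203.0.113.16 - - [07/Nov/2016:10:05:40 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/54.0" TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305
203.0.113.17 - - [07/Nov/2016:10:06:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X)" TLSv1.1 ECDHE-RSA-AES128-SHA
"""

# Higher rank = newer protocol. SSLv3 included so a legacy hit is ranked below TLS 1.0.
PROTO_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def parse_lines(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def best_protocol_per_client(records):
    """Map client IP -> the newest TLS version that client ever negotiated."""
    best = {}
    for r in records:
        proto = r["proto"]
        if proto not in PROTO_RANK:
            continue  # plain HTTP ("-") or an unknown token: tells us nothing about TLS support
        ip = r["ip"]
        if ip not in best or PROTO_RANK[proto] > PROTO_RANK[best[ip]]:
            best[ip] = proto
    return best


def tls10_only_share(records):
    """Fraction of TLS clients whose best observed protocol is TLS 1.0 or older.

    This is the population that would be cut off by disabling TLS 1.0.
    """
    best = best_protocol_per_client(records)
    if not best:
        return 0.0
    stuck = sum(1 for p in best.values() if PROTO_RANK[p] <= PROTO_RANK["TLSv1"])
    return stuck / len(best)


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LOG)
    print(f"{len(recs)} hits, {len(best_protocol_per_client(recs))} TLS clients")
    print(f"clients that cannot go beyond TLS 1.0: {tls10_only_share(recs):.1%}")
```

Keying on the client address is a rough proxy for "visitor" (NAT and proxies collapse many users into one IP), so for a real decision the same analysis should be run per session or per authenticated account, and the user-agent column kept so the stuck population can be characterised before TLS 1.0 is switched off.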
-
Monday 7th November 2016 18:00 GMT Nate Amsden
Which is one reason why the deadline keeps being extended.
For my org we've been unable to go beyond 1.0 due to a blocking Citrix NetScaler bug I was working with them for 18 months on (unrelated to TLS, but it blocked upgrading). Now they have a fix which is due in early December for public use. Which means immediate deploy to test envs, then production hopefully in late January. Assuming no further blocking bugs are discovered.
Not vulnerable to the major TLS attacks according to SSL Labs though. (Qualys does regular scans to validate we are PCI compliant.)
-
-
Monday 7th November 2016 17:29 GMT Ian 55
How do they know?
"More than 72 per cent of WordPress installs assessed by High-Tech Bridge had default admin panel location and at least one brute-force crackable login/password pair"
Duh, the number that have it at anywhere other than /wp-admin is very low. If you have one WP site, you probably don't know you can change it, while if you have loads, the tool you use to manage them probably assumes /wp-admin.
But it'd be very interesting to know how they know about the crackable login-password pair. Are they just saying 'there's at least one login and all passwords are ultimately brute-forceable given enough millennia' or have they actually cracked them?
-
Monday 7th November 2016 18:04 GMT Nate Amsden
Re: How do they know?
I no longer actively blog but that is where my WP admin is at too. Someone cracked into it earlier in the year somehow (I've never run the vulnerable plug-ins; maybe they compromised one of the admin accounts).
Ended up locking it down by limiting access to the admin to my private VPN. Also deleted all other accounts (it's been 3 years since anyone other than me wrote articles); no issues since, fortunately.
-
Wednesday 9th November 2016 20:24 GMT Ian 55
Re: How do they know?
It turns out that the xmlrpc.php unit has the 'feature' of allowing attackers to test many hundreds of username / password combos in a single call. Obviously, there is no legit use for this, but it's been kept because it's part of the spec. I suspect that's how they got into one of mine.
The only real uses for the unit are the Android/ithing clients and the bloatware that's Automattic's Jetpack plugin. If you need the latter, there's a plugin that only allows access to it from their IP addresses; otherwise, block access to it.
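The amplification Ian describes comes from `system.multicall`: one HTTP request to xmlrpc.php can wrap hundreds of calls to methods such as `wp.getUsersBlogs`, each of which takes a username and password and therefore counts as a login attempt, while a naive rate limiter sees a single request. The script below is an added example, not code from the comment or from WordPress; it builds such a request body with Python's standard `xmlrpc.client`, then parses a body the way a reverse proxy or WAF rule could and counts credential-bearing calls so that a multicall carrying more than a handful of them is rejected. The list of credential-taking methods and their username parameter positions is an assumption for the example and is not exhaustive; the request bodies are constructed.

```python
import xmlrpc.client

# Assumed, non-exhaustive map of WordPress XML-RPC methods that take a
# username/password pair, to the index of the username parameter.
# wp.getUsersBlogs(username, password); most other wp.* methods are
# (blog_id, username, password, ...); blogger/metaWeblog use (appkey, username, password).
CREDENTIAL_METHODS = {
    "wp.getUsersBlogs": 0,
    "wp.getProfile": 1,
    "wp.getOptions": 1,
    "wp.getPosts": 1,
    "wp.getUsers": 1,
    "blogger.getUsersBlogs": 1,
    "metaWeblog.getUsersBlogs": 1,
}


def build_multicall(calls):
    """Serialise a system.multicall request body as an XML-RPC client would.

    `calls` is a sequence of (methodName, params) pairs.
    """
    wrapped = [{"methodName": m, "params": list(p)} for m, p in calls]
    return xmlrpc.client.dumps((wrapped,), methodname="system.multicall")


def _walk(method, params):
    """Yield (method, params) for every leaf call, expanding nested multicalls."""
    if method == "system.multicall":
        inner = params[0] if params and isinstance(params[0], list) else []
        for call in inner:
            if isinstance(call, dict):
                yield from _walk(call.get("methodName"), call.get("params", []))
    else:
        yield method, params


def login_attempts(body):
    """Number of credential-bearing calls in one XML-RPC request body.

    Raises ValueError if the body is not a parseable XML-RPC methodCall.
    """
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:  # expat errors, bad XML-RPC structure
        raise ValueError(f"unparseable XML-RPC body: {exc}") from exc
    return sum(1 for m, _ in _walk(method, params) if m in CREDENTIAL_METHODS)


def targeted_usernames(body):
    """Usernames the request tries to authenticate as (for logging/alerting)."""
    params, method = xmlrpc.client.loads(body)
    names = set()
    for m, p in _walk(method, params):
        idx = CREDENTIAL_METHODS.get(m)
        if idx is not None and len(p) > idx and isinstance(p[idx], str):
            names.add(p[idx])
    return names


def should_block(body, max_attempts=3):
    """Block when a single request carries more login attempts than a legitimate
    client would batch. Unparseable bodies are blocked (fail closed)."""
    try:
        return login_attempts(body) > max_attempts
    except ValueError:
        return True


# Constructed request bodies for the example.
ATTACK_BODY = build_multicall(
    [("wp.getUsersBlogs", ("admin", f"password{i}")) for i in range(500)]
)
LEGIT_BODY = xmlrpc.client.dumps(("admin", "s3cret-passphrase"), "wp.getUsersBlogs")
# A multicall that nests another multicall; both leaf calls carry credentials.
MIXED_BODY = build_multicall([
    ("wp.getOptions", (1, "editor", "x", [])),
    ("system.multicall", ([{"methodName": "wp.getUsersBlogs", "params": ["editor", "y"]}],)),
])

if __name__ == "__main__":
    for name, body in (("attack", ATTACK_BODY), ("legit", LEGIT_BODY), ("mixed", MIXED_BODY)):
        print(f"{name}: {login_attempts(body)} attempt(s), users={sorted(targeted_usernames(body))}, "
              f"block={should_block(body)}")
```

The threshold is deliberately small but above one, because a real mobile client or Jetpack can legitimately batch a few authenticated calls in one multicall. If nothing on the site needs XML-RPC at all, the simpler control Ian suggests, denying access to xmlrpc.php entirely at the web server, removes the attack surface without any parsing.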
-
-
Monday 7th November 2016 22:13 GMT PrivateCitizen
Re: How do they know?
But it'd be very interesting to know how they know about the crackable login-password pair.
Normally it means they have actually cracked them. Generally this is because someone either left the defaults in place or used an easily guessable password (admin, password, pa55w0rd etc.). It's unlikely that the theoretical attack would be noted here.
-
-
Tuesday 8th November 2016 11:05 GMT William 3
Even if their websites are secure
They only ruin it by using advertisements, tracking, and all the other shit that makes it insecure for the users of said website.
This is what happens when you let the unwashed masses onto the Internet.
Wish they'd all fuck off back to watching telly and texting their mates about what's happening in Corrie.