ChatGPT helped me find a WooCommerce XSS hole
3 by SecurityNoob | 0 comments on Hacker News.
We have a WooCommerce shop and recently hired a developer off Fiverr to write a plugin which adds extra functionality to our shop, allowing customers to write a note next to their orders when they are logged into the ‘My Account’ section of the website. In return, the admin within the admin orders screen (WooCommerce->Orders) can see these customer notes and also reply to them. These notes show within a new column. It’s a cool little plugin. Initially I thought the code was fine, but until I studied it more (I’m rather cautious) I wasn’t going to make it live. I thought I’d let ChatGPT take a look at it: “You are now an infosec specialist. Look at the following code and tell me what’s wrong with it”. ChatGPT pointed me to missing sanitisation checks on the form input where users type messages… I verified this by logging into the site as a customer, placing an order, heading to ‘My Account’ and writing within the note box a script to simply pop up an alert box saying “XSS”… (not very creative). I then hit send. On the admin side, I refreshed the Orders screen and boom - an alert box opens. 100% XSS attack success. So thanks to ChatGPT, I managed to find and remedy poor sanitisation checks on user supplied input. I went back to Fiverr and showed the coder screenshots of the XSS attack on the admin screen of our site. Now we are in an argument because he refuses to see why it’s such a big deal and that it’s only text being shown (I think he is referring to the “XSS” which pops up). No matter how much explaining I give, this Fiverr coder cannot accept that user injected JavaScript on our ADMIN ORDERS screen is a massive gaping security issue. Am I being over-dramatic here? He says with his 10 years coding, he knows better than me. What worries me is that this guy is a top rated WooCommerce coder. Am I living on another planet or is he?
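The defect the post describes, shown as an added example in plain WordPress/WooCommerce PHP (this is not the Fiverr plugin's code): the unescaped column renderer that lets a customer-supplied note execute in the admin's browser, next to the hardened version that sanitises on input, checks order ownership, and escapes on output. It assumes the classic `shop_order` post-type column hooks; the meta key `_customer_order_note`, the form field `customer_note` and the `example_` function names are made up for the example.

```php
<?php
// Added example, not the plugin from the post. Assumed names: meta key
// '_customer_order_note', form field 'customer_note', classic shop_order hooks.

// --- Input side: store the note only after verifying the customer owns the order.
function example_save_customer_note() {
    if ( ! isset( $_POST['order_id'], $_POST['customer_note'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'save_customer_note' ) ) {
        return;
    }
    $order = wc_get_order( absint( $_POST['order_id'] ) );
    // Ownership check: a logged-in customer may only annotate their own orders.
    if ( ! $order || $order->get_customer_id() !== get_current_user_id() ) {
        return;
    }
    // Sanitise on input: strips tags and control characters, keeps newlines.
    $note = sanitize_textarea_field( wp_unslash( $_POST['customer_note'] ) );
    $order->update_meta_data( '_customer_order_note', $note );
    $order->save();
}
add_action( 'template_redirect', 'example_save_customer_note' );

// --- Output side as the post describes it: an unescaped echo turns stored
// markup into stored XSS that fires when the admin opens the Orders list.
function example_render_note_column_vulnerable( $column, $post_id ) {
    if ( 'customer_note' === $column ) {
        echo get_post_meta( $post_id, '_customer_order_note', true ); // UNSAFE
    }
}

// --- Hardened output: escape at the point of rendering regardless of what was
// stored, so a bypass of the input filter still cannot run in the admin's browser.
function example_render_note_column( $column, $post_id ) {
    if ( 'customer_note' === $column ) {
        $note = get_post_meta( $post_id, '_customer_order_note', true );
        echo nl2br( esc_html( $note ) );
    }
}
add_filter( 'manage_edit-shop_order_columns', function ( $columns ) {
    $columns['customer_note'] = __( 'Customer note', 'example' );
    return $columns;
} );
add_action( 'manage_shop_order_posts_custom_column', 'example_render_note_column', 10, 2 );
```

The second renderer is the one a reviewer would accept: `esc_html()` is what makes the admin see the literal text of the note rather than have it interpreted as HTML, which is the distinction the post's developer is missing.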