• Hello,

    I applied for the Thuiswinkel.org certificate. I have now received their feedback, and my website is rated as not secure for the two reasons below.

    Can anyone help me with this?

    Reason 1:
    Threat
    XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application
    might include the user’s name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain
    characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim’s Web browser.
    The XSS payload is echoed in HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by
    the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.
    Impact
    XSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web
    application itself. An exploit can lead to theft of the user’s credentials and personal or financial information. Complex exploits and attack scenarios are possible via
    XSS because it enables an attacker to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript,
    Flash and Java applets) can be used to as a part of a compromise.
    Solution
    Filter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers.
    Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or
    JavaScript.

    Reason 2:
    (The report text for reason 2 is identical to reason 1: the same Threat, Impact and Solution paragraphs.)

    The page I need help with: [log in to see the link]
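    The scanner's "Solution" paragraph says that any client-supplied data shown on a page must be HTML-encoded. The PHP snippet below is an added illustration of that fix for a contact page, not code from the poster's site or from WordPress itself: it shows the pattern the scanner flags (input written straight into the response) next to the encoded version for both a text context and an attribute context. The function names and the sample input are assumptions made for the example.

```php
<?php
// Added example (not the poster's or WordPress's own code): a contact page that
// echoes the submitted name back to the visitor. First the pattern a scanner
// flags as reflected XSS, then the same output with HTML encoding applied.
// Function names and the sample input are assumptions for illustration.

declare(strict_types=1);

// Vulnerable pattern: user input is concatenated straight into the HTML
// response, so any markup or quotes in the input become part of the page.
function render_greeting_unescaped(string $name): string
{
    return '<p>Thank you for your message, ' . $name . '!</p>';
}

// Encode for the HTML body context. ENT_QUOTES also encodes single quotes,
// so the same helper is safe inside double- or single-quoted attributes.
function esc_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Fixed pattern: the browser now renders the input as literal text.
function render_greeting(string $name): string
{
    return '<p>Thank you for your message, ' . esc_for_html($name) . '!</p>';
}

// Attribute context: the value sits inside a quoted attribute, so the quote
// characters themselves must be encoded as well, which esc_for_html() does.
function render_name_field(string $name): string
{
    return '<input type="text" name="name" value="' . esc_for_html($name) . '">';
}

// Constructed sample input with markup and both quote styles, the kind of
// value a scanner submits to see whether it is reflected verbatim.
$submitted = 'Jan <b>Jansen</b> "O\'Neil"';

echo "Unescaped (markup stays live):\n";
echo render_greeting_unescaped($submitted), PHP_EOL, PHP_EOL;

echo "Escaped (markup shown as text):\n";
echo render_greeting($submitted), PHP_EOL;
echo render_name_field($submitted), PHP_EOL;
```

    Inside a WordPress theme or plugin the equivalent helpers are esc_html() for text between tags and esc_attr() for attribute values, and form input should additionally be sanitized on the way in (for example with sanitize_text_field()). The encoding step is what makes the scanner's reflected test string come back as text rather than as an HTML element.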

  • Moderator Jeroen Rotty (@jeroenrotty), Support Moderator

    Where did/do you get those notices? I checked your SSL certificate and it is simply fine.

  • Dear Jeroen,

    Thank you for your reply.

    I get these notices from Thuiswinkel. They scan my website before they issue a certificate. And this concerns my contact page.

    Today something else strange was added, namely this (I have the most recent update):
    Threat
    WordPress is the most commonly used Content Management System.
    Multiple Vulnerabilities are affecting WordPress prior to 5.4.1:
    CVE-2020-11025 Authenticated Cross-Site Scripting (XSS) in Customizer
    CVE-2020-11026 Authenticated Cross-Site Scripting (XSS) in File Uploads
    CVE-2020-11027 Password Reset Tokens Failed to Be Properly Invalidated
    CVE-2020-11028 Unauthenticated Users View Private Posts
    CVE-2020-11029 Cross-Site Scripting (XSS) in wp-object-cache
    Impact
    Authenticated users could be able to upload malicious files and execute malicious JavaScript.
    For CVE-2020-11027, When a user requested a password reset link, but did not use it and instead reset their password by logging in, the password reset link would
    still be usable.
    For CVE-2020-11028, unauthenticated users can view private posts by manipulating time and date queries.
    Solution
    Upgrade to latest version of WordPress 5.4.1.

    @jeroenrotty, can you help me with this, please?

  • Moderator Jeroen Rotty (@jeroenrotty), Support Moderator

    Not directly; the forums are rather limited in terms of support here. Apart from that, I would ask them whether they can provide more information about those notices. You say yourself, for example, that you are running the latest version of WordPress, but that last notice talks about security issues in previous WordPress versions, so it does not seem to apply.
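    The second finding lists CVEs fixed in WordPress 5.4.1, and the moderator's point is that the notice only applies if the installed version is actually older than that. The PHP snippet below is an added check, not the poster's code or a WordPress tool, that reads the version string from wp-includes/version.php without executing it and compares it with 5.4.1 using version_compare(). The helper names are assumptions, and the file it reads is a constructed stand-in so the snippet runs without a WordPress install; point it at the real wp-includes/version.php to check a live site.

```php
<?php
// Added example (not the poster's or WordPress's own code): confirm which
// WordPress version is really installed and whether the scanner's
// "prior to 5.4.1" finding applies to it.
// Helper names and the temporary file are assumptions for illustration.

declare(strict_types=1);

// Pull the $wp_version assignment out of version.php with a regex instead of
// including the file, so nothing from the web root gets executed here.
function installed_wp_version(string $versionFile): ?string
{
    $source = @file_get_contents($versionFile);
    if ($source === false) {
        return null;
    }
    if (preg_match('/\$wp_version\s*=\s*[\'"]([^\'"]+)[\'"]\s*;/', $source, $m)) {
        return $m[1];
    }
    return null;
}

// True when the installed release is older than the one that fixed the listed
// CVEs. version_compare() treats '5.4' as older than '5.4.1', as intended.
function needs_upgrade(string $installed, string $fixedIn = '5.4.1'): bool
{
    return version_compare($installed, $fixedIn, '<');
}

// Constructed sample standing in for wp-includes/version.php; replace $file
// with the real path (e.g. '/var/www/html/wp-includes/version.php') to check
// an actual installation.
$file = tempnam(sys_get_temp_dir(), 'wpver');
file_put_contents($file, "<?php\n\$wp_version = '5.4';\n");

$version = installed_wp_version($file);
unlink($file);

if ($version === null) {
    echo "Could not read the WordPress version from the file.", PHP_EOL;
} elseif (needs_upgrade($version)) {
    echo "Installed $version is older than 5.4.1: the finding applies, upgrade core.", PHP_EOL;
} else {
    echo "Installed $version is 5.4.1 or newer: the finding does not apply;",
        " ask the scanner how it determined the version.", PHP_EOL;
}
```

    If the file reports 5.4.1 or newer while the scanner still flags the site, the scanner is most likely guessing the version from something it can see from outside (a generator meta tag, a readme, a static asset), which is the extra detail worth asking Thuiswinkel for.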
