top | item 34360201

ChatGPT helped me find a WooCommerce XSS hole

13 points| SecurityNoob | 3 years ago | reply

We have a WooCommerce shop and recently hired a developer off Fiverr to write a plugin which adds extra functionality to our shop, allowing customers to write a note next to their orders when they are logged into the ‘My Account’ section of the website.

In return, the admin within the admin orders screen (WooCommerce->Orders) can see these customer notes and also reply to them. These notes show within a new column.

It’s a cool little plugin.

Initially I thought the code was fine, but I wasn’t going to make it live until I had studied it more (I’m rather cautious).

I thought I’d let ChatGPT take a look at it:

“You are now an infosec specialist. Look at the following code and tell me what’s wrong with it”.

ChatGPT pointed me to missing sanitisation checks on the form input where users type messages…

I verified this by logging into the site as a customer, placing an order, heading to ‘My Account’ and writing within the note box a script to simply pop up an alert box saying “XSS”… (not very creative). I then hit send.

On the admin side, I refreshed the Orders screen and boom - an alert box opens.

100% XSS attack success.

So thanks to ChatGPT, I managed to find and remedy poor sanitisation checks on user-supplied input.

I went back to Fiverr and showed the coder screenshots of the XSS attack on the admin screen of our site. Now we are in an argument because he refuses to see why it’s such a big deal and says that it’s only text being shown (I think he is referring to the “XSS” which pops up).

No matter how much explaining I give, this Fiverr coder cannot accept that user injected JavaScript on our ADMIN ORDERS screen is a massive gaping security issue.

Am I being over-dramatic here? He says with his 10 years coding, he knows better than me. What worries me is that this guy is a top rated Woocommerce coder.

Am I living on another planet or is he?
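To make the bug class concrete, here is a constructed PHP sketch of the two halves of such a plugin, the vulnerable pattern and a hardened version side by side. This is an added example and not the Fiverr plugin from the post (its code is never shown); the `onc_` function names, the `_onc_customer_note` meta key, the form field names and the `onc_save_note` nonce action are all assumptions, and it uses the classic post-type Orders screen hooks (HPOS stores use different hook names).

```php
<?php
/*
Plugin Name: Order Note Column (constructed example, not the plugin from the post)
*/
defined('ABSPATH') || exit;

// --- 1. Customer side: accept the note posted from the My Account form -------
// Assumes the form contains wp_nonce_field('onc_save_note', 'onc_nonce'),
// a hidden onc_order_id field and a textarea named onc_note.

// VULNERABLE pattern: no nonce, no ownership check, raw input stored verbatim.
function onc_save_note_vulnerable() {
    if (isset($_POST['onc_order_id'], $_POST['onc_note'])) {
        update_post_meta((int) $_POST['onc_order_id'], '_onc_customer_note', $_POST['onc_note']);
    }
}

// HARDENED: nonce, login, ownership of the order, length cap, sanitised text.
function onc_save_note_hardened() {
    if (!isset($_POST['onc_order_id'], $_POST['onc_note'])) {
        return;
    }
    if (!isset($_POST['onc_nonce']) || !wp_verify_nonce(wp_unslash($_POST['onc_nonce']), 'onc_save_note')) {
        wp_die('Invalid request.');
    }
    $order = wc_get_order((int) $_POST['onc_order_id']);
    // Only the customer who placed the order may annotate it.
    if (!$order || !is_user_logged_in() || (int) $order->get_customer_id() !== get_current_user_id()) {
        wp_die('Not your order.');
    }
    // sanitize_textarea_field() strips tags and control characters, keeps newlines.
    $note = sanitize_textarea_field(wp_unslash($_POST['onc_note']));
    $note = mb_substr($note, 0, 1000);      // assumed limit: 1000 characters
    $order->update_meta_data('_onc_customer_note', $note);
    $order->save();
}
add_action('template_redirect', 'onc_save_note_hardened');

// --- 2. Admin side: show the note in a new column on WooCommerce -> Orders ----

function onc_add_column($columns) {
    $columns['onc_note'] = 'Customer note';
    return $columns;
}
add_filter('manage_edit-shop_order_columns', 'onc_add_column');

// VULNERABLE: echoes stored meta unescaped. A note of
// <script>alert('XSS')</script> saved by any customer then runs in the
// browser of every admin who opens the Orders list.
function onc_render_column_vulnerable($column, $post_id) {
    if ($column === 'onc_note') {
        echo get_post_meta($post_id, '_onc_customer_note', true);
    }
}

// HARDENED: escape on output no matter what was sanitised on input, so the
// note is rendered as text rather than parsed as markup.
function onc_render_column_hardened($column, $post_id) {
    if ($column === 'onc_note') {
        $note = (string) get_post_meta($post_id, '_onc_customer_note', true);
        echo nl2br(esc_html($note));
    }
}
add_action('manage_shop_order_posts_custom_column', 'onc_render_column_hardened', 10, 2);
```

The point of keeping both halves is that "it's only text" is true only after `esc_html()`; without it the browser parses the note as HTML in the admin's authenticated session. One caveat on the cookie-stealing demo suggested further down the thread: WordPress sets its login cookies with the HttpOnly flag, so a `document.cookie` beacon will not carry the admin session, but injected script can still issue requests to wp-admin as that admin using the nonces already present on the page, which is why the admin-context placement matters.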

11 comments

[+] nocsi|3 years ago|reply
1. Using fiverr for code and expecting something secure/competent

2. ChatGPT just used the most common security pattern, which is to check the input to a program. You could have found the same thing with a security linter

3. What are you going back & forth with the fiverr developer on? Just add in a sanitizer and move on. Presumably you used fiverr to sacrifice on quality in order to save time

[+] SecurityNoob|3 years ago|reply
1. There has to be some gems on there, surely.

2. Never heard of it. Will look into that.

3. Because this guy is coding for other WooCommerce shops, making me worry about other people’s shops - if I was more trusting and naive, I’d have run this on my site. If the dev doesn’t understand security, maybe my intervention could help him and his customers’ businesses.

[+] CommitSyn|3 years ago|reply
Ask him for a demo URL where he tests his plugin, send him a message to grab his admin cookie (don't make it complicated, just make it ping your server with a 1px '/xss.jpg + document.cookie' and check your web logs), set your cookie as his to open his wp-admin and change something. Demonstrate why it's such a big deal since he is clearly a security novice.

And yes, if there's anything I've learned about WooCommerce plugins and WordPress plugins in general, it's to be very careful.

[+] SecurityNoob|3 years ago|reply
Thank you. I didn’t even think of something as simple as cookie stealing.

Here’s what he wrote to me (and his talk of manners would be fair if it were justified - he went on the attack as soon as I said there was XSS in his plugin).

-

“ok

Thanks for the advice, I will try to follow it.

Well, there is nothing about hacking your site with some text, well that is a joke. I will suggest you change your university and, most importantly, learn some manners for talking with unknowns, seniors and anyone in this world.

Education doesn't teach us to earn from it. It teaches us how to behave and live a life without hurting anyone.

I'm a developer and have years of experience, but you are a student and it's your learning stage, not for coding or anything like it but most importantly manners.

Coming back to your words: no one in this world can hack your site through the order notes, nor does anyone want to. Today you are saying to me "joke of coding" without knowing anything; tomorrow you will be the joker of coding, even the joker of computer science.

I have developed for you what you wanted and at that time you agreed on it, and now after a month you learn something new and come back to me to misbehave with me, and I think after 10 years you will again come and say to me something new that will be more interesting.”

[+] JustARandomGuy|3 years ago|reply
I’ve been in and out of the Wordpress ecosystem for almost the last 20 years. Most “developers” on Wordpress/woo commerce/other popular wordpress plugins are very limited in what they can do. Most of them are limited to assembling code fragments from Stack.

I’d trust a Wordpress developer off Fiverr to install and configure a plugin, or adjust themes, but not to code and certainly not to understand security fundamentals.

[+] SecurityNoob|3 years ago|reply
Where would you suggest I go for booking developers of a greater quality?

I wish I had the time to invest in learning it all myself, but I am up to my eyeballs as is.

[+] sergiotapia|3 years ago|reply
You're going hogwild on a fiverr dude. Calm down lol

[+] SecurityNoob|3 years ago|reply
Fair enough if it weren’t a good chunk of money and it weren’t code for a shop which takes money and orders