Plugin: Wordfence Security - Firewall & Malware Scan
Need verification on Possible XSS False positive with ActionNetwork.org

  • Peter La Fond (@myinternetscout) [Resolved]


    Hi Wordfence Support,

    I received an XSS Attack Notification last week (March 7th 2017) originating from an embedded ActionNetwork.org inquiry/petition form. To embed this form on the website, we need to place a script in the text editor. We’d really like to use this service, however I need to verify whether this XSS attack warning is a false positive or not. The error I received states…

    109.199.113.16 (United States)

    Blocked for XSS: Cross Site Scripting in query string: data=<link href=’https://actionnetwork.org/css/style-embed.css’ rel=’stylesheet’ type=’text/css’ /><scrip\xea

    How can I verify whether this is a real XSS attack or a potential vulnerability? Tech support at ActionNetwork.org claims this is a false positive. Thanks for your help. Best regards, Peter

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hey Wordfence folks, this is Jason from Action Network. Happy to help out here however I can to get more detail and get this cleared up! I’m fairly certain it’s a false positive — that stylesheet there is our standard stylesheet for our javascript-based embed code — but I’d need more details to check it out further.

    What you are showing there looks to be intentionally adding JavaScript code (through a tag) to a page. As long as you are logged in as an Editor or Administrator level user when doing that, it wouldn’t be a vulnerability, since users with those roles are permitted to do the equivalent of cross-site scripting (XSS) due to the unfiltered_html capability.

    Thanks for your input WhiteFir. However, I need to get Wordfence’s thoughts on this (since it’s their software that created the warning), and then I need to relay their input to my client. If we don’t hear back from Wordfence soon, the client needs to decide if they trust the Wordfence warning or not. The final decision on this is with the client.

    Hi,
    Yes, this seems to be a false positive detection. I suggest switching the firewall status to “Learning Mode”, then doing the same action you were doing (embedding the code into your post in this case); the firewall will learn to whitelist this action in the future. After that you can revert the firewall status back to “Enabled and Protecting”.

    Thanks.
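As an added illustration (not Wordfence's own code), here is a toy model of the decision the reply above describes: a crude XSS pattern that fires on the quoted query string, and a learned allowlist of (path, parameter) pairs, which is the shape I understand the learning-mode whitelist to take, so the exception covers one request rather than switching the rule off. The path, the sample URLs and the pattern list are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Simplified stand-in for a WAF XSS signature: tags that can load or execute script.
# Real rule sets are far broader; this is only enough to reproduce the hit on the page.
XSS_PATTERN = re.compile(r"<\s*(script|link|iframe|img|svg)\b", re.IGNORECASE)

# Constructed query string from the quoted block message (the trailing byte is dropped).
SAMPLE_BLOCKED_URL = (
    "https://example.org/wp-admin/post.php?"
    "data=<link href='https://actionnetwork.org/css/style-embed.css' "
    "rel='stylesheet' type='text/css' /><script"
)

# Constructed allowlist in the shape learning mode would record after the editor
# repeated the action: (request path, parameter name). The path is a placeholder.
LEARNED_ALLOWLIST = {("/wp-admin/post.php", "data")}


def find_xss_hits(query_string):
    """Return the names of query parameters whose values match the XSS pattern."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    return [name for name, value in pairs if XSS_PATTERN.search(value)]


def evaluate_request(url, allowlist=LEARNED_ALLOWLIST):
    """Classify a request as 'allow', 'block' or 'whitelisted'.

    'whitelisted' means the signature matched, but every matching parameter is
    covered by a learned (path, parameter) entry for this exact endpoint.
    """
    parts = urlsplit(url)
    hits = find_xss_hits(parts.query)
    if not hits:
        return "allow", []
    if all((parts.path, name) in allowlist for name in hits):
        return "whitelisted", hits
    return "block", hits


if __name__ == "__main__":
    # Same payload: blocked before learning, passed afterwards, still blocked elsewhere.
    print(evaluate_request(SAMPLE_BLOCKED_URL, allowlist=set()))
    print(evaluate_request(SAMPLE_BLOCKED_URL))
    print(evaluate_request(SAMPLE_BLOCKED_URL.replace("/wp-admin/post.php", "/")))
```

The third call shows the caveat worth keeping in mind: the learned entry is scoped to one path and parameter, so the same string arriving on another endpoint is still blocked.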

    Hi @myinternetscout
    Since I haven’t heard back from you I am assuming that the instructions helped you solve your issue so I am marking this topic as resolved.

    If however, for whatever reason, you are still experiencing this issue and it is not resolved please respond to the post, which will move it back up the queue, and mark this topic as “not resolved”.

    Thank you.
