Skip to content

Category: Web Dev

Relating to web design, web programming, web servers, and other web topics

A jQuery 1.x vulnerability exists and no fix is planned

Published by Will Chatham on 5/21/2017

I haven’t seen much talk about this issue around the Internet, so I thought I’d present what I’ve learned for others to be aware of. It mainly has to do with the fact that jQuery 1.x (and 2.x, for that matter) were replaced by 3.x, yet they are still thriving in many, many projects, applications, and websites to this day.

While doing a security review of some code the other day, a retirejs scan informed me that jQuery 1.x contained a Medium vulnerability regarding cross-domain requests in ajax. According to Snyk:

“Affected versions of the package are vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain ajax request is performed without the dataType option causing text/javascript responses to be executed.

Remediation: Upgrade jquery to version 3.0.0 or higher.”

“Upgrading to 3.0.0 or higher seems pretty drastic,” I thought to myself. Well, according to a comment I found on jQuery’s GitHub page, this is actually their stance, and they don’t plan on patching 1.x because it is a ‘breaking change’:

https://github.com/jquery/jquery/issues/2432#issuecomment-290983196

So it would behoove you to upgrade to jQuery 3 if you don’t want to be susceptible to this vulnerability. The magnitude of that may seem rather staggering if you consider all the projects across just about everything (WordPress plugins, Drupal modules, etc etc) that bundle the 1.x version of jQuery, and haven’t updated it in years.

While the vulnerability may not be relevant if you are not making cross-domain ajax calls, this is but one risk that has come to light for which there will be no fix. And it’s not exactly reasonable to assume that developers know they need to avoid that if they intend to use jQuery 1.x.

The longer jQuery 1.x sits in your project, the higher a risk it becomes.

As the impending OWASP Top-10 for 2017 says, “Applications and APIs using components with known
vulnerabilities may undermine application defenses and enable various attacks and impacts.”

Long story short: Keep your bundled libraries up to date!

WordPress Security from WordCamp Asheville 2016

Published by Will Chatham on 8/20/2016

One of the coolest things about WordCamp is that they post videos of each talk and presentation on WordPress.tv for viewing afterwards. It give you the chance to see all the great presentations you may have missed, or to revisit the ones you attended.

With so many WordCamps happening all over the world, it is a great resource.

My presentation from WordCamp Asheville 2016, titled WordPress Security: Don’t Be a Target, is now live on WordPress.tv.

Speaking at WordCamp Asheville – June 3 – 5, 2016

Published by Will Chatham on 5/3/2016

Tickets are on sale for WordCamp Asheville, and I hope many of you will come. This is my first opportunity to attend WordCamp, and I’ll actually be getting to speak at it. Come check it out if you are attending.

My presentation will be about WordPress security, how to make yourself less of a target, and how to harden your WordPress website against hackers using freely available tools.

Come say Hi if you attend!

A Well-Oiled Website Is the Key to Corporate Success

Published by Will Chatham on 3/9/2016

Promoting a business was never an easy task in the past. Since the introduction of modern technology and the internet and the major applications it has for business, promotion is now and even bigger task due to the number of factors a business owner has to consider. For instance, you now need to worry about web hosting, software development, eCommerce, social media and search rankings.

However, most of this can be generalised and referred to as your website. Your website is essentially the first thing that people see when they Google your business or search for you on the internet, so it better be damned good and make a great first impression if you want people to actually visit your website more often to increase exposure.

Creating a great website is easy if you just hire a freelancer or outsource the work. However, that doesn’t mean it will always stay good. Websites have to change and evolve depending on their audience or the business that runs them which is why many large corporations have in-house web design teams and programmers that work in harmony on a website. This enables the website to constantly change depending on new trends, fads or even design tropes that are popular. It goes without saying that a great website is one of the major components of a successful marketing strategy which ultimately leads to corporate success. If you want to create a website that your viewers will love, then here are a couple of tips for you to follow.

Monitoring performance and user interaction

One of the most important things to consider when running a website is how it feels for your users to interact with. You can’t exactly go to someone and ask them about your website, and you can’t really ask your web development team or friends to check your website and give feedback. You need to get responses from people who actually use your website for its intended purpose, and this can be rather difficult.

This is why companies and web developers turn to application performance management tools. This list of APM tools should give you a rough idea of what APM actually is. But in short, it’s a way to monitor applications that are built either on websites or as independent software packages. You can monitor things such as CPU usage and code performance, meaning your developers can optimise your web services using data collected with an APM tool. It can even track things such as users who are currently using the service and how they are using your web services.

By monitor users and how they utilise your website, you can collect statistics that can be used to improve your business website and propel it into the public spotlight. Although good web design comes from a lot of experience and studying, the only way to stay at the forefront of fantastic web design is to analyse patterns generated with monitoring tools.

Constant updates to increase retention

To keep your users coming back, you need to give them a reason. If they check your online web store and don’t find anything useful, then you need to at least give them a reason to come back in the future. Perhaps you update your store and you get some new items in that you want to show off, or maybe you’re open to suggestions from your potential customers. Whatever changes on your website, it’s a good idea to let people know via mailing lists or even social media. You could even have a suggestions box or a way for visitors to contact you regarding new and future products or content that they want to see.

The idea here is to constantly update your website so that people have a reason to return. By retaining customer attention, they’re more likely to suggest your website or services to other people. Your website might just be a simple front page to your business that shows contact information and services. In this situation, there’s not much you can do to keep people coming back. This is why a lot of company websites have blogs attached to them. These blogs usually contain information about inner workings of the company, the latest industry technologies, or they’re short posts about up and coming products that are written to excite people. These posts are then posted on social media and they’re shared among thousands of people, drawing attention to the website and ultimately attracting more and more exposure.

Keeping your website constantly updated can be difficult if you don’t have much content to write about, but it’s one of the key ways to ensure that you are always ahead of the curve in online marketing.

Get With The Program: Learning To Code

Published by Will Chatham on 2/25/2016

As computers become more omnipresent in our lives, coding knowledge is becoming more and more in demand. With enough programming knowledge you can create your own website, build your own app, develop your own software and even engineer your own hardware. If you’re considering learning to code from scratch, here are the steps you should take.

Choose your language

First you will need to choose your programming language. Different languages are better suited to different applications – for example C++ is good for creating games, Java is good for mobile apps and PHP is specific for web programming. Some languages such as Python are more versatile. Most programmers learn multiple languages – once you know one, the others come more naturally as they rely of the same basic principles.

Take a course

Self-teaching yourself code is possible, although you’ll probably still want a few tips and pointers. Books, blogs, video tutorials and online training courses can be good for learning at home. If you work better with other people, a coding workshop or a short course may be more suitable. You can even hire private tuition.

Experiment

Once you’ve got to grips with the basics, it’s time to start experimenting. From here you can start to build your own code and better understand how to enable certain functions. Use open-source software to research other codes that people have discovered and shared. Try writing your own basic processes from scratch. Soon you will be able to start a full project of your own.

Build your own program

Eventually you will be ready to build your own program. You should start with something basic and work your way up to building a professional program – one that you may or may not wish to commercially sell.

Building something complex may require assembling a team, largely because it will be time-consuming and allocating tasks could speed up the whole process. Before building a program, you should lay out a design document to follow. From here you can start developing until you have a working prototype. This prototype will then need to be tested for bugs. You can get friends and family to test it, or – if you are creating a commercial product – you can hire a test group of professionals and download a test management solution to record any bugs they find. Learning to deal with bugs is a frustrating but essential part of programming.

Eventually, once you have ironed out bugs, you will have a fully-working computer program, which you can try and sell or use as a personal project to put in a portfolio.

Getting paid to code

There are all kinds of avenues you can take from here. You can develop your own software based on your own idea, work freelance turning other people’s ideas into realities or work for a software development company following set projects and a set wage. There are all kinds of areas that you can specify in from web design to PPC marketing to video games development to mobile app development to business software development to creating digital security and protecting against hacks. The world is your oyster.

Are You Putting Your WordPress Site at Risk?

Published by Will Chatham on 3/11/2015

WordPress as a platform has been a solid, secure application over the years. The few times a vulnerability has been found, the WP team has been super-fast to patch it, publicize it, and take care of business.

That said, there are two major areas where WordPress lacks in security:

1. Plugins

2. Administrators

There are so many plugins for WordPress, which is part of what makes it so great. However, those plugins can also present attack vectors, and we see evidence of this almost every day.

It was just revealed that most WP users have very little understanding of the risk they are lending to their own websites. Not updating plugins, not updating WP itself, and not doing backups, are the most easily fixed things that people tend to not do.

This puts WP websites at risk, lets them get hacked, and gives WordPress as a whole a bad wrap.

The survey of 503 WordPress users, which took place online during February this year, revealed that WordPress users are more exposed to security problems than expected. In total, 54 percent of respondents said they updated WordPress between once a week and every few weeks, and yet only 24 percent back their websites up — and only 23 percent have received training in the use of tools such as backup plugins.

ZDNet

On that note, I thought I’d mention that the most popular SEO plugin for WordPress, Yoast’s WP SEO, has a new, major vulnerability in it. GO UPDATE!