• Hi guys,
    We all know that many companies choose WordPress for their website, and network security is the most important issue in this era.
    The IT dept. required black-box / white-box testing for the official website.
    My customer's website had passed black-box testing, but not white-box.
    What can we do?
    Is there any way that our website can pass the test?

    • This topic was modified 3 years, 4 months ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not a Requests and Feedback topic
  • Hi @blueblueblu, I find your question interesting, but I'm afraid it is too general to be able to help or propose some potential solutions.

    It would be useful to know which are the concrete security concerns the white-box testing raised.

    Thread Starter blueblueblu

    (@blueblueblu)

    Hi @mmaattiiaass, thanks for your reply. Below is a partial list (3 of 5456):

    List No. 1
    Severity: Medium
    Title: Potential XSS
    Description: The application appears to reflect data to the screen with no apparent validation or sanitisation. It was not clear if this variable is controlled by the user.
    File Name: wp-admin\wp-links-opml.php
    Line: 70
    Code: <outline type="category" title="<?php echo esc_attr( $catname ); ?>">

    List No. 2
    Severity: Medium
    Title: mt_rand
    Description: The application uses pseudo-random number generation that is not cryptographically secure. Carry out a manual check to ensure this is not being used in a process that requires cryptographically secure random numbers.
    File Name: wp-admin\wp-admin\admin.php
    Line: 80
    Code: if ( $c <= 50 || ( $c > 50 && mt_rand( 0, (int) ( $c / 50 ) ) === 1 ) ) {

    List No. 3
    Severity: Standard
    Title: preg_replace
    Description: This function will evaluate PHP code. It is dangerous when used with user controlled parameters and may facilitate direct attacks against the web server. Conduct a manual review of this section to ensure safe usage.
    File Name: wp-admin\wp-login.php
    Line: 1120
    Code: $redirect_to = preg_replace( '|^https://|', 'https://', $redirect_to );

    Scan tool: VisualCodeGrepper

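A manual triage of the three findings quoted above, as an added stand-alone PHP example that is not code from this thread or from WordPress; the sample values are constructed, and htmlspecialchars() stands in for WordPress's esc_attr():

```php
<?php
// Added example: what a reviewer checks for each VisualCodeGrepper finding.
// $catname, $c and $redirect_to below are constructed sample values.

// Finding 1 (Potential XSS): the scanner sees an echo into an attribute but
// cannot see that esc_attr() already encodes it. Attribute-context encoding
// turns quotes and angle brackets into entities, so the attribute cannot be
// broken out of regardless of where the value came from.
function attribute_safe(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
$catname = 'Tools & "Gadgets" <misc>';                 // constructed category name
$outline = '<outline type="category" title="' . attribute_safe($catname) . '">';
echo $outline, PHP_EOL;   // title="Tools &amp; &quot;Gadgets&quot; &lt;misc&gt;"

// Finding 2 (mt_rand): only a problem if the number must be unpredictable.
// Here it decides whether a periodic cleanup runs on roughly 1 in ($c/50)
// requests, which is load spreading, not a security decision. Values that
// must be unguessable (tokens, nonces) need the CSPRNG functions instead.
function should_run_cleanup(int $c): bool {
    return $c <= 50 || mt_rand(0, (int) ($c / 50)) === 1;
}
function make_token(): string {
    return bin2hex(random_bytes(16));   // random_bytes() is cryptographically secure
}
var_dump(should_run_cleanup(40));       // always true: small tables are always cleaned
echo make_token(), PHP_EOL;

// Finding 3 (preg_replace): preg_replace() only ever evaluated PHP code with
// the /e modifier, which was removed in PHP 7. The reviewer checks the
// modifier section after the closing delimiter; a fixed pattern with no
// modifiers is a plain string rewrite.
function pattern_has_eval_modifier(string $pattern): bool {
    $modifiers = substr($pattern, strrpos($pattern, $pattern[0]) + 1);
    return strpos($modifiers, 'e') !== false;
}
$pattern     = '|^https://|';                          // as quoted in the scan output
$redirect_to = 'https://example.com/wp-admin/';        // constructed sample
var_dump(pattern_has_eval_modifier($pattern));         // bool(false)
echo preg_replace($pattern, 'https://', $redirect_to), PHP_EOL;
```

Each finding therefore closes with a documented review note rather than a code change, which is what the scanner's own description asks for.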

    If those are the only errors that you can see, then you're fine. You need to actually understand what they are saying, and not just try to get rid of them. None of those "issues" are actually errors. They all say that they've found something that may be an issue and should be looked at manually.

    Thread Starter blueblueblu

    (@blueblueblu)

    Hi @catacaustic,
    Thank you for spending your time on this question.
    All alerts come from the original source code downloaded from www.ads-software.com; the IT dept. asks my customer to do something so that these issues no longer appear.
    We have no idea what to do, so I'm here... Q.Q

  • The topic ‘About WHITE-BOX Testing’ is closed to new replies.