DOM XSS Vulnerability Impacts Over 70 Million Wix Websites

Saturday, November 05, 2016

Ionut Arghire


A severe DOM (Document Object Model) based XSS (Cross-Site Scripting) vulnerability in could lead to an attacker gaining full control of the websites hosted on the platform, Contrast Security researchers warn.

Also known as type-0 XSS, a DOM based XSS is a type of attack where the payload is executed by modifying the DOM “environment” in the victim’s browser. Because of that, while the page (the HTTP response) isn’t changed, the client side code contained in the page executes differently, influenced by the malicious changes in the DOM environment.

The DOM XSS vulnerability that affects, Contrast Security says, allows an attacker to take complete control over a website hosted at Wix. An actor simply needs to add a single parameter to any site created on Wix to have their JavaScript code being loaded and run as part of the target website.

Cloud-based development platform has millions of users worldwide and allows everyone “to create a beautiful, professional web presence.” Wix claims to have 87 million registered users and over 2 million subscriptions.

Wix websites either use a subdomain or a custom domain, and an XSS against these won’t provide an attacker with access to the main domain and its cookies. Thus, a separate vulnerability is needed for an attacker to steal session cookies that could provide access to administrator session cookies or allow them to access administrator resources.

For that, an attacker can simply use the template demos that are hosted on, because they contain the vulnerability. Should the attacker manage to exploit an XSS on, they could do anything as the current user, including launching a worm attack.

The first step of such an attack, is to create a Wix website with the DOM XSS in an , Contrast Security explains. When a Wix user visits the infected website, a similar issue in is leveraged to edit all of the user's websites and inject the DOM XSS in an . Since the site infects any logged in Wix user and adds the with the same XSS to their websites, all of the current user’s websites now host the malicious content and serve it to their visitors.

“Administrator control of a site could be used to widely distribute malware, create a dynamic, distributed, browser-based botnet, mine crypto-currency, and otherwise generally control the content of the site as well as the users who use it,” Matt Austin, Senior Security Research Engineer, explains.

An attacker could not only change the content of a hosted website for targeted users, but could also challenge the user for their Wix, Facebook, or Twitter username and password or trick them into downloading malware and executing it. Additionally, the attacker could generate ad revenue by inserting ads into website pages, spoof bank web pages and attempt to get users to log in, make it difficult or impossible to find and delete the infection, and could even make themselves an administrator of the website.

The security researchers say they contacted Wix about the issue on October 14 but that no positive response was received so far, although the company initially said it was investigating the issue.

“Contrast Security attempted to reach for over three weeks with no response. So we are disclosing this vulnerability in order to protect the many Wix website owners and users of these websites,” the security researcher said.

UPDATE 11/07: Contrast Security contacted SecurityWeek to inform us that Wix appears to have fixed the issue after they made the vulnerability details public:

"We published this disclosure on 11/2 at 8 AM PST. Sometime between 12 and 3 PM PST that same day, Wix appears to have resolved the problem. We can look at the update to see how they resolved this issue," Austin told us.

Related: WordPress Flaw Allows XSS Attack via Image Filenames

Related: Zen Cart Patches Multiple XSS Vulnerabilities

Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.