WordCamp Miami 2016 SiteLock Presentation


BEYOND THE BASICS:

Building security into your development projects

WORDCAMP MIAMI 2016

BIO Binod Purushothaman, Director, Product & Technology @SiteLock

§  Heads the product development team.

§  Led several technology startups in the manufacturing and finance sectors in India and the United States.

BIO Logan Kipp, Lead Security Analyst @SiteLock

§  Provides SiteLock's Partners and Support Services Division with information and training on emerging technologies and threats.

§  Has seven years' experience in the website hosting and security technology field, previously working at GoDaddy.

INTRODUCTION

§  Malware: Things Get Ugly

§  XSS: A WordPress Story

§  Plugins: Dance the Tango

MALWARE


ANOTHER REASON FILE MONITORING IS IMPORTANT!

XSS

“Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users.”

- Wikipedia

XSS

SiteLock Research Team picks up a possible XSS vulnerability in a plugin during a routine SAST scan.

§  File: settings.php

§  Argument: $curr

XSS

Found $curr set at lines 195/196, where it's set to Default if $cntr is empty, or to the value of $cntr if not. Variable $cntr is set at lines 91/92: if $_GET['scounter'] is set, $cntr inherits its value. Could this be a reflected XSS vulnerability?

XSS

Let's find out. We simply need to pass a harmless XSS string in the $_GET['scounter'] parameter to get a proof of concept, like a document.cookie alert. Something like: ?page=slider-settings&scounter=<script>alert(document.cookie)</script>

XSS

Great success.

BUT IF YOU USE A WEB APPLICATION FIREWALL…

These types of attacks are blocked.

RECENT RESEARCH

Free WordPress Plugin -- “Tango”

§  File Management – View & Edit – Zip & Unzip

§  Database Management – Easy backups

VULNERABILITY EXAMPLE: TANGO


The plugin consists of four files.

VULNERABILITY EXAMPLE: TANGO

Curious. Startup relies on a file existing.

VULNERABILITY EXAMPLE: TANGO

What would happen if we renamed the readme.txt then?

VULNERABILITY EXAMPLE: TANGO


$ ls /

VULNERABILITY EXAMPLE: TANGO

What else could we do here? Anything.

§  Grab external files.

§  Dump the file structure.

§  Trash everything.

$ dd if=/dev/random of=/dev/sda

VULNERABILITY EXAMPLE: TANGO

CODE STARTS SIMPLE

MY CODE

CODE BECOMES COMPLEX

THEMES +

COMPONENTS +

FRAMEWORK +

PLUGINS +

ATTACKERS INCREASE THEIR COMPLEXITY

MYPLUGIN

XSS VULNERABILITY

No escaping or sanitization used.

STATIC CODE ANALYSIS RESULTS: TRUECODE

CODE ANALYSIS

XSS FIXED

Use WordPress esc_html() to remove the vulnerability.

BUILT-IN WORDPRESS FUNCTIONS

§  Always use WP built-in functions:

– esc_html()

– sanitize_text_field()

– update_option()
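As an added illustration (not code from the talk or from the plugin it discusses), the $_GET['scounter'] -> $cntr -> $curr flow traced in the XSS section is written out twice below, once echoing the raw value and once with the built-in functions applied. The names render_counter_vulnerable and render_counter_fixed are hypothetical, and the guarded stand-ins for esc_html() and sanitize_text_field() are assumed approximations so the file runs under the plain php CLI outside WordPress.

```php
<?php
// Added example, not code from the talk or from the plugin it describes.
// It models the data flow the slides trace: $_GET['scounter'] -> $cntr ->
// $curr -> HTML output. Function names render_counter_* are hypothetical.
// esc_html() and sanitize_text_field() only exist inside WordPress; the
// guarded stand-ins below are ASSUMED approximations so the file runs
// under the plain php CLI. Inside WordPress the real functions are used.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Approximation: drop script/style blocks, tags and control chars, trim.
        $str = preg_replace('@<(script|style)[^>]*?>.*?</\1>@si', '', (string) $str);
        $str = strip_tags($str);
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', $str));
    }
}

// Vulnerable pattern from the talk: the raw query value is echoed as-is,
// so any markup the visitor's URL carries is rendered by the browser.
function render_counter_vulnerable(array $get): string {
    $cntr = isset($get['scounter']) ? $get['scounter'] : '';
    $curr = ($cntr === '') ? 'Default' : $cntr;
    return '<p>Current counter: ' . $curr . '</p>';
}

// Hardened pattern: sanitize on the way in, escape on the way out.
// Escaping at output is what closes the XSS; sanitizing the input also
// keeps junk out of anything later persisted via update_option().
function render_counter_fixed(array $get): string {
    $cntr = isset($get['scounter']) ? sanitize_text_field($get['scounter']) : '';
    $curr = ($cntr === '') ? 'Default' : $cntr;
    return '<p>Current counter: ' . esc_html($curr) . '</p>';
}

// Constructed inputs standing in for what the request URL would carry.
$cases = [
    ['scounter' => '<script>alert(1)</script>'], // PoC shape; stripped to nothing -> Default
    ['scounter' => '5 < 10 & "quoted"'],          // no tags, still needs escaping
    [],                                             // missing -> Default
];
foreach ($cases as $get) {
    echo "vulnerable: ", render_counter_vulnerable($get), "\n";
    echo "fixed:      ", render_counter_fixed($get), "\n";
}
```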

UPDATED SCAN RESULTS

INSECURE SDLC

SECURE SDLC

-END-
