DESCRIPTION
This presentation covers our recent contribution to improving the WordPress security ecosystem. WordPress has grown from a blogging platform into a full-fledged CMS application, and people increasingly use it for a multitude of projects and purposes. The WordPress ecosystem has recently been hit by a large number of security issues, and we have seen the whole depth and breadth of the OWASP Top 10 exploitable in multiple instances. Today's statistics on WordPress show more than 28,000+ plugins and close to 2,000+ themes. From a security standpoint, however, there is a painful growing trend of issues cropping up in WordPress core as well as in plugins and themes. We decided to stop being spectators and contribute to the cause, so we are carrying out the following activities, which will form part of the final outcome: analyze the existing vulnerabilities and the new issues reported on a regular basis; identify new issues in plugins and themes (WordPress core is a secondary target); report each issue; and get a patch released or get the plugin closed on the WordPress repository. The research/presentation will also describe ways of automating vulnerability discovery across the entire list of 28K plugins and 2K themes. We will strive to get issues fixed before releasing any details; however, if a plugin/theme author does not respond and we can only get the plugin closed, we will go ahead with disclosure to get the issue out in public. The final outcome/presentation will cover the vulnerability landscape, common issues and quick fixes for those issues, and will coincide with a comprehensive guideline for developers to protect their own plugins. We will publish all our vulnerabilities on our website (to be disclosed) as and when they are patched.
Prajal Kulkarni @prajalkulkarni
The Tale of 100 CVE’s
@about me
• Security Engineer @Flipkart
• Likes to do Bug Hunting!
• Loves coding in Python
• Member of null security community
• Lead vocalist @Sathee
@prajalkulkarni
WordPress Security Ecosystem!
100 CVE’s in less than a month!
How did we do it?
What Tale?
60 Million Websites Worldwide
Powers 1 in 5 of all the world's websites
-Matt
Current stable release 3.9.1
Version 3.8 downloaded > 20 million times (stats from Wikipedia)
WordPress Ecosystem
Scary Enough?
Still not??
WordPress Core – Stable 3.9.1
31,154 Plugins
More than 2.5K Themes
WordPress Security Ecosystem
Our attempt to Improve the Ecosystem
Once Upon a Time
Credits - Anant Shrivastava
Wait, something's not right!
Vulnerabilities Found!
Full path disclosure
- pma/error.php
- pma/libraries/PMA_List_Database.class.php
PHP info disclosure
- pma/phpinfo.php
Security bypass allows direct access
- pma/server_databases.php – full access to all features, including the SQL window
- pma/main.php – reveals all the details of the database
Timeliness
• Author Contacted: 24 July 2013
• No positive response from the author
• WordPress Security Team contacted: 11 September 2013
• Plugin Disabled in the repository : 21 October 2013
End Result? Plugin Closed!
CVE-2013-4462
http://seclists.org/oss-sec/2013/q4/144
Started Project CodeVigilant
• Spot new issues in Plugins/Themes
• Report to the relevant author
• Get the patch released
• Else close the Plugin/Theme
What is required?
Apache/MySQL/PHP
XAMPP/WAMP
Python 2.7
Our Approach
Download the latest WordPress and install locally
Download all Plugins (31k)
Download all Themes (2.5k)
Where do I get plugins/themes from?
http://themes.svn.wordpress.org/
Download Themes Locally
Now What?
Started with Manual Approach!
Analyze Plugin/Theme source code
Understand the logic
Find Issues
Report !
Slow Results!!
Two Weeks' Stats?
Vulnerability Chart
LFI: 10
XSS: 9
Auth Bypass: 1
Using Components With Known Vulnerabilities: 1
Took a Lot of Time!
Let's Automate Everything!
Started with Cross site Scripting!
Simple Logic!
Find all $_GET parameters
Replace their value with chk_string: '><script>alert(document.cookie)</script>
Send the request with the appropriate URL structure
Check if the response contains the chk_string
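As an added example (not from the slides or from the CodeVigilant project), the "find all $_GET parameters" and "check the response" steps of the logic above as two small Python checks: a line-level linter that lists the $_GET reads a plugin does not wrap in a WordPress escaper, and a classifier that tells a verbatim reflection apart from an entity-escaped one. The PHP sample, the canary string and the response bodies are constructed here.

```python
import html
import re

# Constructed sample plugin source (not a real plugin): two raw $_GET reads, one escaped read.
SAMPLE_PHP = r"""<?php
$page = $_GET['page'];
$q = isset($_GET["q"]) ? $_GET["q"] : '';
echo '<a href="?page=' . $page . '">next</a>';          // reflected raw
echo '<input value="' . esc_attr($_GET['term']) . '">';  // escaped at output
echo 'Search: ' . esc_html($q);                           // escaped via variable
"""

GET_PARAM = re.compile(r"""\$_GET\[\s*['"]([A-Za-z0-9_\-]+)['"]\s*\]""")
# Escaping/sanitising calls that wrap the $_GET read directly on the same line.
ESCAPED_READ = re.compile(
    r"\b(?:esc_attr|esc_html|esc_url|sanitize_text_field|intval|absint|htmlspecialchars)"
    r"\s*\(\s*\$_GET\[")

def get_params(src):
    """Distinct $_GET parameter names in order of first appearance (step 1 above)."""
    names = []
    for m in GET_PARAM.finditer(src):
        if m.group(1) not in names:
            names.append(m.group(1))
    return names

def unwrapped_reads(src):
    """(name, line_no) for every $_GET read not wrapped in a known escaper on that line.
    Line-level heuristic: a value escaped later through a variable (see 'q') is still reported."""
    hits = []
    for n, line in enumerate(src.splitlines(), 1):
        names = GET_PARAM.findall(line)
        if names and not ESCAPED_READ.search(line):
            hits.extend((name, n) for name in dict.fromkeys(names))
    return hits

# Constructed canary: reflected verbatim it would close an attribute; HTML-escaped it is inert.
CANARY = '"><cv_chk>'

def classify_reflection(body, canary=CANARY):
    """'reflected' if the canary comes back verbatim, 'escaped' if entity-encoded, else 'absent'."""
    if canary in body:
        return "reflected"
    if html.escape(canary, quote=True) in body:
        return "escaped"
    return "absent"

# Constructed response bodies standing in for what a local test install would return.
RAW_RESPONSE = '<a href="?page="><cv_chk>">next</a>'
SAFE_RESPONSE = '<input value="&quot;&gt;&lt;cv_chk&gt;">'

if __name__ == "__main__":
    print(get_params(SAMPLE_PHP), unwrapped_reads(SAMPLE_PHP))
    print(classify_reflection(RAW_RESPONSE), classify_reflection(SAFE_RESPONSE))
```

Run the linter over a plugin directory on the local XAMPP/WAMP install and send the canary only against that install; the reported lines are the ones a reviewer checks for missing esc_attr/esc_html before anything is reported to an author.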
Guess What!
• More than 100 valid XSS!
• Testing for XSS we also stumbled upon:
– SSRF
– LFI
– Unvalidated Redirects and Forwards
Stats for the next 3 weeks!
A3 – Cross-Site Scripting: 211
Unvalidated Redirects and Forwards: 4
Local File Inclusion: 6
Information Disclosure: 1
Direct Access & Auth Bypass: 1
Using Components with Known Vulnerabilities: 30
SSRF/XSPA: 4
Injection: 9
http://codevigilant.com/
Future for CodeVigilant
Automation frameworks for other vulnerabilities
Explore other platforms like Drupal & Joomla
Encourage External Researchers to contribute.
Prajal Kulkarni
@prajalkulkarni http://www.prajalkulkarni.com
Anant Shrivastava @anantshri
http://www.anantshri.info
Project Leads
Questions?