SlideShare a Scribd company logo

Wordpress Plugins Scanner

Download as ODP, PDF
Avădănei Andrei, profile picture
Avădănei Andrei

This document introduces the Wordpress Plugins Scanner tool. It was created to allow security testing of Wordpress plugins by downloading plugins from the Wordpress directory and building a local repository to run asynchronous scans. The tool aims to find vulnerabilities in the many third-party plugins used by Wordpress and other platforms like Joomla and Vbulletin. Over 23,000 Wordpress plugins have been downloaded over 416 million times, presenting a large attack surface for hackers to target. The presentation demonstrates the tool and discusses plans to expand its capabilities.

1 of 10
Download to read offline
1
2
3
4
5
6
7
8
9
10
Wordpress Plugins Scanner „To hack or not hack, that is the real question!“ Avădănei Andrei Founder & CEO DefCamp linkedin.com/in/andreiavadanei twitter.com/AndreiAvadanei
Short bio ● Founder & CEO of DefCamp … and CTO (tech), CFO (financial), CMO (marketing), Sales Manager, Community Manager, Speaker, Team Coordinator :)) ● Founder Cyber Security Research Center from Romania (CCSIR) ● Community manager @worldit.info ● Vice President at GREPIT ● Volunteer at BitDefender Romania ● ...
Once upon a time.. ● Somewhere in the www appeared HTML websites (bullshit) ● Then web 2.0 websites took the lights ● + third party plugins (hell yeah) ● It was a wonderful time full of innovation and peace (>:D<) ● Then came the hackers and seized a big opportunnity ● But that is another story. >:)
Third-party apps ● Some sort of crowd development ● A good idea, poorly implemented ● Used by everybody in different ways (Google, Facebook, Apple, Wordpress, Joomla, Vbulletin, Moodle ..) ● Usually there is no security test for apps before being accepted in their market store ● And there is the place where all magic starts
Case study : Wordpress ● 23,688 plugins ● 416,305,218 downloads ● and counting ● Not bad, right? ● If we cannot break in the core, lets hack his chilldrens ● And here WP Plugins Scanner come in
WP Plugins Scanner ● White box pentesting tool ● Hooked RIPS implemented ● You can download plugins from WP directory ● You can build some sort of repository on your localhost ● Asynchronous scanning ● Soon : – target websites and enumerate their plugins – subversioning for plugins – auto-monitor updates – cache-ing results – similar scanners for Joomla, Vbulletin and others?
Demo
Questions? :-)
Thanks! Avădănei Andrei Founder & CEO DefCamp linkedin.com/in/andreiavadanei twitter.com/AndreiAvadanei github.com/CCSIR/WP-Plugins-Scanner
Thanks! Avădănei Andrei Founder & CEO DefCamp linkedin.com/in/andreiavadanei twitter.com/AndreiAvadanei github.com/CCSIR/WP-Plugins-Scanner

More Related Content

PDF
Women Who Mule - Workshop series #2: Ghost
Alexandra N. Martinez
 
PDF
Hinting at a better web
Christian Heilmann
 
PDF
Web security 101
Kristaps Kūlis
 
PDF
eZ Summer Camp 2014: interactive dive into ez product backlog
Roland Benedetti
 
PDF
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Abhinav Mishra
 
PDF
We Economy - Drupalsouth
Emma Jane Hogbin Westby
 
PPTX
Develop, Debug, Learn? - Dotjs2019
Christian Heilmann
 
PDF
Seven ways to be a happier JavaScript developer - NDC Oslo
Christian Heilmann
 
Women Who Mule - Workshop series #2: Ghost
Alexandra N. Martinez
 
Hinting at a better web
Christian Heilmann
 
Web security 101
Kristaps Kūlis
 
eZ Summer Camp 2014: interactive dive into ez product backlog
Roland Benedetti
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Abhinav Mishra
 
We Economy - Drupalsouth
Emma Jane Hogbin Westby
 
Develop, Debug, Learn? - Dotjs2019
Christian Heilmann
 
Seven ways to be a happier JavaScript developer - NDC Oslo
Christian Heilmann
 

Similar to Wordpress Plugins Scanner (20)

ODP
Build and Deploy a Python Web App to Amazon in 30 Mins
Jeff Hull
 
PDF
Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,
Sigma Software
 
PDF
Pentester++
CTruncer
 
PDF
Understanding and implementing website security
Drew Gorton
 
PDF
wp cli- don’t fear the command line
Dwayne McDaniel
 
PPTX
Hacker vs company, Cloud Cyber Security Automated with Kubernetes - Demi Ben-...
Demi Ben-Ari
 
PDF
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
Aaron Saray
 
PDF
My Tools for Success in WordPress
Thomas Griffin
 
PDF
Tools to Save Time
BeMyApp
 
PDF
Tooling Matters - Development tools
Simon Dittlmann
 
PPTX
Javascript Security - Three main methods of defending your MEAN stack
Ran Bar-Zik
 
PDF
EMFcamp2022 - What if apps logged into you, instead of you logging into apps?
Chris Swan
 
PDF
Year Zero
leifdreizler
 
PDF
Codebits 2014 - Secure Coding - Gamification and automation for the win
Tiago Henriques
 
PDF
Do WordPress developers write code?
Stanko Metodiev
 
PDF
Mobile backends with Google Cloud Platform (MBLTDev'14)
Natalia Efimtseva
 
PDF
Hacking for fun & profit - The Kubernetes Way - Demi Ben-Ari - Panorays
Demi Ben-Ari
 
PDF
Hacking for Innovation: IIT Kharagpur
Saurabh Sahni
 
PPTX
No Code Development.pptx
SayianJude
 
PDF
EuroPython 2011 - How to build complex web applications having fun?
Andrew Mleczko
 
Build and Deploy a Python Web App to Amazon in 30 Mins
Jeff Hull
 
Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,
Sigma Software
 
Pentester++
CTruncer
 
Understanding and implementing website security
Drew Gorton
 
wp cli- don’t fear the command line
Dwayne McDaniel
 
Hacker vs company, Cloud Cyber Security Automated with Kubernetes - Demi Ben-...
Demi Ben-Ari
 
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
Aaron Saray
 
My Tools for Success in WordPress
Thomas Griffin
 
Tools to Save Time
BeMyApp
 
Tooling Matters - Development tools
Simon Dittlmann
 
Javascript Security - Three main methods of defending your MEAN stack
Ran Bar-Zik
 
EMFcamp2022 - What if apps logged into you, instead of you logging into apps?
Chris Swan
 
Year Zero
leifdreizler
 
Codebits 2014 - Secure Coding - Gamification and automation for the win
Tiago Henriques
 
Do WordPress developers write code?
Stanko Metodiev
 
Mobile backends with Google Cloud Platform (MBLTDev'14)
Natalia Efimtseva
 
Hacking for fun & profit - The Kubernetes Way - Demi Ben-Ari - Panorays
Demi Ben-Ari
 
Hacking for Innovation: IIT Kharagpur
Saurabh Sahni
 
No Code Development.pptx
SayianJude
 
EuroPython 2011 - How to build complex web applications having fun?
Andrew Mleczko
 
Ad

More from Avădănei Andrei (11)

PPT
How you can become a hacker with no security experience
Avădănei Andrei
 
PDF
Honeypots - The Art of Building Secure Systems by Making them Vulnerable
Avădănei Andrei
 
PPT
DefCamp 2012 @Bucharest
Avădănei Andrei
 
ODP
A journey through an INFOSEC labyrinth
Avădănei Andrei
 
ODP
Polish the Wheel
Avădănei Andrei
 
PPT
Virtual Anonimity – What? Why? When? How?
Avădănei Andrei
 
PPT
SmartFender
Avădănei Andrei
 
PPT
SYDO - Secure Your Data by Obscurity
Avădănei Andrei
 
PPT
Xss is more than a simple threat
Avădănei Andrei
 
PPT
Arta de a susţine o prezentare
Avădănei Andrei
 
ODP
Spaghetti Code vs MVC
Avădănei Andrei
 
How you can become a hacker with no security experience
Avădănei Andrei
 
Honeypots - The Art of Building Secure Systems by Making them Vulnerable
Avădănei Andrei
 
DefCamp 2012 @Bucharest
Avădănei Andrei
 
A journey through an INFOSEC labyrinth
Avădănei Andrei
 
Polish the Wheel
Avădănei Andrei
 
Virtual Anonimity – What? Why? When? How?
Avădănei Andrei
 
SmartFender
Avădănei Andrei
 
SYDO - Secure Your Data by Obscurity
Avădănei Andrei
 
Xss is more than a simple threat
Avădănei Andrei
 
Arta de a susţine o prezentare
Avădănei Andrei
 
Spaghetti Code vs MVC
Avădănei Andrei
 
Ad

Wordpress Plugins Scanner

  • 1. Wordpress Plugins Scanner „To hack or not hack, that is the real question!“ Avădănei Andrei Founder & CEO DefCamp linkedin.com/in/andreiavadanei twitter.com/AndreiAvadanei
  • 2. Short bio ● Founder & CEO of DefCamp … and CTO (tech), CFO (financial), CMO (marketing), Sales Manager, Community Manager, Speaker, Team Coordinator :)) ● Founder Cyber Security Research Center from Romania (CCSIR) ● Community manager @worldit.info ● Vice President at GREPIT ● Volunteer at BitDefender Romania ● ...
  • 3. Once upon a time.. ● Somewhere in the www appeared HTML websites (bullshit) ● Then web 2.0 websites took the lights ● + third party plugins (hell yeah) ● It was a wonderful time full of innovation and peace (>:D<) ● Then came the hackers and seized a big opportunnity ● But that is another story. >:)
  • 4. Third-party apps ● Some sort of crowd development ● A good idea, poorly implemented ● Used by everybody in different ways (Google, Facebook, Apple, Wordpress, Joomla, Vbulletin, Moodle ..) ● Usually there is no security test for apps before being accepted in their market store ● And there is the place where all magic starts
  • 5. Case study : Wordpress ● 23,688 plugins ● 416,305,218 downloads ● and counting ● Not bad, right? ● If we cannot break in the core, lets hack his chilldrens ● And here WP Plugins Scanner come in
  • 6. WP Plugins Scanner ● White box pentesting tool ● Hooked RIPS implemented ● You can download plugins from WP directory ● You can build some sort of repository on your localhost ● Asynchronous scanning ● Soon : – target websites and enumerate their plugins – subversioning for plugins – auto-monitor updates – cache-ing results – similar scanners for Joomla, Vbulletin and others?
  • 9. Thanks! Avădănei Andrei Founder & CEO DefCamp linkedin.com/in/andreiavadanei twitter.com/AndreiAvadanei github.com/CCSIR/WP-Plugins-Scanner
  • 10. Thanks! Avădănei Andrei Founder & CEO DefCamp linkedin.com/in/andreiavadanei twitter.com/AndreiAvadanei github.com/CCSIR/WP-Plugins-Scanner