CONFidence 2014:
Download as PPTX, PDF0 likes549 views
Prajal Kulkarni discusses achieving 100 CVEs related to WordPress security vulnerabilities in under a month, highlighting the challenges of identifying and reporting these issues. The project's approach involved automation to improve identification of vulnerabilities such as XSS, LFI, and SSRF. Future plans include expanding automation frameworks and reaching out to external researchers to contribute to the ongoing security efforts in the ecosystem.
CONFidence 2014:
- 1. Prajal Kulkarni @prajalkulkarni The Tale of 100 CVE’s
- 2. @about me • Security Engineer @Flipkart • Likes to do Bug Hunting! • Loves coding in Python • Member of null security community • Lead vocalist @Sathee @prajalkulkarni
- 3. WordPress Security Ecosystem! 100 CVE’s in less than a month! How we did it? What Tale?
- 4. 60 Million Websites Worldwide Powers 1 in 5 of all the worlds websites in the world -Matt Current stable release 3.9.1 Version 3.8 downloads > 20 Million times -Stats from Wikipedia
- 8. Still not??
- 10. WordPress Core – Stable 3.9.1 31,154 Plugins More than 2.5K Themes Wordpress Security Ecosytem
- 11. Our attempt to Improve the Ecosystem
- 12. Once Upon a Time Credits - Anant Shrivastava
- 13. Wait Something not right!
- 14. Vulnerabilities Found! Full path disclosure -pma/error.php -pma/libraries/PMA_List_Database.class.php PHP info disclosure -pma/phpinfo.php Security Bypass Allows direct access. -pma/server_databases.php - Full access to all features including SQL window -pma/main.php – reveals all the details of the database
- 15. Timeliness • Author Contacted: 24 July 2013 • No positive response from the author • Wordpress Security Team contacted: 11 September 2013 • Plugin Disabled in the repository : 21 October 2013
- 16. End Result? Plugin Closed! CVE-2013-4462 http://seclists.org/oss-sec/2013/q4/144
- 17. Started Project CodeVigilant • Spot new issues in Plugins/Themes • Report to the relevant author • Get the patch released • Else close the Plugin/Theme
- 19. Our Approach Download the latest WordPress and install locally Download all Plugins (31k) Download all Themes (2.5k)
- 20. From Where do I get plugins/themes??
- 23. Now What?
- 24. Started with Manual Approach! Analyze Plugin/Theme source code Understand the logic Find Issues Report !
- 25. Slow Results!!
- 26. Two Weeks Stats ?? Vulnerability Chart LFI Xss Auth Bypass Using Components With Known Vulnerabilities 10 9 1 1
- 27. Took a Lot of Time!
- 29. Started with Cross site Scripting!
- 31. Simple Logic! Find all $_GET parameters Replace their value with chk_string: '><script>alert(document.cookie)</script> Send the request with the appropriate URL structure Check if the response contains the chk_string
- 32. Guess What! • More than 100 valid XSS! • Testing for XSS we also stumbled upon: – SSRF – LFI – Unvalidated Redirects and Forwards
- 33. Stats for the next 3 weeks! A3-Cross-Site Scripting 211 Unvalidated Redirects and Forwards 4 Local File Inclusion 6 Information Disclosure 1 Direct access & Auth Bypass 1 Using Components with Known Vulnerabilities 30 SSRF/XSPA 4 Injection 9
- 36. Future for codevigilant Automation frameworks for other vulnerabilities Explore other platforms like Drupal & Jumla Encourage External Researchers to contribute.
- 38. Questions?