It's a Jungle Out There: The Security State of CMS Platforms

SESSION ID: STU-W03A
Maty Siman, Founder & CTO, CISSP, Checkmarx (@checkmarx)
RSAC

CMS

"A Content Management System (CMS) is a computer program that allows publishing, editing and modifying content as well as maintenance from a central interface." (Wikipedia)

Infographics (http://www.webnethosting.net/wordpress-vs-joomla-vs-drupal-cms-popularity-war)

Drupal Architecture

[Architecture diagram; recoverable labels: Plugin(s), Widgets]

CMS Plugins

Barriers to entry are very low:
No publishing fees
No publishing checks
Simple API
PHP

Significant Exposure

Anyone in your company can set up a new WordPress instance; no need for IT personnel or R&D assistance.

1+1=

Low Barrier + Exposure = Security Concern


Some Stats


Our report

Jan 2013 – 30 of top 50
Feb – Apr – Notified 3 vendors (Automatic)
Jun – 20 of top 50
– 7 out of 10 e-commerce

Recommendations

SlimStat SQLi

Report (Jan 8, 2014)
Ory Segal - https://blogs.akamai.com/2014/01/wordpress-plugins-exploitation-through-the-big-data-prism.html

Anatomy of an attack - Widespread

Download 10 WP plugins
On average 3 of them are vulnerable to high-risk vulnerabilities
Check which sites are using these plugins (Google index of wp-content/plugins/slimstat)

Anatomy of an attack - Targeted

Check what plugins are used by your target (Google index of wp-content, site:victim.com)
Download these plugins
Check for vulnerabilities in these plugins
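Both "Anatomy of an attack" slides start from the same step: finding out which plugins a site runs. As an added example that is not part of the deck, here is the defender's side of that step: detection logic that flags a client which probes many distinct plugin directories in a short window, the footprint that plugin fingerprinting leaves in a web server's access log. The log lines, IP addresses, window length and threshold are all constructed assumptions.

```python
"""Flag clients that probe many distinct WordPress plugin directories.

Added example, not code from the RSAC deck: a defender-side view of the
"check what plugins are used by your target" step. Plugin fingerprinting
shows up in web server logs as one client requesting many different
/wp-content/plugins/<slug>/ paths in a short time, usually with a high
404 ratio for plugins that are not installed. The log lines below are
constructed sample data in the Combined Log Format; window and threshold
are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
PLUGIN_RE = re.compile(r'^/wp-content/plugins/(?P<slug>[^/?#]+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one scanner walking a slug list, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2014:12:00:01 +0000] "GET /wp-content/plugins/slimstat/readme.txt HTTP/1.1" 200 512 "-" "curl/7.30"
203.0.113.7 - - [10/Jan/2014:12:00:02 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 210 "-" "curl/7.30"
203.0.113.7 - - [10/Jan/2014:12:00:02 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 210 "-" "curl/7.30"
203.0.113.7 - - [10/Jan/2014:12:00:03 +0000] "GET /wp-content/plugins/plugin-c/readme.txt HTTP/1.1" 404 210 "-" "curl/7.30"
203.0.113.7 - - [10/Jan/2014:12:00:03 +0000] "GET /wp-content/plugins/plugin-d/readme.txt HTTP/1.1" 404 210 "-" "curl/7.30"
203.0.113.7 - - [10/Jan/2014:12:00:04 +0000] "GET /wp-content/plugins/plugin-e/readme.txt HTTP/1.1" 200 300 "-" "curl/7.30"
198.51.100.9 - - [10/Jan/2014:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2014:12:00:05 +0000] "GET /wp-content/plugins/slimstat/js/slimstat.js HTTP/1.1" 200 4096 "http://example.org/" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2014:12:00:06 +0000] "GET /wp-content/plugins/contact-form/style.css HTTP/1.1" 200 1024 "http://example.org/" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2014:12:30:00 +0000] "GET /wp-content/plugins/plugin-a/style.css HTTP/1.1" 200 1024 "http://example.org/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, plugin_slug, status) for a request under
    /wp-content/plugins/, or None for anything else (unparsable lines included)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PLUGIN_RE.match(m.group("path"))
    if not p:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, p.group("slug"), int(m.group("status"))


def find_enumerators(log_text, window_seconds=60, min_distinct=5):
    """Return {ip: (distinct_plugin_dirs, not_found_count)} for every client
    that touched at least `min_distinct` different plugin directories within
    some `window_seconds` span. A normal visitor loads assets of the few
    plugins actually installed; a scanner walks a list of slugs."""
    events = defaultdict(list)  # ip -> [(timestamp, slug, status)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ts, slug, status = parsed
            events[ip].append((ts, slug, status))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # chronological
        for i, (start, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if (e[0] - start).total_seconds() <= window_seconds]
            slugs = {slug for _, slug, _ in window}
            if len(slugs) >= min_distinct:
                not_found = sum(1 for _, _, status in window if status == 404)
                flagged[ip] = (len(slugs), not_found)
                break  # one hit per client is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for ip, (n, nf) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct plugin dirs probed, {nf} of those requests returned 404")
```

The 404 count is reported alongside the distinct-directory count because a scanner that is guessing slugs mostly hits directories that do not exist, while a visitor's browser only ever requests assets of installed plugins; sites that serve a plugin-heavy page legitimately may need a higher `min_distinct`.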

What should I do?

1. Ask your plugin-market owner what security measures it takes to ensure the security level of the hosted plugins.
2. We found that "you get what you pay for" – commercial markets are more secure than free ones (wordpress.com vs wordpress.org).
3. Upgrade your plugins to their latest version.
4. Educate your team regarding the security risks of setting up new CMS instances.
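Recommendation 3 presupposes that you know which plugins each of your WordPress instances runs and at which version. As an added example that is not part of the deck and not Checkmarx's code, the script below builds that inventory from the plugin header comment WordPress itself uses ("Plugin Name:", "Version:") and flags plugins behind the latest known release. The plugin tree, slugs, version strings and the LATEST_VERSIONS table are constructed sample data; in practice the latest versions come from your plugin market (for wordpress.org, its plugin information API).

```python
"""Inventory the plugins of a WordPress install and flag outdated ones.

Added example, not code from the RSAC deck or from Checkmarx. It backs
recommendation 3 ("upgrade your plugins to their latest version") and the
inventory you need before you can act on it. WordPress identifies a plugin
by the header comment at the top of its main PHP file ("Plugin Name:",
"Version:", ...) and reads only the first 8 KB of that file; this script
does the same. The plugin tree and LATEST_VERSIONS are constructed sample
data; in practice the latest versions come from your plugin market.
"""
import os
import re
import tempfile

HEADER_FIELDS = ("Plugin Name", "Version")
# Same shape as WordPress's own header regex: optional comment decoration,
# the field name, a colon, then the value up to the end of the line.
HEADER_RE = {
    field: re.compile(r"^[ \t/*#@]*" + re.escape(field) + r":\s*(.+?)\s*$", re.M)
    for field in HEADER_FIELDS
}

# Constructed sample: slug -> (main file name, file contents). Only the header
# comment matters here; real plugins carry code after it.
SAMPLE_PLUGINS = {
    "plugin-a": ("plugin-a.php", "<?php\n/*\nPlugin Name: Plugin A\nVersion: 1.4.2\n*/\n"),
    "plugin-b": ("main.php", "<?php\n/**\n * Plugin Name: Plugin B\n * Version: 2.1.0\n */\n"),
    "plugin-c": ("plugin-c.php", "<?php\n/*\nPlugin Name: Plugin C\nVersion: 0.9\n*/\n"),
}
# Constructed "latest release" table; plugin-c is deliberately absent from it.
LATEST_VERSIONS = {"plugin-a": "1.5", "plugin-b": "2.1"}


def read_plugin_header(path):
    """Return {field: value} for the WordPress header fields found in a PHP file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)  # WordPress reads only the first 8 KB
    head = head.replace("\r", "\n")
    found = {}
    for field, rx in HEADER_RE.items():
        m = rx.search(head)
        if m:
            found[field] = m.group(1)
    return found


def inventory(plugins_dir):
    """Map plugin slug -> {"name", "version"} for every plugin directory.

    The main file is whichever top-level .php file in the slug directory
    carries a 'Plugin Name:' header, which is how WordPress finds it too."""
    result = {}
    for slug in sorted(os.listdir(plugins_dir)):
        slug_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(slug_dir):
            continue
        for fname in sorted(os.listdir(slug_dir)):
            if not fname.endswith(".php"):
                continue
            hdr = read_plugin_header(os.path.join(slug_dir, fname))
            if "Plugin Name" in hdr:
                result[slug] = {"name": hdr["Plugin Name"], "version": hdr.get("Version", "")}
                break
    return result


def version_key(version):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically. Non-numeric
    pieces count as 0 and trailing zeros are dropped, so '2.1.0' equals '2.1'."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def outdated(installed, latest):
    """Return [(slug, installed_version, latest_version)] for plugins behind the
    latest known release; plugins the `latest` table does not know are skipped."""
    rows = []
    for slug, info in installed.items():
        if slug in latest and version_key(info["version"]) < version_key(latest[slug]):
            rows.append((slug, info["version"], latest[slug]))
    return rows


def build_sample_tree(root):
    """Write the constructed plugins under root/wp-content/plugins; return that path."""
    plugins_dir = os.path.join(root, "wp-content", "plugins")
    for slug, (fname, body) in SAMPLE_PLUGINS.items():
        os.makedirs(os.path.join(plugins_dir, slug), exist_ok=True)
        with open(os.path.join(plugins_dir, slug, fname), "w", encoding="utf-8") as fh:
            fh.write(body)
    return plugins_dir


def run_sample():
    """Build the sample tree, inventory it, and return (inventory, outdated list)."""
    with tempfile.TemporaryDirectory() as tmp:
        inv = inventory(build_sample_tree(tmp))
        return inv, outdated(inv, LATEST_VERSIONS)


if __name__ == "__main__":
    inv, old = run_sample()
    for slug, info in inv.items():
        print(f"{slug}: {info['name']} {info['version']}")
    for slug, have, want in old:
        print(f"OUTDATED {slug}: installed {have}, latest {want}")
```

For a real install, point `inventory()` at the site's wp-content/plugins directory instead of the constructed tree; plugins absent from the latest-version table are reported in the inventory but never as outdated, which is itself worth a look, since a plugin your market no longer lists may have been pulled.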

Thank you. Maty Siman, Founder & CTO at Checkmarx
