Embed Size (px)
Citation preview
Prajal Kulkarni@prajalkulkarni
The Tale of 100 CVE’s
@about me
• Security Engineer @Flipkart
• Likes to do Bug Hunting!
• Loves coding in Python
• Member of null security community
• Lead vocalist @Sathee
@prajalkulkarni
WordPress Security Ecosystem!
100 CVE’s in less than a month!
How we did it?
What Tale?
60 Million Websites Worldwide
Powers 1 in 5 of all the worlds websites in the world
-Matt
Current stable release 3.9.1
Version 3.8 downloads > 20 Million times-Stats from Wikipedia
Wordpress Ecosytem
Scary Enough?
Still not??
WordPress Core – Stable 3.9.1
31,154 Plugins
More than 2.5K Themes
Wordpress Security Ecosytem
Our attempt to Improve the Ecosystem
Once Upon a Time
Credits - Anant Shrivastava
Wait Something not right!
Vulnerabilities Found!
Full path disclosure
-pma/error.php-pma/libraries/PMA_List_Database.class.php
PHP info disclosure
-pma/phpinfo.php
Security Bypass Allows direct access.
-pma/server_databases.php - Full access to all features including SQL window
-pma/main.php – reveals all the details of the database
Timeliness
• Author Contacted: 24 July 2013
• No positive response from the author
• Wordpress Security Team contacted: 11 September 2013
• Plugin Disabled in the repository : 21 October 2013
End Result?Plugin Closed!
CVE-2013-4462http://seclists.org/oss-sec/2013/q4/144
Started Project CodeVigilant
• Spot new issues in Plugins/Themes
• Report to the relevant author
• Get the patch released
• Else close the Plugin/Theme
What is required?
Apache/MySQL/PHP
XAMPP/WAMP
Python 2.7
Our Approach
Download the latest WordPress and install locally
Download all Plugins (31k)
Download all Themes (2.5k)
From Where do I get plugins/themes??
http://themes.svn.wordpress.org/
Download Themes Locally
Now What?
Started with Manual Approach!
Analyze Plugin/Theme source code
Understand the logic
Find Issues
Report !
Slow Results!!
Two Weeks Stats ??
Vulnerability Chart
LFI
Xss
Auth Bypass
Using Components With Known Vulnerabilities
10
9
1
1
Took a Lot of Time!
Lets Automate Everything!
Started with Cross site Scripting!
Simple Logic!
Find all $_GET parameters
Replace their value with chk_string: '><script>alert(document.cookie)</script>
Send the request with the appropriate URL structure
Check if the response contains the chk_string
Guess What!
• More than 100 valid XSS!
• Testing for XSS we also stumbled upon:– SSRF– LFI– Unvalidated Redirects and
Forwards
Stats for the next 3 weeks!A3-Cross-Site Scripting 211
Unvalidated Redirects and Forwards
4
Local File Inclusion 6
Information Disclosure 1
Direct access & Auth Bypass
1
Using Components with Known Vulnerabilities
30
SSRF/XSPA 4
Injection 9
http://codevigilant.com/
Future for codevigilant
Automation frameworks for other vulnerabilities
Explore other platforms like Drupal & Jumla
Encourage External Researchers to contribute.
Prajal Kulkarni
@prajakulkarni http://www.prajalkulkarni.com
Anant Shrivastava @anantshri
http://www.anantshri.info
Project Leads
Questions?
