The tale of 100 cve's
Presentation Transcript

  • Prajal Kulkarni @prajalkulkarni The Tale of 100 CVE’s
  • @about me • Security Engineer @Flipkart • Likes to do Bug Hunting! • Loves coding in Python • Member of null security community • Lead vocalist @Sathee @prajalkulkarni
  • What Tale? • WordPress Security Ecosystem! • 100 CVE’s in less than a month! • How we did it?
  • 60 Million Websites Worldwide • Powers 1 in 5 of all the world's websites -Matt • Current stable release 3.9.1 • Version 3.8 downloaded > 20 Million times -Stats from Wikipedia
  • WordPress Ecosystem
  • Scary Enough?
  • Still not??
  • WordPress Security Ecosystem • WordPress Core – Stable 3.9.1 • 31,154 Plugins • More than 2.5K Themes
  • Our attempt to Improve the Ecosystem
  • Once Upon a Time Credits - Anant Shrivastava
  • Wait Something not right!
  • Vulnerabilities Found! • Full path disclosure: pma/error.php, pma/libraries/PMA_List_Database.class.php • PHP info disclosure: pma/phpinfo.php • Security Bypass (allows direct access): pma/server_databases.php – full access to all features including SQL window; pma/main.php – reveals all the details of the database
  • Timeliness • Author Contacted: 24 July 2013 • No positive response from the author • Wordpress Security Team contacted: 11 September 2013 • Plugin Disabled in the repository : 21 October 2013
  • End Result? Plugin Closed! CVE-2013-4462 http://seclists.org/oss-sec/2013/q4/144
  • Started Project CodeVigilant • Spot new issues in Plugins/Themes • Report to the relevant author • Get the patch released • Else close the Plugin/Theme
  • What is required? Apache/MySQL/PHP XAMPP/WAMP Python 2.7
  • Our Approach • Download the latest WordPress and install locally • Download all Plugins (31k) • Download all Themes (2.5k)
  • From Where do I get plugins/themes??
  • http://themes.svn.wordpress.org/
  • Download Themes Locally
  • Now What?
  • Started with Manual Approach! • Analyze Plugin/Theme source code • Understand the logic • Find Issues • Report!
  • Slow Results!!
  • Two Weeks Stats?? Vulnerability Chart: LFI 10 • XSS 9 • Auth Bypass 1 • Using Components With Known Vulnerabilities 1
  • Took a Lot of Time!
  • Let's Automate Everything!
  • Started with Cross site Scripting!
  • Simple Logic! • Find all $_GET parameters • Replace their value with chk_string: '><script>alert(document.cookie)</script> • Send the request with the appropriate URL structure • Check if the response contains the chk_string
  • Guess What! • More than 100 valid XSS! • Testing for XSS we also stumbled upon: – SSRF – LFI – Unvalidated Redirects and Forwards
  • Stats for the next 3 weeks! • A3-Cross-Site Scripting 211 • Unvalidated Redirects and Forwards 4 • Local File Inclusion 6 • Information Disclosure 1 • Direct access & Auth Bypass 1 • Using Components with Known Vulnerabilities 30 • SSRF/XSPA 4 • Injection 9
  • http://codevigilant.com/
  • Future for CodeVigilant • Automation frameworks for other vulnerabilities • Explore other platforms like Drupal & Joomla • Encourage external researchers to contribute.
  • Project Leads • Prajal Kulkarni @prajalkulkarni http://www.prajalkulkarni.com • Anant Shrivastava @anantshri http://www.anantshri.info
  • Questions?
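The "Simple Logic!" slide describes the four-step reflected-XSS check that produced the CodeVigilant numbers. The following Python 3 script is an added example written for this transcript; it is not CodeVigilant's own code (the slides mention Python 2.7, and the plugin source, the `render_constructed_page` stand-in for the HTTP request to the local test install, and all parameter names are constructed for illustration). It goes one step beyond the slide: besides detecting a verbatim reflection of the check string, it distinguishes the case where the plugin did escape the value with `htmlspecialchars()`, which is exactly the mitigation a plugin author should apply and the case a naive substring check must not report as a finding.

```python
import html
import re
from typing import Callable, Dict, List

# The check string from the slides. It can only survive verbatim in a response
# if the plugin echoes the parameter without HTML escaping.
CHK_STRING = "'><script>alert(document.cookie)</script>"

# Matches $_GET['name'], $_GET["name"] and $_GET[name] in PHP source.
GET_PARAM_RE = re.compile(r"\$_GET\s*\[\s*['\"]?([A-Za-z0-9_\-]+)['\"]?\s*\]")


def find_get_params(php_source: str) -> List[str]:
    """Step 1: distinct $_GET parameter names, in order of first use."""
    names: List[str] = []
    for name in GET_PARAM_RE.findall(php_source):
        if name not in names:
            names.append(name)
    return names


def classify_response(body: str, marker: str = CHK_STRING) -> str:
    """Step 4, with the distinction the check relies on:
    'reflected-raw'     -> marker present verbatim: the parameter is echoed unescaped
    'reflected-escaped' -> only an entity-encoded copy (&lt;script&gt;) is present,
                           i.e. htmlspecialchars()/esc_html() was applied
    'not-reflected'     -> the parameter does not reach the page at all
    """
    if marker in body:
        return "reflected-raw"
    if "&lt;script&gt;" in body:
        return "reflected-escaped"
    return "not-reflected"


def scan(php_source: str, fetch: Callable[[Dict[str, str]], str]) -> Dict[str, str]:
    """Steps 2-4 for every parameter found in step 1.

    `fetch` stands in for the request to the local test install: it takes the GET
    parameters and returns the response body. One parameter carries the marker per
    request; the others get a harmless filler so the page still renders.
    """
    params = find_get_params(php_source)
    results: Dict[str, str] = {}
    for target in params:
        query = {name: "x" for name in params}
        query[target] = CHK_STRING
        results[target] = classify_response(fetch(query))
    return results


# Constructed sample plugin source (not a real plugin): 'page' is echoed raw,
# 'msg' goes through htmlspecialchars().
CONSTRUCTED_PLUGIN_SRC = """<?php
$page = $_GET['page'];
$msg  = $_GET["msg"];
echo "<h1>" . $page . "</h1>";
echo "<p>" . htmlspecialchars($msg) . "</p>";
"""


def render_constructed_page(query: Dict[str, str]) -> str:
    """Offline stand-in for the constructed plugin above; html.escape(quote=False)
    encodes &, < and > exactly as htmlspecialchars() does for those characters."""
    page = query.get("page", "")
    msg = html.escape(query.get("msg", ""), quote=False)
    return "<h1>%s</h1><p>%s</p>" % (page, msg)


if __name__ == "__main__":
    for name, verdict in scan(CONSTRUCTED_PLUGIN_SRC, render_constructed_page).items():
        print(name, verdict)  # page reflected-raw / msg reflected-escaped
```

Only `reflected-raw` is a finding; `reflected-escaped` shows the parameter reaching the page through `htmlspecialchars()` (or WordPress's `esc_html()`/`esc_attr()`), which is the fix the project asked plugin authors to ship. The regex in step 1 is deliberately simple and misses parameters read via `$_REQUEST` or `filter_input()`, so a real pass over 31k plugins would need to widen it.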