Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Tale of Forgotten Disclosure and Lesson learned

8,353 views

Published on

Visual version of http://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto The presentation talks about how a disclsoure was forgotten and what we can do to prevent such issues and how to keep a track on Vulnerable components

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Tale of Forgotten Disclosure and Lesson learned

  1. 1. TALE OF FORGOTTEN DISCLOSURE BY ANANT SHRIVASTAVA
  2. 2. ANANT SHRIVASTAVA Information Security Consultant Admin - Dev - Security null + OWASP + G4H and @anantshri Co-Author OWASP Testing Guide 4.0 Projects http://anantshri.info      
  3. 3. SCENARIO 1. A vulnerability present in code (last updated March 2013) 2. Public disclosure in aug 2014. 3. Interestingly someone posted a pull request in Jan 2013 4. Till may 2015 it was not patched even though there was a new release after the pull request was in place.
  4. 4. INFORMATION RECIEVED
  5. 5. INVESTIGATION RESULT 1. Javascript Based DOM-XSS 2. Culprit identified as facebook-page-photo-gallery wordpress plugin. 3. Remove the plugin 4. XSS Fixed; Issue closed 5. End of Story
  6. 6. EMAIL TO PLUGINS TEAM
  7. 7. RESPONSE FROM PLUGIN TEAM
  8. 8. MEANWHILE DISCOVERY REQUIRES EXPERIMENTATION
  9. 9. REPOSITORY
  10. 10. CRUX OF THE ISSUE function getHashtag(){ var url = location.href; hashtag = (url.indexOf('#prettyPhoto') !== -1) ? decodeURI(url.substring(url.indexOf('#pretty Photo')+1,url.length)) : false; return hashtag; };
  11. 11. GOOGLE AHOY
  12. 12. INTERESTING FACT
  13. 13. CONTACTING AUTHOR
  14. 14. SPREAD THE WORD
  15. 15. SPREAD THE WORD
  16. 16. SPREAD THE WORD
  17. 17. FINALLY SOME ACTION
  18. 18. SOME ACTION
  19. 19. RELIEVED LET THE WORLD BE IN PEACE AND LETS GET BACK TO WORK
  20. 20. AFTER 7 DAYS
  21. 21. WHY YOU NO FIX
  22. 22. WORDPRESS PLUGIN INFO 1. Total 35 Plugins Found Total Plugin Downloads Active Install 2882520 3,37,780
  23. 23. NERDY DATA
  24. 24. WHAT IS VULNERABLE 1. Any application / website which has jquery.prettyphoto.js 2. Version 3.1.4 and 3.1.5 are confirmed vulnerable older versions not checked.
  25. 25. WHAT IS A FIX 1. Upgrade to 3.1.6
  26. 26. ENOUGH OF THE PAST WHAT'S IN IT FOR ME.
  27. 27. LESSONS TO BE LEARNED
  28. 28. FOR DEVELOPER 1. Never ignore pull requests and security issue bug report. 2. Proactively test software and at-least if a fix is released publicly accept security issue.
  29. 29. FOR DEVELOPERS / SYSADMIN / DEVOPS 1. never ignore update from shared library 2. Keep an eye on how shared resources are holding up. 3. Monitor your Dependencies
  30. 30. HOW
  31. 31. HOW
  32. 32. HOW
  33. 33. IS THIS ENOUGH 1. Not yet 2. We still lack method to track it for every third party library. 3. Manual tracking is still required.
  34. 34. REFERENCES 1. A9 - Using Components with Known Vulnerabilities 2. https://www.owasp.org/index.php/Top_10_2013-A9- Using_Components_with_Known_Vulnerabilities
  35. 35. THANKS

×