
The Tale of 100 CVEs


  1. Prajal Kulkarni (@prajalkulkarni): The Tale of 100 CVEs
  2. About me
     • Security Engineer @Flipkart
     • Likes to do bug hunting
     • Loves coding in Python
     • Member of the null security community
     • Lead vocalist @Sathee
  3. What tale?
     • The WordPress security ecosystem
     • 100 CVEs in less than a month
     • How we did it
  4. WordPress by the numbers
     • 60 million websites worldwide
     • "Powers 1 in 5 of all the websites in the world" – Matt
     • Current stable release: 3.9.1
     • Version 3.8 downloaded more than 20 million times
     • Stats from Wikipedia
  5. WordPress Ecosystem
  6. Scary enough?
  7. Still not?
  8. WordPress Security Ecosystem
     • WordPress Core – stable 3.9.1
     • 31,154 plugins
     • More than 2.5K themes
  9. Our attempt to improve the ecosystem
  10. Once upon a time (credits: Anant Shrivastava)
  11. Wait, something's not right!
  12. Vulnerabilities found
     • Full path disclosure: pma/error.php, pma/libraries/PMA_List_Database.class.php
     • PHP info disclosure: pma/phpinfo.php
     • Security bypass (allows direct access): pma/server_databases.php – full access to all features including the SQL window; pma/main.php – reveals all the details of the database
  13. Timeline
     • Author contacted: 24 July 2013
     • No positive response from the author
     • WordPress Security Team contacted: 11 September 2013
     • Plugin disabled in the repository: 21 October 2013
  14. End result? Plugin closed. CVE-2013-4462, http://seclists.org/oss-sec/2013/q4/144
  15. Started Project CodeVigilant
     • Spot new issues in plugins/themes
     • Report to the relevant author
     • Get the patch released
     • Else, close the plugin/theme
  16. What is required? Apache/MySQL/PHP (XAMPP/WAMP), Python 2.7
  17. Our approach
     • Download the latest WordPress and install it locally
     • Download all plugins (31k)
     • Download all themes (2.5k)
  18. Where do I get plugins/themes from?
  19. http://themes.svn.wordpress.org/
  20. Download themes locally
  21. Now what?
  22. Started with a manual approach: analyze the plugin/theme source code, understand the logic, find issues, report!
  23. Slow results!
  24. Two-week stats (vulnerability chart)
     • LFI: 10
     • XSS: 9
     • Auth bypass: 1
     • Using components with known vulnerabilities: 1
  25. Took a lot of time!
  26. Let's automate everything!
  27. Started with cross-site scripting!
  28. Simple logic
     • Find all $_GET parameters
     • Replace their value with chk_string: '><script>alert(document.cookie)</script>
     • Send the request with the appropriate URL structure
     • Check if the response contains the chk_string
  29. Guess what!
     • More than 100 valid XSS!
     • While testing for XSS we also stumbled upon: SSRF, LFI, unvalidated redirects and forwards
  30. Stats for the next 3 weeks
     • A3 – Cross-Site Scripting: 211
     • Unvalidated Redirects and Forwards: 4
     • Local File Inclusion: 6
     • Information Disclosure: 1
     • Direct Access & Auth Bypass: 1
     • Using Components with Known Vulnerabilities: 30
     • SSRF/XSPA: 4
     • Injection: 9
  31. http://codevigilant.com/
  32. Future for CodeVigilant
     • Automation frameworks for other vulnerabilities
     • Explore other platforms like Drupal and Joomla
     • Encourage external researchers to contribute
  33. Project leads: Prajal Kulkarni (@prajakulkarni, http://www.prajalkulkarni.com); Anant Shrivastava (@anantshri, http://www.anantshri.info)
  34. Questions?
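The reflection check described on slide 28, as an added example that is not the CodeVigilant tool itself: it pulls `$_GET` parameter names out of plugin source, sets each one to a marker string, and reports parameters whose marker comes back unencoded. The PHP sources and the `fake_fetch` stand-in for the local WordPress install are constructed, and a harmless marker containing `'"<>` is used instead of the deck's script string, since the point is to detect missing output encoding in code you maintain.

```python
import re
from html import escape
from urllib.parse import urlencode

# Constructed plugin files standing in for real plugin sources (not from the deck).
PLUGIN_SOURCES = {
    "plugin-a/view.php": "<?php echo 'Hello ' . $_GET['name']; ?>",
    "plugin-b/search.php": "<?php $q = $_GET[\"q\"]; echo 'Results for ' . htmlspecialchars($q); ?>",
}

# Marker containing the characters an unencoded reflection would leave intact.
CHK_STRING = "chkstr'\"<>zz"

GET_PARAM_RE = re.compile(r"\$_GET\[\s*['\"]([A-Za-z0-9_]+)['\"]\s*\]")


def find_get_params(php_source):
    """Return the unique $_GET parameter names a PHP file reads, in order of appearance."""
    seen = []
    for name in GET_PARAM_RE.findall(php_source):
        if name not in seen:
            seen.append(name)
    return seen


def build_url(base, path, params):
    """Build the request URL with every given parameter set to the marker (URL-encoded)."""
    return "%s/%s?%s" % (base, path, urlencode({p: CHK_STRING for p in params}))


def fake_fetch(path, params):
    """Stand-in for an HTTP GET against a local install (assumption: replace with a real
    request). Mirrors the two constructed files: view.php echoes raw, search.php escapes."""
    if path.endswith("view.php"):
        return "Hello " + params.get("name", "")
    if path.endswith("search.php"):
        return "Results for " + escape(params.get("q", ""), quote=True)
    return ""


def scan(sources, fetch=fake_fetch):
    """Test each discovered parameter on its own and report (path, param) pairs
    whose marker is reflected unchanged, i.e. without output encoding."""
    findings = []
    for path, src in sources.items():
        for param in find_get_params(src):
            body = fetch(path, {param: CHK_STRING})
            if CHK_STRING in body:
                findings.append((path, param))
    return findings
```

Testing one parameter per request, rather than all at once, is what lets the report name the exact parameter that lacks encoding.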
