Prajal Kulkarni
@prajalkulkarni
The Tale of 100 CVE’s
@about me
• Security Engineer @Flipkart
• Likes to do Bug Hunting!
• Loves coding in Python
• Member of null security community
• Lead vocalist @Sathee
WordPress Security Ecosystem!
100 CVE's in less than a month!
How did we do it?
What Tale?
60 Million Websites Worldwide
Powers 1 in 5 of all the world's websites in the world
-Matt
Current stable release 3.9.1
Version 3.8 downloads > 20 Million times
-Stats from Wikipedia
WordPress Ecosystem
Scary Enough?
Still not??
WordPress Core – Stable 3.9.1
31,154 Plugins
More than 2.5K Themes
WordPress Security Ecosystem
Our attempt to Improve the Ecosystem
Once Upon a Time
Credits - Anant Shrivastava
Wait, something's not right!
Vulnerabilities Found!
Full path disclosure
-pma/error.php
-pma/libraries/PMA_List_Database.class.php
PHP info disclosure
-pma/phpinfo.php
Security bypass allows direct access
-pma/server_databases.php – full access to all features, including the SQL window
-pma/main.php – reveals all the details of the database
Timeliness
• Author Contacted: 24 July 2013
• No positive response from the author
• WordPress Security Team contacted: 11 September 2013
• Plugin disabled in the repository: 21 October 2013
End Result?
Plugin Closed!
CVE-2013-4462
http://seclists.org/oss-sec/2013/q4/144
Started Project CodeVigilant
• Spot new issues in Plugins/Themes
• Report to the relevant author
• Get the patch released
• Else close the Plugin/Theme
What is required?
Apache/MySQL/PHP
XAMPP/WAMP
Python 2.7
Our Approach
Download the latest WordPress and install locally
Download all Plugins (31k)
Download all Themes (2.5k)
From where do I get plugins/themes?
http://themes.svn.wordpress.org/
Download Themes Locally
Now What?
Started with Manual Approach!
Analyze Plugin/Theme source code
Understand the logic
Find Issues
Report !
Slow Results!!
Two Weeks' Stats?
Vulnerability Chart
LFI: 10
XSS: 9
Auth Bypass: 1
Using Components With Known Vulnerabilities: 1
Took a Lot of Time!
Let's Automate Everything!
Started with Cross site Scripting!
Simple Logic!
Find all $_GET parameters
Replace their value with chk_string:
'><script>alert(document.cookie)</script>
Send the request with the appropriate URL structure
Check if the response contains the chk_string
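The four steps above, put together as an added example (this is not CodeVigilant's own scanner, and it is written for Python 3 rather than the Python 2.7 named earlier). To run offline it replaces the live HTTP request with a constructed in-process stand-in: SAMPLE_PLUGIN_SOURCE is a made-up PHP file, simulated_plugin() plays the server that would execute it, and PLUGIN_URL is a placeholder path in the local install. The probe value keeps the `'` `>` `<` characters of the slide's chk_string but swaps the script payload for a random token, which is enough for the reflection check: a sink that runs the value through htmlspecialchars() alters those characters, so only an unescaped reflection matches.

```python
"""Reflected-XSS reflection check in the style of the slide's "Simple Logic".

Added example, not the project's code.  Constructed assumptions:
SAMPLE_PLUGIN_SOURCE, simulated_plugin() and PLUGIN_URL are made up here to
stand in for a plugin file, the server running it and its URL.
"""
import html
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed PHP source standing in for one plugin file under wp-content/plugins/.
SAMPLE_PLUGIN_SOURCE = r"""
<?php
$page = $_GET['page'];
$q    = isset($_GET["q"]) ? $_GET["q"] : "";
$sort = htmlspecialchars($_GET['sort'], ENT_QUOTES);
echo "<h1>Results for $q on $page</h1>";
echo "<a href='?sort=$sort'>sort</a>";
"""

# Placeholder URL of that file inside the local XAMPP/WAMP install (assumption).
PLUGIN_URL = "http://localhost/wp-content/plugins/example-plugin/view.php"

# Step 1: find all $_GET parameters.  Matches $_GET['name'] and $_GET["name"].
GET_PARAM_RE = re.compile(r"""\$_GET\s*\[\s*['"]([A-Za-z0-9_\-]+)['"]\s*\]""")


def find_get_params(php_source):
    """Return the distinct $_GET parameter names in order of first appearance."""
    names = []
    for name in GET_PARAM_RE.findall(php_source):
        if name not in names:
            names.append(name)
    return names


def make_chk_string():
    """Step 2: a probe value with the characters an HTML-escaping sink must
    alter (' > <) plus a random token, so a match cannot be accidental."""
    return "'><cv" + secrets.token_hex(6) + ">"


def build_url(base, params):
    """Step 3: the request URL with every parameter present, so the plugin's
    isset() checks pass and the probed parameter actually reaches the sink."""
    return base + "?" + urlencode(params)


def simulated_plugin(url):
    """Constructed stand-in for the server executing SAMPLE_PLUGIN_SOURCE:
    `page` and `q` are echoed raw, `sort` goes through htmlspecialchars()."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    page = params.get("page", "")
    q = params.get("q", "")
    sort = html.escape(params.get("sort", ""), quote=True)
    return (f"<h1>Results for {q} on {page}</h1>"
            f"<a href='?sort={sort}'>sort</a>")


def find_reflecting_params(php_source, send, base_url=PLUGIN_URL):
    """Steps 1-4 together: probe one parameter at a time (the others get a
    harmless filler) and report those whose response contains chk_string
    verbatim.  An escaped reflection (&#x27;&gt;&lt;cv...) does not match.
    `send` maps a URL to a response body; in a real run it would fetch it."""
    names = find_get_params(php_source)
    reflecting = []
    for target in names:
        chk_string = make_chk_string()
        params = {name: "1" for name in names}
        params[target] = chk_string
        response = send(build_url(base_url, params))
        if chk_string in response:
            reflecting.append(target)
    return reflecting


if __name__ == "__main__":
    for name in find_reflecting_params(SAMPLE_PLUGIN_SOURCE, simulated_plugin):
        print("reflected unescaped:", name)
```

Against the constructed file the check flags `page` and `q` and clears `sort`, which is the behaviour a plugin author should verify for every echoed request parameter; against a real local install, `send` would be the function that fetches the URL and returns the body.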
Guess What!
• More than 100 valid XSS!
• Testing for XSS we also stumbled upon:
– SSRF
– LFI
– Unvalidated Redirects and Forwards
Stats for the next 3 weeks!
A3 - Cross-Site Scripting: 211
Unvalidated Redirects and Forwards: 4
Local File Inclusion: 6
Information Disclosure: 1
Direct Access & Auth Bypass: 1
Using Components with Known Vulnerabilities: 30
SSRF/XSPA: 4
Injection: 9
http://codevigilant.com/
Future for CodeVigilant
Automation frameworks for other vulnerabilities
Explore other platforms like Drupal & Joomla
Encourage external researchers to contribute.
Prajal Kulkarni
@prajalkulkarni
http://www.prajalkulkarni.com
Anant Shrivastava
@anantshri
http://www.anantshri.info
Project Leads
Questions?