Dan Catalin Vasile - Hacking the Wordpress Ecosystem
DESCRIPTION
Dan Catalin Vasile - Hacking the Wordpress Ecosystem, OWASP Romania InfoSec Conference, Bucharest, October 25, 2013
TRANSCRIPT
Hacking the Wordpress Ecosystem

About Me
Dan Catalin VASILE
• Information Security Consultant
• Researcher / Writer / Presenter
• OWASP Romania Board Member
• Online presence
– http://www.pentest.ro
– [email protected] / @DanCVASILE
Hacking the Wordpress Ecosystem: WHY?
About the talk

More numbers
About the talk

Finding Wordpress!
About the talk

SCOPE?
Scope

TO SCARE!!!!
Scope
Attacks on:
- The Wordpress platform
- Plugins
- Themes
- Infrastructure
- Humans

and TO REPAIR.
Scope
Focus on:
- Infrastructure
- Installation process
- Protective server side measures
- Protective client side measures
- Reviewing source code
- Maintenance

Wordpress Ecosystem
The five components of the ecosystem:
- Infrastructure
- Base platform
- Users
- Themes
- Plugins
Hacking the infrastructure
Physical security

Hacking the infrastructure
Common web server vulnerabilities
• Overflows
• DoS
• Remote command execution
• XSS in internal tools
• Security Misconfiguration
… just to name a few & more: http://httpd.apache.org/security/vulnerabilities_22.html

Hacking the infrastructure
PHP vulnerabilities
• DoS
• Overflows
• Remote command execution
• SQL injection
• XSS
• Source code disclosure
• RFI
• CSRF
& more

Hacking the Wordpress platform
One example from the CVE Database
Hacking the plugins
How many plugins are there? 27,596 PLUGINS, 536,317,915 DOWNLOADS (as of October 2013)
How many of them are vulnerable? Not as many as you’d expect. CVE lists ‘only’ 164 vulnerabilities (not all of them related to plugins).
Fear not! New plugins every day & new disclosures on old plugins.

Hacking the themes
Themes can be vulnerable!
They sometimes come bundled with other plugins that are needed for the functionality they offer.
Think about the TimThumb vulnerability!

Hacking the themes
What is TimThumb? A small PHP script for cropping, zooming and resizing web images (jpg, png, gif). Perfect for use on blogs and other applications.
The problem! “TimThumb” essentially caches even remote files locally, without doing any proper sanitization.
The problem for hackers: the file “timthumb.php” does, however, check whether the target file is actually an image or not. This timthumb file is also quite often renamed to something else and is used in many themes.
TimThumb hack
The easiest way to trick TimThumb into believing a remotely stored image (that also contains evil PHP code) is an actual image: with timthumbcraft

TimThumb hack
Uploading the file

TimThumb hack
Additional problems with the TimThumb hack:
- When uploading the image, the PHP script will be located in the cache directory with a ‘random’ name

TimThumb hack
We’re IN!

Hacking the users
Last but not least, hacking the human element:
- Social engineering
- Phishing
- Exploiting bad habits

Let’s fix it
Let’s start fixing the Wordpress Ecosystem
Short recap:
- Infrastructure
- Wordpress base platform
- Wordpress plugins
- Wordpress themes
- Users
Fixing the Infrastructure
INFRASTRUCTURE
- Choose a decent data-center
- Use encryption for physical disks
- Use secure communication channels with the server (SSH, SFTP); do you still use FTP? You should be banned from the world.
- Keep the Web Server, PHP and Database updated to the latest version
- Secure configurations (disable directory listing, secure php.ini configuration, etc.)
- Log and analyze
Fixing the Wordpress platform
WORDPRESS PLATFORM - INSTALLATION
- Always download the platform from a trusted source; use https://wordpress.org/download/
- Change the default ‘admin’ username
- Set a strong password
- Change the default ‘wp_’ table prefix
- Set an insane database password
- Move wp-config.php outside /public_html

Fixing the Wordpress platform
WORDPRESS PLATFORM - MAINTENANCE
- BACKUP!!! (BackWPup plugin)
- Update!
- Use SSL for authentication
- Use CAPTCHA for logging in (Captcha on Login plugin)
- Limit the access to /wp-admin (from .htaccess)
- Source code audit
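As an added example (written for this transcript, not code from the talk), a Python audit of the wp-config.php items from the installation and maintenance slides: the ‘wp_’ table prefix, the database password, the FORCE_SSL_ADMIN constant that WordPress uses to implement “use SSL for authentication”, and a check that the file lives outside the document root. The sample configuration, the finding codes and the 16-character threshold are constructed assumptions.

```python
import posixpath
import re

# Constructed sample wp-config.php showing several weak defaults the
# slides warn about (not a real site's configuration).
SAMPLE_WP_CONFIG = """<?php
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'wpuser');
$table_prefix = 'wp_';
"""

DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def parse_wp_config(text):
    """Return ({constant: value}, table_prefix) from wp-config.php source."""
    defines = {name: raw.strip().strip("'\"") for name, raw in DEFINE_RE.findall(text)}
    match = PREFIX_RE.search(text)
    return defines, (match.group(1) if match else None)


def audit_wp_config(text, min_db_password_len=16):
    """Flag settings that contradict the checklist; returns finding codes in check order."""
    defines, prefix = parse_wp_config(text)
    findings = []
    if prefix == "wp_":
        findings.append("default-table-prefix")
    password = defines.get("DB_PASSWORD", "")
    if len(password) < min_db_password_len:  # threshold is a constructed choice
        findings.append("short-db-password")
    if password and password == defines.get("DB_USER"):
        findings.append("db-password-equals-user")
    # FORCE_SSL_ADMIN is WordPress's own constant for forcing SSL on login/admin.
    if defines.get("FORCE_SSL_ADMIN", "").lower() != "true":
        findings.append("force-ssl-admin-not-set")
    return findings


def config_outside_webroot(config_path, webroot):
    """True when wp-config.php sits above the document root ('move wp-config.php
    outside /public_html'); WordPress also looks one directory above the install."""
    root = posixpath.normpath(webroot).rstrip("/") + "/"
    return not posixpath.normpath(config_path).startswith(root)


if __name__ == "__main__":
    for code in audit_wp_config(SAMPLE_WP_CONFIG):
        print("FINDING:", code)
    print("config outside webroot:",
          config_outside_webroot("/var/www/wp-config.php", "/var/www/public_html"))
```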
Fixing the themes
THEMES
- Update
- Review the code

Fixing the plugins
PLUGINS
- Delete unused plugins
- Update
- Review ratings and user comments
- Source code audit

Fixing the users
USERS
- Awareness
- Set user roles and give only the privileges they need
- Log & audit user actions (ARYO Activity Log plugin)
- Personal computer security
- Enforce the use of strong passwords (Minimum Password Strength plugin)

Further actions
Install one or more security plugins
• Login Security Solution
• AntiVirus
• WP Security Scan
• WordPress File Monitor Plus
• OSE Firewall Security
• Block Bad Queries
• Wordfence

Further actions
Monitor the website from an external party
• WebsiteDefender
• Pingdom
• Change Detection

Further actions
Source code audit

What to do
If you know what you’re doing, do the whole ecosystem yourself.
Otherwise go with a managed solution:
• Wordpress.org
• Wpengine.com
• Godaddy.com
• Etc.

Goal
Wordpress Security Checklist project on OWASP: https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
My part:
- Establish the structure
- Contribute with content
I need help for:
- Content
- Plugin suggestions and reviews
- Source code audits

Questions?
Thank you!