1. Prajal Kulkarni
@prajalkulkarni
The Tale of 100 CVE’s

2. @about me
• Security Engineer @Flipkart
• Likes to do Bug Hunting!
• Loves coding in Python
• Member of null security community
• Lead vocalist @Sathee
@prajalkulkarni

3.  WordPress Security Ecosystem!
 100 CVE’s in less than a month!
 How we did it?
What Tale?

4. 60 Million Websites Worldwide
Powers 1 in 5 of all the worlds websites in the world
-Matt
Current stable release 3.9.1
Version 3.8 downloads > 20 Million times
-Stats from Wikipedia

5. Wordpress Ecosytem

7. Scary Enough?

8. Still not??

10. WordPress Core – Stable 3.9.1
31,154 Plugins
More than 2.5K Themes
Wordpress Security Ecosytem

11. Our attempt to Improve the Ecosystem

12. Once Upon a Time
Credits - Anant Shrivastava

13. Wait Something not right!

14. Vulnerabilities Found!
Full path disclosure
-pma/error.php
-pma/libraries/PMA_List_Database.class.php
PHP info disclosure
-pma/phpinfo.php
Security Bypass Allows direct access.
-pma/server_databases.php - Full access to all features
including SQL window
-pma/main.php – reveals all the details of the database

15. Timeliness
• Author Contacted: 24 July 2013
• No positive response from the author
• Wordpress Security Team contacted: 11 September 2013
• Plugin Disabled in the repository : 21 October 2013

16. End Result?
Plugin Closed!
CVE-2013-4462
http://seclists.org/oss-sec/2013/q4/144

17. Started Project CodeVigilant
• Spot new issues in Plugins/Themes
• Report to the relevant author
• Get the patch released
• Else close the Plugin/Theme

18. What is required?
Apache/MySQL/PHP
XAMPP/WAMP
Python 2.7

19. Our Approach
Download the latest WordPress and install
locally
Download all Plugins (31k)
Download all Themes (2.5k)

20. From Where do I get plugins/themes??

21. http://themes.svn.wordpress.org/

22. Download Themes Locally

23. Now What?

24. Started with Manual Approach!
Analyze Plugin/Theme source code
Understand the logic
Find Issues
Report !

25. Slow Results!!

26. Two Weeks Stats ??
Vulnerability Chart
LFI
Xss
Auth Bypass
Using Components With
Known Vulnerabilities
10
9
1
1

27. Took a Lot of Time!

28. Lets Automate Everything!

29. Started with Cross site Scripting!

31. Simple Logic!
Find all $_GET parameters
Replace their value with chk_string:
'><script>alert(document.cookie)</script>
Send the request with the appropriate URL structure
Check if the response contains the chk_string

32. Guess What!
• More than 100 valid XSS!
• Testing for XSS we also stumbled upon:
– SSRF
– LFI
– Unvalidated Redirects and Forwards

33. Stats for the next 3 weeks!
A3-Cross-Site Scripting 211
Unvalidated Redirects and
Forwards
4
Local File Inclusion 6
Information Disclosure 1
Direct access & Auth
Bypass
1
Using Components with
Known Vulnerabilities
30
SSRF/XSPA 4
Injection 9

35. http://codevigilant.com/

36. Future for codevigilant
Automation frameworks for other vulnerabilities
Explore other platforms like Drupal & Jumla
Encourage External Researchers to contribute.

37. Prajal Kulkarni
@prajakulkarni
http://www.prajalkulkarni.com
Anant Shrivastava
@anantshri
http://www.anantshri.info
Project Leads

38. Questions?