Articles

    Publish
     
      • The Ultimate WordPress Plugin Security Testing Cheat Sheet

        Oct 20 2017, 8:40 PM

        by larsonr eever 2

        The security documentation provided by WordPress and found online for plugin security is sparse, outdated or unclear. This cheat sheet is intended for Penetration Testers who audit WordPress plugins or developers who wish to audit their own WordPress plugins. This cheat sheet can be effectively used to test various WordPress plugins.

        Cross-Site Scripting (XSS)

        Check if the following global PHP variables are echo'd to pages, or stored in the database and echo'd at a later time without first being sanitised or output encoded.

        • $_GET
        • $_POST
        • $_REQUEST
        • $_SERVER['REQUEST_URI']
        • $_SERVER['PHP_SELF']
        • $_SERVER['HTTP_REFERER']
        • $_COOKIE

        (Note: the list of sources above is not extensive nor complete)

        Cross-Site Scripting (XSS) Tips

        Unsafe API functions

        The following functions can cause XSS if not secured:

        • add_query_arg()
        • remove_query_arg()

        See References Below:

        DISALLOWUNFILTEREDHTML

        When doing dynamic testing for XSS the following setting in the wp-config.php file may reduce false positive results as it prevents administrative and editor users from being able to embed/execute JavaScript/HTML, which by default they are permitted to do.

        define( 'DISALLOW_UNFILTERED_HTML', true );

        SQL Injection

        Unsafe API methods (require sanitising/escaping):

        • $wpdb->query()
        • $wpdb->get_var()
        • $wpdb->get_row()
        • $wpdb->get_col()
        • $wpdb->get_results()
        • $wpdb->replace()

        Safe API methods (according to WordPress):

        • $wpdb->insert()
        • $wpdb->update()
        • $wpdb->delete()

        Safe code, prepared statement:

        <?php $sql = $wpdb->prepare( 'query' , value_parameter[, value_parameter ... ] ); ?>

        Note: Before WordPress 3.5 $wpdb->prepare could be used insecurely as you could just pass the query without using placeholders, like in the following example:

        $wpdb->query( $wpdb->prepare( "INSERT INTO table (user, pass) VALUES ('$user', '$pass')" ) );

        SQL Injection Tips

        Unsafe escaping ('securing') API methods:

        • esc_sql() function does not adequately protect against SQL Injection - see refs below
        • escape() same as above
        • esc_like() same as above
        • like_escape() same as above

        Displaying/hiding SQL errors:

        <?php $wpdb->show_errors(); ?> <?php $wpdb->hide_errors(); ?> <?php $wpdb->print_error(); ?>

        File Inclusion

        • include()
        • require()
        • include_once()
        • require_once()

        PHP Object Injection

        • unserialize()

        Command Execution

        • system()
        • exec()
        • passthru()
        • shell_exec()

        PHP Code Execution

        • eval()
        • assert()
        • preg_replace() dangerous "e" flag deprecated since PHP >= 5.5.0 and removed in PHP >= 7.0.0.

        Authorisation

        • is_admin() does not check if the user is authenticated as administrator, only checks if page displayed is in the admin section, can lead to auth bypass if misused.
        • is_user_admin() same as above
        • current_user_can() used for checking authorisation. This is what should be used to check authorisation.

        Open Redirect

        • wp_redirect() function can be used to redirect to user supplied URLs. If user input is not sanitised or validated this could lead to Open Redirect vulnerabilities.

        Cross-Site Request Forgery (CSRF)

        • wp_nonce_field() adds CSRF token to forms
        • wp_nonce_url() adds CSRF token to URL
        • wp_verify_nonce() checks the CSRF token validity server side
        • check_admin_referer() checks the CSRF token validity server side and came from admin screen

        SSL/TLS

        • CURLOPT_SSL_VERIFYHOST if set to 0 then does not check name in host certificate
        • CURLOPT_SSL_VERIFYPEER if set to FALSE then does not check if the certificate (inc chain), is trusted
        • Check if HTTP is used to communicate with backend servers or APIs. A grep for "http://" should be sufficient.

        Further reading/references:

        1. https://developer.wordpress.org/plugins/security/
        2. https://codex.wordpress.org/FunctionReference/escsql
        3. https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
        4. https://secure.wphackedhelp.com/fixmysite.html
        5. https://curl.haxx.se/libcurl/c/CURLOPTSSLVERIFYHOST.html
        6. https://www.owasp.org/index.php/OWASPWordpressSecurityImplementationGuideline
        7. http://php.net/manual/en/function.preg-replace.php

        • Tip How to
        • Security Risks
        • DigiCert Code Signing
        • Error messages
        • Vulnerabilities & Exploits
        • Best Practice
        • Products
        • Malware Scan
        • Vulnerability Assessment
        • Symantec Website Security
        • DigiCert Complete Website Security
        • DigiCert SSL TLS Certificates
        • Managed PKI for SSL
      • The importance of orchestrated “cloud” security

        Feb 23 2015, 7:43 PM

        by Dion Alken 6

        The importance of orchestrated “cloud” security

        In today’s digital world, the area of security and safety has become paramount. Cybercrimes are on the rise and are becoming more sophisticated. We could be experiencing “a new era in cybercrime”.

        In 2015 we already had some interesting cases:

        This week it was revealed that the Carbanak malware used by the cyber-criminals proved to be very successful in helping the attackers steal around $1 billion. Researchers are worried about the increasing sophistication of attacks.

        Despite increased awareness of cybercrime within the financial services sector, it appears that spear phishing attacks (http://ie.norton.com/spear-phishing-scam-not-sport/article) and the old exploits (for which patches have been disseminated) remain effective against larger companies. Attackers always use this minimal effort approach in order to bypass a victim ́s defences

        Researchers said: “the most highly sophisticated criminal attack we have ever seen.”  “It’s like an arms race. Security companies develop better protection and criminals develop better malware to bypass it,”

        While early versions of Carbanak (https://www-secure.symantec.com/connect/app#!/blogs/carbanak-multi-million-dollar-cybercrime-gang-focuses-banks-rather-their-customers)  were based partially on code from Carberp (https://www-secure.symantec.com/connect/app#!/blogs/new-carberp-variant-heads-down-under),  the latest versions do not appear to use any Carberp source code. In 2013 Russian authorities claimed to have captured the mastermind behind the Carberp banking Trojan and other members of this criminal gang.

        The cybercrime ring, led by a 28-year old Russian national, allegedly had been in operation since 2009 and has stolen approximately $250 million from Ukrainian and Russian banks, according to an April 2013 report from Kommersant Ukraine, a national publication.

        In March 2012, authorities arrested and broke up a gang that used Carberp to steal $2 million from over 90 individual bank accounts. That cybercrime gang used the malware and was not responsible for developing the Trojan. The black-market price for the malware was between $5,000 and $50,000.

        Then there are new developments in enterprise level threats with a “cyber-warfare” character.

        The designers of Stuxnet (http://virus.wikidot.com/stuxnet) have further developed new malware that can enter into the firmware of hardware and is able to effect the heart of the computer – The Bios-code (http://en.wikipedia.org/wiki/BIOS). The Equation group is a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. The Equation group uses multiple malware platforms, some of which surpass the well-known “Regin” (https://www-secure.symantec.com/connect/app#!/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance)  threat in complexity and sophistication. The Equation group (http://en.wikipedia.org/wiki/Equation_Group) is probably one of the most sophisticated cyber-attack groups in the world; and they are the most advanced threat actor we have seen.

        So far, we’ve identified several malware platforms used exclusively by the Equation group. They are: • EQUATIONDRUG – A very complex attack platform used by the group on its victims. It supports a module plugin system, which can be dynamically uploaded and unloaded by the attackers.

        • DOUBLEFANTASY – A validator-style Trojan, designed to confirm the target is the intended one. If the target is confirmed, they get upgraded to a more sophisticated platform such as EQUATIONDRUG or GRAYFISH.

        • EQUESTRE – Same as EQUATIONDRUG.

        • TRIPLEFANTASY – Full-featured backdoor sometimes used in tandem with GRAYFISH. Looks like an upgrade of DOUBLEFANTASY, and is possibly a more recent validator-style plugin.

        • GRAYFISH – The most sophisticated attack platform from the EQUATION group. It resides completely in the registry, relying on a boot kit to gain execution at OS start-up.

        • FANNY – A computer worm created in 2008 and used to gather information about targets in the Middle East and Asia. Some victims appear to have been upgraded first to DoubleFantasy, and then to the EQUATIONDRUG system. Fanny used exploits for two zero-day vulnerabilities which were later discovered with Stuxnet.

        • EQUATIONLASER – An early implant from the EQUATION group, used around 2001-2004. Compatible with Windows 95/98, and created sometime between DOUBLEFANTASY and EQUATIONDRUG.

        So are there more threats? Yes.

        Are VPNs and VoIP sessions also targeted at an industrial scale? Yes.

        In 2014 it was revealed that malware on systems is spreading automatically via social networks like for example fake Facebook servers, as to infect millions of computers. Electronic infiltration methods for industrial-scale exploitation have therefore aggressively scaled.

        Large arsenals of imaginatively named malware, to remotely control computers and to capture data from them, as well as to interrupt their operation are now revealed.

        For example:

        UNITEDRAKE is modular malware that can take complete control of infected computers.

        CAPTIVATEDAUDIENCE hijacks computer microphones and records conversations.

        FOGGYBOTTOM snatches web browser history files, and login details for sites and email accounts.

        GUMFISH controls webcams and takes photographs.

        SALVAGERABBIT can capture data from external drives.

        GROK is a key logger.

        QUANTUMSKY blocks access to specific websites.

        QUANTUMCOPPER corrupts targets' file downloads.

        By using malware deployed in network routers. Access can be gained to data passing through virtual private networks. The HAMMERSTEIN man in the middle malware appears to attack the Internet Key Exchange (IKE) phase used to set up secure VPN sessions, and attempts decryption of content.

        In a similar manner, the HAMMERCHANT router implant can compromise Voice over Internet Protocol communications, capturing Session Initiation Protocol (SIP/H.323) signalling used to set up calls as well the Real Time Protocol (RTP) data streams for the content.
        Vulnerabilities in web browsers, the Oracle Java and Adobe Flash frameworks, and router software are used to infect devices. The "man in the middle" (MITM) technique, whereby software is secretly placed on networks between computers communicating with each other is a favourite technique of hackers. MITM allows multiple devices to be targeted and also makes it easier to capture the data they transmit.

         

        What can we do as consumers, businesses and governments?

        Firstly we need to understand that communication between sender and receiver has always been vulnerable.

        We cannot rely on an encryption or antivirus alone. As an IT manager, it is interesting to know that more than half a billion (552 million) identities were exposed in 2013 as a result of data breaches. As malware designers are developing technologies on more vulnerability then we ever had. Users, Companies and Governments need to expect that their information is treasure booty for targeted and automated attacks.

        Symantec can help with the complete security and information management orchestration incorporating up to date cloud security solutions http://www.symantec.com/products-solutions/solutions/detail.jsp?parent=cloud&child=build_cloud.

        Depending on your needs our team will be able to orchestrate the optimal solution for you.

        Progress in malware can be countered by the latest security research and advances in security and compliance for devices and websites.

        Let our Symantec help you build your castle!

        • Security Risks
        • Endpoint Encryption
        • Malicious Code
        • DigiCert Code Signing
        • Emerging Threats
        • Evolution of Security
        • Vulnerabilities & Exploits
        • Protection Engine for Cloud Services
        • Products
        • Control Compliance Suite
        • DeepSight™ Technical Intelligence
        • Enterprise Security Manager
        • Malware Scan
        • Online Fraud
        • Internet Security Threat Report
        • Vulnerability Assessment
        • LiveUpdate
        • Symantec Website Security
        • Data Center Security
        • encryption
        • DigiCert SSL TLS Certificates
        • Endpoint Protection
        • Web Security.cloud