Shreya Pohekar & Syed Sheeraz Ali


Talk Title :

Raining CVEs On WordPress Plugins With Semgrep


Abstract :

Every organization has its own coding style and conventions, which makes it hard for a generic static analyzer to find bugs reliably in every codebase. The customizations these analyzers offer tend to produce large numbers of false positives.

In this research, we leveraged the open-source tool semgrep to write custom rules that ran over 80k WordPress plugins to find vulnerabilities like SQLi, XSS, and LFI in bulk. The first challenge was the large number of false positives. Studying the plugins' common coding patterns let us write more precise rules, and that tuning cut the false-positive rate drastically. Good rules let us identify vulnerable code just by reading semgrep's output, which removed the overhead of installing each plugin to validate findings manually.

The SQLi findings initially presented as time-based blind, but with the vulnerable code in hand we converted many of them to union-based SQLi. We bypassed filters to reach SQLi and XSS and wrote custom rules that match code using those bypassable filters. The XSS ruleset produced thousands of results with possible XSS, which led to the creation of an automated XSS validator: XSSBomb.

The talk includes a demo of basic semgrep usage, of writing custom rules, and of running them over the list of vulnerable plugin repos. We will also demo XSSBomb. Along the way, the research turned up some good real-world examples of secure coding and of WordPress's own mechanisms for preventing these attacks. In total, we found 47 confirmed bugs and were assigned CVEs for them.
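As an added example, not the authors' ruleset or code from the talk, here is a two-rule semgrep config in taint mode covering the two bug classes the abstract describes: request data reaching a $wpdb query without $wpdb->prepare(), and request data echoed without output escaping. The rule ids, the choice of sanitizers and the comments are the editor's; $wpdb->prepare(), esc_sql(), esc_html(), absint() and the other function names are real WordPress APIs.

```yaml
# wp-rules.yaml: editor-added example rules, not the authors' ruleset.
# Taint mode reports request data that flows from a source to a sink
# without passing through a sanitizer. Tuning the sanitizer list is where
# most of the false-positive reduction happens.
rules:
  - id: wp-sqli-request-data-in-wpdb-query
    languages: [php]
    severity: ERROR
    mode: taint
    message: >-
      Request-controlled data reaches a $wpdb query without $wpdb->prepare()
      or an integer cast. Likely SQL injection.
    pattern-sources:
      - pattern-either:
          - pattern: $_GET
          - pattern: $_POST
          - pattern: $_REQUEST
          - pattern: $_COOKIE
    pattern-sanitizers:
      # $wpdb->prepare() is the WordPress-sanctioned fix; intval()/absint()
      # force a numeric value, which cannot carry SQL syntax.
      - pattern: $wpdb->prepare(...)
      - pattern: intval(...)
      - pattern: absint(...)
      # esc_sql() is deliberately not listed: it only escapes quotes, so a
      # value concatenated unquoted, e.g. "... WHERE id = " . esc_sql($x),
      # is still injectable. Leaving it out keeps such code as a finding.
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: $wpdb->query($Q)
              - pattern: $wpdb->get_results($Q, ...)
              - pattern: $wpdb->get_var($Q, ...)
              - pattern: $wpdb->get_row($Q, ...)
              - pattern: $wpdb->get_col($Q, ...)
          # Only the query string argument is the sink, not the whole call.
          - focus-metavariable: $Q

  - id: wp-xss-request-data-echoed-unescaped
    languages: [php]
    severity: WARNING
    mode: taint
    message: >-
      Request-controlled data is written to the page without a WordPress
      escaping function. Likely reflected XSS.
    pattern-sources:
      - pattern-either:
          - pattern: $_GET
          - pattern: $_POST
          - pattern: $_REQUEST
          - pattern: $_COOKIE
    pattern-sanitizers:
      # Output-escaping helpers. sanitize_text_field() is an input-cleaning
      # function rather than an output escaper, so it is not listed here.
      - pattern: esc_html(...)
      - pattern: esc_attr(...)
      - pattern: esc_url(...)
      - pattern: esc_js(...)
      - pattern: esc_textarea(...)
      - pattern: wp_kses(...)
      - pattern: wp_kses_post(...)
      - pattern: intval(...)
      - pattern: absint(...)
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: echo $X;
              - pattern: print $X;
              - pattern: printf($X, ...)
          - focus-metavariable: $X
```

Check the file with `semgrep --validate --config wp-rules.yaml`, then run it over a plugin tree with `semgrep scan --config wp-rules.yaml --json -o results.json plugins/`. To keep the rules honest while tuning the sanitizer lists, keep a small `.php` file of known-vulnerable and known-safe snippets beside the rules, annotated with `// ruleid: <rule-id>` and `// ok: <rule-id>` comments, and run `semgrep --test --config wp-rules.yaml tests/` after every change.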

Bio :

Shreya Pohekar is a Developer and Security Researcher. She currently leads InfosecGirls Bhopal and previously led Null Bhopal. She is a challenge creator for Winja CTF and a contributor to the Code-Vigilant Project. She is an active speaker at community meetups such as Null, OWASP, and InfosecGirls. She blogs about technology and infosec at [shreyapohekar.com]. She is RHCSA certified and holds the Pro Hacker rank on Hack The Box.


Sheeraz is a Security Researcher and Developer. He leads Null Bhopal, has spoken at Null, and has contributed to other communities such as OWASP. He is a Security Content Engineer at Hack The Box and writes explanations and writeups at [sheerazali.com]. He has experience with Linux and web development, web security, Active Directory, and Linux and Windows administration. He likes to automate things, and his scripts for automating trivial tasks can be found at [github.com/pwnmeow]. He holds OSCP and several other training certifications. His major areas of interest are red and blue teaming.
