WordPress Plugin Security Scanner

•Télécharger en tant que ODP, PDF•

2 j'aime•773 vues

Avădănei Andrei

Short bio

● Founder & CEO of DefCamp … and CTO (tech), CFO (financial), CMO (marketing), Sales
Manager, Community Manager, Speaker, Team Coordinator :))
● Founder Cyber Security Research Center from Romania (CCSIR)
● Community manager @worldit.info
● Vice President at GREPIT
● Volunteer at BitDefender Romania
● ...

Once upon a time..

● Somewhere in the www appeared HTML websites
(bullshit)
● Then web 2.0 websites took the lights
● + third party plugins (hell yeah)
● It was a wonderful time full of innovation and peace (>:D<)
● Then came the hackers and seized a big opportunnity
● But that is another story. >:)

Third-party apps

● Some sort of crowd development
● A good idea, poorly implemented
● Used by everybody in different ways (Google, Facebook,
Apple, Wordpress, Joomla, Vbulletin, Moodle ..)
● Usually there is no security test for apps before being
accepted in their market store
● And there is the place where all magic starts

Case study : Wordpress

● 23,688 plugins
● 416,305,218 downloads
● and counting
● Not bad, right?
● If we cannot break in the core, lets hack his chilldrens
● And here WP Plugins Scanner come in

WP Plugins Scanner

● White box pentesting tool
● Hooked RIPS implemented
● You can download plugins from WP directory
● You can build some sort of repository on your localhost
● Asynchronous scanning
● Soon :
– target websites and enumerate their plugins
– subversioning for plugins
– auto-monitor updates
– cache-ing results
– similar scanners for Joomla, Vbulletin and others?

Thanks!

Avădănei Andrei
Founder & CEO DefCamp
linkedin.com/in/andreiavadanei
twitter.com/AndreiAvadanei
github.com/CCSIR/WP-Plugins-Scanner

Recommandé

Women Who Mule - Workshop series #2: GhostAlexandra N. Martinez

Hinting at a better webChristian Heilmann

Web security 101Kristaps Kūlis

eZ Summer Camp 2014: interactive dive into ez product backlogRoland Benedetti

Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAbhinav Mishra

We Economy - DrupalsouthEmma Jane Hogbin Westby

Develop, Debug, Learn? - Dotjs2019Christian Heilmann

Seven ways to be a happier JavaScript developer - NDC OsloChristian Heilmann

Recommandé

Women Who Mule - Workshop series #2: GhostAlexandra N. Martinez

Hinting at a better webChristian Heilmann

Web security 101Kristaps Kūlis

eZ Summer Camp 2014: interactive dive into ez product backlogRoland Benedetti

Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAbhinav Mishra

We Economy - DrupalsouthEmma Jane Hogbin Westby

Develop, Debug, Learn? - Dotjs2019Christian Heilmann

Seven ways to be a happier JavaScript developer - NDC OsloChristian Heilmann

Build and Deploy a Python Web App to Amazon in 30 MinsJeff Hull

Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,Sigma Software

Pentester++CTruncer

Understanding and implementing website securityDrew Gorton

wp cli- don’t fear the command lineDwayne McDaniel

Hacker vs company, Cloud Cyber Security Automated with Kubernetes - Demi Ben-...Demi Ben-Ari

WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress CodingAaron Saray

My Tools for Success in WordPressThomas Griffin

Tools to Save TimeBeMyApp

Tooling Matters - Development toolsSimon Dittlmann

Javascript Security - Three main methods of defending your MEAN stackRan Bar-Zik

EMFcamp2022 - What if apps logged into you, instead of you logging into apps?Chris Swan

Year Zeroleifdreizler

Malware analysis, threat intelligence and reverse engineeringbartblaze

Codebits 2014 - Secure Coding - Gamification and automation for the winTiago Henriques

Do WordPress developers write code?Stanko Metodiev

Mobile backends with Google Cloud Platform (MBLTDev'14)Natalia Efimtseva

Hacking for fun & profit - The Kubernetes Way - Demi Ben-Ari - PanoraysDemi Ben-Ari

Hacking for Innovation: IIT KharagpurSaurabh Sahni

No Code Development.pptxSayianJude

How you can become a hacker with no security experienceAvădănei Andrei

Honeypots - The Art of Building Secure Systems by Making them VulnerableAvădănei Andrei

Contenu connexe

Similaire à WordPress Plugin Security Scanner

Build and Deploy a Python Web App to Amazon in 30 MinsJeff Hull

Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,Sigma Software

Pentester++CTruncer

Understanding and implementing website securityDrew Gorton

wp cli- don’t fear the command lineDwayne McDaniel

Hacker vs company, Cloud Cyber Security Automated with Kubernetes - Demi Ben-...Demi Ben-Ari

WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress CodingAaron Saray

My Tools for Success in WordPressThomas Griffin

Tools to Save TimeBeMyApp

Tooling Matters - Development toolsSimon Dittlmann

Javascript Security - Three main methods of defending your MEAN stackRan Bar-Zik

EMFcamp2022 - What if apps logged into you, instead of you logging into apps?Chris Swan

Year Zeroleifdreizler

Malware analysis, threat intelligence and reverse engineeringbartblaze

Codebits 2014 - Secure Coding - Gamification and automation for the winTiago Henriques

Do WordPress developers write code?Stanko Metodiev

Mobile backends with Google Cloud Platform (MBLTDev'14)Natalia Efimtseva

Hacking for fun & profit - The Kubernetes Way - Demi Ben-Ari - PanoraysDemi Ben-Ari

Hacking for Innovation: IIT KharagpurSaurabh Sahni

No Code Development.pptxSayianJude

Similaire à WordPress Plugin Security Scanner (20)

Build and Deploy a Python Web App to Amazon in 30 Mins

Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,

Pentester++

Understanding and implementing website security

wp cli- don’t fear the command line

Hacker vs company, Cloud Cyber Security Automated with Kubernetes - Demi Ben-...

WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding

My Tools for Success in WordPress

Tools to Save Time

Tooling Matters - Development tools

Javascript Security - Three main methods of defending your MEAN stack

EMFcamp2022 - What if apps logged into you, instead of you logging into apps?

Year Zero

Malware analysis, threat intelligence and reverse engineering

Codebits 2014 - Secure Coding - Gamification and automation for the win

Do WordPress developers write code?

Mobile backends with Google Cloud Platform (MBLTDev'14)

Hacking for fun & profit - The Kubernetes Way - Demi Ben-Ari - Panorays

Hacking for Innovation: IIT Kharagpur

No Code Development.pptx

Plus de Avădănei Andrei

How you can become a hacker with no security experienceAvădănei Andrei

Honeypots - The Art of Building Secure Systems by Making them VulnerableAvădănei Andrei

DefCamp 2012 @BucharestAvădănei Andrei

A journey through an INFOSEC labyrinthAvădănei Andrei

Polish the WheelAvădănei Andrei

Virtual Anonimity – What? Why? When? How?Avădănei Andrei

SmartFenderAvădănei Andrei

SYDO - Secure Your Data by ObscurityAvădănei Andrei

Xss is more than a simple threatAvădănei Andrei

Arta de a susţine o prezentareAvădănei Andrei

Spaghetti Code vs MVCAvădănei Andrei

Plus de Avădănei Andrei (11)

How you can become a hacker with no security experience

Honeypots - The Art of Building Secure Systems by Making them Vulnerable

DefCamp 2012 @Bucharest

A journey through an INFOSEC labyrinth

Polish the Wheel

Virtual Anonimity – What? Why? When? How?

SmartFender

SYDO - Secure Your Data by Obscurity

Xss is more than a simple threat

Arta de a susţine o prezentare

Spaghetti Code vs MVC

WordPress Plugin Security Scanner

1. Wordpress Plugins Scanner „To hack or not hack, that is the real question!“ Avădănei Andrei Founder & CEO DefCamp linkedin.com/in/andreiavadanei twitter.com/AndreiAvadanei

2. Short bio ● Founder & CEO of DefCamp … and CTO (tech), CFO (financial), CMO (marketing), Sales Manager, Community Manager, Speaker, Team Coordinator :)) ● Founder Cyber Security Research Center from Romania (CCSIR) ● Community manager @worldit.info ● Vice President at GREPIT ● Volunteer at BitDefender Romania ● ...

3. Once upon a time.. ● Somewhere in the www appeared HTML websites (bullshit) ● Then web 2.0 websites took the lights ● + third party plugins (hell yeah) ● It was a wonderful time full of innovation and peace (>:D<) ● Then came the hackers and seized a big opportunnity ● But that is another story. >:)

4. Third-party apps ● Some sort of crowd development ● A good idea, poorly implemented ● Used by everybody in different ways (Google, Facebook, Apple, Wordpress, Joomla, Vbulletin, Moodle ..) ● Usually there is no security test for apps before being accepted in their market store ● And there is the place where all magic starts

5. Case study : Wordpress ● 23,688 plugins ● 416,305,218 downloads ● and counting ● Not bad, right? ● If we cannot break in the core, lets hack his chilldrens ● And here WP Plugins Scanner come in

6. WP Plugins Scanner ● White box pentesting tool ● Hooked RIPS implemented ● You can download plugins from WP directory ● You can build some sort of repository on your localhost ● Asynchronous scanning ● Soon : – target websites and enumerate their plugins – subversioning for plugins – auto-monitor updates – cache-ing results – similar scanners for Joomla, Vbulletin and others?

7. Demo

8. Questions? :-)

9. Thanks! Avădănei Andrei Founder & CEO DefCamp linkedin.com/in/andreiavadanei twitter.com/AndreiAvadanei github.com/CCSIR/WP-Plugins-Scanner

10. Thanks! Avădănei Andrei Founder & CEO DefCamp linkedin.com/in/andreiavadanei twitter.com/AndreiAvadanei github.com/CCSIR/WP-Plugins-Scanner