Understanding vulnerabilities in plugin-based web systems: an exploratory study of WordPress

A common software product line strategy is the plugin-based web system, which supports simple and quick incorporation of custom behaviors. As a result, such systems have been widely adopted to create web-based applications. Indeed, the popularity of ecosystems that support plugin-based development (e.g., WordPress) is largely due to the number of customization options available as community-contributed plugins. However, plugin-related vulnerabilities tend to be recurrent, exploitable and hard to detect, and may lead to severe consequences for the customized product. Hence, there is a need to better understand such vulnerabilities in order to prevent the security threats they pose. We therefore conducted an exploratory study to characterize vulnerabilities caused by plugins in web-based systems. To this end, we went over WordPress vulnerability bulletins cataloged by the National Vulnerability Database, as well as the associated patches maintained in the WordPress plugins repository. We identified the main types of vulnerabilities caused by plugins, their impact, and the size of the patch needed to fix each vulnerability. Moreover, we identified the most common security-related topics discussed among WordPress developers. We observed that, while plugin-related vulnerabilities may have severe consequences and may remain unnoticed for years before being fixed, they can commonly be mitigated with small and localized changes to the source code. This characterization provides an understanding of how typical plugin-based vulnerabilities manifest themselves in practice, and can help steer future research on plugin-based vulnerability detection and prevention.
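The abstract describes a characterization that joins vulnerability bulletins to their plugin patches and measures type, impact, time to fix, and patch size. The following is an added example, not the paper's own tooling or data: it runs that characterization on constructed records. The bulletin shape is a simplified stand-in (not the real NVD JSON schema), the CVE identifiers are placeholders, and the diffs are constructed; the WordPress functions that appear inside the constructed diffs (`esc_html`, `esc_url`, `current_user_can`, `update_option`) are real, but the plugin files they are shown in are invented. Patch size is measured as churn (added plus removed lines) by walking unified-diff hunks with the line counts from each `@@` header, which is what keeps a removed line that happens to start with `--` from being mistaken for a file header.

```python
import re
from collections import defaultdict
from datetime import date
from statistics import mean, median

# Constructed sample bulletins in a simplified shape. This is NOT the NVD JSON
# schema, and the CVE ids are placeholders rather than real advisories.
BULLETINS = [
    {"id": "CVE-0000-0001", "cwe": "CWE-79",  "cvss": 6.1,
     "published": date(2014, 5, 1),  "fixed": date(2014, 5, 3)},
    {"id": "CVE-0000-0002", "cwe": "CWE-79",  "cvss": 5.3,
     "published": date(2015, 1, 12), "fixed": date(2016, 2, 20)},
    {"id": "CVE-0000-0003", "cwe": "CWE-862", "cvss": 8.8,
     "published": date(2015, 9, 9),  "fixed": date(2015, 9, 10)},
]

# Constructed unified diffs standing in for the patches kept in the plugin
# repository. File names are invented; the WordPress API calls are real.
PATCHES = {
    "CVE-0000-0001": (
        "--- a/search.php\n"
        "+++ b/search.php\n"
        "@@ -10,1 +10,1 @@\n"
        "-echo $_GET['q'];\n"
        "+echo esc_html( $_GET['q'] );\n"
    ),
    "CVE-0000-0002": (
        "--- a/widget.php\n"
        "+++ b/widget.php\n"
        "@@ -20,1 +20,1 @@\n"
        "-echo '<a href=\"' . $url . '\">';\n"
        "+echo '<a href=\"' . esc_url( $url ) . '\">';\n"
    ),
    "CVE-0000-0003": (
        "--- a/admin.php\n"
        "+++ b/admin.php\n"
        "@@ -5,2 +5,5 @@\n"
        " function save_settings() {\n"
        "+    if ( ! current_user_can( 'manage_options' ) ) {\n"
        "+        return;\n"
        "+    }\n"
        "     update_option( 'acme_settings', $_POST['settings'] );\n"
    ),
}

# "@@ -start[,count] +start[,count] @@"; a missing count means one line.
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")


def patch_size(diff):
    """Measure a unified diff: added/removed lines (churn) and files touched.

    Lines are attributed to a hunk using the counts in its @@ header, so a
    removed line that begins with '--' is never confused with a '---' header.
    """
    added = removed = files = 0
    old_left = new_left = 0  # lines still expected in the current hunk
    for line in diff.splitlines():
        m = HUNK_RE.match(line)
        if m:
            old_left = int(m.group(1) or 1)
            new_left = int(m.group(2) or 1)
            continue
        if old_left == 0 and new_left == 0:
            # Outside any hunk: only the '+++' file header is of interest.
            if line.startswith("+++ "):
                files += 1
            continue
        if line.startswith("+"):
            added += 1
            new_left -= 1
        elif line.startswith("-"):
            removed += 1
            old_left -= 1
        elif line.startswith("\\"):
            continue  # "\ No newline at end of file" marker
        else:
            old_left -= 1  # context line: present on both sides
            new_left -= 1
    return {"added": added, "removed": removed,
            "churn": added + removed, "files": files}


def days_unfixed(record):
    """Days between the bulletin's publication and the fix."""
    return (record["fixed"] - record["published"]).days


def severity(cvss):
    """CVSS v3 qualitative band for a base score."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low" if cvss > 0.0 else "None"


def characterize(bulletins, patches):
    """Summarize bulletins per weakness type: count, mean impact, median
    patch churn and the longest time a vulnerability stayed unfixed."""
    by_type = defaultdict(list)
    for rec in bulletins:
        size = patch_size(patches[rec["id"]])
        by_type[rec["cwe"]].append({"cvss": rec["cvss"],
                                    "severity": severity(rec["cvss"]),
                                    "churn": size["churn"],
                                    "days": days_unfixed(rec)})
    return {cwe: {"count": len(rows),
                  "mean_cvss": round(mean(r["cvss"] for r in rows), 1),
                  "median_churn": median(r["churn"] for r in rows),
                  "max_days_unfixed": max(r["days"] for r in rows)}
            for cwe, rows in by_type.items()}


if __name__ == "__main__":
    for cwe, stats in characterize(BULLETINS, PATCHES).items():
        print(cwe, stats)
```

On the constructed data the output mirrors the abstract's observation: one weakness type stays unfixed for over a year, yet every patch is a handful of lines in a single file.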
