WordPress security: an analysis based on publicly available exploits

The danger of SQL injection has been known for more than a decade, yet injection attacks have led the OWASP Top 10 for years and remain one of the major causes of devastating attacks on web sites. Since about 24% of the top 10 million web sites are built on the content management system WordPress, it is no surprise that content management systems in general, and WordPress in particular, are frequently targeted. To understand how the underlying security bugs can be discovered and exploited by attackers, 199 publicly disclosed SQL injection exploits for WordPress and its plugins have been analyzed. For each of them, the steps an attacker would take to uncover and exploit the bug are retraced in order to gain access to the underlying database, using automated, dynamic vulnerability scanning with well-known, freely available tools. Previous studies have shown that the majority of these security bugs are caused by the same programming errors as 10 years ago and state that the complexity of finding and exploiting them has not increased significantly. They further claim that, although the complexity has not increased, automated tools still fail to detect the majority of the bugs. The results of this paper show that tools for automated, dynamic vulnerability scanning play only a subordinate role in developing exploits, because only a small percentage of the attack vectors can be found during the detection phase. So even if the complexity of exploiting an attack vector has not increased, the attack vector has to be found in the first place, and that is the major challenge for this kind of tool. Therefore, from today's perspective, combining such scanners with manual and/or static analysis is essential when testing for security vulnerabilities.
