automated capability analysis in wordpress plugins
play

Automated capability analysis in Wordpress plugins Using static and - PowerPoint PPT Presentation

Feb 02, 2024 •125 likes •480 views

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2 Frank Uijtewaal Collab: DongIT (dongit.nl) Initial project goal Find a new and interesting type of security analysis for web applications

  1. Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2 Frank Uijtewaal Collab: DongIT (dongit.nl)

  2. Initial project goal ● Find a new and interesting type of security analysis for web applications ● Static code analysis ● WordPress ● Plugins ● A7 Missing Function Level Access Control 4 July 2016 2

  3. ! 4 July 2016 3

  4. ! 4 July 2016 4

  5. ! 4 July 2016 5

  6. ! 4 July 2016 6

  7. Static Code Analysis Machine Learning 4 July 2016 7

  8. Static Code Analysis Machine Learning 4 July 2016 8

  9. Static Code Analysis Machine Learning 4 July 2016 9

  10. Static Code Analysis part Turns out Not so easy No parsing & analysis tools available 4 July 2016 10

  11. Updated goal ● Static analyis ● Static & Dynamic analysis Future work here 4 July 2016 11

  12. WordPress ● Capability checking – Functions current_user_can , user_can if (!current_user_can('manage_options')) { wp_die(__("you don't have the clearance")); } ● User roles – Administrator , editor , author , etc. ● URL handlers: events and callbacks – Functions add_action , add_filter ( string $tag, callable $function_to_add, ....) 4 July 2016 12

  13. Static analysis summary ● Simple, conformative code quite doable ● Lots of variation means stronger tools required ● Modeling and analysis tools a must to do this research ● No such tools freely available 4 July 2016 13

  14. Static analysis example ● Extract required capabilities if (!current_user_can('manage_options')) { wp_die(__("you don't have the clearance")); } ● Done! – Req capability == 'manage_options' ● Easy 4 July 2016 14

  15. Not always straightforward if ( is_wp_error( $error = $ this ->validate_call( $blog_id, $ this ->needed_capabilities ) ) ) { return $error; } $must_pass = ( isset ( $capability['must_pass'] ) && is_int( $capability['must_pass'] ) ? $capability['must_pass'] : count( $capabilities ) ); $failed = array (); // store the failed capabilities $passed = 0; // foreach ( $capabilities as $cap ) { if ( current_user_can( $cap ) ) { $passed ++; } else { $failed[] = $cap; } } 4 July 2016 15

  16. Static ... += dynamic ● No fancy tools ● Given current options, static = no go ● No time to create all tools necessary ● How far do we get without those “tools”, then? ● But... PHP interpreter? 4 July 2016 16

  17. Static & dynamic, principles ● Gather as much data as possible statically ● Run URL handlers: – Directly: my_url_handler($arg1, $arg2, $arg3); – Not through webserver as is normally the case – Use gathered data to make a nice baby room ● Record as much data from run – Use data to repeat and finetune environment – Use data to analyse code paths & capabilities 4 July 2016 17

  18. Static & Dynamic approach Find entrypoints Analyse Analyse required parameters globals Populate and run Unittest template Run unittest with Analyse outputs Various capabilities 4 July 2016 18

  19. Static & Dynamic approach Find entrypoints Analyse Analyse Analyse required parameters parameters globals Populate and run Unittest template Run unittest with Analyse outputs Various capabilities 4 July 2016 19

  20. Analyse parameters ● Known hooks ● Custom hooks ● Trace parameters to known functions public function a_func($post_id) {} ● add_ping ( int $post_id, string $uri ) ● add_post_meta ( int $post_id, string $meta_key, mixed $meta_value, bool $unique = false ) ● check_and_publish_future_post ( int|WP_Post $post_id ) ● Constraint analysis 4 July 2016 20

  21. Static & Dynamic approach Find entrypoints Analyse Analyse required parameters globals Populate and run Unittest template Run unittest with Analyse outputs Various capabilities 4 July 2016 21

  22. Static & Dynamic approach Find entrypoints Analyse Analyse required Analyse required parameters globals globals Populate and run Unittest template Run unittest with Analyse outputs Various capabilities 4 July 2016 22

  23. Static & Dynamic approach Find entrypoints Analyse Analyse required parameters globals Populate and run Unittest template Analyse outputs Analyse output 4 July 2016 23

  24. Static & Dynamic approach Find entrypoints Analyse Analyse required parameters globals Populate and run Populate and run Unittest template Unittest template Analyse outputs Analyse output 4 July 2016 24

  25. Unittest template ● Run callback: – WordPress has support for PHPunit – So, unittests ● WP_UnitTestCase – Sets up environment – Creates temporary tables – Offers nice functionality ● Xdebug for call traces and code coverage 4 July 2016 25

  26. class TemplateTest extends WP_Ajax_UnitTestCase { private $roles = array (); public function setUp() { parent ::setUp(); $ this ->role_names = array ('subscriber', 'contributor', 'author', 'editor', 'administrator'); } public function test_do_handling() { foreach ($ this ->role_names as $role_name) { // 1 {Setup per role} $ this ->_setRole($role_name); $filename = __DIR__ . "/traces/trace-{$role_name}"; xdebug_start_code_coverage(XDEBUG_CC_UNUSED); xdebug_start_trace($filename); // 2 {Call to URL handler} xdebug_stop_trace(); $coverage = xdebug_get_code_coverage(); xdebug_stop_code_coverage(); file_put_contents($filename . '.cov', coverage_to_json($coverage)); // 3 {Teardown for per-role setup} } } } 4 July 2016 26

  27. Static & Dynamic approach Find entrypoints Analyse Analyse required parameters globals Populate and run Unittest template Analyse outputs 4 July 2016 27

  28. Static & Dynamic approach Find entrypoints Analyse Analyse required parameters globals Populate and run Unittest template Analyse outputs Analyse outputs 4 July 2016 28

  29. Output 1: Traces ● Headers Record type 1 6 10 11 12 - ... Entry level function name line number no. of parameters parameters Exit level empty Return level return value empty ● Example output 0 19 wpdb->_real_escape 1209 1 $string = 'setting_b' 0 20 mysqli_real_escape_string 1127 2 class mysqli { ... }, 'setting_b' 1 20 R 20 'setting_b' 1 19 R 19 'setting_b' 4 July 2016 29

  30. function plugin_settings_page() { if (!current_user_can('manage_options')) { wp_die(__("you don't have the clearance")); } include (sprintf("%s/settings.php", dirname(__FILE__))); } 13 - E: MyPlugin->plugin_settings_page ([]) 14 - E: current_user_can (["$capability = 'manage_options'"]) 14 - R: FALSE 14 - E: __ (["$text = 'you don\\'t have the clearance'", '$domain = ???']) 15 - E: translate (["$text = 'you don\\'t have the clearance'", "$domain = 'default'"]) 16 - E: apply_filters (["$tag = 'gettext'", "$value = 'you don\\'t have the clearance'", "'you don\\'t have the clearance'", "'default'"]) 16 - R: 'you don\'t have the clearance' 15 - R: 'you don\'t have the clearance' 14 - R: 'you don\'t have the clearance' 14 - E: wp_die (["$message = 'you don\\'t have the clearance'", '$title = ???', '$args = ???']) 4 July 2016 30

  31. Output 2: Code coverage Subscriber coverage admin coverage Admin noncoverage 20 20 54 21 21 22 22 53 53 54 57 58 4 July 2016 31

  32. Did the run/test succeed? ● Meaning: – Did we predict the correct arguments and globals? ● Metrics: – Full Code coverage? – Joined set should hit all return paths? ● If deemed not: – Rerun with different parameters/globals – Test's output may help here 4 July 2016 32

  33. Static & Dynamic approach Find entrypoints Analyse Analyse required parameters globals Populate and run Unittest template Analyse outputs 4 July 2016 33

  34. Conclusions ● Lack of good parsing & analysis tools inhibits research. – Exploring code, extracting features difficult – Testing hypotheses not possible on large scale ● If they were available: – Static & dynamic analysis may be quite fruitful here 4 July 2016 34

  35. Future work ● Design & build a good working modeling tool – Modular and extendible – Allows for queries to be done ● What (symbolic) value does this variable have here? ● What should x be to evaluate this to true? (constraint solving) ● What is this variable used for? – Needs to build a very good representation of the code ● Next steps are Modeling & Predictions – WordPress knowledge needed for classification 4 July 2016 35

Recommend

Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis

Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis

Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis Powered by RIPS Technologies High-tech company based in Bochum, Germany Supports the full feature stack of the PHP language Detects

1.06k views • 47 slides
A Month of WordPress Plugins 2007 Ask and You May

A Month of WordPress Plugins 2007 Ask and You May

WordPress Plugins Lorelle VanFossen File Gallery WordPress Plugin A Month of WordPress Plugins 2007 Ask and You May Change WordPress Open Camp

542 views • 32 slides
Top WordPress Plugins SEO Tips and Tactics MeetUp Christina Peterson Thursday, May 23, 13 Top

Top WordPress Plugins SEO Tips and Tactics MeetUp Christina Peterson Thursday, May 23, 13 Top

Top WordPress Plugins SEO Tips and Tactics MeetUp Christina Peterson Thursday, May 23, 13 Top WordPress Plugins The WordPress Plugin Directory contains nearly 25,000 plugins (as of 5/18/13) Thursday, May 23, 13 Top WordPress Plugins

505 views • 25 slides
The Struggle is Real: Developing WordPress Plugins Daniel Simanek <daniel.simanek@wisc.edu>

The Struggle is Real: Developing WordPress Plugins Daniel Simanek <daniel.simanek@wisc.edu>

The Struggle is Real: Developing WordPress Plugins Daniel Simanek <daniel.simanek@wisc.edu> Research and Graduate Education Throwing Things Classes Filter all the Things No Magic Code like everyone Is Stupid Break the (WordPress)

851 views • 60 slides
Getting Timely Support For Your Premium WordPress Themes & Plugins Personnel File Name:

Getting Timely Support For Your Premium WordPress Themes & Plugins Personnel File Name:

Insider Secrets For Getting Timely Support For Your Premium WordPress Themes & Plugins Personnel File Name: Justin Ferriman Gender: Male Age: 31 Height: 58 (on a tall day) Weight: Fluctuates by season Profession: Co-founder &

518 views • 41 slides
Designing Websites for 2016 and Beyond Marjorie R. Asturias Happiness Engineer WordPress.com

Designing Websites for 2016 and Beyond Marjorie R. Asturias Happiness Engineer WordPress.com

Designing Websites for 2016 and Beyond Marjorie R. Asturias Happiness Engineer WordPress.com Powers 1 in 4 websites +25% of the web Plugins Upgrades Total WordPress Sites +25k 3 +60m WordPress.com Page Views Employees +14m 5 billion

437 views • 20 slides
WordPress Wizardry: Tips, Shortcuts, & SEO Secrets for Tech Writers Alyson Harrold &

WordPress Wizardry: Tips, Shortcuts, & SEO Secrets for Tech Writers Alyson Harrold &

WordPress Wizardry: Tips, Shortcuts, & SEO Secrets for Tech Writers Alyson Harrold & Massimo Paolini Workshop Agenda WordPress Labyrinth The alchemy of themes, plugins & other CMS tricks Content Casting

837 views • 45 slides
radare Easing binary analysis for fun and profit Overview IO with plugins Basic file

radare Easing binary analysis for fun and profit Overview IO with plugins Basic file

radare Easing binary analysis for fun and profit Overview IO with plugins Basic file input/output access wrapped with plugins: Posix IO W32 IO Remote TCP IO EWF (Encase disk images) Debugger Haret ... Hexadecimal

695 views • 12 slides
WORDPRESS Lesson 01.01 Introduction to WordPress Welcome Welcome to WordPress! Over the next

WORDPRESS Lesson 01.01 Introduction to WordPress Welcome Welcome to WordPress! Over the next

WORDPRESS Lesson 01.01 Introduction to WordPress Welcome Welcome to WordPress! Over the next set of sessions we're going to cover a lot of different topics, techniques, and technologies, all of which are going to help you better manage and

410 views • 13 slides
WORDPRESS Lesson 02.02 WordPress Editor WordPress Editor WordPress uses a simple HTML editor

WORDPRESS Lesson 02.02 WordPress Editor WordPress Editor WordPress uses a simple HTML editor

WORDPRESS Lesson 02.02 WordPress Editor WordPress Editor WordPress uses a simple HTML editor that allows users to create and update content for blog posts, pages, comments, and other content types that require a rich editing environment.

766 views • 17 slides
Wordpress Security GIMPA, November 2018 By: @niiankrah What is Wordpress? WordPress is a

Wordpress Security GIMPA, November 2018 By: @niiankrah What is Wordpress? WordPress is a

Wordpress Security GIMPA, November 2018 By: @niiankrah What is Wordpress? WordPress is a free and open-source content management system based on PHP and MySQL. It uses a plugin architecture and a template system. It is most

367 views • 17 slides
Contributing to WordPress Sam Sidler @samuelsidler samuelsidler.com sam@wordpress.org Why

Contributing to WordPress Sam Sidler @samuelsidler samuelsidler.com sam@wordpress.org Why

Contributing to WordPress Sam Sidler @samuelsidler samuelsidler.com sam@wordpress.org Why Contribute to WordPress? Learn from the best developers Gain experience in the codebase Influence the direction of the project Make valuable

265 views • 25 slides
Process and Measurement System Capability Analysis Introduction Process capability means

Process and Measurement System Capability Analysis Introduction Process capability means

ST 435/535 Statistical Methods for Quality and Productivity Improvement / Statistical Process Control Process and Measurement System Capability Analysis Introduction Process capability means broadly the ability of a process to achieve

397 views • 15 slides
13 Vim plugins I use every day VimConf 2019 Tatsuhiro Ujihisa 13 Vim plugins I use every day

13 Vim plugins I use every day VimConf 2019 Tatsuhiro Ujihisa 13 Vim plugins I use every day

13 Vim plugins I use every day VimConf 2019 Tatsuhiro Ujihisa 13 Vim plugins I use every day VimConf 2019 Tatsuhiro Ujihisa Abstract I'm going to talk about how I use these plugins to be able to write code effectively as a professional

362 views • 25 slides
FOSOV Autonomous and Automated Ground Mobility Capability Collaboration Event 19-20 February

FOSOV Autonomous and Automated Ground Mobility Capability Collaboration Event 19-20 February

FOSOV Autonomous and Automated Ground Mobility Capability Collaboration Event 19-20 February 2020 Wifi: GuestHighSpeed Password: SWXGu35t Landing Page: sofwerx.org/fosov Admin Remarks Parking Special Event Parking Lot 2203 E

336 views • 10 slides
Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot

Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot

Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot gray inc. @dotgray Sunday, March 15, 15 Resources Codex.WordPress.org / Hardening_WordPress Blog.Sucuri.net / WordPress Security WPSecure.net /

608 views • 32 slides
WordPress Day 8 - Underscores 1 What is underscores? _s, or underscores , is a WordPress

WordPress Day 8 - Underscores 1 What is underscores? _s, or underscores , is a WordPress

TWD 25 WordPress Day 8 - Underscores 1 What is underscores? _s, or underscores , is a WordPress starter theme. It is a code base for building custom themes. 2 Why use underscores? Maintained by Automattic developers. This is the

821 views • 47 slides
HOW YOU CAN GET INVOLVED WITH THE WORDPRESS COMMUNITY WHO WE ARE JOHN HAWKINS - WordPress

HOW YOU CAN GET INVOLVED WITH THE WORDPRESS COMMUNITY WHO WE ARE JOHN HAWKINS - WordPress

HOW YOU CAN GET INVOLVED WITH THE WORDPRESS COMMUNITY WHO WE ARE JOHN HAWKINS - WordPress developer - WordPress user for 15+ years - Owned a WP Agency for 5+ years - Organized first WordCamp in Vegas (2009) - Founded the WP Vegas

684 views • 35 slides
wordpress masterclass how to set up your own wordpress website I'm a web designer whos

wordpress masterclass how to set up your own wordpress website I'm a web designer whos

wordpress masterclass how to set up your own wordpress website I'm a web designer whos passionate about helping small businesses create a professional online brand personality that stands out from the crowd and generates an income that gives

786 views • 37 slides
xrootd news Paul Millar Zeuthen, dCache workshop xrootd plugins xrootd has plugins that allow

xrootd news Paul Millar Zeuthen, dCache workshop xrootd plugins xrootd has plugins that allow

xrootd news Paul Millar Zeuthen, dCache workshop xrootd plugins xrootd has plugins that allow extension of behaviour Authentication plugins Authorisation / name-space mapping See Gerd's talk Xrootd news | Paul Millar | 2012-04-18 |

522 views • 6 slides
Motivation It may involve Minor changes in the main source Requires static linking We

Motivation It may involve Minor changes in the main source Requires static linking We

1 July 2012 Plugins: Outline 1/61 Outline Workshop on Essential Abstractions in GCC GCC Control Flow and Plugins Motivation GCC Resource Center Plugins in GCC (www.cse.iitb.ac.in/grc) GCC Control Flow Department of Computer

639 views • 24 slides
Why SCons is not slow ./agg/src/agg_curves.o ./bindings/python/mapnik_line_pattern_symbolizer

Why SCons is not slow ./agg/src/agg_curves.o ./bindings/python/mapnik_line_pattern_symbolizer

./plugins/input/raster/raster_info.os ./plugins/input/raster/raster_datasource.os ./src/font_engine_freetype.os ./plugins/input/raster/raster .input ./src/point_symbolizer .os ./src/scale_denominator .os ./src/envelope.os

888 views • 40 slides
WordPress Day 1 1 About Me Jonathon Leathers - WordPress Developer TWD 4 Student (2013)

WordPress Day 1 1 About Me Jonathon Leathers - WordPress Developer TWD 4 Student (2013)

TWD 25 WordPress Day 1 1 About Me Jonathon Leathers - WordPress Developer TWD 4 Student (2013) weCreate Design (2014 - now) Vancouver WordPress Meetup Organizer (2017 - now) WordCamp Vancouver Lead Organizer (2018 & 2019) TWD

1.52k views • 119 slides
WordPress I Day 7 1 Tuesday, June 18, 13 Moving Your WordPress Site (within the same domain)

WordPress I Day 7 1 Tuesday, June 18, 13 Moving Your WordPress Site (within the same domain)

WordPress I Day 7 1 Tuesday, June 18, 13 Moving Your WordPress Site (within the same domain) How do I move files from a \wordpress sub- directory to the site root? A common request. Unlike a basic HTML site, we can't simply move the

593 views • 25 slides

More recommend