Presentation Material

Abstract

Every organization has its own unique coding style and strategies. This can make it difficult for a static code analyzer to effectively find bugs in every codebase. The customizations available with these analyzers are prone to a lot of false positives.

In this research, we leveraged an open-source tool semgrep to write custom rules that ran over 80k WordPress plugins to find vulnerabilities like SQLi, XSS, and LFI in bulk. The first challenge to overcome was getting a large number of false positives. We understood the coding patterns and came up with better rules. The tweaking reduced the percentage of false positives drastically. Writing good rules helped us identify the vulnerable code just by looking at the semgrep’s output. This removed the overhead of manual validation by installing the plugin altogether.

The SQLIs we found were all time-based blind but we identified the code and converted lots of them to union-based SQLI. We bypassed filters to get SQLI and XSS and created custom rules for the code that contains the bypassed filter. In the XSS ruleset, we obtained thousands of results with possible XSS that lead to the creation of an automated XSS validator: XSSBomb.

The talk will have a demo for basic usage of semgrep, writing custom rules, and running them over the list of vulnerable plugin repos. We will also demo the tool XSSBomb. In this research, we identified some really good real-world examples of writing secure code and WordPress’s way of preventing attacks. As a result of this research, we collectively found 47 confirmed bugs and were assigned CVEs for the same.