
My Tryst with Source Code Review

c0c0n 2014



Talk Abstract

This presentation is based on my personal experience when I took on the task of performing a pen test on all publicly available WordPress plugins (a total of about 30K plugins). It soon became clear that such a task would be daunting and time-consuming if done only from a blackbox perspective, hence I decided to combine blackbox testing with a code review process. The code base was in PHP, and owing to the large codebase at hand, all generic tools were failing to identify the various issues. It is to be noted that only open-source tools were tried and tested; no commercial tool was used. The talk focuses on how quickly, with the help of simple scripts and by stitching together generic tools, the author was able to solve a lot of his problems and perform the task with ease. The end result of phase 1 of the activity was close to 270 vulnerabilities, distributed as listed below.

Vulnerability type (OWASP Top 10 2013 category where applicable) and count:

  1. A3 - Cross-Site Scripting (XSS): 211
  2. A1 - Injection: 9
  3. Information Disclosure: 1
  4. Direct access authorization bypass: 1
  5. A9 - Using Components with Known Vulnerabilities: 30
  6. SSRF/XSPA: 4
  7. Local File Inclusion: 6
  8. A10 - Unvalidated Redirects and Forwards: 4

Some of the scripts written so far:

  1. Identifying probable XSS via code review and validating it via a request call.
  2. Automated installation and configuration of plugins / extensions.
  3. Identifying possible SQL injection points (in progress).
  4. Identification of the various access levels available for a plugin (access level map).
  5. Automated information extraction and identification of whether a newer version is available.
  6. Automated screenshots of the application based on specific conditions.
  7. Automating the reporting template.
  ... and many more.
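The first item in the list above (grep-style code review for probable XSS, then a request to confirm it) is the kind of "simple script" the abstract refers to. The following is an added example written for this page; it is not the author's script and no such tool is named in the talk. It scans PHP source line by line for output sinks (echo/print/printf) whose argument contains a raw superglobal, skips lines where a common WordPress or PHP escaping function is present, and builds a GET probe carrying a canary so the reflection can be checked in the response body. The sample plugin fragment, the canary string and the base URL are constructed for the demo.

```python
"""Probable-XSS finder for PHP plugin code (added example, not the talk's tool).

Stage 1: static scan for `echo/print/printf <...> $_GET/$_POST/$_REQUEST/$_COOKIE[...]`
         with no escaping call on the same line.
Stage 2: build a probe URL with a canary and check whether a response body
         reflects it unescaped.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List
from urllib.parse import urlencode

# $_GET['param'] / $_POST["param"] ...  captures the superglobal name and the key
SUPERGLOBAL = re.compile(
    r"\$_(?P<kind>GET|POST|REQUEST|COOKIE)\[\s*['\"](?P<key>[A-Za-z0-9_\-]+)['\"]\s*\]"
)
# Output sinks; everything after the keyword is treated as the argument expression
SINK = re.compile(r"\b(?:echo|print|printf)\b\s*\(?(?P<arg>.+)", re.IGNORECASE)
# Escaping / casting calls whose presence on the line makes the hit a likely false positive
SANITIZERS = ("esc_html", "esc_attr", "esc_url", "esc_js", "esc_textarea",
              "htmlspecialchars", "htmlentities", "intval", "absint",
              "sanitize_text_field", "wp_kses")

CANARY = "c0c0nXSS"  # constructed marker; any unusual token works


@dataclass
class Candidate:
    path: str
    line: int
    kind: str   # GET / POST / REQUEST / COOKIE
    param: str  # request parameter name
    source: str # the offending line, for the report


def find_xss_candidates(path: str, php_source: str) -> List[Candidate]:
    """Return probable XSS sinks in one PHP file (line-based, so multi-line
    statements and sanitizers applied on earlier lines are missed: this is a
    triage heuristic, not taint analysis)."""
    hits: List[Candidate] = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        m = SINK.search(line)
        if not m:
            continue
        arg = m.group("arg")
        # Crude suppression: an escaping call anywhere in the argument expression
        if any(s + "(" in arg for s in SANITIZERS):
            continue
        for sg in SUPERGLOBAL.finditer(arg):
            hits.append(Candidate(path, lineno, sg.group("kind"), sg.group("key"), line.strip()))
    return hits


def scan_plugin_dir(root: str) -> List[Candidate]:
    """Walk an unpacked plugin directory and scan every .php file."""
    found: List[Candidate] = []
    for p in Path(root).rglob("*.php"):
        found.extend(find_xss_candidates(str(p), p.read_text(errors="replace")))
    return found


def build_probe(base_url: str, cand: Candidate, canary: str = CANARY) -> str:
    """GET probe for a candidate. The payload is canary + a harmless tag so an
    unescaped reflection is distinguishable from an HTML-encoded one."""
    return f"{base_url}?{urlencode({cand.param: canary + '<svg>'})}"


def reflected_unescaped(body: str, canary: str = CANARY) -> bool:
    """True when the canary came back with the '<svg>' tag intact (not &lt;svg&gt;)."""
    return (canary + "<svg>") in body


# Constructed plugin fragment for the demo (not from any real plugin)
SAMPLE_PHP = """<?php
// demo code: greets the visitor and shows a search box
echo '<h2>Hello ' . $_GET['name'] . '</h2>';
echo "<input value='" . esc_attr( $_POST['q'] ) . "'>";
print $_REQUEST['page'];
$id = intval( $_GET['id'] ); echo $id;
$name = esc_html( $_GET['name'] );
"""

if __name__ == "__main__":
    for c in find_xss_candidates("demo-plugin/demo.php", SAMPLE_PHP):
        print(f"{c.path}:{c.line} ${c.kind}['{c.param}']  {c.source}")
        if c.kind in ("GET", "REQUEST"):
            print("  probe:", build_probe("http://wp.local/wp-admin/admin.php", c))
```

POST and COOKIE hits still need a hand-built request, and the static stage is deliberately noisy: it flags a line whenever a raw superglobal shares an output statement with no escaping call, so the request-based validation is what turns a "probable" hit into a reportable one.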