Tale of Forgotten Disclosure and Lesson learned

A presentation at Null Meet Bangalore Chapter in May 2015 in Bengaluru, Karnataka, India by Anant Shrivastava

Slide 1

TALE OF FORGOTTEN DISCLOSURE BY ANANT SHRIVASTAVA

Slide 2

ANANT SHRIVASTAVA
Information Security Consultant
Admin - Dev - Security
null + OWASP + G4H
http://anantshri.info and @anantshri
Co-Author OWASP Testing Guide 4.0
Projects

Slide 3

SCENARIO
1. A vulnerability present in code (last updated March 2013).
2. Public disclosure in Aug 2014.
3. Interestingly, someone posted a pull request in Jan 2013.
4. Till May 2015 it was not patched, even though there was a new release after the pull request was in place.

Slide 4

INFORMATION RECEIVED

Slide 5

INVESTIGATION RESULT
1. JavaScript based DOM-XSS.
2. Culprit identified as the facebook-page-photo-gallery WordPress plugin.
3. Remove the plugin.
4. XSS fixed; issue closed.
5. End of story.

Slide 6

EMAIL TO PLUGINS TEAM

Slide 7

RESPONSE FROM PLUGIN TEAM

Slide 8

MEANWHILE DISCOVERY REQUIRES EXPERIMENTATION

Slide 9

REPOSITORY

Slide 10

CRUX OF THE ISSUE

    function getHashtag(){
        var url = location.href;
        // everything after '#' in the current URL is decoded and returned as-is
        hashtag = (url.indexOf('#prettyPhoto') !== -1) ? decodeURI(url.substring(url.indexOf('#prettyPhoto')+1,url.length)) : false;
        return hashtag;
    };

Slide 11

GOOGLE AHOY

Slide 12

INTERESTING FACT

Slide 13

CONTACTING AUTHOR

Slide 14

SPREAD THE WORD

Slide 15

SPREAD THE WORD

Slide 16

SPREAD THE WORD

Slide 17

FINALLY SOME ACTION

Slide 18

SOME ACTION

Slide 19

RELIEVED. LET THE WORLD BE IN PEACE AND LET'S GET BACK TO WORK

Slide 20

AFTER 7 DAYS

Slide 21

WHY YOU NO FIX

Slide 22

WORDPRESS PLUGIN INFO
1. Total 35 Plugins Found
Total Plugin Downloads: 2882520
Active Install: 3,37,780

Slide 23

NERDY DATA

Slide 24

WHAT IS VULNERABLE
1. Any application / website which has jquery.prettyphoto.js.
2. Versions 3.1.4 and 3.1.5 are confirmed vulnerable; older versions not checked.

Slide 25

WHAT IS A FIX
1. Upgrade to 3.1.6

Slide 26

ENOUGH OF THE PAST. WHAT'S IN IT FOR ME?

Slide 27

LESSONS TO BE LEARNED

Slide 28

FOR DEVELOPERS
1. Never ignore pull requests and security bug reports.
2. Proactively test your software, and at least publicly acknowledge a security issue once a fix is released.

Slide 29

FOR DEVELOPERS / SYSADMINS / DEVOPS
1. Never ignore updates to shared libraries.
2. Keep an eye on how shared resources are holding up.
3. Monitor your dependencies.

Slide 30

HOW

Slide 31

HOW

Slide 32

HOW

Slide 33

IS THIS ENOUGH
1. Not yet.
2. We still lack a method to track this for every third-party library.
3. Manual tracking is still required.

Slide 34

REFERENCES
1. A9 - Using Components with Known Vulnerabilities
2. https://www.owasp.org/index.php/Top_10_2013-A9Using_Components_with_Known_Vulnerabilities

Slide 35

THANKS