Limited Automated WP Plugin Vulnerability Scanning with wtfian

When looking through WordPress plugins, I noticed that a lot of developers seem to have issues using AJAX securely. They frequently don’t use nonces at all, they leak nonces to people they shouldn’t, and they forget to check the user’s capabilities. At first, going after the low-hanging fruit (AJAX issues) of the low-hanging fruit (WP plugins) was kind of fun, but it started to get boring pretty fast so I wrote a script to do it for me.

So I give you wtfian!
What does it stand for?
Who cares?
What does it do?
It scans for authorization/authentication bypass issues and CSRF in the AJAX handlers of WordPress plugins. It can also provide some hints about nonce leakage. It’s designed to assist in code reviews.
How well does it work?
Eh, OK I guess. I wrote it in an evening and never intended to release it to the public, so the code is pretty ugly, but it mostly does what I intended. I’m releasing it because I figure it might come in handy to a few people, and might even be the base of, or inspiration for, something much better. There are false positives and false negatives and it only partially supports object oriented code, but it still may have some use.

Example Use:

username@desktop:~/wtfian$ php wtfian.php plugins/nextgen-gallery/

It will produce some output like this:

Interesting Functions:
Function Name: start_buffer
Hook Name: init
Hook File: plugins/nextgen-gallery/non_pope/class.photocrati_resource_manager.php
Hook Line: 26
Function File: plugins/nextgen-gallery/non_pope/class.photocrati_resource_manager.php
Function Line: 77
Nonces Checked: 
Nonces Created: 
Capabilities Checked: 


Function Name: print_marker
Hook Name: wp_footer
Hook File: plugins/nextgen-gallery/non_pope/class.photocrati_resource_manager.php
Hook Line: 27
Function File: plugins/nextgen-gallery/non_pope/class.photocrati_resource_manager.php
Function Line: 34
Nonces Checked: 
Nonces Created: 
Capabilities Checked:
...

There may be quite a bit of noise that you have to scroll through to find the interesting bits:

Function Name: load_scripts
Hook Name: admin_print_scripts
Hook File: plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/admin.php
Hook Line: 24
Function File: plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/admin.php
Function Line: 259
Nonces Checked: 
Nonces Created: ngg-ajax
Capabilities Checked:
...
Function Name: ngg_ajax_operation
Hook Name: wp_ajax_ngg_ajax_operation
Hook File: plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/ajax.php
Hook Line: 2
Function File: plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/ajax.php
Function Line: 12
Nonces Checked: ngg-ajax
Nonces Created: 
Capabilities Checked: NextGEN Upload images,NextGEN Manage gallery
Nonce Sources: 
        Nonce 'ngg-ajax' is generated in function 'load_scripts'
NOTE: Check for nonce leakage


Function Name: createNewThumb
Hook Name: wp_ajax_createNewThumb
Hook File: plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/ajax.php
Hook Line: 76
Function File: plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/ajax.php
Function Line: 78
Nonces Checked: 
Nonces Created: 
Capabilities Checked: NextGEN Manage gallery
NOTE: May be vulnerable to CSRF


Function Name: ngg_rotateImage
Hook Name: wp_ajax_rotateImage
Hook File: plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/ajax.php
Hook Line: 116
Function File: plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/ajax.php
Function Line: 118
Nonces Checked: 
Nonces Created: 
Capabilities Checked: NextGEN Manage gallery
NOTE: May be vulnerable to CSRF


Function Name: ngg_ajax_dashboard
Hook Name: wp_ajax_ngg_dashboard
Hook File: plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/ajax.php
Hook Line: 166
Function File: plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/ajax.php
Function Line: 168
Nonces Checked: 
Nonces Created: 
Capabilities Checked: NextGEN Gallery overview
NOTE: May be vulnerable to CSRF
...
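To make the heuristics behind those notes concrete, here is an added example that is not part of the original post and not wtfian's code (wtfian uses PHP-Parser; this is a regex sketch in Python). It scans a constructed plugin snippet and reports, per hooked function, the nonces and capabilities checked, then flags the same conditions as the output above: a wp_ajax_ handler with no nonce check (CSRF), one with no capability check, and a checked nonce that some other hooked function generates (possible leakage). It assumes plain top-level functions whose closing brace sits at column zero, and it does not follow method calls or class code.

```python
import re

# Constructed sample plugin source (not a real plugin); exercises all three findings.
SAMPLE_PLUGIN = r'''<?php
add_action('wp_footer', 'demo_print_scripts');
add_action('wp_ajax_demo_delete', 'demo_delete');
add_action('wp_ajax_demo_rotate', 'demo_rotate');
function demo_print_scripts() {
    echo '<script>var n = "' . wp_create_nonce('demo-ajax') . '";</script>';
}
function demo_delete() {
    check_ajax_referer('demo-ajax', 'nonce');
    if (!current_user_can('manage_options')) { wp_die(); }
    wp_die('deleted');
}
function demo_rotate() {
    wp_die('rotated');
}
'''

HOOK_RE = re.compile(r"add_action\(\s*['\"]([\w-]+)['\"]\s*,\s*['\"](\w+)['\"]")
# Top-level functions only; body runs until the first '}' at column zero.
FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)\s*\{(.*?)^\}", re.S | re.M)
NONCE_CHECK_RE = re.compile(r"check_(?:ajax|admin)_referer\(\s*['\"]([\w-]+)['\"]")
NONCE_VERIFY_RE = re.compile(r"wp_verify_nonce\([^,]+,\s*['\"]([\w-]+)['\"]")
NONCE_CREATE_RE = re.compile(r"wp_create_nonce\(\s*['\"]([\w-]+)['\"]")
CAP_RE = re.compile(r"current_user_can\(\s*['\"]([\w -]+)['\"]")

def scan(src):
    """Per hooked function: nonces/capabilities checked, plus wtfian-style review notes."""
    bodies = dict(FUNC_RE.findall(src))  # function name -> body text
    created_in = {fn: set(NONCE_CREATE_RE.findall(b)) for fn, b in bodies.items()}
    findings = []
    for hook, fn in HOOK_RE.findall(src):
        body = bodies.get(fn, '')
        nonces = set(NONCE_CHECK_RE.findall(body)) | set(NONCE_VERIFY_RE.findall(body))
        caps = set(CAP_RE.findall(body))
        notes = []
        if hook.startswith('wp_ajax_'):  # only AJAX endpoints get flagged
            if not nonces:
                notes.append('May be vulnerable to CSRF')
            if not caps and not hook.startswith('wp_ajax_nopriv_'):
                notes.append('No capability check')
            for n in sorted(nonces):  # who else hands this nonce out?
                for other in sorted(f for f, made in created_in.items() if n in made):
                    notes.append("Nonce '%s' is generated in function '%s': check for leakage" % (n, other))
        findings.append({'hook': hook, 'function': fn, 'nonces_checked': sorted(nonces),
                         'capabilities_checked': sorted(caps), 'notes': notes})
    return findings
```

Run `scan(open(path).read())` over a plugin file to get the same kind of per-hook report as above; the wp_footer function in the sample is what makes the demo-ajax nonce worth a second look, since that hook fires on the public front end.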

I know you want to download it now. Go ahead.
Download wtfian (79K)

Credit, where credit is due. I made use of PHP-Parser by Nikita Popov for all the PHP parsing.
It’s pretty damn awesome. A PHP parser written in PHP…

Author: Voxel@Night
