
Boston BSides - Discover 1352 Wordpress Plugin XSS - Larry Cashdollar

BSides Boston · 40:23 · Published 2016-08
About this talk
In a single night, I was able to find about 1400 vulnerabilities in WordPress plugins. Not only that, but they were all a single kind of vulnerability, cross-site scripting (XSS). Using techniques that I have developed, I was able to mass download plugins and scan them for unsanitized outputs from a user. In this talk, I will show how I did it and how I have responsibly notified the community. Larry Cashdollar has been working in the security field and finding vulnerabilities for over 15 years. With a couple thousand CVEs to his name, he is a known researcher in the field. You can see many of the disclosed vulnerabilities at vapidlabs.com. He is a member of the SIRT at Akamai Technologies.
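The pipeline the abstract describes (scan plugin sources for request input echoed straight back, record file, line, variable and snippet, generate a GET proof of concept), as an added Python example that is not from the talk or the speaker's own scripts. It also models the two checks the talk turns out to hinge on: a `(int)` cast or an `esc_*`/`htmlspecialchars` wrapper around the superglobal means there is nothing to inject, and because WordPress core runs `addslashes()` over `$_GET`/`$_POST`/`$_REQUEST`/`$_COOKIE`/`$_SERVER` (`wp_magic_quotes()`) once `wp-load.php` is included, a payload that needs a quote to break out of an attribute is context dependent, while a quoteless `<script>` payload echoed into the HTML body still fires. The plugin source, its path and the base URL are constructed for the example; the regex is a line-based heuristic, not a PHP parser.

```python
import re
from urllib.parse import quote

# Constructed sample plugin (not a real WordPress plugin): each echo exercises
# one pattern the scan has to classify.
SAMPLE_PLUGINS = {
    "fubar-baz/fubar-baz.php": r'''<?php
/* Plugin Name: Fubar Baz 1.2 (constructed example) */
echo $_GET['msg'];
echo "<input type='text' value='" . $_REQUEST["q"] . "'>";
echo (int)$_GET['page'];
echo esc_html($_POST['name']);
print $_GET[ "cb" ];
''',
}

# One statement: echo/print, anything up to the first superglobal read. The
# quote group tolerates ['x'], ["x"], [x] and spaces inside the brackets.
SINK = re.compile(
    r"^\s*(?:echo|print)\b(?P<pre>[^;]*?)"
    r"\$_(?P<sg>GET|POST|REQUEST)\s*\[\s*(['\"]?)(?P<var>\w+)\3\s*\]"
)

# Wrappers between the sink and the superglobal that kill the injection:
# the (int) cast the talk mentions and WordPress's esc_* family.
SANITIZERS = ("(int)", "intval(", "absint(", "esc_html(", "esc_attr(",
              "esc_js(", "htmlspecialchars(", "sanitize_text_field(")

SCRIPT_PAYLOAD = "<script>alert(1)</script>"  # no quotes: survives addslashes
ATTR_PAYLOAD = "' onmouseover='alert(1)"       # needs quotes to leave the attribute


def scan_source(path, src):
    """One finding per echoed superglobal: where it is, which input, in what HTML context."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        m = SINK.search(line)
        if not m:
            continue
        pre = m.group("pre")
        # An unclosed '<' before the sink means the value lands inside a tag
        # (attribute context); otherwise it is emitted into the HTML body.
        context = "attribute" if pre.rfind("<") > pre.rfind(">") else "html"
        findings.append({
            "file": path, "line": lineno, "snippet": line.strip(),
            "method": m.group("sg"), "var": m.group("var"),
            "context": context,
            "sanitized": any(tok in pre for tok in SANITIZERS),
        })
    return findings


def addslashes(s):
    """PHP addslashes(): what wp_magic_quotes() applies to the request superglobals."""
    return "".join(
        "\\" + c if c in "'\"\\" else ("\\0" if c == "\x00" else c) for c in s
    )


def payload_survives_wp(payload):
    """True if the payload reaches the page unchanged after WordPress's addslashes."""
    return addslashes(payload) == payload


def generate_poc(finding, base="http://example.invalid/wp-content/plugins/"):
    """GET/REQUEST sinks only (the talk skipped POST); None when a wrapper sanitises."""
    if finding["sanitized"] or finding["method"] == "POST":
        return None
    payload = SCRIPT_PAYLOAD if finding["context"] == "html" else ATTR_PAYLOAD
    return f"{base}{finding['file']}?{finding['var']}={quote(payload, safe='')}"


def triage(plugins):
    """Scan every source, attach a PoC and flag sinks whose payload needs quotes."""
    out = []
    for path, src in plugins.items():
        for f in scan_source(path, src):
            f["poc"] = generate_poc(f)
            payload = SCRIPT_PAYLOAD if f["context"] == "html" else ATTR_PAYLOAD
            f["context_dependent"] = not payload_survives_wp(payload)
            out.append(f)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_PLUGINS):
        print(f"{f['file']}:{f['line']} {f['method']}[{f['var']}] "
              f"context={f['context']} sanitized={f['sanitized']} "
              f"context_dependent={f['context_dependent']}\n"
              f"  {f['snippet']}\n  poc={f['poc']}")
```

The attribute-context finding is the kind the talk ended up hand-checking: its PoC needs a quote, and once core's addslashes pass has run that quote arrives as `\'`, so an auto-verifier that only fires on executed JavaScript never sees it. The body-context findings get a quoteless payload that still executes; the `(int)` and `esc_html` sinks are dropped before a PoC is even built.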
Transcript [en]

We have to highlight the "not quite" here, but that's not in the title. Yeah, yeah, so we'll get into that too. So, I'm Larry Cashdollar, a hobbyist vulnerability researcher. I work at Akamai. I've been doing this since, I think, 1998; the first vulnerability I found was in SGI IRIX, in midikeys, to get me root, and subsequently break an SGI Onyx2 and piss off a bunch of Army admirals or generals, I'm not sure what they were, but they were angry. But yeah, so I used to do penetration testing, that was what I was doing back then, except back then it was a little

less formal. Like, my boss pretty much said, "We want you to break stuff, you seem to be good at it. Can you tell us about it when you do it?" And I usually did, unless I broke something big like that, and then I told them a week later when they'd cooled down. I have over 100 CVEs to my name. Everything ranges from buffer overflows to exploiting setuid root binaries, temp race conditions, to WordPress plugins for remote file inclusion, stuff like that. I work in the Akamai Security Incident Response Team. Patrick was in that group for a while and then he decided to leave us, left me

holding the bag. He was the only guy in our office; the other guy is down in North Carolina, the other guys are in Florida. So now my boss, who is at least two feet taller than I am, has only one person to pick on. He doesn't pick on you guys, he just picks on me, he just takes it out on me, because I'm shorter than everybody. So, people are asking, why cross-site scripting? I was looking through WordPress plugins at mostly local file inclusion, remote file inclusion, SQL injection. I like getting a shell on things, I like getting a database dump. I don't really like cross-site

scripting that much, but I kept seeing these things in the code. I kept seeing these blatant, you know, echoing user input directly back to the browser. So I'm like, you know what, I'm going to see how many of these I can find, just build an index of them, just see how many there are. And I thought these were a sure thing. I thought that if you were seeing a GET being echoed back, it was cross-site scripting. We'll go over that later in the "mess up" slide. I had a lot of curiosity about automated vulnerability discovery. I wanted to automate vulnerability discovery and vulnerability proof of

concept generation and vulnerability proof-of-concept verification. So it wasn't really so much about cross-site scripting; it was more about, can I get my computer to do this for me and then check the logs every couple of hours? And also I figured these would be pretty easy, to create cross-site scripting proofs of concept on the fly. It should just be, you know, break a script tag, echo a JavaScript alert box in, and close the script tag, and it should kind of work in most cases. Assumptions: I assume you know what WordPress is, I assume you know what cross-site scripting is, I assume you know what a WordPress plugin is, and I assume you're not violent. I'm

disappointed, because I'm small, I don't want to get beaten up when you guys see the rest of this. So, let's see. The first step was to collect plugins. I wanted to collect all the plugins at once. I wanted all 50,000 plugins; I didn't want to grab 1,000 or 2,000, I wanted to grab all of them. So I decided to scrape WordPress's plugin SVN source repository page. They got pissed off, blocked my IP address for eight months. Also, I got a lot of crap. I got plugin versions, you know, the same plugin with eight different versions. I got plugins that had been removed four years

ago. I got just a bunch of stuff that I didn't need, and it was just taking up extra disk. So I had to come up with another way to do this. I also wanted metadata; I wanted to collect tidbits about the plugin. So plugin collection 2 was: I used the list of plugins from the code repository as an index, and then I scraped each page on the WordPress site for that plugin. I piped that all through proxychains because I didn't want WordPress to block me again, because it was a pain in the ass to reroute it through another

proxy somewhere. So I got this running and I let it run, and it took about five days. In all it downloaded 42,478 plugins; it took about, I think it was 10 GB of disk, something like that, maybe it was 15. The next step was, how was I going to mine all these plugins for cross-site scripting vulnerabilities? So a couple of years ago I had done this same sort of research with Ruby gems, so I took one of my old Perl scripts that I used to look at command injection in Ruby gems, modified it to look for cross-site scripting in WordPress plugins, and just set it up to look for

echo $_GET, you know, echo $_POST, echo $_REQUEST, and then I tried to find different variations where the plugin author would either put a single quote or a double quote, or put a space before a single quote or a space before a double quote. I also wanted to grab the line number and a snippet of the vulnerable code, because whenever I do an advisory I like providing a snippet of the code that the vulnerability is in, in case the author changes it or in case the author silently fixes it. I can at least go back to what I originally saw, diff the two, and say, okay, this is what the author changed. Maybe

they did it wrong, you know, maybe they snuck it in there, I didn't know. I also wanted to automatically generate the exploit and title. So I wanted to generate a proof-of-concept exploit based on the code snippet, where I extracted the variables from it, and also wanted to just put a generic title in there like "Cross-site scripting vulnerability in plugin Fubar Baz version 1.2". And then, as I mentioned, I collected the vulnerable variables; that made it easier to just automatically generate a proof of concept, because then I can use that variable to be the payload injector for my JavaScript or alert box to generate the cross-site scripting. Proofs of concept: I only looked at

GET and REQUEST only. I didn't want to try and do POST because that's just a little harder. This was, you know, I just wanted to see if this could even be done, so I figured I'd start with the easy stuff, the low-hanging fruit. I wanted to just create a generic, most-likely-to-succeed exploit for testing. So I figured just, you know, have a script tag ending and then a script tag beginning, and just try and break the HTML, not the script tag, the HTML tag, and then just generate all this on the fly. I kind of needed somewhere to store all this. I figured I had 900

vulnerabilities with 900 tested proofs of concept. What should I do? I built a database, a MySQL database, created a database, "wp_vulndb", because I'm so, you know, original. I couldn't think of any better name, "super leet cross-site scripting zero-day database", just whatever. And then I had to think about what columns to store. I figured I'd store the title, file name, plugin name, vulnerable code, proof of concept, because I wanted to have that associated with the database, the variables that were vulnerable to cross-site scripting injection, and then a date, just so I knew when the table was created, or that entry in the table was

created. I wanted to collect some data along with it, populate more fields in the database like the version number, author, download links, downloads. I figured if I had the number of downloads I could sort the table by plugin popularity, so I could look at the top plugins by number of downloads and then start to figure out which ones might be more interesting than others, the ones that have more downloads, that might be more prolific across the internet, in case this got really serious. And then, you know, in the midst of doing all this, I thought to myself, I should probably give people like WordPress a sort of notification that I'm

doing this, because if I suddenly get this database built and then give them 24 hours to react to it, that'd be kind of a jerk move. I figured I should tell them, look, I'm building this database, I'm starting to put it together, do you guys have any suggestions, recommendations? I figured I would just let you know; if there's any way I can help, just let me know and I'll do whatever it is to help you guys get this stuff resolved. So I started to realize I was in over my head, which doesn't take much, me being five foot six. So I realized I needed an adult. I probably should ask people who

are smart what I should do, how I should organize this data, who I should notify, sort of bounce my ideas off of other folks. So the first person, or first group, I notified was WordPress. They were flabbergasted at first, they were in shock. They're like, we can't believe you have a database of 1,352 cross-site scripting vulnerabilities, what the hell are we going to do? We can only address these one at a time, and it takes us days to verify each one. They create a proof of concept, verify it, and then notify the author; if the author doesn't pull down the plugin, they pull down the

plugin, or if the author doesn't fix the plugin, they pull down the plugin. So they had this very slow manual cycle of getting this done. So I had gone back and forth with them for a little while about my expectations, and I was just willing to help in any way I could, and they were kind of quiet. I assume they were just chugging through the database. And then I notified Brian Martin, Jericho at attrition.org, because he's just been collecting vulnerabilities since I can remember. He was running the OSVDB. I figured he would know how to handle this sort of thing. I think he

actually gave birth to a kitten when he heard about this, because he's like, I've been wanting to write a story about someone who's giving, or dispersing, a thousand vulnerabilities at once, it would be a great blog entry, and please tell me you have this database. I'm like, yeah, I have this database and here it is, you can have it, just don't share it with anybody else. And then I notified Scott Moore at IBM X-Force, because he's an old friend and I figured he probably should know about it, and notified Ryan Dewhurst, because he runs the WordPress vulnerability database, so if I'm going to give him 1,300 entries he should know about

it. And then I talked to some friends at Akamai. I told Patrick and a couple of people in my group, a couple of people in another group, because they're really smart and I figured they should know, because they might guide me or tell me if I'm being an idiot. And they were all like, that's really cool, and you're sick in the head, because who the hell would spend that much time trying to find this stuff? But they thought it was great. And then Solar Designer, because I figured eventually I would send this stuff to the oss-security list. So I figured, I can't send 1,352 vulnerabilities at once,

people are going to murder me if I do that, you can't send that many emails out to a security list. So then I thought, could I send them in blocks of like 200, could I send them in blocks of 500? So I talked to Solar Designer for a couple of days, going back and forth about what fields we should send and how we should format it; it should all be one email, but it should be easily parsable. So we went through this back and forth. So I started notifying all these people. I had a friend of mine, who shall remain nameless, send the database at my request to

some TLP:RED security list, which, if you don't know what the Traffic Light Protocol is, TLP:RED is need-to-know only. The only people receiving that information are sworn to not share it with anybody else; it's not supposed to be shared outside of whoever received it. So a group of people had gotten hold of it in Germany, and these were a group of security researchers, all doctors in computer science, and they were doing a study on WordPress plugin cross-site scripting zero-day vulnerabilities. So these guys flipped out. They're like, holy cow, this will dovetail

right into our research, this is great. We got a Skype call. I was like, I'm going to be one of the cool kids now; these guys are actually Skyping me, and they've got degrees in computer science, they're doctors. It was like the equivalent of The Big Bang Theory, except they were in Germany and they were drinking beer and they weren't awkward. So I thought I was becoming one of the cool kids. I'm like, yeah, this is pretty cool, maybe I'll be accepted and people won't look at my height anymore. So there'll be a lot of short jokes, because if I don't do

them, my CSO will, Landy over there. So I customized the data for everybody. Everybody was like, can you add this table, can you add that table; people wanted custom CSVs, you know, the WordPress people. Jericho, Brian Martin, he and I went back and forth and we were fixing stuff in the tables, we were fixing mangled entries. I took suggestions. I sent people the SQL database and the PHP code to render it into a pretty web page that showed you the advisory that I created and everything. I added more columns; people are like, hey, why don't you add these columns, you should get CVE IDs

for these. And at the time I had just become involved with the Distributed Weakness Filing, where we're sort of taking part of the CVE database and doing our own thing; we're supporting the stuff that they don't support, so that everything gets a CVE ID. So they had given me a block of 1,000 IDs, which I thought I'd never use up for the year, and I'm like, oh cool, I'm going to use like 900 of them right now. So I just assigned all these CVE, or DWF, IDs to all these vulnerabilities in my database. I added a type field so that I could tell if the injection was via a

GET, POST or REQUEST, so I could sort by that; if I want to just look at GET request, POST request or REQUEST vulnerabilities, I could pull those out of the database really easily. The guys in Germany wanted to check and see if certain plugins were using nonces, so I added that in there as a flag, a one if the plugin used a nonce. I added auto_verify, which we'll get into; it was just a boolean. That'll be part of the automatic exploit stuff that we'll get into in the next couple of slides. People wanted the

file name without the full path. I needed the file name with the full path, but they wanted it without, so I had to parse those out and create a new entry, just to make things easier for those guys. And I wanted a vendor contact date, so that when I eventually found a way to notify these guys, the plugin authors, we could at least keep track of who was notified and who wasn't. And then I wanted to validate the proofs of concept. I figured, proof of concept or go home. I wanted to know that all 1,352, if possible, of these vulnerabilities were valid, that the

actual JavaScript executed. I had an idea about how I would test this. I think I was on a flight back from an RV trip in California and thought of a way to test it. And I thought it would be really cool to release a database that was over 1,000 vulnerabilities, with over 1,000 proof-of-concept exploits with it that were verified. How cool would that be? Here are a thousand bugs, and here are the thousand exploits for them. Yeah, so the first version of the automatic exploiter was, I was going to try and send the payload to all of, or at least all of

the GET requests, because those would be the easiest to exploit. There were about 900 of those; the rest were POST requests, so I figured I wouldn't bother with those yet. Well, now I guess I should go back and check those just for fun. I decided to set up a CGI-bin environment. I figured I could use php-cgi to just execute the PHP code and generate an HTML file with the payload embedded in it, and then I could execute that JavaScript with the vulnerable payload and see if it actually executes. I couldn't use an alert, and I'm not going to look at a

bunch of alert boxes that have been rendered to PNG. So I figured the easiest way would be to have it pull an image, and have that image be a PHP script that just takes as an argument the vulnerability database number to mark as auto-verified. So all that PHP does is set auto_verify to one for that $number in the database, the simplest PHP script you can imagine. And to set up the environment variables for php-cgi, you just need to set GATEWAY_INTERFACE equal to CGI/1.1, you need PATH_TRANSLATED equal to the vulnerable PHP file name, QUERY_STRING

equal to the payload, REDIRECT_STATUS, and the request method is GET for the GET methods. I first started doing this when I was testing LFI and RFI. I didn't want to have to stick a PHP file on a web server and then fire it off, and I got tired of trying to play with curl and stuff, so I had created just a script that would run my exploit code to do a POST request or a GET request against a plugin that had an LFI or an RFI vulnerability, and I thought this might work pretty well for just testing cross-site scripting stuff.

So I made this little script called Fast CGI Exploiter. It's really easy. I don't know if you guys can see it, I haven't seen it this big yet. All it does is just populate all of those environment variables. Specifically, the ones of interest are: the QUERY_STRING is going to contain our payload for the cross-site scripting, the JavaScript, and then the regular variables are just filled in with the defaults, REDIRECT_STATUS, the request method GET, and then PATH_TRANSLATED is the actual file name of the PHP file that we're going to target. So the process to render to HTML: I needed to run all of these

vulnerable PHP files that I had extracted from the database through this script that I had created, with a payload of a script tag, new Image, and then src equals my URL, to go and set the database auto_verify to one. I had an idea to process the HTML and JavaScript stuff by using PhantomJS. PhantomJS, if you haven't heard of it, is a full web stack; it's a web browser on the command line. It'll process JavaScript, it'll execute our payload. It has a lot of functionality; I just wanted to use it

for this one thing. I really wanted it just to read all of the HTML files out of my directory that I had rendered from that for loop with that CGI script, and then just create PNG files that I could look at. And from the PNG files I could at least tell, depending on size, if the JavaScript had fired off or not, or if I got an error, just based on file size. If I knew the file size was bigger, I knew something had happened and it at least executed, or I got an error message or something like that. So I ended up finding this thing that somebody had written in

JavaScript that would go through and do exactly what I wanted. You specify a directory with all of your HTML files in it; it would read through that directory and render the JavaScript in each one of those HTML files and create an image file of what a browser would have seen, as a PNG. I ran this thing, I was watching /var/log, the access log, and I was dancing. I was watching stuff come through, I was seeing, boom, this script fired off, that JavaScript fired off. I could see these things coming in and setting themselves to auto_verify in my

database, and I was just like, this is the coolest thing, I'm dancing around, I'm like, this is so awesome. [Audience: Larry, yeah, what did that dance look like?] I can't dance like that, man. That was filmed in, like, what, 1997 or '96? I couldn't even dance like that then. I have no rhythm, ask my wife, I have no rhythm, she doesn't dance with me anymore. Anyway, so here's what it looked like. This is what the actual output of that directory looked like when it was done. It had taken these HTML files that were

generated by the php5-cgi environment that I had created with a little script, and then rendered them all down to PNG, so you can see if it had executed the JavaScript or not by just looking at the database. So it was easy. To this day I still go through and look at the file sizes, because I haven't looked at them all to see exactly what happened. It was an easy way just to see what had gone off, what had broken, what didn't work, what might be a more interesting vulnerability later on. I think some of these I looked at might

have SQL injection, but I didn't investigate fully. So there were some interesting results. The results were, there were 38 exploits that had fired off and set auto_verify in the database. The way I was looking at the logs, I thought there was going to be at least another digit in there somewhere, like 138 or 380, something bigger than 38. So I was pretty disappointed. I think this kind of failed; only 4% of those 900 actually worked. And then I started thinking about it: it did work,

damn it. It actually rendered, 38 of these things fired off. I didn't look at the proofs of concept that I created for it; they were automatically generated and then just stuffed into a variable that I teased out from the code, and then had the PhantomJS test to see if that JavaScript was fired back and executed. So I'm like, the process worked. So I thought to myself, if the JavaScript succeeded in executing, I knew that the proof of concept was escaping the tags properly and that the JavaScript was actually reaching the browser and being rendered. I knew that in order for us to reach the code, I

say "us", I mean myself and my imaginary friend who hangs out with me in my basement. I'm used to saying "us" as the SIRT at Akamai, because we were always collaborating. But I knew that the execution didn't require authentication; I didn't need to be authenticated to WordPress, so it was an unauthenticated cross-site scripting vulnerability in that plugin. I knew that it also wasn't just a class that was defined in a PHP file that wasn't reachable. In some cases you'll see a PHP file that has a cross-site scripting vulnerability in it, and it's just a class file, you can't actually execute any of the code. And then I knew that

the injection wasn't being sanitized at all, there wasn't something tricky going on by the plugin author. So I knew that it was pretty valid, most likely. If it wasn't successful, I knew that the injection point might be sanitized, there's something else going on that I didn't see in the code, that might exist around the code. In some cases you'll see a GET request for a variable and then the plugin author is casting that variable to an int, so you can't inject any code, so you're done, you can't do anything with it. And then I also knew that some of the code might require authentication; you might need admin or whatever to reach the code. Or it's

not escaping tags properly, which in some cases I found out. Let's see, because there are people younger than 20 in this room, "where I messed up". I was frustrated when I did this slide, but where I messed up: I didn't have WordPress installed where the plugins could reach it, so if the plugin was reaching out for an include for a WordPress plugin or a WordPress core file, like wp-admin.php, it was just error 500. I should have probably notified everybody later on in my research; I probably should have put that farther down the list. I didn't have the entire plugin copied, so I had only copied the

vulnerable PHP file out of the plugin into my testing environment. If that PHP file was including PHP files from the plugin itself, it would fail; it wouldn't be able to include the file and it would just fail out, error 500 again. php5-cgi doesn't set headers, it ignores them, because it's CGI execution, it's not actually a whole server stack, so it's not going to set headers. So some of the plugins were actually setting header types like Content-Type: text/css, and those aren't going to be rendered by the browser, they're going to be interpreted as text, so you're not going to get any JavaScript execution anyway. The big kicker was, I

found out that WordPress is escaping the GPC, or the GPRCS, GET, POST, REQUEST, COOKIE and SERVER variables, the superglobals; they're using addslashes on those if you include the WordPress core utilities, or core code, in your plugin, which they all do. In some cases they may not be, because the plugin file that you're hitting is actually outside of the WordPress thing and the author isn't including it, but for the ones that are, it made them all context dependent. The double star was: the entire plugin not being copied actually gave me some false negatives, which I found out later and fixed. Yeah, so WordPress is doing this.

If you look at their code base now, they did this like four, four and a half, five years ago. I didn't know this; I somehow missed it. I guess I had never noticed, when I was doing SQL injection, that sometimes it would try and inject... well, actually, the reason was that the one I found was unauthenticated, so I guess I somehow escaped this, because I was only really looking at unauthenticated stuff, because I thought those were the most fun. So I ended up finding this out the hard way, when I'm like, why are all these things being escaped

back to me? What's escaping this? The plugin author is not escaping anything, so something's escaping it. And two of the smart guys on the SIRT team, Eric Kobrin and Chad Seaman, started poking at the WordPress trunk code, or WordPress core library code, and they're like, look at what's happening here. I added these links, in case people take pictures; I can't really click those, but you can at least know where to go. You can click them if you want, entertain yourself. So this made all of my

stuff sort of different. I realized that, honoring the headers, I only had 27 that were automatically cross-site scripted, cross-site scripting vulnerable. I found three manually, I think just to make myself feel better about getting a solid 30. I manually validated them; they needed some tweaking, a few of them needed an extra variable to be defined so that they could reach the vulnerable code. One or two of them actually needed the entire plugin copied, because they were doing includes from their plugin that I missed. And as I mentioned before, I was seeing some stuff like this, where the actual code was vulnerable except

for that line, which made it not vulnerable anymore. So that was a false positive that I would trip over too. My cool-kid status, that was it. I'm like, that's it, I'm not a cool kid anymore. I thought maybe, if I had found 1,000-plus vulnerabilities, maybe I could submit it to DEF CON and speak there or something like that, and then I'm like, no, that's it, I'm done now. So, what I learned; this is the "what I learned" slide. Test your stuff end to end. I should have done a full server stack for testing the cross-site scripting. I should have had an Apache server running PHP with

WordPress on it, with all the plugins loaded, and then started firing the automatic exploiter at that. I shouldn't have done the CGI, the php-cgi; I thought it was a good idea, it bit me, and, I don't know, sometimes that's what good ideas do. I should have researched any odd results that weren't making sense. In hindsight, I remember poking at a SQL injection in a plugin that required authentication and seeing these weird slashes that were coming through that were escaping the SQL injection, and at the time I thought it was the plugin author who was doing it, and now I realize it was actually the WordPress

core that was doing it, that I didn't realize. So the WordPress escaping stuff made all the cross-site scripting plugin stuff... yeah, so the WordPress escaping stuff made everything context dependent. The addslashes stuff escapes these characters, so you can't escape out of an HTML tag. So the context-dependent stuff: if it's loading up WordPress, if it's including wp-load, it's going to automatically escape anything that's in $_GET, but we can still send this in, because we're not escaping out of an HTML tag; this is still going to pop up a box in the browser. In this instance, I can't escape this

because you know the cross-site scripting um the variables embedded in HTML tags and I can't if I stick a a quote or a double quote and it's going to end up escaping it out and I can't I can't break out of it um which it it sucks because I have to manually go through all 1322 uh entries and look and see and check their context are they inside of an HTML tag are they inside of a JavaScript tag if you're inside a JavaScript tag I might be able to you know do something um I I can't look at these things anymore for 1300 of these I'm not having these I started dreaming about crossy scripting and PHP

I went through the same thing when I was looking at Ruby Jams 2 years ago I was starting to dream about Ruby jams and I just stopped I'm like it got to stop when you have dreams about a giant Ruby Jam chasing you you're done so um so what's next uh I'm kind of done with the WordPress plugin crite scripting I really like finding like lfi or RFI I can I don't want to I don't want to rely on social engineering something want to exploit something I just want to exploit it because I found a bug in the code and I don't need someone to click something um I might try playing with the automatic

exploiting stuff some more just to sort of finish it out and see what it does um I still feel like I should look at some of the entries to see if they're valid I did share this with those guys in Germany um and they said they had found some that were valid I'm not sure they were looking for uh more in-depth ones than I was they were looking to actually use these to exploit the plugin and actually have like an administrative user and things like that I was looking to send an alert box so I might contact them and see what results they came up with um I thought about applying this to see how functions like f open were being

used, or Li forrell injection or CSRF, see how eval's being used, LFI, RFI, you know, use this to find more drastic vulnerabilities. And maybe work on some C stuff for a while, I guess, to stop looking at PHP and get back to something that is equally painful, but this is just a different pain, I guess. This is my thank you slide, thanking everyone here for listening to me ramble about this. I wanted to call out Brian Martin, Scott Moore, Ryan Ur Ma at WordPress and Solar Designer, because these guys got really heavily involved with this. They were, you know,

helping me out, and I had to tell them that I didn't realize that WordPress was doing this. And I wonder if she did, and just figured she'd let me wrap myself up in my own axle, like just let me trip over my own shoelaces, and just like, oh yeah, you're an elite hacker, dude, we're scared, what will we ever do, I wonder how long it'll be till he figures out where these are all context dependent. So I don't know. She says that she really appreciated the work I did. She said "really", but then I don't know if that was sarcasm, so I assume it wasn't and she's just being

nice. And then my I'm sorry slide is the same as my thank you slide, because I kind of wasted these people's time. Maybe they learned something, like don't talk to Larry anymore, I don't know. But all in all it was pretty much a big learning experience. It was pretty much seeing if I could do something, and then partially succeeding, and then just vetting out the stuff that I messed up on and hoping that other people can learn from it and, you know, see my mistakes. This is sort of like my, I keep a lab notebook on Google Docs of all my stuff, and this was sort

of all the notes from that converted into this slide deck. If anybody has any questions, that's my Twitter handle. I am larry.com because I've been there for 16 years, so back then they said, what do you want your email address to be, and I'm like, Larry. And I also had access to the old app server back then, so I could have made whatever I wanted. But any questions, tomatoes? Have you considered doing the same thing for Node.js? No, I haven't thought about it. I mean, there's a pattern there, Ruby gems, PHP, and it seems like the next natural progression would be Node, maybe. I'll take a look at that. I haven't looked at Node.js at

all, so I'm open to suggestions now, because when I was doing the Ruby gem stuff my former boss Mike Smith said, you know, you should look at WordPress plugins, you'd have a field day. At the time I was like, yeah, yeah, you know, WordPress plugins, I'm playing with these Ruby gems, and then now it's like, yeah, WordPress was a lot of fun, because with Ruby gems you needed to create a project to put a Ruby gem into to test, to see if your vulnerability, to prove a concept. With WordPress it's right there: you can just set up a WordPress instance, stick the plugin in

and see if your proof of concept exploit works. So, other questions? Oh, no, not a question but a comment, and it's a good one, so no worry. All right. I'm very thankful to you for talking about the failures and encountering the limitations of that; it's something that only the cool kids do. Thanks for that. Oh, you know, there's one thing that I certainly learned from this, is, yeah, I mean it worked to a degree,

but yeah, Christ, yeah. I mean the fact that I found 38 vulnerabilities at once is kind of significant, I guess. 30 of them were legitimately vulnerable, and so 30 at once in one whack, that's pretty telling. I mean, right there, it's not like I looked at those plugins specifically. I just grabbed a whole bunch, said I'm going to have a computer go through and look through the code for vulnerabilities, generate an exploit for those, and then point an exploit at it, and got 30 of them to work. So yeah, know what plugins you're running on your WordPress site, if you're running a WordPress site, and if you know PHP you

might want to go through them and look for simple bugs and things like that. So, any other questions? Thanks,

Larry
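The context dependence the talk keeps coming back to (WordPress applies addslashes() to the request superglobals in wp_magic_quotes(), which stops a reflected quote from closing an HTML attribute but leaves angle brackets alone, so body and script contexts stay unescaped) can be checked mechanically when triaging scanner hits. The script below is an added example, not the speaker's tool and not WordPress code: a small Python triage pass over a constructed PHP template that classifies where each reflected request parameter lands, notes whether an esc_* call already protects it, and names the WordPress escaping function that fits the context. The helper names (output_context, triage, verdict) and the sample template are assumptions made for this illustration.

```python
"""Triage reflected request parameters in a WordPress plugin template by output context.

Added example (not the speaker's scanner): WordPress's wp_magic_quotes() runs
addslashes() over $_GET/$_POST/$_COOKIE/$_REQUEST, so a reflected value cannot
close a quoted HTML attribute, but < and > are left untouched, so reflections
into body text or a <script> block are still unescaped.  The PHP snippet at
the bottom is constructed for illustration and is not from any real plugin.
"""
import re
from dataclasses import dataclass

PHP_BLOCK = re.compile(r"<\?(?:php\b|=)?(.*?)\?>", re.S)
REQUEST_VAR = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[\s*['\"]?(\w+)")
OUTPUT_STMT = re.compile(r"\b(?:echo|print)\b\s*(.*?);", re.S)
# WordPress output-escaping helpers (plus PHP's own) that make a reflection safe
ESCAPERS = ("esc_html", "esc_attr", "esc_js", "esc_url", "esc_textarea", "htmlspecialchars")
# the escaper that matches each output context
RECOMMENDED = {"body": "esc_html", "attr_double": "esc_attr", "attr_single": "esc_attr",
               "tag": "esc_attr", "script": "esc_js"}


@dataclass
class Finding:
    param: str                    # request parameter name
    context: str                  # body | attr_double | attr_single | tag | script
    escaped: bool                 # wrapped in an esc_* / htmlspecialchars call
    slashes_block_breakout: bool  # does wp_magic_quotes() alone stop a breakout?


def output_context(html: str) -> str:
    """Classify where output lands, given the literal template HTML emitted before it.

    Only HTML outside <?php ?> blocks is tracked; markup printed from inside
    PHP code is ignored (a simplification of this example, not of WordPress)."""
    lt, gt = html.rfind("<"), html.rfind(">")
    if lt > gt:                        # cursor is inside an unfinished tag
        tail = html[lt:]
        if tail.count('"') % 2:
            return "attr_double"
        if tail.count("'") % 2:
            return "attr_single"
        return "tag"                   # unquoted attribute value position
    if html.rfind("<script") > html.rfind("</script"):
        return "script"
    return "body"


def template_blocks(src: str):
    """Yield (html_before, php_code, is_short_echo) for every <?php ?> / <?= ?> block."""
    html, pos = "", 0
    for m in PHP_BLOCK.finditer(src):
        html += src[pos:m.start()]
        yield html, m.group(1), src.startswith("<?=", m.start())
        pos = m.end()


def output_expressions(code: str, is_short_echo: bool):
    """Return the expressions a PHP block writes into the response."""
    if is_short_echo:
        return [code.strip()]
    return [m.group(1).strip() for m in OUTPUT_STMT.finditer(code)]


def triage(src: str) -> list:
    """Return one Finding per request parameter that reaches the response."""
    findings = []
    for html, code, short in template_blocks(src):
        ctx = output_context(html)
        for expr in output_expressions(code, short):
            for param in REQUEST_VAR.findall(expr):
                escaped = any(f + "(" in expr for f in ESCAPERS)
                # addslashes() only neutralises quotes and backslashes; a quoted
                # attribute is the one context where that alone prevents a
                # breakout, since <, > and </script> pass through unchanged.
                blocked = ctx in ("attr_double", "attr_single")
                findings.append(Finding(param, ctx, escaped, blocked))
    return findings


def verdict(f: Finding) -> str:
    """Human-readable triage result with the matching WordPress escaper."""
    if f.escaped:
        return "ok"
    fix = f"wrap in {RECOMMENDED[f.context]}()"
    if f.context == "tag":
        fix += " and quote the attribute"
    if f.slashes_block_breakout:
        return "context-dependent: wp_magic_quotes() blocks quote breakout; " + fix
    return f"reflected unescaped in {f.context} context; " + fix


# Constructed plugin template (not from any real plugin) exercising each context.
SAMPLE_TEMPLATE = """<h2>Search</h2>
<form>
<input type="text" name="q" value="<?php echo $_GET['q']; ?>">
<input type="text" name="tag" value=<?= $_GET['tag'] ?>>
</form>
<p>You searched for <?php echo $_GET['q']; ?></p>
<p>Page <?php echo esc_html($_GET['page']); ?></p>
<script>var tracker = "<?php echo $_REQUEST['ref']; ?>";</script>
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_TEMPLATE):
        print(f"{f.param:5} {f.context:12} {verdict(f)}")
```

Run against the constructed template, the first reflection of `q` (inside a double-quoted attribute) comes back as context-dependent, which is exactly the class of hit the talk says had to be re-checked by hand, while the same parameter echoed into body text and the `ref` value echoed into a `<script>` block are reported as genuinely unescaped. The `page` reflection wrapped in esc_html() is reported as ok.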