Life Cycle of a WordPress (or Joomla) Zero-Day
It’s rare that you find good write-ups with evidence-based details in the field of security. (This I learned while working on WordPress Security with Confidence.) That is true for a whole host of reasons, but it’s one of the many reasons that I’m pointing you all at this write-up from Larry Cashdollar.
Larry’s narrative loses me a bit (on two readings), but some of the facts he lists are really interesting:
- His disclosures of new Joomla vulnerabilities were, as best he could tell, ignored for over a year after they were publicly disclosed by the black hat hackers who control the automated attack scripts that go after sites.
- But then he discovered that the reason may have simply been the location of his disclosure (emphasis mine): “While my advisories had permeated the usual exploit curator websites, like packetstormsecurity.org, they had not made it over to http://exploit-db.com, http://cxsecurity.org and http://0day.today. Two days after submitting all three exploits to exploit-db.com I found a hit in Akamai’s logs.”
- When he disclosed a path traversal vulnerability in a WordPress plugin, it took just four days for him to see the first attack.
- When Larry tracked what happened following Marc Montpas’s disclosure of a serious vulnerability in the JSON REST API (in WordPress 4.7.0 and 4.7.1, fixed in 4.7.2), he saw attacks begin just three hours after the disclosure was made. But some (maybe a large percentage) of these requests may have been security scanners rather than real attacks.
- Larry speculates that a lot of attackers are using “Google dorks” to find WordPress sites. That is, queries like
(found via Marc Montpas)
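The “three hours after disclosure” and “was it a scanner or an attack?” points above are the kind of thing you can only answer by measuring. The script below is an added example of that measurement and is not code from Larry’s write-up or from Akamai: it parses constructed combined-format access log lines (not his real data), picks out write requests to single posts on the REST API endpoint, separates hits whose User-Agent matches a constructed list of known scanner strings, and reports the lag from a hypothetical disclosure time to the first probe and to the first non-scanner probe. The disclosure timestamp, the endpoint pattern, and the scanner markers are all assumptions made for the example.

```python
"""Measure disclosure-to-first-exploitation lag from web server access logs (added example)."""
import re
from datetime import datetime, timezone

# ASSUMPTION: hypothetical disclosure time; the real advisory time is not given on the page.
DISCLOSURE = datetime(2017, 2, 1, 16, 0, tzinfo=timezone.utc)

# Constructed sample lines in Apache/NGINX combined log format (not real Akamai data).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Feb/2017:15:10:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Feb/2017:17:02:41 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 403 512 "-" "WPScan v2.9.3"
192.0.2.44 - - [01/Feb/2017:19:05:12 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 1024 "-" "python-requests/2.13.0"
192.0.2.44 - - [01/Feb/2017:19:05:13 +0000] "POST /wp-json/wp/v2/posts/2 HTTP/1.1" 200 1024 "-" "python-requests/2.13.0"
203.0.113.9 - - [02/Feb/2017:03:30:00 +0000] "GET /?rest_route=/wp/v2/posts HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# ASSUMPTION: a write to a single post via the REST API, by pretty permalink or ?rest_route=.
REST_POST_WRITE = re.compile(r'(/wp-json/wp/v2/posts/\d+|rest_route=/wp/v2/posts/\d+)')

# Constructed list of User-Agent fragments treated as known security scanners.
SCANNER_UA_MARKERS = ("wpscan", "nessus", "nikto")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_rest_post_write(rec):
    """True for POST/PUT requests aimed at a single post on the REST API."""
    return rec["method"] in ("POST", "PUT") and bool(REST_POST_WRITE.search(rec["path"]))


def is_known_scanner(rec):
    """Heuristic: User-Agent contains one of the constructed scanner markers."""
    ua = rec["ua"].lower()
    return any(marker in ua for marker in SCANNER_UA_MARKERS)


def time_to_first_hit(log_text, disclosure=DISCLOSURE):
    """Count post-disclosure probes and report lag to the first probe and first non-scanner probe."""
    records = [r for r in (parse_line(line) for line in log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])  # logs are not guaranteed to be in time order
    probes = [r for r in records if is_rest_post_write(r) and r["ts"] >= disclosure]
    non_scanner = [r for r in probes if not is_known_scanner(r)]
    return {
        "probe_count": len(probes),
        "scanner_count": len(probes) - len(non_scanner),
        "first_probe_lag": probes[0]["ts"] - disclosure if probes else None,
        "first_non_scanner_lag": non_scanner[0]["ts"] - disclosure if non_scanner else None,
    }


if __name__ == "__main__":
    for key, value in time_to_first_hit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the first hit after disclosure is a WPScan request about an hour in, but the first probe that does not announce itself as a scanner arrives about three hours in; that second number is the one that corresponds to Larry’s “three hours” figure, and the gap between the two is exactly the scanner-versus-attack ambiguity the post flags. The User-Agent check is only a heuristic: a real attacker can send any User-Agent, so a lower scanner count is a floor, not a proof.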