wpbullet: A static code analysis for WordPress and PHP

by do son ·

wpbullet

wpBullet

Static code analysis for WordPress Plugins/Themes (and PHP)

wpbullet

Installation

$ git clone https://github.com/webarx-security/wpbullet wpbullet
$ cd wpbullet
$ pip install -r requirements.txt

Usage

--path (required) System path or download URL 

Examples:

--path="/path/to/plugin"

--path="https://wordpress.org/plugins/example-plugin"

--path="https://downloads.wordpress.org/plugin/example-plugin.1.5.zip"



--enabled (optional) Check only for given modules, ex. --enabled="SQLInjection,CrossSiteScripting"

--disabled (optional) Don't check for given modules, ex. --disabled="SQLInjection,CrossSiteScripting"

--cleanup (optional) Automatically remove content of .temp folder after scanning remotely downloaded plugin



$ python wpbullet.py --path="/var/www/wp-content/plugins/plugin-name"

 

Creating modules

Creating a module is flexible and allows for an override of the BaseClass methods for each module as well as creating their own methods

Each module in Modules directory is implementing properties and methods from core.modules.BaseClass, thus each module’s required parameter is BaseClass

Once created, the module needs to be imported in modules/__init__.py. Module and class name must be consistent in order to the module to be loaded.

If you are opening a pull request to add a new module, please provide unit tests for your module as well.

Module template

Modules/ExampleVulnerability.py

from core.modules import BaseClass





class ExampleVulnerability(object):



    # Vulnerability name

    name = "Cross-site Scripting"



    # Vulnerability severity

    severity = "Low-Medium"



    # Functions causing vulnerability

    functions = [

        "print"

        "echo"

    ]



    # Functions/regex that prevent exploitation

    blacklist = [

        "htmlspecialchars",

        "esc_attr"

    ]

 

Overriding regex match pattern

Regex pattern is being generated in core.modules.BaseClass.build_pattern and therefore can be overwritten in each module class.

Modules/ExampleVulnerability.py

import copy





...

# Build dynamic regex pattern to locate vulnerabilities in given content

def build_pattern(self, content, file):

    user_input = copy.deepcopy(self.user_input)



    variables = self.get_input_variables(self, content)



    if variables:

        user_input.extend(variables)



    if self.blacklist:

        blacklist_pattern = r"(?!(\s?)+(.*(" + '|'.join(self.blacklist) + ")))"

    else:

        blacklist_pattern = ""



    self.functions = [self.functions_prefix + x for x in self.functions]



    pattern = r"((" + '|'.join(self.functions) + ")\s{0,}\(?\s{0,1}" + blacklist_pattern + ".*(" + '|'.join(user_input) + ").*)"

    return pattern

 

Copyrihgt (C) 2019 webarx-security

Source: https://github.com/webarx-security/

Tags: wpbullet