wordstress 0.40.0 → 0.50.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/LICENSE.txt +1 -1
- data/README.md +73 -32
- data/lib/wordstress/version.rb +1 -1
- data/wordstress.gemspec +4 -1
- metadata +6 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b0aa61cebd1eb419b6a984c3b7dfd1beda4d952f
|
|
4
|
+
data.tar.gz: 81fd3b8759deaddab58bd678c8b75b273c3ace22
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c188252811ed425f272b9faa410386abf65f29674e87c96898e0f4f783240cbf93dd8741c2597e80a9dc943954afedf502e489bef057daf4e0c136a2302569a7
|
|
7
|
+
data.tar.gz: 58f698450f1ae8d0981f017f77cc0b4d3ca01955d920b2672d4c092af0ddc895999f250b3bc40f0d36fdf848c2e7dd92811883a71dccea782148431ee80288d6
|
data/LICENSE.txt
CHANGED
data/README.md
CHANGED
|
@@ -3,6 +3,71 @@
|
|
|
3
3
|
wordstress is a application security tool specific for wordpress powered
|
|
4
4
|
websites, inspired by [wpscan](https://github.com/wpscanteam/wpscan) tool.
|
|
5
5
|
|
|
6
|
+
|
|
7
|
+
## Description
|
|
8
|
+
|
|
9
|
+
[wordstress](https://rubygems.org/gems/wordstress) is a whitebox
|
|
10
|
+
security scanner for wordpress powered websites.
|
|
11
|
+
|
|
12
|
+
Site owners don't want to spend time in reading complex blackbox security scan
|
|
13
|
+
reports trying to remove false positives. A useful security tool must give them
|
|
14
|
+
only vulnerabilities really affecting installed plugins or themes.
|
|
15
|
+
|
|
16
|
+
Let's assume, plugin `foobar_plugin` version 3.4.3 has a sever SQL Injection
|
|
17
|
+
vulnerability. In one of several wordpress powered website, you installed
|
|
18
|
+
version 3.2.1 version that **is not vulnerable**.
|
|
19
|
+
|
|
20
|
+
A blackbox security scanner will try to enumerate installed plugins but it
|
|
21
|
+
can't tell the exact installed version. So, using a blackbox approach you'll
|
|
22
|
+
have a alleged SQL Injection vulnerability you must validate and mitigate.
|
|
23
|
+
Unfortunately, you will lose precious time to spot a false positive since your
|
|
24
|
+
plugin is safe.
|
|
25
|
+
|
|
26
|
+
With wordstress plugin, you'll give [the security
|
|
27
|
+
tool](https://rubygems.org/gems/wordstress) the exact `foobar_plugin` version
|
|
28
|
+
installed on the system, 3.2.1. The tool will scan the knowledge base and
|
|
29
|
+
report 0 vulnerabilities. You save time and you can be focused only on stuff
|
|
30
|
+
really need your attention.
|
|
31
|
+
|
|
32
|
+
Of course you may argue that giving on the Internet a place where all your
|
|
33
|
+
website third parties plugins and themes name with version is not a wise
|
|
34
|
+
decision. This is correct, that's why wordstress plugin creates a secure access
|
|
35
|
+
key the scanner must use in order to access /wordstress virtual page.
|
|
36
|
+
|
|
37
|
+
People without the correct key can't access your website information. The key
|
|
38
|
+
is unique per server and created with hashing functions so to be resilient to
|
|
39
|
+
guessing account. Bruteforcing the key will lead to an unsuccessful attempt,
|
|
40
|
+
and you'll be busted. For sure.
|
|
41
|
+
|
|
42
|
+
You must pass the correct key value to wordstress ruby gem in order to perform
|
|
43
|
+
the whitebox scan. If you provide the wrong key or you won't provide a key at
|
|
44
|
+
all, the wordstress plugin will give no information as output and then no
|
|
45
|
+
whitebox scan will be possible.
|
|
46
|
+
|
|
47
|
+
You don't like the key? Just reload the page a couple of times since you're
|
|
48
|
+
comfortable about the generated entropy and then save the settings.
|
|
49
|
+
|
|
50
|
+
## Installation
|
|
51
|
+
|
|
52
|
+
wordstress scanner, this ruby gem is very easy to install. You need a working
|
|
53
|
+
ruby environment, please ask your preferred search engine if you need
|
|
54
|
+
instructions on how to setup ruby on your operating system. Just issue the
|
|
55
|
+
`gem install wordstress` command and you're almost ready to start.
|
|
56
|
+
|
|
57
|
+
To install the [wordstress plugin for
|
|
58
|
+
wordpress](https://wordpress.org/plugins/wordstress/) you may must:
|
|
59
|
+
|
|
60
|
+
* download wordstress.zip and unpack the content to your `/wp-content/plugins/` directory
|
|
61
|
+
* activate the plugin through the 'Plugins' menu in WordPress
|
|
62
|
+
* navigate the Settings->Wordstress admin page
|
|
63
|
+
* every time you enter wordstress setting page, a new key is automagically
|
|
64
|
+
generated, to increase entropy you may want to reload the page a couple of
|
|
65
|
+
times. When you're comfortable with the generated key, press the "Save Changes"
|
|
66
|
+
button.
|
|
67
|
+
The virtual page is now available at the url http://youblogurl/wordstress?worstress-key=the_key
|
|
68
|
+
* from the command line, use wordstress security scanner this way: `worstress -u http://yourblogurl/wordstress -k the_key`
|
|
69
|
+
* enjoy results
|
|
70
|
+
|
|
6
71
|
## Why another tool?
|
|
7
72
|
|
|
8
73
|
[wpscan](https://github.com/wpscanteam/wpscan) is a great tool and wordstress
|
|
@@ -27,47 +92,23 @@ During those years I was very upset as pentester with false positives about
|
|
|
27
92
|
themes and plugins and their version. Since an authenticated check is necessary
|
|
28
93
|
to match scan results with installed plugin (or theme) version, I tought it was
|
|
29
94
|
a better idea to start authenticated from the beginning.
|
|
30
|
-
** UPDATE ** - this can be very tricky to accomplish
|
|
31
|
-
|
|
32
|
-
Of course, wordstress will perform blackbox testing, trying to guess the
|
|
33
|
-
installed wordpress version and listing vulnerabilities taken from
|
|
34
|
-
[wpvulndb](https://wpvulndb.com).
|
|
35
95
|
|
|
36
96
|
## Online resource
|
|
37
97
|
|
|
98
|
+
[Wordstress homepage](http://wordstress.org)
|
|
99
|
+
[Wordstress plugin](http://wordpress.org/plugins/wordstress/)
|
|
38
100
|
[Attacking Wordpress](http://hackertarget.com/attacking-wordpress/)
|
|
39
101
|
|
|
102
|
+
|
|
40
103
|
## Killing features
|
|
41
104
|
|
|
42
105
|
* A great knowledge base powered by [wpvulndb API](https://wpvulndb.com)
|
|
43
|
-
* Information gathering from robots.txt file
|
|
44
106
|
* Standard rubygem distribution
|
|
45
|
-
*
|
|
46
|
-
*
|
|
47
|
-
*
|
|
48
|
-
*
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
## Installation
|
|
53
|
-
|
|
54
|
-
Add this line to your application's Gemfile:
|
|
55
|
-
|
|
56
|
-
```ruby
|
|
57
|
-
gem 'wordstress'
|
|
58
|
-
```
|
|
59
|
-
|
|
60
|
-
And then execute:
|
|
61
|
-
|
|
62
|
-
$ bundle
|
|
63
|
-
|
|
64
|
-
Or install it yourself as:
|
|
65
|
-
|
|
66
|
-
$ gem install wordstress
|
|
67
|
-
|
|
68
|
-
## Usage
|
|
69
|
-
|
|
70
|
-
TODO: Write usage instructions here
|
|
107
|
+
* Whitebox testing using existing wordpress user for template and themes vulnerabilities.
|
|
108
|
+
* Information gathering from robots.txt file _(planned)_
|
|
109
|
+
* SQL and CSV output. Suitable for script integration _(planned)_
|
|
110
|
+
* Massive websites scan from text file _(planned)_
|
|
111
|
+
* SSL server rating using [Qualys SSL Labs rating guide](https://www.ssllabs.com/projects/rating-guide/) _(planned)_
|
|
71
112
|
|
|
72
113
|
## Contributing
|
|
73
114
|
|
data/lib/wordstress/version.rb
CHANGED
data/wordstress.gemspec
CHANGED
|
@@ -9,7 +9,8 @@ Gem::Specification.new do |spec|
|
|
|
9
9
|
spec.authors = ["Paolo Perego"]
|
|
10
10
|
spec.email = ["paolo@wordstress.org"]
|
|
11
11
|
spec.summary = %q{wordstress is a security scanner for wordpress powered websites}
|
|
12
|
-
spec.description = %q{wordstress is a security scanner for wordpress powered websites
|
|
12
|
+
spec.description = %q{wordstress is a security scanner for wordpress powered websites. Site owners don't want to spend time in reading complex blackbox security scan
|
|
13
|
+
reports trying to remove false positives. A useful security tool must give them only vulnerabilities really affecting installed plugins or themes. Please refere to the README file for further informations.}
|
|
13
14
|
spec.homepage = "http://wordstress.org"
|
|
14
15
|
spec.license = "MIT"
|
|
15
16
|
|
|
@@ -21,6 +22,8 @@ Gem::Specification.new do |spec|
|
|
|
21
22
|
spec.add_development_dependency "bundler", "~> 1.7"
|
|
22
23
|
spec.add_development_dependency "rake", "~> 10.0"
|
|
23
24
|
|
|
25
|
+
spec.required_ruby_version = '>= 2.0.0'
|
|
26
|
+
|
|
24
27
|
spec.add_dependency 'codesake-commons'
|
|
25
28
|
spec.add_dependency 'json'
|
|
26
29
|
spec.add_dependency 'ciphersurfer'
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: wordstress
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.50.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Paolo Perego
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-02-
|
|
11
|
+
date: 2015-02-27 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -94,7 +94,9 @@ dependencies:
|
|
|
94
94
|
- - ">="
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
96
|
version: '0'
|
|
97
|
-
description:
|
|
97
|
+
description: |-
|
|
98
|
+
wordstress is a security scanner for wordpress powered websites. Site owners don't want to spend time in reading complex blackbox security scan
|
|
99
|
+
reports trying to remove false positives. A useful security tool must give them only vulnerabilities really affecting installed plugins or themes. Please refere to the README file for further informations.
|
|
98
100
|
email:
|
|
99
101
|
- paolo@wordstress.org
|
|
100
102
|
executables:
|
|
@@ -127,7 +129,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
127
129
|
requirements:
|
|
128
130
|
- - ">="
|
|
129
131
|
- !ruby/object:Gem::Version
|
|
130
|
-
version:
|
|
132
|
+
version: 2.0.0
|
|
131
133
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
132
134
|
requirements:
|
|
133
135
|
- - ">="
|