Vulnerability exploitation for Joomla content management system

doi:10.7523/j.issn.2095-6134.2015.06.015

Abstract

Abstract:

We propose and develop a vulnerability exploitation scheme, called JoomHack. We use online shared and updatable vulnerability detection library of attack patterns, traverse them to exploit vulnerabilities, use attack patterns in database as seeds to generate new ones, and bring higher success rates. Experiments show that JoomHack takes advantage over Joomscan and other penetration tools of superiority when exploiting Joomla-based web system. JoomHack exploits vulnerabilities, assess risk for Joomla site effectively, and lay the foundation for web security work such as bug fixes. It is effective and has low cost for the improvement of web security.

Key words: Joomla, shared vulnerability library, risk assessment, vulnerability exploit, web security

CLC Number:

TP393

DONG Ying, ZHANG Yuqing, YUE Hongzhou. Vulnerability exploitation for Joomla content management system[J]. , 2015, 32(6): 825-835.

References

[1] IBM. IBM Internet Security Systems X-Force 2013 mid-year trend statistics[EB/OL]. (2013-10-19)[2014-07-20]. http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&appname=SWGE_WG_WG_USEN&htmlfid=WGL03036USEN&attachment=WGL03036USEN.PDF.

[2] CERT Australia. Cyber crime and security survey report[EB/OL]. (2013-09-19)[2014-07-20]. http://www.canberra.edu.au/cis/storage/Cyber%20Crime%20and%20Security%20Survey%20Report%202012.pdf.

[3] Fong E, Okun V. Web application scanners:definitions and functions[C]//System Sciences, IEEE International Conference, 2007:280-287.

[4] Yeo J. Using penetration testing to enhance your company's security[J]. Computer Fraud & Security, 2013(4):17-20.

[5] Farooq A, Javed F, Hussain M, et al. Open source content management systems:a canvass[J]. International Journal of Multidisciplinary Sciences and Engineering, 2012(3):38-43.

[6] W3techs. World wide web technology surveys[EB/OL]. (2013-03-23)[2014-07-20]. http://w3techs.com.

[7] W3techs. Historical trends in the usage of content management systems for websites[EB/OL]. (2013-07-31)[2014-07-20]. http://w3techs.com/technologies/history_overview/content_management/all.

[8] OpenSource CMS. CMS demos & information[EB/OL]. (2013-03-27)[2014-07-20]. http://www.opensourcecms.com/.

[9] Joomla. What is Joomla?[EB/OL]. (2013-03-27)[2014-07-20]. http://www.joomla.org/about-joomla.html.

[10] Patel S K, Rathod V R, Prajapati J B. Comparative analysis of web security in open source content management system[C]//Intelligent Systems and Signal Processing (ISSP), IEEE International Conference, 2013:344-349.

[11] Patel S K, Rathod V R, Parikh S. Joomla, Drupal and WordPress:a statistical comparison of open source CMS[C]//Trends in Information Sciences and Computing (TISC), IEEE International Conference on, 2011:182-187.

[12] Patel S K, Rathod V R, Prajapati J B. Performance analysis of content management systems:Joomla, Drupal and WordPress[J]. International Journal of Computer Applications, 2011(4):39-43.

[13] Walden J, Doyle M, Welch G A, et al. Security of open source web applications[C]//Proceedings of the 20093rd International Symposium on Empirical Software Engineering and Measurement, IEEE Computer Society, 2009:545-553.

[14] Jensen T, Pedersen H, Olesen M C, et al. THAPS:automated vulnerability scanning of PHP applications[M]//Secure IT Systems, Springer Berlin Heidelberg, 2012:31-46.

[15] 2011 Open source awards[EB/OL]. (2013-03-28)[2014-07-30]. http://www.packtpub.com/open-source-awards-home.

[16] Rahmel D. Joomla database administration and configuration[M].Advanced Joomla!, Apress, 2013:185-210.

[17] Rahmel D. Joomla and web services[M]. Advanced Joomla!, Apress, 2013:131-157.

[18] Rahmel D. Customizing Joomla with widgets[M]. Advanced Joomla!, Apress, 2013:25-43.

[19] Rahmel D. Joomla security administration[M]. Advanced Joomla!, Apress, 2013:159-183.

[20] Joomla. What is Joomla?[EB/OL]. (2013-04-09)[2014-07-30]. http://www.joomla.org/about-joomla.html.

[21] OWASP. Category:OWASP top ten project[EB/OL]. (2013-05-02)[2014-07-30]. https://www.owasp.org/index.php/Cate gory:OWASP_Top_Ten_Project.

[22] NVD. National vulnerability database[EB/OL]. (2013-05-23)[2014-07-30]. http://nvd.nist.gov/.

[23] EDB. The exploit database[EB/OL]. (2013-05-23)[2014-07-20]. http://www.exploit-db.com/.

[24] Kieyzun A, Guo P J, Jayaraman K, et al. Automatic creation of SQL injection and cross-site scripting attacks[C]//Software Engineering, IEEE 31st International Conference, 2009:199-209.

[25] Hoebel V. The Joomla hacking compendium[EB/OL]. (2013-05-03)[2014-07-20]. http://www.exploit-db.com/papers/15780/.

[26] Lam M S, Martin M, Livshits B, et al. Securing web applications with static and dynamic information flow tracking[C]//Proceedings of the 2008 on Partial evaluation and semantics-based program manipulation, ACM Sigplan symposium, 2008:3-12.

[27] Bau J, Bursztein E, Gupta D, et al. State of the art:automated black-box web application vulnerability testing[C]//Security and Privacy (SP), IEEE Symposium, 2010:332-345.

[28] Jovanovic N, Kruegel C, Kirda E. Pixy:a static analysis tool for detecting web application vulnerabilities[C]//Security and Privacy, IEEE Symposium, 2006.

[29] Wassermann G, Su Z. Sound and precise analysis of web applications for injection vulnerabilities[C]//Sigplan Notices, ACM, 2007:32-41.

[30] Kals S, Kirda E, Kruegel C, et al. Secubat:a web vulnerability scanner[C]//Proceedings of the 15th international conference on World Wide Web, ACM, 2006:247-256.

[31] Huang Y W, Huang S K, Lin T P, et al. Web application security assessment by fault injection and behavior monitoring[C]//Proceedings of the 12th international conference on World Wide Web, ACM, 2003:148-159.

[32] Mavituna Security. What is Netsparker?[EB/OL]. (2013-03-29)[2014-07-30]. https://www.mavitunasecurity.com/netsparker/.

[33] Janusec. WebCruiser|Web Vulnerability Scanner, SQL Injection Tool![EB/OL]. (2013-03-31)[2014-07-30]. http://sec4app.com/.

[34] Acunetix. Audit your website security with acunetix web vulnerability scanner[EB/OL]. (2013-03-39)[2014-07-30]. http://www.acunetix.com/vulnerability-scanner/.

[35] Sense Post. Wikto[EB/OL]. (2013-04-20)[2014-07-30].http://research.sensepost.com/tools/web/wikto.

[36] IBM. Appscan[EB/OL]. (2013-04-03)[2014-07-30].http://www-03.ibm.com/software/products/us/en/appscan/.

[37] OWASP. ZAP[EB/OL]. (2013-03-10)[2014-07-30].https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project.