Why Should You Do a Plugin Security Audit Before Making Your Plugin Live?

Updated on: August 26, 2020

Plugin vulnerabilities are considered the number one cause of attacks on any CMS platform. Exploiting a vulnerability in an outdated or unsecured third-party plugin lets attackers indirectly target thousands of websites in a single blow. Take one of the most popular CMSs, WordPress: over 55% of attacks on WordPress sites are caused by exploits of vulnerable plugins (see the chart below).

Clearly, we can establish a connection between plugin vulnerabilities and the chances of an attack.

Not just WordPress: faulty plugins, add-ons, extensions, and modules have been a nagging problem and an embarrassment for every CMS. Further, after every high-profile cyberattack, the plugin’s developers come under brutal scrutiny and face massive criticism online. They also have to work against the clock to patch the flaw as soon as possible to limit the damage and much of the uproar.

For this reason, developing a plugin is not an easy task. There are certain security practices plugin and theme developers must follow. One vital security measure is to test your plugin for vulnerabilities while developing it. For this purpose, you can conduct a plugin security audit, also known as a plugin security assessment.

If the above reasons are not pressing enough for you to consider plugin security testing, consider this:

  • plugin vulnerabilities are a huge risk for customer and user data
  • data leaks can cause you to face legal action
  • plugin vulnerabilities can defame your company (development company), website or business

What is a plugin security audit or plugin VAPT?

Vulnerability Assessment (VA) and Penetration Testing (PT) are two types of security tests. VAPT is a combination of the two that gives optimal results.

A vulnerability assessment, as the name suggests, can identify the various vulnerabilities in the plugin. On the other hand, a penetration test is done to find out if these vulnerabilities can be exploited and how. It also shows the magnitude of the damage that a potential attack can cause. Together, a VAPT can provide data about existing vulnerabilities in your plugin, how potential hackers can exploit them, and the damage that can result from the hack.

Difference between VA and PT; Source: BlockGeeks

A person equipped with technical knowledge and the right tools is capable of conducting a vulnerability assessment. Penetration tests are mostly done by ethical hackers, also known as white hats, who exploit all vulnerable ports and endpoints to determine the most critical and severe vulnerabilities in software such as a plugin.

That said, after going through this guide you will have enough knowledge and resources to carry out a successful plugin security audit on your own. More on that later.

First, let’s understand the common vulnerabilities that affect a WordPress plugin.

Common plugin vulnerabilities

How to do a WordPress plugin security audit (developer’s perspective)

A plugin security audit comprises three steps: Information Gathering (i.e. Reconnaissance), Exploitation, and Remediation.

The purpose of a plugin security audit varies with different plugins and developers’ needs. Having said that, almost all plugin security audits tend to encompass the following things:

  1. Testing all input areas on the plugin
  2. Checking requests made by the plugin
  3. Checking the source code
  4. Checking permissions and data storage on the plugin

1) Gathering Information

The first step in a plugin security audit is to gather information about your plugin. This information will help you prioritize the security areas you need to test first.

Common security areas tested in a plugin security audit are: user data input and the related checks (validation, sanitization, escaping), file and directory permissions, configurations, data storage, encryption, web servers, the database, and more.
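The checks just listed (validation, sanitization, escaping, permissions, data storage) are easiest to see side by side in code. The following is an added example, not code from the original post or from Astra: a hypothetical WordPress plugin’s AJAX handler, first in the form an audit should flag and then in its hardened form. The plugin prefix "myplugin", the notes table, the action name and the nonce name are assumptions; the WordPress functions used (current_user_can, check_ajax_referer, absint, sanitize_textarea_field, wp_unslash, $wpdb->prepare, $wpdb->insert, esc_html, wp_send_json_success/error) are real core APIs. The file only runs inside a WordPress installation.

```php
<?php
/*
 * Added example, not from the original post or from Astra: a hypothetical
 * WordPress plugin's AJAX handler, first in the form an audit should flag and
 * then hardened. The "myplugin" prefix, the notes table, the action and the
 * nonce names are assumptions; the WordPress functions are real core APIs.
 * This file only runs inside a WordPress installation.
 */

/* ---- Vulnerable form: what the audit should find ---------------------- */

add_action( 'wp_ajax_myplugin_save_note', 'myplugin_save_note_vulnerable' );
// Registering the nopriv hook too makes the handler reachable without logging in.
add_action( 'wp_ajax_nopriv_myplugin_save_note', 'myplugin_save_note_vulnerable' );

function myplugin_save_note_vulnerable() {
    global $wpdb;
    // No capability check and no nonce: any request that reaches
    // admin-ajax.php is accepted (broken access control, CSRF).
    // Raw request data concatenated into SQL: SQL injection (the kind of
    // finding SQLmap produces from a plugin's input fields).
    $wpdb->query( "INSERT INTO {$wpdb->prefix}myplugin_notes (post_id, note) VALUES ("
        . $_POST['post_id'] . ", '" . $_POST['note'] . "')" );
    // Raw request data echoed back: reflected XSS.
    echo 'Saved: ' . $_POST['note'];
    wp_die();
}

/* ---- Hardened form ---------------------------------------------------- */

// No wp_ajax_nopriv_ registration: only logged-in users can reach the action.
add_action( 'wp_ajax_myplugin_save_note_secure', 'myplugin_save_note_secure' );

function myplugin_save_note_secure() {
    global $wpdb;

    // 1. Authorization: the user needs a capability that fits the action.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: the request must carry the nonce the plugin's own page issued
    //    (client side: wp_create_nonce( 'myplugin_save_note' ) sent as 'nonce').
    check_ajax_referer( 'myplugin_save_note', 'nonce' );

    // 3. Validation and sanitization of every field, with a type that fits it.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $note    = isset( $_POST['note'] ) ? sanitize_textarea_field( wp_unslash( $_POST['note'] ) ) : '';

    if ( 0 === $post_id || '' === $note || null === get_post( $post_id ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    // Per-object authorization: edit rights on this particular post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Data storage: values go through $wpdb->prepare() placeholders
    //    (or $wpdb->insert() with a format array), never string concatenation.
    $exists = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}myplugin_notes WHERE post_id = %d AND note = %s",
        $post_id,
        $note
    ) );
    if ( 0 === $exists ) {
        $inserted = $wpdb->insert(
            $wpdb->prefix . 'myplugin_notes',
            array( 'post_id' => $post_id, 'note' => $note ),
            array( '%d', '%s' )
        );
        if ( false === $inserted ) {
            wp_send_json_error( 'storage failed', 500 );
        }
    }

    // 5. Escaping on output: data is escaped for the context it is rendered in.
    wp_send_json_success( array( 'message' => esc_html( 'Saved: ' . $note ) ) );
}
```

When reviewing a handler, the five numbered comments double as the audit checklist: who may call it, how the request is tied to the plugin’s own page, what each input is allowed to be, how it reaches the database, and how it comes back out.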

Now, you can use automated tools to find vulnerabilities in each of these security areas. Tools like Nikto, Nmap, Testssl, etc. can accelerate the process for you.

  • Nikto: Nikto is a web server scanner that ships with Kali Linux. It is extensively used to find information such as the server software, hostname, port, IP, security headers, etc. of an application.

    To use this tool on Kali Linux, run the following command:

    nikto -h [examplewebserverurl]

    Where [examplewebserverurl] is your web server’s IP or FQDN.

Using Nikto to find information about the application; Source: Astra Security
  • Nmap: Nmap, short for Network Mapper, is a pen-testing tool used for network inventory, managing service upgrade schedules, and monitoring host or service uptime. In other words, Nmap tells you about the host serving the application: the hosting service, the software versions and operating system, and the firewalls or other security systems in front of it.

    To run Nmap on Kali Linux, run the following command:

    nmap -sV -Pn [examplewebserverurl]

Discovering network vulnerabilities with Nmap; Source: Astra Security

2) Exploitation

By now, you have an idea of the vulnerabilities present in your plugin. Next, you need to exploit them against a test installation of the plugin. This will show you how easily each vulnerability can be exploited and the level of damage it can cause.

There are tools available for this as well. For example, SQLmap, Burp Suite, etc.

  • SQLmap: SQLmap is a tool to exploit SQL injection vulnerabilities in the database layer. It is basically used to crack open the database by injecting malicious queries through the plugin’s input fields.

    To use this tool, run the following command from a terminal:

    sqlmap -u "example.com?scan=test" --dbs

Using SQLmap to exploit database vulnerabilities; Source: Astra Security
  • Burp Suite: Burp Suite comprises a range of pen-testing tools. The Burp Suite tools can be used in any stage of a plugin security audit. It caters to both security assessment and vulnerability exploitation. Tools included in Burp Suite are: HTTP Proxy, Scanner, Intruder, Spider, Repeater, Decoder, Comparer, Extender & Sequencer.

Using Burp Suite to perform a plugin security audit; Source: Astra Security
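Tools like SQLmap and Burp Suite confirm from the outside what is usually already visible in the source, which is step 3 of the audit list above ("Checking the source code"). As an added example, not from the original post or from Astra, here is a small stand-alone PHP script that flags the usual suspects in plugin source before any scanner is pointed at a test site: request data used without sanitization, variable data concatenated into $wpdb queries instead of going through $wpdb->prepare(), unescaped output, and AJAX/admin-post handlers registered without a nonce or capability check. The rule ids and the embedded sample plugin source are constructed for this example; it is regex-based triage only, so every hit still needs a human to read the surrounding code.

```php
<?php
// Added example, not from the original post or from Astra: regex-based triage
// of WordPress plugin source for the patterns behind common VAPT findings.
// Rule ids and the sample source below are constructed; PHP 7.4+ assumed.

function myplugin_audit_source( string $source ): array {
    $findings   = array();
    $lines      = preg_split( '/\R/', $source );
    $superglob  = '/\$_(GET|POST|REQUEST|COOKIE)\s*\[/';
    $sanitizers = '/\b(sanitize_\w+|absint|intval|wp_unslash|wp_kses\w*|esc_\w+)\s*\(/';

    foreach ( $lines as $i => $line ) {
        $n = $i + 1;

        // Request data read with no validation or sanitization on the same line.
        if ( preg_match( $superglob, $line ) && ! preg_match( $sanitizers, $line ) ) {
            $findings[] = array( 'line' => $n, 'id' => 'raw-input',
                'msg' => 'request data used without validation/sanitization' );
        }

        // Variable data built into a $wpdb query without $wpdb->prepare():
        // a superglobal, a string concatenation, or an interpolated variable
        // other than the standard {$wpdb->prefix}. Multi-line statements are
        // checked line by line, so keep prepare() on the same line as the call.
        if ( preg_match( '/\$wpdb->(query|get_results|get_var|get_row|get_col)\s*\(/', $line )
            && ! preg_match( '/\$wpdb->prepare\s*\(/', $line )
            && preg_match( '/\$_(GET|POST|REQUEST|COOKIE)|\s\.\s*\$|\{\$(?!wpdb->)/', $line ) ) {
            $findings[] = array( 'line' => $n, 'id' => 'sql-concat',
                'msg' => 'variable data in SQL without $wpdb->prepare()' );
        }

        // echo/print of a variable with no esc_*() or wp_kses*() on the line.
        if ( preg_match( '/\b(echo|print)\b[^;]*\$/', $line )
            && ! preg_match( '/\b(esc_\w+|wp_kses\w*)\s*\(/', $line ) ) {
            $findings[] = array( 'line' => $n, 'id' => 'unescaped-output',
                'msg' => 'variable echoed without escaping' );
        }
    }

    // File-level checks: a request handler is registered, so the file should
    // also contain a nonce check and a capability check somewhere.
    if ( preg_match( '/[\'"](wp_ajax_|admin_post_)/', $source ) ) {
        if ( ! preg_match( '/\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(/', $source ) ) {
            $findings[] = array( 'line' => 0, 'id' => 'no-nonce',
                'msg' => 'AJAX/admin-post handler registered but no nonce check found' );
        }
        if ( ! preg_match( '/\bcurrent_user_can\s*\(/', $source ) ) {
            $findings[] = array( 'line' => 0, 'id' => 'no-capability-check',
                'msg' => 'AJAX/admin-post handler registered but no current_user_can() found' );
        }
        if ( preg_match( '/[\'"]wp_ajax_nopriv_/', $source ) ) {
            $findings[] = array( 'line' => 0, 'id' => 'nopriv-handler',
                'msg' => 'handler is reachable by unauthenticated users; confirm this is intended' );
        }
    }
    return $findings;
}

// Constructed sample plugin source, used when no file path is given on the command line.
$sample = <<<'PLUGIN'
<?php
add_action( 'wp_ajax_nopriv_demo_delete', 'demo_delete' );
function demo_delete() {
    global $wpdb;
    $id = $_GET['id'];
    $wpdb->query( "DELETE FROM {$wpdb->prefix}demo WHERE id = " . $_GET['id'] );
    echo 'Deleted ' . $id;
    $safe = absint( $_GET['id'] );
    $wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->prefix}demo WHERE id = %d", $safe ) );
    echo esc_html( $safe );
}
PLUGIN;

$source = isset( $argv[1] ) ? file_get_contents( $argv[1] ) : $sample;
foreach ( myplugin_audit_source( $source ) as $f ) {
    printf( "%-20s line %-4s %s\n", $f['id'], $f['line'] ?: 'file', $f['msg'] );
}
```

Run it as `php plugin-audit.php path/to/plugin.php`; with no argument it scans the embedded sample and reports raw-input on lines 5 and 6, sql-concat on line 6, unescaped-output on line 7, and the three file-level findings (no-nonce, no-capability-check, nopriv-handler), while lines 8 to 10, which use absint(), $wpdb->prepare() and esc_html(), stay quiet. The hits are exactly the places a scanner such as SQLmap or Burp would later confirm against a test site, so fixing them before the exploitation step shortens it considerably.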

Now that you’re equipped with adequate information about vulnerabilities, you can easily resolve them individually. However, it really does seem like a lot of work.

Get Professional Support

The above process (as simply as I have tried to put it) can be tiring for many. Moreover, if you are not a security-savvy person, you cannot be completely sure you executed the plugin VAPT flawlessly. Therefore, we recommend that you get a professional VAPT for better results.

Astra’s security experts will thoroughly go through the plugin’s source code, configurations, permissions, and run over 1250 tests to spot vulnerabilities in the plugin or any software and help you resolve them.

Source: Astra

VAPT by Astra comes for a very reasonable price and various other features.

VAPT Pricing

Further, Astra’s VAPT process can be broken down to these five pointers:

Website VAPT Process

Conclusion

All it takes is one vulnerable plugin to ruin a website. Plugin exploits affect thousands of websites and businesses daily, several of which never recover from the aftereffects of a cyberattack and eventually shut down. Cyberattacks taint your business’s reputation and affect customers’ trust. Hence, to save yourself and your plugin from this adversity, it is necessary that you conduct a detailed plugin security audit or plugin security assessment. A plugin VAPT (Vulnerability Assessment and Penetration Testing) helps you identify and resolve security flaws in your plugin. It is better to get a professional like Astra to conduct security audits that suit your needs.

Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.