Study and Analysis of Web Content Security Through Content Management Systems

(1)

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 9, Issue 10, October 2019)

Study and Analysis of Web Content Security Through Content

Management Systems

Ajay Kumar Phulre1, Dr. Megha Kamble2

1,2_{Computer Science and Engineering, LNCT University, Bhopal, India}

Abstract—A Content management system is a software tool

that allows you to create, edit, and publish content. While early CMS software was used to manage documents and local computer files, most CMS systems are now designed exclusively to manage content on the Web. Content management system (CMS) typically has two major components. A content management application (CMA) is the front-end user interface that allows a user, even with limited expertise, to add, modify, and remove content from a website. A content delivery application (CDA) Responsible for publishes contents, compiles that information and updates the website. untrusted third-party JavaScript in web applications offers attackers an opportunity to compromise the integrity of web applications and subvert the behavior of web applications. The documents are generated in a standard format to allow support by all browsers. JavaScript is one form of client side script that permits dynamic elements on each page. The web browser is key it interprets and runs all scripts etc. Among all content management system WordPress is the most popular CMS and for this reason it is exposed to a constant attention from hackers. WordPress offers enhanced security for members a dedicated group will do an in-depth code review to seek out vulnerabilities.

Keywords—Content Management Systems, website

security, cyber security, vulnerabilities.

I. INTRODUCTION

Security threats are rapidly rising as well, allowing various malicious activities associated with known vulnerabilities in most commonly used CMS platforms. Market analysis shows that three major CMS platforms are dominating market today – WordPress, Joomla and Drupal. Analysis of CMS architecture and advanced CMS features from perspective of security trends and put them in appropriate context of current security trends in web development. Research will also identify and classify common CMS security vulnerabilities and current vulnerability trends.[1]

Content management systems are available as installable applications and web-based user interfaces. The goal of a CMS is to provide an intuitive user interface for building and modifying webpage content. Each CMS also provides a web publishing tool that allows one or more users to publish updates live on the Web.

From most popular content management system WordPress, Joomla and Drupal. wordpress is more powerful and provide better services . WordPress was first released in 2003. Its principle technology is PHP with an SQL database in the background. In recent years, like many other sites on the web, JavaScript has been becoming more important. This is especially obvious from projects like Calypso and the upcoming Gutenberg editor. Since its inception, and their strengths such as ease of use, support, ability to customize, performance, security, SEO WordPress has undeniably had the best run of all available content management systems.

II. COMMON WORDPRESS ATTACK AND HACKS

A. WordPress XSS Attack

At its heart a WordPress XSS attack is one where a bad actor is able to inject some code into your visitor’s experience without your knowledge or approval. [13] This is dangerous because JavaScript is an increasingly powerful and important part of websites and web apps. Because of how much data is available to an attacker who successfully makes an XSS attack, you want to be very careful you do everything you can to prevent it. The root cause of cross-site scripting vulnerabilities, like most such issues in programming, is trusting too much in the source of your data. From the perspective of a rational and kind person, it’s easy to just think that if you have a “Name” field, the only things you’ll get in that field resemble human names. But make that assumption at your own peril. From a security perspective you must be a little paranoid: assume that a human or bot will offer that their name is <script>alert('XSS');</script> and make sure that nothing bad happens in your application if they do. A random JavaScript window saying “XSS” is about the most innocuous version of this kind of attack.

B. The Kind of WordPress XSS Attacks

(2)

 Stored (Persisted) Cross-Site Scripting

A stored (or persisted) cross-site scripting attack is to my mind the worst kind. The reason it’s bad is that every time that a page is loaded on your site you have the real risk that the bad thing that the attacker did is served to every single visitor to your site. In a stored attack, your web server has happily accepted the data which includes a WordPress XSS attack, and then shows that attack code to everyone. An example of a stored XSS vulnerability: in the past, some CMS have made it possible for people to add JavaScript to comments on websites. When that is allowed, every visitor who is shown the comment that contains the JS will be a victim of the XSS attack.

 Reflected XSS also uses Your Server

The involvement of your server in the stored XSS attack is mirrored by that of a reflected cross-site scripting attack. Both of these involve your server, but a reflected attack is differentiated by not being stored there. Rather, a reflected XSS attack exists when your server doesn’t take the input from a user and adequately clean and safe it before it shows that input.

 DOM-based XSS Attacks

The last type of cross-site scripting attack is a DOM-based one. This is kind of the least relevant for most WordPress sites, as it does the least to involve a WordPress site. A DOM-based XSS attack will not go through your server, which is how it differs from both stored and reflected attacks. Practically speaking, DOM-based XSS attacks are only relevant when you’re writing JavaScript for WordPress sites. Because that’s not a common methodology (though it is increasingly so) we’ll spend a very small amount of time talking about it. I heartily recommend the OWASP article and prevention cheat-sheet for those interested in learning more about this topic.

C. Web Shell PHP Exploit

WordPress is by far the most popular CMS (Content Management System). This popularity is due in particular to the great personalization offered by themes and extensions. This customization is also a door open for backdoors .A web shell can be written in any language supported by the target web server. The most usually observed web shells are written in widely supported languages, such as PHP and ASP. Perl, Python, Ruby, and Unix shell scripts are also used. Using network discovery tools, an adversary can identify vulnerabilities that can be exploited and result in the installation of a web shell. For example, these vulnerabilities may exist in content management systems (CMS) or Web server software.

D. WordPress Arbitrary File Deletion Vulnerability

This wide adoption makes it an interesting target for cyber criminals. RIPS Team disclosed an Arbitrary File Deletion Flaw Present in WordPress Core at Jun. 26, 2018. Karim El Ouerghemmi from RipsTech disclosed a critical flaw in WordPress allowing any author, publisher or administrator to delete any file from an installation, in any folder, without any tools. In less than 1 minute, a site can be destroyed. The flaw is known to the security team of WordPress for about 7 months but still, no fix has been released, so Karim revealed it. Aattacker could delete the main file of a security extension so that it does not load anymore to then make more serious hacking actions. Because let’s say it, breaking a site can only be of interest for a hacker to steal the data.

E. Pharma Hack

WordPress Pharma Hacking is a kind of website spam hack that injects spam into WordPress pages and search engine results not visible to the normal user. The spam only shows up if the user agent is from Google’s crawler. Also, the infection is a bit tricky to remove and if not done properly will keep on regenerating. Basically, pharma hack is an exploit that takes advantage of vulnerabilities in WordPress. The attacker exploits vulnerable WP websites to distribute pharmaceutical content to search engines and the website visitors. These attacks most often target search engines like Google or Bing in an attempt to increase traffic to illegal pharmaceutical businesses.

F. Japanese Keywords Hack

Japanese keywords hack, also known as Japanese SEO Spam, Japanese Search Spam or the Japanese Symbol Spam can be devastating to see on your website. Certain websites complain of being affected by this type of search spam that results in the appearance of hacked pages with a different page title and content. The Google search results will display the infected pages with their content in Japanese characters. Content Management System (CMS) based websites like WordPress, OpenCart, Drupal or Magento, when hacked, result in the creation of new spammy pages with an autogenerated Japanese text. These infected pages contain affiliate links to stores that sell counterfeit brand merchandise. The hackers generate revenue from these outbound links inserted in your website page.

III. LITERATURE SURVEY

(3)

Core of the problem, according to researchers in [1], is that web security needs to address the research challenges in Javascript execution environment, safe inclusion of third party contents and regular audits of embedded contents in web applications. Those are also some of the core CMS related security issues.

However, increasing growth of malicious websites and systems for distributing malware through websites is urging adoption of effective techniques for timely detection of web security threats. So researchers in [2] propose a set of features extracted from the content and the structure of webpages, which could be used as indicators of web security threats. Many researchers covered topic of web application testing and prevention methods against different security flaws. Researchers also focused on various tool for testing security of CMS [3],[4],[5] and various corporate solutions for testing web applications for security vulnerabilities in general are continually being patented as well [6]. However, there is lack of latest CMS security research analysis. Researchers in [7] compared security of three most used CMS (WordPress, Drupal and Joomla) and another from same year (2013) [8] explored security issues. Responsible development of CMS with security in mind is topic of research for researchers in [9]. Quality of plugins and their effect on security of CMS is another popular topic of research [10],[11]. We can conclude that there is no recent research in area of CMS security that analyzes responses of various communities and organizations involved when vulnerability is discovered. This research also covers analysis of all other relevant major security factors with analysis of latest statistics that is of relevance to overall security of CMS [12].

 Web application vulnerabilities detection in Hacked WordPress website

Before you start the analysis and WordPress clean-up process, confirm that your WordPress website has actually been hacked and it is not a technical issue. Read the article How to check if My WordPress is Hacked to determine if your website or blog was hacked or not [21].Even if you have a WordPress backup solution in place, make a backup of the current WordPress website. Follow this guide to do a complete manual backup of WordPress[3] A WordPress backup is very important at this stage since:It allows you to analyse the infection at a later stage.Some hosting providers delete the website when it is hacked.If you do not have a backup strategy in place, at least you can salvage some of the website from this backup before things get wong.

 Audit Logs and Web Server and FTP Server Logs

If you keep a WordPress activity log (audit trail)[21]this might be the best place from where to start your analysis. See if you can identify any suspicious behavior. Look for events in the WordPress activity log of new created users, or user password changes, modified WordPress plugin file, modified widgets or themes and so on. You should also take a look at the web server and FTP server log files. See if you can spot something unusual, like traffic from an unusual IP address. If you have other network services running on your server, check their logs as well. fixes common WordPress Vulnerabilities detected in previous versions. In addition to this, it is also very important to do the same with the plugins we use, and also remove all those that we do not use.

IV. PROPOSED ANALYSIS FOR WEB CONTENT SECURITY

We find and Detect once that our site has been infected with some type of Malware and malicious code then main action that WordPress users should take is to always have their site updated with the latest stable version available, a new version usually fixes common wordPress sensitivity detected in previous versions. In addition to this, it is also very important to do the same with the plugins we use, and also remove all those that we do not use.

 Introduced searching and scanning Process for infected files.

Initial scanning process for malicious code we prefer with FTP program from Local host already installed offline Antivirus. With an FTP program, we can download the entire site so that each of the files that are part of the web is analyzed in search of malicious code. Generally antivirus is able to analyze the files while they are being downloaded, so once the download is completed we should only go to see the generated report to know which are those that have been designated as potentially dangerous.

 Detection of Malicious code Online Scanning Process

(4)

Within the online tools, we can also activate the Google Webmaster tool to consult its Security problems section where it will inform us about the type of threat we are suffering.

 wp-content folder Scanning Process

In wp-content folder searching for PHP files download folder does not contain any PHP files. So, delete all PHP files in a wp-content folder. Due to large size of wp-contant folder its not easy to find PHP files we should search, using (a)cPanel File Manager Type .php in a search bar and select the current directory. The file manager will display all PHP files. (b)With FileZilla File Filter for searching particular file type and delete bulk file Another way to discover PHP files in the download folder is to use Windows Search. Download the “uploads” folder on the PC and use the Windows Explorer search to list the PHP files. You must scan the download folder for possible malware. Typically, the download folder does not contain any PHP files. So, delete all PHP files in a wp-content folder After cleaning your wp-content folder and reinstalling the theme and plugins, also install a security plug-in named Anti-Malware and Brute-Force Security, then analyze your WordPress with this plugin. This plugin can detect many known threats and traps and correct them. It can also update your obsolete Tim thumb script.

 Web application vulnerabilities list by modification

First places will appear those who have suffered some type of change recently. Detection of potentially dangerous files is to access via FTP and sorts them by modification date. If you have SSH access to your server, check which files in your WordPress website have changed in the last four or five days, or since you noticed the hack. You can do so by navigating to the directory where your WordPress website is and using the find command: Find .mtime -5 –ls The above command lists (-ls) all the files which has the modified time (.mtime) in the last five days (-5). If the list is too long, use the less command to be able to browse through the list: Find .mtime -5 –ls | less One of the fastest ways to detect potentially dangerous files is to access via FTP and sort them by modification date. Thus, in the first places will appear those who have suffered some type of change recently. If we have not changed anything in them, it can be a symptom that inside there is some kind of code that is causing the problem. The problem with this system is that you should go through all the folders that are part of the site to locate each of the infected files, a job that could be very tedious if the code has been inserted in a large number of files. And Before any intervention, make a regular backup of your WordPress site.

You must save the following items: (a) Complete Backup database (b) Backup FTP account Your host may have a full backup system directly accessible via cPanel for example. Take the opportunity to get a complete ZIP of your site.

V. CONCLUSION

Web analyzing responses and actions of various parties involved in example of content management systems security vulnerability we managed to propose improvements that could lead to better and more organized management of security community responses in case of discovered vulnerabilities. we managed to propose improvements that could lead to better and more organized management of security actions of various parties involved in example of WordPress security vulnerability we managed to propose improvements that could lead to better and more organized management of security community responses in case of discovered vulnerabilities.

REFERENCES

[1] Patil, S., Hare Hunting in the Wild Web: A Study of Web Security Threats and Solutions. (IRJET) Volume: 03 Issue: 08 | Aug-2016. [2] Canfora, G. and C.A. Visaggio, A set of features to detect web

security threats. Journal of Computer Virology and Hacking Techniques, 2016. 12(4): p. 243-261.

[3] Costa Nunes, P.J., J. Fonseca, and M. Vieira. phpSAFE: A Security Analysis Tool for OOP Web Application Plugins. in Dependable Systems and Networks (DSN), 2015 45th Annual IEEE/IFIP International Conference on. 2015. IEEE.

[4] Jensen, T., et al., Thaps: automated vulnerability scanning of php applications, in Secure IT Systems. 2012, Springer. p. 31-46. [5] Sethi, S. and V. Singhal. ICTS2016-SS27-07: A Peek into Web

Applications Security. in Proceedings of the Second International Conference on Information and Communication Technology for Competitive Strategies. 2016. ACM

[6] Pistoia, M. and O. Tripp, Testing WEB Applications For Security Vulnerabilities With Metarequests. 2016, Google Patents.

[7] Patel, S.K., V.R. Rathod, and J.B. Prajapati. Comparative analysis of web security in open source content management system. in Intelligent Systems and Signal Processing (ISSP), 2013 International Conference on. 2013. IEEE.

[8] Onishi, A., Security and Performance, in Pro WordPress Theme Development. 2013, Springer. p. 297-332.

[9] Mansfield-Devine, S., Taking responsibility for security. Computer Fraud & Security, 2015. 2015(12): p. 15-18.

[10] Coelho Martins da Fonseca, J.C. and M.P. Amorim Vieira. A Practical Experience on the Impact of Plugins in Web Security. in Reliable Distributed Systems (SRDS), 2014 IEEE 33rd International Symposium on. 2014. IEEE.

(5)

[12] Jerković, H., P. Vranešić, and S. Dadić. Securing web content and services in open source content management systems. in Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2016 39th International Convention on. 2016. IEEE. [13] https://wpshout.com/wordpress-xss-attack/

[14] “Multi-layer Software Configuration: Empirical Study on Wordpress” Mohammed Sayagh, Bram Adams Polytechnique Montreal, Canada 2015.

[15] S. Zhang and M. D. Ernst, “Which configuration option should I change?” in Proceedings of the 36th International Conference on Software Engineering, ser. ICSE 2014. ACM, 2014, pp. 152–163. [16] https://www.url-encode-decode.com/base64-encode-decode/ [17] Žolt Namestovski*, Márta Takács* *, Branka Arsović* SISY 2012 •

Supporting Traditional Educational Process with E-Learning Tools IEEE 10th Jubilee International Symposium on Intelligent Systems and Informatics • September 20-22, 2012, Subotica, Serbia. [18] Dhaval R Gandhi; Nehal N Shah Published in: “Comparative

analysis for hardware circuit architecture of Wallace tree multiplier” 2013 International Conference on Intelligent Systems and Signal Processing (ISSP) Date Added to IEEE Xplore: 10 June 201.

[19] Cosmin A. Conţu ;Eduard C. Popovici ; Octavian Fratu ; Mădălina G. Berceanu “Security issues in most popular content management systems”2016 International Conference on Communications (COMM) INSPEC Accession Number: 16196383 DOI: 10.1109/ICComm.2016.7528327 Publisher: IEEE Conference Location: Bucharest, Romania 2016.

[20] Hrvoje Jerkovic, Branko Sinkovic, International Journal of Economics and Management Systems “Vulnerability analysis of most popular open source Content Management Systems with focus on WordPress and proposed integration of artificial intelligence cyber security features” http://www.iaras.org/iaras/journals/ijems 2017.

[21] https://www.wpwhitesecurity.com/how-to-tell-wordpress-blog-website-hacked/ ,https://www.wpwhitesecurity.com/online-

wordpress-backup-services-ultimate-wordpress-backup- solution/,https://www.wpwhitesecurity.com/wordpress-backup-blueprints-manual-backup/