Maciek Palmowski: [00:00:00] In WordPress there is always a lot of discussion about security. For example, during every WordCamp, you can hear thousands of discussions about why my website got hacked, which plugins should I use to make my website secure, or which hosting should I use so my website won't be hacked anymore? The thing that always puzzles me is why most of those questions are aimed at developers.
Maciek Palmowski: 'cause for some reason they are seen as people who should know the answers about security. And that's quite a mistake because there are people who know about security a bit more. Those are security researchers, mostly known as hackers. And to make sure that today we will have a proper perspective on security,
Maciek Palmowski: I decided to invite Mat Rollings, also [00:01:00] known as Stealthcopter. And yeah, I hope that Mat will share a bit of his hacker perspective on security. Hi Mat. Great to have you here. Could you tell a bit about yourself first?
Mat Rollings: Yeah, sure. So thanks for having me on. I'm Mat or Stealthcopter as I'm more commonly known. I've been a developer for over a decade now. It might be even close to 15 years. So I spent a lot of time as a developer and then I never really understood that people could do security or hacking as a job.
Mat Rollings: And when I found that out as a developer, I started shifting more into that, the cybersecurity space. So I spent a few years doing application security, so helping developers secure their applications, write more secure code, get better defense in depth. Really enjoyed that for a few years. Went to work in FinTech for a bit, which wasn't really for me.
Mat Rollings: So I decided to take a bit of a step back and focus on what I enjoy doing, which is hacking stuff and teaching people. So I've [00:02:00] transitioned into full-time bug bounty now. So I spend all my time searching for bugs, getting paid for it, teaching other people how to do the same.
Mat Rollings: And some of the volunteering, like teaching kids to code and stuff, just stuff that I really enjoy doing.
Maciek Palmowski: That's true. I do see that you are helping a lot, for example, on our Discord channel. Everyone, if they have a problem, I'm sure that you will pop up out of the blue and try to help them.
Mat Rollings: Yeah, definitely. 'cause that's something I missed from having like my full-time job. Like I really enjoyed having a team of like more junior people that you could mentor and build up and help them develop their career. So that's the main thing from having a proper job I would miss.
Mat Rollings: So I've replaced that by mentoring people in the community.
Maciek Palmowski: Which is a really great thing. So let's start with I think a very important question 'cause if we look at stereotypes, every hacker should be wearing a hoodie. And here you are [00:03:00] not in a dark room, but in a very light room with some plants in the background wearing your Hawaiian T-shirt.
Maciek Palmowski: Is this even legal for a hacker?
Mat Rollings: I've got plenty of hoodies, but I, yeah, I'm not really a grungy golfie person anymore. I think I did used to be more in my teens, but I just love wearing Hawaiian shirts now. I think I've got to that age where I've got that. I've not got kids, but I've got that dad energy going.
Maciek Palmowski: Okay. But now let's go with the more serious things. We know that WordPress is famous for the amount of vulnerabilities we can find in the whole ecosystem. If I remember correctly, in 2023 altogether there were around 6,000 valid reports. So tell me, how do you find those?
Maciek Palmowski: How do you find which plugins might have a vulnerability?
Mat Rollings: Yeah, so it's a good question, [00:04:00] and I think there's a very normal way people try and get into it, where they'll pick a plugin and then try and find vulnerabilities in it, and that's a totally valid way of doing it. But it's gonna be a very slow way of doing it if you're looking at one plugin, searching for all the possible vulnerabilities.
Mat Rollings: If you keep doing this, you're gonna spend a lot of time until you probably stumble across a vulnerability. So what I like to do, and I know quite a lot of the other security researchers in the space do, is download the code for all the plugins that are in scope and then use static code analysis to look through all of the code you've got and start looking.
Mat Rollings: So looking for vulnerable code or looking for sources or sinks. So sources are where we're taking user input in. And sinks are these potentially dangerous functions where you want to get your unsanitized or unvalidated user input [00:05:00] into these functions, which might be able to do something that perhaps the developer wasn't expecting you to do or you shouldn't be able to do for your current user level.
Mat Rollings: So I've got a website, wpctf.org, and I've made a list of a lot of the common sources and sinks in WordPress and PHP. And you can filter these. If you go through all of these that I've written down, you should pretty much be able to find all of the vulnerabilities that I've reported so far.
Maciek Palmowski: Okay. You found a vulnerability. What's next? What does the whole workflow look like? Because I understand that you have to create a proof of concept and everything.
Mat Rollings: Yeah. From doing your static code analysis, you'll probably come up with a list of targets you want to look at. And so static code analysis is great, but that's only very like the first step of getting you a target that you then need to try and exploit. So the next step is having a WordPress instance available.
Mat Rollings: Like I use a Docker instance. Some [00:06:00] people use a VPS or a VM, and that's when you need to start figuring out how you can go from: you've got this target, so you install the target plugin or theme, and then you need to figure out how you can get to that bit of code by triggering something through the front end.
Mat Rollings: So I've actually made a WordPress hacking plugin that kind of helps do this next step because we've done the static code analysis and now it's probably more onto the dynamic analysis where you need to be installing and testing stuff. So I've got a WordPress hacking plugin that can really help speed along this.
Mat Rollings: My go-to is always using this to get the next few steps and make my exploitation easier. Like it's got a few gadgets and it can show you all the links to all the functions and stuff. I just pushed out an update the other day, so it's got loads more features, and if anyone needs anything cool or new added in, just pop a feature request on the GitHub and we'll see if we can write something.
Mat Rollings: But from that then I'll figure out how we can get to the vulnerable bit of code. [00:07:00] I use Xdebug, which is a PHP debugger, which is super useful for figuring out how to follow the logic flow in code. So you can pause execution by setting breakpoints. You can follow where you're going in the program.
Mat Rollings: You can see what variables are what. And you can even modify the variables if you want, so you can really figure out how to get down the logic flow to get to the part where you want to try and get your user input into that sink. So it's really like, if people don't use it, start using it.
Mat Rollings: 'cause it speeds you up by like a hundred times trying to get your input to the sink. So that's really good. You'll quickly be able to tell if it is vulnerable 'cause you'll be able to see your variable going through the logic flow, and you'll be able to see if it gets sanitized or what.
Mat Rollings: And then once you manage to get your little bit of exploit working, that's when I tend to write most of mine as a Python script, because it makes it super easy on the triager's side: they [00:08:00] can just run the Python script and go, yep, you've got a vulnerability. I know some people prefer to write really long instructions, maybe add a video, but I think that probably slows down triage quite a lot, 'cause you have to like scrub through the video, find out what they're doing, why isn't something they've not mentioned working.
Mat Rollings: So yeah, a Python script just makes it super easy. So I don't tend to have any vulnerability reports kicked back unless I've done something really stupid. So that's a good tip for getting stuff resolved quickly and without any kickback. So yeah, and then also writing the report.
Mat Rollings: That can be, because I've spent quite a few years in application security, I understand how to explain the vulnerabilities to developers and non-developers. So I always start with, I think a lot of people say BLUF, so bottom line up front. So say what the impact is, say what the vulnerability is in the first sentence.
Mat Rollings: And then go on into more detail. So they should always understand [00:09:00] what the vulnerability is from the first sentence, and that helps get your report triaged under the right category so you're getting the right amount of points or bounty for it. So yeah, I tend to split my report up into sections, have the summary so they can just understand it.
Mat Rollings: Have a section on what is the actual cause, so which bit of code is causing the vulnerability, and then steps to reproduce it. So really easy to follow steps. Just so that anyone following it could just repeat what you're doing, which is super useful.
Maciek Palmowski: Okay, so we already have the part where you found the vulnerability. You wrote the report. So the last step before getting your money from the bounty is to report it somewhere. And what are your criteria on picking which bug bounty program to use?
Mat Rollings: Yeah, so it mainly comes down to maths. So we have a lot of traditional bug bounty programs. You don't have [00:10:00] a choice of where to submit, so you just submit it to one place, trying to make it as impactful as possible. And then going in with the WordPress bug bounty is a bit different, 'cause there's two and a half,
Mat Rollings: depending on how you count it, bug bounty programs. You've got Patchstack, Wordfence, and then you've got a private, invite-only one from WPScan, which is run by Automattic. It's not very popular, I don't think a lot of people submit vulnerabilities to it at the moment. And their restrictions are quite high.
Mat Rollings: So it's over 50,000 installs and has to be unauthenticated or subscriber level with stored XSS or higher. So for most people it'll mainly come down to submitting to Patchstack or Wordfence. And there's a lot of like little bonuses and stuff in play that can make it quite tricky to figure out where to submit to.
Mat Rollings: So there's some vulnerabilities that will only be valid in one bug bounty program, like Patchstack, which goes all the way down to 50 plus installs. Which is really cool 'cause, especially for people starting off, it means there's such a large amount of like [00:11:00] plugins in scope. And if you look at those plugins with the 50 plus installs, there's new plugins getting up to 50 installs all the time.
Mat Rollings: So you're constantly having that increased scope on plugins that haven't really had anyone look at them. So definitely the best for beginners there. Wordfence, I think their minimum is 1000. But I think for people who are new, the minimum is actually 50,000. So that makes it quite a difficult one for people starting off to actually submit to.
Mat Rollings: 'cause you need to submit a certain number before you can actually get accepted to submit vulnerabilities from a lower install count. So you can check their website. Wordfence have a nice calculator you can use to see what the approximate bounty range will be. And Patchstack have a table you can use to figure out how many points you're gonna get. So Wordfence tend to pay out a fixed bounty per bug you submit. Whereas Patchstack pay out via a leaderboard. So if you're in the top 20, you get a payout [00:12:00] each month. But then they've also got the zero day bonuses, which is what makes it more complicated. So if you find a subscriber or unauthenticated vulnerability that leads to a total compromise of the WordPress instance, you'll get a payout, which is pretty good.
Maciek Palmowski: And there is also this leveling system just to make things a bit more complicated because it was too easy until that point.
Mat Rollings: Yeah, so if you like that kind of gamified aspect, there's a lot of maths and stuff you can be doing there, yeah. I think Patchstack has really nailed the gamification of it.
Maciek Palmowski: And tell me, do you prefer to report to those managed bug bounty programs? Or maybe do you prefer reporting directly to developers or companies?
Mat Rollings: Yeah, so I would generally like never report directly to a company or developer. Almost all the time you do this, you're gonna be ignored, 'cause you're coming from like a nobody email [00:13:00] address. You'll probably go straight to spam, or they'll get ignored as they'll think you're a scammer or a spammer.
Mat Rollings: Sometimes it does lead to quite a negative reaction, like they might think, oh, you're a hacker, or you're just trying to ruin the reputation of my company. I've had one CEO reach out to me on Twitter after reporting a vulnerability to Patchstack and start having a go at me for it, which was funny 'cause they just didn't understand the vulnerability or the impact of it at all.
Mat Rollings: There are companies that are an exception to that. Like some of them are really good and have a really positive reaction, like I've had some that are like, thank you, and here's an API key you can use to test our application in the future. But yeah, you're very unlikely to get any kind of monetary reward or any kind of acknowledgement from directly interacting with the companies.
Mat Rollings: So I'd always recommend if you can, to go for a program.
Maciek Palmowski: And this is the thing that you mentioned about [00:14:00] that, yeah, some developers can even turn a bit hostile towards you. What do you wish that agencies or organizations would better understand about security? About what those security researchers are doing, and yeah, how can we make it better so they will understand that the moment that someone reports a vulnerability, it's not because you want to ruin them, it's because you are helping them?
Mat Rollings: Yeah, definitely. It's quite a difficult thing, and I saw this a lot when I was doing application security, that you'd go in to talk to teams about like security vulnerabilities you've found or things they could be doing better, and you'd have some of them take it very personally, and like, we're not coming in to try and blame people.
Mat Rollings: You can't expect developers to have the same level of knowledge on security as a security expert. [00:15:00] So like we're coming in when we report vulnerabilities. We're trying to help whoever we're reporting the vulnerabilities to, so we're definitely not the enemy. We're trying to help, and it's a hell of a lot better to have a security researcher come in and explain the vulnerability to you than it is for a hacker to come and exploit that vulnerability where there might be monetary or reputational loss to you or the company.
Mat Rollings: So yeah, definitely better us than cyber criminals using it.
Maciek Palmowski: Yeah, this is also something that at many conferences I try to tell others, that there is no shame in having a vulnerability in your code. But on the other hand it might be a huge shame in how you handle this vulnerability.
Mat Rollings: Yeah, definitely.
Maciek Palmowski: other hand, we saw a lot of examples from quite a lot of companies how they could transition a vulnerability into, let's use this word, a PR success.
Maciek Palmowski: The [00:16:00] way how they handled it, the way how they fixed it and the way how they communicated it, because it's all around this. But let's go back a bit to those bounty programs, because you also have a lot of experience outside of WordPress, and how would you compare those bounty programs that are in the WordPress ecosystem versus the rest? Are there things that maybe WordPress is doing better, and what are the things we should learn from others?
Mat Rollings: Yeah, so that's a good question. So I never really intended to become like a WordPress security expert or anything. But I'd been trying to get into bug bounty for a while, and it's quite a difficult thing to start off if you're a beginner, 'cause you start looking at all these programs, and traditionally with bug bounty programs, they come at quite a late stage in a company's security posture.
Mat Rollings: So if you look at all the people paying like hundreds of thousands of dollars to be on a HackerOne program or a similar bug bounty program, [00:17:00] that's after they've done a lot of internal pen testing, security reviews. They've had a lot of eyes on the code. So they've got rid of all the low hanging fruit and they're looking for more serious, more creative vulnerabilities.
Mat Rollings: So that's not to say there isn't easy stuff out there, because they're always adding code. There's always gonna be mistakes, but it's much later on in the security cycle of a company. Whereas if we look at the WordPress bug bounty ecosystem, it's completely different, because it's security companies like Patchstack and Wordfence that are paying for the vulnerability and not the companies themselves.
Mat Rollings: It means that a lot of the companies that this is actually protecting are quite early on in their security posture. I imagine 99% of the companies that have WordPress plugins in scope for the programs wouldn't be able to run a bug bounty program on their own. Like they just wouldn't have the money or the capability or the staff to do it.
Mat Rollings: So they're seeing like real [00:18:00] value from like these companies coming in and providing this as a service to them, which I think is probably quite undervalued as well, because they're getting this for free effectively. So this is effectively a marketing tool for the security companies, right? So if they can convert just like one or 2% of the companies they report these vulnerabilities to, then they're probably gonna make a return on the investment.
Mat Rollings: So it's very good for all the other kind of companies that are benefiting from this free security, and that's massively benefiting the whole WordPress ecosystem as a whole. Yeah, it's really cool.
Maciek Palmowski: Yeah, so in short, WordPress has it all upside down compared to the rest, where there are just a few companies that kind of protect most of the ecosystem, while in other places it's more of everyone on their own and,
Mat Rollings: Yeah, exactly. And this is one of the things that makes it really good for people who are starting off as security researchers or people who are wanting to get into bug bounty hunting. [00:19:00] So it's what I've done. I've found like 500 plus vulnerabilities in WordPress plugins now, and I've been using this to build up my skill level and confidence to go into other bug bounty programs and start finding stuff.
Mat Rollings: And I've started having a lot of success doing that. But I've run a workshop a few times at local BSides events trying to teach others how to use WordPress bug bounty as like a way to break into bug bounty as a whole. So I think it's really valuable for people starting off and trying to develop those skills as a bug bounty researcher.
Maciek Palmowski: And now let's talk a bit about your achievements. What vulnerability are you the most proud of?
Mat Rollings: Yeah, so I found a lot of weird and wonderful stuff. The first vulnerability I actually reported was a really complicated one. And I just couldn't look away from the code. This was over Christmas, so it [00:20:00] actually became like a little Christmas hobby for me. And it took like over a week to develop and figure out how to exploit this.
Mat Rollings: And I think if all WordPress vulnerabilities were this difficult, I wouldn't have even carried on hunting them. But this one just had so many peculiar things. Like, it reminded me a little bit of malware in the way that it used quite obfuscated ways of writing code. Everything was in a nested global array.
Mat Rollings: So really long lines of code that you can't really understand until you've got so deep into it. But it was just one of those things where it had, one of the things we talk about in application security is like a code smell, where you can see that something is slightly wrong and it indicates that there might be a bigger problem there.
Mat Rollings: So you see these code smells and you're like, I'm gonna dig a bit further into this. So I kept digging into this, and you start seeing things that you can access that maybe you shouldn't be able to [00:21:00] access. Like with WordPress, it's Ajax hooks that you can interact with as an authenticated user. And this one had an interesting way of preventing access to certain hooks.
Mat Rollings: Like it would register them all, and if any of them began with the letter, I think it was l or something, you could access it unauthenticated, which is a really strange way of doing it, and it's very easy to mess up if you do something like that. 'cause you accidentally add a function beginning with Val that you'd forgotten began with Val, and you'd forgotten that you'd done this rule.
Mat Rollings: Suddenly an unauthenticated user would get access. I don't remember it off the top of my head exactly, but there was a function you could access as an unauthenticated user that would allow you to generate and test nonces. And for some reason, this developer decided to implement their own nonce system rather than using the built-in WordPress one.
Mat Rollings: And it turned out that there was also some weirdness in the way that they'd implemented that, which meant I could check almost 1000 nonces at a time. So that massively reduced the [00:22:00] number of requests, but also the nonces were time-based, so that I could then just brute force by guessing the server time. So there were lots of these little steps to get to the next step.
Mat Rollings: So I'd got a few of these. And then the final step was getting remote code execution. And this was a really fun one, because it was an anti-malware plugin that was designed to remove any kind of malware that it would find on the WordPress instance. So it would periodically download these new regex rules for malware.
Mat Rollings: And it would search code like on the server, and if it found any instances of this code, it would delete it. But from these previous vulnerabilities, I was able to update these regex rules, which meant that I could take the plugin's own code and delete certain parts of it so that I was left with a bit of vulnerable code that I could use.
Mat Rollings: So one of the rules was looking for [00:23:00] eval, so I could delete all the stuff other than eval, and then I could find a bit of user input, which was much further down. So delete everything in between. So eval with the user input, close the bracket, a few more things to make sure it was syntactically correct.
Mat Rollings: And then that meant that the plugin would delete its own code, leave behind a vulnerable function that would then eval, which meant I could get remote code execution on the box. So yeah, that took quite a lot, and I think it took quite a lot to triage it as well, because I think Dave did a really good job.
Mat Rollings: We had quite a bit of back and forth, but he did eventually get it working between two AWS instances, where you could brute force it in, I think it only turned out to be a few seconds or minutes to do it, which was very cool.
Maciek Palmowski: But this also, first of all, is a very interesting way to spend Christmas. That's true. But this also adds one interesting thing about picking a bounty program, because apart from [00:24:00] the money aspect, which is important because, let's be honest, it's your job, so you want to earn as much, also the aspect of a proper triage and some support from the company is probably also important, because I can imagine that some researchers wouldn't be able to handle the case that you just told about. So I can imagine that this is also a very important thing.
Maciek Palmowski: And while I understand this was the finding that you are the most proud of, what is the weirdest, stupidest or whatever, so on the other end of your findings?
Mat Rollings: So I think we had, we all had quite a few good ones. Back in October or something, I think it might have been earlier. But Patchstack ran an event where, that's when you started doing, I think the event was zero installs, right? As the minimum. Was it 50? I can't
Maciek Palmowski: Or then we started with the very low, I think it was 50, [00:25:00] because this was the moment when we learned how much
Mat Rollings: Yeah. But this was the first time when 50 plus installs was available for any bug bounty, which meant that like the flood gates had opened. None of the security researchers had even downloaded all the, I'm sure some people have, but I hadn't downloaded any plugins with that few installs.
Mat Rollings: And it took a long time to actually do that. I don't have the best internet connection, so that probably helps. I think it took me around 16 days to get all of the plugins downloaded, 'cause you had to actually figure out first which ones had 50 plus installs. So that took a long time.
Mat Rollings: And that was a really fun, but it occupied like all of my life for that time. So I was a bit burnt out at the end of it. But it's really good. Using the static code analysis, I was just popping so many RCEs, arbitrary file uploads, privilege escalations. It would be like every other plugin you'd look at would've been vulnerable.[00:26:00]
Mat Rollings: And I can't remember how many plugins we got kicked off the WordPress.org repo, but it was a lot.
Maciek Palmowski: I know it was around 1000.
Mat Rollings: A thousand. Yeah. That's crazy. But yeah, I think probably everyone who was hunting that month found a few interesting things. My favorite one was, I found three different instances of this where you could just send a GET request or a POST request and put question mark ID equals one.
Mat Rollings: And that would instantly log you in as admin. And that was just crazy. Like it didn't take much skill. You just find the code, you're like, that can't be real. You put it in the browser and you're like, oh, yep, I'm admin. That must have been the easiest report to triage.
Maciek Palmowski: I can imagine that the first time when you saw it, it was like, no, it just can't be that easy.
Mat Rollings: Yeah, it is crazy seeing it once, but then seeing it three times. It just goes to show how [00:27:00] like few eyes have been on these plugins. So it's really cool having that event that we actually got to secure and remove a load of those plugins.
Maciek Palmowski: Yeah, in the end, because I remember, because I was checking the stats, we removed around 2% of all plugins from the repository. Which is great, because we really made it much more secure. And tell me, because while you are finding vulnerabilities in WordPress, are you a WordPress user?
Mat Rollings: No, I'm not. So I used to be, a long time ago. And my WordPress instance got hacked, but it never did anything actually noticeable. So I just found out it'd been hacked like years later when I saw like the back door from doing a scan. But it was just like a personal blog, so it didn't really matter.
Mat Rollings: I've gone the complete other way from using CMSs now, so I tend to use static site generators like Hugo, just 'cause, I don't wanna [00:28:00] say they're a hundred percent secure, but it's gonna be very difficult to hack something with just static HTML. So I've gone that way. But if you look at how many people still are using WordPress, it's just crazy.
Mat Rollings: I don't think many people realize like just how many active installs of WordPress there are. So it's surprising that like the bug bounty space is still quite new. So yeah, a lot of exciting things to still find.
Maciek Palmowski: And based on your perspective and what you are doing, what tip would you give to any WordPress user to make their website more secure? Apart from converting it to static, which is a very good way to do it.
Mat Rollings: It is good, but it's not really, you can't really recommend that to someone who isn't like technically skilled. You can't really be expecting them to go and commit all of their changes when they wanna [00:29:00] do a blog post and stuff. So it makes sense why WordPress is so popular, because it's so easy to use.
Mat Rollings: So the biggest tips you can really have as a user is to just keep your plugins and WordPress version up to date. And if you install a WordPress security plugin that does virtual patching, then that will massively secure you against most vulnerabilities. So you'd only probably be vulnerable if you did have a plugin that had a known vulnerability, and you'd probably only be vulnerable for a day or two.
Mat Rollings: So that will massively reduce your chance of being hacked. It's also worth having like a plan for if you did get hacked. Do you have a backup? Can you restore from that? That's always really valuable, and the one that I think everyone's probably learnt their lesson on at least once. If you've accidentally deleted or formatted your hard drive by accident, it is a trial by fire. So you learn how to do this after messing yourself up a few times.
Maciek Palmowski: True. True. [00:30:00] What can I tell? This was also the moment when I started doing backups, after making a small mistake on production, it happens. And do you see a huge difference in the way how plugins that are created by those bigger companies compare with those created by, let's call it indie developers, especially in terms of security?
Mat Rollings: Yeah, so I think it can really vary, because as a security researcher, I try not to have in my mind this kind of divide between an indie developed WordPress plugin and like a big company that's developed this plugin. Because a lot of times the bigger plugins, they'll still have been written by an indie developer.
Mat Rollings: They've just been bought out by a big company at some point. So I think as a security researcher, it's important not to have that kind of bias in your head when you're looking for vulnerabilities. And this is true of like when you're going with other bug bounty programs. I think it's [00:31:00] important not to think in a negative way where you're thinking, ah, this is a big company.
Mat Rollings: There'll be no vulnerabilities here. Someone else has found all these vulnerabilities. 'cause there's still lots of really silly or basic vulnerabilities in massive companies and applications that some security researcher has come up to and gone, I wonder if this works, or just trying something you wouldn't expect.
Mat Rollings: So there's a lot of those bugs that can just be hiding there that you don't think to try because they're too obvious or too silly. So yeah, I try and avoid that bias when I go looking into a plugin, and that's where like doing static code analysis across the whole code base can help, because you don't care if the vulnerability is in an independent or a massive tech company.
Mat Rollings: So where I would probably more see the divide is by the install count, which means the higher the installs, the more bug bounty hunters have probably looked over the code. So you [00:32:00] are less likely to find stuff, but again, you don't want to introduce that bias where you're thinking you're not gonna find something, which will mean you'll end up fulfilling that prophecy and not finding anything.
Mat Rollings: And sometimes I think even having a big company would be a disadvantage, because with the indie developed ones, you've probably got quite a passionate developer working on the product. So they really care about what they're doing. And maybe it could be their sole source of income, so it could be something they really care about keeping secure.
Mat Rollings: So they're more likely to spend that time and love on the functionality to make sure it is good. Whereas if you're an employee in a big company, you might be more junior and just working nine to five, trying to get a paycheck, and you don't have that passion. And you might be rushed to complete several things and you might not necessarily know about all the security procedures that you need to be aware of.
Mat Rollings: So yeah I think I personally wouldn't draw a line anywhere.
Maciek Palmowski: Okay. [00:33:00] Yeah. And that's, as you said, the part about there being a lot of buying out of those smaller plugins by big companies, that it's all already so mixed up. So we often don't even remember anymore that some of those plugins were developed by a single developer for many years.
Maciek Palmowski: And now it just changed. And now let's talk a bit about WordPress core, because we all know that everyone loves to say that WordPress is insecure, which isn't true, because WordPress core, per se, is quite secure. I would say that together with the huge market share and the amount of researchers constantly trying to find something there, because, yeah, the bounties would be really nice, we can easily say that it's quite secure. But does WordPress core have some flaws inside of it that automatically affect the whole [00:34:00] ecosystem, like plugins or themes?
Mat Rollings: Yeah, so I, I think there's a lot of kind of interesting design choices for WordPress. I think because it's existed for such a long time it means that kind of, the code has grown over time and you see a lot of stuff that's a remnant of its history. There's a lot of stuff in there that isn't really used, but is still in there for some reason.
Mat Rollings: And I think there's, I dunno if scaredness is the right word, but there's definitely a hesitance to implement changes, especially changes that might have impact for backwards compatibility. 'cause the popularity of WordPress really relies on the plugins, right? Because without the plugins, like, WordPress is a very basic CMS, so the plugins is where it gets its real advantage from. Yeah, there's some weird stuff. There's some weird functions. One of the things that I find weird is that a [00:35:00] user's first and last name can contain any characters as long as it's not an angle bracket. So I wrote an automation that searched for themes that could be exploited by setting a user's display name to something with quotes in. And if you get a quote character inside an HTML attribute, you can escape that attribute and get cross site scripting. So I wrote an automation that just went through, installed every theme one by one, tested a user's display name, and checked if it popped up in the alert box on a page.
Mat Rollings: So I think I got like about 50 themes just using that automation. So that was quite an easy one. Yeah, and there's other stuff that I think they do in WordPress core that kind of confuses developers a little bit. Like with the use of nonces, which a nonce is supposed to be a number used once, but in WordPress you can use it as much as you want within a 12 hour window.[00:36:00]
Mat Rollings: So they're used as CSRF, so cross site request forgery, tokens that might be used in other apps. And they should never really be used for authentication. And WordPress have this in the docs, but if you look at a WordPress plugin, like a lot of the times you'll find that it is used exactly for authentication.
Mat Rollings: And this on its own isn't a vulnerability. It's very easy to mess this up and cause a vulnerability by accident. 'cause if you accidentally leak that nonce somewhere and that nonce is the only way of doing your authentication for the function you've got, then you can get an exploit there. So it is quite a difficult one, 'cause WordPress has these, like, security things built in, but it really relies heavily on the developer understanding how to use these.
Mat Rollings: And there's quite a lot of intricacies with how you should be using them, how you shouldn't be using them. That means there's a lot of pressure on the developers to get this right and know how to do it, which, like, [00:37:00] I don't think that's really fair, especially when you're relying on these developers so heavily to bolster your ecosystem and the amount of plugins and code they're writing.
Mat Rollings: So yeah, it's just tricky for developers. Like, the security should be built into WordPress itself, like with the framework. I dunno how they would do this. In some languages you have like nice annotations on functions that can just mean you can really easily see @Authenticated, this function should only be for authenticated users.
Mat Rollings: Then you could put the role for that in brackets or something, and then you'd know exactly what role was for each function. And that's the kind of thing you could start having in an automated scanner. So you could go, this function is unauthenticated. Did you mean it to be? Which I think with code scanners at the moment it's quite difficult, because they can't have that contextual understanding of what the code is supposed to be doing.
Mat Rollings: It's very hard for a static code analyzer or even an AI to be able to know if a function should be [00:38:00] accessible and, if it is accessible, by what user level it should be accessible. So yeah. It's really hard. And it's something that AI will probably get better at, but that's the part where the security researchers can really understand the best by knowing what should and shouldn't be accessible by each user.
Maciek Palmowski: And you mentioned and guessed my next question. Let's talk about AI. Do you think that AI will start taking over security researchers' jobs?
Mat Rollings: Yeah, I mean there's always that kind of question or that risk of people losing their jobs to AI. And I definitely don't think like in the short term or the medium term that we necessarily will. There's a lot of stuff where AI is gonna be used in conjunction with security researchers, and I think, like, this is true of every industry where [00:39:00] AI has the danger of replacing you, it's where you wanna become AI assisted.
Mat Rollings: So as a researcher or a programmer, if you can learn how to adopt AI in a way into your processes, into like how you write or read code, that can set you apart and really be like a force multiplier for you. So I use AI quite a lot.
Mat Rollings: There's a lot of stuff it can do and there's a lot of stuff it's less good at as well. 'cause when we talk about AI, we're predominantly talking about LLMs at the moment, which, if you want to look at an LLM for doing code review, it's probably gonna be quite good at a basic level, but because it doesn't have any kind of contextual understanding of stuff, it's really gonna mess you up.
Mat Rollings: If you start giving it a lot of code and going, where's the security vulnerability? It's probably gonna go off and start finding stuff that isn't there. Start talking about stuff that you don't [00:40:00] care about, like best practices. So it's very likely to miss stuff. So I wouldn't use it for doing any kind of security review, but if there's any kind of, if I wanna write some scripts to help me find more vulnerabilities quicker, then that's where AI will really help.
Mat Rollings: And it's really good at accelerating boring tasks. So anything like you find boring, it probably means you're doing something really repetitive. And that's where AI and computers, they should be doing the boring, repetitive jobs for us. 'cause we wanna keep the fun jobs to ourselves, right?
Mat Rollings: There's no point getting the AI to do all the fun stuff. 'cause then you'll just become the boring part of the process. So yeah. I find it's really good at helping me write reports. So I tend to write my reports as a template and then use these templates, fill in the gaps, and then submit.
Mat Rollings: But it's really good if you can't figure out the wording or something in a summary. You can say, what's the best way [00:41:00] to write this? Here's my, you can just give it a Python proof of concept, HTTP request or whatever, and say, help me write a report. Here's the kind of structure I want, and it'll do a really good job.
Mat Rollings: And then you can iterate if it's not quite right: make the summary shorter, or I don't need two paragraphs explaining this vulnerability. But it's really good at that kind of, I've always called it like stakeholder talk, like where you need to explain what's going on in a really basic yet impactful way.
Mat Rollings: So yeah, adopting AI into your processes can really help you.
Maciek Palmowski: Yeah, I agree here, because even from my own experience, right now I do use AI, especially when I look at a new code base, to, for example, explain this function, what is happening here? This was always the part that took a lot of time, especially when we started a new project. And with you as a security researcher, you are constantly switching context.
Maciek Palmowski: So that's a very difficult part, which, for example, for me would be very hard. [00:42:00] 'cause I always prefer to stay in one code base and continue working in
Mat Rollings: Yeah. And one of the other things I like is that, say you've got a load of documentation or code, you can attach that to an LLM, upload it to an AI, and there are ones where you can upload the document and you can either set it up as a podcast, so you'll have people explaining what the documentation is, or you can interactively ask questions.
Mat Rollings: And I've seen there's some companies popping up where they'll take all your security documents and then you can interactively talk with them so you can understand what it actually means for you. It's a really, I think that's a really powerful way. As long as they're not having hallucinations and stuff that doesn't exist, that's gonna be a really powerful way to quickly get information out of stuff that might take you a bit longer to do manually.
Maciek Palmowski: It's really great to hear from you that you don't think, especially in the short and mid-term, that it'll take jobs, but, [00:43:00] on the other hand, it can be a really great tool in every researcher's tool belt that will just speed up the process, remove the boring part. Because I can imagine that, in the October example, when everyone was reporting like crazy, even writing the reports took quite a lot of time compared to the rest of the process.
Mat Rollings: And just submitting the reports took a lot of time as well. Like filling all the boxes in the forms.
Maciek Palmowski: Oh yeah. Yeah. So an agent would be a really good thing. So next time, right? Next time, we will try it.
Mat Rollings: Yeah. It's one of those things where you always weigh up, like, how long it's gonna take to do this manually versus should I write a bit of JavaScript that fills these in all for me? So I've come very close to doing that a few times, but just haven't yet.
Maciek Palmowski: Yeah, I'm always a poor judge when it comes to when I should automate something and when not. Okay. So Mat, I think we covered quite a lot. We learned how [00:44:00] finding vulnerabilities looks from your perspective, how the process looks. Also you shared quite a lot of interesting findings about WordPress core and its code, and of course about bug bounties, because it's also something very important. And I do hope that some companies that will listen to our talk decide after this that, yeah, maybe we should invest a bit more into our security approach in general, because they can just benefit from it.
Maciek Palmowski: So that said, thank you so much for spending this time with me and sharing all your knowledge. And have a great day.
Mat Rollings: Yeah. Thank you very much.
Maciek Palmowski: See ya. Bye.