# Project 7 - WordPress Pentesting
Time spent: **5** hours in total
> Objective: Find, analyze, recreate, and document **five vulnerabilities** affecting an old version of WordPress
## Pentesting Report
1. (Required) CVE-2015-5622: Authenticated Stored Cross-Site Scripting (XSS)
  - [ ] Summary:
    - Vulnerability types: XSS
    - Tested in version: 4.1
    - Fixed in version: 4.2.3
  - [ ] GIF Walkthrough: https://giphy.com/gifs/4ZvIgOxbXfXjxcgdsT/html5
  - [ ] Steps to recreate: https://github.com/sllopis/Project-7-Codepath
  - [ ] Affected source code:
    - [Link 1](https://core.trac.wordpress.org/changeset/33359)
2. (Required) CVE-2015-5714: Authenticated Shortcode Tags Cross-Site Scripting (XSS)
  - [ ] Summary:
    - Vulnerability types: XSS
    - Tested in version: 4.0
    - Fixed in version: 4.3.1
  - [ ] GIF Walkthrough: https://giphy.com/gifs/dSdVQVRnclcOQVdmak/html5
  - [ ] Steps to recreate: https://github.com/sllopis/Project-7-Codepath
  - [ ] Affected source code:
    - [Link 1](https://github.com/WordPress/WordPress/commit/f72b21af23da6b6d54208e5c1d65ececdaa109c8)
3. (Required) CVE-2017-6817: Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
  - [ ] Summary:
    - Vulnerability types: XSS
    - Tested in version: 4.0
    - Fixed in version: 4.7.3
  - [ ] GIF Walkthrough: https://giphy.com/gifs/58Fqq9UYZj8FTrvqB4/html5
  - [ ] Steps to recreate: https://github.com/sllopis/Project-7-Codepath
  - [ ] Affected source code:
    - [Link 1](https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8)
## Assets
## Resources
- [WordPress Source Browser](https://core.trac.wordpress.org/browser/)
- [WordPress Developer Reference](https://developer.wordpress.org/reference/)
GIFs created with [LiceCap](http://www.cockos.com/licecap/).
## Notes
My most significant challenge was to set up Kali and WordPress using the VM Box. I was not granted permission whenever I would run "vagrant up", until I realized that I had to run it as an administrator using "sudo vagrant up". After that, everything ran smoothly.
## License
Copyright [2018] [Sergio]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.