Content Management Systems and MD5: Investigating Alternative Methods of Version Identification for Open Source Projects
2017 (English)Independent thesis Advanced level (professional degree), 20 credits / 30 HE credits
Student thesis
Abstract [en]
WordPress is a very widely used content management system that enables users to easier create websites. The popularity of WordPress has made it a prime target for attacks by hackers since a potential vulnerability would affect many targets. Vulnerabilities that can be utilised in an attack are referred to as exploits. Most exploits are only viable for a subset of all the version of the software that they target. The knowledge of which version of a content managements system a website is running is often not explicit or easy to determine. Attackers can potentially exploit a vulnerable website faster if the version is known, since this allows them to search for existing vulnerabilities and exploits, instead of trying to identify a new vulnerability.
The purpose of this thesis is to investigate existing and alternate methods for detecting the version of WordPress on websites that are powered by it. The scope is limited to an analysis of existing tools and the suggested methods for version identification are limited to identification using unique values that are calculated from the contents of files. The suggested methods for version identification and the generation of the required data is implemented using Python 3, the programming language. We investigate the feasibility of version obfuscation, how discernible a version of WordPress is, and how to compare versions of WordPress.
The thesis has proven the feasibility of version identification with a new perspective that delivers more accurate results than previous methods. Version obfuscation has also been proven to be very feasible without affecting the usability of the WordPress website. Furthermore, a method for discerning between two specific versions of WordPress is presented. All the results are in theory applicable to other software projects that are hosted and developed in the same way. This new area of research has much for security professionals and has room for future improvement.
Place, publisher, year, edition, pages
2017.
Keywords [en]
Content Management Systems, Version Identification, Obfuscation
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
URN: urn:nbn:se:bth-14821OAI: oai:DiVA.org:bth-14821DiVA, id: diva2:1118689
External cooperation
Outpost24 AB
Subject / course
Degree Project in Master of Science in Engineering 30.0
Educational program
DVACD Master of Science in Computer Security
Presentation
2017-05-31, C341, Valhallavägen 1, Karlskrona, 08:00 (English)
Supervisors
Examiners
2017-07-032017-07-012022-05-12Bibliographically approved