CoMisSion – Whitebox CMS analysis

Context

At Intrinsec, source code auditing is one of our missions. Among different languages and technologies, CMS analysis is common.

When auditing a CMS, we have to answer the following questions:

  • Which version of the CMS core is used?
  • Are there any vulnerabilities affecting this version?
  • Has the core been altered?
  • Which plugins are used? In which version?
  • Are there any vulnerabilities affecting these plugins?
  • Have the plugins been altered?

Much of this information can be gathered easily from a CMS folder (WordPress and Drupal, at least). But it can be long, tedious, error-prone and you should probably never spend time doing what a well-trained monkey can do.

CoMisSion

CoMisSion is a tool to automate all this stuff. You give it a CMS type (WordPress and Drupal are currently supported), a source code directory, an output filename and you are ready to go.

Code, setup process, usage, and other details are available on Github.

The tool prints its results to stdout. You can see here an example of a WordPress core analysis. To gather CVEs, the tool uses the WPvulndb API.

Once the version is identified, the tool downloads a « clean » archive of this version and checks for any alteration. This way, we can quickly focus on the homemade development done by our client.

Then the tool analyzes each plugin the same way.

Up-to-date and unmodified plugins are thus eliminated from the manual analysis.

The tool can do this type of analysis only if the plugin is published on the official CMS website and follows its guidelines. However, if the plugin is not free or has been downloaded from another website, you have to find out its location and manually perform the analysis.

Report

The tool generates a report as an XLSX file, with four tabs :

  • The core
  • Alterations to the core
  • The plugins list and analyses
  • Alterations to plugins

In the report, the tool consolidates the gathered information.

Below you can see an example of the first tab. Using wpvulndb, the tool gathers some details on CVEs  such as the type (XSS, RCE, etc.) or in which version the vulnerability is fixed.

And below is the plugins analysis tab.

This report is a starting point of our audit. We can then go further and perform in-depth analysis of the alterations made to the core and the plugins.

Feel free to try it and report any issue on Github.