
40 Vulnerabilities in 40 Day Ebook

The document introduces a 40 day vulnerability awareness campaign hosted on the Hadess website. It will showcase one vulnerability per day along with details on detection and remediation. Common vulnerabilities to be covered include zero-day vulnerabilities, cross-site request forgery (CSRF), and HTTP header injection. The document provides examples of vulnerable code and methods to prevent CSRF and HTTP header injection vulnerabilities when developing WordPress plugins.

HADESS WWW.HADESS.IO
TABLE OF CONTENTS
Zero-Day Vulnerability 1
Vulnerabilities 2
Plugins 3

Introduction
We are excited to announce the launch of our 40 Vulnerabilities in 40 Days Campaign! Our goal is to raise awareness about the importance of proactive vulnerability management and to encourage everyone to take action to secure their systems.

Starting from March 1st, we will be showcasing one vulnerability every day for 40 days, along with details on how to detect and remediate it. Our team of experts will be available to provide insights and best practices, so you can learn from real-world scenarios and understand the impact of these vulnerabilities.

We believe that knowledge is power, and by educating ourselves and others, we can help make the world a safer place. Join us and become a part of the 40 Vulnerabilities in 40 Days Campaign today!


SECTION 1

Zero-Day

A zero-day vulnerability is a security weakness in software or hardware that is unknown to the party responsible for patching or otherwise protecting the system. This vulnerability can be exploited by attackers to conduct malicious activities such as unauthorized access to sensitive data, spreading malware, or disrupting normal operations.

Zero-day vulnerabilities are particularly dangerous because they can be used by attackers before the vendor has had a chance to release a patch or a fix for the issue. Attackers can take advantage of these vulnerabilities to launch targeted attacks, which can have serious consequences, such as data theft, financial loss, or reputational damage.


SECTION 1

Vulnerabilities List

CVE-2022-45834 CSRF
CVE-2022-4367 CSRF
CVE-2022-4011 CSRF
CVE-2022-3941 CSRF
CVE-2022-4412 CSRF
CVE-2022-4411 CSRF
CVE-2022-4406 CSRF
CVE-2022-4405 CSRF
CVE-2022-4404 CSRF
CVE-2022-4528 CSRF
CVE-2022-4529 CSRF
CVE-2022-4530 CSRF
CVE-2022-4531 CSRF
CVE-2022-4532 CSRF
CVE-2022-4533 CSRF
CVE-2022-4534 CSRF
CVE-2022-4535 CSRF
CVE-2022-4536 CSRF
CVE-2022-4537 CSRF
CVE-2022-4538 CSRF
CVE-2022-4539 CSRF
CVE-2022-4540 CSRF
CVE-2022-4541 CSRF
CVE-2022-4550 CSRF
CVE-2022-46847 HTTP Header Injection
CVE-2022-4423 HTTP Header Injection
CVE-2022-4424 HTTP Header Injection
CVE-2022-4425 HTTP Header Injection
CVE-2022-4443 HTTP Header Injection
CVE-2022-47171 HTTP Header Injection
CVE-2022-47163 HTTP Header Injection
CVE-2022-47162 HTTP Header Injection
CVE-2022-47159 HTTP Header Injection
CVE-2022-47155 HTTP Header Injection
CVE-2022-47154 HTTP Header Injection
CVE-2022-47152 HTTP Header Injection
CVE-2022-47147 HTTP Header Injection
CVE-2022-47138 HTTP Header Injection
CVE-2022-47141 HTTP Header Injection
CVE-2022-47143 HTTP Header Injection
CVE-2022-47139 HTTP Header Injection
CVE-2022-47135 HTTP Header Injection
CVE-2022-47448 HTTP Header Injection
CVE-2022-47447 HTTP Header Injection
CVE-2022-47440 HTTP Header Injection
CVE-2022-47446 HTTP Header Injection
CVE-2022-47443 HTTP Header Injection
CVE-2022-47422 HTTP Header Injection
CVE-2022-4549 HTTP Header Injection
CVE-2022-4548 HTTP Header Injection
CVE-2022-47427 HTTP Header Injection

Plugins Type
[Chart: share of checked plugins by type: Import/Export 42.3%, CMS 23.1%, User Management 15.4%, Book 9.6%, Calendars 9.6%; the chart legend also carries the labels HTTP Header Injection and CSRF]

CSRF Vulnerability
Example request:

Vulnerable Code:


The code shown is used in WordPress to save the contents of a CSV file to the WordPress database. After the WordPress form has been filled in with the required information, the code connects to the database and writes the CSV records to the chosen table. It also reads a special "update_db" value: if that option is checked, the existing data is updated from the CSV file instead of new records being created. If no records have been updated, a success message is displayed; if the database connection fails, an error message is displayed instead. This is the CSRF exposure: the handler performs the import for any request that arrives with the expected fields, with nothing that proves the request came from a form the logged-in user actually submitted.
CSRF Protection Parameter

One useful method to prevent CSRF vulnerabilities when developing WordPress plugins is to use unique tokens: the plugin code adds a token to the form that is unique to that form, and checks it again when the form is submitted. For example, you can use the form author token.


For example, in the code below, the form author token is added to the form as a variable containing a random value:

In the code below, the form author token is checked after the form is submitted; if the token is not correct, the form is treated as invalid:

You can also use tokens that change, such as a time token. For example, you can add a time token like this:

In the following code, the time token is checked after the form is submitted, and if the token is older than one minute the form is treated as invalid:
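The random form token and the one-minute time token described above, combined into one runnable PHP sketch. This is an added example, not the ebook's own code; the $store array stands in for the PHP session, and the 60-second limit follows the text's one-minute rule.

```php
<?php
// Added example (not from the ebook): a per-form random token plus an issue
// timestamp, stored server-side and checked on submission. $store stands in
// for $_SESSION so the script runs from the command line.

const TOKEN_MAX_AGE = 60; // seconds: the text's one-minute limit

function issue_form_token(array &$store): string {
    $token = bin2hex(random_bytes(32));      // unpredictable per-form value
    $store['form_token']      = $token;
    $store['form_token_time'] = time();      // the time token: when it was issued
    return $token;
}

function verify_form_token(array &$store, ?string $submitted, int $now): bool {
    $expected = $store['form_token'] ?? null;
    $issued   = $store['form_token_time'] ?? null;
    if ($expected === null || $issued === null || $submitted === null) {
        return false;                        // nothing issued, or nothing submitted
    }
    // hash_equals() compares in constant time and avoids PHP's loose ==
    // comparison, which treats numeric-looking strings as numbers.
    if (!hash_equals($expected, $submitted)) {
        return false;                        // wrong form author token
    }
    if ($now - $issued > TOKEN_MAX_AGE) {
        return false;                        // time token older than one minute
    }
    // Single use: consume the token so a captured value cannot be replayed.
    unset($store['form_token'], $store['form_token_time']);
    return true;
}

// Rendering the form: the token travels in a hidden field, HTML-escaped.
$session = [];
$token   = issue_form_token($session);
$hidden  = '<input type="hidden" name="form_token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
echo $hidden, PHP_EOL;

// Handling submissions (constructed stand-ins for $_POST['form_token']):
$fresh  = verify_form_token($session, $token, time());          // the real form, in time
$replay = verify_form_token($session, $token, time());          // same token again: consumed
$token2 = issue_form_token($session);
$stale  = verify_form_token($session, $token2, time() + 120);   // submitted two minutes later
$forged = verify_form_token($session, str_repeat('a', 64), time()); // guessed value

var_dump($fresh, $replay, $stale, $forged);
```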


You can also use WordPress framework features, such as the wp_verify_nonce function, to prevent CSRF. Using wp_verify_nonce in the WordPress framework is a useful and advanced method to prevent CSRF attacks.
The wp_verify_nonce function uses a random token that is generated on each new request; after the form is submitted, the token is compared with the token submitted in the form.
To use wp_verify_nonce in the development of WordPress plugins, you can use the following code:
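The CSV-import handler from the vulnerable-code discussion, rewritten around WordPress nonces. This is an added example, not the ebook's code; it runs as plugin code inside WordPress, the hadess_demo_* names, the action string and the table name are assumptions, and wp_nonce_field()/check_admin_referer() are the standard wrappers around wp_create_nonce()/wp_verify_nonce().

```php
<?php
/*
 * Added example (not from the ebook): CSV import protected by a WordPress
 * nonce. Runs inside WordPress as plugin code; hadess_demo_* names, the
 * action string and the table name are assumptions for illustration.
 */

// 1. Rendering the form: wp_nonce_field() emits a hidden _wpnonce field whose
//    value is bound to the action name, the current user and a validity
//    window, so a token lifted from another user or site fails verification.
function hadess_demo_render_form(): void {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="hadess_demo_csv_import">
        <?php wp_nonce_field('hadess_demo_csv_import', '_wpnonce'); ?>
        <textarea name="csv_data"></textarea>
        <label><input type="checkbox" name="update_db" value="1"> Update existing rows</label>
        <?php submit_button('Import'); ?>
    </form>
    <?php
}

// 2. Handling the submission: verify the nonce before touching the database.
function hadess_demo_handle_import(): void {
    // check_admin_referer() runs wp_verify_nonce() on $_REQUEST['_wpnonce']
    // and stops with a 403 when the token is missing, forged or expired.
    check_admin_referer('hadess_demo_csv_import', '_wpnonce');

    // A nonce proves intent, not permission: any logged-in user can obtain a
    // valid nonce for their own session, so authorization is a separate check.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to import data.', 'hadess-demo'), '', ['response' => 403]);
    }

    global $wpdb;
    $table     = $wpdb->prefix . 'hadess_demo_records';   // assumed table
    $update_db = !empty($_POST['update_db']);             // the page's "update_db" switch
    $csv       = wp_unslash($_POST['csv_data'] ?? '');

    foreach (array_filter(array_map('trim', explode("\n", $csv))) as $line) {
        [$key, $value] = array_pad(str_getcsv($line), 2, '');
        $row = ['record_key' => sanitize_key($key), 'record_value' => sanitize_text_field($value)];
        if ($update_db) {
            $wpdb->update($table, $row, ['record_key' => $row['record_key']]); // update, not insert
        } else {
            $wpdb->insert($table, $row);
        }
    }
    wp_safe_redirect(add_query_arg('imported', '1', wp_get_referer() ?: admin_url()));
    exit;
}
add_action('admin_post_hadess_demo_csv_import', 'hadess_demo_handle_import');
```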

HTTP Header Injection


The code shown attempts to obtain the IP address of the user requesting the page by reading several server-side variables in turn. It is intended for users who sit behind a proxy or proxy server: normally the user's IP address is visible directly, but in some cases it is hidden behind a proxy. The code reads the user's IP address from HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR, HTTP_X_FORWARDED, HTTP_FORWARDED_FOR and HTTP_FORWARDED. If none of these variables is available, the IP address is treated as invalid and the function returns an empty value.
The filter_var function is also used to check that the extracted IP address is well formed; if it is not valid, the function returns empty. The weakness is that every one of these variables is filled from a request header the client chose to send, so filter_var only confirms that the value looks like an IP address, not that it is the requester's real one.
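The client-IP lookup described above beside a hardened version that only trusts forwarding headers set by a known proxy. This is an added example, not the ebook's code; TRUSTED_PROXIES and the addresses in the constructed $_SERVER arrays are assumptions.

```php
<?php
// Added example (not from the ebook): naive vs. hardened client-IP lookup.
// The $server arrays are constructed stand-ins for $_SERVER.

const TRUSTED_PROXIES = ['10.0.0.5'];   // assumed address of our own reverse proxy

// As the text describes: walk the forwarding headers and return the first
// value that passes filter_var(). Every one of these headers is client-supplied.
function naive_client_ip(array $server): string {
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED',
              'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            $ip = trim(explode(',', $server[$key])[0]);
            if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
                return $ip;
            }
        }
    }
    return '';
}

// Hardened: REMOTE_ADDR comes from the TCP connection and cannot be set by a
// header. Only when it belongs to one of our proxies do we read
// X-Forwarded-For, and then the LAST hop (appended by our proxy), not the
// first, which the client may have written. Private and reserved ranges are
// rejected so a forged internal address cannot satisfy an IP allow-list.
function trusted_client_ip(array $server): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '';
    }
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote;                       // direct connection: headers ignored
    }
    $hops      = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $candidate = end($hops);
    if ($candidate === false || $candidate === '') {
        return $remote;                       // proxy added nothing usable
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($candidate, FILTER_VALIDATE_IP, $flags) !== false ? $candidate : '';
}

// Constructed requests. Direct client that forges X-Forwarded-For:
$direct   = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
// Client behind our proxy that tried to prepend a loopback hop; the proxy
// appended the address it actually saw:
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.9'];

foreach (['direct' => $direct, 'viaProxy' => $viaProxy] as $name => $req) {
    // The naive function returns the forged header value in both cases; the
    // hardened one returns REMOTE_ADDR for the direct client and the proxy's
    // observation for the proxied one.
    printf("%-9s naive=%-12s trusted=%s\n", $name, naive_client_ip($req), trusted_client_ip($req));
}
```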

HTTP Header Injection Methods


A useful way to avoid HTTP header injection vulnerabilities in WordPress plugin development is to use the wp_remote_get and wp_remote_post functions. These functions use the cURL library, and by default the HTTP headers are also filtered in everything that is sent.
To use wp_remote_get and wp_remote_post in the development of WordPress plugins, you can use the following code:

You can also use the wp_http_validate_url function to filter invalid entries.
The function checks whether the submitted URL is valid or not. If the URL is invalid, wp_http_validate_url returns false, and your code should not go on to make the request.
To use wp_http_validate_url in the development of WordPress plugins, you can use the following code:


You can also use the esc_url_raw function to control which URLs your plugin accesses. This function filters the submitted URL and returns an empty string if the URL is invalid.
To use esc_url_raw in the development of WordPress plugins, you can use the following code:
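The three helpers above (esc_url_raw, wp_http_validate_url and the wp_remote_* request) chained in one plugin function, as an added example that is not the ebook's code. hadess_demo_fetch() and the Accept-Language header are assumptions; wp_safe_remote_get() is WordPress's variant of wp_remote_get() with reject_unsafe_urls forced on.

```php
<?php
/*
 * Added example (not from the ebook): fetching a user-supplied URL from
 * plugin code. Runs inside WordPress; hadess_demo_fetch() is hypothetical.
 */
function hadess_demo_fetch(string $raw_url, string $raw_lang) {
    // 1. esc_url_raw(): normalises the URL for use in code (no HTML escaping)
    //    and returns '' when the scheme is not in the allowed list or the
    //    syntax is unacceptable.
    $url = esc_url_raw(wp_unslash($raw_url), ['http', 'https']);
    if ($url === '') {
        return new WP_Error('bad_url', 'URL rejected by esc_url_raw()');
    }

    // 2. wp_http_validate_url(): returns false for malformed URLs, embedded
    //    credentials (user:pass@host), non-HTTP(S) schemes and hosts that
    //    resolve to private or reserved addresses, so a user-supplied URL
    //    cannot point the plugin at internal services.
    if (wp_http_validate_url($url) === false) {
        return new WP_Error('unsafe_url', 'URL rejected by wp_http_validate_url()');
    }

    // 3. Header values must stay on one line: a CR or LF carried in from user
    //    input is exactly what lets extra headers be injected into a request.
    if (preg_match('/[\r\n]/', $raw_lang) || strlen($raw_lang) > 64) {
        return new WP_Error('bad_header', 'Header value rejected');
    }

    // wp_safe_remote_get() is wp_remote_get() with reject_unsafe_urls set, so
    // the HTTP layer runs wp_http_validate_url() again itself. Headers are
    // passed as an array, never concatenated into a raw request string.
    $response = wp_safe_remote_get($url, [
        'timeout'     => 5,
        'redirection' => 2,
        'headers'     => ['Accept-Language' => sanitize_text_field($raw_lang)],
    ]);
    if (is_wp_error($response)) {
        return $response;
    }
    return [
        'status' => wp_remote_retrieve_response_code($response),
        'body'   => wp_remote_retrieve_body($response),
    ];
}
```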

Cross-Site Request Forgery (CSRF) is a type of security vulnerability that occurs when a malicious website is able to trick a user's browser into sending a request to another website, without the user's knowledge or consent. This can be used to steal sensitive information or to perform unauthorized actions on behalf of the user.

1. Synchronizer token pattern: This involves adding a unique token to each form or request that is generated by the
server and passed to the client. The client must then include this token in all subsequent requests to the server, which
the server can then use to verify that the request was initiated by the user.
2. Same-Site Cookies: This is a flag that can be set on a cookie, which tells the browser to only send the cookie on
requests to the same domain that set the cookie. This makes it more difficult for a malicious website to perform a
CSRF attack, as it won't have access to the necessary cookies.
3. Referrer header check: This involves checking the value of the referrer header in each request to ensure that it was
sent from the same domain. This helps to prevent CSRF attacks that use methods such as image tags or JavaScript to
send requests.
4. CAPTCHA: A CAPTCHA can be used to require the user to prove that they are a human before performing a sensitive
action. This makes it more difficult for a malicious website to perform a CSRF attack, as it won't be able to complete
the CAPTCHA.
5. Use of Anti-CSRF libraries: Anti-CSRF libraries, such as the OWASP CSRFGuard, provide an easy-to-use solution for
protecting against CSRF attacks by automatically generating and validating tokens for each request.
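Items 2 and 3 of the list above, a SameSite session cookie and an Origin/Referer check, in plain PHP. This is an added example, not from the ebook; the host name and the constructed $_SERVER arrays are assumptions.

```php
<?php
// Added example (not from the ebook): SameSite cookie (item 2) and an
// Origin/Referer check (item 3). EXPECTED_HOST and the request arrays are
// constructed for illustration.

const EXPECTED_HOST = 'plugin.example';

// Item 2: a session cookie the browser will not attach to cross-site POSTs.
// 'Lax' still allows top-level navigations (links), which is what most
// WordPress admin flows need; 'Strict' would also block those.
function start_samesite_session(): void {
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'domain' => '',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Item 3: for state-changing requests, compare the Origin header (or Referer
// when Origin is absent) with our own host. Scripts in a page cannot set
// either header, so a cross-site request reveals the foreign host.
function request_is_same_origin(array $server, string $expected_host): bool {
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return false;   // fail closed: a missing header is not proof of origin
    }
    // parse_url() yields no host for the literal Origin value "null", so it
    // is rejected as well.
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expected_host) === 0;
}

// Constructed requests:
$requests = [
    'same origin'      => ['HTTP_ORIGIN'  => 'https://plugin.example'],
    'cross site'       => ['HTTP_ORIGIN'  => 'https://evil.example'],
    'referer only'     => ['HTTP_REFERER' => 'https://plugin.example/wp-admin/admin.php?page=import'],
    'look-alike host'  => ['HTTP_REFERER' => 'https://plugin.example.attacker.test/'],
    'headers stripped' => [],
];
foreach ($requests as $label => $req) {
    printf("%-17s %s\n", $label, request_is_same_origin($req, EXPECTED_HOST) ? 'allow' : 'reject');
}
```

Because a Referrer-Policy or privacy extension can strip the Referer, the fail-closed check also rejects some legitimate users, which is why the token from item 1 remains the primary control and this check is a second layer.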


HTTP header injection is a type of security vulnerability that occurs when an attacker is able to inject malicious content into HTTP headers. This can be used to manipulate the behavior of web applications or to steal sensitive information.

To prevent HTTP header injection, it's important to follow these best practices:

1. Input validation: Ensure that all user-supplied data is properly validated and sanitized to prevent malicious data from being included in HTTP headers.
2. Use secure encoding and decoding functions: Use secure encoding and decoding functions, such as HTML entities and URL encoding, to ensure that special characters are properly handled.
3. Limit header size: Limit the size of HTTP headers to prevent excessive data from being included in the headers.
4. Use a web application firewall (WAF): A WAF can provide protection against HTTP header injection by detecting and blocking malicious requests.
5. Keep software up to date: Ensure that all software, including web applications and the underlying operating system, is kept up to date to address known vulnerabilities.
6. Regularly perform security testing: Regularly perform security testing, including penetration testing, to identify and remediate vulnerabilities in your systems.


Vulnerabilities Type
The type of vulnerability detected in plugins by the number of plugins installed
[Chart: share of plugins (0% to 75%) against installation count (100 to 1,000,000); series: HTTP Header Injection, CSRF]

Identified vulnerabilities were investigated separately by the amount of installation and test cases related to CSRF and HTTP Header Injection vulnerabilities. Also, the above chart is divided based on the frequency of vulnerabilities detected in about 1000 checked plugins.


Plugin Type
A vulnerability has been found for each type of plugin
[Chart: number of vulnerabilities (0 to 25) per plugin type: User Management, Import/Export, Calendars, Book, CMS]

Checked plugins are divided based on the type of functionality and application of the plugin, as well as the amount of installation and the amount of vulnerabilities detected in each package.

[Chart: Installation Count, share of vulnerable plugins (0% to 80%) by installation bucket: <1000, >=1000, >=10000, 100000, 1000000]

PLUGINS WITH MORE THAN 1000 INSTALLATIONS HAVE MORE THAN 10 VULNERABILITIES OUT OF MORE THAN 40 VULNERABILITIES.

[Chart: CSRF vulnerability 2%, Other 98%]
OUT OF 100 PLUGINS WITH MORE THAN 1000 INSTALLS, TWO ARE VULNERABLE.

[Chart: CSRF 1%, Other 99%]
Impact: any restriction on their side could be removed per vulnerability.

[Chart: CSRF 5%, Other 95%]
HTTP Header Injection: out of 100 plugins, a plugin with more than 10000 installations was found in the plugin list to be vulnerable to HTTP header injection.

Patch Time
More than 80% of vulnerabilities are not patched after they are reported
[Chart: Patch vs. Unpatch, 0% to 80%]


Manually/Automatically
Vulnerabilities are found using which method
[Chart: Automatically 80%, share (0% to 40%) by installation count 100 to 1,000,000]
[Chart: Manually 20%, share (0% to 50%) by installation count 100 to 1,000,000]

Root-Cause

No  Problem                            Vulnerability
1   WordPress CSRF Protection Misuse   CSRF
2   Lack of Input Validation           CSRF
3   HTTP Header White-list             HTTP Header Injection

About Hadess
Savior of your Business to combat cyber threats
Hadess performs offensive cybersecurity services through infrastructures and software
that include vulnerability analysis, scenario attack planning, and implementation of
custom integrated preventive projects. We organized our activities around the
prevention of corporate, industrial, and laboratory cyber threats.

Contact Us

To request additional information about Hadess’s services, please fill out the form
below. A Hadess representative will contact you shortly.

Website:

www.hadess.io

Email:

Marketing@hadess.io

Phone No.

+989362181112

Company No.

982128427515

hadess_security
Hadess
Products and Services
SAST | Audit Your Products
Identifying and helping to address hidden weaknesses in
your Applications.

RASP | Protect Applications and APIs Anywhere


Identifying and helping to address hidden weaknesses in
your organization’s security.

Penetration Testing | PROTECTION PRO


Fully assess your organization’s threat detection and response
capabilities with a simulated cyber-attack.

Red Teaming Operation | PROTECTION PRO


Fully assess your organization’s threat detection and response
capabilities with a simulated cyber-attack.

ThirdEye | Attack Surface Intelligence


Find your company leakage and monitor attack vector.

Penetration Testing

Module-Based
Penetration testing typically involves a combination of several different testing methods and techniques, which can be grouped into different modules. The specific modules used in a penetration test will depend on the goals and scope of the test, as well as the systems and services being evaluated.

Target-Based
Penetration testing is a simulated cyber attack performed on a computer system, network, or web application to evaluate its security posture. The target of a penetration test can vary based on the specific needs and goals of the organization.

Priority-Based
The priority of a vulnerability during
a penetration test is determined by
the potential impact of the
vulnerability, if exploited, and the
likelihood of it being exploited.
Vulnerabilities that pose a high risk
to the target systems and services
are given a higher priority, while
those with a lower risk are given a
lower priority.

Red Team Operation

OSINT
OSINT (Open-Source Intelligence) is a valuable tool for red teams, as it provides them with
the ability to gather information about a target in a non-intrusive manner. Red teams use
OSINT to gather information about the target's infrastructure, personnel, systems, and
operations. This information can be used to identify potential weaknesses and
vulnerabilities that can be exploited during a penetration test or simulated attack.

Hardening
Red team hardening is a technique used by red teams to evaluate an organization's security
posture by simulating attacks and attempting to exploit vulnerabilities. The goal of red team
hardening is to identify and remediate security weaknesses in an organization's systems,
processes, and people, so that they are better prepared to defend against real-world attacks.

Goal-Based
The goal of a red team exercise is to simulate an attack on an organization's systems,
processes, and people to identify security weaknesses and vulnerabilities. Red teams use a
variety of techniques, including penetration testing, social engineering, and physical
security assessments, to test the effectiveness of an organization's defenses and to identify
areas where they can be improved.

Asset-Based
Red team asset-based testing involves simulating an attack on a specific asset or group of
assets within an organization. The goal of this type of red team exercise is to identify
vulnerabilities in the targeted assets and to evaluate the effectiveness of the organization's
defenses in protecting those assets.

SAST

SAST (Static Application Security Testing) is a type of security testing that involves analyzing
the source code of an application, without actually executing the code, to identify potential
security vulnerabilities. SAST is performed early in the software development lifecycle, before
the application is deployed, and is typically integrated into the development process as part of
a DevSecOps approach.


ASM

Attack surface management (ASM) is a security practice that involves reducing the attack
surface of an organization's systems and services, making them less vulnerable to cyber
attacks. The attack surface refers to the total number of potential entry points for an
attacker, including network interfaces, applications, services, and other elements of an
organization's technology infrastructure.


Secure Coding

Secure coding is a software development practice that involves writing code that is free from
vulnerabilities and that follows best practices for security. The goal of secure coding is to
prevent security issues and vulnerabilities from being introduced into an application during the
development process.

