What is ...?

RIPS Technologies

RIPS Technologies is a high-tech company based in Bochum, Germany. We produce RIPS, a security solution for businesses that you can use to scan your PHP applications for highly complex vulnerabilities. The findings are then broken down into easy-to-understand reports, along with simple patch recommendations. RIPS is unique because of its dedication to the PHP language. Most scanners support many programming languages and don't focus on the specific details of the language used in the application. RIPS takes all the little details of the PHP language into account when scanning your software and thus can find highly complex vulnerabilities that would otherwise be missed.

Our Goal

Our goal at RIPS Technologies is to make the web a safer place. With our own PHP security scanner, RIPS, we are constantly analyzing popular open source projects to find, report, and fix critical vulnerabilities. In our blog we create write-ups for the most interesting problems that we encounter.

This is a time-consuming process, since most popular web applications are large and complex. It is aggravated by the fact that we have to provide a working proof-of-concept exploit for every vulnerability that we find to demonstrate the seriousness of the problem. We are dedicated to our goal, but for various reasons we are not able to give every open source vendor access to RIPS. There is a high risk of abuse: for example, malicious actors could use the results to identify weaknesses in other people's code that they plan to exploit for their own advantage. In some cases we form partnerships with open source projects and provide the vendors with RIPS results to help them find and resolve security problems in their code on their own, but currently this is limited to a few selected projects. To solve this problem we created CodeRisk.

RIPS CodeRisk

CodeRisk helps developers and users to assess the security risk of code. The results of RIPS are combined into an easy-to-understand risk value from 0 to 100 that can be accessed through this application. The value takes into account the severity of successful exploitation, the quantity of found issues in relation to the code size, and the likelihood that an issue can be abused by a third party. Dangerous code can be a vulnerability, but it can also be a feature that is included on purpose (for example, a file browser). Please note that we do not guarantee that every possible vulnerability is found, nor that every found vulnerability is exploitable. A list of vulnerability types that RIPS searches for can be found here. Only issues of the category "Exploitable Security Issues" are used for the calculation of the score. "Misconfiguration Issues" and "Code Quality Issues" are included in the maintainer report but they are not part of the score.

The formula for the RIPS CodeRisk calculation can be seen here:

RIPS

Every found security issue is taken into account and factored into the final value. Certain properties of an issue affect the likelihood of successful exploitation, for example the amount of code between the source and sink, or the origin of user input. These properties are used as weights to make the value more meaningful. The size of the code is taken into consideration as well, since a very large project will naturally contain more issues in general. As a result, the value is less precise the larger the project gets.

For now, the results are limited to WordPress plugins, but more applications will be available in the future.

Why ...?

WordPress

We here at RIPS Technologies have a long relationship with WordPress. In 2016 we performed a complete one-time analysis of all ~48,000 public WordPress plugins. The results indicated that 43% of the scanned plugins had at least one medium severity issue. With a market share of around 30% of all websites, this makes WordPress a lucrative target for criminals. In 2017 we scanned WordPress plugins with known vulnerabilities in order to see if these would have been found by RIPS. As it turns out, all the vulnerabilities that we looked at could have been found by scanning the code with RIPS. All this makes WordPress a good selection as the first CodeRisk application.

FAQ

What can I do if a plugin has a high RIPS CodeRisk?

If you are a user of this plugin...

... there is no need to panic. A high RIPS CodeRisk does not mean that there is a critical vulnerability in the plugin that can be directly exploited by an attacker, though it is possible. Quite often the affected code is not reachable without prior authentication, and the value does not differentiate between authenticated and unauthenticated issues.

There are some steps that you should take in order to keep your blog secure. First, you should check whether there is already an updated version of the plugin. Since our scans are only performed periodically and not in real time, it is possible that there is already a new release containing a security fix. If this is the case, you just need to update the plugin and are good to go. If there is no security update, it is a good idea to inform the plugin maintainer that there is a potential security vulnerability in the plugin's code and that they should contact us for more information. This should hopefully lead to a security fix in the near future. Lastly, if the developer is not reacting, you should consider uninstalling this plugin and switching to a more secure alternative.

If you are the developer of this plugin...

... you can request the full RIPS results. To help you secure your code we will provide you with detailed information on what kind of issues our scanner found and how you could fix them. In order to verify that you are the maintainer of the plugin (and not just an evil hacker that wants to exploit a possible vulnerability), you need to register on this site, click on the "I'm the Maintainer" button on the plugin page, and verify your ownership. This way we can make sure to only provide the critical information to the right people. After you have fixed the plugin, the next rescan will yield an updated RIPS CodeRisk and a more secure web.

Do not share your credentials or abuse the system. We monitor all activities and suspend offenders.

I want to help you make the web a safer place. What can I do?

We are always looking for new people to work with us on our PHP security scanner and other state-of-the-art security solutions. Take a look at our careers section for more information.