Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Muhon decided to review Wordpress plugins with a set of SAST tools. Initially, they reviewed 10K plugins with Semgrep. This led to hours upon hours of reviewing false positives. So, they decided to use LLMs to triage bugs themselves.

To not spend too much on tokens, they decided to focus on a single class of bugs: missing authorization. In WordPress, AJAX hooks are API endpoints that can be called by users, including low-privileged ones. There are no authorization checks by default; if a developer fails to verify the user's permissions in the callback, a low-privileged user can perform unexpected actions.

Step 1 was to create a Semgrep rule that detected AJAX hooks whose callback functions didn't include simple authorization checks. The rule first finds all callbacks and then checks whether each callback contains a set of common authorization functions. Next, they would analyze the output with Claude and score each finding. From the high-scoring ones, they would review the findings and perform dynamic testing.

To review the findings from the scan, they used the VS Code extension Sarif Explorer. It keeps track of findings that you have alreayd reviewed and which ones you're done reviewing. After reviewing the code, they performed dynamic analysis on all potential bugs with the Wordfence Docker Wordpress Research Lab.

For 11K findings, Claude Opus 4.6 cost $120. Claude was good at filtering issues that were obviously false positives. This was either for things with no impact or authorization checks that were not detected by Semgrep for whatever reason. This took it from 11K to 1.4K.

Claude was bad about Wordpress-specific security, like $_GET automatically escaping quotes to prevent SQLi or the functions wp_handle_upload() being safe against file upload webshell attacks. In the future, they will add more specific WordPress knowledge to reduce the false positive rate. They also learned that being more specific on in scope impacts would have been helpful, in accordance to the bug bounty platforms they were looking into.

They found a few interesting things... on the plugins: an IDOR that leaked PII and missing permission checks for admin actions like resetting the database. Additionally, they found an SSRF and the ability to download backup files. All of them got CVEs assigned to them.

Overall, a good article on what did and didn't work in vulnerability scanning, combining regular tools and AI tools.