A Serious Open Source Vulnerability In WebPageTest Still Persists


After a talk, a blog post, Various publications, the RCE exploit is still open for discussion.

The maintainers of the WebPageTest project seem to be ignoring a serious remote code execution (RCE) vulnerability, despite a researcher’s best efforts at disclosure. A pre-authentication RCE vulnerability in the open source project WebPageTest was identified by ManoMano researcher Louka “Laluka” Jacques-Chevallier and was discussed in a blog post published on September 23. Additionally, a lecture about the research was presented at DEFCON Paris.

WebPageTest was created by Catchpoint and dates back to the 1990s and dial-up modem era. It has now developed into a programme for evaluating the speed and functionality of website code for optimization needs. The researcher claims that this programme has historically been “prone” to security problems due to a lack of code and container updates, obsolete components that were left unpatched against known vulnerabilities, and the “heavy use of stinky PHP code.”

In October 2021, WebPageTest’s v22.01 stable release was released. WebPageTest has previously been reported to contain server-side request forgery (SSRF) vulnerabilities, flaws that allow attackers to send successful requests through a server-side application to an undesired site or resource.

Laluka’s study was concentrated on a recently found SSRF weakness. In less than 15 minutes, Laluka found an SSRF vulnerability after looking at the software’s source code and doing crawling and fuzzing tests. Although the SSRF was restricted to an HTTP scheme, the underlying code surprised the cybersecurity researcher in additional ways. When Laluka looked more closely, it found a number of problems, including PHP code that might launch a payload by using a slash in the path, file write faults, and sanitization errors. The researcher eventually succeeded in pushing a command injection, building a reverse shell, taking advantage of JSON file jobs, and achieving RCE.

Although Beanstalkd is not present in default installations, if the Beanstalkd work queue engine is being used, it might potentially be able to exploit the RCE. According to Laluka, it is possible to inject a new, malicious task and force the worker to use the file by taking advantage of the SSRF and command injection flaws. This may be thought of as a second RCE in and of itself. By May 25, the researcher had confirmed the entire RCE exploit chain after discovering the first SSRF flaw on April 15. The lines of communication were noted as being “very laborious” even though Catchpoint reacted when Laluka called the vendor on June 15.


Please enter your comment!
Please enter your name here