ATTACKING AND DEFENDING WORDPRESS

warbarnacle, Security

5 Nov 2013 (3 years and 5 months ago)

71 views

ATTACKING AND DEFENDING WORDPRESS

sh-3.2# whoami


Alan Kakareka, CISSP, GSNA, GSEC, CEH, MCP, MCDST, Net+, Sec+.

MS MIS from Florida International University, USA.

CTO and founder of Demyo, Inc.

Consulting businesses worldwide on InfoSec issues.

Based in Miami, Florida, USA.

Demyo, Inc.

I can manage my website from anywhere in the world.

What is wrong here?


Restrict access with an .htaccess file on the server


#Secure Access to WP-LOGIN.PHP by IP
# Order takes a single argument: "Deny,Allow" must be written without a space
<Files wp-login.php>
Order Deny,Allow
Deny from All
Allow from [Your IP]
</Files>

#Secure Access to WP-LOGIN.PHP by Domain Name
# Allowing by host name requires Apache to reverse-resolve the client address on every request
<Files wp-login.php>
Order Deny,Allow
Deny from All
Allow from [Your Domain Name]
</Files>

OWASP

OWASP (Open Web Application Security Project)

OWASP top 10 vulnerabilities 2010:

A1: Injection

A2: Cross-Site Scripting (XSS)

A3: Broken Authentication and Session Management

A4: Insecure Direct Object References

A5: Cross-Site Request Forgery (CSRF)

A6: Security Misconfiguration

A7: Insecure Cryptographic Storage

A8: Failure to Restrict URL Access

A9: Insufficient Transport Layer Protection

A10: Unvalidated Redirects and Forwards

SQLi

3 Major types:

Error based

Blind

Time based

All of them can be in either GET or POST or both



Does Wordpress have any SQLi?


XSS

3 Major types:

Reflective

Stored

DOM based

Which one is the most dangerous?


Does Wordpress have any XSS?


The list goes on and on and on…



Wordpress is a web technology, so all of the OWASP vulnerability classes apply to it.

Attack Surface

Plugin vulnerabilities




Exploit-db.com




Another search engine for vulnerabilities



Why is shared hosting dangerous?


Bing.com dork “ip:127.0.0.1”



IP Neighbors

What is an IP Neighbor?

An IP Neighbor is a domain that is hosted on a server that has more than one domain name on it.

So all the domain names hosted on that server are IP neighbors of each other.

From Wordpress to the goodies (server itself)

Some flaw in wordpress (LFI, SQLi, XSS, etc.)

Malicious code to server (privilege escalation)

Woot woot, we got root!

I like root


Shared hosting conclusion


So it does not have to be your fault that your website got hacked!

Do a little test on your own once in a while



A penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and/or malicious insiders (wikipedia)

wpscan

Sample output of wpscan




Burp



sqlmap




Where to learn some InfoSec?


Defending Wordpress


Keep your Wordpress up to date


Keep your Wordpress plugins up to date


Install only needed Wordpress plugins


Keep OS up to date


Uninstall unneeded services on the server


Defending Wordpress


Remove the default administrator user (admin)


Use security plugins for Wordpress


Login Lockdown


Bullet proof security (helps to mitigate XSS,
LFI/RFI, CSRF, SQLi)


Ultimate Security Checker
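To see what the wp-login.php IP allowlist from the .htaccess slides and a Login Lockdown style threshold actually catch, here is an added example (not from the slides or from any of the named plugins) that audits Apache access log lines for POSTs to wp-login.php. The allowlist address, the threshold and window, and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical allowlist, the same idea as "Allow from [Your IP]" in .htaccess (constructed value).
ALLOWED = [ip_network("203.0.113.10/32")]
LOCKOUT_THRESHOLD = 5                  # failed POSTs from one IP before it is flagged
LOCKOUT_WINDOW = timedelta(minutes=5)
# Apache combined log format; only the fields this check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    # Returns (ip, timestamp, method, path without query string, status) or None.
    if not (m := LOG_RE.match(line)):
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0], int(m.group("status"))

def audit_wp_login(lines):
    # Returns (IPs outside the allowlist, IPs over the lockout threshold) for POSTs to wp-login.php.
    failures = defaultdict(list)
    outside = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or not path.endswith("/wp-login.php"):
            continue
        if not any(ip_address(ip) in net for net in ALLOWED):
            outside.add(ip)            # the .htaccess rule would have denied this request
        if status == 200:              # WordPress re-renders the form (200) on failure, 302 on success
            failures[ip].append(ts)
    locked = set()
    for ip, times in failures.items():
        times.sort()
        # sliding window: any THRESHOLD consecutive failures whose first and last lie within WINDOW
        for i in range(LOCKOUT_THRESHOLD - 1, len(times)):
            if times[i] - times[i - LOCKOUT_THRESHOLD + 1] <= LOCKOUT_WINDOW:
                locked.add(ip)
                break
    return outside, locked

# Constructed sample lines: one legitimate login, one stray failed attempt, one brute-force run.
SAMPLE_LOG = ['203.0.113.10 - - [05/Nov/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
              '198.51.100.9 - - [05/Nov/2013:10:09:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3211']
SAMPLE_LOG += [f'198.51.100.7 - - [05/Nov/2013:10:01:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3211'
               for s in range(0, 50, 10)]
```

Running audit_wp_login(SAMPLE_LOG) flags both non-allowlisted addresses, but only 198.51.100.7 crosses the lockout threshold.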



Wrapping up and links

http://sucuri.net/how-to-lock-down-wordpress-admin-panel-with-a-dynamic-ip.html

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

http://www.exploit-db.com/search/?action=search&filter_page=6&filter_description=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_exploit_text=wordpress&filter_port=0&filter_osvdb=&filter_cve=

http://sec.jetlib.com/search.php

http://blog.dagoosh.com/post/2009/04/20/Multiple-Domains-on-the-Same-IP-Address-Dangers-of-Shared-Hosting-Environments.aspx

https://en.wikipedia.org/wiki/Penetration_test

http://sqlmap.org/


http://www.ush.it/2008/08/18/lfi2rce-local-file-inclusion-to-remote-code-execution-advanced-exploitation-proc-shortcuts/

http://www.bad-neighborhood.com/login-lockdown.html

https://wordpress.org/extend/plugins/bulletproof-security/



Questions And Contact Info


Email:
almaz@demyo.com


Cell +1 201 665 6666


LinkedIn: Almantas Kakareka


Twitter: @DemyoSec


www.demyo.com