Web Security

How to Lock down xmlrpc.php in WordPress

This article explains how you can lock down xmlrpc.php using .htaccess. The WordPress xmlrpc.php endpoint can be misused as an endpoint for brute force attacks. If you do not use xmlrpc.php for any integrations, you might as well disable it completely. Adding these lines to your .htaccess file will disallow access to the endpoint for everyone. Edit your public/.htaccess file and add:

    <Files xmlrpc.php>
        Require all denied
    </Files>

Note: xmlrpc.php is required by some plugins, like Jetpack.


What is XMLRPC for WordPress and How You Can Stop Hackers From Using It

Website security is a tough thing to solve in the right way, especially for security issues related to XML-RPC, which is commonly exploited in attacks on WordPress sites. There is a lot of information available on the internet offering all kinds of solutions, but which of them are correct? In this article we will explain how it works, the solutions out there, and what actually is the best solution. Let's dive in!

WHAT IS XML-RPC?

XML-RPC for WordPress was designed to enable remote connections between your site and external applications. This means users are able to interact with their WordPress site through different blogging platforms or phone apps. This was useful in the earlier days of the internet, when a person would want to edit content offline and then connect to their WordPress blog later to publish it. There are certain situations where users would want to use XML-RPC. However, with advances in technology, the use and functionality of XML-RPC…


Why Installing a Security Plugin to WordPress Actually Hurt Your Site

WordPress users often lean on plugins for any required feature or functionality without thinking much about their impact on the site's performance. There are several WordPress security plugins out there that promise to secure your website from XMLRPC-related security issues, but in reality they hurt your site more. Here are some of the reasons why securing your site with a plugin is not the best choice:

- Security plugins are only effective at the application level and do not protect your server from getting hit.
- They add unnecessary code to your site that degrades its performance and increases time to first byte (TTFB).
- Some of these plugins do more harm than good and are used by hackers to create backdoors into your website.
- These plugins require frequent management, which adds more workload.

From the above assessment, none of the options offer an ideal solution to handle the XMLRPC security problem. This brings us to Accelerated…


WordPress Cross-Site Port Attack (XSPA)

Cross-site Port Attacks (XSPA) are very common; in them the hacker injects a malicious script to retrieve information about TCP ports and IP addresses. In the case of WordPress, XMLRPC is used along with its pingback mechanism to bypass IP masking, such as that provided by a basic WAF like Cloudflare. In an XSPA attack, the hacker uses the pingback.ping method to pingback a post on a target website, which in return sends the IP address in the response. The hacker uses a sniffer to create the endpoint for the pingback, picks a live URL of a blog post, and sends the following request from her server:

    <methodCall>
      <methodName>pingback.ping</methodName>
      <params>
        <param><value><string>http://<YOUR SERVER>:<port></string></value></param>
        <param><value><string>http://<SOME VALID BLOG FROM THE SITE></string></value></param>
      </params>
    </methodCall>

If the response contains a fault code with a value greater than 0, it means the port is open for you to start sending HTTP packets directly.


WordPress DDoS Attack

Distributed Denial of Service (DDoS) is one of the most lethal cyber-attacks; it can paralyze a server by hitting it with hundreds and thousands of concurrent requests. Hackers use the pingback feature of WordPress along with the xmlrpc.php file to execute such attacks. Ideally, the hacker targets an endpoint or page that can be hit several times and takes longer to respond. This way a single hit has the maximum impact on server resources, and in our case XMLRPC serves the hacker well in exposing such endpoints. Several already-compromised WordPress sites are used to execute the pingback.ping method against a single victim. The overwhelming HTTP GET and POST requests jam the regular traffic and eventually crash the server. First, the hacker checks whether the xmlrpc.php file is enabled by sending the following request:

    POST /xmlrpc.php HTTP/1.1
    Host: withinsecurity.com
    Connection: keep-alive
    Content-Length: 175

    <?xml version="1.0" encoding="utf-8"?>
    <methodCall>
      <methodName>demo.sayHello</methodName>
      <params>…


WordPress Bruteforce Attack

In a brute force attack, the hacker tries to guess the correct username and password by running numerous login attempts. Unfortunately, a large number of WordPress sites use weak admin passwords or do not have any security layer added to stop attackers, and those sites are easily compromised with this type of attack. Others use a strong password and also have security mechanisms in place, such as reCaptcha and automatic IP blocking, that are effective against brute force attacks; but if the hacker decides to use XMLRPC, she does not even need to access the WordPress admin. A very common tool from Kali Linux, WPScan, is used to enumerate all the usernames, and once that is done the hacker brute forces the password using the xmlrpc.php file by sending the following HTTP request to the victim site:

    POST /xmlrpc.php HTTP/1.1
    User-Agent: Fiddler
    Host: www.example.com
    Content-Length: 164

    <methodCall>
      <methodName>wp.getUsersBlogs</methodName>
      <params>
        <param><value>admin</value></param>
        <param><value>pass</value></param>
      </params>
    </methodCall>

In the above example, a…


Cross-site WebSocket hijacking

In this section, we'll explain cross-site WebSocket hijacking (CSWSH), describe the impact of a compromise, and spell out how to perform a cross-site WebSocket hijacking attack.

What is cross-site WebSocket hijacking?

Cross-site WebSocket hijacking (also known as cross-origin WebSocket hijacking) involves a cross-site request forgery (CSRF) vulnerability on a WebSocket handshake. It arises when the WebSocket handshake request relies solely on HTTP cookies for session handling and does not contain any CSRF tokens or other unpredictable values. An attacker can create a malicious web page on their own domain which establishes a cross-site WebSocket connection to the vulnerable application. The application will handle the connection in the context of the victim user's session with the application. The attacker's page can then send arbitrary messages to the server via the connection and read the contents of messages that are received back from the server. This means that, unlike regular CSRF, the attacker gains two-way interaction with…


What are WebSockets?

WebSocket is a bi-directional, full-duplex communications protocol initiated over HTTP. WebSockets are commonly used in modern web applications for streaming data and other asynchronous traffic. In this section, we'll explain the difference between HTTP and WebSockets, describe how WebSocket connections are established, and outline what WebSocket messages look like.

What is the difference between HTTP and WebSockets?

Most communication between web browsers and web sites uses HTTP. With HTTP, the client sends a request and the server returns a response. Typically, the response occurs immediately, and the transaction is complete. Even if the network connection stays open, it will be used for a separate transaction of a request and a response. Some modern websites use WebSockets. WebSocket connections are initiated over HTTP and are typically long-lived. Messages can be sent in either direction at any time and are not transactional in nature. The connection will normally stay open and idle until either the client or…


Examining the database in SQL injection attacks

When exploiting SQL injection vulnerabilities, it is often necessary to gather some information about the database itself. This includes the type and version of the database software and the contents of the database in terms of which tables and columns it contains.

Querying the database type and version

Different databases provide different ways of querying their version. You often need to try out different queries to find one that works, allowing you to determine both the type and version of the database software. The queries to determine the database version for some popular database types are as follows:

    Database type       Query
    Microsoft, MySQL    SELECT @@version
    Oracle              SELECT * FROM v$version
    PostgreSQL          SELECT version()

For example, you could use a UNION attack with the following input:

    ' UNION SELECT @@version--

This might return output like the following, confirming that the database is Microsoft SQL Server and the version that is being used:

    Microsoft SQL Server 2016…


Directory traversal

In this section, we'll explain what directory traversal is, describe how to carry out path traversal attacks and circumvent common obstacles, and spell out how to prevent path traversal vulnerabilities.

What is directory traversal?

Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.

Reading arbitrary files via directory traversal

Consider a shopping application that displays images of items for sale. Images are loaded via some HTML like the following:

    <img src="/loadImage?filename=218.png">

The loadImage URL takes a filename parameter and returns the contents of the specified file. The…


Blind SQL injection

In this section, we'll describe what blind SQL injection is and explain various techniques for finding and exploiting blind SQL injection vulnerabilities.

What is blind SQL injection?

Blind SQL injection arises when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors. With blind SQL injection vulnerabilities, many techniques, such as UNION attacks, are not effective because they rely on being able to see the results of the injected query within the application's responses. It is still possible to exploit blind SQL injection to access unauthorized data, but different techniques must be used.

Exploiting blind SQL injection by triggering conditional responses

Consider an application that uses tracking cookies to gather analytics about usage. Requests to the application include a cookie header like this:

    Cookie: TrackingId=u5YD3PapBcR4lN3e7Tj4

When a request containing a TrackingId cookie is processed, the application determines whether…

